Mbed TLS version 2.14.0 has now been released, in addition to maintenance releases for Mbed TLS 2.7 and Mbed TLS 2.1.
Mbed TLS 2.14.0 introduces several new features:
- Support for non-blocking ECC operations has been introduced with this release. This allows users of Mbed TLS on single-threaded systems to perform elliptic curve cryptographic operations in between other critical operations (such as resetting a watchdog timer), without the use of a pre-emptive scheduler or RTOS. This is explained more fully in the knowledge base article 'Non-blocking ECC operations'.
- Support for CTR-DRBG using only AES-128 cipher operations. On some devices, AES-128 cryptographic accelerators may be available, but not acceleration of AES-256. On such devices, only AES-128 may be required in designs, and by using only the AES-128 accelerator support on the device, code size can be reduced, operations made faster, and power reduced.
- Support for smaller salt sizes for RSASSA-PSS signatures, enabling compliance with FIPS 186-4.
This release also addresses three security issues and resolves multiple defects. Mbed TLS 2.7.7 and 2.1.16 are maintenance releases, and intentionally do not contain new features to avoid changing the library interface and allow users to change library versions easily.
- (2.14.0, 2.7.7, 2.1.16) Fixed overly strict comparison of the X.509 DN field when searching for CRLs belonging to a particular Certificate Authority (CA). This previously led to ignoring CRLs when the issuer's name and the Certificate Authority's subject name differed in their string encoding, such as one using `PrintableString` and the other using `UTF8String`, or in the choice of upper and lower case. Reported by Henrik Andersson of Bosch GmbH in issue #1784.
- (2.14.0, 2.7.7, 2.1.16) Fixed a flawed bounds check in the server PSK hint parsing. When the incoming message buffer was placed within the first 64kB of address space and a PSK-(EC)DHE ciphersuite was used, this allowed an attacker to trigger a memory access up to 64kB beyond the incoming message buffer, potentially leading to application crash or information disclosure.
- (2.14.0, 2.7.7, 2.1.16) Fixed `mbedtls_mpi_is_prime()` to use more rounds of probabilistic testing. The previous settings for the number of rounds made it practical for an adversary to construct non-primes that would be erroneously accepted with a high probability as primes. This does not have an impact on the security of TLS, but can matter in other contexts with numbers chosen potentially by an adversary that should be prime and can be validated. For example, the number of rounds was enough to securely generate RSA key pairs or Diffie-Hellman parameters, but was insufficient to validate Diffie-Hellman parameters properly. See "Prime and Prejudice" by Martin R. Albrecht, Jake Massimo, Kenneth G. Paterson and Juraj Somorovsky.
- (2.14.0) Added support for temporarily suspending expensive ECC computations after some configurable amount of operations. This is intended to be used in constrained, single-threaded systems where ECC operations can be time consuming and can block other operations until they complete. This feature is enabled by defining `MBEDTLS_ECP_RESTARTABLE` in the configuration file `config.h` and is configured by `mbedtls_ecp_set_max_ops()` at runtime. It is disabled by default. It applies to the new `xxx_restartable` functions in ECP, ECDSA, PK and X.509, and to existing functions in ECDH and SSL. It is currently only implemented client-side, for ECDHE-ECDSA ciphersuites in TLS 1.2, including client authentication, and there is no support for CRL files.
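To make the "suspend after a configurable number of operations" idea concrete, here is an added example in Python that is not Mbed TLS code and does not use its API. It models a restartable scalar multiplication (the expensive core of ECDH/ECDSA) as a Montgomery ladder over secp256k1 whose state lives in a context object: each call advances at most `max_ops` ladder steps (with `0` meaning no limit, mirroring how the text describes the runtime setting) and returns either an "in progress" status, standing in for the library's `MBEDTLS_ERR_ECP_IN_PROGRESS`, or the finished point. The names `RestartCtx`, `scalar_mult_restartable` and `run_with_watchdog` are hypothetical and exist only in this example; the curve parameters are the standard secp256k1 values, embedded so the block runs offline.

```python
"""Model of budgeted, restartable EC scalar multiplication (added example, not Mbed TLS code)."""

# secp256k1 domain parameters (standard values, embedded so the block runs offline).
P = 2**256 - 2**32 - 977
B = 7
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

IN_PROGRESS = "IN_PROGRESS"   # stands in for MBEDTLS_ERR_ECP_IN_PROGRESS (assumption)
DONE = "DONE"                 # stands in for a return value of 0


def point_add(p, q):
    """Affine addition on y^2 = x^3 + 7 over GF(P); None is the point at infinity."""
    if p is None:
        return q
    if q is None:
        return p
    x1, y1 = p
    x2, y2 = q
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None                                    # p == -q
        lam = (3 * x1 * x1) * pow(2 * y1, -1, P) % P       # doubling (a = 0)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def scalar_mult(k, point=G):
    """Reference, non-restartable double-and-add; used to check the ladder."""
    result, addend = None, point
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


class RestartCtx:
    """Saved ladder state: the analogue of a restart context passed between calls."""

    def __init__(self, k, point=G):
        self.bits = [(k >> i) & 1 for i in range(k.bit_length() - 1, -1, -1)]
        self.i = 0          # next scalar bit to process (MSB first)
        self.r0 = None      # R0 = (processed prefix of k) * point
        self.r1 = point     # R1 = R0 + point, the ladder invariant


def scalar_mult_restartable(ctx, max_ops):
    """Advance at most max_ops ladder steps (0 = no limit), then report progress.

    Returns (IN_PROGRESS, None) if work remains, or (DONE, k * point) when finished.
    """
    ops = 0
    while ctx.i < len(ctx.bits):
        if max_ops and ops >= max_ops:
            return IN_PROGRESS, None
        if ctx.bits[ctx.i] == 0:
            ctx.r1 = point_add(ctx.r0, ctx.r1)
            ctx.r0 = point_add(ctx.r0, ctx.r0)
        else:
            ctx.r0 = point_add(ctx.r0, ctx.r1)
            ctx.r1 = point_add(ctx.r1, ctx.r1)
        ctx.i += 1
        ops += 1
    return DONE, ctx.r0


def run_with_watchdog(k, max_ops, kick_watchdog):
    """Single-threaded driver: keep calling until DONE, servicing the watchdog in between."""
    ctx = RestartCtx(k)
    calls = 0
    while True:
        calls += 1
        status, result = scalar_mult_restartable(ctx, max_ops)
        if status == DONE:
            return result, calls
        kick_watchdog()   # the "other critical operation" the text mentions


if __name__ == "__main__":
    k = (1 << 255) + 12345   # constructed 256-bit scalar
    pt, calls = run_with_watchdog(k, 64, lambda: print("watchdog serviced"))
    print(calls, "calls; matches reference:", pt == scalar_mult(k))
```

The budget is counted in ladder steps here purely for illustration; the library's own notion of an "operation" and the exact state it saves are not described on this page. The point of the model is the control flow: the caller owns the context, polls until the status changes, and is free to do other work on every intermediate return.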
- (2.14.0) Added support for the Arm CPU DSP extensions to accelerate asymmetric key operations. On CPUs where the extensions are available, they can accelerate the MPI multiplications used in ECC and RSA cryptography. Contributed by Aurelien Jarno.
- (2.14.0) Extended RSASSA-PSS signature support to allow a smaller salt size. Previously, the PSS signature always used a salt with the same length as the hash, and returned an error if this was not possible. Now the salt size may be up to two bytes shorter. This allows the library to support all hash and signature sizes that comply with FIPS 186-4, including SHA-512 with a 1024-bit key.
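The "up to two bytes shorter" figure follows from the EMSA-PSS encoding constraint emLen >= hLen + sLen + 2, where emLen = ceil((modBits - 1)/8). The following added example, written for this page and not taken from Mbed TLS, implements the EMSA-PSS encode and verify steps of PKCS#1 v2.1 in pure Python with a caller-chosen salt length, so the limit can be computed and exercised: for a 1024-bit key with SHA-512, emLen = 128 and hLen = 64, so sLen may be at most 62. Function names (`max_pss_salt_len`, `emsa_pss_encode`, `emsa_pss_verify`) are hypothetical; the RSA modular operation is deliberately left out because the salt-length rule lives entirely in the encoding layer.

```python
"""EMSA-PSS encoding with a configurable salt length (added example, not Mbed TLS code)."""
import hashlib


def max_pss_salt_len(mod_bits, hash_name):
    """Largest salt length in bytes that PSS can encode for this key size and hash."""
    em_len = (mod_bits - 1 + 7) // 8
    return em_len - hashlib.new(hash_name).digest_size - 2


def mgf1(seed, length, hash_name):
    """MGF1 mask generation function from PKCS#1 v2.1, appendix B.2.1."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.new(hash_name, seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def emsa_pss_encode(message, mod_bits, hash_name, salt):
    """EMSA-PSS-ENCODE (PKCS#1 v2.1, 9.1.1) for a given salt; raises if the salt cannot fit."""
    em_bits = mod_bits - 1
    em_len = (em_bits + 7) // 8
    m_hash = hashlib.new(hash_name, message).digest()
    h_len, s_len = len(m_hash), len(salt)
    if em_len < h_len + s_len + 2:
        raise ValueError("encoding error: salt too long for this key size and hash")
    h = hashlib.new(hash_name, b"\x00" * 8 + m_hash + salt).digest()
    db = b"\x00" * (em_len - s_len - h_len - 2) + b"\x01" + salt
    masked_db = bytearray(_xor(db, mgf1(h, em_len - h_len - 1, hash_name)))
    masked_db[0] &= 0xFF >> (8 * em_len - em_bits)   # clear the unused leading bits
    return bytes(masked_db) + h + b"\xbc"


def emsa_pss_verify(message, em, mod_bits, hash_name, s_len):
    """EMSA-PSS-VERIFY (PKCS#1 v2.1, 9.1.2) for an expected salt length."""
    em_bits = mod_bits - 1
    em_len = (em_bits + 7) // 8
    m_hash = hashlib.new(hash_name, message).digest()
    h_len = len(m_hash)
    if len(em) != em_len or em_len < h_len + s_len + 2 or em[-1] != 0xBC:
        return False
    masked_db, h = em[: em_len - h_len - 1], em[em_len - h_len - 1 : -1]
    top_mask = 0xFF >> (8 * em_len - em_bits)
    if masked_db[0] & (0xFF ^ top_mask):
        return False                                   # leading bits must be zero
    db = bytearray(_xor(masked_db, mgf1(h, em_len - h_len - 1, hash_name)))
    db[0] &= top_mask
    ps_len = em_len - h_len - s_len - 2
    if any(db[:ps_len]) or db[ps_len] != 0x01:
        return False                                   # padding string / separator check
    salt = bytes(db[len(db) - s_len:])                 # last s_len bytes of DB
    h_prime = hashlib.new(hash_name, b"\x00" * 8 + m_hash + salt).digest()
    return h == h_prime


if __name__ == "__main__":
    print("1024-bit key, SHA-512: max salt =", max_pss_salt_len(1024, "sha512"))
    msg = b"constructed test message"
    em = emsa_pss_encode(msg, 1024, "sha512", bytes(range(62)))   # constructed salt
    print("verifies with sLen=62:", emsa_pss_verify(msg, em, 1024, "sha512", 62))
```

Note that with the full 64-byte salt the same call raises, which is the "returned an error if this was not possible" behaviour the text describes for the old library; the verifier must be told the salt length the signer used, since PSS does not encode it.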
- (2.14.0) Added support for 128 bit keys in CTR-DRBG. Note that using keys shorter than 256 bits limits the security of generated material to 128 bits.
- (2.14.0) Added a common error code of `MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED` for features that are not supported by third party implementations of cryptographic primitives. This is useful for hardware accelerators that do not implement all options or features, such as those that support AES-128 but not AES-192 or AES-256.
- (2.14.0) All module specific errors following the form `MBEDTLS_ERR_XXX_FEATURE_UNAVAILABLE` that indicate a feature is not supported are now deprecated and replaced by the new equivalent platform error.
- (2.14.0) All module specific generic hardware acceleration errors following the form `MBEDTLS_ERR_XXX_HW_ACCEL_FAILED` are now deprecated and replaced by the equivalent platform error.
- (2.14.0) The function `mbedtls_mpi_is_prime()` is now deprecated in favor of `mbedtls_mpi_is_prime_ext()`, which allows specifying the number of Miller-Rabin rounds.
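Both the security fix above (too few rounds in `mbedtls_mpi_is_prime()`) and the new `mbedtls_mpi_is_prime_ext()` round parameter come down to the same question: how many Miller-Rabin rounds does an adversarially chosen candidate need? The added example below, written for this page and not Mbed TLS code, implements Miller-Rabin with an explicit base list and a random-base variant, and shows the failure mode with a known strong pseudoprime: 3215031751 = 151 x 751 x 28351 passes bases 2, 3, 5 and 7 simultaneously, so a tester that stops after a few fixed small bases accepts it, while adding base 11 or running 40 random rounds rejects it. The function names are hypothetical; `rounds_for` applies Rabin's bound that one random-base round passes a composite with probability at most 1/4, so 2^-80 needs 40 rounds.

```python
"""Miller-Rabin with a configurable round count (added example, not Mbed TLS code)."""
import random

_SYSRAND = random.SystemRandom()

# Constructed from the published table of strong pseudoprimes: the smallest
# composite that is a strong pseudoprime to bases 2, 3, 5 and 7 at once.
PSEUDOPRIME = 151 * 751 * 28351   # = 3215031751


def _is_witness(a, n, d, r):
    """True if base a proves n composite, where n - 1 = 2^r * d with d odd."""
    x = pow(a, d, n)
    if x in (1, n - 1):
        return False
    for _ in range(r - 1):
        x = x * x % n
        if x == n - 1:
            return False
    return True


def is_probable_prime(n, bases):
    """Miller-Rabin with one round per base in `bases` (fixed, caller-chosen bases)."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    return not any(_is_witness(a, n, d, r) for a in bases)


def is_prime_random_bases(n, rounds):
    """Miller-Rabin with `rounds` uniformly random bases in [2, n-2]."""
    if n < 5:
        return is_probable_prime(n, [])
    bases = [_SYSRAND.randrange(2, n - 1) for _ in range(rounds)]
    return is_probable_prime(n, bases)


def rounds_for(security_bits):
    """Rounds so that an adversarial composite passes with probability <= 2^-security_bits.

    Each random-base round passes a composite with probability at most 1/4,
    so `rounds` rounds give at most 4^-rounds = 2^-(2*rounds).
    """
    return (security_bits + 1) // 2


if __name__ == "__main__":
    print("fixed bases 2,3,5,7  :", is_probable_prime(PSEUDOPRIME, [2, 3, 5, 7]))     # True: fooled
    print("fixed bases +11      :", is_probable_prime(PSEUDOPRIME, [2, 3, 5, 7, 11])) # False
    print("40 random rounds     :", is_prime_random_bases(PSEUDOPRIME, rounds_for(80)))
```

The distinction the text draws between generating and validating matters here: when the candidate is a random number the library drew itself, the chance of hitting such a pseudoprime is negligible and few rounds suffice, but a Diffie-Hellman parameter received from a peer may have been chosen precisely to pass a fixed, short test, so validation needs the full round count.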
- (2.14.0) Changed the default string format used for various X.509 DN attributes to `UTF8String`. Previously, the use of the `PrintableString` format led to wildcards and non-ASCII characters being unusable in some DN attributes. Reported by raprepo in #1860 and by kevinpt in #468. Fix contributed by Thomas-Dee.
- (2.14.0, 2.7.7, 2.1.16) Fixed the wrong order of memory deallocation in the example program `programs/ssl/ssl_server2` leading to a memory leak in case both `MBEDTLS_MEMORY_BACKTRACE` are set. Fixes #2069.
- (2.14.0, 2.7.7, 2.1.16) Fixed a bug in the update function for SSL ticket keys which previously invalidated keys with a lifetime of less than 1s. Fixes #1968.
- (2.14.0, 2.7.7, 2.1.16) Fixed a failure in HMAC-DRBG in the benchmark sample application, when `MBEDTLS_THREADING_C` is defined. Found by TrinityTonic, #1095.
- (2.14.0, 2.7.7, 2.1.16) Fixed a bug in the record decryption routine `ssl_decrypt_buf()` which led to accepting properly authenticated but improperly padded records in case of CBC ciphersuites using Encrypt-then-MAC.
- (2.14.0, 2.7.7, 2.1.16) Fixed a memory leak and freeing without initialization in the example program `programs/x509/cert_write`. Fixes #1422.
- (2.14.0, 2.7.7, 2.1.16) Now ignores the IV in `mbedtls_cipher_set_iv()` when the cipher mode is `MBEDTLS_MODE_ECB`. Found by ezdevelop. Fixes #1091.
- (2.14.0, 2.7.7, 2.1.16) Zeroizes memory used for buffering or reassembling handshake messages after use.
- (2.14.0, 2.7.7, 2.1.16) Uses `memset()` for zeroization of sensitive data in the example programs.
- (2.14.0, 2.7.7, 2.1.16) Fixed a compilation failure for configurations which use compile time replacements of the standard `free` functions through the macros `MBEDTLS_PLATFORM_FREE_MACRO`. Reported by ole-de and ddhome2006. Fixes #882, #1642 and #1706.
- (2.1.16) Fixed a potential build failure related to the `apidoc` target, introduced in the previous patch release. Found by Robert Scheck. #390 #391
- (2.1.16) Fixed `programs/pkey/dh_server.c` so that it works correctly with `dh_client.c`. Found and fixed by Martijn de Milliano.
- (2.14.0) Now remembers the string format of X.509 DN attributes when replicating X.509 DN attributes. Previously, DN attributes were always written in their default string format, which was `PrintableString` in most instances. This could lead to certificates being created which used `PrintableString` in the issuer field even though the signing Certificate Authority used `UTF8String` in its subject field. Whilst being compliant with X.509, such certificates were rejected in some applications, such as some versions of Firefox, curl and GnuTLS. Reported in #1033 by Moschn. Fix contributed by Thomas-Dee.
- (2.14.0) Added `mbedtls_mpi_gen_prime()` and used it to reduce the error probability in RSA key generation to the levels mandated by FIPS 186-4.
- (2.14.0) Removed support for Yotta as a build tool.
- (2.14.0, 2.7.7, 2.1.16) Added tests for session resumption in DTLS.
- (2.14.0, 2.7.7, 2.1.16) Closed a test gap in (D)TLS between the client side and the server side, to test the handling of large packets and small packets on the client side in the same way as on the server side.
- (2.14.0, 2.7.7, 2.1.16) Changed the `dtls_server` examples to work by default over IPv6 and optionally, by a build option, over IPv4.
- (2.14.0, 2.7.7, 2.1.16) Changed the use of Windows threading to use Microsoft Visual C++ runtime calls, rather than Win32 API calls directly. This is necessary to avoid conflict with C runtime usage. Found and fixed by irwir.
- (2.14.0, 2.7.7, 2.1.16) Improved documentation of `mbedtls_ssl_get_verify_result()`. Fixes #517 reported by github-monoculture.
- `make apidoc` now generates the documentation for the current configuration. Run `scripts/apidoc_full.sh` to generate the full documentation. This aligns the behavior with Mbed TLS versions 2.2 and later and reverts it back to how it behaved in version 2.1.3.
Who should update
We recommend that all users update, at an appropriate point in their development lifecycle, to take advantage of the bug fixes contained in this release.
End of life for Mbed TLS 2.1
Mbed TLS 2.1.0 was first shipped on 4th September 2015, and is nearing the end of its life. All users of Mbed TLS 2.1 are advised to upgrade to a later version of Mbed TLS wherever possible. There will be no further releases of Mbed TLS 2.1 after 2018. The latest long-term support branch is Mbed TLS 2.7.
Get your copy here:
The hashes for files/mbedtls-2.14.0-apache.tgz are:
SHA-1: 8956b0f78e01dc07f53a750087539a3d4d4d5a70 SHA-256: 82f8541ecb7f2e1074c334aa7b665306010a627b9d4d76f99ad1b7c291abc82d
The hashes for files/mbedtls-2.14.0-gpl.tgz are:
SHA-1: 93af9545904551167e67a75cfe2022a2303ae04b SHA-256: 7c62ec02a577e3cca01ee8cd161e1e369537714a148efaafe79887b9d955a691
The hashes for files/mbedtls-2.7.7-apache.tgz are:
SHA-1: c70a73774ccf5393d5c325e981136978ee2ce92e SHA-256: 7bcd05d3a7897ddce4ffe9e74e53634690ce5eb80bbbe358f87cbc7b67ee2f8c
The hashes for files/mbedtls-2.7.7-gpl.tgz are:
SHA-1: f3eacb2cf0c03e279c7ac7f85604fae47b3c3f36 SHA-256: 4a5529cca1d85e3bb64f1aa3976dfe9274a7a79a1642d67f9d69c8fb241c7c96
The hashes for files/mbedtls-2.1.16-apache.tgz are:
SHA-1: 37cee52213eb4f456df98aac4e1d21a41faf2788 SHA-256: d0af5b8181941141017ffc101465a7ef5cccdca7794014d02e39bb55a5abd866
The hashes for files/mbedtls-2.1.16-gpl.tgz are:
SHA-1: 96ef8fa08c241407361d901044e13b568824c5cf SHA-256: 289ac62a508f380e09de87d31c9186c2acf2a5c48db1c7929b345b973c0af018