mbed TLS 2.2.0 has been released, together with the maintenance releases mbed TLS 2.1.3, mbed TLS 1.3.15 and PolarSSL 1.2.18.
The mbed TLS 2.2.0 release adds experimental support for EC J-PAKE and fixes a number of security issues and bugs, as well as a performance issue. The maintenance releases contain fixes for the security issues as well as other bugs.
Security (all branches)
Guido Vranken of Intelworks has found 3 new security weaknesses, none of which are exploitable remotely in the context of TLS. In addition, Nicholas Wilson found a missing check in the X.509 chain verification.
- Fixes a potential double free if mbedtls_ssl_conf_psk() is called more than once and an allocation fails. This cannot be forced remotely. Found by Guido Vranken, Intelworks. (No fix required for the PolarSSL 1.2.18 release.)
- Fixes a potential heap corruption on Windows when mbedtls_x509_crt_parse_path() is passed a path longer than 2GB. This cannot be triggered remotely. Found by Guido Vranken, Intelworks.
- Fixes a potential buffer overflow in some asn1_write_xxx() functions. This cannot be triggered remotely unless you create X.509 certificates based on untrusted input or write keys of untrusted origin. Found by Guido Vranken, Intelworks.
- The X.509 max_pathlen constraint was not enforced on intermediate certificates. Found by Nicholas Wilson; fix and tests provided by Janos Follath.
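The pattern behind the first fix, shown as an added example that is not mbed TLS code: a setter that replaces a heap-allocated pre-shared key releases the old buffer before the replacement allocation is known to succeed, so a second call that runs out of memory leaves a dangling pointer which the cleanup routine then frees again. The conf_t type, the set_psk_vulnerable()/set_psk_hardened() functions, the quarantining tracker allocator and the sample keys are all constructed for this illustration; the hardened variant is the general fix for this class of bug, not a copy of the mbed TLS patch.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_BLOCKS 16

/* A configuration object that owns one heap-allocated pre-shared key. */
typedef struct { unsigned char *psk; size_t psk_len; } conf_t;

/* Tracking allocator for the demo: freed blocks are quarantined instead of
 * being returned to the system, so a second free of the same pointer is
 * counted rather than corrupting the heap (a very small ASan). */
static struct { void *p; int freed; } blocks[MAX_BLOCKS];
static int nblocks = 0;
static int fail_next_alloc = 0;   /* set to 1 to make the next t_calloc() fail */
static int double_frees = 0;

static void *t_calloc(size_t n, size_t size) {
    if (fail_next_alloc || nblocks == MAX_BLOCKS) { fail_next_alloc = 0; return NULL; }
    void *p = calloc(n, size);
    if (p != NULL) { blocks[nblocks].p = p; blocks[nblocks].freed = 0; nblocks++; }
    return p;
}

static void t_free(void *p) {
    if (p == NULL) return;
    for (int i = 0; i < nblocks; i++) {
        if (blocks[i].p != p) continue;
        if (blocks[i].freed) double_frees++;   /* already in quarantine: double free */
        blocks[i].freed = 1;
        return;
    }
    double_frees++;                            /* pointer we never handed out */
}

static void tracker_reset(void) {
    for (int i = 0; i < nblocks; i++) free(blocks[i].p);   /* empty the quarantine */
    nblocks = 0; double_frees = 0; fail_next_alloc = 0;
}

/* Vulnerable pattern: the old key is released before the replacement is known
 * to exist. If the allocation fails, conf->psk still holds the freed address. */
int set_psk_vulnerable(conf_t *conf, const unsigned char *psk, size_t len) {
    if (conf->psk != NULL) t_free(conf->psk);   /* memory gone, pointer kept */
    unsigned char *p = t_calloc(1, len);
    if (p == NULL) return -1;                   /* conf->psk is now dangling */
    memcpy(p, psk, len);
    conf->psk = p; conf->psk_len = len;
    return 0;
}

/* Hardened pattern: allocate and fill the replacement first; only once that
 * has succeeded zeroise and release the old key, so a failure leaves conf
 * exactly as it was. */
int set_psk_hardened(conf_t *conf, const unsigned char *psk, size_t len) {
    unsigned char *p = t_calloc(1, len);
    if (p == NULL) return -1;                   /* conf untouched and still consistent */
    memcpy(p, psk, len);
    if (conf->psk != NULL) { memset(conf->psk, 0, conf->psk_len); t_free(conf->psk); }
    conf->psk = p; conf->psk_len = len;
    return 0;
}

/* Cleanup routine as a caller would write it: frees whatever conf->psk points at. */
void conf_free(conf_t *conf) {
    t_free(conf->psk);
    conf->psk = NULL; conf->psk_len = 0;
}

/* Scenario from the advisory: configure a key, configure again while the
 * allocation fails, then free the configuration. Returns double frees seen. */
int run_scenario(int (*set_psk)(conf_t *, const unsigned char *, size_t)) {
    static const unsigned char k1[] = { 0x01, 0x02, 0x03, 0x04 };         /* constructed keys */
    static const unsigned char k2[] = { 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f };
    conf_t conf = { NULL, 0 };
    tracker_reset();
    if (set_psk(&conf, k1, sizeof k1) != 0) return -1;
    fail_next_alloc = 1;                   /* second call hits an allocation failure */
    (void)set_psk(&conf, k2, sizeof k2);   /* both variants return -1 here */
    conf_free(&conf);
    return double_frees;                   /* 1 for the vulnerable setter, 0 for the hardened one */
}

int main(void) {
    printf("vulnerable setter: %d double free(s)\n", run_scenario(set_psk_vulnerable));
    printf("hardened setter:   %d double free(s)\n", run_scenario(set_psk_hardened));
    tracker_reset();
    return 0;
}
```

The fault-injecting allocator is the part worth copying into real test suites: an allocation-failure path that is never exercised is exactly where this class of bug hides, and running the setter twice with the second allocation forced to fail is the whole reproduction.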
Features (2.2.0 only)
- Experimental support for EC J-PAKE as defined in the new Thread 1.0.0 standard has been added. This is disabled by default as the specification is still under development.
- Added a key extraction callback to access the master secret and key block. (Potential uses include EAP-TLS and Thread.)
Bugfix (all branches)
- Self-signed certificates were not excluded from pathlen counting, resulting in some valid X.509 chains being incorrectly rejected. Found and fixed by Janos Follath.
- Fixes a build error with configurations where ECDHE-PSK is the only key exchange. Found and fixed by Chris Hammond.
- Fixes a build error with configurations where RSA, RSA-PSK, ECDH-RSA or ECDH-ECDSA are the only key exchanges. Multiple reports.
- Fixes a bug causing some handshakes to fail due to some non-fatal alerts not being properly ignored. Found by mancha and Kasom Koht-arsa.
- mbedtls_x509_crt_verify() and mbedtls_x509_crt_verify_with_profile() now also check the key type and size/curve against the profile. Before this change there was no way to set a minimum key size for end-entity certificates with RSA keys. Found by Matthew Page of Scannex Electronics Ltd.
- Fixes failures in the MPI (multi-precision integer) module on Sparc64 due to incorrect assembly code. Found by Kurt Danielson.
- Fixes a typo in the name of the extKeyUsage OID. Found by inestlerode.
- Fixes a bug in ASN.1 encoding of booleans that causes generated CA certificates to be rejected by some applications, including the OS X Keychain. Found and fixed by Jonathan Leroy, Inikup.
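The two pathlen items (the max_pathlen constraint not being enforced on intermediates, and self-signed certificates being wrongly counted) and the profile key-size check, together in one added example that is not mbed TLS code: a chain walk that applies the RFC 5280 pathLenConstraint to every CA certificate in the path, skips self-issued certificates when counting, and checks the key of every certificate, the end-entity included, against a minimum-size profile. The cert_t and profile_t types, verify_chain() and the sample chains are constructed for this illustration; max_pathlen here holds the raw pathLenConstraint with -1 meaning the extension is absent, an encoding chosen for the example and not mbed TLS's internal one.

```c
#include <stdio.h>
#include <string.h>

typedef enum { KEY_RSA, KEY_EC } key_type_t;

/* Minimal certificate view: only the fields the checks below need. */
typedef struct {
    const char *subject;
    const char *issuer;
    int is_ca;          /* basicConstraints cA flag */
    int max_pathlen;    /* pathLenConstraint, -1 if absent (example encoding) */
    key_type_t key_type;
    int key_bits;       /* RSA modulus size or EC curve size in bits */
} cert_t;

typedef struct { int rsa_min_bits; int ec_min_bits; } profile_t;

/* Result flags; verify_chain() ORs together everything it finds. */
enum {
    VERIFY_OK = 0,
    VERIFY_NOT_CA = 1,
    VERIFY_PATHLEN_EXCEEDED = 2,
    VERIFY_ISSUER_MISMATCH = 4,
    VERIFY_BAD_KEY = 8
};

static int self_issued(const cert_t *c) { return strcmp(c->subject, c->issuer) == 0; }

static int key_meets_profile(const cert_t *c, const profile_t *p) {
    int min_bits = (c->key_type == KEY_RSA) ? p->rsa_min_bits : p->ec_min_bits;
    return c->key_bits >= min_bits;
}

/* chain[0] is the end-entity certificate, chain[n-1] the trust anchor. */
int verify_chain(const cert_t *chain, size_t n, const profile_t *profile) {
    int flags = VERIFY_OK;
    for (size_t i = 0; i < n; i++) {
        const cert_t *c = &chain[i];
        /* Every certificate, the end-entity included, must satisfy the key profile. */
        if (!key_meets_profile(c, profile)) flags |= VERIFY_BAD_KEY;
        if (i == 0) continue;                            /* leaf: no CA checks */
        if (strcmp(chain[i - 1].issuer, c->subject) != 0) flags |= VERIFY_ISSUER_MISMATCH;
        if (!c->is_ca) { flags |= VERIFY_NOT_CA; continue; }
        if (c->max_pathlen < 0) continue;                /* no constraint on this CA */
        /* RFC 5280 4.2.1.9: pathLenConstraint bounds the number of non-self-issued
         * intermediate certificates that may follow this one in the path. The
         * end-entity (j = 0) and self-issued certificates are not counted, and
         * the check runs for every CA in the chain, not only the trust anchor. */
        int intermediates_below = 0;
        for (size_t j = 1; j < i; j++)
            if (!self_issued(&chain[j])) intermediates_below++;
        if (intermediates_below > c->max_pathlen) flags |= VERIFY_PATHLEN_EXCEEDED;
    }
    return flags;
}

/* Constructed sample chains: leaf first, trust anchor last. */
const cert_t chain_good[] = {
    { "leaf.example", "Inter CA", 0, -1, KEY_RSA, 2048 },
    { "Inter CA",     "Root CA",  1,  0, KEY_RSA, 2048 },
    { "Root CA",      "Root CA",  1,  1, KEY_RSA, 4096 },
};
const cert_t chain_too_deep[] = {
    { "leaf.example", "Inter 2",  0, -1, KEY_EC, 256 },
    { "Inter 2",      "Inter 1",  1,  0, KEY_EC, 256 },
    { "Inter 1",      "Root CA",  1,  0, KEY_EC, 384 },   /* pathlen 0, yet Inter 2 sits below it */
    { "Root CA",      "Root CA",  1,  2, KEY_EC, 384 },
};
const cert_t chain_rollover[] = {
    { "leaf.example", "Inter CA", 0, -1, KEY_RSA, 2048 },
    { "Inter CA",     "Root CA",  1,  0, KEY_RSA, 2048 },
    { "Root CA",      "Root CA",  1,  1, KEY_RSA, 4096 },  /* self-issued rollover cert: not counted */
    { "Root CA",      "Root CA",  1,  1, KEY_RSA, 4096 },
};
const cert_t chain_weak_leaf[] = {
    { "leaf.example", "Inter CA", 0, -1, KEY_RSA, 1024 },  /* below the profile minimum */
    { "Inter CA",     "Root CA",  1,  0, KEY_RSA, 2048 },
    { "Root CA",      "Root CA",  1,  1, KEY_RSA, 4096 },
};
const profile_t profile_2048 = { 2048, 256 };

#define CHAIN_LEN(c) (sizeof(c) / sizeof((c)[0]))

int main(void) {
    printf("good chain:       %d\n", verify_chain(chain_good, CHAIN_LEN(chain_good), &profile_2048));
    printf("too deep:         %d\n", verify_chain(chain_too_deep, CHAIN_LEN(chain_too_deep), &profile_2048));
    printf("rollover in path: %d\n", verify_chain(chain_rollover, CHAIN_LEN(chain_rollover), &profile_2048));
    printf("weak leaf key:    %d\n", verify_chain(chain_weak_leaf, CHAIN_LEN(chain_weak_leaf), &profile_2048));
    return 0;
}
```

The "too deep" chain is the case the security fix closes: Root CA's own constraint (2) is satisfied, so a verifier that only checks the anchor accepts it, while Inter 1's constraint of 0 is violated by Inter 2. The rollover chain is the bugfix case: counting the self-issued "Root CA" certificate would put two intermediates under the anchor's limit of 1 and reject a valid chain.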
Changes (2.2.0 and 2.1.3)
- Improved performance of mbedtls_ecp_muladd() when one of the scalars is 1 or -1.
Who should update
Users affected by one of the fixed issues or wanting to use the new features should update.
Users of the 1.2 branch are reminded that support for 1.2 ends on December 31, 2015, and are encouraged to move to a maintained branch before that date.
The 2.1 branch will be maintained as a stable branch (security and bug fixes, low-impact changes, no new features) for two years (until December 31, 2017), while the 2.x branch will receive new features and improvements.
Get your copy here:
The hashes for mbedtls-2.2.0-apache.tgz are:
SHA-1 : eceecfc82cbdea8f91ce416489e0f6fee964049c
SHA-256 : 3c6d3487ab056da94450cf907afc84f026aff7880182baffe137c98e3d00fb55
The hashes for mbedtls-2.2.0-gpl.tgz are:
SHA-1 : 69eb876cbdd8a3dc5122be2234d0cfe187437e95
SHA-256 : 451c1b864b5d07df9830f67af600ea6d53629df4484d38e86b2edc7a7526077c
The hashes for mbedtls-2.1.3-apache.tgz are:
SHA-1 : 87fe738c749e9f55e97ede50f0b00f77f338fdfc
SHA-256 : 2f01cfd0d6760726c87c244109fc6917c0ed0d96da4dc10ab8b7e6237532fc90
The hashes for mbedtls-2.1.3-gpl.tgz are:
SHA-1 : a68b8b68646f242bdd792a99f8ad14e175fb68ba
SHA-256 : 59d37b3f11ed2f95751dae4de18f6ce8bb33b1ea3053632c1ec4784fdb0e7dbb
The hashes for mbedtls-1.3.15-gpl.tgz are:
SHA-1 : 718fca315e84d7c23ce81e36870ce34493cac0f5
SHA-256 : ed0be9905ba08f614772ac2b6dcce0c65cf3fb235cab7e6894838efc19518da3
The hashes for polarssl-1.2.18-gpl.tgz are:
SHA-1 : a7448c0f7d9d3a1ea520df12aeea21381e05c37f
SHA-256 : 63c4ed4d9f6a241088e2287958f265403f874248d6a98b98f27cd3aa2f90f030