mbed TLS 2.4.0, 2.1.6 and 1.3.18 released
mbed TLS version 2.4.0 has been released, as well as releases of the maintenance branches, mbed TLS 2.1.6 and 1.3.18.
mbed TLS version 2.4.0 addresses two security issues: one cannot be exploited remotely, and the other is not present in the default configuration.
- (2.4, 2.1, 1.3) Removes the MBEDTLS_SSL_AEAD_RANDOM_IV configuration option, because it was not compliant with RFC-5116 and could lead to session key recovery in very long TLS sessions. See "Nonce-Disrespecting Adversaries: Practical Forgery Attacks on GCM in TLS" by H. Böck, A. Zauner, S. Devlin, J. Somorovsky and P. Jovanovic. This option was not enabled by default.
- (2.4, 2.1, 1.3) Fixes potential stack corruption in mbedtls_x509write_csr_der() when the signature is copied to the buffer without checking whether there is enough space in the destination. The issue cannot be triggered remotely. Found by Jethro Beekman.
- (2.4) Added support for CMAC for AES and 3DES and AES-CMAC-PRF-128, as defined by NIST SP 800-38B, RFC-4493 and RFC-4615.
- (2.4) Added hardware entropy self-test to verify that the hardware entropy source is functioning correctly.
- (2.4) Added a script to print build environment information for diagnostic use in test scripts, which is also now called by
- (2.4) Added the macro MBEDTLS_X509_MAX_FILE_PATH_LEN that enables the user to configure the maximum length of a file path that can be buffered when calling
- (2.4) Added a configuration file config-no-entropy.h that configures the subset of library features that do not require an entropy source.
- (2.4) Added the macro in config.h. This allows users to configure the minimum number of bytes for entropy sources using the
- (2.1, 1.3) Fixes an issue that caused valid certificates to be rejected whenever an expired or not-yet-valid version of the trusted certificate appeared before the valid version in the trusted certificate list.
- (2.4) Fixes platform time abstraction to avoid dependency issues where a build may need time but not the standard C library abstraction, and added configuration consistency checks to
- (2.4) Fixes dependency issue in Makefile to allow parallel builds.
- (2.4, 2.1, 1.3) Fixes incorrect handling of block lengths in the crypt_and_hash.c sample program when GCM is used. Found by udf2457. #441
- (2.4, 2.1, 1.3) Fixes key exchanges based on ECDH-RSA or ECDH-ECDSA, which were not enabled unless others were also present. Found by David Fernandez. #428
- (2.4) Fixes for out-of-tree builds using CMake. Found by jwurzer, and fix based on a contribution from Tobias Tangemann. #541
- (2.4, 2.1, 1.3) Fixes the cert_app.c sample program for debug output and for use when no root certificates are provided.
- (2.4, 2.1, 1.3) Fixes a conditional statement that would cause a 1-byte overread in mbedtls_asn1_get_int(). Found and fixed by Guido Vranken. #599
- (2.4, 2.1) Fixes pthread implementation to avoid unintended double initialisations and double frees. Found by Niklas Amnebratt.
- (2.4, 2.1, 1.3) Fixes the sample application cert_write.c for builds where the configuration MBEDTLS_PEM_WRITE_C is not defined. Found by inestlerode. #559
- (2.4, 2.1) Fixes mbedtls_x509_get_sig() to update the ASN.1 type in the mbedtls_x509_buf data structure only after error checks are successful. Found by subramanyam-c. #622
- (2.4, 2.1, 1.3) Fixes a mismatch between the documentation and the implementation for the function arguments of mbedtls_gcm_finish(). Found by cmiatpaar. #602
- (2.4, 2.1, 1.3) Guarantees that P > Q during RSA key generation. Found by inestlerode. #558
- (2.4, 2.1) Fixes a potential byte overread when verifying a malformed SERVER_HELLO in ssl_parse_hello_verify_request() for DTLS. Found by Guido Vranken.
- (2.4, 2.1) Fixes the check for validity of the date when parsing in mbedtls_x509_get_time(). Found by subramanyam-c. #626
- (2.4) Fixes compatibility issue with Internet Explorer client authentication, where the limited hash choices prevented the client from sending its certificate. Found by teumas. #513
- (2.1, 1.3) Fixes a missing return code check after the call to mbedtls_md_setup() that could result in usage of invalid mbedtls_rsa_rsassa_pss_verify_ext(). Fixed by Brian J. Murray. #502
- (2.4) Fixes compilation without MBEDTLS_SELF_TEST enabled.
- (2.4) Extended test coverage of special cases, and added new timing test suite.
- (2.4) Removed self-tests from the basic-built-test.sh script, and added all missing self-tests to the test suites, to ensure self-tests are only executed once.
- (2.4) Added support for 3 and 4 byte lengths to
- (2.4) Added support for a Yotta specific configuration file - through the symbol
- (2.4) Added optimisation for code space for X.509/OID based on configured features. Contributed by Aviv Palivoda.
- (2.4) Renamed source file library/net_sockets.c to avoid a naming collision in projects which also have files with the common name net.c. For consistency, the corresponding header file, net.h, is marked as deprecated, and its contents moved to
- (2.4) Changed the strategy for X.509 certificate parsing and validation, to no longer disregard certificates with unrecognised fields.
- (1.3) Adds a compile-time option for relaxed X.509 time verification, to accept certificates with a non-standard time format (that is, without seconds or with a time zone). Patch provided by James Yonan of OpenVPN.
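The first security issue in the list above removes random explicit GCM nonces because they can repeat in very long sessions. As an added illustration (not code from the mbed TLS project), the following Python quantifies that risk with the birthday bound: the 64-bit explicit nonce and the 16 KiB record size are the TLS 1.2 AES-GCM constants, while the function names and the probability thresholds are my own choices.

```python
import math

# TLS 1.2 AES-GCM builds each record nonce from a 4-byte implicit salt plus an
# 8-byte explicit part sent with the record. The removed MBEDTLS_SSL_AEAD_RANDOM_IV
# option drew that explicit part at random per record, so repeats follow the
# birthday bound; the default per-session counter cannot repeat before 2**64 records.
EXPLICIT_NONCE_BITS = 64
MAX_RECORD_PLAINTEXT = 16384  # TLS maximum plaintext fragment, 2**14 bytes


def collision_probability(records, nonce_bits=EXPLICIT_NONCE_BITS):
    """Probability that at least one value repeats among `records` independent,
    uniformly random nonces of `nonce_bits` bits: p ~= 1 - exp(-n(n-1) / 2N)."""
    if records < 2:
        return 0.0
    space = 2 ** nonce_bits
    exponent = -(records * (records - 1)) / (2 * space)
    return -math.expm1(exponent)  # 1 - exp(exponent), accurate for tiny p


def records_for_probability(target, nonce_bits=EXPLICIT_NONCE_BITS):
    """Smallest record count at which the repeat probability reaches `target`,
    by inverting the bound above: n ~= sqrt(2N * ln(1 / (1 - target)))."""
    if not 0.0 < target < 1.0:
        raise ValueError("target must be strictly between 0 and 1")
    space = 2 ** nonce_bits
    return math.ceil(math.sqrt(2 * space * -math.log1p(-target)))


def session_bytes_for_probability(target, record_size=MAX_RECORD_PLAINTEXT):
    """Traffic volume (bytes) in one session using random explicit nonces at which
    the repeat probability reaches `target`, assuming full-size records."""
    return records_for_probability(target) * record_size


if __name__ == "__main__":
    for p in (1e-9, 1e-6, 1e-3):
        n = records_for_probability(p)
        gb = session_bytes_for_probability(p) / 1e9
        print(f"p={p:g}: {n:,} records, about {gb:,.0f} GB in a single session")
    print(f"after 2**32 records: p={collision_probability(2**32):.3f}")
```

With a one-in-a-million target the bound is reached after roughly 6 million records, about 100 GB of traffic in one session, which is what "very long TLS sessions" means in practice.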
Who should update
Users affected by one of the issues should update.
Users who want to use the new features should update.
Users of the PolarSSL 1.2 branch are urged to upgrade to one of the maintained branches as 1.2 is now end-of-life and will no longer receive security fixes.
Get your copy here:
The hashes for files/mbedtls-2.4.0-apache.tgz are:
The hashes for files/mbedtls-2.4.0-gpl.tgz are:
The hashes for files/mbedtls-2.1.6-apache.tgz are:
The hashes for files/mbedtls-2.1.6-gpl.tgz are:
The hashes for files/mbedtls-1.3.18-gpl.tgz are: