mbed TLS 2.5.1, 2.1.8 and 1.3.20 released
mbed TLS version 2.5.1 has been released, as well as releases of maintenance branches, mbed TLS 2.1.8 and 1.3.20.
These releases address several security issues.
mbed TLS 2.5.1 provides new features and functions, whilst mbed TLS 2.1.8 and 1.3.20 are maintenance releases, and intentionally do not contain new features to avoid changing the library interface, to allow users to change library versions easily.
mbed TLS 1.3 Approaches its End of Life
mbed TLS 1.3.0 was first shipped on 1st October 2013, and is now approaching its end of life. All users of mbed TLS 1.3 are advised to upgrade to a later version of mbed TLS wherever possible and should be aware that there will be no further maintenance releases of mbed TLS after the end of this year. The last release of mbed TLS 1.3 will be in November 2017.
- (2.5) Adds hardware acceleration support for the Elliptic Curve Point module. This involved exposing parts of the internal interface so that the core functions can be replaced, and adding an alternative, module-level replacement option so that the interface can be extended.
- (2.5) Adds a new configuration option to `mbedtls_ssl_config()` to enable suppressing the CA list in Certificate Request messages. The default behaviour has not changed, namely every configured CA's name is included.
- (2.5) The following functions in the AES module have been deprecated and replaced by the functions shown below. The new functions change the return type from `int` to allow returning error codes when using
- (2.5, 2.1, 1.3) Fixes an unlimited overread of heap-based buffers in `mbedtls_ssl_read()`. The issue could only happen client-side with renegotiation enabled. This could result in a Denial of Service (such as crashing the application) or an information leak (if the application layer sent data read from `mbedtls_ssl_read()` back to the server or to a third party). This can be triggered remotely.
- (2.5, 2.1, 1.3) Adds exponent blinding to RSA private operations as a countermeasure against side-channel attacks like the cache attack described in https://arxiv.org/abs/1702.08719v2. Found and fix proposed by Michael Schwarz, Samuel Weiser, Daniel Gruss, Clémentine Maurice and Stefan Mangard.
- (2.5, 2.1, 1.3) Wipes stack buffers in RSA private key operations (`rsa_rsaes_oaep_decrypt()`). Found by Laurent Simon.
- (2.5, 2.1) Removes SHA-1 and RIPEMD-160 from the default hash algorithms for certificate verification. SHA-1 can be turned back on with a compile-time option if needed.
- (2.5, 2.1) Fixes an offset in `FALLBACK_SCSV` parsing that sometimes caused the TLS server to fail to detect it. Reported by Hugo Leisink.
- (2.5, 2.1, 1.3) Tighten parsing of RSA PKCS#1 v1.5 signatures, to avoid a potential Bleichenbacher/BERserk-style attack.
- (1.3) Removes support for X.509 certificates signed with MD5. Issue raised by Harm Verhagen.
- (1.3) Disables use of extensions for SSLv3, previously causing the "SSLv3 with extensions" test from ssl-opt.sh to fail.
- (2.5, 2.1) Removes macros from `compat-1.3.h` that correspond to deleted items from most recent versions of the library. Found by Kyle Keen.
- (2.5, 2.1) Fixes issue in the Threading module that prevented mutexes from initialising. Found by sznaider. #667 #843
- (2.5) Removes size zero arrays from ECJPAKE test suite. Size zero arrays are not valid C and they prevented the test from compiling in Visual Studio 2015 and with GCC using the -Wpedantic compilation option.
- (2.5, 2.1, 1.3) Fixes insufficient support for the signature-hash-algorithm extension, resulting in compatibility problems with Chrome. Found by hfloyrd.
- (2.5) Fixes behaviour that hid the original cause of fatal alerts in some cases when sending the alert failed. The fix makes sure not to hide the original error that triggered the alert.
- (2.5) Fixes SSLv3 renegotiation behaviour and stops processing data received from the peer after sending a fatal alert to refuse a renegotiation attempt. Previous behaviour was to keep processing data even after the alert had been sent.
- (2.5, 2.1, 1.3) Accepts an empty trusted CA chain in authentication mode `MBEDTLS_SSL_VERIFY_OPTIONAL`. Found by jethrogb.
- (2.5, 2.1, 1.3) Fixes the implementation of `mbedtls_ssl_parse_certificate()` so that it does not destroy fatal errors in authentication mode `MBEDTLS_SSL_VERIFY_OPTIONAL`, and so that bad EC curves are reflected in the verification result.
- (2.5, 2.1, 1.3) Fixes bug that caused the modular inversion function to accept the invalid modulus 1 and therefore to hang. Found by blaufish. #641.
- (2.5, 2.1, 1.3) Fixes incorrect sign computation in modular exponentiation when the base is a negative MPI. Previously the result was always negative. Found by Guido Vranken.
- (2.5, 2.1, 1.3) Fixes a numerical underflow leading to a stack overflow in `mpi_read_file()` that was triggered upon reading an empty line. Found by Guido Vranken.
- (2.5) Adds checks in the PK module for the RSA functions on 64-bit systems. The PK and RSA modules use different types for passing hash length and without these checks the type cast could lead to data loss. Found by Guido Vranken.
- (2.5) Sends fatal alerts in many more cases instead of dropping the connection.
- (2.5, 2.1, 1.3) Clarifies the ECDSA documentation and improves the sample code to avoid misunderstanding and potentially dangerous use of the API. Raised by Jean-Philippe Aumasson.
- (1.3) Adds a new config.h flag `POLARSSL_X509_MIN_VERIFY_MD_ALG` to set the minimum hash accepted when verifying certificate chains. Defaults to SHA1, which means SHA1 is accepted but MD5 and below are rejected.
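The exponent-blinding countermeasure listed above for RSA private operations can be seen in a few lines of arithmetic. The following is an added illustration in plain Python, not mbed TLS code: it uses a constructed toy key built from two small known primes, a hypothetical `private_op_blinded()` helper, and the standard construction d' = d + r * (p-1)(q-1). The point it demonstrates is that the blinded exponent yields exactly the same residue as d while its bit pattern, and therefore the square-and-multiply sequence a cache observer sees, changes on every call.

```python
"""Exponent blinding for an RSA private operation, shown on a toy key.

Added illustration, not mbed TLS code. The key below is constructed from
two small known primes and is for demonstration only.
"""
import secrets
from typing import Optional

P = 1_000_000_007          # constructed toy prime (not a real key)
Q = 998_244_353            # constructed toy prime
N = P * Q
PHI = (P - 1) * (Q - 1)    # Euler's totient of N
E = 65537
D = pow(E, -1, PHI)        # private exponent (Python 3.8+ modular inverse)


def private_op_plain(c: int) -> int:
    """c^d mod n. The fixed secret exponent d drives the same
    square-and-multiply sequence on every call, which is what a
    cache-timing observer tries to recover."""
    return pow(c, D, N)


def blinded_exponent(r: int) -> int:
    """d' = d + r * phi(n).

    m^phi(n) == 1 (mod n) whenever gcd(m, n) == 1 (and a CRT argument
    extends the identity to all m), so raising to d' gives the same
    residue as raising to d while the exponent's bits differ per call."""
    if r <= 0:
        raise ValueError("blinding factor must be a positive integer")
    return D + r * PHI


def private_op_blinded(c: int, r: Optional[int] = None) -> int:
    """c^d mod n computed through a freshly blinded exponent."""
    if not 0 <= c < N:
        raise ValueError("input out of range")
    if r is None:
        r = secrets.randbits(64) | 1   # fresh per operation; never reused
    return pow(c, blinded_exponent(r), N)


def rsa_public(m: int) -> int:
    """m^e mod n, used here only to produce test inputs."""
    return pow(m, E, N)


if __name__ == "__main__":
    m = 0x1234_5678_9ABC
    c = rsa_public(m)
    assert private_op_blinded(c) == m == private_op_plain(c)
    print("blinded and plain private operations agree; exponents differ:",
          blinded_exponent(1) != blinded_exponent(2))
```

Exponent blinding complements blinding of the input value: the former hides which exponent bits are processed, the latter hides which intermediate values are squared and multiplied. The cost is an exponent roughly 64 bits longer, so each private operation does a few dozen more modular multiplications.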
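The tightened RSA PKCS#1 v1.5 signature parsing noted above is best understood by looking at what a strict verifier does. The following is an added example in Python, not the library's code: after the RSA public operation has produced em = I2OSP(s^e mod n, k), it rebuilds the single valid EMSA-PKCS1-v1_5 encoding for the message (SHA-256 assumed as the hash, DigestInfo prefix from RFC 8017 section 9.2) and compares the whole em against it. `verify_encoding_strict()` and `malformed_encoding()` are hypothetical names, and the sample message is constructed.

```python
"""Strict check of an EMSA-PKCS1-v1_5 encoded message (RFC 8017, 9.2).

Added illustration, not mbed TLS code. A verifier that rebuilds the
canonical encoding and compares it byte for byte leaves no room for the
extra or misplaced bytes that lenient parsers have historically accepted.
"""
import hashlib
import hmac

# DER prefix of DigestInfo for SHA-256 (RFC 8017, section 9.2, note 1).
SHA256_DIGESTINFO_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def emsa_pkcs1_v15_encode(message: bytes, em_len: int) -> bytes:
    """Build the unique valid encoding: 0x00 0x01 PS 0x00 T, PS all 0xFF."""
    t = SHA256_DIGESTINFO_PREFIX + hashlib.sha256(message).digest()
    if em_len < len(t) + 11:           # PS must be at least 8 bytes
        raise ValueError("intended encoded message length too short")
    ps = b"\xff" * (em_len - len(t) - 3)
    return b"\x00\x01" + ps + b"\x00" + t


def verify_encoding_strict(em: bytes, message: bytes) -> bool:
    """Accept em only if it equals the canonical encoding byte for byte.

    Walking a variable-length 0xFF run, then parsing DigestInfo and
    ignoring what follows is the lenient pattern behind
    Bleichenbacher/BERserk-style forgeries; exact comparison avoids it."""
    try:
        expected = emsa_pkcs1_v15_encode(message, len(em))
    except ValueError:
        return False
    return hmac.compare_digest(em, expected)


def malformed_encoding(message: bytes, em_len: int, trailing: int) -> bytes:
    """Constructed negative test input: shortened PS, correct DigestInfo and
    hash, then `trailing` zero bytes. It carries the right hash but is not
    the canonical encoding, so a strict verifier must reject it."""
    t = SHA256_DIGESTINFO_PREFIX + hashlib.sha256(message).digest()
    ps = b"\xff" * (em_len - len(t) - 3 - trailing)
    return b"\x00\x01" + ps + b"\x00" + t + b"\x00" * trailing


if __name__ == "__main__":
    msg = b"constructed sample message"
    em = emsa_pkcs1_v15_encode(msg, 256)          # k = 256 for a 2048-bit modulus
    print("canonical accepted:", verify_encoding_strict(em, msg))
    print("trailing bytes rejected:",
          not verify_encoding_strict(malformed_encoding(msg, 256, 4), msg))
```

The comparison is the last step of verification; the RSA public operation and the length check that em has exactly k bytes happen before it, and a signature value outside [0, n) is rejected before any encoding is examined.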
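Two of the bignum fixes above, the modular inversion that accepted the invalid modulus 1 and hung, and the wrong sign from modular exponentiation with a negative base, are both input-handling problems at the edge of the arithmetic. The following added example, in plain Python rather than mbed TLS's MPI code, shows the guards a practitioner expects in such routines: `mod_inverse()` rejects any modulus that is not greater than 1 and reports a missing inverse, and `exp_mod()` maps a negative base to the positive residue, negating only when the exponent is odd. Both names and the `rejects()` helper are hypothetical.

```python
"""Input validation for modular inverse and sign handling in modular
exponentiation. Added illustration, not mbed TLS code."""


def mod_inverse(a: int, n: int) -> int:
    """Return x with a*x == 1 (mod n), or raise if no inverse exists."""
    if n <= 1:
        # Every integer is 0 mod 1, so no inverse can exist; the pre-fix
        # code accepted n == 1 and looped forever instead of failing here.
        raise ValueError("modulus must be greater than 1")
    a %= n
    old_r, r = a, n           # invariant: old_s * a == old_r (mod n)
    old_s, s = 1, 0
    while r != 0:             # extended Euclid; terminates since r shrinks
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
    if old_r != 1:
        raise ValueError("inverse does not exist (gcd != 1)")
    return old_s % n


def exp_mod(a: int, e: int, n: int) -> int:
    """a^e mod n for a possibly negative base; result always in [0, n)."""
    if n <= 0:
        raise ValueError("modulus must be positive")
    if e < 0:
        raise ValueError("negative exponent not supported")
    x = pow(abs(a), e, n)
    # (-a)^e == a^e for even e and == -(a^e) for odd e. The pre-fix
    # behaviour was to return a negative result regardless of e's parity.
    if a < 0 and e % 2 == 1:
        x = (-x) % n
    return x


def rejects(fn, *args) -> bool:
    """True if fn(*args) raises ValueError; used to exercise the guards."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("inverse of 3 mod 7:", mod_inverse(3, 7))
    print("(-2)^3 mod 7:", exp_mod(-2, 3, 7), "(-2)^2 mod 7:", exp_mod(-2, 2, 7))
    print("modulus 1 rejected:", rejects(mod_inverse, 5, 1))
```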
Who should update
Users affected by one of the issues should update.
Users of the PolarSSL 1.2 branch are urged to upgrade to one of the maintained branches as 1.2 is now end-of-life and will no longer receive security fixes.
Get your copy here:
The hashes for files/mbedtls-2.5.1-apache.tgz are:
SHA-1: 0e8183e57fed5156bfb03817fedc3cc14a7dc2c4
SHA-256: 559aeb8c8941262d6aad96a0286a230e7ff988ba53efbf609230ca1f81cc81f9
The hashes for files/mbedtls-2.5.1-gpl.tgz are:
SHA-1: 3ca5e25d4e131d845e3fc7db5003b15de294013f
SHA-256: 312f020006f0d8e9ede3ed8e73d907a629baf6475229703941769372ab0adee2
The hashes for files/mbedtls-2.1.8-apache.tgz are:
SHA-1: 6fe5b219c50c5961312b6fe01aece2681be3dd4f
SHA-256: 9cd2b1af2cd1c66fb44b8aa366b158684c12ff802721a63ab1d652ffea6b3090
The hashes for files/mbedtls-2.1.8-gpl.tgz are:
SHA-1: f684f95094c5295b71bde0db8e3c7c67a7a7d55f
SHA-256: 948c045d177084b5d6db056421ed21f6908a28c52d6e5a2377e96572b70f8afb
The hashes for files/mbedtls-1.3.20-gpl.tgz are:
SHA-1: 973bc304e6e85c9beaa354d3881a84f7cf0fc9e1
SHA-256: 00fc54f9838120cb0c13d07e79417af1f5e89633a0efc8399327e7c2024b666f
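A downloaded tarball should be checked against the published SHA-256 value before it is unpacked; SHA-1 is listed too, but SHA-256 is the one to rely on. The following is an added helper, not part of the announcement: the expected digests are copied from the list above, the tarball file names are assumed to be the files as downloaded into the current directory, and `verify_downloads()` and `self_check()` are hypothetical names. The self-check uses a constructed file whose SHA-256 is the well-known "abc" test vector.

```python
"""Verify downloaded mbed TLS release tarballs against the published SHA-256
values. Added example, not part of the announcement."""
import hashlib
import hmac
import os
import tempfile

# SHA-256 values as published in the release announcement.
RELEASE_SHA256 = {
    "mbedtls-2.5.1-apache.tgz": "559aeb8c8941262d6aad96a0286a230e7ff988ba53efbf609230ca1f81cc81f9",
    "mbedtls-2.5.1-gpl.tgz":    "312f020006f0d8e9ede3ed8e73d907a629baf6475229703941769372ab0adee2",
    "mbedtls-2.1.8-apache.tgz": "9cd2b1af2cd1c66fb44b8aa366b158684c12ff802721a63ab1d652ffea6b3090",
    "mbedtls-2.1.8-gpl.tgz":    "948c045d177084b5d6db056421ed21f6908a28c52d6e5a2377e96572b70f8afb",
    "mbedtls-1.3.20-gpl.tgz":   "00fc54f9838120cb0c13d07e79417af1f5e89633a0efc8399327e7c2024b666f",
}


def sha256_file(path: str) -> str:
    """Hex SHA-256 of a file, read in chunks so large tarballs stay cheap."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_file(path: str, expected_hex: str) -> bool:
    """Compare the computed digest with the published one in constant time."""
    return hmac.compare_digest(sha256_file(path), expected_hex.lower())


def verify_downloads(directory: str = ".") -> dict:
    """Check every published tarball present in `directory`.

    Returns {file name: True/False}; tarballs not present are skipped."""
    results = {}
    for name, digest in RELEASE_SHA256.items():
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            results[name] = verify_file(path, digest)
    return results


def self_check() -> bool:
    """Constructed file containing b"abc"; its SHA-256 is the standard test vector."""
    abc = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(b"abc")
        return verify_file(path, abc) and not verify_file(path, "00" * 32)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    assert self_check()
    for name, ok in verify_downloads().items():
        print(f"{name}: {'OK' if ok else 'MISMATCH'}")
```

A mismatch means the file is not the one the announcement describes, whether through a truncated download or something less benign, and it should not be built.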