Mbed TLS 2.6.0, 2.1.9 and 1.3.21 released
Mbed TLS version 2.6.0 has been released, in addition to maintenance branch releases, Mbed TLS 2.1.9 and 1.3.21.
These releases address several security issues, one of which can be remotely exploited, depending on how the application software uses Mbed TLS.
Mbed TLS 2.6.0 provides new features and functions, whilst Mbed TLS 2.1.9 and 1.3.21 are maintenance releases, and intentionally do not contain new features to avoid changing the library interface and allow users to change library versions easily.
Mbed TLS 1.3 approaches its end of life
Mbed TLS 1.3.0 was first shipped on 1st October 2013, and the 1.3 branch is now approaching its end of life. All users of Mbed TLS 1.3 are advised to upgrade to a later version of Mbed TLS wherever possible, and should be aware that there will be no further maintenance releases of Mbed TLS 1.3 after the end of this year. The last release of Mbed TLS 1.3 will be in November 2017.
(2.6, 2.1, 1.3) Fixed an authentication bypass issue in SSL/TLS. When the TLS authentication mode was set to 'optional', mbedtls_ssl_get_verify_result() would incorrectly return 0 when the peer's X.509 certificate chain had more than MBEDTLS_X509_MAX_INTERMEDIATE_CA intermediates (default: 8), even when the chain was not trusted. This could be triggered remotely on both the client and server side. (Note that with the authentication mode set by mbedtls_ssl_conf_authmode() to 'required' (the default), the handshake was correctly aborted.)
(2.6, 2.1, 1.3) Added wiping of sensitive data after use in the AES example application programs/aes/crypt_and_hash. Found by Laurent Simon.
(2.6) Added the functions mbedtls_platform_setup() and mbedtls_platform_teardown() and the context struct mbedtls_platform_context to perform platform-specific setup and teardown operations. The configuration macro MBEDTLS_PLATFORM_SETUP_TEARDOWN_ALT allows the functions to be overridden by the user in a platform_alt.h header file. These functions are useful to provide a means to initialise underlying cryptographic acceleration hardware.
(2.6) Reverted API/ABI changes introduced in Mbed TLS 2.5.1 to restore the API to be compatible with Mbed TLS 2.5.0, removing some minor breaks in the interface. Specifically, the inline qualifier was removed from the function mbedtls_ssl_ciphersuite_uses_psk(). Found by James Cowgill. #978
(2.6, 2.1, 1.3) Certificate verification functions now set the flags output to -1 (all bits set) when the full chain could not be verified, whether because of an internal error (including an error in the verify callback) or because of chain length limitations.
(2.6, 2.1, 1.3) When the SSL verification mode is set to MBEDTLS_SSL_VERIFY_OPTIONAL, the handshake is now aborted if verification of the peer's certificate failed because the chain was too long, or if a fatal error was returned by the verification callback.
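The three items above describe one failure mode: a chain walk that gives up at the intermediate-CA limit and reports an empty flag set, which an application in 'optional' mode then reads as "trusted". The following is an added example written for this page, not Mbed TLS code: a constructed model of such a chain walk with the old and the fixed behaviour side by side, together with the fail-closed check an application using MBEDTLS_SSL_VERIFY_OPTIONAL must apply to the verify result. The cert structure, the flag bit values and the helper names are assumptions made for the demonstration; only the limit of 8 and the all-ones "could not verify" value come from the text.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <inttypes.h>

/* Constructed model of a certificate chain walk with an intermediate-CA
 * limit. Added illustration, not Mbed TLS code; the flag values and the
 * cert structure are assumptions made for the demonstration. */

#define MAX_INTERMEDIATE_CA 8u            /* same default as the library */
#define FLAG_EXPIRED        0x00000001u   /* assumed flag bit */
#define FLAG_NOT_TRUSTED    0x00000008u   /* assumed flag bit */
#define FLAGS_UNVERIFIED    0xFFFFFFFFu   /* (uint32_t)-1: could not verify */

struct cert {
    int issuer;    /* index of the issuing cert in the chain, -1 if self-signed */
    int in_store;  /* 1 if this cert is a trust anchor */
    int expired;
};

/* Walk from the leaf (index 0) towards a trust anchor. On hitting the
 * intermediate limit the old behaviour returned whatever flags had been
 * accumulated so far, which is 0 for a chain with no other defect, so an
 * untrusted chain with nine intermediates looked fully valid. The fixed
 * behaviour reports the all-ones "unverified" value instead. */
static uint32_t verify_chain(const struct cert *chain, size_t n, int fixed)
{
    uint32_t flags = 0;
    unsigned intermediates = 0;
    size_t cur = 0;

    for (;;) {
        if (cur >= n) return flags | FLAG_NOT_TRUSTED;
        if (chain[cur].expired) flags |= FLAG_EXPIRED;

        int issuer = chain[cur].issuer;
        if (issuer < 0 || (size_t)issuer >= n)
            return flags | FLAG_NOT_TRUSTED;          /* top of chain, no anchor */
        if (chain[issuer].in_store)
            return flags;                             /* anchored */
        if (++intermediates > MAX_INTERMEDIATE_CA)
            return fixed ? FLAGS_UNVERIFIED : flags;  /* old code: silent give-up */
        cur = (size_t)issuer;
    }
}

/* Build leaf -> k intermediates -> root; the root is in the trust store
 * only if 'anchored' is set. Returns the chain length (0 if too long). */
static size_t build_chain(struct cert *out, size_t cap, size_t k, int anchored)
{
    size_t n = k + 2;
    if (n > cap) return 0;
    for (size_t i = 0; i < n; i++) {
        out[i].issuer   = (i + 1 < n) ? (int)(i + 1) : -1;
        out[i].in_store = (i + 1 == n) ? anchored : 0;
        out[i].expired  = 0;
    }
    return n;
}

/* Application-side decision for MBEDTLS_SSL_VERIFY_OPTIONAL: the handshake
 * may complete even when verification failed, so the application must treat
 * any non-zero flag set, including the all-ones value, as untrusted. */
static int peer_is_trusted(uint32_t verify_result)
{
    return verify_result == 0;
}

/* Convenience wrapper: verify flags for a chain with k intermediates. */
static uint32_t verify_demo(size_t k, int anchored, int fixed)
{
    struct cert chain[32];
    size_t n = build_chain(chain, sizeof chain / sizeof chain[0], k, anchored);
    return n ? verify_chain(chain, n, fixed) : FLAGS_UNVERIFIED;
}

int main(void)
{
    for (size_t k = 7; k <= 9; k++)
        printf("%zu intermediates: old=0x%08" PRIx32 " fixed=0x%08" PRIx32
               " trusted(fixed)=%d\n",
               k, verify_demo(k, 1, 0), verify_demo(k, 1, 1),
               peer_is_trusted(verify_demo(k, 1, 1)));
    return 0;
}
```

With eight intermediates both walks reach the anchor and return 0; with nine the old walk also returns 0, which is the bypass, while the fixed walk returns 0xFFFFFFFF and peer_is_trusted() rejects it. The point for application code is that the only trusted value is exactly 0; never test for individual bits you happen to know about.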
(2.6, 2.1, 1.3) Added a check that iv_len is not zero when using GCM, returning an error if it is. Reported by roberto. #716
(2.6, 2.1, 1.3) Changed a preprocessor condition to #if defined(MBEDTLS_THREADING_C), as the library cannot assume threading will always be implemented by pthread support. #696
(2.6, 2.1, 1.3) Fixed a resource leak on Windows platforms in the function mbedtls_x509_crt_parse_path(), which occurred in the event of an error. Found by redplait. #590
(2.6, 2.1, 1.3) Added checking for errors in calls to mbedtls_mpi_fill_random(). Reported by and fix proposed by Guido Vranken. #740
(2.6) Fixed conditional pre-processor directives in bignum.h to enable 64-bit compilation when using ARM Compiler 6.
(2.6, 2.1, 1.3) Fixed a potential integer overflow in the version verification for DER encoded X.509 CRLs and CSRs. The overflow could enable maliciously constructed CRLs to bypass the version verification check. Found by Peng Li/Yueh-Hsun Lin, KNOX Security, Samsung Research America.
(2.6, 2.1, 1.3) Fixed a potential integer overflow in the version verification for DER encoded X.509 certificates. The overflow could enable maliciously constructed certificates to bypass the certificate verification check.
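The two items above do not say where the arithmetic goes wrong, so the following added example is a constructed model rather than Mbed TLS code. It assumes the usual shape of such a check: the DER INTEGER version field is decoded into an int, and the encoded value (0..2) is turned into the displayed version (1..3) by adding one. If the range check runs after the increment, a field encoding INT_MAX wraps and sails through; checking the raw value first closes it. The decoder, the function names and the sample DER bytes are all assumptions made for the demonstration.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of an X.509 version check, added for illustration and
 * not taken from Mbed TLS. Assumes the value is decoded into an int and
 * converted to the displayed version by adding one. */

/* Minimal DER INTEGER decoder: tag 0x02, short-form length, non-negative
 * value of at most sizeof(int) bytes (longer encodings are refused, as a
 * typical ASN.1 getter does). Returns 0 on success, -1 on malformed input. */
static int der_get_int(const unsigned char *buf, size_t len, int *out)
{
    if (len < 2 || buf[0] != 0x02) return -1;
    size_t n = buf[1];
    if (n == 0 || n > sizeof(int) || 2 + n > len) return -1;
    if (buf[2] & 0x80) return -1;               /* negative INTEGER: reject */
    unsigned int v = 0;
    for (size_t i = 0; i < n; i++) v = (v << 8) | buf[2 + i];
    *out = (int)v;                              /* fits: top bit is clear */
    return 0;
}

/* Vulnerable ordering (modelled): increment, then range-check. A parsed
 * value of INT_MAX wraps on the increment (done here in unsigned arithmetic
 * so the demonstration is well defined; in signed C it is undefined
 * behaviour), the result is negative and therefore not greater than 3, so
 * the bogus version is accepted. Returns 1 if accepted, 0 if rejected. */
static int version_accept_old(int parsed, int *version)
{
    int v = (int)((unsigned int)parsed + 1u);   /* modelled wrap-around */
    if (v > 3) return 0;
    *version = v;
    return 1;
}

/* Hardened ordering: bound the raw value before doing any arithmetic. */
static int version_accept_fixed(int parsed, int *version)
{
    if (parsed < 0 || parsed > 2) return 0;
    *version = parsed + 1;
    return 1;
}

/* Constructed inputs: a normal v3 field, one encoding INT_MAX, and one
 * whose length exceeds sizeof(int) so the decoder itself refuses it. */
static const unsigned char VERSION_V3[]       = { 0x02, 0x01, 0x02 };
static const unsigned char VERSION_OVERFLOW[] = { 0x02, 0x04, 0x7F, 0xFF, 0xFF, 0xFF };
static const unsigned char VERSION_TOO_LONG[] = { 0x02, 0x05, 0x01, 0x00, 0x00, 0x00, 0x00 };

/* Decode and check; returns the accepted version, or -1 if rejected. */
static int check_version(const unsigned char *der, size_t len, int fixed)
{
    int parsed, version = 0;
    if (der_get_int(der, len, &parsed) != 0) return -1;
    int ok = fixed ? version_accept_fixed(parsed, &version)
                   : version_accept_old(parsed, &version);
    return ok ? version : -1;
}

int main(void)
{
    printf("v3 field:      old=%d fixed=%d\n",
           check_version(VERSION_V3, sizeof VERSION_V3, 0),
           check_version(VERSION_V3, sizeof VERSION_V3, 1));
    printf("INT_MAX field: old=%d fixed=%d\n",
           check_version(VERSION_OVERFLOW, sizeof VERSION_OVERFLOW, 0),
           check_version(VERSION_OVERFLOW, sizeof VERSION_OVERFLOW, 1));
    return 0;
}
```

The general lesson is the one the fix embodies: validate the range of an attacker-supplied integer as decoded, before any arithmetic is applied to it, because the arithmetic is exactly what turns an out-of-range value back into an in-range one.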
(2.6) Fixed a call to the libc function time() to call the platform abstraction function mbedtls_time() instead. Found by wairua. #666
(2.6, 2.1, 1.3) Avoided shadowing of time and index functions through Mbed TLS function arguments. Found by inestlerode. #557
Added the configuration option MBEDTLS_NO_UDBL_DIVISION to prevent the use of 64-bit division. This is useful on embedded platforms where 64-bit division creates a dependency on external libraries. #708
(2.6) Removed mutexes from ECP hardware accelerator code. Now all hardware accelerator code in the library leaves concurrency handling to the platform. Reported by Steven Cooreman. #863
(2.6) Defined the macro MBEDTLS_AES_ROM_TABLES in the configuration file config-no-entropy.h to reduce the RAM footprint.
Added a test script that can be hooked into git that verifies commits before they are pushed.
Improved documentation of PKCS1 decryption functions.
Who should update
Users affected by one of the issues should update.
Users of the PolarSSL 1.2 branch are urged to upgrade to one of the maintained branches as 1.2 is now end-of-life and will no longer receive security fixes.
Get your copy here:
The hashes for mbedtls-2.6.0-apache.tgz are:
SHA-1: e914288da50977f541773f9d36e26f14926594a5 SHA-256: 99bc9d4212d3d885eeb96273bcde8ecc649a481404b8d7ea7bb26397c9909687
The hashes for mbedtls-2.6.0-gpl.tgz are:
SHA-1: 0e657805b5dc9777e0e0333a95d7886ae8f0314e SHA-256: a99959d7360def22f9108d2d487c9de384fe76c349697176b1f22370080d5810
The hashes for mbedtls-2.1.9-apache.tgz are:
SHA-1: 880f1cd07809f902f5db733c8ceea8112eba6586 SHA-256: e098c03583f22a09a078bbb23c6bb9e7143f36b4357964bb481513e819097aa4
The hashes for mbedtls-2.1.9-gpl.tgz are:
SHA-1: 9ef8e90e024a7c731dcf11288344e3b47e707763 SHA-256: 2b0946fd4e9aa02b2461bf0abc121750c8904a26a0eb5593be59fb9e22005be1
The hashes for mbedtls-1.3.21-gpl.tgz are:
SHA-1: de6855b8f9570f22f660552184efa3f42b3b0412 SHA-256: 85ab0ac922e2b254063384fcae8f327acea48079eef8feccd90a4288a9d2ba84