Mbed TLS 2.6.0, 2.1.9 and 1.3.21 released
Description
Mbed TLS version 2.6.0 has been released, in addition to maintenance branch releases, Mbed TLS 2.1.9 and 1.3.21.
These releases address several security issues, one of which can be remotely exploited, dependent on how application software uses Mbed TLS.
Mbed TLS 2.6.0 provides new features and functions, whilst Mbed TLS 2.1.9 and 1.3.21 are maintenance releases, and intentionally do not contain new features to avoid changing the library interface and allow users to change library versions easily.
Mbed TLS 1.3 approaches its end of life
Mbed TLS 1.3.0 was first shipped on 1st October 2013, and is now approaching its end of life. All users of Mbed TLS 1.3.0 are advised to upgrade to a later version of Mbed TLS wherever possible and should be aware that there will be no further maintenance releases of Mbed TLS after the end of this year. The last release of Mbed TLS 1.3 will be in November 2017.
Security
- (2.6, 2.1, 1.3) Fixed an authentication bypass issue in SSL/TLS. When the TLS authentication mode was set to 'optional', mbedtls_ssl_get_verify_result() would incorrectly return 0 when the peer's X.509 certificate chain had more than MBEDTLS_X509_MAX_INTERMEDIATE_CA intermediates (default: 8), even when it was not trusted. This could be triggered remotely on both the client and server side. (Note: with the authentication mode set by mbedtls_ssl_conf_authmode() to 'required' (the default), the handshake was correctly aborted.)
- (2.6, 2.1, 1.3) Added wiping of sensitive data after use in the AES example applications programs/aes/aescrypt2 and programs/aes/crypt_and_hash. Found by Laurent Simon.
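The bypass above, modelled as an added example (not Mbed TLS source): a toy chain walk that, pre-fix, stops silently at the intermediate limit and leaves the verify flags at 0, so an application in 'optional' mode that treats 0 as "trusted" accepts an unanchored chain; the fixed walk writes the all-bits-set sentinel instead. Certificate identities, the find_issuer/walk helpers and the 0x08 NOT_TRUSTED flag value are assumptions of this model.

```c
#include <stdint.h>
#include <stddef.h>

#define MAX_INTERMEDIATE_CA 8             /* Mbed TLS default per these notes */
#define BADCERT_NOT_TRUSTED 0x08u         /* assumed: MBEDTLS_X509_BADCERT_NOT_TRUSTED */
#define VERIFY_INCOMPLETE ((uint32_t)-1)  /* the "-1" the fix stores in flags */

/* Toy certificate: subject/issuer identities are small integers (constructed). */
struct cert { int subject; int issuer; };

/* Return the certificate in `chain` that issued `c`, or NULL if none is present. */
static const struct cert *find_issuer(const struct cert *c, const struct cert *chain, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (&chain[i] != c && chain[i].subject == c->issuer)
            return &chain[i];
    return NULL;
}

/* Chain walk from the leaf (chain[0]) towards `root`. `fail_open` models the
 * pre-fix behaviour: hitting the intermediate limit returns with flags == 0. */
static uint32_t walk(const struct cert *chain, size_t n, int root, int fail_open) {
    const struct cert *cur = &chain[0];
    for (int depth = 0; ; depth++) {
        if (cur->issuer == root)
            return 0;                                   /* anchored in trusted CA */
        if (depth >= MAX_INTERMEDIATE_CA)
            return fail_open ? 0 : VERIFY_INCOMPLETE;   /* limit reached */
        cur = find_issuer(cur, chain, n);
        if (cur == NULL)
            return BADCERT_NOT_TRUSTED;                 /* issuer never presented */
    }
}

uint32_t verify_chain_buggy(const struct cert *c, size_t n, int root) { return walk(c, n, root, 1); }
uint32_t verify_chain_fixed(const struct cert *c, size_t n, int root) { return walk(c, n, root, 0); }

/* What an application in VERIFY_OPTIONAL mode typically does with the result. */
int peer_authenticated(uint32_t flags) { return flags == 0; }

/* Build leaf + k intermediates (k <= 14) whose last issuer is `root`; returns length. */
size_t build_chain(struct cert *out, int k, int root) {
    out[0].subject = 1000; out[0].issuer = (k > 0) ? 1 : root;
    for (int i = 1; i <= k; i++) { out[i].subject = i; out[i].issuer = (i < k) ? i + 1 : root; }
    return (size_t)k + 1;
}

/* Verify a constructed chain of k intermediates against root 999 with either model. */
uint32_t verify_demo(int k, int root, int fixed) {
    struct cert chain[16];
    size_t n = build_chain(chain, k > 14 ? 14 : k, 999);
    return fixed ? verify_chain_fixed(chain, n, root) : verify_chain_buggy(chain, n, root);
}
```

With nine intermediates the buggy model returns 0 and peer_authenticated() says yes, which is exactly the fail-open the fix removes.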
Features
- (2.6) Added the functions mbedtls_platform_setup() and mbedtls_platform_teardown() and the context struct mbedtls_platform_context to perform platform-specific setup and teardown operations. The configuration macro MBEDTLS_PLATFORM_SETUP_TEARDOWN_ALT allows the functions to be overridden by the user in a platform_alt.h header file. These functions are useful to provide a means to initialise underlying cryptographic acceleration hardware.
API Changes
- (2.6) Reverted API/ABI changes introduced in Mbed TLS 2.5.1 to restore the API to be compatible with Mbed TLS 2.5.0, removing some minor breaks in the interface. Specifically, the inline qualifier was removed from the functions mbedtls_aes_decrypt(), mbedtls_aes_encrypt(), mbedtls_ssl_ciphersuite_uses_ec() and mbedtls_ssl_ciphersuite_uses_psk(). Found by James Cowgill. #978
- (2.6, 2.1, 1.3) Certificate verification functions now set flags to -1 in case the full chain was not verified due to an internal error (including in the verify callback) or chain length limitations.
- (2.6, 2.1, 1.3) When the SSL verification mode is set to MBEDTLS_SSL_VERIFY_OPTIONAL, the handshake is now aborted if the verification of the peer's certificate failed due to an overly long chain, or alternatively if a fatal error was returned in the verification callback.
Bugfix
- (2.6, 2.1, 1.3) Added a check to confirm iv_len is zero when using GCM, and return an error if so. Reported by roberto. #716
- (2.6, 2.1, 1.3) Changed a preprocessor condition from #if defined(MBEDTLS_THREADING_PTHREAD) to #if defined(MBEDTLS_THREADING_C), as the library cannot assume threading will always be implemented by pthread support. #696
- (2.6, 2.1, 1.3) Fixed a resource leak on Windows platforms in the function mbedtls_x509_crt_parse_path(), which occurred in the event of an error. Found by redplait. #590
- (2.6, 2.1, 1.3) Added checking for errors in calls to mbedtls_mpi_fill_random(). Reported by and fix proposed by Guido Vranken. #740
- (2.6) Fixed conditional pre-processor directives in bignum.h to enable 64-bit compilation when using ARM Compiler 6.
- (2.6, 2.1, 1.3) Fixed a potential integer overflow in the version verification for DER encoded X.509 CRLs and CSRs. The overflow could enable maliciously constructed CRLs to bypass the version verification check. Found by Peng Li/Yueh-Hsun Lin, KNOX Security, Samsung Research America.
- (2.6, 2.1, 1.3) Fixed a potential integer overflow in the version verification for DER encoded X.509 certificates. The overflow could enable maliciously constructed certificates to bypass the certificate verification check.
- (2.6) Fixed a call to the libc function time() to call the platform abstraction function mbedtls_time() instead. Found by wairua. #666
- (2.6, 2.1, 1.3) Avoided shadowing of time and index functions through Mbed TLS function arguments. Found by inestlerode. #557
Changes
- (2.6) Added config.h option MBEDTLS_NO_UDBL_DIVISION to prevent the use of 64-bit division. This is useful on embedded platforms where 64-bit division created a dependency on external libraries. #708
- (2.6) Removed mutexes from ECP hardware accelerator code. Now all hardware accelerator code in the library leaves concurrency handling to the platform. Reported by Steven Cooreman. #863
- (2.6) Define the macro MBEDTLS_AES_ROM_TABLES in the configuration file config-no-entropy.h to reduce the RAM footprint.
- Added a test script that can be hooked into git that verifies commits before they are pushed.
- Improved documentation of PKCS1 decryption functions.
Who should update
Users affected by one of the issues should update.
Users of the PolarSSL 1.2 branch are urged to upgrade to one of the maintained branches as 1.2 is now end-of-life and will no longer receive security fixes.
Download links
Get your copy here:
- mbedtls-2.6.0-apache.tgz
- mbedtls-2.6.0-gpl.tgz
- mbedtls-2.1.9-apache.tgz
- mbedtls-2.1.9-gpl.tgz
- mbedtls-1.3.21-gpl.tgz
Hashes
The hashes for mbedtls-2.6.0-apache.tgz are:
SHA-1: e914288da50977f541773f9d36e26f14926594a5
SHA-256: 99bc9d4212d3d885eeb96273bcde8ecc649a481404b8d7ea7bb26397c9909687
The hashes for mbedtls-2.6.0-gpl.tgz are:
SHA-1: 0e657805b5dc9777e0e0333a95d7886ae8f0314e
SHA-256: a99959d7360def22f9108d2d487c9de384fe76c349697176b1f22370080d5810
The hashes for mbedtls-2.1.9-apache.tgz are:
SHA-1: 880f1cd07809f902f5db733c8ceea8112eba6586
SHA-256: e098c03583f22a09a078bbb23c6bb9e7143f36b4357964bb481513e819097aa4
The hashes for mbedtls-2.1.9-gpl.tgz are:
SHA-1: 9ef8e90e024a7c731dcf11288344e3b47e707763
SHA-256: 2b0946fd4e9aa02b2461bf0abc121750c8904a26a0eb5593be59fb9e22005be1
The hashes for mbedtls-1.3.21-gpl.tgz are:
SHA-1: de6855b8f9570f22f660552184efa3f42b3b0412
SHA-256: 85ab0ac922e2b254063384fcae8f327acea48079eef8feccd90a4288a9d2ba84