Mbed TLS 2.7.0, 2.1.10 and 1.3.22 released
Mbed TLS version 2.7.0 has been released, in addition to maintenance releases of Mbed TLS 2.1 and Mbed TLS 1.3.
Mbed TLS 2.7.0 introduces the ability to provide cryptographic hardware acceleration for many more of the library's functions, as well as addressing several security issues and resolving many defects. Mbed TLS 2.1.10 and 1.3.22 are maintenance releases, and intentionally do not contain new features to avoid changing the library interface and allow users to change library versions easily.
These releases also address multiple security issues, including two significant security issues which have been assigned the CVE codes, CVE-2018-0487 and CVE-2018-0488 and for which security advisories are being provided.
End of life for Mbed TLS 1.3
Mbed TLS 1.3.0 was first shipped on 1st October 2013, and has now reached the end of its life. All users of Mbed TLS 1.3 are advised to upgrade to a later version of Mbed TLS wherever possible and should be aware that no further maintenance releases of Mbed TLS 1.3 are planned.
Users seeking assistance in upgrading to later versions of Mbed TLS are recommended to read the 'Upgrade to 2.0 Knowledgebase article'.
(2.7, 2.1, 1.3) Fixed a heap corruption issue in the implementation of the truncated HMAC extension. When the truncated HMAC extension is enabled and CBC is used, sending a malicious application packet could be used to selectively corrupt 6 bytes on the peer's heap, which could potentially lead to crash or remote code execution. The issue could be triggered remotely from either side in both TLS and DTLS. CVE-2018-0488
(2.7, 2.1, 1.3) Fixed a buffer overflow in RSA-PSS verification when the hash was too large for the key size, which could potentially lead to crash or remote code execution. Found by Seth Terashima, Qualcomm Product Security Initiative, Qualcomm Technologies Inc. CVE-2018-0487
(2.7, 2.1, 1.3) Fixed a buffer overflow in RSA-PSS verification when the unmasked data was all zeros.
(2.7, 2.1, 1.3) Fixed an unsafe bounds check in
ssl_parse_client_psk_identity()when adding 64kb to the address of the SSL buffer and causing a wrap around.
(2.7, 2.1) Fixed a potential heap buffer overflow in
mbedtls_ssl_write()when the maximum fragment length extension was disabled and application data passed to the function
mbedtls_ssl_write()was larger than the internal message buffer.
The exploitability of this issue depends on whether the application layer can be forced into sending such large packets. The issue was independently reported by Tim Nordell via e-mail and by Florin Petriuc and sjorsdewit. Fix proposed by Florin Petriuc in #1022. Fixes #707.
(2.7, 2.1, 1.3) Added a provision to prevent compiler optimizations breaking the time constancy of
(2.7, 2.1, 1.3) Added a provision to ensure that more buffers are cleared after use if they contain sensitive data. Changes were introduced in multiple places in the library.
(2.7, 2.1, 1.3) Added a provision to set the PEM buffer to zero before freeing it, to avoid decoded private keys being leaked to memory after release.
(2.7, 2.1, 1.3) Corrected
dhm_check_range()to detect trivial subgroups which were potentially leaking 1 bit of the private key. Reported by prashantkspatil.
(2.7, 2.1, 1.3) Made
mbedtls_mpi_read_binary()constant-time with respect to the input data. Previously, trailing zero bytes were detected and omitted for the sake of saving memory, but potentially led to slight timing differences. Reported by Marco Macchetti, Kudelski Group.
(2.7, 2.1, 1.3) Added provision to wipe the stack buffer temporarily holding the EC private exponent after keypair generation.
(2.7, 2.1, 1.3) Fixed a potential heap buffer over-read in the ALPN extension parsing (server-side). This could result in an application crash, but only if an ALPN name larger than 16 bytes had been configured on the server.
(2.7, 2.1, 1.3) Changed the default choice of DHE parameters from the ones in RFC 5114 to the ones in RFC 3526, which were transparently generated.
(2.7) Added support for alternative implementations of the CCM and CMAC modules to enable cryptographic hardware acceleration of them. Submitted by Steven Cooreman, Silicon Labs.
(2.7) Added support for alternative implementations of the GCM module, enabled by the configuration flag
MBEDTLS_GCM_ALT, to enable cryptographic hardware acceleration of them.
(2.7) Added support for alternative implementations of the ECDSA module, controlled by the configuration flags
The following functions from the ECDSA module can be replaced with alternative implementations:
mbedtls_ecdsa_sign() mbedtls_ecdsa_verify() mbedtls_ecdsa_genkey()
(2.7) Added support for alternative implementations of ECDH, controlled by the configuration flags
The following functions from the ECDH module can be replaced with an alternative implementation:
(2.7) Added support for alternative implementations of ECJPAKE, controlled by the configuration flag
(2.7) Added support for alternative implementations of the DHM module.
(2.7, 2.1) The
selftestprogram can now execute a subset of the available tests controlled by command line arguments.
(2.7, 2.1) Added new unit tests for timing, to improve the self-test to be more robust when executed on a heavily loaded machine.
(2.7, 2.1, 1.3) Comments can now be added to the test data files used by the test suites.
Mbed TLS 2.7.0 maintains source code compatibility with previous versions of Mbed TLS but there are some changes which make the ABI incompatible with the previous version, Mbed TLS 2.6.0.
(2.7) Extended the RSA interface with multiple functions to allow structure-independent setup and export of the RSA contexts. Notably,
mbedtls_rsa_complete()have been introduced for setting up RSA contexts from partial key material and having them completed to the needs of the implementation automatically. This allows setup of private RSA contexts from keys consisting of N,D,E only, even if P,Q are needed for the purpose or CRT and/or blinding.
(2.7) The configuration option
MBEDTLS_RSA_ALTcan be used to define alternative implementations of the RSA interface declared in
rsa.hto enable cryptographic accelerators.
(2.7) The following functions in the message digest modules (MD2, MD4, MD5, SHA1, SHA256, SHA512) have been deprecated and replaced as follows:
The new functions change the return type from void to int to allow returning error codes when using
mbedtls_<MODULE>_starts()is replaced by
mbedtls_<MODULE>_update()is replaced by
mbedtls_<MODULE>_finish()is replaced by
mbedtls_<MODULE>_process()is replaced by
(2.7) Use of RSA primitives with non-matching key-type have been deprecated (e.g. signing with a public key).
(2.7) Direct manipulation of structure fields of the RSA contexts has been deprecated. Users are advised to use the extended RSA API instead.
(2.7) Message digest functions that return
voidhave been deprecated, and we now recommend use of their equivalent functions that return an error code. This includes
<MODULE>can be any of
(2.7) Use of the DHE parameters from RFC 5114 have been deprecated, and superseded by parameters from RFC 3526 or the newly added parameters from RFC 7919.
(2.7) The hex string DHE constants
MBEDTLS_DHM_RFC3526_MODP_2048_Petc. have been deprecated and supserseded by binary encoded constants
(2.7) The function
mbedtls_ssl_conf_dh_param()for setting the default DHE parameters from hex strings has been deprecated and superseded by the function
mbedtls_ssl_conf_dh_param_bin()which accepts the DHM parameters in binary form, matching the constants from the new standards.
(2.7, 2.1) Fixed
ssl_parse_record_header()to silently discard invalid DTLS records as recommended in RFC 6347 Section 126.96.36.199.
(2.7, 2.1, 1.3) Fixed a memory leak in
mbedtls_ssl_set_hostname()when called multiple times. Found by projectgus and jethrogb. #836.
(2.7, 2.1, 1.3) Fixed the usage help text in the
programs/ssl/ssl_server2example. Found and fixed by Bei Lin.
(1.3) Fixed an issue with implicit cast compilation warnings with Microsoft Visual Studio in the
x509.cmodules and some sample applications.
(2.7, 2.1, 1.3) Fixed an issue with parsing the signature algorithm extension when renegotiating. Previously, renegotiated handshakes would only accept signatures using SHA-1 regardless of the peer's preferences or would alternatively always fail if SHA-1 was disabled.
(2.7, 2.1, 1.3) Fixed the leap year calculation in
x509_date_is_valid()to ensure that invalid dates on leap years with 100 and 400 intervals are handled correctly. Found by Nicholas Wilson. #694
(2.7, 2.1, 1.3) Fixed some invalid RSA-PSS signatures with keys of size 8N+1 that were accepted. Generating these signatures required the private key.
(1.3) Added support for building the test suites on Windows. Contributed by Nicholas Wilson.
(2.7) Fixed compilation warnings regarding the use of a variable before assignment with the IAR Compiler. Found by gkerrien38.
(2.7, 2.1, 1.3) Fixed unchecked return codes from AES, DES and 3DES functions in
pem_des3_decrypt()respectively. If a call to one of the functions of the cryptographic primitive modules failed, the error may not be noticed by the function
mbedtls_pem_read_buffer()causing it to return invalid values. Found by Guido Vranken. #756
(2.7, 2.1, 1.3) Added inclusion of the configuration file in
md.h, to fix compiler warnings. Reported by aaronmdjones. #1001
(2.7, 2.1, 1.3) Corrected extraction of the signature type from the PK instance in X.509 CRT and CSR writing routines that prevented these functions to work with alternative RSA implementations. Raised by J.B. in the Mbed TLS forum. #1011
(2.7, 2.1, 1.3) No longer prints the X.509 version tag for v1 certificates, and omits extensions for certificates which are not v3.
(2.7, 2.1, 1.3) Fixes the internal function
net_would_block()to avoid modification of
fcntl(). Found by nkolban. #845
(2.7, 2.1, 1.3) Fixes handling of handshake messages in
MBEDTLS_SSL_RENEGOTIATIONis disabled. Found by erja-gp.
(2.7, 2.1, 1.3) Added a check for invalid private parameters in
mbedtls_ecdsa_sign(). Reported by Yolan Romailler.
(2.7, 2.1, 1.3) Fixes word size check in in
pk.cto not depend on
(2.7) Fix incorrect unit in benchmark output. #850
(2.7, 2.1) Added size-checks for record and handshake message content, to secure vulnerable code paths.
(2.7, 2.1, 1.3) Fixed a potential crash when calling
mbedtls_ssl_cache_free()twice. Found by MilenkoMitrovic. #1104
(2.7, 2.1, 1.3) Fixed
mbedtls_timing_alarm(0)on Unix and MinGW.
(2.7, 2.1, 1.3) Fixed use of uninitialized memory in
(2.7) Fixed potential memory leaks in
(2.7) Added missing return code checks in
(2.7, 2.1, 1.3) Fixed issues in the RSA key generation program
programs/x509/rsa_genkeyand the RSA test suite where the failure of CTR DRBG initialization led to freeing an RSA context and several MPI's without proper initialization beforehand.
(2.7) Fixed an error message in
programs/pkey/gen_key.c. Found and fixed by Chris Xue.
(2.7) Fixed the example
programs/pkey/dh_server.cto ensure it works fully with
dh_client.c. Found and fixed by Martijn de Milliano.
(2.7, 2.1, 1.3) Fixed an issue in the cipher decryption with the mode
MBEDTLS_PADDING_ONE_AND_ZEROSthat sometimes accepted invalid padding. Note, this padding mode is not used by the TLS protocol. Found and fixed by Micha Kraus.
(2.7) Fixed the
entropy.cmodule to not call
(2.7) Fixed the
entropy.cmodule to ensure that
mbedtls_sha512_init()is called before operating on the relevant context structure. Do not assume that zeroizing a context is a correct way to reset it. Found independently by ccli8.
mbedtls_entropy_free(), properly free the message digest context.
(1.3) Fix typo in
ssl.hleading to a too small value of
MBEDTLS_SSL_MAC_ADDin case CBC is disabled but ARC4 is enabled.
(2.7, 2.1, 1.3) Extended the
cert_writeexample program by options to set the certificate version and the message digest, and further, to allow enabling/disabling of authority identifier, subject identifier and basic constraints extensions.
(2.7) Only check for necessary RSA structure fields in
mbedtls_rsa_private. In particular, don't require P or Q if neither CRT nor blinding are used. Reported and fix proposed independently by satur9nine and sliai.
(2.7) Only execute AES-192 self-test if AES-192 is available. #963
(2.7) Tighten the RSA PKCS#1 v1.5 signature verification code and remove the undeclared dependency of the RSA module on the ASN.1 module.
(2.7) Updated all internal usage of deprecated message digest functions to the new ones with return codes. In particular, this modifies the
mbedtls_md_info_tstructure. Propagate errors from these functions everywhere except some locations in the
(2.7) Improve CTR_DRBG error handling by propagating underlying AES errors.
MBEDTLS_ERR_XXX_HW_ACCEL_FAILEDerror codes for all cryptography modules where the software implementation can be replaced by a hardware implementation.
(2.7, 2.1, 1.3) Added explicit warnings for the use of MD2, MD4, MD5, SHA-1, DES and ARC4 in documentation within the library.
(1.3) Improved makefiles on Windows: don't run find, and call perl explicitly.
Who should update
All users affected by one of the issues should update.
Users of Mbed TLS 1.3 or any earlier version are recommended to upgrade to one of the maintained releases as Mbed TLS 1.3 has now reached its end-of-life.
Get your copy here:
The hashes for mbedtls-2.7.0-apache.tgz are:
SHA-1: 01ffebf679c8696cc941c41224fa73d8944d2c85 SHA-256: aeb66d6cd43aa1c79c145d15845c655627a7fc30d624148aaafbb6c36d7f55ef
The hashes for mbedtls-2.7.0-gpl.tgz are:
SHA-1: 6c8e62985c5a73318d391e1327830b3ff85f87a0 SHA-256: 2c6fe289b4b50bf67b4839e81b07fcf52a19f5129d0241d2aa4d49cb1ef11e4f
The hashes for mbedtls-2.1.10-apache.tgz are:
SHA-1: f11cfe5ba68cfa22f464e255e46b4701f640e395 SHA-256: 98c2e45a1a9e74317cceacf95857a9dab248f5dbc212a130d38403b10bd387f0
The hashes for mbedtls-2.1.10-gpl.tgz are:
SHA-1: b968ce5510186427bd0412d7fb596d89a708b1f5 SHA-256: f9bad02c31bc0c2848e109d0d95a40fafff45c53a3cee8665103decc93c6981e
The hashes for mbedtls-1.3.22-gpl.tgz are:
SHA-1: 52702f9a559fcbb2d249f59f8599e35682bda54a SHA-256: ded041aa4acf9a3e4d0c85bf334b0860135da996e75afdcc3abf22f403d14457