Skip to content

Mbed TLS 2.14.0
Compare
Choose a tag to compare
@simonbutcher simonbutcher released this 21 Nov 12:34
· 24784 commits to development since this release
mbedtls-2.14.0
556d7d9
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Verified
Learn about vigilant mode.

Description

Mbed TLS 2.14.0 introduces several new features:

  • Support for non-blocking ECC operations has been introduced with this release. This allows users of Mbed TLS on single-threaded systems to perform elliptic curve cryptographic operations inbetween other critical operations, (such as resetting a watchdog timer), without the use of a pre-emptive scheduler or RTOS. This is explained more fully in the knowledge base article 'Non-blocking ECC operations'.
  • Support for CTR-DRBG using only AES-128 cipher operations. On some devices, AES-128 cryptographic accelerators may be available, but not acceleration of AES-256. On such devices, only AES-128 may be required in designs, and by using only the AES-128 accelerator support on the device, code size can be reduced, operations made faster, and power reduced.
  • Support for smaller salt sizes for RSASSA-PSS signatures, enabling compliance with FIPS 186-4.

This release also addresses three security issues and resolves multiple defects.

Security

  • Fixed overly strict comparison of the X.509 DN field when searching for CRLs belonging to a particular Certificate Authority (CA). This previously lead to ignoring CRLs when the issuer's name and the Certificate Authority's subject name differed in their string encoding, such as one using PrintableString and the other using UTF8String, or in the choice of upper and lower case. Reported by Henrik Andersson of Bosch GmbH in issue #1784.
  • Fixed a flawed bounds check in the server PSK hint parsing. When the incoming message buffer was placed within the first 64kB of address space and a PSK-(EC)DHE ciphersuite was used, this allowed an attacker to trigger a memory access up to 64kB beyond the incoming message buffer, potentially leading to application crash or information disclosure.
  • Fixed mbedtls_mpi_is_prime() to use more rounds of probabilistic testing. The previous settings for the number of rounds made it practical for an adversary to construct non-primes that would be erroneously accepted with a high probability as primes. This does not have an impact on the security of TLS, but can matter in other contexts with numbers chosen potentially by an adversary that should be prime and can be validated. For example, the number of rounds was enough to securely generate RSA key pairs or Diffie-Hellman parameters, but was insufficient to validate Diffie-Hellman parameters properly. See "Prime and Prejudice" by Martin R. Albrecht and Jake Massimo and Kenneth G. Paterson and Juraj Somorovsky.

Features

  • Added support for temporarily suspending expensive ECC computations after some configurable amount of operations. This is intended to be used in constrained, single-threaded systems where ECC operations can be time consuming and can block other operations until they complete. This feature is enabled by defining MBEDTLS_ECP_RESTARTABLE in the configuration file config.h and is configured by mbedtls_ecp_set_max_ops() at runtime. It is disabled by default. It applies to the new xxx_restartable functions in ECP, ECDSA, PK and X.509, and to existing functions in ECDH and SSL. It is currently only implemented client-side, for ECDHE-ECDSA ciphersuites in TLS 1.2, including client authentication, and there is no support for CRL files.
  • Added support for the Arm CPU DSP extensions to accelerate asymmetric key operations. On CPUs where the extensions are available, they can accelerate the MPI multiplications used in ECC and RSA cryptography. Contributed by Aurelien Jarno.
  • Extended RSASSA-PSS signature support to allow a smaller salt size. Previously, the PSS signature always used a salt with the same length as the hash, and returned an error if this was not possible. Now the salt size may be up to two bytes shorter. This allows the library to support all hash and signature sizes that comply with FIPS 186-4, including SHA-512 with a 1024-bit key.
  • Added support for 128 bit keys in CTR-DRBG. Note that using keys shorter than 256 bits limits the security of generated material to 128 bits.

API Changes

  • Added a common error code of MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED for features that are not supported by third party implementations of cryptographic primitives. This is useful for hardware accelerators that do not implement all options or features, such as those that support AES-128 but not AES-192 or AES-256.

New deprecations

  • All module specific errors following the form MBEDTLS_ERR_XXX_FEATURE_UNAVAILABLE that indicate a feature is not supported are now deprecated and are now replaced by the new equivalent platform error.
  • All module specific generic hardware acceleration errors following the form MBEDTLS_ERR_XXX_HW_ACCEL_FAILED are now deprecated and replaced by the equivalent plaform error.
  • The function mbedtls_mpi_is_prime() is now deprecated in favor of mbedtls_mpi_is_prime_ext() which allows specifying the number of Miller-Rabin rounds.

Bugfix

  • Changed the default string format used for various X.509 DN attributes was changed to UTF8String. Previously, the use of the PrintableString format led to wildcards and non-ASCII characters being unusable in some DN attributes. Reported by raprepo in #1860 and by kevinpt in #468. Fix contributed by Thomas-Dee.
  • Fixed the wrong order of memory deallocation in the example program programs/ssl/ssl_server2 leading to a memory leak in case both MBEDTLS_MEMORY_BUFFER_ALLOC_C and MBEDTLS_MEMORY_BACKTRACE are set. Fixes #2069.
  • Fixed a bug in the update function for SSL ticket keys which previously invalidated keys of a lifetime of less than a 1s. Fixes #1968.
  • Fixed a failure in HMAC-DRBG in the benchmark sample application, when MBEDTLS_THREADING_C is defined. Found by TrinityTonic, #1095
  • Fixed a bug in the record decryption routine ssl_decrypt_buf() which lead to accepting properly authenticated but improperly padded records in case of CBC ciphersuites using Encrypt-then-MAC.
  • Fixed a memory leak and freeing without initialization in the example program programs/x509/cert_write. Fixes #1422.
  • Now ignores the IV in mbedtls_cipher_set_iv() when the cipher mode is MBEDTLS_MODE_ECB. Found by ezdevelop. Fixes #1091.
  • Zeroizes memory used for buffering or reassembling handshake messages after use.
  • Uses mbedtls_platform_zeroize() instead of memset() for zeroization of sensitive data in the example programs aescrypt2 and crypt_and_hash.
  • Fixed a compilation failure for configurations which use compile time replacements of the standard calloc/free functions through the macros MBEDTLS_PLATFORM_CALLOC_MACRO and MBEDTLS_PLATFORM_FREE_MACRO. Reported by ole-de and ddhome2006. Fixes #882, #1642 and #1706.

Changes

  • Now remembers the string format of X.509 DN attributes when replicating X.509 DN attributes. Previously, DN attributes were always written in their default string format, which was PrintableString in most instances. This could lead to certificates being created which used PrintableString in the issuer field even though the signing Certificate Authority used UTF8Strings in its subject field. Whilst being compliant with X.509, such certificates were rejected in some applications, such as some versions of Firefox, curl and GnuTLS. Reported in #1033 by Moschn. Fix contributed by Thomas-Dee.
  • Added MBEDTLS_MPI_GEN_PRIME_FLAG_LOW_ERR flag to mbedtls_mpi_gen_prime() and used it to reduce error probability in RSA key generation to levels mandated by FIPS-186-4..
  • Removed support for Yotta as a build tool.
  • Added tests for session resumption in DTLS.
  • Closed a test gap in (D)TLS between the client side and the server side, to test the handling of large packets and small packets on the client side in the same way as on the server side.
  • Changed the dtls_client and dtls_server examples to work by default over IPv6 and optionally by a build option over IPv4.
  • Changed the use of Windows threading to use Microsoft Visual C++ runtime calls, rather than Win32 API calls directly. This is necessary to avoid conflict with C runtime usage. Found and fixed by irwir.
  • Improved documentation of mbedtls_ssl_get_verify_result(). Fixes #517 reported by github-monoculture.

Who should update

We recommend all users should update to take advantage of the bug fixes contained in this release at an appropriate point in their development lifecycle.

End of life for Mbed TLS 2.1

Mbed TLS 2.1.0 was first shipped on 4th September 2015, and is nearing the end of its life. All users of Mbed TLS 2.1 are advised to upgrade to a later version of Mbed TLS wherever possible. There will be no further releases of Mbed TLS 2.1 after 2018. The latest long-term support branch is Mbed TLS 2.7.

Assets 2
Loading