Mbed TLS 2.7.10

Description

Mbed TLS 2.7.10 is a maintenance release of the Mbed TLS 2.7 branch, and provides bug fixes and minor enhancements.

Features

• Add MBEDTLS_REMOVE_3DES_CIPHERSUITES to allow removing 3DES ciphersuites from the default list (enabled by default). See https://sweet32.info/SWEET32_CCS16.pdf.

Bugfix

• Run the AD too long test only if MBEDTLS_CCM_ALT is not defined. Raised as a comment in #1996.
• Fix clobber list in MIPS assembly for large integer multiplication. Previously, this could lead to functionally incorrect assembly being produced by some optimizing compilers, showing up as failures in e.g. RSA or ECC signature operations. Reported in #1722, fix suggested by Aurelien Jarno and submitted by Jeffrey Martin.
• Reduce stack usage of mpi_write_hlp() by eliminating recursion. Fixes #2190.
• Remove a duplicate #include in a sample program. Fixed by Masashi Honma #2326.
• Fix returning the value 1 when mbedtls_ecdsa_genkey() failed.
• Ensure that unused bits are zero when writing ASN.1 bitstrings when using mbedtls_asn1_write_bitstring().
• Fix issue when writing the named bitstrings in KeyUsage and NsCertType extensions in CSRs and CRTs that caused these bitstrings to not be encoded correctly as trailing zeroes were not accounted for as unused bits in the leading content octet. Fixes #1610.

Changes

• Include configuration file in all header files that use configuration, instead of relying on other header files that they include. Inserted as an enhancement for #1371
• Add support for alternative CSR headers, as used by Microsoft and defined in RFC 7468. Found by Michael Ernst. Fixes #767.
• Reduce the complexity of the timing tests. They were assuming more than the underlying OS actually guarantees.
• Ciphersuites based on 3DES now have the lowest priority by default when they are enabled.

Who should update

We recommend all affected users should update to take advantage of the bug fixes contained in this release at an appropriate point in their development lifecycle.

Mbed TLS 2.16.1

Description

Mbed TLS 2.16.1 is a maintenance release of the Mbed TLS 2.16 branch, and provides bug fixes and minor enhancements.

Features

• Add MBEDTLS_REMOVE_3DES_CIPHERSUITES to allow removing 3DES ciphersuites from the default list (enabled by default). See https://sweet32.info/SWEET32_CCS16.pdf.

Bugfix

• Fix a compilation issue with mbedtls_ecp_restart_ctx not being defined when MBEDTLS_ECP_ALT is defined. Reported by jwhui. Fixes #2242.
• Run the AD too long test only if MBEDTLS_CCM_ALT is not defined. Raised as a comment in #1996.
• Reduce the stack consumption of mbedtls_mpi_fill_random() which could previously lead to a stack overflow on constrained targets.
• Add MBEDTLS_SELF_TEST for the mbedtls_self_test functions in the header files, which missed the precompilation check. #971
• Fix clobber list in MIPS assembly for large integer multiplication. Previously, this could lead to functionally incorrect assembly being produced by some optimizing compilers, showing up as failures in e.g. RSA or ECC signature operations. Reported in #1722, fix suggested by Aurelien Jarno and submitted by Jeffrey Martin.
• Fix signed-to-unsigned integer conversion warning in X.509 module. Fixes #2212.
• Reduce stack usage of mpi_write_hlp() by eliminating recursion. Fixes #2190.
• Remove a duplicate #include in a sample program. Fixed by Masashi Honma #2326.
• Remove the mbedtls namespacing from the header file, to fix a "file not found" build error. Fixed by Haijun Gu #2319.
• Fix returning the value 1 when mbedtls_ecdsa_genkey() failed.
• Fix false failure in all.sh when backup files exist in include/mbedtls (e.g. config.h.bak). Fixed by Peter Kolbus (Garmin) #2407.
• Ensure that unused bits are zero when writing ASN.1 bitstrings when using mbedtls_asn1_write_bitstring().
• Fix issue when writing the named bitstrings in KeyUsage and NsCertType extensions in CSRs and CRTs that caused these bitstrings to not be encoded correctly as trailing zeroes were not accounted for as unused bits in the leading content octet. Fixes #1610.

Changes

• Include configuration file in all header files that use configuration, instead of relying on other header files that they include. Inserted as an enhancement for #1371
• Add support for alternative CSR headers, as used by Microsoft and defined in RFC 7468. Found by Michael Ernst. Fixes #767.
• Fix configuration queries in ssl-opt.h. #2030
• Ensure that ssl-opt.h can be run in OS X. #2029
• Reduce the complexity of the timing tests. They were assuming more than the underlying OS actually guarantees.
• Re-enable certain interoperability tests in ssl-opt.sh which had previously been disabled for lack of a sufficiently recent version of GnuTLS on the CI.
• Ciphersuites based on 3DES now have the lowest priority by default when they are enabled.

Who should update

We recommend all affected users should update to take advantage of the bug fixes contained in this release at an appropriate point in their development lifecycle.

Mbed TLS 2.7.9

Description

Mbed TLS 2.7.9 is a maintenance release, and contains no new features. This release addresses multiple defects.

Bugfix

• Fix for Clang, which was reporting a warning for the bignum.c inline assembly for AMD64 targets creating string literals greater than those permitted by the ISO C99 standard. Found by Aaron Jones. Fixes #482.
• Fix runtime error in mbedtls_platform_entropy_poll() when run through qemu user emulation. Reported and fix suggested by randombit. Fixes #1212.
• Fix an unsafe bounds check when restoring an SSL session from a ticket. This could lead to a buffer overflow, but only in case ticket authentication was broken. Reported and fix suggested by Guido Vranken in #659.
• Add explicit integer to enumeration type casts to example program programs/pkey/gen_key which previously led to compilation failure on some toolchains. Reported by phoenixmcallister. Fixes #2170.
• Clarify documentation of mbedtls_ssl_set_own_cert() regarding the absence of check for certificate/key matching. Reported by Attila Molnar, #507.

Who should update

We recommend all affected users should update to take advantage of the bug fixes contained in this release at an appropriate point in their development lifecycle.

Mbed TLS 2.16.0

Description

Mbed TLS 2.16.0 introduces a new feature of optional parameter validation. This feature verifies and validates all parameters passed into the library, to confirm they meet the preconditions of each library function. Normally, the library does not check for invalid parameters which are no risk to the security of the library and will cause an obvious error during execution, as it's assumed this kind of issue will be picked up during development, and are unlikely to occur in normal operation. This new feature can speed up development by identifying and indicating any obvious failure in use of the library if the parameter is invalid, and by allowing users to log such errors, in test, development or usage, rather than have to work through stack traces.

Announcing Mbed TLS 2.16 Long Term Support

We are pleased to announce that Mbed TLS 2.16.0 will be the basis of our next Long Term Support branch, and will be maintained for at least 3 years up until the end of 2021.

During that time, no new features will be added to the branch, the API and ABI will be maintained, and only bug fixes will be made to maintenance releases of 2.16.0.

This is further discussed in our blog posting 'Announcing Long Term Support Branch Mbed TLS 2.16'.

Features

• Add a new config.h option of MBEDTLS_CHECK_PARAMS that enables validation of parameters in the API. This allows detection of obvious misuses of the API, such as passing NULL pointers. The API of existing functions hasn't changed, but requirements on parameters have been made more explicit in the documentation. See the corresponding API documentation for each function to see for which parameter values it is defined. This feature is disabled by default. See its API documentation in config.h for additional steps you have to take when enabling it.

API Changes

• The following functions in the random generator modules have been deprecated and replaced as shown below. The new functions change the return type from void to int to allow returning error codes when using MBEDTLS_<MODULE>_ALT for the underlying AES or message digest primitive. Fixes #1798.
  mbedtls_ctr_drbg_update() -> mbedtls_ctr_drbg_update_ret()
mbedtls_hmac_drbg_update() -> mbedtls_hmac_drbg_update_ret()
• Extend ECDH interface to enable alternative implementations.
• Deprecate error codes of the form MBEDTLS_ERR_xxx_INVALID_KEY_LENGTH for ARIA, CAMELLIA and Blowfish. These error codes will be replaced by the more generic per-module error codes MBEDTLS_ERR_xxx_BAD_INPUT_DATA.
• Additional parameter validation checks have been added for the following modules - AES, ARIA, Blowfish, CAMELLIA, CCM, GCM, DHM, ECP, ECDSA, ECDH, ECJPAKE, SHA, Chacha20 and Poly1305, cipher, pk, RSA, and MPI. Where modules have had parameter validation added, existing parameter checks may have changed. Some modules, such as Chacha20 had existing parameter validation whereas other modules had little. This has now been changed so that the same level of validation is present in all modules, and that it is now optional with the MBEDTLS_CHECK_PARAMS flag which by default is off. That means that checks which were previously present by default will no longer be.

New deprecations

• Deprecate mbedtls_ctr_drbg_update() and mbedtls_hmac_drbg_update() in favor of functions that can return an error code.

Bugfix

• Fix for Clang, which was reporting a warning for the bignum.c inline assembly for AMD64 targets creating string literals greater than those permitted by the ISO C99 standard. Found by Aaron Jones. Fixes #482.
• Fix runtime error in mbedtls_platform_entropy_poll() when run through qemu user emulation. Reported and fix suggested by randombit. Fixes #1212.
• Fix an unsafe bounds check when restoring an SSL session from a ticket. This could lead to a buffer overflow, but only in case ticket authentication was broken. Reported and fix suggested by Guido Vranken in #659.
• Add explicit integer to enumeration type casts to example program programs/pkey/gen_key which previously led to compilation failure on some toolchains. Reported by phoenixmcallister. Fixes #2170.
• Clarify documentation of mbedtls_ssl_set_own_cert() regarding the absence of check for certificate/key matching. Reported by Attila Molnar, #507.
• Fix double initialization of ECC hardware that made some accelerators hang.

Who should update

We recommend all affected users should update to take advantage of the bug fixes contained in this release at an appropriate point in their development lifecycle.

Mbed TLS 2.1.18

Description

Mbed TLS 2.1.18 is a maintenance release, and contains no new features. This release addresses multiple defects.

End of life for Mbed TLS 2.1

Mbed TLS 2.1.0 was first shipped on 4th September 2015, and has come to the end of its life. This is the last release of the 2.1 branch.

All users of Mbed TLS 2.1 are now advised to upgrade to a later version of Mbed TLS wherever possible. There will now be no further releases of Mbed TLS 2.1.

Bugfix

• Fix for Clang, which was reporting a warning for the bignum.c inline assembly for AMD64 targets creating string literals greater than those permitted by the ISO C99 standard. Found by Aaron Jones. Fixes #482.
• Fix runtime error in mbedtls_platform_entropy_poll() when run through qemu user emulation. Reported and fix suggested by randombit. Fixes #1212.
• Fix an unsafe bounds check when restoring an SSL session from a ticket. This could lead to a buffer overflow, but only in case ticket authentication was broken. Reported and fix suggested by Guido Vranken in #659.
• Add explicit integer to enumeration type casts to example program programs/pkey/gen_key which previously led to compilation failure on some toolchains. Reported by phoenixmcallister. Fixes #2170.
• Clarify documentation of mbedtls_ssl_set_own_cert() regarding the absence of check for certificate/key matching. Reported by Attila Molnar, #507.

Who should update

We recommend all affected users should update to take advantage of the bug fixes contained in this release at an appropriate point in their development lifecycle.

Mbed TLS 2.15.1

Description

Mbed TLS 2.15.1 is a release of Mbed TLS intended only for Mbed OS, and will not be released as a standalone release on the Mbed TLS website.

This release updates the version of the PSA Crypto library used in Mbed TLS.

Changes

• Update the Mbed Crypto submodule to version 0.1.0b2. This change enables use of Mbed Crypto with Mbed TLS configurations that do not include GCM or CCM.

Who should update

This release is provided for use in Mbed OS only, and is not intended for wider usage outside of Mbed OS.

Mbed TLS 2.7.8

Description

Mbed TLS 2.7.8 is a maintenance release, and contains no new features. It addresses two security issues, one of which we are issuing Security Advisory 18-03 for.

Security

• Fixes timing variations and memory access variations in RSA PKCS#1 v1.5 decryption that could lead to a Bleichenbacher-style padding oracle attack. In TLS, this affects servers that accept ciphersuites based on RSA decryption (i.e. ciphersuites whose name contains RSA but not (EC)DH(E)). The issue was first discovered and raised by Eyal Ronen - Weizmann Institute, Robert Gillham - University of Adelaide, Daniel Genkin - University of Michigan, Adi Shamir - Weizmann Institute, David Wong - NCC Group, and Yuval Yarom - University of Adelaide and Data61. The attack is described in more detail in the paper, The 9 Lives of Bleichenbacher’s CAT: New Cache ATtacks on TLS Implementations. This issue has been allocated CVE-2018-19608.
• Now wipes sensitive buffers on the stack in the CTR_DRBG and HMAC_DRBG modules.

API Changes

• The new functions mbedtls_ctr_drbg_update_ret() and mbedtls_hmac_drbg_update_ret() are similar to mbedtls_ctr_drbg_update() and mbedtls_hmac_drbg_update() respectively, but the new functions report errors whereas the old functions return void. We recommend that applications use the new functions.

Who should update

We recommend all affected users should update to take advantage of the bug fixes contained in this release at an appropriate point in their development lifecycle.

End of life for Mbed TLS 2.1

Mbed TLS 2.1.0 was first shipped on 4th September 2015, and is nearing the end of its life. All users of Mbed TLS 2.1 are advised to upgrade to a later version of Mbed TLS wherever possible. There will be no further releases of Mbed TLS 2.1 after 2018. The latest long-term support branch is Mbed TLS 2.7.

Mbed TLS 2.14.1

Description

Mbed TLS 2.14.1 is a maintenance release, and contains no new features. It addresses two security issues, one of which we have issued Security Advisory 18-03 for.

Security

• Fixes timing variations and memory access variations in RSA PKCS#1 v1.5 decryption that could lead to a Bleichenbacher-style padding oracle attack. In TLS, this affects servers that accept ciphersuites based on RSA decryption (i.e. ciphersuites whose name contains RSA but not (EC)DH(E)). The issue was first discovered and raised by Eyal Ronen - Weizmann Institute, Robert Gillham - University of Adelaide, Daniel Genkin - University of Michigan, Adi Shamir - Weizmann Institute, David Wong - NCC Group, and Yuval Yarom - University of Adelaide and Data61. The attack is described in more detail in the paper, The 9 Lives of Bleichenbacher’s CAT: New Cache ATtacks on TLS Implementations. This issue has been allocated CVE-2018-19608.
• Now wipes sensitive buffers on the stack in the CTR_DRBG and HMAC_DRBG modules.

API Changes

• The new functions mbedtls_ctr_drbg_update_ret() and mbedtls_hmac_drbg_update_ret() are similar to mbedtls_ctr_drbg_update() and mbedtls_hmac_drbg_update() respectively, but the new functions report errors whereas the old functions return void. We recommend that applications use the new functions.

Who should update

We recommend all affected users should update to take advantage of the bug fixes contained in this release at an appropriate point in their development lifecycle.

End of life for Mbed TLS 2.1

Mbed TLS 2.1.0 was first shipped on 4th September 2015, and is nearing the end of its life. All users of Mbed TLS 2.1 are advised to upgrade to a later version of Mbed TLS wherever possible. There will be no further releases of Mbed TLS 2.1 after 2018. The latest long-term support branch is Mbed TLS 2.7.

Mbed TLS 2.1.17

Description

Mbed TLS 2.1.17 is a maintenance release, and contains no new features. It addresses two security issues, one of which we have issued Security Advisory 18-03 for.

Security

• Fixes timing variations and memory access variations in RSA PKCS#1 v1.5 decryption that could lead to a Bleichenbacher-style padding oracle attack. In TLS, this affects servers that accept ciphersuites based on RSA decryption (i.e. ciphersuites whose name contains RSA but not (EC)DH(E)). The issue was first discovered and raised by Eyal Ronen - Weizmann Institute, Robert Gillham - University of Adelaide, Daniel Genkin - University of Michigan, Adi Shamir - Weizmann Institute, David Wong - NCC Group, and Yuval Yarom - University of Adelaide and Data61. The attack is described in more detail in the paper, The 9 Lives of Bleichenbacher’s CAT: New Cache ATtacks on TLS Implementations. This issue has been allocated CVE-2018-19608.
• Now wipes sensitive buffers on the stack in the CTR_DRBG and HMAC_DRBG modules.

Who should update

We recommend all affected users should update to take advantage of the bug fixes contained in this release at an appropriate point in their development lifecycle.

End of life for Mbed TLS 2.1

Mbed TLS 2.1.0 was first shipped on 4th September 2015, and is nearing the end of its life. All users of Mbed TLS 2.1 are advised to upgrade to a later version of Mbed TLS wherever possible. There will be no further releases of Mbed TLS 2.1 after 2018. The latest long-term support branch is Mbed TLS 2.7.

Mbed TLS 2.15.0

Description

Mbed TLS 2.15.0 is a release of Mbed TLS intended only for Mbed OS, and will not be released as a standalone release on the Mbed TLS website.

The release introduces an initial version of PSA Crypto and integration of Mbed TLS into that.

Security

• (2.15.0) This release contains no security fixes.

Features

• (2.15.0) Add an experimental build option, USE_CRYPTO_SUBMODULE, to enable use of Mbed Crypto as the source of the cryptography implementation.
• (2.15.0) Add an experimental configuration option, MBEDTLS_PSA_CRYPTO_C, to enable the PSA Crypto API from Mbed Crypto when additionally used with the USE_CRYPTO_SUBMODULE build option.

API Changes

• (2.15.0) There are no API Changes in this release in the default configuration. When PSA Crypto is enabled, there are some changes to expected behaviour of the API.

New deprecations

• (2.15.0) There are no new deprecations in this release.

Bugfix

• (2.15.0) There are no new bug fixes in this release.

Changes

• (2.15.0) Add unit tests for AES-GCM when called through mbedtls_cipher_auth_xxx() from the cipher abstraction layer. Fixes #2198.

Who should update

This release is provided for use in Mbed OS only, and is not intended for wider usage outside of Mbed OS.