Mbed TLS 2.1.16
Released by simonbutcher on 21 Nov 12:34
Description
Mbed TLS 2.1.16 is a maintenance release, and contains no new features. It addresses three security issues and resolves multiple defects.
Security
- Fixed overly strict comparison of the X.509 DN field when searching for CRLs belonging to a particular Certificate Authority (CA). This previously led to ignoring CRLs when the issuer's name and the Certificate Authority's subject name differed in their string encoding, such as one using `PrintableString` and the other using `UTF8String`, or in the choice of upper and lower case. Reported by Henrik Andersson of Bosch GmbH in issue #1784.
- Fixed a flawed bounds check in the server PSK hint parsing. When the incoming message buffer was placed within the first 64kB of address space and a PSK-(EC)DHE ciphersuite was used, this allowed an attacker to trigger a memory access up to 64kB beyond the incoming message buffer, potentially leading to application crash or information disclosure.
- Fixed `mbedtls_mpi_is_prime()` to use more rounds of probabilistic testing. The previous settings for the number of rounds made it practical for an adversary to construct non-primes that would be erroneously accepted with a high probability as primes. This does not have an impact on the security of TLS, but can matter in other contexts with numbers chosen potentially by an adversary that should be prime and can be validated. For example, the number of rounds was enough to securely generate RSA key pairs or Diffie-Hellman parameters, but was insufficient to validate Diffie-Hellman parameters properly. See "Prime and Prejudice" by Martin R. Albrecht, Jake Massimo, Kenneth G. Paterson and Juraj Somorovsky.
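The CRL lookup issue above comes down to how two DN attribute values are compared. The following is an added, self-contained C illustration (not Mbed TLS code) of a strict byte-for-byte comparison next to the relaxed comparison the note describes, which treats `PrintableString` and `UTF8String` as interchangeable and ignores ASCII case. The `dn_attr` type and the sample issuer and subject strings are constructed for the example.

```c
#include <assert.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* ASN.1 universal tags for the two string types the release note mentions. */
#define TAG_UTF8_STRING      0x0C
#define TAG_PRINTABLE_STRING 0x13

/* Minimal stand-in for one DN attribute value: ASN.1 tag plus raw bytes
 * (a constructed type for this example, not the library's structure). */
typedef struct {
    unsigned char tag;
    const unsigned char *p;
    size_t len;
} dn_attr;

/* Case-insensitive comparison that folds ASCII letters only; non-ASCII
 * bytes must still match exactly. Returns 0 when equal. */
static int memcasecmp_ascii(const unsigned char *a, const unsigned char *b, size_t n)
{
    size_t i;
    for (i = 0; i < n; i++) {
        unsigned char x = a[i], y = b[i];
        if (x >= 'A' && x <= 'Z') x = (unsigned char)(x - 'A' + 'a');
        if (y >= 'A' && y <= 'Z') y = (unsigned char)(y - 'A' + 'a');
        if (x != y) return 1;
    }
    return 0;
}

/* Strict comparison: identical tag, length and bytes. This is the behaviour
 * that made a CRL issued under a differently encoded name go unused. */
int dn_attr_equal_strict(const dn_attr *a, const dn_attr *b)
{
    return a->tag == b->tag && a->len == b->len && memcmp(a->p, b->p, a->len) == 0;
}

static int is_text_tag(unsigned char t)
{
    return t == TAG_UTF8_STRING || t == TAG_PRINTABLE_STRING;
}

/* Relaxed comparison: the two text tags are interchangeable and ASCII case is
 * ignored; any other tag pair still requires an exact match. The length check
 * keeps multi-byte UTF-8 from silently matching a shorter PrintableString. */
int dn_attr_equal_relaxed(const dn_attr *a, const dn_attr *b)
{
    if (dn_attr_equal_strict(a, b))
        return 1;
    return is_text_tag(a->tag) && is_text_tag(b->tag) &&
           a->len == b->len && memcasecmp_ascii(a->p, b->p, a->len) == 0;
}

/* Constructed sample: the same CA name encoded two ways (no real certificate). */
int demo_dn_compare(void)
{
    static const unsigned char issuer[]  = "Example CA";
    static const unsigned char subject[] = "EXAMPLE CA";
    dn_attr crl_issuer = { TAG_PRINTABLE_STRING, issuer, sizeof(issuer) - 1 };
    dn_attr ca_subject = { TAG_UTF8_STRING, subject, sizeof(subject) - 1 };

    /* Strict compare says "different CA", so the CRL would be ignored. */
    assert(dn_attr_equal_strict(&crl_issuer, &ca_subject) == 0);
    /* Relaxed compare recognises the CA and the CRL is consulted. */
    return dn_attr_equal_relaxed(&crl_issuer, &ca_subject);
}

int main(void)
{
    printf("relaxed match: %d\n", demo_dn_compare());
    return 0;
}
```

When auditing a CRL or chain-building path, the check to run is exactly this pair: feed a CRL whose issuer uses a different string type or case than the CA certificate's subject and confirm the revocation is still honoured.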
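The PSK hint fix is about a length-prefixed field whose claimed length must be checked against the bytes actually buffered. As an added example (not the Mbed TLS parser, and not the exact check that was wrong), the C below shows the bug class, a check written as `p + n > end`, beside the hardened form that compares `n` against `end - p` and never forms a pointer past the buffer. The field layout (2-byte big-endian length) is assumed; the messages are constructed.

```c
#include <stddef.h>
#include <string.h>

/* Flawed pattern (generic illustration of the bug class, not the library's
 * original code): forming p + 2 + n before comparing is undefined behaviour
 * once the sum leaves the buffer, and n can be up to 65535 bytes. */
static int parse_len16_field_unsafe(const unsigned char *p, const unsigned char *end,
                                    const unsigned char **out, size_t *out_len)
{
    size_t n = ((size_t)p[0] << 8) | p[1];
    if (p + 2 + n > end)
        return -1;
    *out = p + 2;
    *out_len = n;
    return 0;
}

/* Hardened form: check room for the length bytes first, then compare the
 * claimed length against the remaining space as a size, so no out-of-range
 * pointer is ever computed and a hostile length is rejected outright. */
int parse_len16_field(const unsigned char *p, const unsigned char *end,
                      const unsigned char **out, size_t *out_len)
{
    size_t n;
    if (end < p || (size_t)(end - p) < 2)
        return -1;                      /* not even room for the length field */
    n = ((size_t)p[0] << 8) | p[1];
    p += 2;
    if (n > (size_t)(end - p))
        return -1;                      /* claims more bytes than were received */
    *out = p;
    *out_len = n;
    return 0;
}

/* Constructed messages, not captured traffic. */
int demo_psk_hint_parse(void)
{
    static const unsigned char good[] = { 0x00, 0x03, 'h', 'n', 't' };
    static const unsigned char bad[]  = { 0xFF, 0xFF, 'h' };   /* claims 65535 bytes */
    const unsigned char *f;
    size_t n;
    int ok, rejected, unsafe_ok;

    ok = parse_len16_field(good, good + sizeof good, &f, &n) == 0 &&
         n == 3 && memcmp(f, "hnt", 3) == 0;
    rejected = parse_len16_field(bad, bad + sizeof bad, &f, &n) == -1;
    /* The flawed form is only exercised on well-formed input here; on the
     * hostile message its pointer arithmetic would already be undefined. */
    unsafe_ok = parse_len16_field_unsafe(good, good + sizeof good, &f, &n) == 0 && n == 3;
    return ok && rejected && unsafe_ok;
}
```

The same rule applies to every length-prefixed element in a handshake message: compute the remaining space as an integer once, compare the claimed length against it, and only then advance the cursor.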
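The `mbedtls_mpi_is_prime()` note distinguishes candidates you generate yourself from candidates an adversary hands you. The added C below (written for this page, independent of the library's bignum code) implements Miller-Rabin on 64-bit integers and shows why the distinction matters: 3215031751 = 151 × 751 × 28351 is composite yet passes the test for the fixed bases 2, 3, 5 and 7, so a validator that uses too few or predictable witnesses accepts it. Random witnesses drawn from an RNG and enough rounds reject it. The xorshift generator is a stand-in for a proper entropy source and is an assumption of the example.

```c
#include <stdint.h>
#include <stdio.h>

static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t m)
{
    return (uint64_t)(((unsigned __int128)a * b) % m);   /* gcc/clang extension */
}

static uint64_t powmod(uint64_t b, uint64_t e, uint64_t m)
{
    uint64_t r = 1;
    b %= m;
    while (e) {
        if (e & 1) r = mulmod(r, b, m);
        b = mulmod(b, b, m);
        e >>= 1;
    }
    return r;
}

/* One Miller-Rabin round for odd n > 3 with witness a in [2, n-2].
 * Returns 1 if n survives the round, 0 if a proves n composite. */
static int mr_round(uint64_t n, uint64_t a)
{
    uint64_t d = n - 1, x;
    int s = 0, i;
    while ((d & 1) == 0) { d >>= 1; s++; }
    x = powmod(a, d, n);
    if (x == 1 || x == n - 1) return 1;
    for (i = 1; i < s; i++) {
        x = mulmod(x, x, n);
        if (x == n - 1) return 1;
    }
    return 0;
}

/* Probable-prime test with `rounds` witnesses from the caller's RNG. For an
 * adversary-supplied candidate, every round can fail with probability at most
 * 1/4, so the error bound after r rounds is 4^-r; pick r for that bound, not
 * for the (much smaller) chance of a random candidate being a strong liar. */
int is_probable_prime(uint64_t n, int rounds, uint64_t (*rng)(void *), void *ctx)
{
    int i;
    if (n < 4) return n == 2 || n == 3;
    if ((n & 1) == 0) return 0;
    for (i = 0; i < rounds; i++) {
        uint64_t a = 2 + rng(ctx) % (n - 3);
        if (!mr_round(n, a)) return 0;
    }
    return 1;
}

/* Deterministic xorshift64 so the demo is reproducible. In real validation the
 * witnesses must come from a cryptographic RNG the adversary cannot predict. */
static uint64_t xorshift64(void *ctx)
{
    uint64_t *s = ctx, x = *s;
    x ^= x << 13; x ^= x >> 7; x ^= x << 17;
    return *s = x;
}

/* A composite that fools a validator using only the fixed bases 2, 3, 5, 7. */
int demo_fixed_bases_fooled(void)
{
    const uint64_t n = 3215031751ULL;   /* 151 * 751 * 28351 */
    return mr_round(n, 2) && mr_round(n, 3) && mr_round(n, 5) && mr_round(n, 7) &&
           !mr_round(n, 11);            /* base 11 exposes it */
}

/* Random witnesses with enough rounds reject it and still accept a real prime. */
int demo_random_witnesses(void)
{
    uint64_t seed = 0x9E3779B97F4A7C15ULL;           /* fixed seed for reproducibility */
    const uint64_t composite = 3215031751ULL;
    const uint64_t m61 = 2305843009213693951ULL;     /* 2^61 - 1, a Mersenne prime */
    return is_probable_prime(composite, 64, xorshift64, &seed) == 0 &&
           is_probable_prime(m61, 64, xorshift64, &seed) == 1;
}

int main(void)
{
    printf("fixed bases fooled: %d, random witnesses correct: %d\n",
           demo_fixed_bases_fooled(), demo_random_witnesses());
    return 0;
}
```

The practical consequence for anyone validating received Diffie-Hellman parameters on a 2.1 branch: use a release with the corrected round count, and treat the round count as a parameter of the threat model (who chose the number) rather than a fixed constant.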
Bugfix
- Fixed the wrong order of memory deallocation in the example program `programs/ssl/ssl_server2`, leading to a memory leak in case both `MBEDTLS_MEMORY_BUFFER_ALLOC_C` and `MBEDTLS_MEMORY_BACKTRACE` are set. Fixes #2069.
- Fixed a bug in the update function for SSL ticket keys which previously invalidated keys with a lifetime of less than 1s. Fixes #1968.
- Fixed a failure in HMAC-DRBG in the benchmark sample application when `MBEDTLS_THREADING_C` is defined. Found by TrinityTonic. #1095
- Fixed a bug in the record decryption routine `ssl_decrypt_buf()` which led to accepting properly authenticated but improperly padded records in case of CBC ciphersuites using Encrypt-then-MAC.
- Fixed a memory leak and freeing without initialization in the example program `programs/x509/cert_write`. Fixes #1422.
- Now ignores the IV in `mbedtls_cipher_set_iv()` when the cipher mode is `MBEDTLS_MODE_ECB`. Found by ezdevelop. Fixes #1091.
- Zeroizes memory used for buffering or reassembling handshake messages after use.
- Uses `mbedtls_platform_zeroize()` instead of `memset()` for zeroization of sensitive data in the example programs `aescrypt2` and `crypt_and_hash`.
- Fixed a compilation failure for configurations which use compile-time replacements of the standard `calloc`/`free` functions through the macros `MBEDTLS_PLATFORM_CALLOC_MACRO` and `MBEDTLS_PLATFORM_FREE_MACRO`. Reported by ole-de and ddhome2006. Fixes #882, #1642 and #1706.
- Fixed a potential build failure related to the `apidoc` target, introduced in the previous patch release. Found by Robert Scheck. #390 #391
- Fixed `programs/pkey/dh_server.c` so that it works correctly with `dh_client.c`. Found and fixed by Martijn de Milliano.
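The `ssl_decrypt_buf()` item above concerns the check that runs after the MAC has already verified under Encrypt-then-MAC: the decrypted CBC block must still carry well-formed TLS padding (a final byte giving the pad length, preceded by that many bytes all equal to it), and a record that fails this check must be rejected even though it authenticated. The following is an added C example of that check (not the library's routine); the plaintexts are constructed.

```c
#include <stddef.h>
#include <stdio.h>

/* Validate TLS CBC padding on an already-authenticated, decrypted record body.
 * On success returns 0 and stores the content length (bytes before the padding);
 * returns -1 for an empty body, a pad length that exceeds the body, or any
 * padding byte that differs from the pad length. Because Encrypt-then-MAC has
 * already rejected forged ciphertexts, this check is not a padding oracle, but
 * it is still written without early exit inside the loop. */
int tls_cbc_check_padding(const unsigned char *plain, size_t len, size_t *content_len)
{
    size_t padlen, i;
    unsigned char bad = 0;

    if (len == 0)
        return -1;
    padlen = plain[len - 1];
    if (padlen + 1 > len)
        return -1;                                  /* padding longer than the record */
    for (i = 0; i < padlen; i++)
        bad |= plain[len - 2 - i] ^ (unsigned char)padlen;
    if (bad)
        return -1;                                  /* authenticated but improperly padded */
    *content_len = len - 1 - padlen;
    return 0;
}

/* Constructed plaintexts: content "hello" followed by padding. */
int demo_padding_check(void)
{
    static const unsigned char good[] = { 'h', 'e', 'l', 'l', 'o', 0x02, 0x02, 0x02 };
    static const unsigned char bad[]  = { 'h', 'e', 'l', 'l', 'o', 0x01, 0x02, 0x02 };
    size_t n = 0;
    int ok = tls_cbc_check_padding(good, sizeof good, &n) == 0 && n == 5;
    int rejected = tls_cbc_check_padding(bad, sizeof bad, &n) == -1;
    return ok && rejected;
}

int main(void)
{
    printf("padding check correct: %d\n", demo_padding_check());
    return 0;
}
```

A record-layer test suite should include the second case: a peer that produces a valid MAC over a body with inconsistent padding bytes is violating the record format, and the fixed branch now treats it as a decryption failure rather than delivering the data.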
Changes
- Added tests for session resumption in DTLS.
- Closed a test gap in (D)TLS between the client side and the server side, to test the handling of large packets and small packets on the client side in the same way as on the server side.
- Changed the `dtls_client` and `dtls_server` examples to work by default over IPv6 and optionally, by a build option, over IPv4.
- Changed the use of Windows threading to use Microsoft Visual C++ runtime calls, rather than Win32 API calls directly. This is necessary to avoid conflict with C runtime usage. Found and fixed by irwir.
- Improved documentation of `mbedtls_ssl_get_verify_result()`. Fixes #517 reported by github-monoculture.
- `make apidoc` now generates the documentation for the current configuration. Run `scripts/apidoc_full.sh` to generate the full documentation. This aligns the behavior with Mbed TLS versions 2.2 and later and reverts it back to how it behaved in version 2.1.3.
Who should update
We recommend that all users update to take advantage of the bug fixes contained in this release at an appropriate point in their development lifecycle.
End of life for Mbed TLS 2.1
Mbed TLS 2.1.0 was first shipped on 4th September 2015, and is nearing the end of its life. All users of Mbed TLS 2.1 are advised to upgrade to a later version of Mbed TLS wherever possible. There will be no further releases of Mbed TLS 2.1 after 2018. The latest long-term support branch is Mbed TLS 2.7.