Mbed TLS 2.13.0
Description
Mbed TLS 2.13.0 introduces several new features improving our support for DTLS over low-bandwidth, high latency networks with high packet loss. Specifically:
- Support for fragmentation of outgoing handshake messages, allowing the use of Mbed TLS across networks with datagram links with MTUs as low as 512 bytes, making it suitable for NB-IoT networks.
- Grouping outgoing handshake messages in a single datagram, reducing both the network load and the likelihood of reordering effects.
- Reordering handshake packets that have been received out of order, reducing the number of retransmissions necessary to complete a handshake, and therefore increasing handshake efficiency and reducing network load.
This release also addresses one security issue and resolves multiple defects.
Security
- Fixed an issue in the X.509 module which could lead to a buffer overread during certificate extensions parsing. A read of one byte beyond the limit of the input buffer was made, when the extensions length field was zero. Found by Nathan Crandall.
Features
- Added support for fragmentation of outgoing DTLS handshake messages. This is controlled by the maximum fragment length set locally or negotiated with the peer, or alternatively by a new per-connection MTU (Maximum Transmission Unit) option, set using mbedtls_ssl_set_mtu().
- Added support for the automatic adjustment of the MTU to a safe value during the handshake when flights of messages are not received, as defined in RFC 6347, section 4.1.1.1.
- Added support for the packing of multiple records into a single datagram. This feature is enabled by default.
- Added support for buffering of out-of-order handshake messages in DTLS. The maximum amount of RAM used for this can be controlled by the compile-time constant MBEDTLS_SSL_DTLS_MAX_BUFFERING, as defined in the configuration file.
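The two mechanisms above, handshake fragmentation to fit an MTU and buffering of fragments that arrive out of order, as an added illustration that is not Mbed TLS's own code (in the library they are driven by mbedtls_ssl_set_mtu() and MBEDTLS_SSL_DTLS_MAX_BUFFERING). The splitter keeps each 12-byte DTLS handshake header plus body within the chosen MTU, and the reassembler accepts fragments in any order, bounds-checking every fragment_offset/fragment_length against the declared message length before writing; the names hs_fragment, hs_reassemble, hs_roundtrip and the 1000-byte sample message are constructed for this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define HS_HDR_LEN 12  /* DTLS handshake header: type(1) len(3) msg_seq(2) frag_off(3) frag_len(3) */
typedef struct { uint8_t hdr[HS_HDR_LEN]; const uint8_t *body; } hs_frag;

static void put24(uint8_t *p, uint32_t v) { p[0] = v >> 16; p[1] = v >> 8; p[2] = v; }
static uint32_t get24(const uint8_t *p) { return (p[0] << 16) | (p[1] << 8) | p[2]; }

/* Split a handshake message so header + body of each fragment fits `mtu`; -1 if no room or more than `max` fragments. */
int hs_fragment(uint8_t type, uint16_t seq, const uint8_t *msg, uint32_t len, uint32_t mtu,
                hs_frag *out, int max)
{
    if (mtu <= HS_HDR_LEN) return -1;
    uint32_t chunk = mtu - HS_HDR_LEN, off = 0; int n = 0;
    do {  /* do-while so that a zero-length message still produces one fragment */
        uint32_t flen = len - off < chunk ? len - off : chunk;
        if (n == max) return -1;
        uint8_t *h = out[n].hdr;
        h[0] = type; put24(h + 1, len); h[4] = seq >> 8; h[5] = (uint8_t)seq;
        put24(h + 6, off); put24(h + 9, flen);
        out[n++].body = msg + off; off += flen;
    } while (off < len);
    return n;
}

/* Reassemble fragments received in any order into `buf`: message length once complete, 0 while waiting, -1 if inconsistent. */
int hs_reassemble(const hs_frag *frags, int n, uint8_t *buf, uint32_t cap)
{
    if (n <= 0) return 0;
    uint32_t total = get24(frags[0].hdr + 1);
    uint8_t *seen = total > cap ? NULL : calloc(total + 1, 1);  /* per-byte coverage map; +1 keeps a 0-length message valid */
    if (!seen) return -1;
    for (int i = 0; i < n; i++) {
        const uint8_t *h = frags[i].hdr;
        uint32_t off = get24(h + 6), flen = get24(h + 9);
        /* `flen > total - off` rather than `off + flen > total`, so the check itself cannot wrap */
        if (get24(h + 1) != total || off > total || flen > total - off) { free(seen); return -1; }
        memcpy(buf + off, frags[i].body, flen); memset(seen + off, 1, flen);
    }
    for (uint32_t j = 0; j < total; j++) if (!seen[j]) { free(seen); return 0; }
    free(seen); return (int)total;
}

/* Constructed self-check: fragment a 1000-byte message at `mtu`, deliver fragments in reverse order, return the count if bytes match, else -1. */
int hs_roundtrip(uint32_t mtu)
{
    static uint8_t msg[1000], out[1000]; hs_frag f[64], rev[64];
    for (int i = 0; i < 1000; i++) msg[i] = (uint8_t)(i * 7);
    int n = hs_fragment(1, 0, msg, 1000, mtu, f, 64);
    for (int i = 0; i < n; i++) rev[i] = f[n - 1 - i];
    return (hs_reassemble(rev, n, out, 1000) == 1000 && !memcmp(msg, out, 1000)) ? n : -1;
}
```

With a 512-byte MTU the 1000-byte message needs two fragments; at an MTU of 300 it needs four, and an MTU of 12 bytes or less leaves no room for body bytes and is rejected.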
API Changes
- Added the function mbedtls_ssl_set_datagram_packing() to configure the use of datagram packing. This feature is enabled by default.
Bugfixes
- Fixed a potential memory leak in the mbedtls_ssl_setup() function. An allocation failure in the function could lead to other buffers being leaked.
- Fixed an issue with MBEDTLS_CHACHAPOLY_C which would not compile if MBEDTLS_ARC4_C and MBEDTLS_CIPHER_NULL_CIPHER weren't also defined, and an issue with the wrong test dependencies for MBEDTLS_ARC4_C. #1890.
- Fixed a memory leak in ecp_mul_comb() if ecp_precompute_comb() fails. Fix contributed by Espressif Systems.
- ECC extensions are now only included if an ECC-based ciphersuite is used. This improves compliance with RFC 4492 and, as a result, solves interoperability issues with BouncyCastle. Raised by milenamil in #1157.
- Fixed a potential use-after-free issue in mbedtls_ssl_get_max_frag_len() and mbedtls_ssl_get_record_expansion() after a session reset. Fixes #1941.
- Fixed a miscalculation of the maximum record expansion in mbedtls_ssl_get_record_expansion() when using the ChaCha-Poly1305 ciphersuites or any CBC ciphersuites in (D)TLS versions 1.1 or higher. Fixes #1913 and #1914.
- Fixed a bug that caused SSL/TLS clients to incorrectly abort the handshake with TLS versions 1.1 and earlier when the server requested authentication without providing a list of CAs (Certificate Authorities). This was due to an overly strict bounds check in parsing the CertificateRequest message, introduced in Mbed TLS 2.12.0. Fixes #1954.
- Fixed a memory leak and a free without initialization in the pk_encrypt and pk_decrypt example programs. Reported by Brace Stout. Fixes #1128.
- Fixed undefined shifts with negative values in certificate parsing. Fixed by Catena Cyber, with credit for finding the issue to OSS-Fuzz.
- Replaced printf with mbedtls_printf() in the ARIA module. Found by TrinityTonic in #1908.
- Removed a redundant else statement. Raised by irwir. Fixes #1776.
Changes
- Improved interworking with some alternative Mbed OS hardware-accelerated CCM implementations by using CCM test vectors from RAM.
- Added support to preserve the timestamps of headers copied when doing a make install. Contributed by xueruini.
- Forward declaration of structs in the public interface is now possible. Contributed by Dawid Drozd. Fixes #1215 raised by randombit.
- Added support for buffering of out-of-order handshake messages. Original contribution by Bryce Kahle.
- Added warnings to the documentation of the HKDF module to reduce the risk of misusing the mbedtls_hkdf_extract() and mbedtls_hkdf_expand() functions. Fixes #1775. Reported by Brian J. Murray.
Who should update
We recommend that all users update to take advantage of the bug fixes contained in this release at an appropriate point in their development lifecycle.
Users of Mbed TLS 1.3 or any earlier version are recommended to upgrade to one of the maintained releases as Mbed TLS 1.3 has now reached its end-of-life.
End of life for Mbed TLS 2.1
Mbed TLS 2.1.0 was first shipped on 4th September 2015, and is nearing the end of its life. Mbed TLS 2.1 will not be supported after Autumn 2018. All users of Mbed TLS 2.1 are advised to upgrade to a later version of Mbed TLS wherever possible. The latest long-term support branch is Mbed TLS 2.7.