Skip to content

Mbed TLS 2.28.0

Compare
Choose a tag to compare
@daverodgman daverodgman released this 17 Dec 11:39
8b3f26a

Description

This release of Mbed TLS provides bug fixes and minor enhancements. This release includes fixes for security issues.

Mbed TLS 2.28 is a long-time support branch. It will be supported with bug-fixes and security fixes until end of 2024.

Security Advisories

For full details, please see the following links:

https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2021-12

Release Notes

API changes

  • Some fields of mbedtls_ssl_session and mbedtls_ssl_config are in a
    different order. This only affects applications that define such
    structures directly or serialize them.

Requirement changes

  • Sign-magnitude and one's complement representations for signed integers are
    not supported. Two's complement is the only supported representation.

Removals

  • Remove config option MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES,
    which allowed SHA-1 in the default TLS configuration for certificate
    signing. It was intended to facilitate the transition in environments
    with SHA-1 certificates. SHA-1 is considered a weak message digest and
    its use constitutes a security risk.
  • Remove the partial support for running unit tests via Greentea on Mbed OS,
    which had been unmaintained since 2018.

Features

  • The identifier of the CID TLS extension can be configured by defining
    MBEDTLS_TLS_EXT_CID at compile time.
  • Warn if errors from certain functions are ignored. This is currently
    supported on GCC-like compilers and on MSVC and can be configured through
    the macro MBEDTLS_CHECK_RETURN. The warnings are always enabled
    (where supported) for critical functions where ignoring the return
    value is almost always a bug. Enable the new configuration option
    MBEDTLS_CHECK_RETURN_WARNING to get warnings for other functions. This
    is currently implemented in the AES, DES and md modules, and will be
    extended to other modules in the future.
  • Add missing PSA macros declared by PSA Crypto API 1.0.0:
    PSA_ALG_IS_SIGN_HASH, PSA_ALG_NONE, PSA_HASH_BLOCK_LENGTH, PSA_KEY_ID_NULL.
  • Add new API mbedtls_ct_memcmp for constant time buffer comparison.
  • Add PSA API definition for ARIA.

Security

  • Zeroize several intermediate variables used to calculate the expected
    value when verifying a MAC or AEAD tag. This hardens the library in
    case the value leaks through a memory disclosure vulnerability. For
    example, a memory disclosure vulnerability could have allowed a
    man-in-the-middle to inject fake ciphertext into a DTLS connection.
  • In psa_cipher_generate_iv() and psa_cipher_encrypt(), do not read back
    from the output buffer. This fixes a potential policy bypass or decryption
    oracle vulnerability if the output buffer is in memory that is shared with
    an untrusted application.
  • Fix a double-free that happened after mbedtls_ssl_set_session() or
    mbedtls_ssl_get_session() failed with MBEDTLS_ERR_SSL_ALLOC_FAILED
    (out of memory). After that, calling mbedtls_ssl_session_free()
    and mbedtls_ssl_free() would cause an internal session buffer to
    be free()'d twice.

Bugfix

  • Stop using reserved identifiers as local variables. Fixes #4630.
  • The GNU makefiles invoke python3 in preference to python except on Windows.
    The check was accidentally not performed when cross-compiling for Windows
    on Linux. Fix this. Fixes #4774.
  • Prevent divide by zero if either of PSA_CIPHER_ENCRYPT_OUTPUT_SIZE() or
    PSA_CIPHER_UPDATE_OUTPUT_SIZE() were called using an asymmetric key type.
  • Fix a parameter set but unused in psa_crypto_cipher.c. Fixes #4935.
  • Don't use the obsolete header path sys/fcntl.h in unit tests.
    These header files cause compilation errors in musl.
    Fixes #4969.
  • Fix missing constraints on x86_64 and aarch64 assembly code
    for bignum multiplication that broke some bignum operations with
    (at least) Clang 12.
    Fixes #4116, #4786, #4917, #4962.
  • Fix mbedtls_cipher_crypt: AES-ECB when MBEDTLS_USE_PSA_CRYPTO is enabled.
  • Failures of alternative implementations of AES or DES single-block
    functions enabled with MBEDTLS_AES_ENCRYPT_ALT, MBEDTLS_AES_DECRYPT_ALT,
    MBEDTLS_DES_CRYPT_ECB_ALT or MBEDTLS_DES3_CRYPT_ECB_ALT were ignored.
    This does not concern the implementation provided with Mbed TLS,
    where this function cannot fail, or full-module replacements with
    MBEDTLS_AES_ALT or MBEDTLS_DES_ALT. Reported by Armelle Duboc in #1092.
  • Some failures of HMAC operations were ignored. These failures could only
    happen with an alternative implementation of the underlying hash module.
  • Fix the error returned by psa_generate_key() for a public key. Fixes #4551.
  • Fix the build of sample programs when neither MBEDTLS_ERROR_C nor
    MBEDTLS_ERROR_STRERROR_DUMMY is enabled.
  • Fix PSA_ALG_RSA_PSS verification accepting an arbitrary salt length.
    This algorithm now accepts only the same salt length for verification
    that it produces when signing, as documented. Use the new algorithm
    PSA_ALG_RSA_PSS_ANY_SALT to accept any salt length. Fixes #4946.
  • The existing predicate macro name PSA_ALG_IS_HASH_AND_SIGN is now reserved
    for algorithm values that fully encode the hashing step, as per the PSA
    Crypto API specification. This excludes PSA_ALG_RSA_PKCS1V15_SIGN_RAW and
    PSA_ALG_ECDSA_ANY. The new predicate macro PSA_ALG_IS_SIGN_HASH covers
    all algorithms that can be used with psa_{sign,verify}_hash(), including
    these two.
  • Fix issue in Makefile on Linux with SHARED=1, that caused shared libraries
    not to list other shared libraries they need.
  • Fix a bug in mbedtls_gcm_starts() when the bit length of the iv
    exceeds 2^32. Fixes #4884.
  • Fix an uninitialized variable warning in test_suite_ssl.function with GCC
    version 11.
  • Fix the build when no SHA2 module is included. Fixes #4930.
  • Fix the build when only the bignum module is included. Fixes #4929.
  • Fix a potential invalid pointer dereference and infinite loop bugs in
    pkcs12 functions when the password is empty. Fix the documentation to
    better describe the inputs to these functions and their possible values.
    Fixes #5136.
  • The key usage flags PSA_KEY_USAGE_SIGN_MESSAGE now allows the MAC
    operations psa_mac_compute() and psa_mac_sign_setup().
  • The key usage flags PSA_KEY_USAGE_VERIFY_MESSAGE now allows the MAC
    operations psa_mac_verify() and psa_mac_verify_setup().

Changes

  • Set config option MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE to be
    disabled by default.
  • Improve the performance of base64 constant-flow code. The result is still
    slower than the original non-constant-flow implementation, but much faster
    than the previous constant-flow implementation. Fixes #4814.
  • Indicate in the error returned if the nonce length used with
    ChaCha20-Poly1305 is invalid, and not just unsupported.
  • The mbedcrypto library includes a new source code module constant_time.c,
    containing various functions meant to resist timing side channel attacks.
    This module does not have a separate configuration option, and functions
    from this module will be included in the build as required. Currently
    most of the interface of this module is private and may change at any
    time.

Who should update

We recommend all users should update to take advantage of the bug fixes contained in this release at an appropriate point in their development lifecycle.

Checksum

The SHA256 hashes for the archives are:

6519579b836ed78cc549375c7c18b111df5717e86ca0eeff4cb64b2674f424cc mbedtls-2.28.0.tar.gz
80cf41f5f3f625436e3a800e9708e60a25206cd5d81968ba8dd9f3e8becd37e6 mbedtls-2.28.0.zip