Changelog History

  • v2.7.13

    January 15, 2020
  • v2.7.12 Changes

    September 18, 2019

    Description

    Mbed TLS 2.7.12 is a maintenance release of the Mbed TLS 2.7 branch, and provides bug fixes and minor enhancements.

    Security

    • Fix a missing error detection in ECJPAKE. This could have caused a predictable shared secret if a hardware accelerator failed and the other side of the key exchange had a similar bug.
    • When writing a private EC key, use a constant size for the private value, as specified in RFC 5915. Previously, the value was written as an ASN.1 INTEGER, which caused the size of the key to leak about 1 bit of information on average and could cause the value to be 1 byte too large for the output buffer.
    • The deterministic ECDSA calculation reused the scheme's HMAC-DRBG to implement blinding. Because of this, for the same key and message, the same blinding value was generated. This reduced the effectiveness of the countermeasure and leaked information about the private key through side channels. Reported by Jack Lloyd.
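The RFC 5915 point above, as an added example that is not Mbed TLS code: a minimal DER writer for the private scalar in both forms, applied to a constructed 32-octet scalar (assumed, not a real key) written into the 34-byte buffer a caller would size for the fixed form. The INTEGER form comes out shorter when the scalar has a leading zero octet and does not fit when its top bit is set, which are the leak and the overflow the fix removes.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, not Mbed TLS code: the EC private scalar written as an ASN.1
 * INTEGER versus the fixed-size OCTET STRING that RFC 5915 requires. Short-form
 * DER lengths only (content < 128 octets), enough for every standard curve.
 * Both writers return the bytes written, or 0 if 'cap' is too small. */

/* INTEGER: leading zero octets are dropped and a 0x00 is prepended when the
 * top bit is set, so the encoded length depends on the key's value. */
size_t der_write_integer(uint8_t *out, size_t cap, const uint8_t *d, size_t n)
{
    size_t skip = 0;
    while (skip < n && d[skip] == 0)
        skip++;
    int pad = (skip < n && (d[skip] & 0x80)) ? 1 : 0;
    size_t content = (skip == n) ? 1 : (n - skip) + pad; /* zero is one 0x00 */
    if (content >= 128 || 2 + content > cap)
        return 0;
    out[0] = 0x02; /* INTEGER */
    out[1] = (uint8_t)content;
    size_t pos = 2;
    if (pad || skip == n)
        out[pos++] = 0x00;
    memcpy(out + pos, d + skip, n - skip);
    return 2 + content;
}

/* OCTET STRING of exactly the group size (RFC 5915 privateKey): the length is
 * the same for every key, so it neither leaks the value nor overruns. */
size_t der_write_fixed_octet_string(uint8_t *out, size_t cap,
                                    const uint8_t *d, size_t n)
{
    if (n >= 128 || 2 + n > cap)
        return 0;
    out[0] = 0x04; /* OCTET STRING */
    out[1] = (uint8_t)n;
    memcpy(out + 2, d, n);
    return 2 + n;
}

/* Constructed 32-octet scalar (P-256 sized, not a real key): only the first
 * octet varies, the rest is filler. The 34-byte output buffer is what a caller
 * sizes for a 32-octet group. Returns the encoded length, 0 on overflow. */
size_t demo_len(int as_integer, uint8_t first_octet)
{
    uint8_t key[32], out[34];
    memset(key, 0x5A, sizeof key);
    key[0] = first_octet;
    if (as_integer)
        return der_write_integer(out, sizeof out, key, sizeof key);
    return der_write_fixed_octet_string(out, sizeof out, key, sizeof key);
}
```

demo_len(1, 0x00) returns 33 (one byte shorter, so an observer learns the leading octet was zero), demo_len(1, 0x80) returns 0 (35 bytes needed, buffer holds 34), while the fixed form returns 34 for every scalar.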

    API Changes

    • The new function mbedtls_ecdsa_sign_det_ext() is similar to mbedtls_ecdsa_sign_det() but allows passing an external RNG for the purpose of blinding.
    • The new function mbedtls_ecp_gen_privkey() allows generating a private key without generating the public part of the pair.

    Bugfix

    • Fix to allow building test suites with any warning that detects unused functions. Fixes #1628.
    • Fix typo in net_would_block(). Fixes #528 reported by github-monoculture.
    • Remove redundant include file in timing.c. Fixes #2640 reported by irwir.
    • Fix Visual Studio Release x64 build configuration by inheriting PlatformToolset from the project configuration. Fixes #1430 reported by irwir.
    • Enable Suite B with subset of ECP curves. Make sure the code compiles even if some curves are not defined. Fixes #1591 reported by dbedev.
    • Fix misuse of signed arithmetic in the HAVEGE module. #2598
    • Update test certificates that were about to expire. Reported by Bernhard M. Wiedemann in #2357.
    • Make NV seed test support MBEDTLS_ENTROPY_FORCE_SHA256.
    • Fix memory leak in mpi_miller_rabin(). Contributed by Jens Wiklander in #2363.

    Changes

    • Make 'make clean' always clean all programs. Fixes #1862.

    Who should update

    We recommend all affected users should update to take advantage of the bug fixes contained in this release at an appropriate point in their development lifecycle.

  • v2.7.11 Changes

    June 19, 2019

    Description

    Mbed TLS 2.7.11 is a maintenance release of the Mbed TLS 2.7 branch, and provides bug fixes and minor enhancements.

    Security

    • Make mbedtls_ecdh_get_params return an error if the second key belongs to a different group from the first. Before, if an application passed keys that belonged to different groups, the first key's data was interpreted according to the second group, which could lead to either an error or a meaningless output from mbedtls_ecdh_get_params. In the latter case, this could expose at most 5 bits of the private key.

    Bugfix

    • Server's RSA certificate in certs.c was SHA-1 signed. In the default Mbed TLS configuration only SHA-2 signed certificates are accepted. This certificate is used in the demo server programs, which led the client programs to fail at the peer's certificate verification due to an unacceptable hash signature. The certificate has been updated to one that is SHA-256 signed. Fix contributed by Illya Gerasymchuk.
    • Fix private key DER output in the key_app_writer example. File contents were shifted by one byte, creating an invalid ASN.1 tag. Fixed by Christian Walther in #2239.
    • Fix potential memory leak in X.509 self test. Found and fixed by Junhwan Park, #2106.
    • Fix 1-byte buffer overflow in mbedtls_mpi_write_string() when used with negative inputs. Found by Guido Vranken in #2404. Credit to OSS-Fuzz.
    • Fix bugs in the AEAD test suite which would be exposed by ciphers which either used both encrypt and decrypt key schedules, or which perform padding. GCM and CCM were not affected. Fixed by Jack Lloyd.
    • Fix incorrect default port number in ssl_mail_client example's usage. Found and fixed by irwir. #2337
    • Add missing parentheses around parameters in the definition of the public macro MBEDTLS_X509_ID_FLAG. This could lead to invalid evaluation in case operators binding less strongly than subtraction were used for the parameter.
    • Add a check for MBEDTLS_X509_CRL_PARSE_C in ssl_server2, guarding the crl sni entry parameter. Reported by inestlerode in #560.
    • Fix missing bounds checks in X.509 parsing functions that could lead to successful parsing of ill-formed X.509 CRTs. Fixes #2437.
    • Fix multiple X.509 functions previously returning ASN.1 low-level error codes to always wrap these codes into X.509 high level error codes before returning. Fixes #2431.

    Changes

    • Return from various debugging routines immediately if the provided SSL context is unset.
    • Remove dead code from bignum.c in the default configuration. Found by Coverity, reported and fixed by Peter Kolbus (Garmin). Fixes #2309.
    • Add test for minimal value of MBEDTLS_MPI_WINDOW_SIZE to all.sh. Contributed by Peter Kolbus (Garmin).
    • Change wording in the mbedtls_ssl_conf_max_frag_len()'s documentation to improve clarity. Fixes #2258.
    • Replace multiple uses of MD2 by SHA-256 in X.509 test suite. Fixes #821.
    • Improve debug output of ssl_client2 and ssl_server2 in case suitable test CRTs are available because MBEDTLS_PEM_PARSE_C is disabled. Fixes #2254.

    Who should update

    We recommend all affected users should update to take advantage of the bug fixes contained in this release at an appropriate point in their development lifecycle.

  • v2.7.10 Changes

    March 27, 2019

    Description

    Mbed TLS 2.7.10 is a maintenance release of the Mbed TLS 2.7 branch, and provides bug fixes and minor enhancements.

    Bugfix

    • Run the AD too long test only if MBEDTLS_CCM_ALT is not defined. Raised as a comment in #1996.
    • Fix clobber list in MIPS assembly for large integer multiplication. Previously, this could lead to functionally incorrect assembly being produced by some optimizing compilers, showing up as failures in e.g. RSA or ECC signature operations. Reported in #1722, fix suggested by Aurelien Jarno and submitted by Jeffrey Martin.
    • Reduce stack usage of mpi_write_hlp() by eliminating recursion. Fixes #2190.
    • Remove a duplicate #include in a sample program. Fixed by Masashi Honma #2326.
    • Fix returning the value 1 when mbedtls_ecdsa_genkey() failed.
    • Ensure that unused bits are zero when writing ASN.1 bitstrings when using mbedtls_asn1_write_bitstring().
    • Fix issue when writing the named bitstrings in KeyUsage and NsCertType extensions in CSRs and CRTs that caused these bitstrings to not be encoded correctly as trailing zeroes were not accounted for as unused bits in the leading content octet. Fixes #1610.
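The unused-bits rule behind the two BIT STRING fixes above, as an added example that is not Mbed TLS code and not its mbedtls_asn1_write_bitstring() API: a standalone DER writer for a named bit list such as KeyUsage, fed constructed KeyUsage values. It assumes the input bitmap is in ASN.1 bit order (bit 0 is the top bit of the first octet) and that the caller states how many named bits the type defines.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, not Mbed TLS code: DER encoding of a named bit list such as
 * KeyUsage. 'bitmap' holds the bits in ASN.1 order (bit 0 is the most
 * significant bit of bitmap[0]) and 'nbits' is how many named bits exist.
 * DER requires trailing zero bits to be dropped, the first content octet to
 * count the unused bits of the final octet, and those unused bits to be zero.
 * Returns the bytes written, or 0 if 'out' is too small. */
size_t der_write_named_bitstring(uint8_t *out, size_t cap,
                                 const uint8_t *bitmap, size_t nbits)
{
    /* The last set bit decides the length; trailing zero bits are not encoded. */
    size_t used = 0;
    for (size_t i = 0; i < nbits; i++)
        if (bitmap[i / 8] & (0x80u >> (i % 8)))
            used = i + 1;
    size_t content = (used + 7) / 8;
    size_t unused_bits = content * 8 - used;
    if (content + 1 >= 128 || 3 + content > cap)
        return 0;
    out[0] = 0x03;                   /* BIT STRING */
    out[1] = (uint8_t)(content + 1); /* unused-bits octet plus data */
    out[2] = (uint8_t)unused_bits;
    memcpy(out + 3, bitmap, content);
    /* Force the unused low bits of the last octet to zero. */
    if (content > 0)
        out[2 + content] &= (uint8_t)(0xFFu << unused_bits);
    return 3 + content;
}

/* Constructed inputs. KeyUsage has 9 named bits, so its bitmap is 2 octets:
 * digitalSignature(0), keyEncipherment(2) and decipherOnly(8) are used here. */
const uint8_t ku_sig_keyenc[2] = { 0xA0, 0x00 };   /* bits 0 and 2 */
const uint8_t ku_sig_decipher[2] = { 0x80, 0x80 }; /* bits 0 and 8 */
const uint8_t ku_none[2] = { 0x00, 0x00 };
const uint8_t three_bits_dirty[1] = { 0xA7 };      /* bits 0,2 set; junk past bit 2 */

/* Expected DER: tag, length, unused-bit count, data. */
const uint8_t der_sig_keyenc[] = { 0x03, 0x02, 0x05, 0xA0 };
const uint8_t der_sig_decipher[] = { 0x03, 0x03, 0x07, 0x80, 0x80 };
const uint8_t der_none[] = { 0x03, 0x01, 0x00 };

/* Returns 1 when the bitmap encodes to exactly 'expect'. */
int encodes_to(const uint8_t *bitmap, size_t nbits,
               const uint8_t *expect, size_t explen)
{
    uint8_t out[16];
    size_t n = der_write_named_bitstring(out, sizeof out, bitmap, nbits);
    return n == explen && memcmp(out, expect, explen) == 0;
}
```

The dirty 3-bit input encodes to the same bytes as the clean digitalSignature+keyEncipherment value because the bits beyond the last named bit are masked, and an all-zero KeyUsage becomes the 3-byte empty BIT STRING rather than two zero octets with a zero unused count.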

    Changes

    • Include configuration file in all header files that use configuration, instead of relying on other header files that they include. Inserted as an enhancement for #1371.
    • Add support for alternative CSR headers, as used by Microsoft and defined in RFC 7468. Found by Michael Ernst. Fixes #767.
    • Reduce the complexity of the timing tests. They were assuming more than the underlying OS actually guarantees.
    • Ciphersuites based on 3DES now have the lowest priority by default when they are enabled.

    Who should update

    We recommend all affected users should update to take advantage of the bug fixes contained in this release at an appropriate point in their development lifecycle.

  • v2.7.9 Changes

    December 24, 2018

    Description

    Mbed TLS 2.7.9 is a maintenance release, and contains no new features. This release addresses multiple defects.

    Bugfix

    • Fix for Clang, which was reporting a warning for the bignum.c inline assembly for AMD64 targets creating string literals greater than those permitted by the ISO C99 standard. Found by Aaron Jones. Fixes #482.
    • Fix runtime error in mbedtls_platform_entropy_poll() when run through qemu user emulation. Reported and fix suggested by randombit. Fixes #1212.
    • Fix an unsafe bounds check when restoring an SSL session from a ticket. This could lead to a buffer overflow, but only in case ticket authentication was broken. Reported and fix suggested by Guido Vranken in #659.
    • Add explicit integer to enumeration type casts to example program programs/pkey/gen_key which previously led to compilation failure on some toolchains. Reported by phoenixmcallister. Fixes #2170.
    • Clarify documentation of mbedtls_ssl_set_own_cert() regarding the absence of check for certificate/key matching. Reported by Attila Molnar, #507.

    Who should update

    We recommend all affected users should update to take advantage of the bug fixes contained in this release at an appropriate point in their development lifecycle.

  • v1.2.13 Changes

    February 16, 2015

    Note: Although PolarSSL has been renamed to mbed TLS, no changes reflecting this will be made in the 1.2 branch at this point.

    Security

    • Fix remotely-triggerable uninitialised pointer dereference caused by crafted X.509 certificate (TLS server is not affected if it doesn't ask for a client certificate) (found using Codenomicon Defensics).
    • Fix remotely-triggerable memory leak caused by crafted X.509 certificates (TLS server is not affected if it doesn't ask for a client certificate) (found using Codenomicon Defensics).
    • Fix potential stack overflow while parsing crafted X.509 certificates (TLS server is not affected if it doesn't ask for a client certificate) (found using Codenomicon Defensics).
    • Fix buffer overread of size 1 when parsing crafted X.509 certificates (TLS server is not affected if it doesn't ask for a client certificate).

    Bugfix

    • Fix potential undefined behaviour in Camellia.
    • Fix memory leaks in PKCS#5 and PKCS#12.
    • Stack buffer overflow if ctr_drbg_update() is called with too large add_len (found by Jean-Philippe Aumasson) (not triggerable remotely).
    • Fix bug in MPI/bignum on s390/s390x (reported by Dan Horák) (introduced in 1.2.12).
    • Fix unchecked return code in x509_crt_parse_path() on Windows (found by Peter Vaskovic).
    • Fix assembly selection for MIPS64 (thanks to James Cowgill).
    • ssl_get_verify_result() now works even if the handshake was aborted due to a failed verification (found by Fredrik Axelsson).
    • Skip writing and parsing signature_algorithm extension if none of the key exchanges enabled needs certificates. This fixes a possible interop issue with some servers when a zero-length extension was sent. (Reported by Peter Dettman.)
    • On a 0-length input, base64_encode() did not correctly set output length (found by Hendrik van den Boogaard).

    Changes

    • Blind RSA private operations even when POLARSSL_RSA_NO_CRT is defined.
    • Forbid repeated extensions in X.509 certificates.
    • Add compile-time option POLARSSL_X509_MAX_INTERMEDIATE_CA to limit the length of an X.509 verification chain (default = 8).

  • v1.2.12 Changes

    October 24, 2014

    Security

    • Remotely-triggerable memory leak when parsing some X.509 certificates (server is not affected if it doesn't ask for a client certificate). (Found using Codenomicon Defensics.)

    Bugfix

    • Fix potential bad read in parsing ServerHello (found by Adrien Vialletelle).
    • ssl_close_notify() could send more than one message in some circumstances with non-blocking I/O.
    • x509_crt_parse() did not increase total_failed on PEM error.
    • Fix compiler warnings on iOS (found by Sander Niemeijer).
    • Don't print uninitialised buffer in ssl_mail_client (found by Marc Abel).
    • Fix net_accept() regarding non-blocking sockets (found by Luca Pesce).
    • ssl_read() could return non-application data records on server while renegotiation was pending, and on client when a HelloRequest was received.
    • Fix warnings from Clang's scan-build (contributed by Alfred Klomp).

    Changes

    • X.509 certificates with more than one AttributeTypeAndValue per RelativeDistinguishedName are not accepted any more.
    • ssl_read() now returns POLARSSL_ERR_NET_WANT_READ rather than POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE on harmless alerts.
    • Accept spaces at end of line or end of buffer in base64_decode().

  • v1.2.11 Changes

    July 11, 2014

    Features

    • Entropy module now supports seed writing and reading

    Changes

    • Introduced POLARSSL_HAVE_READDIR_R for systems without it
    • Improvements to the CMake build system, contributed by Julian Ospald.
    • Work around a bug of the version of Clang shipped by Apple with Mavericks that prevented bignum.c from compiling. (Reported by Rafael Baptista.)
    • Improvements to tests/Makefile, contributed by Oden Eriksson.
    • Use UTC time to check certificate validity.
    • Reject certificates with times not in UTC, per RFC 5280.
    • Migrate zeroizing of data to polarssl_zeroize() instead of memset() against unwanted compiler optimizations

    Security

    • Forbid change of server certificate during renegotiation to prevent "triple handshake" attack when authentication mode is optional (the attack was already impossible when authentication is required).
    • Check notBefore timestamp of certificates and CRLs from the future.
    • Forbid sequence number wrapping
    • Prevent potential NULL pointer dereference in ssl_read_record() (found by TrustInSoft)
    • Fix length checking for AEAD ciphersuites (found by Codenomicon). It was possible to crash the server (and client) using crafted messages when a GCM suite was chosen.

    Bugfix

    • Fixed X.509 hostname comparison (with non-regular characters)
    • SSL now gracefully handles missing RNG
    • crypt_and_hash app checks MAC before final decryption
    • Fixed x509_crt_parse_path() bug on Windows platforms
    • Added missing MPI_CHK() around some statements in mpi_div_mpi() (found by TrustInSoft)
    • Fixed potential overflow in certificate size verification in ssl_write_certificate() (found by TrustInSoft)
    • Fix ASM format in bn_mul.h
    • Potential memory leak in bignum_selftest()
    • Replaced expired test certificate
    • ssl_mail_client now terminates lines with CRLF, instead of LF
    • Fix bug in RSA PKCS#1 v1.5 "reversed" operations
    • Fixed testing with out-of-source builds using cmake
    • Fixed version-major intolerance in server
    • Fixed CMake symlinking on out-of-source builds
    • Bignum's MIPS-32 assembly was used on MIPS-64, causing chaos. (Found by Alex Wilson.)
    • ssl_init() was leaving a dirty pointer in ssl_context if malloc of out_ctr failed
    • ssl_handshake_init() was leaving dirty pointers in subcontexts if malloc of one of them failed
    • x509_get_current_time() uses localtime_r() to prevent thread issues
    • Some example server programs were not sending the close_notify alert.
    • Potential memory leak in mpi_exp_mod() when error occurs during calculation of RR.
    • Improve interoperability by not writing extension length in ClientHello when no extensions are present (found by Matthew Page)
    • rsa_check_pubkey() now allows an E up to N
    • On OpenBSD, use arc4random_buf() instead of rand() to prevent warnings
    • mpi_fill_random() was creating numbers larger than requested on big-endian platform when size was not an integer number of limbs
    • Fix detection of DragonflyBSD in net.c (found by Markus Pfeiffer)
    • Stricter check on SSL ClientHello internal sizes compared to actual packet size (found by TrustInSoft)
    • Fix preprocessor checks for bn_mul PPC asm (found by Barry K. Nathan).
    • Use \n\t rather than semicolons for bn_mul asm, since some assemblers interpret semicolons as comment delimiters (found by Barry K. Nathan).
    • Disable broken Sparc64 bn_mul assembly (found by Florian Obser).
    • Fix base64_decode() to return and check length correctly (in case of tight buffers)

  • v1.2.10 Changes

    October 07, 2013

    Changes

    • Changed RSA blinding to a slower but thread-safe version

    Bugfix

    • Fixed memory leak in RSA as a result of introduction of blinding
    • Fixed ssl_pkcs11_decrypt() prototype
    • Fixed MSVC project files

  • v1.2.9 Changes

    October 01, 2013

    Changes

    • x509_verify() now case insensitive for cn (RFC 6125 6.4)

    Bugfix

    • Fixed potential memory leak when failing to resume a session
    • Fixed potential file descriptor leaks (found by Remi Gacogne)
    • Minor fixes

    Security

    • Fixed potential heap buffer overflow on large hostname setting
    • Fixed potential negative value misinterpretation in load_file()
    • RSA blinding on CRT operations to counter timing attacks (found by Cyril Arnaud and Pierre-Alain Fouque)