Skip to content

Mbed TLS 2.28.1

Compare
Choose a tag to compare
@daverodgman daverodgman released this 11 Jul 19:09
· 2042 commits to mbedtls-2.28 since this release
dd79db1

Description

This release of Mbed TLS provides bug fixes and minor enhancements. This release includes fixes for security issues.

Mbed TLS 2.28 is a long-time support branch. It will be supported with bug-fixes and security fixes until end of 2024.

Security Advisories

For full details, please see the following link:

https://mbed-tls.readthedocs.io/en/latest/security-advisories/advisories/mbedtls-security-advisory-2022-07.html

Release Notes

Default behavior changes

  • mbedtls_cipher_set_iv will now fail with ChaCha20 and ChaCha20+Poly1305
    for IV lengths other than 12. The library was silently overwriting this
    length with 12, but did not inform the caller about it. Fixes #4301.

Features

  • When MBEDTLS_PSA_CRYPTO_CONFIG is enabled, you may list the PSA crypto
    feature requirements in the file named by the new macro
    MBEDTLS_PSA_CRYPTO_CONFIG_FILE instead of the default psa/crypto_config.h.
    Furthermore you may name an additional file to include after the main
    file with the macro MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE.

Security

  • Zeroize dynamically-allocated buffers used by the PSA Crypto key storage
    module before freeing them. These buffers contain secret key material, and
    could thus potentially leak the key through freed heap.
  • Fix a potential heap buffer overread in TLS 1.2 server-side when
    MBEDTLS_USE_PSA_CRYPTO is enabled, an opaque key (created with
    mbedtls_pk_setup_opaque()) is provisioned, and a static ECDH ciphersuite
    is selected. This may result in an application crash or potentially an
    information leak.
  • Fix a buffer overread in DTLS ClientHello parsing in servers with
    MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE enabled. An unauthenticated client
    or a man-in-the-middle could cause a DTLS server to read up to 255 bytes
    after the end of the SSL input buffer. The buffer overread only happens
    when MBEDTLS_SSL_IN_CONTENT_LEN is less than a threshold that depends on
    the exact configuration: 258 bytes if using mbedtls_ssl_cookie_check(),
    and possibly up to 571 bytes with a custom cookie check function.
    Reported by the Cybeats PSI Team.

Bugfix

  • Fix a memory leak if mbedtls_ssl_config_defaults() is called twice.
  • Fix several bugs (warnings, compiler and linker errors, test failures)
    in reduced configurations when MBEDTLS_USE_PSA_CRYPTO is enabled.
  • Fix a bug in (D)TLS curve negotiation: when MBEDTLS_USE_PSA_CRYPTO was
    enabled and an ECDHE-ECDSA or ECDHE-RSA key exchange was used, the
    client would fail to check that the curve selected by the server for
    ECDHE was indeed one that was offered. As a result, the client would
    accept any curve that it supported, even if that curve was not allowed
    according to its configuration. Fixes #5291.
  • Fix unit tests that used 0 as the file UID. This failed on some
    implementations of PSA ITS. Fixes #3838.
  • Fix API violation in mbedtls_md_process() test by adding a call to
    mbedtls_md_starts(). Fixes #2227.
  • Fix compile errors when MBEDTLS_HAVE_TIME is not defined. Add tests
    to catch bad uses of time.h.
  • Fix the library search path when building a shared library with CMake
    on Windows.
  • Fix bug in the alert sending function mbedtls_ssl_send_alert_message()
    potentially leading to corrupted alert messages being sent in case
    the function needs to be re-called after initially returning
    MBEDTLS_SSL_WANT_WRITE. Fixes #1916.
  • In configurations with MBEDTLS_SSL_DTLS_CONNECTION_ID enabled but none of
    MBEDTLS_SSL_HW_RECORD_ACCEL, MBEDTLS_SSL_EXPORT_KEYS or MBEDTLS_DEBUG_C,
    DTLS handshakes using CID would crash due to a null pointer dereference.
    Fix this. Fixes #3998.
  • Fix incorrect documentation of mbedtls_x509_crt_profile. The previous
    documentation stated that the allowed_pks field applies to signatures
    only, but in fact it does apply to the public key type of the end entity
    certificate, too. Fixes #1992.
  • Fix PSA cipher multipart operations using ARC4. Previously, an IV was
    required but discarded. Now, an IV is rejected, as it should be.
  • Fix undefined behavior in mbedtls_asn1_find_named_data(), where val is
    not NULL and val_len is zero.
  • psa_raw_key_agreement() now returns PSA_ERROR_BUFFER_TOO_SMALL when
    applicable. Fixes #5735.
  • Fix a bug in the x25519 example program where the removal of
    MBEDTLS_ECDH_LEGACY_CONTEXT caused the program not to run. Fixes #4901 and
    #3191.
  • Encode X.509 dates before 1/1/2000 as UTCTime rather than
    GeneralizedTime. Fixes #5465.
  • Fix order value of curve x448.
  • Fix string representation of DNs when outputting values containing commas
    and other special characters, conforming to RFC 1779. Fixes #769.
  • Silence a warning from GCC 12 in the selftest program. Fixes #5974.
  • Fix mbedtls_asn1_write_mpi() writing an incorrect encoding of 0.
  • Fix resource leaks in mbedtls_pk_parse_public_key() in low
    memory conditions.
  • Fix server connection identifier setting for outgoing encrypted records
    on DTLS 1.2 session resumption. After DTLS 1.2 session resumption with
    connection identifier, the Mbed TLS client now properly sends the server
    connection identifier in encrypted record headers. Fix #5872.
  • Fix a null pointer dereference when performing some operations on zero
    represented with 0 limbs (specifically mbedtls_mpi_mod_int() dividing
    by 2, and mbedtls_mpi_write_string() in base 2).
  • Fix record sizes larger than 16384 being sometimes accepted despite being
    non-compliant. This could not lead to a buffer overflow. In particular,
    application data size was already checked correctly.

Changes

  • Assume source files are in UTF-8 when using MSVC with CMake.

Who should update

We recommend all users should update to take advantage of the bug fixes contained in this release at an appropriate point in their development lifecycle.

Checksum

The SHA256 hashes for the archives are:

6797a7b6483ef589deeab8d33d401ed235d7be25eeecda1be8ddfed406d40ff4 mbedtls-2.28.1.tar.gz
b67866fc781934d9c6a322489a1efdc79ef545bf242a3bfa7cffd3c393d377c1 mbedtls-2.28.1.zip