Mbed TLS 2.9.0

Description

Mbed TLS version 2.9.0 has now been released, in addition to maintenance releases for Mbed TLS 2.1 and Mbed TLS 1.3.

Mbed TLS 2.9.0 introduces some minor functional improvements including code size reductions with smaller AES tables, and initial support for Curve448 along with some security fixes and bug fixes.

Security

• (2.9, 2.7, 2.1) Fixed an issue in the X.509 module which could lead to a buffer overread during certificate validation. Additionally, the issue could also lead to unnecessary callback checks being made or to some validation checks to be omitted. The overread could be triggered remotely, while the other issues would require a non DER-compliant certificate to be correctly signed by a trusted CA, or a trusted CA with a non DER-compliant certificate. Found by luocm. Fixes #825.
• (2.9, 2.7, 2.1) Fixed the buffer length assertion in the ssl_parse_certificate_request() function which could lead to an arbitrary overread of the message buffer. The overreads could be caused by receiving a malformed algorithms section which was too short. In builds with debug output, this overread data was output with the debug data.
• (2.9, 2.7, 2.1) Fixed a client-side bug in the validation of the server's ciphersuite choice which could potentially lead to the client accepting a ciphersuite it didn't offer or a ciphersuite that could not be used with the TLS or DTLS version chosen by the server. This could lead to corruption of internal data structures for some configurations.

Features

• (2.9) Added an option of MBEDTLS_AES_FEWER_TABLES, to dynamically compute smaller AES tables during runtime, thereby reducing the RAM/ROM footprint by ~6KiB. Suggested and contributed by jkivilin.
• (2.9) Added initial support for Curve448 (RFC 7748). So far only mbedtls_ecp_mul() and ECDH primitive functions (mbedtls_ecdh_gen_public(), mbedtls_ecdh_compute_shared()) are supported for now. Contributed by Nicholas Wilson.

API Changes

Mbed TLS 2.9.0 maintains source code and binary compatibility with the last minor version, Mbed TLS 2.8.0, but extends the interface with additional capabilities.

• (2.9) Extended the API with the function of mbedtls_net_poll() to allow user applications to wait for a network context to become ready before reading or writing.
• (2.9) Added the function mbedtls_ssl_check_pending() to the public API to allow a check for whether more more data is pending to be processed in the internal message buffers. This function is necessary to determine the underlying transport when event-driven IO is used.

Bugfix

• (2.9, 2.7) Fixed a spurious uninitialized variable warning in cmac.c. Fix independently contributed by Brian J Murray and David Brown.
• (2.9, 2.7, 2.1) Added missing dependencies in test suites that led to build failures in configurations that omit certain hashes or public-key algorithms. Fixes #1040.
• (2.9, 2.7) Fixed a C89 incompatibility issue in benchmark.c. Contributed by Brendan Shanks. Fixes #1353.
• (2.9, 2.7, 2.1) Added missing dependencies for MBEDTLS_HAVE_TIME_DATE and MBEDTLS_VERSION_FEATURES in some test suites. Contributed by Deomid Ryabkov. Fixes #1299, #1475.
• (2.9, 2.7, 2.1) Fixed the Makefile build process for building shared libraries on Mac OS X. Fixed by mnacamura.
• (2.9, 2.7, 2.1) Fixed parsing of PKCS#8 encoded Elliptic Curve keys. Previously Mbed TLS was unable to parse keys which had only the optional parameters field of the ECPrivateKey structure. Found by Jethro Beekman, fixed in #1379.
• (2.9, 2.7, 2.1) Added an optimisation to return the plaintext data more quickly on unpadded CBC decryption, as stated in the mbedtls_cipher_update() documentation. Contributed by Andy Leiserson.
• (2.9, 2.7, 2.1) Fixed the overriding and ignoring of return values when parsing and writing to a file in the pk_sign program. Found by kevlut in #1142.
• (2.9) Added restrictions to the usage of the error code MBEDTLS_ERR_SSL_WANT_READ to situations where data needs to be fetched from the underlying transport in order to make progress. Previously, this error code was also occasionally returned when unexpected messages were being discarded, ignoring that further messages could potentially already be pending to be processed in the internal buffers; these cases led to deadlocks when event-driven I/O was used. Found and reported by Hubert Mis in #772.
• (2.9, 2.7, 2.1) Fixed buffer length assertions in the ssl_parse_certificate_request() function which led to a potential one byte overread of the message buffer.
• (2.9, 2.7, 2.1) Fixed invalid buffer sizes being passed to zlib during record compression and decompression.
• (2.9) Raised the soversion of libmbedcrypto to match the soversion of the maintained 2.7 branch. The soversion was increased in Mbed TLS version 2.7.1 to reflect breaking changes in that release, but the increment was missed in 2.8.0 and later releases outside of the 2.7 branch.

Changes

• (2.9) Removed some redundant code in bignum.c. Contributed by Alexey Skalozub.
• (2.9, 2.7) Added support for cmake builds where Mbed TLS is a subproject. Fix contributed independently by Matthieu Volat and Arne Schwabe.
• (2.9, 2.7, 2.1) Improved the testing of configurations that omit certain hashes or public-key algorithms. Includes contributions by Gert van Dijk.
• (2.9, 2.7, 2.1) Improved negative testing of X.509 parsing.
• (2.9, 2.7, 2.1) Does not define global mutexes for readdir() and gmtime() in configurations where the feature is disabled. Found and fixed by Gergely Budai.
• (2.9) Hardened the function mbedtls_ssl_config_free() against misuse, so that it doesn't leak memory if the user doesn't use mbedtls_ssl_conf_psk() and instead incorrectly manipulates the configuration structure directly. Found and fix submitted by junyeonLEE in #1220.
• (2.9, 2.7, 2.1) Provided an empty implementation of mbedtls_pkcs5_pbes2() when MBEDTLS_ASN1_PARSE_C is not enabled. This allows the use of PBKDF2 without PBES2. Fixed by Marcos Del Sol Vives.
• (2.9) Added the order of the base point as N in the mbedtls_ecp_group structure for Curve25519, which other curves already had. Contributed by Nicholas Wilson #481.
• (2.9, 2.7, 2.1) Improved the documentation of mbedtls_net_accept(). Contributed by Ivan Krylov.
• (2.9, 2.7, 2.1) Improved the documentation of mbedtls_ssl_write(). Suggested by Paul Sokolovsky in #1356.
• (2.9, 2.7, 2.1) Added an option in the Makefile to support ar utilities where the operation letter must not be prefixed by '-', such as LLVM. Found and fixed by Alex Hixon.
• (2.9, 2.7, 2.1) Added the ability to allow configuration of the shared library extension by setting the DLEXT environment variable when using the project makefiles.
• (2.9) Optimized unnecessary zeroing in mbedtls_mpi_copy(). Based on a contribution by Alexey Skalozub in #405.
• (2.9, 2.7, 2.1) Changed the SSL module, such that when f_send, f_recv or f_recv_timeout report transmitting more than the required length, they now return an error. Raised by Sam O'Connor in #1245.
• (2.9, 2.7, 2.1) Improved the robustness of mbedtls_ssl_derive_keys() against the use of HMAC functions with non-HMAC ciphersuites. Independently contributed by Jiayuan Chen. Fixes #1437.
• (2.9) Improved security of RSA key generation by including criteria from FIPS 186-4. Contributed by Jethro Beekman. #1380
• (2.9) Added declaration of functions in header files even when an alternative implementation of the corresponding module uses an MBEDTLS_..._ALT macro. This means that alternative implementations no longer need to copy the declarations, and ensures that they will have the same API.
• (2.9) Added platform setup and teardown calls in test suites, for consistency, and to allow the test suites to work on platforms with cryptographic acceleration.