Merge pull request #534 from sbutcher-arm/version-2.1.16
Bump Mbed TLS Version to 2.1.16
diff --git a/ChangeLog b/ChangeLog
index a3e9cf8..3500ffe 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,30 +1,30 @@
mbed TLS ChangeLog (Sorted per branch, date)
-= mbed TLS x.x.x branch released xxxx-xx-xx
+= mbed TLS 2.1.16 branch released 2018-11-19
Security
* Fix overly strict DN comparison when looking for CRLs belonging to a
- particular CA. This previously lead to ignoring CRLs when the CRL's issuer
+ particular CA. This previously led to ignoring CRLs when the CRL's issuer
name and the CA's subject name differed in their string encoding (e.g.,
one using PrintableString and the other UTF8String) or in the choice of
upper and lower case. Reported by Henrik Andersson of Bosch GmbH in issue
#1784.
+ * Fix a flawed bounds check in server PSK hint parsing. In case the
+ incoming message buffer was placed within the first 64KiB of address
+ space and a PSK-(EC)DHE ciphersuite was used, this allowed an attacker
+ to trigger a memory access up to 64KiB beyond the incoming message buffer,
+ potentially leading to application crash or information disclosure.
* Fix mbedtls_mpi_is_prime() to use more rounds of probabilistic testing. The
previous settings for the number of rounds made it practical for an
adversary to construct non-primes that would be erroneously accepted as
primes with high probability. This does not have an impact on the
- security of TLS, but can matter in other contexts with potentially
- adversarially-chosen numbers that should be prime and can be validated.
+ security of TLS, but can matter in other contexts with numbers chosen
+ potentially by an adversary that should be prime and can be validated.
For example, the number of rounds was enough to securely generate RSA key
pairs or Diffie-Hellman parameters, but was insufficient to validate
Diffie-Hellman parameters properly.
See "Prime and Prejudice" by by Martin R. Albrecht and Jake Massimo and
Kenneth G. Paterson and Juraj Somorovsky.
- * Fix a flawed bounds check in server PSK hint parsing. In case the
- incoming message buffer was placed within the first 64KB of address
- space and a PSK-(EC)DHE ciphersuite was used, this allowed an attacker
- to trigger a memory access up to 64KB beyond the incoming message buffer,
- potentially leading to application crash or information disclosure.
Bugfix
* Fix failure in hmac_drbg in the benchmark sample application, when
@@ -34,7 +34,7 @@
* Fix potential build failures related to the 'apidoc' target, introduced
in the previous patch release. Found by Robert Scheck. #390 #391
* Fix a bug in the record decryption routine ssl_decrypt_buf()
- which lead to accepting properly authenticated but improperly
+ which led to accepting properly authenticated but improperly
padded records in case of CBC ciphersuites using Encrypt-then-MAC.
* Fix wrong order of freeing in programs/ssl/ssl_server2 example
application leading to a memory leak in case both
@@ -44,10 +44,6 @@
program programs/x509/cert_write. Fixes #1422.
* Ignore IV in mbedtls_cipher_set_iv() when the cipher mode is
MBEDTLS_MODE_ECB. Found by ezdevelop, Fixes #1091.
- * Fix failure in hmac_drbg in the benchmark sample application, when
- MBEDTLS_THREADING_C is defined. Found by TrinityTonic, #1095
- * Fix a bug in the update function for SSL ticket keys which previously
- invalidated keys of a lifetime of less than a 1s. Fixes #1968.
* Zeroize memory used for reassembling handshake messages after use.
* Use `mbedtls_zeroize()` instead of `memset()` for zeroization of
sensitive data in the example programs aescrypt2 and crypt_and_hash.
diff --git a/doxygen/input/doc_mainpage.h b/doxygen/input/doc_mainpage.h
index a44f02d..a4d68cc 100644
--- a/doxygen/input/doc_mainpage.h
+++ b/doxygen/input/doc_mainpage.h
@@ -21,7 +21,7 @@
*/
/**
- * @mainpage mbed TLS v2.1.15 source code documentation
+ * @mainpage mbed TLS v2.1.16 source code documentation
*
* This documentation describes the internal structure of mbed TLS. It was
* automatically generated from specially formatted comment blocks in
diff --git a/doxygen/mbedtls.doxyfile b/doxygen/mbedtls.doxyfile
index 381ff3a..73432b9 100644
--- a/doxygen/mbedtls.doxyfile
+++ b/doxygen/mbedtls.doxyfile
@@ -28,7 +28,7 @@
# identify the project. Note that if you do not use Doxywizard you need
# to put quotes around the project name if it contains spaces.
-PROJECT_NAME = "mbed TLS v2.1.15"
+PROJECT_NAME = "mbed TLS v2.1.16"
# The PROJECT_NUMBER tag can be used to enter a project or revision number.
# This could be handy for archiving the generated documentation or
diff --git a/include/mbedtls/version.h b/include/mbedtls/version.h
index 7d78ac4..393bc35 100644
--- a/include/mbedtls/version.h
+++ b/include/mbedtls/version.h
@@ -39,16 +39,16 @@
*/
#define MBEDTLS_VERSION_MAJOR 2
#define MBEDTLS_VERSION_MINOR 1
-#define MBEDTLS_VERSION_PATCH 15
+#define MBEDTLS_VERSION_PATCH 16
/**
* The single version number has the following structure:
* MMNNPP00
* Major version | Minor version | Patch version
*/
-#define MBEDTLS_VERSION_NUMBER 0x02010F00
-#define MBEDTLS_VERSION_STRING "2.1.15"
-#define MBEDTLS_VERSION_STRING_FULL "mbed TLS 2.1.15"
+#define MBEDTLS_VERSION_NUMBER 0x02011000
+#define MBEDTLS_VERSION_STRING "2.1.16"
+#define MBEDTLS_VERSION_STRING_FULL "mbed TLS 2.1.16"
#if defined(MBEDTLS_VERSION_C)
diff --git a/library/CMakeLists.txt b/library/CMakeLists.txt
index e5a9546..caef16d 100644
--- a/library/CMakeLists.txt
+++ b/library/CMakeLists.txt
@@ -138,15 +138,15 @@
if(USE_SHARED_MBEDTLS_LIBRARY)
add_library(mbedcrypto SHARED ${src_crypto})
- set_target_properties(mbedcrypto PROPERTIES VERSION 2.1.15 SOVERSION 0)
+ set_target_properties(mbedcrypto PROPERTIES VERSION 2.1.16 SOVERSION 0)
target_link_libraries(mbedcrypto ${libs})
add_library(mbedx509 SHARED ${src_x509})
- set_target_properties(mbedx509 PROPERTIES VERSION 2.1.15 SOVERSION 0)
+ set_target_properties(mbedx509 PROPERTIES VERSION 2.1.16 SOVERSION 0)
target_link_libraries(mbedx509 ${libs} mbedcrypto)
add_library(mbedtls SHARED ${src_tls})
- set_target_properties(mbedtls PROPERTIES VERSION 2.1.15 SOVERSION 10)
+ set_target_properties(mbedtls PROPERTIES VERSION 2.1.16 SOVERSION 10)
target_link_libraries(mbedtls ${libs} mbedx509)
install(TARGETS mbedtls mbedx509 mbedcrypto
diff --git a/tests/suites/test_suite_version.data b/tests/suites/test_suite_version.data
index 4db9f94..a8660fb 100644
--- a/tests/suites/test_suite_version.data
+++ b/tests/suites/test_suite_version.data
@@ -1,8 +1,8 @@
Check compiletime library version
-check_compiletime_version:"2.1.15"
+check_compiletime_version:"2.1.16"
Check runtime library version
-check_runtime_version:"2.1.15"
+check_runtime_version:"2.1.16"
Check for MBEDTLS_VERSION_C
check_feature:"MBEDTLS_VERSION_C":0
diff --git a/yotta/data/module.json b/yotta/data/module.json
index e9d2578..8e62441 100644
--- a/yotta/data/module.json
+++ b/yotta/data/module.json
@@ -1,6 +1,6 @@
{
"name": "mbedtls",
- "version": "2.1.15",
+ "version": "2.1.16",
"description": "The mbed TLS crypto/SSL/TLS library",
"licenses": [
{