Mbed TLS 3.4.0

@paul-elliott-arm paul-elliott-arm released this 28 Mar 12:50
1873d3b

Description

This release of Mbed TLS provides new features, bug fixes and minor enhancements. This release includes fixes for security issues.

Security Advisories

There are no security advisories for this release.

Release Notes

Default behavior changes

  • The default priority order of TLS 1.3 cipher suites has been modified to
    follow the same rules as the TLS 1.2 cipher suites (see
    ssl_ciphersuites.c). The preferred cipher suite is now
    TLS_CHACHA20_POLY1305_SHA256.

New deprecations

  • mbedtls_x509write_crt_set_serial() is now being deprecated in favor of
    mbedtls_x509write_crt_set_serial_raw(). The goal here is to remove any
    direct dependency of X509 on BIGNUM_C.
  • PSA to mbedtls error translation is now unified in psa_util.h,
    deprecating mbedtls_md_error_from_psa. Each file that performs error
    translation should define its own version of PSA_TO_MBEDTLS_ERR,
    optionally providing file-specific error pairs. Please see psa_util.h for
    more details.

Features

  • Added partial support for parsing the PKCS #7 Cryptographic Message
    Syntax, as defined in RFC 2315. Currently, support is limited to the
    following:
    • Only the signed-data content type, version 1 is supported.
    • Only DER encoding is supported.
    • Only a single digest algorithm per message is supported.
    • Certificates must be in X.509 format. A message must have either 0
      or 1 certificates.
    • There is no support for certificate revocation lists.
    • The authenticated and unauthenticated attribute fields of SignerInfo
      must be empty.
    Many thanks to Daniel Axtens, Nayna Jain, and Nick Child from IBM for
    contributing this feature, and to Demi-Marie Obenour for contributing
    various improvements, tests and bug fixes.
  • General performance improvements by accessing multiple bytes at a time.
    Fixes #1666.
  • Improvements to use of unaligned and byte-swapped memory, reducing code
    size and improving performance (depending on compiler and target
    architecture).
  • Add support for reading points in compressed format
    (MBEDTLS_ECP_PF_COMPRESSED) with mbedtls_ecp_point_read_binary()
    (and callers) for Short Weierstrass curves with prime p where p = 3 mod 4
    (all mbedtls MBEDTLS_ECP_DP_SECP* and MBEDTLS_ECP_DP_BP* curves
    except MBEDTLS_ECP_DP_SECP224R1 and MBEDTLS_ECP_DP_SECP224K1).
  • SHA224_C/SHA384_C are now independent from SHA256_C/SHA512_C respectively.
    This helps in saving code size when some of the above hashes are not
    required.
  • Add parsing of V3 extensions (key usage, Netscape cert-type,
    Subject Alternative Names) in x509 Certificate Sign Requests.
  • Use HOSTCC (if it is set) when compiling C code during generation of the
    configuration-independent files. This allows them to be generated when
    CC is set for cross compilation.
  • Add parsing of uniformResourceIdentifier subtype for subjectAltName
    extension in x509 certificates.
  • Add an interruptible version of sign and verify hash to the PSA interface,
    backed by internal library support for ECDSA signing and verification.
  • Add parsing of rfc822Name subtype for subjectAltName
    extension in x509 certificates.
  • The configuration macros MBEDTLS_PSA_CRYPTO_PLATFORM_FILE and
    MBEDTLS_PSA_CRYPTO_STRUCT_FILE specify alternative locations for
    the headers "psa/crypto_platform.h" and "psa/crypto_struct.h".
  • When a PSA driver for ECDSA is present, it is now possible to disable
    MBEDTLS_ECDSA_C in the build in order to save code size. For PK, X.509
    and TLS to fully work, this requires MBEDTLS_USE_PSA_CRYPTO to be enabled.
    Restartable/interruptible ECDSA operations in PK, X.509 and TLS are not
    supported in those builds yet, as driver support for interruptible ECDSA
    operations is not present yet.
  • Add a driver dispatch layer for EC J-PAKE, enabling alternative
    implementations of EC J-PAKE through the driver entry points.
  • Add new API mbedtls_ssl_cache_remove for cache entry removal by
    its session id.
  • Add support to include the SubjectAltName extension to a CSR.
  • Add support for AES with the Armv8-A Cryptographic Extension on
    64-bit Arm. A new configuration option, MBEDTLS_AESCE_C, can
    be used to enable this feature. Run-time detection is supported
    under Linux only.
  • When a PSA driver for EC J-PAKE is present, it is now possible to disable
    MBEDTLS_ECJPAKE_C in the build in order to save code size. For the
    corresponding TLS 1.2 key exchange to work, MBEDTLS_USE_PSA_CRYPTO needs
    to be enabled.
  • Add functions mbedtls_rsa_get_padding_mode() and mbedtls_rsa_get_md_alg()
    to read non-public fields for padding mode and hash id from
    an mbedtls_rsa_context, as requested in #6917.
  • AES-NI is now supported with Visual Studio.
  • AES-NI is now supported in 32-bit builds, or when MBEDTLS_HAVE_ASM
    is disabled, when compiling with GCC or Clang or a compatible compiler
    for a target CPU that supports the requisite instructions (for example
    gcc -m32 -msse2 -maes -mpclmul). (Generic x86 builds with GCC-like
    compilers still require MBEDTLS_HAVE_ASM and a 64-bit target.)
  • It is now possible to use a PSA-held (opaque) password with the TLS 1.2
    ECJPAKE key exchange, using the new API function
    mbedtls_ssl_set_hs_ecjpake_password_opaque().
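
The compressed-point feature above is limited to primes with p = 3 mod 4 because only then can y be recovered with the single exponentiation (p+1)/4. The following is an added example, not Mbed TLS code: it decodes a SEC1 compressed point on a constructed toy curve (the TOY_* parameters and toy_read_compressed() are hypothetical names) and shows the check that rejects an X with no matching point.

```c
#include <stddef.h>
#include <stdint.h>

/* Toy short Weierstrass curve y^2 = x^3 + A*x + B over F_P. Constructed
 * parameters for illustration only; P = 23 satisfies P mod 4 == 3. */
#define TOY_P 23u
#define TOY_A 1u
#define TOY_B 1u

static uint32_t mod_pow(uint32_t base, uint32_t exp, uint32_t m)
{
    uint64_t result = 1, b = base % m;
    for (; exp > 0; exp >>= 1) {
        if (exp & 1)
            result = result * b % m;
        b = b * b % m;
    }
    return (uint32_t) result;
}

/* Parse a SEC1 compressed point: 0x02 (even y) or 0x03 (odd y), then X.
 * Returns 0 and fills x/y, or -1 if the encoding is not a curve point. */
int toy_read_compressed(const unsigned char *buf, size_t len,
                        uint32_t *x, uint32_t *y)
{
    if (len != 2 || (buf[0] != 0x02 && buf[0] != 0x03) || buf[1] >= TOY_P)
        return -1;
    uint32_t px = buf[1];
    uint32_t rhs = (px * px % TOY_P * px + TOY_A * px + TOY_B) % TOY_P;
    /* For P = 3 mod 4, rhs^((P+1)/4) is a square root of rhs if one exists. */
    uint32_t root = mod_pow(rhs, (TOY_P + 1) / 4, TOY_P);
    /* Square it back: for a non-residue rhs the result is not a root. */
    if (root * root % TOY_P != rhs)
        return -1;
    /* Select the root whose parity matches the prefix byte. */
    if ((root & 1) != (uint32_t) (buf[0] & 1))
        root = (TOY_P - root) % TOY_P;
    if ((root & 1) != (uint32_t) (buf[0] & 1))
        return -1;                  /* y = 0 has only the even encoding */
    *x = px;
    *y = root;
    return 0;
}
```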

Security

  • Use platform-provided secure zeroization function where possible, such as
    explicit_bzero().
  • Zeroize SSL cache entries when they are freed.
  • Fix a potential heap buffer overread in TLS 1.3 client-side when
    MBEDTLS_DEBUG_C is enabled. This may result in an application crash.
  • Add support for AES with the Armv8-A Cryptographic Extension on 64-bit
    Arm, so that these systems are no longer vulnerable to timing side-channel
    attacks. This is configured by MBEDTLS_AESCE_C, which is on by default.
    Reported by Demi Marie Obenour.
  • MBEDTLS_AESNI_C, which is enabled by default, was silently ignored on
    builds that couldn't compile the GCC-style assembly implementation
    (most notably builds with Visual Studio), leaving them vulnerable to
    timing side-channel attacks. There is now an intrinsics-based AES-NI
    implementation as a fallback for when the assembly one cannot be used.

Bugfix

  • Fix possible integer overflow in mbedtls_timing_hardclock(), which
    could cause a crash in programs/test/benchmark.
  • Fix IAR compiler warnings. Fixes #6924.
  • Fix a bug in the build where directory names containing spaces were
    causing generate_errors.pl to error out resulting in a build failure.
    Fixes issue #6879.
  • In TLS 1.3, when using a ticket for session resumption, tweak its age
    calculation on the client side. This prevents a server with more accurate
    ticket timestamps (typically timestamps in milliseconds) than the
    Mbed TLS ticket timestamps (in seconds) from computing a ticket age
    smaller than the age computed and transmitted by the client and thus
    potentially rejecting the ticket. Fixes #6623.
  • Fix compile error where MBEDTLS_RSA_C and MBEDTLS_X509_CRT_WRITE_C are
    defined, but MBEDTLS_PK_RSA_ALT_SUPPORT is not defined. Fixes #3174.
  • List PSA_WANT_ALG_CCM_STAR_NO_TAG in psa/crypto_config.h so that it can
    be toggled with config.py.
  • The key derivation algorithm PSA_ALG_TLS12_ECJPAKE_TO_PMS cannot be
    used on a shared secret from a key agreement since its input must be
    an ECC public key. Reject this properly.
  • mbedtls_x509write_crt_set_serial() now explicitly rejects serial numbers
    whose binary representation is longer than 20 bytes. This was already
    forbidden by the standard (RFC5280 - section 4.1.2.2) and now it's being
    enforced also at code level.
  • Fix potential undefined behavior in mbedtls_mpi_sub_abs(). Reported by
    Pascal Cuoq using TrustInSoft Analyzer in #6701; observed independently by
    Aaron Ucko under Valgrind.
  • Fix behavior of certain sample programs which could, when run with no
    arguments, access uninitialized memory in some cases. Fixes #6700 (which
    was found by TrustInSoft Analyzer during REDOCS'22) and #1120.
  • Fix parsing of X.509 SubjectAlternativeName extension. Previously,
    malformed alternative name components were not caught during initial
    certificate parsing, but only on subsequent calls to
    mbedtls_x509_parse_subject_alt_name(). Fixes #2838.
  • Make the fields of mbedtls_pk_rsassa_pss_options public. This makes it
    possible to verify RSA PSS signatures with the pk module, which was
    inadvertently broken since Mbed TLS 3.0.
  • Fix bug in conversion from OID to string in
    mbedtls_oid_get_numeric_string(). OIDs such as 2.40.0.25 are now printed
    correctly.
  • Reject OIDs with overlong-encoded subidentifiers when converting
    them to a string.
  • Reject OIDs with subidentifier values exceeding UINT_MAX. Such
    subidentifiers can be valid, but Mbed TLS cannot currently handle them.
  • Reject OIDs that have unterminated subidentifiers, or (equivalently)
    have the most-significant bit set in their last byte.
  • Silence warnings from clang -Wdocumentation about empty \retval
    descriptions, which started appearing with Clang 15. Fixes #6960.
  • Fix the handling of renegotiation attempts in TLS 1.3. They are now
    systematically rejected.
  • Fix an unused-variable warning in TLS 1.3-only builds if
    MBEDTLS_SSL_RENEGOTIATION was enabled. Fixes #6200.
  • Fix undefined behavior in mbedtls_ssl_read() and mbedtls_ssl_write() if
    len argument is 0 and buffer is NULL.
  • Allow setting user and peer identifiers for EC J-PAKE operation
    instead of role in PAKE PSA Crypto API as described in the specification.
    This is a partial fix that allows only "client" and "server" identifiers.
  • Fix a compilation error when PSA Crypto is built with support for
    TLS12_PRF but not TLS12_PSK_TO_MS. Reported by joerchan in #7125.
  • In the TLS 1.3 server, select the preferred client cipher suite, not the
    least preferred. The selection error was introduced in Mbed TLS 3.3.0.
  • Fix TLS 1.3 session resumption when the established pre-shared key is
    384 bits long. That is the length of pre-shared keys created under a
    session where the cipher suite is TLS_AES_256_GCM_SHA384.
  • Fix an issue when compiling with MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT
    enabled, which required specifying compiler flags enabling SHA3 Crypto
    Extensions, where some compilers would emit EOR3 instructions in other
    modules, which would then fail if run on a CPU without the SHA3
    extensions. Fixes #5758.
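
The four OID-to-string fixes listed above (correct printing of 2.40.0.25, and rejection of overlong, oversized and unterminated subidentifiers) correspond to four checks in a decoder. The following is an added example, not code from Mbed TLS; oid_to_string() is a hypothetical name and the sample bytes are constructed.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Added illustration, not Mbed TLS source: convert the content octets of a DER
 * OBJECT IDENTIFIER to dotted decimal. Returns the length written, or -1. */
int oid_to_string(const unsigned char *der, size_t der_len,
                  char *out, size_t out_size)
{
    size_t used = 0;
    unsigned int value = 0;
    int first = 1, in_subid = 0, n;
    if (der_len == 0 || out_size == 0)
        return -1;
    for (size_t i = 0; i < der_len; i++) {
        /* Overlong encoding: a subidentifier must not start with 0x80. */
        if (!in_subid && der[i] == 0x80)
            return -1;
        /* Appending 7 more bits must not push the value past UINT_MAX. */
        if (value > (UINT_MAX >> 7))
            return -1;
        value = (value << 7) | (der[i] & 0x7F);
        in_subid = (der[i] & 0x80) != 0;
        if (in_subid)
            continue;               /* continuation bit set: more octets */
        if (first) {
            /* First subidentifier is 40*X + Y with X in {0,1,2}; only X == 2
             * permits Y >= 40, so value / 40 alone gives the wrong arcs. */
            unsigned int x = value < 40 ? 0 : value < 80 ? 1 : 2;
            n = snprintf(out + used, out_size - used, "%u.%u", x, value - 40 * x);
            first = 0;
        } else {
            n = snprintf(out + used, out_size - used, ".%u", value);
        }
        if (n < 0 || (size_t) n >= out_size - used)
            return -1;              /* output buffer too small */
        used += (size_t) n;
        value = 0;
    }
    /* Top bit set in the last octet: unterminated subidentifier. */
    return in_subid ? -1 : (int) used;
}

int main(void)
{
    const unsigned char oid[] = { 0x78, 0x00, 0x19 };   /* constructed sample */
    char buf[64];
    int len = oid_to_string(oid, sizeof(oid), buf, sizeof(buf));
    return (len == 9 && strcmp(buf, "2.40.0.25") == 0) ? 0 : 1;
}
```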

Changes

  • Install the .cmake files into CMAKE_INSTALL_LIBDIR/cmake/MbedTLS,
    typically /usr/lib/cmake/MbedTLS.
  • Mixed-endian systems are explicitly not supported any more.
  • When MBEDTLS_USE_PSA_CRYPTO and MBEDTLS_ECDSA_DETERMINISTIC are both
    defined, mbedtls_pk_sign() now uses deterministic ECDSA for ECDSA
    signatures. This aligns the behaviour with MBEDTLS_USE_PSA_CRYPTO to
    the behaviour without it, where deterministic ECDSA was already used.
  • Visual Studio: Rename the directory containing Visual Studio files from
    visualc/VS2010 to visualc/VS2013 as we do not support building with versions
    older than 2013. Update the solution file to specify VS2013 as a minimum.
  • programs/x509/cert_write:
    • now it accepts the serial number in 2 different formats: decimal and
      hex. They cannot be used simultaneously.
    • "serial" is used for the decimal format and it's limited in size to
      unsigned long long int
    • "serial_hex" is used for the hex format; max length here is
      MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN*2
  • The C code follows a new coding style. This is transparent for users but
    affects contributors and maintainers of local patches. For more
    information, see
    https://mbed-tls.readthedocs.io/en/latest/kb/how-to/rewrite-branch-for-coding-style/
  • Changed the default MBEDTLS_ECP_WINDOW_SIZE from 6 to 2.
    As tested in issue 6790, the correlation between this define and
    RSA decryption performance has changed lately due to security fixes.
    To fix the performance degradation when using default values the
    window was reduced from 6 to 2, a value that gives the best or close
    to best results when tested on Cortex-M4 and Intel i7.
  • When enabling MBEDTLS_SHA256_USE_A64_CRYPTO_* or
    MBEDTLS_SHA512_USE_A64_CRYPTO_*, it is no longer necessary to specify
    compiler target flags on the command line; the library now sets target
    options within the appropriate modules.

Who should update

We recommend that all users update to take advantage of the bug fixes contained in this release at an appropriate point in their development lifecycle.

Checksum

The SHA256 hashes for the archives are:

1b899f355022e8d02c4d313196a0a16af86c5a692456fa99d302915b8cf0320a mbedtls-3.4.0.tar.gz
9969088c86eb89f6f0a131e699c46ff57058288410f2087bd0d308f65e9fccb5 mbedtls-3.4.0.zip