Description

This release of Mbed TLS provides new features, bug fixes and minor enhancements. This release includes fixes for security issues.

Security Advisories

There are no security advisories for this release.

Release Notes

Default behavior changes

• The default priority order of TLS 1.3 cipher suites has been modified to follow the same rules as the TLS 1.2 cipher suites (see ssl_ciphersuites.c). The preferred cipher suite is now TLS_CHACHA20_POLY1305_SHA256.

New deprecations

• mbedtls_x509write_crt_set_serial() is now being deprecated in favor of mbedtls_x509write_crt_set_serial_raw(). The goal here is to remove any direct dependency of X509 on BIGNUM_C.
• PSA to mbedtls error translation is now unified in psa_util.h, deprecating mbedtls_md_error_from_psa. Each file that performs error translation should define its own version of PSA_TO_MBEDTLS_ERR, optionally providing file-specific error pairs. Please see psa_util.h for more details.

Features

• Added partial support for parsing the PKCS #7 Cryptographic Message Syntax, as defined in RFC 2315. Currently, support is limited to the following:
  • Only the signed-data content type, version 1 is supported.
  • Only DER encoding is supported.
  • Only a single digest algorithm per message is supported.
  • Certificates must be in X.509 format. A message must have either 0 or 1 certificates.
  • There is no support for certificate revocation lists.
  • The authenticated and unauthenticated attribute fields of SignerInfo must be empty. Many thanks to Daniel Axtens, Nayna Jain, and Nick Child from IBM for contributing this feature, and to Demi-Marie Obenour for contributing various improvements, tests and bug fixes.
• General performance improvements by accessing multiple bytes at a time. Fixes #1666.
• Improvements to use of unaligned and byte-swapped memory, reducing code size and improving performance (depending on compiler and target architecture).
• Add support for reading points in compressed format (MBEDTLS_ECP_PF_COMPRESSED) with mbedtls_ecp_point_read_binary() (and callers) for Short Weierstrass curves with prime p where p = 3 mod 4 (all mbedtls MBEDTLS_ECP_DP_SECP* and MBEDTLS_ECP_DP_BP* curves except MBEDTLS_ECP_DP_SECP224R1 and MBEDTLS_ECP_DP_SECP224K1)
• SHA224_C/SHA384_C are now independent from SHA384_C/SHA512_C respectively. This helps in saving code size when some of the above hashes are not required.
• Add parsing of V3 extensions (key usage, Netscape cert-type, Subject Alternative Names) in x509 Certificate Sign Requests.
• Use HOSTCC (if it is set) when compiling C code during generation of the configuration-independent files. This allows them to be generated when CC is set for cross compilation.
• Add parsing of uniformResourceIdentifier subtype for subjectAltName extension in x509 certificates.
• Add an interruptible version of sign and verify hash to the PSA interface, backed by internal library support for ECDSA signing and verification.
• Add parsing of rfc822Name subtype for subjectAltName extension in x509 certificates.
• The configuration macros MBEDTLS_PSA_CRYPTO_PLATFORM_FILE and MBEDTLS_PSA_CRYPTO_STRUCT_FILE specify alternative locations for the headers "psa/crypto_platform.h" and "psa/crypto_struct.h".
• When a PSA driver for ECDSA is present, it is now possible to disable MBEDTLS_ECDSA_C in the build in order to save code size. For PK, X.509 and TLS to fully work, this requires MBEDTLS_USE_PSA_CRYPTO to be enabled. Restartable/interruptible ECDSA operations in PK, X.509 and TLS are not supported in those builds yet, as driver support for interruptible ECDSA operations is not present yet.
• Add a driver dispatch layer for EC J-PAKE, enabling alternative implementations of EC J-PAKE through the driver entry points.
• Add new API mbedtls_ssl_cache_remove for cache entry removal by its session id.
• Add support to include the SubjectAltName extension to a CSR.
• Add support for AES with the Armv8-A Cryptographic Extension on 64-bit Arm. A new configuration option, MBEDTLS_AESCE_C, can be used to enable this feature. Run-time detection is supported under Linux only.
• When a PSA driver for EC J-PAKE is present, it is now possible to disable MBEDTLS_ECJPAKE_C in the build in order to save code size. For the corresponding TLS 1.2 key exchange to work, MBEDTLS_USE_PSA_CRYPTO needs to be enabled.
• Add functions mbedtls_rsa_get_padding_mode() and mbedtls_rsa_get_md_alg() to read non-public fields for padding mode and hash id from an mbedtls_rsa_context, as requested in #6917.
• AES-NI is now supported with Visual Studio.
• AES-NI is now supported in 32-bit builds, or when MBEDTLS_HAVE_ASM is disabled, when compiling with GCC or Clang or a compatible compiler for a target CPU that supports the requisite instructions (for example gcc -m32 -msse2 -maes -mpclmul). (Generic x86 builds with GCC-like compilers still require MBEDTLS_HAVE_ASM and a 64-bit target.)
• It is now possible to use a PSA-held (opaque) password with the TLS 1.2 ECJPAKE key exchange, using the new API function mbedtls_ssl_set_hs_ecjpake_password_opaque().

Security

• Use platform-provided secure zeroization function where possible, such as explicit_bzero().
• Zeroize SSL cache entries when they are freed.
• Fix a potential heap buffer overread in TLS 1.3 client-side when MBEDTLS_DEBUG_C is enabled. This may result in an application crash.
• Add support for AES with the Armv8-A Cryptographic Extension on 64-bit Arm, so that these systems are no longer vulnerable to timing side-channel attacks. This is configured by MBEDTLS_AESCE_C, which is on by default. Reported by Demi Marie Obenour.
• MBEDTLS_AESNI_C, which is enabled by default, was silently ignored on builds that couldn't compile the GCC-style assembly implementation (most notably builds with Visual Studio), leaving them vulnerable to timing side-channel attacks. There is now an intrinsics-based AES-NI implementation as a fallback for when the assembly one cannot be used.

Bugfix

• Fix possible integer overflow in mbedtls_timing_hardclock(), which could cause a crash in programs/test/benchmark.
• Fix IAR compiler warnings. Fixes #6924.
• Fix a bug in the build where directory names containing spaces were causing generate_errors.pl to error out resulting in a build failure. Fixes issue #6879.
• In TLS 1.3, when using a ticket for session resumption, tweak its age calculation on the client side. It prevents a server with more accurate ticket timestamps (typically timestamps in milliseconds) compared to the Mbed TLS ticket timestamps (in seconds) to compute a ticket age smaller than the age computed and transmitted by the client and thus potentially reject the ticket. Fix #6623.
• Fix compile error where MBEDTLS_RSA_C and MBEDTLS_X509_CRT_WRITE_C are defined, but MBEDTLS_PK_RSA_ALT_SUPPORT is not defined. Fixes #3174.
• List PSA_WANT_ALG_CCM_STAR_NO_TAG in psa/crypto_config.h so that it can be toggled with config.py.
• The key derivation algorithm PSA_ALG_TLS12_ECJPAKE_TO_PMS cannot be used on a shared secret from a key agreement since its input must be an ECC public key. Reject this properly.
• mbedtls_x509write_crt_set_serial() now explicitly rejects serial numbers whose binary representation is longer than 20 bytes. This was already forbidden by the standard (RFC5280 - section 4.1.2.2) and now it's being enforced also at code level.
• Fix potential undefined behavior in mbedtls_mpi_sub_abs(). Reported by Pascal Cuoq using TrustInSoft Analyzer in #6701; observed independently by Aaron Ucko under Valgrind.
• Fix behavior of certain sample programs which could, when run with no arguments, access uninitialized memory in some cases. Fixes #6700 (which was found by TrustInSoft Analyzer during REDOCS'22) and #1120.
• Fix parsing of X.509 SubjectAlternativeName extension. Previously, malformed alternative name components were not caught during initial certificate parsing, but only on subsequent calls to mbedtls_x509_parse_subject_alt_name(). Fixes #2838.
• Make the fields of mbedtls_pk_rsassa_pss_options public. This makes it possible to verify RSA PSS signatures with the pk module, which was inadvertently broken since Mbed TLS 3.0.
• Fix bug in conversion from OID to string in mbedtls_oid_get_numeric_string(). OIDs such as 2.40.0.25 are now printed correctly.
• Reject OIDs with overlong-encoded subidentifiers when converting them to a string.
• Reject OIDs with subidentifier values exceeding UINT_MAX. Such subidentifiers can be valid, but Mbed TLS cannot currently handle them.
• Reject OIDs that have unterminated subidentifiers, or (equivalently) have the most-significant bit set in their last byte.
• Silence warnings from clang -Wdocumentation about empty \retval descriptions, which started appearing with Clang 15. Fixes #6960.
• Fix the handling of renegotiation attempts in TLS 1.3. They are now systematically rejected.
• Fix an unused-variable warning in TLS 1.3-only builds if MBEDTLS_SSL_RENEGOTIATION was enabled. Fixes #6200.
• Fix undefined behavior in mbedtls_ssl_read() and mbedtls_ssl_write() if len argument is 0 and buffer is NULL.
• Allow setting user and peer identifiers for EC J-PAKE operation instead of role in PAKE PSA Crypto API as described in the specification. This is a partial fix that allows only "client" and "server" identifiers.
• Fix a compilation error when PSA Crypto is built with support for TLS12_PRF but not TLS12_PSK_TO_MS. Reported by joerchan in #7125.
• In the TLS 1.3 server, select the preferred client cipher suite, not the least preferred. The selection error was introduced in Mbed TLS 3.3.0.
• Fix TLS 1.3 session resumption when the established pre-shared key is 384 bits long. That is the length of pre-shared keys created under a session where the cipher suite is TLS_AES_256_GCM_SHA384.
• Fix an issue when compiling with MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT enabled, which required specifying compiler flags enabling SHA3 Crypto Extensions, where some compilers would emit EOR3 instructions in other modules, which would then fail if run on a CPU without the SHA3 extensions. Fixes #5758.

Changes

• Install the .cmake files into CMAKE_INSTALL_LIBDIR/cmake/MbedTLS, typically /usr/lib/cmake/MbedTLS.
• Mixed-endian systems are explicitly not supported any more.
• When MBEDTLS_USE_PSA_CRYPTO and MBEDTLS_ECDSA_DETERMINISTIC are both defined, mbedtls_pk_sign() now use deterministic ECDSA for ECDSA signatures. This aligns the behaviour with MBEDTLS_USE_PSA_CRYPTO to the behaviour without it, where deterministic ECDSA was already used.
• Visual Studio: Rename the directory containing Visual Studio files from visualc/VS2010 to visualc/VS2013 as we do not support building with versions older than 2013. Update the solution file to specify VS2013 as a minimum.
• programs/x509/cert_write:
  • now it accepts the serial number in 2 different formats: decimal and hex. They cannot be used simultaneously
  • "serial" is used for the decimal format and it's limted in size to unsigned long long int
  • "serial_hex" is used for the hex format; max length here is MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN*2
• The C code follows a new coding style. This is transparent for users but affects contributors and maintainers of local patches. For more information, see https://mbed-tls.readthedocs.io/en/latest/kb/how-to/rewrite-branch-for-coding-style/
• Changed the default MBEDTLS_ECP_WINDOW_SIZE from 6 to 2. As tested in issue 6790, the correlation between this define and RSA decryption performance has changed lately due to security fixes. To fix the performance degradation when using default values the window was reduced from 6 to 2, a value that gives the best or close to best results when tested on Cortex-M4 and Intel i7.
• When enabling MBEDTLS_SHA256_USE_A64_CRYPTO_* or MBEDTLS_SHA512_USE_A64_CRYPTO_*, it is no longer necessary to specify compiler target flags on the command line; the library now sets target options within the appropriate modules.

Who should update

We recommend all users should update to take advantage of the bug fixes contained in this release at an appropriate point in their development lifecycle.

Checksum

The SHA256 hashes for the archives are:

1b899f355022e8d02c4d313196a0a16af86c5a692456fa99d302915b8cf0320a mbedtls-3.4.0.tar.gz 9969088c86eb89f6f0a131e699c46ff57058288410f2087bd0d308f65e9fccb5 mbedtls-3.4.0.zip