Lines Matching +full:ipv4 +full:- +full:simple +full:- +full:service +full:- +full:config +full:- +full:txt +full:- +full:disabled

3 = mbed TLS 2.16.11 branch released 2021-07-07
6 * Fix a bias in the generation of finite-field Diffie-Hellman-Merkle (DHM)
21 performing a single private-key operation. Found and reported by
24 co-located process) could recover a Curve25519 or Curve448 static ECDH key
26 corresponding private-key operation. Found and reported by Leila Batina,
37 mbedtls_mpi_read_string() was called on "-0", or when
43 * In a TLS client, enforce the Diffie-Hellman minimum parameter size
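The client-side minimum-size check referred to above, written out as an added example for this page (illustrative code, not mbed TLS's implementation; mbed TLS exposes the policy through mbedtls_ssl_conf_dhm_min_bitlen()). It parses the ServerDHParams of a TLS 1.2 ServerKeyExchange from constructed bytes and shows why the bound has to be compared against the exact bit length of p rather than against 8 times its encoded length. The function names, return codes and toy-sized sample messages are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Skip leading zero bytes of a big-endian unsigned integer. */
static const uint8_t *be_strip(const uint8_t *b, size_t *len)
{
    while (*len > 0 && *b == 0) { b++; (*len)--; }
    return b;
}

/* Exact bit length: the two bytes 00 17 are 5 bits, not 16. */
static size_t be_bitlen(const uint8_t *b, size_t len)
{
    b = be_strip(b, &len);
    if (len == 0) return 0;
    size_t bits = (len - 1) * 8;
    for (uint8_t top = b[0]; top != 0; top >>= 1) bits++;
    return bits;
}

/* Three-way compare of two big-endian unsigned integers. */
static int be_cmp(const uint8_t *a, size_t alen, const uint8_t *b, size_t blen)
{
    a = be_strip(a, &alen);
    b = be_strip(b, &blen);
    if (alen != blen) return alen < blen ? -1 : 1;
    int r = memcmp(a, b, alen);
    return (r > 0) - (r < 0);
}

/* 1 if x < p - 1 for odd p, else 0. Since p is odd, p - 1 is p with its low
 * bit cleared, so "x == p - 1" needs no bignum subtraction. */
static int be_below_p_minus_1(const uint8_t *x, size_t xlen, const uint8_t *p, size_t plen)
{
    if (be_cmp(x, xlen, p, plen) >= 0) return 0;
    x = be_strip(x, &xlen);
    p = be_strip(p, &plen);
    if (xlen == plen && memcmp(x, p, plen - 1) == 0 && x[plen - 1] == (p[plen - 1] & 0xFE))
        return 0;
    return 1;
}

/* One opaque<1..2^16-1> field: 2-byte big-endian length, then the bytes. */
static int read_opaque16(const uint8_t *msg, size_t msg_len, size_t *pos,
                         const uint8_t **out, size_t *out_len)
{
    if (msg_len - *pos < 2) return -1;
    size_t n = ((size_t)msg[*pos] << 8) | msg[*pos + 1];
    *pos += 2;
    if (n == 0 || n > msg_len - *pos) return -1;
    *out = msg + *pos;
    *out_len = n;
    *pos += n;
    return 0;
}

/* Client-side policy check on ServerDHParams (RFC 5246 7.4.3: dh_p, dh_g, dh_Ys).
 * Returns 0 if acceptable, -1 malformed, -2 p unacceptable (too short or even),
 * -3 g or Ys outside [2, p-2]. Bytes after the parameters (the signature that
 * follows them in ServerKeyExchange) are ignored here. */
int check_server_dh_params(const uint8_t *msg, size_t msg_len, size_t min_bitlen)
{
    size_t pos = 0, p_len, g_len, ys_len;
    const uint8_t *p, *g, *ys;

    if (read_opaque16(msg, msg_len, &pos, &p, &p_len) != 0 ||
        read_opaque16(msg, msg_len, &pos, &g, &g_len) != 0 ||
        read_opaque16(msg, msg_len, &pos, &ys, &ys_len) != 0)
        return -1;

    /* Compare the value's real bit length, never 8 * encoded length: a 1023-bit
     * prime still occupies 128 bytes and would slip past a 1024-bit minimum. */
    if (be_bitlen(p, p_len) < min_bitlen) return -2;
    if ((p[p_len - 1] & 1) == 0) return -2;          /* an even p is never prime */

    if (be_bitlen(g, g_len) < 2 || !be_below_p_minus_1(g, g_len, p, p_len)) return -3;
    if (be_bitlen(ys, ys_len) < 2 || !be_below_p_minus_1(ys, ys_len, p, p_len)) return -3;
    return 0;
}

/* Constructed sample messages with toy-sized numbers so the bytes read by eye. */
const uint8_t DH_OK[]     = {0, 2, 0x00, 0x17, 0, 1, 0x05, 0, 1, 0x08}; /* p=23, g=5, Ys=8 */
const uint8_t DH_YS_PM1[] = {0, 2, 0x00, 0x17, 0, 1, 0x05, 0, 1, 0x16}; /* Ys = p-1 = 22 */
const uint8_t DH_G_ONE[]  = {0, 2, 0x00, 0x17, 0, 1, 0x01, 0, 1, 0x08}; /* g = 1 */
const uint8_t DH_EVEN_P[] = {0, 2, 0x00, 0x16, 0, 1, 0x05, 0, 1, 0x08}; /* p = 22 */
const uint8_t DH_TRUNC[]  = {0, 2, 0x00, 0x17, 0, 1};                   /* cut mid-field */

int main(void)
{
    printf("p=23 (5 bits) against a 5-bit minimum: %d\n",
           check_server_dh_params(DH_OK, sizeof DH_OK, 5));
    printf("p=23 (5 bits) against an 8-bit minimum: %d (8 * 2 encoded bytes would have passed)\n",
           check_server_dh_params(DH_OK, sizeof DH_OK, 8));
    return 0;
}
```

The same shape of check applies to a real 2048-bit minimum: a server that sends a 2047-bit prime in 256 bytes must be rejected, and the range checks on g and Ys are what keep a malicious server from handing the client an element of a tiny subgroup.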
51 * The cipher suite TLS-RSA-WITH-CAMELLIA-256-GCM-SHA384 was not available
52 when SHA-1 was disabled and was offered when SHA-1 was enabled but SHA-384
53 was disabled. Fix the dependency. Fixes #4472.
55 Arm Cortex-M. Fixes #4530.
57 directive in a header and a missing initialization in the self-test.
58 * Fix a missing initialization in the Camellia self-test, affecting
61 (when the encrypt-then-MAC extension is not in use) with some ALT
62 implementations of the underlying hash (SHA-1, SHA-256, SHA-384), causing
74 with at least one limb. Credit to OSS-Fuzz. Fixes #4641.
95 = mbed TLS 2.16.10 branch released 2021-03-12
104 |A| - |B| where |B| is larger than |A| and has more limbs (so the
129 fail. Such a double-free was not safe when MBEDTLS_THREADING_C was
131 * Fix a resource leak in a bad-arguments case of mbedtls_rsa_gen_key()
139 the extension was always marked as non-critical. This was fixed by
142 = mbed TLS 2.16.9 branch released 2020-12-11
146 MBEDTLS_MPI_MAX_SIZE to prevent a potential denial of service when
147 generating Diffie-Hellman key pairs. Credit to OSS-Fuzz.
151 are implemented. This could cause failures or the silent use of non-random
179 * Fix the build when the macro _GNU_SOURCE is defined to a non-empty value.
188 * Fix a case in elliptic curve arithmetic where an out-of-memory condition
207 zeroize the pointed-to buffer. Reported by Antonio de la Piedra, CEA
210 = mbed TLS 2.16.8 branch released 2020-09-01
214 -Wformat-signedness, and fix the code that causes signed-one-bit-field
215 and sign-compare warnings. Contributed by makise-homura (Igor Molchanov)
230 Encrypt-then-Mac extension, use constant code flow memory access patterns
233 effective against network-based attackers, but less so against local
235 if they have access to fine-grained measurements. In particular, this
239 * Fix side channel in RSA private key operations and static (finite-field)
240 Diffie-Hellman. An adversary with precise enough timing and memory access
242 enclave) could bypass an existing counter-measure (base blinding) and
244 * Fix a 1-byte buffer overread in mbedtls_x509_crl_parse_der().
245 Credit to OSS-Fuzz for detecting the problem and to Philippe Antoine
263 Adapted for long-term support branch 2.16 in #3558.
275 = mbed TLS 2.16.7 branch released 2020-07-01
280 Ming-Wei Shih, Prasun Gera, Taesoo Kim and Hyesoon Kim (Georgia Institute
291 * Fix issue in Lucky 13 counter-measure that could make it ineffective when
323 `MBEDTLS_SHA256_C` for some side-channel countermeasures. If side channels
327 = mbed TLS 2.16.6 branch released 2020-04-14
334 Billy Brumley and Cesar Pereida Garcia. CVE-2020-10932
344 = mbed TLS 2.16.5 branch released 2020-02-20
349 probability (of the order of 2^-n where n is the bitsize of the curve)
351 denial of service (application crash or extra resource consumption).
357 ARMmbed/mbed-crypto#352
363 keys. Found by Catena cyber using oss-fuzz (issue 20467).
367 = mbed TLS 2.16.4 branch released 2020-01-15
398 the initial seeding always reset the entropy length to the compile-time
402 * Add unit tests for AES-GCM when called through mbedtls_cipher_auth_xxx()
405 NIST SP 800-90A. In particular CTR_DRBG requires an explicit nonce
406 to achieve a 256-bit strength if MBEDTLS_ENTROPY_FORCE_SHA256 is set.
408 = mbed TLS 2.16.3 branch released 2019-09-06
414 * The deterministic ECDSA calculation reused the scheme's HMAC-DRBG to
433 * Fix typo in net_would_block(). Fixes #528 reported by github-monoculture.
450 address-sanitizer and enabling but not using MBEDTLS_ECP_RESTARTABLE.
453 * Improve code clarity in x509_crt module, removing false-positive
457 mbedtls_platform_zeroize(). Fixes ARMmbed/mbed-crypto#49.
463 * Make it easier to define MBEDTLS_PARAM_FAILED as assert (which config.h
467 = mbed TLS 2.16.2 branch released 2019-06-11
478 * Server's RSA certificate in certs.c was SHA-1 signed. In the default
479 mbedTLS configuration only SHA-2 signed certificates are accepted.
483 updated to one that is SHA-256 signed. Fix contributed by
491 * Fix 1-byte buffer overflow in mbedtls_mpi_write_string() when
493 OSS-Fuzz.
505 * Add DER-encoded test CRTs to library/certs.c, allowing
509 lead to successful parsing of ill-formed X.509 CRTs. Fixes #2437.
510 * Fix multiple X.509 functions previously returning ASN.1 low-level error
523 * Replace multiple uses of MD2 by SHA-256 in X.509 test suite. Fixes #821.
525 = mbed TLS 2.16.1 branch released 2019-03-19
546 * Fix signed-to-unsigned integer conversion warning
555 (e.g. config.h.bak). Fixed by Peter Kolbus (Garmin) #2407.
569 * Fix configuration queries in ssl-opt.sh. #2030
570 * Ensure that ssl-opt.sh can be run in OS X. #2029
573 * Re-enable certain interoperability tests in ssl-opt.sh which had previously
574 been disabled for lack of a sufficiently recent version of GnuTLS on the CI.
578 = mbed TLS 2.16.0 branch released 2018-12-21
581 * Add a new config.h option of MBEDTLS_CHECK_PARAMS that enables validation
587 disabled by default. See its API documentation in config.h for additional
596 mbedtls_ctr_drbg_update() -> mbedtls_ctr_drbg_update_ret()
597 mbedtls_hmac_drbg_update() -> mbedtls_hmac_drbg_update_ret()
601 the more generic per-module error codes MBEDTLS_ERR_xxx_BAD_INPUT_DATA.
603 modules - AES, ARIA, Blowfish, CAMELLIA, CCM, GCM, DHM, ECP, ECDSA, ECDH,
635 = mbed TLS 2.14.1 branch released 2018-11-30
639 decryption that could lead to a Bleichenbacher-style padding oracle
646 in the paper available here: http://cat.eyalro.net/cat.pdf CVE-2018-19608
664 = mbed TLS 2.14.0 branch released 2018-11-19
675 space and a PSK-(EC)DHE ciphersuite was used, this allowed an attacker
680 adversary to construct non-primes that would be erroneously accepted as
685 pairs or Diffie-Hellman parameters, but was insufficient to validate
686 Diffie-Hellman parameters properly.
693 constrained, single-threaded systems where ECC is time consuming and can
694 block other operations until they complete. This is disabled by default,
699 implemented client-side, for ECDHE-ECDSA ciphersuites in TLS 1.2,
705 * Extend RSASSA-PSS signature to allow a smaller salt size. Previously, PSS
709 that comply with FIPS 186-4, including SHA-512 with a 1024-bit key.
710 * Add support for 128-bit keys in CTR_DRBG. Note that using keys shorter
729 Miller-Rabin rounds.
742 padded records in case of CBC ciphersuites using Encrypt-then-MAC.
753 wildcards and non-ASCII characters being unusable in some DN attributes.
755 Thomas-Dee.
759 Reported by ole-de and ddhome2006. Fixes #882, #1642 and #1706.
768 IPv6 and optionally by a build option over IPv4.
779 Thomas-Dee.
781 Fixes #517 reported by github-monoculture.
784 by FIPS-186-4.
786 = mbed TLS 2.13.1 branch released 2018-09-06
790 whose implementation should behave as a thread-safe version of gmtime().
800 = mbed TLS 2.13.0 branch released 2018-08-31
811 with the peer, as well as by a new per-connection MTU option, set using
813 * Add support for auto-adjustment of MTU to a safe value during the
818 * Add support for buffering out-of-order handshake messages in DTLS.
820 compile-time constant MBEDTLS_SSL_DTLS_MAX_BUFFERING defined
821 in mbedtls/config.h.
839 * Fix potential use-after-free in mbedtls_ssl_get_max_frag_len()
850 (found by Catena cyber using oss-fuzz)
862 * Add support for buffering of out-of-order handshake messages.
867 = mbed TLS 2.12.0 branch released 2018-07-25
870 * Fix a vulnerability in TLS ciphersuites based on CBC and using SHA-384,
878 or CCM instead of CBC, using hash sizes other than SHA-384, or using
879 Encrypt-then-Mac (RFC 7366) were not affected. The vulnerability was
880 caused by a miscalculation (for SHA-384) in a countermeasure to the
891 instead of CBC or using Encrypt-then-Mac (RFC 7366) were not affected.
893 * Add a counter-measure against a vulnerability in TLS ciphersuites based
899 Encrypt-then-Mac (RFC 7366) were not affected. Found by Kenny Paterson,
903 * Add new crypto primitives from RFC 7539: stream cipher Chacha20, one-time
904 authenticator Poly1305 and AEAD construct Chacha20-Poly1305. Contributed
906 * Add support for CHACHA20-POLY1305 ciphersuites from RFC 7905.
907 * Add platform support for the Haiku OS. (https://www.haiku-os.org).
915 NIST SP 800-38F algorithms KW and KWP and by RFC 3394 and RFC 5649.
930 * Fix compilation error when MBEDTLS_ARC4_C is disabled and
942 CBC based ciphersuite is used together with Encrypt-then-MAC. Previously,
947 * Fix ssl_client2 example to send application data with 0-length content
952 * Fix build using -std=c99. Fixed by Nick Wilson.
956 zero-length messages when using TLS 1.2. Contributed by Espressif Systems.
958 when calling with a NULL salt and non-zero salt_len. Contributed by
962 * Allow overriding the time on Windows via the platform-time abstraction.
964 * Use gmtime_r/gmtime_s for thread-safety. Fixed by Nick Wilson.
966 = mbed TLS 2.11.0 branch released 2018-06-18
971 * Implement the HMAC-based extract-and-expand key derivation function
974 * Add support for the XTS block cipher mode with AES (AES-XTS).
978 non-blocking operation of the TLS server stack.
995 = mbed TLS 2.10.0 branch released 2018-06-06
999 (RFC 6209). Disabled by default, see MBEDTLS_ARIA_C in config.h
1014 build to fail. Found by zv-io. Fixes #1651.
1017 * Support TLS testing in out-of-source builds using cmake. Fixes #1193.
1021 = mbed TLS 2.9.0 branch released 2018-04-30
1028 would require a non DER-compliant certificate to be correctly signed by a
1029 trusted CA, or a trusted CA with a non DER-compliant certificate. Found by
1037 * Fix a client-side bug in the validation of the server's ciphersuite choice
1060 underlying transport in case event-driven IO is used.
1066 in configurations that omit certain hashes or public-key algorithms.
1088 in the internal buffers; these cases led to deadlocks when event-driven
1105 public-key algorithms. Includes contributions by Gert van Dijk.
1108 configurations where the feature is disabled. Found and fixed by Gergely
1125 letter must not be prefixed by '-', such as LLVM. Found and fixed by
1135 HMAC functions with non-HMAC ciphersuites. Independently contributed
1138 FIPS 186-4. Contributed by Jethro Beekman. #1380
1146 = mbed TLS 2.8.0 branch released 2018-03-16
1155 config.h. Found by Andreas Walz (ivESK, Offenburg University of
1176 uses PBKDF2-SHA2, such as OpenSSL 1.1. Submitted by Antonio Quartulli,
1187 * Fix test_suite_pk to work on 64-bit ILP32 systems. #849
1213 * Fix a 1-byte heap buffer overflow (read-only) during private key parsing.
1227 = mbed TLS 2.7.0 branch released 2018-02-03
1235 both TLS and DTLS. CVE-2018-0488
1236 * Fix a buffer overflow in RSA-PSS verification when the hash was too large
1239 Qualcomm Technologies Inc. CVE-2018-0487
1240 * Fix buffer overflow in RSA-PSS verification when the unmasked data is all
1245 default enabled) maximum fragment length extension is disabled in the
1246 config and the application data buffer passed to mbedtls_ssl_write
1250 was independently reported by Tim Nordell via e-mail and by Florin Petriuc
1261 * Make mbedtls_mpi_read_binary() constant-time with respect to the input
1267 * Fix a potential heap buffer over-read in ALPN extension parsing
1268 (server-side). Could result in application crash, but only if an ALPN
1271 to RFC 3526 containing parameters generated in a nothing-up-my-sleeve
1278 * New unit tests for timing. Improve the self-test to be more robust
1279 when run on a heavily-loaded machine.
1286 MBEDTLS_ECDSA_GENKEY_ALT in config.h.
1292 MBEDTLS_ECDH_GEN_PUBLIC_ALT in config.h.
1301 * Extend RSA interface by multiple functions allowing structure-
1314 mbedtls_<MODULE>_starts() -> mbedtls_<MODULE>_starts_ret()
1315 mbedtls_<MODULE>_update() -> mbedtls_<MODULE>_update_ret()
1316 mbedtls_<MODULE>_finish() -> mbedtls_<MODULE>_finish_ret()
1317 mbedtls_<MODULE>_process() -> mbedtls_internal_<MODULE>_process()
1320 * Deprecate usage of RSA primitives with non-matching key-type
1345 renegotiated handshakes would only accept signatures using SHA-1
1346 regardless of the peer's preferences, or fail if SHA-1 was disabled.
1350 * Fix some invalid RSA-PSS signatures with keys of size 8N+1 that were
1352 * Fix out-of-memory problem when parsing 4096-bit PKCS8-encrypted RSA keys.
1365 * Correct extraction of signature-type from PK instance in X.509 CRT and CSR
1369 non-v3 CRT's.
1374 MBEDTLS_SSL_RENEGOTIATION is disabled. Found by erja-gp.
1379 * Add size-checks for record and handshake message content, securing
1380 fragile yet non-exploitable code-paths.
1416 * Only run AES-192 self-test if AES-192 is available. Fixes #963.
1427 * Add explicit warnings for the use of MD2, MD4, MD5, SHA-1, DES and ARC4
1430 = mbed TLS 2.6.0 branch released 2017-08-10
1446 platform-specific setup and teardown operations. The macro
1458 * Certificate verification functions now set flags to -1 in case the full
1475 * Fix conditional preprocessor directives in bignum.h to enable 64-bit
1479 to bypass the version verification check. Found by Peng Li/Yueh-Hsun Lin,
1483 to bypass the version verification check. Found by Peng Li/Yueh-Hsun Lin,
1494 * Added config.h option MBEDTLS_NO_UDBL_DIVISION, to prevent the use of
1495 64-bit division. This is useful on embedded platforms where 64-bit division
1501 config-no-entropy.h to reduce the RAM footprint.
1506 = mbed TLS 2.5.1 released 2017-06-21
1509 * Fixed unlimited overread of heap-based buffer in mbedtls_ssl_read().
1510 The issue could only happen client-side with renegotiation enabled.
1514 * Removed SHA-1 and RIPEMD-160 from the default hash algorithms for
1515 certificate verification. SHA-1 can be turned back on with a compile-time
1520 potential Bleichenbacher/BERserk-style attack.
1525 and with GCC using the -Wpedantic compilation option.
1526 * Fix insufficient support for signature-hash-algorithm extension,
1553 by Jean-Philippe Aumasson.
1555 = mbed TLS 2.5.0 branch released 2017-05-17
1562 against side-channel attacks like the cache attack described in
1581 mbedtls_aes_decrypt() -> mbedtls_internal_aes_decrypt()
1582 mbedtls_aes_encrypt() -> mbedtls_internal_aes_encrypt()
1585 * Remove macros from compat-1.3.h that correspond to deleted items from most
1589 * Add checks in the PK module for the RSA functions on 64-bit systems.
1594 = mbed TLS 2.4.2 branch released 2017-03-08
1598 using RSA through the PK module in 64-bit systems. The issue was caused by
1601 mbedtls_pk_sign(). Found by Jean-Philippe Aumasson.
1615 team. #569 CVE-2017-2784
1624 mbedtls_ssl_set_bio_timeout in compat-1.3.h, by removing it.
1625 Found by omlib-lin. #673
1627 x509_csr.c that are reported when building mbed TLS with a config.h that
1646 Li/Yueh-Hsun Lin, KNOX Security, Samsung Research America.
1662 = mbed TLS 2.4.1 branch released 2016-12-13
1665 * Update to CMAC test data, taken from - NIST Special Publication 800-38B -
1669 = mbed TLS 2.4.0 branch released 2016-10-17
1673 with RFC-5116 and could lead to session key recovery in very long TLS
1674 sessions. "Nonce-Disrespecting Adversaries Practical Forgery Attacks on GCM in
1675 TLS" - H. Bock, A. Zauner, S. Devlin, J. Somorovsky, P. Jovanovic.
1683 * Added support for CMAC for AES and 3DES and AES-CMAC-PRF-128, as defined by
1684 NIST SP 800-38B, RFC-4493 and RFC-4615.
1692 * Added a configuration file config-no-entropy.h that configures the subset of
1694 * Added the macro MBEDTLS_ENTROPY_MIN_HARDWARE in config.h. This allows users
1705 * Fix for key exchanges based on ECDH-RSA or ECDH-ECDSA which weren't
1707 * Fix for out-of-tree builds using CMake. Found by jwurzer, and fix based on
1720 subramanyam-c. #622
1727 Found by subramanyam-c. #626
1735 * Removed self-tests from the basic-built-test.sh script, and added all
1736 missing self-tests to the test suites, to ensure self-tests are only
1739 * Added support for a Yotta specific configuration file -
1750 = mbed TLS 2.3.0 branch released 2016-06-28
1768 arguments were the same (in-place doubling). Found and fixed by Janos
1774 ECDSA was disabled in config.h . The leak didn't occur by default.
1787 * Fix test in ssl-opt.sh that does not run properly with valgrind
1791 * On ARM platforms, when compiling with -O0 with GCC, Clang or armcc5,
1793 the need to pass -fomit-frame-pointer to avoid a build error with -O0.
1794 * Disabled SSLv3 in the default configuration.
1797 * Fix non-compliant server extension handling. Extensions for SSLv3 are now
1800 = mbed TLS 2.2.1 released 2016-01-05
1812 * Fix over-restrictive length limit in GCM. Found by Andreas-N. #362
1824 = mbed TLS 2.2.0 released 2015-11-04
1842 * Experimental support for EC J-PAKE as defined in Thread 1.0.0.
1843 Disabled by default as the specification might still change.
1845 block. (Potential uses include EAP-TLS and Thread.)
1848 * Self-signed certificates were not excluded from pathlen counting,
1851 * Fix build error with configurations where ECDHE-PSK is the only key
1853 * Fix build error with configurations where RSA, RSA-PSK, ECDH-RSA or
1854 ECDH-ECDSA is the only key exchange. Multiple reports. #310
1855 * Fixed a bug causing some handshakes to fail due to some non-fatal alerts
1856 not being properly ignored. Found by mancha and Kasom Koht-arsa, #308
1859 minimum key size for end-entity certificates with RSA keys. Found by
1870 or -1.
1872 = mbed TLS 2.1.2 released 2015-10-06
1875 * Added fix for CVE-2015-5291 to prevent heap corruption due to buffer
1878 * Fix potential double-free if mbedtls_ssl_set_hs_psk() is called more than
1895 buffer is 512MB or larger on 32-bit platforms. Found by Guido Vranken,
1897 * Fix potential double-free if mbedtls_conf_psk() is called repeatedly on
1913 * Fixed paths for check_config.h in example config files. (Found by bachp)
1916 = mbed TLS 2.1.1 released 2015-09-17
1919 * Add countermeasure against Lenstra's RSA-CRT attack for PKCS#1 v1.5
1921 https://securityblog.redhat.com/2015/09/02/factoring-rsa-keys-with-tls-perfect-forward-secrecy/
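Lenstra's attack and the countermeasure this entry refers to, as an added example in C (not mbed TLS code; the toy key is constructed for this page and is far too small for real use): an RSA-CRT signer whose mod-q half can be corrupted on request, the attacker's recovery of a factor of n from a single faulty signature plus the message, and the checked signer that verifies with the public exponent before releasing anything. Names such as rsa_crt_sign_checked and fault_delta are this example's own.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy RSA key, constructed for this example: n = 61 * 53, e = 17, d = 2753.
 * Chosen so that every intermediate product fits in uint64_t. */
#define RSA_P    61u
#define RSA_Q    53u
#define RSA_N    (RSA_P * RSA_Q)   /* 3233 */
#define RSA_E    17u
#define RSA_DP   53u               /* d mod (p - 1) */
#define RSA_DQ   49u               /* d mod (q - 1) */
#define RSA_QINV 38u               /* q^-1 mod p */

static uint64_t modpow(uint64_t base, uint64_t exp, uint64_t mod)
{
    uint64_t r = 1 % mod;
    base %= mod;
    while (exp) {
        if (exp & 1) r = (r * base) % mod;
        base = (base * base) % mod;
        exp >>= 1;
    }
    return r;
}

static uint64_t gcd(uint64_t a, uint64_t b)
{
    while (b) { uint64_t t = b; b = a % b; a = t; }
    return a;
}

/* RSA-CRT signature with Garner recombination. fault_delta != 0 simulates a
 * glitch (voltage, clock, a flipped bit) that corrupts the mod-q half only. */
uint64_t rsa_crt_sign(uint64_t m, uint64_t fault_delta)
{
    uint64_t sp = modpow(m, RSA_DP, RSA_P);
    uint64_t sq = (modpow(m, RSA_DQ, RSA_Q) + fault_delta) % RSA_Q;
    uint64_t h  = (RSA_QINV * ((sp + RSA_P - sq % RSA_P) % RSA_P)) % RSA_P;
    return sq + h * RSA_Q;
}

/* Lenstra: one faulty signature and the message give a factor of n.
 * s'^e == m (mod p) still holds because that half was computed correctly,
 * but not (mod q), so gcd(s'^e - m, n) == p. For a correct signature the
 * difference is 0 and the gcd is just n. */
uint64_t lenstra_factor(uint64_t faulty_sig, uint64_t m)
{
    uint64_t diff = (modpow(faulty_sig, RSA_E, RSA_N) + RSA_N - m % RSA_N) % RSA_N;
    return gcd(diff, RSA_N);
}

/* The countermeasure: verify with the public exponent before releasing the
 * signature. Returns 0 instead of a signature when the check fails. */
uint64_t rsa_crt_sign_checked(uint64_t m, uint64_t fault_delta)
{
    uint64_t s = rsa_crt_sign(m, fault_delta);
    if (modpow(s, RSA_E, RSA_N) != m % RSA_N)
        return 0;
    return s;
}

int main(void)
{
    uint64_t bad = rsa_crt_sign(65, 1);
    printf("faulty signature %llu leaks factor %llu of n=%u\n",
           (unsigned long long)bad, (unsigned long long)lenstra_factor(bad, 65), RSA_N);
    printf("checked signer returns %llu for the same fault\n",
           (unsigned long long)rsa_crt_sign_checked(65, 1));
    return 0;
}
```

The verification costs one public-exponent exponentiation, which is cheap next to the private operation; the price of skipping it is that a single glitched handshake hands the attacker the private key, which is why the check belongs in the signer and not in the caller.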
1922 * Fix possible client-side NULL pointer dereference (read) when the client
1925 afl-fuzz.)
1929 * Fix off-by-one error in parsing Supported Point Format extension that
1937 (MBEDTLS_SSL_DTLS_HELLO_VERIFY defined in config.h, and usable cookie
1940 MBEDTLS_ERR_SSL_CLIENT_RECONNECT - it is then possible to start a new
1943 = mbed TLS 2.1.0 released 2015-09-04
1951 * Fix build error with CMake and pre-4.5 versions of GCC (found by Hugo
1959 * Fix compile error with armcc 5 with --gnu option.
1964 * Fix missing -static-libgcc when building shared libraries for Windows
1973 * Fix -Wshadow warnings (found by hnrkp) (#240)
1975 SSL_MAX_CONTENT_LEN or higher - not triggerable remotely (found by
1983 * It is now possible to #include a user-provided configuration file at the
1984 end of the default config.h by defining MBEDTLS_USER_CONFIG_FILE on the
1987 trusted, no later cert is checked. (suggested by hannes-landeholm)
1994 = mbed TLS 2.0.0 released 2015-07-13
2001 * New server-side implementation of session tickets that rotate keys to
2007 * Introduced a concept of presets for SSL security-relevant configuration
2015 Migration helpers scripts/rename.pl and include/mbedtls/compat-1.3.h are
2016 provided. Full list of renamings in scripts/data_files/rename-1.3-2.0.txt
2018 mbedtls_cipher_info_t.key_length -> key_bitlen
2019 mbedtls_cipher_context_t.key_length -> key_bitlen
2020 mbedtls_ecp_curve_info.size -> bit_size
2025 mbedtls_ssl_init() -> mbedtls_ssl_setup()
2026 mbedtls_ccm_init() -> mbedtls_ccm_setkey()
2027 mbedtls_gcm_init() -> mbedtls_gcm_setkey()
2028 mbedtls_hmac_drbg_init() -> mbedtls_hmac_drbg_seed(_buf)()
2029 mbedtls_ctr_drbg_init() -> mbedtls_ctr_drbg_seed()
2035 (see rename.pl and compat-1.3.h above) and their first argument's type
2038 additional callback for read-with-timeout).
2057 mbedtls_x509_crt_verify() (flags, f_vrfy -> needs to be updated)
2058 mbedtls_ssl_conf_verify() (f_vrfy -> needs to be updated)
2059 * The following functions changed prototype to avoid an in-out length
2077 * Test certificates in certs.c are no longer guaranteed to be nul-terminated
2086 * Change SSL_DISABLE_RENEGOTIATION config.h flag to SSL_RENEGOTIATION
2087 (support for renegotiation now needs explicit enabling in config.h).
2089 in config.h
2106 * Removed compat-1.2.h (helper for migrating from 1.2 to 1.3).
2110 been removed (compiler is required to support 32-bit operations).
2113 * Removed test program ssl_test, superseded by ssl-opt.sh.
2114 * Removed helper script active-config.pl
2120 Semi-API changes (technically public, morally private)
2135 * Support for receiving SSLv2 ClientHello is now disabled by default at
2140 custom config.h
2141 * Default DHM parameters server-side upgraded from 1024 to 2048 bits.
2144 * Negotiation of truncated HMAC is now disabled by default on server too.
2145 * The following functions are now case-sensitive:
2164 * DTLS no longer hard-depends on TIMING_C, but uses a callback interface
2173 thread-safe if MBEDTLS_THREADING_C is enabled.
2174 * Reduced ROM footprint of SHA-256 and added an option to reduce it even
2183 * Add countermeasure against "Lucky 13 strikes back" cache-based attack,
2193 * Add support for id-at-uniqueIdentifier in X.509 names.
2199 cross-compilation easier (thanks to Alon Bar-Lev).
2200 * The benchmark program also prints heap usage for public-key primitives
2202 * New script ecc-heap.sh helps measure the impact of ECC parameters on
2205 reduced configurations (PSK-CCM and NSA suite B).
2206 * Add config flag POLARSSL_DEPRECATED_WARNING (off by default) to produce
2208 * Add config flag POLARSSL_DEPRECATED_REMOVED (off by default) to produce
2237 * Fix potential unintended sign extension in asn1_get_len() on 64-bit
2241 POLARSSL_SSL_SESSION_TICKETS were both enabled in config.h (introduced
2244 * Add missing dependency on SHA-256 in some x509 programs (reported by
2255 * compat-1.2.h and openssl.h are deprecated.
2258 (contributed by Alon Bar-Lev).
2261 * Move from SHA-1 to SHA-256 in example programs using signatures
2269 = mbed TLS 1.3.10 released 2015-02-09
2271 * NULL pointer dereference in the buffer-based allocator when the buffer is
2275 * Fix remotely-triggerable uninitialised pointer dereference caused by
2278 * Fix remotely-triggerable memory leak caused by crafted X.509 certificates
2285 Bleichenbacher-style attack in the RSA and RSA-PSK key exchanges
2289 * Add support for FALLBACK_SCSV (draft-ietf-tls-downgrade-scsv).
2290 * Add support for Extended Master Secret (draft-ietf-tls-session-hash).
2291 * Add support for Encrypt-then-MAC (RFC 7366).
2294 * Add compile-time option POLARSSL_X509_MAX_INTERMEDIATE_CA to limit the
2296 * Support for renegotiation can now be disabled at compile-time
2297 * Support for 1/n-1 record splitting, a countermeasure against BEAST.
2298 * Certificate selection based on signature hash, preferring SHA-1 over SHA-2
2299 for pre-1.2 clients when multiple certificates are available.
2309 add_len (found by Jean-Philippe Aumasson) (not triggerable remotely).
2325 issue with some servers when a zero-length extension was sent. (Reported
2327 * On a 0-length input, base64_encode() did not correctly set output length
2332 switch back to random with POLARSSL_SSL_AEAD_RANDOM_IV in config.h).
2334 * ssl_set_own_cert() now returns an error on key-certificate mismatch.
2340 * It is now possible to disable negotiation of truncated HMAC server-side
2346 = PolarSSL 1.3.9 released 2014-10-20
2350 * Remotely-triggerable memory leak when parsing some X.509 certificates
2353 * Remotely-triggerable memory leak when parsing crafted ClientHello
2360 * Fix net_accept() regarding non-blocking sockets (found by Luca Pesce).
2362 * Fix warnings from Clang's scan-build (contributed by Alfred Klomp).
2365 * Remove non-existent file from VS projects (found by Peter Vaskovic).
2366 * ssl_read() could return non-application data records on server while
2368 * Server-initiated renegotiation would fail with non-blocking I/O if the
2371 with non-blocking I/O.
2379 * Ciphersuites using SHA-256 or SHA-384 now require TLS 1.x (there is no
2380 standard defining how to use SHA-2 with SSL 3.0).
2381 * Ciphersuites using RSA-PSK key exchange now require TLS 1.x (the spec is
2384 RSA is disabled, larger if POLARSSL_MPI_MAX_SIZE is larger.
2393 = PolarSSL 1.3.8 released 2014-07-11
2402 * Support for parsing and verifying RSASSA-PSS signatures in the X.509
2405 * Add example config.h for PSK with CCM, optimized for low RAM usage.
2406 * Optimize for RAM usage in example config.h for NSA Suite B profile.
2409 * Add server-side enforcement of sent renegotiation requests
2411 * Add SSL_CIPHERSUITES config.h flag to allow specifying a list of
2428 * Remove less-than-zero checks on unsigned numbers
2440 rejected with CBC-based ciphersuites and TLS >= 1.1
2442 to 32 bytes with CBC-based ciphersuites and TLS >= 1.1
2445 * Restore ability to locally trust a self-signed cert that is not a proper
2451 * Fix off-by-one error in parsing Supported Point Format extension that
2453 * Fix possible miscomputation of the premaster secret with DHE-PSK key
2462 = PolarSSL 1.3.7 released on 2014-05-02
2466 * version_check_feature() added to check for compile-time options at
2467 run-time
2474 * AES-NI now compiles with "old" assemblers too
2490 big-endian platform when size was not an integer number of limbs
2492 * Some parts of ssl_tls.c were compiled even when the module was disabled.
2497 = PolarSSL 1.3.6 released on 2014-04-11
2518 This affects certificates in the user-supplied chain except the top
2519 certificate. If the user-supplied chain contains only one certificate,
2538 * dhm_parse_dhm() (hence dhm_parse_dhmfile()) did not set dhm->len.
2539 * Calling pk_debug() on an RSA-alt key would segfault.
2540 * pk_get_size() and pk_get_len() were off by a factor 8 for RSA-alt keys.
2546 = PolarSSL 1.3.5 released on 2014-03-26
2548 * HMAC-DRBG as a separate module
2549 * Option to set the Curve preference order (disabled by default)
2552 * Ability to force the entropy module to use SHA-256 as its basis
2554 * Testing script ssl-opt.sh added for testing 'live' ssl option
2562 now thread-safe if POLARSSL_THREADING_C defined
2578 * Possible remotely-triggered out-of-bounds memory access fixed (found by
2585 * Fixed testing with out-of-source builds using cmake
2586 * Fixed version-major intolerance in server
2587 * Fixed CMake symlinking on out-of-source builds
2590 * Bignum's MIPS-32 assembly was used on MIPS-64, causing chaos. (Found by
2594 * Fixed bug with session tickets and non-blocking I/O in the unlikely case
2607 = PolarSSL 1.3.4 released on 2014-01-27
2610 * Support for RIPEMD-160
2626 = PolarSSL 1.3.3 released on 2013-12-31
2632 * Support for ECDH-RSA and ECDH-ECDSA key exchanges and ciphersuites
2634 * AES-NI support for AES, AES-GCM and AES key scheduling
2635 * SSL Pthread-based server example added (ssl_pthread_server)
2642 * More constant-time checks in the RSA module
2650 * Fixed X.509 hostname comparison (with non-regular characters)
2663 * Possible remotely-triggered out-of-bounds memory access fixed (found by
2666 = PolarSSL 1.3.2 released on 2013-11-04
2670 * Support for Camellia-GCM mode and ciphersuites
2673 * Padding checks in cipher layer are now constant-time
2674 * Value comparisons in SSL layer are now constant-time
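What "constant-time" means for the two checks named in the entries above, as an added example (this is not the mbed TLS cipher-layer or SSL-layer code; helper names are this example's own): a buffer comparison for MAC tags or Finished data that never exits early, and a PKCS#7 padding check that reads every byte of the last block and masks the comparison instead of branching on the secret pad length, so an attacker timing the record layer cannot learn where the padding starts.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* 0xFF if a < b, else 0x00; branch-free, valid for a, b < 2^31. */
static uint8_t ct_mask_lt(uint32_t a, uint32_t b)
{
    return (uint8_t)(0u - ((a - b) >> 31));
}

/* 1 if x == 0, else 0, without a branch. */
static int ct_is_zero(uint8_t x)
{
    return (int)(((uint32_t)x - 1u) >> 31);
}

/* Equality of two n-byte buffers that runs the full length whatever the
 * contents. Returns 1 if equal, 0 otherwise. */
int ct_memeq(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++) diff |= a[i] ^ b[i];
    return ct_is_zero(diff);
}

/* PKCS#7 padding check: the last byte is the pad length L, 1 <= L <= block,
 * and all L trailing bytes equal L. Every byte of the last block is read and
 * the comparison is masked, so the work done does not depend on the secret
 * pad length. Lengths are public, so the early returns on them leak nothing.
 * Returns 1 and stores the payload length if the padding is valid, else 0. */
int ct_pkcs7_unpad(const uint8_t *buf, size_t len, size_t block, size_t *data_len)
{
    if (block == 0 || block > 255 || len < block || len % block != 0)
        return 0;
    uint8_t pad = buf[len - 1];
    uint8_t bad = ct_mask_lt((uint32_t)block, pad);   /* pad > block */
    bad |= ct_mask_lt(pad, 1);                         /* pad == 0 */
    for (size_t i = 0; i < block; i++) {
        uint8_t in_pad = ct_mask_lt((uint32_t)i, pad); /* i-th byte from the end is padding */
        bad |= in_pad & (buf[len - 1 - i] ^ pad);
    }
    *data_len = len - pad;   /* only meaningful when 1 is returned */
    return ct_is_zero(bad);
}

/* Convenience for the demo: payload length, or -1 if the padding is bad. A TLS
 * record layer would not branch here but carry the mask into the MAC check. */
long pkcs7_data_len(const uint8_t *buf, size_t len, size_t block)
{
    size_t n = 0;
    return ct_pkcs7_unpad(buf, len, block, &n) ? (long)n : -1;
}

/* Constructed 8-byte blocks. */
const uint8_t PAD_OK[]     = {0x41, 0x42, 0x43, 0x05, 0x05, 0x05, 0x05, 0x05};
const uint8_t PAD_BROKEN[] = {0x41, 0x42, 0x43, 0x05, 0x05, 0x05, 0x04, 0x05};
const uint8_t PAD_FULL[]   = {0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08};
const uint8_t PAD_ZERO[]   = {0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 0x00};
const uint8_t PAD_LONG[]   = {0x09, 0x09, 0x09, 0x09, 0x09, 0x09, 0x09, 0x09};

int main(void)
{
    printf("valid padding, payload length: %ld\n", pkcs7_data_len(PAD_OK, sizeof PAD_OK, 8));
    printf("broken padding: %ld\n", pkcs7_data_len(PAD_BROKEN, sizeof PAD_BROKEN, 8));
    return 0;
}
```

The masks are built from arithmetic on unsigned values rather than from `if`, and the loop bound is the block size, not the pad length; both properties are what the "Lucky 13" family of attacks checks for, since any shortcut keyed on the pad byte turns into a timing difference an attacker on the network can measure.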
2687 * Server-side initiated renegotiations send HelloRequest
2689 = PolarSSL 1.3.1 released on 2013-10-15
2692 * Support for ECDHE-PSK key-exchange and ciphersuites
2693 * Support for RSA-PSK key-exchange and ciphersuites
2699 * config.h is more script-friendly
2711 = PolarSSL 1.3.0 released on 2013-10-01
2716 (ECDHE-based ciphersuites)
2718 (ECDSA-based ciphersuites)
2720 * PSK and DHE-PSK based ciphersuites added
2722 * Buffer-based memory allocator added (no malloc() / free() / HEAP usage)
2729 * Support for zeros-and-length (ANSI X.923) padding, one-and-zeros
2730 (ISO/IEC 7816-4) padding and zero padding in the cipher layer
2759 * Also compiles / runs without time-based functions (!POLARSSL_HAVE_TIME)
2771 (found by Cyril Arnaud and Pierre-Alain Fouque)
2774 = Version 1.2.14 released 2015-05-??
2782 * Add countermeasure against "Lucky 13 strikes back" cache-based attack,
2790 * Fix potential unintended sign extension in asn1_get_len() on 64-bit
2793 = Version 1.2.13 released 2015-02-16
2798 * Fix remotely-triggerable uninitialised pointer dereference caused by
2801 * Fix remotely-triggerable memory leak caused by crafted X.509 certificates
2814 add_len (found by Jean-Philippe Aumasson) (not triggerable remotely).
2824 issue with some servers when a zero-length extension was sent. (Reported
2826 * On a 0-length input, base64_encode() did not correctly set output length
2832 * Add compile-time option POLARSSL_X509_MAX_INTERMEDIATE_CA to limit the
2834 = Version 1.2.12 released 2014-10-24
2837 * Remotely-triggerable memory leak when parsing some X.509 certificates
2845 with non-blocking I/O.
2849 * Fix net_accept() regarding non-blocking sockets (found by Luca Pesce).
2850 * ssl_read() could return non-application data records on server while
2852 * Fix warnings from Clang's scan-build (contributed by Alfred Klomp).
2861 = Version 1.2.11 released 2014-07-11
2889 * Fixed X.509 hostname comparison (with non-regular characters)
2902 * Fixed testing with out-of-source builds using cmake
2903 * Fixed version-major intolerance in server
2904 * Fixed CMake symlinking on out-of-source builds
2905 * Bignum's MIPS-32 assembly was used on MIPS-64, causing chaos. (Found by
2920 big-endian platform when size was not an integer number of limbs
2931 = Version 1.2.10 released 2013-10-07
2933 * Changed RSA blinding to a slower but thread-safe version
2940 = Version 1.2.9 released 2013-10-01
2953 (found by Cyril Arnaud and Pierre-Alain Fouque)
2955 = Version 1.2.8 released 2013-06-19
2959 * Centralized module option values in config.h to allow user-defined
2963 * HAVEGE random generator disabled by default
2969 config.h)
2984 * Fixed values for 2-key Triple DES in cipher layer
2989 PEM-encoded certificates has been fixed (found by Jack Lloyd)
2991 = Version 1.2.7 released 2013-04-13
2996 * Default Blowfish keysize is now 128-bits
3003 = Version 1.2.6 released 2013-03-11
3006 * Corrected GCM counter incrementation to use only 32-bits instead of
3007 128-bits (found by Yawning Angel)
3008 * Fixes for 64-bit compilation with MS Visual Studio
3018 * Re-added handling for SSLv2 Client Hello when the define
3030 = Version 1.2.5 released 2013-02-02
3032 * Allow enabling of dummy error_strerror() to support some use-cases
3034 disabled by default and can be enabled with POLARSSL_SSL_DEBUG_ALL
3035 * Sending of security-relevant alert messages that do not break
3043 = Version 1.2.4 released 2013-01-25
3055 = Version 1.2.3 released 2012-11-26
3059 = Version 1.2.2 released 2012-11-24
3063 * During verify trust-CA is only checked for expiration and CRL presence
3069 = Version 1.2.1 released 2012-11-20
3072 bottom-up (Peer cert depth is 0)
3078 Pégourié-Gonnard)
3080 Pégourié-Gonnard)
3083 = Version 1.2.0 released 2012-10-31
3086 ciphersuites (POLARSSL_ENABLE_WEAK_CIPHERSUITES). They are disabled by
3089 * Added support for multi-domain certificates through the X509 Subject
3109 * Added simple SSL session cache implementation
3116 * Fixed const-correctness mpi_get_bit()
3151 = Version 1.1.8 released on 2013-10-01
3157 * Potential buffer-overflow for ssl_read_record() (independently found by
3162 = Version 1.1.7 released on 2013-06-19
3164 * HAVEGE random generator disabled by default
3171 * Fixed values for 2-key Triple DES in cipher layer
3176 PEM-encoded certificates has been fixed (found by Jack Lloyd)
3178 = Version 1.1.6 released on 2013-03-11
3183 * Allow enabling of dummy error_strerror() to support some use-cases
3185 disabled by default and can be enabled with POLARSSL_SSL_DEBUG_ALL
3194 = Version 1.1.5 released on 2013-01-16
3205 Pégourié-Gonnard)
3207 Pégourié-Gonnard)
3218 = Version 1.1.4 released on 2012-05-31
3224 = Version 1.1.3 released on 2012-04-29
3228 = Version 1.1.2 released on 2012-04-26
3235 Frama-C team at CEA LIST)
3239 = Version 1.1.1 released on 2012-01-23
3243 * Fixed issues with Intel compiler on 64-bit systems (Closes ticket #50)
3247 = Version 1.1.0 released on 2011-12-22
3249 * Added ssl_session_reset() to allow better multi-connection pools of
3250 SSL contexts without needing to set all non-connection-specific
3257 * Added CTR_DRBG based on AES-256-CTR (NIST SP 800-90) random generator
3266 * Increased maximum size of ASN1 length reads to 32-bits.
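Added example, not mbed TLS code: a DER length decoder with the same cap this entry describes (at most four length octets, so a decoded length always fits in 32 bits). Function names are mine, modelled on but not taken from the library's ASN.1 module; the inputs in the helper are constructed. Besides the octet-count cap it rejects the indefinite form, non-minimal encodings and any length that exceeds the bytes actually present, which is the check that keeps the length from being used for out-of-bounds pointer arithmetic later.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Parses a DER length at *p (bounded by end). Returns 0 on success with *len
 * set and *p advanced past the length octets, -1 on any malformed input. */
int der_get_len(const uint8_t **p, const uint8_t *end, uint32_t *len)
{
    const uint8_t *q = *p;
    if (q >= end)
        return -1;                          /* no length octet at all */

    uint8_t first = *q++;
    if ((first & 0x80) == 0) {              /* short form: 0..127 */
        *len = first;
    } else {
        unsigned n = first & 0x7f;
        if (n == 0 || n > 4)
            return -1;                      /* 0x80 = indefinite (BER only); >4 octets = over 32 bits */
        if ((size_t)(end - q) < n)
            return -1;                      /* length field itself is truncated */
        uint32_t v = 0;
        for (unsigned i = 0; i < n; i++)
            v = (v << 8) | q[i];
        q += n;
        /* DER demands the minimal encoding: no leading zero octets, and the
         * long form only for values >= 128. */
        if (n > 1 && (v >> (8 * (n - 1))) == 0)
            return -1;
        if (n == 1 && v < 0x80)
            return -1;
        *len = v;
    }
    if ((size_t)(end - q) < *len)
        return -1;                          /* content would run past the buffer */
    *p = q;
    return 0;
}

/* Test helper: copies a length encoding into a zero-filled 300-byte scratch
 * buffer so that lengths up to roughly 290 have content to point at, and
 * returns the decoded length or -1 if der_get_len rejects the encoding. */
int64_t der_len_of_encoding(const uint8_t *enc, size_t enclen)
{
    uint8_t scratch[300] = {0};
    if (enclen > sizeof scratch)
        return -1;
    memcpy(scratch, enc, enclen);
    const uint8_t *p = scratch;
    uint32_t len;
    if (der_get_len(&p, scratch + sizeof scratch, &len) != 0)
        return -1;
    return (int64_t)len;
}

int main(void)
{
    const uint8_t ok[]       = { 0x82, 0x01, 0x00 };        /* 256, minimal */
    const uint8_t too_long[] = { 0x85, 0, 0, 0, 0, 1 };     /* five octets: rejected */
    const uint8_t huge[]     = { 0x84, 0xff, 0xff, 0xff, 0xff }; /* 2^32-1: past buffer */
    printf("%lld %lld %lld\n",
           (long long)der_len_of_encoding(ok, sizeof ok),
           (long long)der_len_of_encoding(too_long, sizeof too_long),
           (long long)der_len_of_encoding(huge, sizeof huge));
    return 0;
}
```

Raising the cap to 32 bits lets the parser read large lengths on both 32- and 64-bit platforms, but the decoded value is only ever as trustworthy as the bounds check against the real buffer that follows it.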
3271 * Changed the defined key-length of DES ciphers in cipher.h to include the
3276 trade-off
3285 encountering a parse-error. Beware that the meaning of return values has
3290 * Fixed faulty HMAC-MD2 implementation. Found by dibac. (Closes
3296 * Fixed incorrect behaviour in case of RSASSA-PSS with a salt length
3305 = Version 1.0.0 released on 2011-07-27
3308 * Added rsa_encrypt and rsa_decrypt simple example programs.
3318 = Version 0.99-pre5 released on 2011-05-26
3323 * Functions requiring File System functions can now be disabled
3351 = Version 0.99-pre4 released on 2011-04-01
3354 for the RSAES-OAEP and RSASSA-PSS operations.
3369 platform (32-bit / 64-bit) (Fixes ticket #19, found by Mads
3373 * Fixed proper handling of RSASSA-PSS verification with variable
3376 = Version 0.99-pre3 released on 2011-02-28
3377 This release replaces version 0.99-pre2 which had possible copyright issues.
3402 * Fixed a possible Man-in-the-Middle attack on the
3406 = Version 0.99-pre1 released on 2011-01-30
3408 Note: Most of these features have been donated by Fox-IT
3425 libpkcs11-helper library
3436 = Version 0.14.0 released on 2010-08-16
3440 * Added compile-time and run-time version information
3460 = Version 0.13.1 released on 2010-03-24
3465 = Version 0.13.0 released on 2010-03-21
3481 * Added reset function for HMAC context as speed-up
3482 for specific use-cases
3493 = Version 0.12.1 released on 2009-10-04
3504 = Version 0.12.0 released on 2009-07-28
3508 Base64, MPI, SHA-family, MD-family, HMAC-SHA-family,
3509 Camellia, DES, 3-DES, RSA PKCS#1, XTEA, Diffie-Hellman
3525 * Fixed HMAC-MD2 by modifying md2_starts(), so that the
3546 * Fixed Camellia and XTEA for 64-bit Windows systems.
3548 = Version 0.11.1 released on 2009-05-17
3549 * Fixed missing functionality for SHA-224, SHA-256, SHA-384,
3550 SHA-512 in rsa_pkcs1_sign()
3552 = Version 0.11.0 released on 2009-05-03
3556 * Added support for SHA-224, SHA-256, SHA-384 and SHA-512
3566 * Made definition of net_htons() endian-clean for big endian
3570 * Fixed an off-by-one buffer allocation in ssl_set_hostname()
3575 * Fixed compatibility of XTEA and Camellia on a 64-bit system
3578 = Version 0.10.0 released on 2009-01-12
3590 = Version 0.9 released on 2008-03-16
3596 be sent twice in non-blocking mode when send returns EAGAIN
3599 * Added user-defined callback debug function (Krystian Kolodziej)
3605 output data is non-aligned by falling back to the software
3606 implementation, as VIA Nehemiah cannot handle non-aligned buffers
3608 Robson-Garth; some x509write.c fixes by Pascal Vizeli, thanks to
3617 * Updated rsa_check_privkey() to verify that (D*E) = 1 % (P-1)*(Q-1)
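Added example, not mbed TLS code, serving two entries on this page: the private-key consistency check described here (D*E == 1 mod (P-1)*(Q-1)) and the thread-safe RSA blinding change in the 1.2.10 entry above. It uses toy 64-bit RSA with two 31-bit primes so the arithmetic is visible without a bignum library; all names are mine, the message and seed are constructed, and the `unsigned __int128` type is a GCC/Clang extension assumed to be available. The blinding routine derives a fresh r per call rather than caching a blinding pair in the key context and updating it in place, which is the design point behind "slower but thread-safe".

```c
#include <stdint.h>
#include <stdio.h>

typedef unsigned __int128 u128;   /* GCC/Clang extension, assumed available */

static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t m)
{
    return (uint64_t)(((u128)a * b) % m);
}

static uint64_t powmod(uint64_t base, uint64_t exp, uint64_t m)
{
    uint64_t r = 1;
    base %= m;
    while (exp) {
        if (exp & 1) r = mulmod(r, base, m);
        base = mulmod(base, base, m);
        exp >>= 1;
    }
    return r;
}

/* Modular inverse by extended Euclid; returns 0 when gcd(a, m) != 1.
 * Intermediate values stay below m, which is under 2^63 here. */
static uint64_t invmod(uint64_t a, uint64_t m)
{
    int64_t t = 0, newt = 1, r = (int64_t)m, newr = (int64_t)(a % m);
    while (newr != 0) {
        int64_t q = r / newr, tmp;
        tmp = t - q * newt; t = newt; newt = tmp;
        tmp = r - q * newr; r = newr; newr = tmp;
    }
    if (r != 1) return 0;
    return (uint64_t)(t < 0 ? t + (int64_t)m : t);
}

typedef struct { uint64_t n, e, d, p, q; } rsa_toy_key;

/* Two 31-bit primes (2^31 - 1 and 2^31 - 19), so n fits in 64 bits. */
int rsa_toy_keygen(rsa_toy_key *k)
{
    k->p = 2147483647ULL;
    k->q = 2147483629ULL;
    k->e = 65537;
    k->n = k->p * k->q;
    k->d = invmod(k->e, (k->p - 1) * (k->q - 1));
    return k->d != 0;
}

/* The check from this entry: D*E == 1 mod (P-1)*(Q-1), plus N == P*Q.
 * Caveat: RFC 8017 states validity with lcm(P-1, Q-1), so a key that is
 * valid under lcm can fail this stricter phi-based test. */
int rsa_toy_check_privkey(const rsa_toy_key *k)
{
    if (k->p < 2 || k->q < 2 || k->n != k->p * k->q) return 0;
    return mulmod(k->d, k->e, (k->p - 1) * (k->q - 1)) == 1;
}

/* Unblinded private operation: d acts directly on the attacker-chosen m. */
uint64_t rsa_toy_private(const rsa_toy_key *k, uint64_t m)
{
    return powmod(m, k->d, k->n);
}

/* Blinded private operation: (m * r^e)^d * r^-1 == m^d (mod n). A fresh r is
 * derived per call from `seed` (an LCG standing in for CSPRNG output, NOT a
 * CSPRNG) instead of being cached in the key context and squared in place;
 * that shared mutable state is what needs a lock when contexts are shared. */
uint64_t rsa_toy_private_blinded(const rsa_toy_key *k, uint64_t m, uint64_t seed)
{
    uint64_t r, r_inv;
    do {
        seed = seed * 6364136223846793005ULL + 1442695040888963407ULL;
        r = seed % k->n;
        r_inv = r > 1 ? invmod(r, k->n) : 0;
    } while (r_inv == 0);
    uint64_t blinded = mulmod(m, powmod(r, k->e, k->n), k->n);
    return mulmod(powmod(blinded, k->d, k->n), r_inv, k->n);
}

/* Ties the pieces together; returns 1 only if every check passed. */
int rsa_toy_selftest(void)
{
    rsa_toy_key k, bad;
    if (!rsa_toy_keygen(&k) || !rsa_toy_check_privkey(&k)) return 0;
    bad = k; bad.d += 1;                        /* corrupted private exponent */
    if (rsa_toy_check_privkey(&bad)) return 0;
    uint64_t m = 0x1234567890abcdefULL % k.n;  /* constructed message */
    uint64_t s = rsa_toy_private_blinded(&k, m, 0xdeadbeefULL);
    if (s != rsa_toy_private(&k, m)) return 0;
    return powmod(s, k.e, k.n) == m;           /* public operation inverts it */
}

int main(void)
{
    printf("rsa toy selftest: %s\n", rsa_toy_selftest() ? "ok" : "FAILED");
    return 0;
}
```

The cost of the per-call approach is one modular inverse and one public exponentiation on top of the private exponentiation, which is the "slower" half of the trade; the benefit is that nothing in the key context is written during a private operation.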
3618 * Disabled obsolete hash functions by default (MD2, MD4); updated
3619 selftest and benchmark to not test ciphers that have been disabled
3622 * Fixed a critical denial-of-service with X.509 cert. verification:
3625 * Added test vectors for: AES-CBC, AES-CFB, DES-CBC and 3DES-CBC,
3626 HMAC-MD5, HMAC-SHA1, HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512
3627 * Fixed HMAC-SHA-384 and HMAC-SHA-512 (thanks to Josh Sinykin)
3630 as the Klima-Pokorny-Rosa extension of Bleichenbacher's attack
3631 * Updated rsa_gen_key() so that ctx->N is always nbits in size
3635 = Version 0.8 released on 2007-10-20
3643 * Added user-defined callbacks for handling I/O and sessions
3647 * Added AES-CFB mode of operation, contributed by chmike
3651 * Updated ssl_read() to skip 0-length records from OpenSSL
3653 * Fixed a bug in mpi_read_binary() on 64-bit platforms
3660 = Version 0.7 released on 2007-07-07
3662 * Added support for the MicroBlaze soft-core processor
3664 connections from being established with non-blocking I/O
3668 * Added the SHA-224, SHA-384 and SHA-512 hash functions
3673 * Rewrote README.txt in program/ssl/ca to better explain
3676 = Version 0.6 released on 2007-04-01
3678 * Ciphers used in SSL/TLS can now be disabled at compile
3682 * Added multiply assembly code for 64-bit PowerPCs,
3686 * Fixed "long long" compilation issues on IA-64 and PPC64
3687 * Fixed a bug introduced in xyssl-0.5/timing.c: hardclock
3690 = Version 0.5 released on 2007-03-01
3693 * Added (beta) support for non-blocking I/O operations
3696 (thanks to Benjamin Newman), HP-UX, FreeBSD and Solaris
3701 = Version 0.4 released on 2007-02-01
3703 * Added support for Ephemeral Diffie-Hellman key exchange
3714 = Version 0.3 released on 2007-01-01
3716 * Added server-side SSLv3 and TLSv1.0 support
3725 = Version 0.2 released on 2006-12-01
3736 the Miller-Rabin primality test
3740 who maintains the Debian package :-)
3742 = Version 0.1 released on 2006-11-01