Lines Matching +full:ipv4 +full:- +full:config +full:- +full:causing +full:- +full:fallback +full:- +full:to +full:- +full:tcp
3 = mbed TLS 3.1.0 branch released 2021-12-17
7 Alternative GCM implementations are expected to verify
8 the length of the provided output buffers and to return the
15 POSIX/Unix-like platforms.
18 * Sign-magnitude and one's complement representations for signed integers are
37 supported on GCC-like compilers and on MSVC and can be configured through
41 MBEDTLS_CHECK_RETURN_WARNING to get warnings for other functions. This
43 extended to other modules in the future.
46 * Add support for CCM*-no-tag cipher to the PSA.
47 Currently only 13-byte long IV's are supported.
48 For decryption a minimum of 16-byte long input is expected.
49 These restrictions may be subject to change.
51 * Add functions to get the IV and block size from cipher_info structs.
52 * Add functions to check if a cipher supports variable IV or key size.
53 * Add the internal implementation of and support for CCM to the PSA multipart
56 protocol. See docs/architecture/tls13-support.md for the definition of
60 to select the 1.3 version of the protocol to establish a TLS connection.
64 * Zeroize several intermediate variables used to calculate the expected
68 man-in-the-middle to inject fake ciphertext into a DTLS connection.
77 * Fix a double-free that happened after mbedtls_ssl_set_session() or
80 and mbedtls_ssl_free() would cause an internal session buffer to
85 * The GNU makefiles invoke python3 in preference to python except on Windows.
86 The check was accidentally not performed when cross-compiling for Windows
98 * Fix mbedtls_cipher_crypt: AES-ECB when MBEDTLS_USE_PSA_CRYPTO is enabled.
99 * Failures of alternative implementations of AES or DES single-block
103 where this function cannot fail, or full-module replacements with
108 * Fix compile-time or run-time errors in PSA
112 psa_aead_finish() and psa_aead_verify() does not apply to the built-in
114 * Move GCM's update output buffer length verification from PSA AEAD to
115 the built-in implementation of the GCM.
116 The requirement for output buffer size to be equal or greater then
117 input buffer size is valid only for the built-in implementation of GCM.
124 PSA_ALG_RSA_PSS_ANY_SALT to accept any salt length. Fixes #4946.
132 not to list other shared libraries they need.
140 pkcs12 functions when the password is empty. Fix the documentation to
141 better describe the inputs to these functions and their possible values.
151 oversight during the run-up to the release of Mbed TLS 3.0.
152 The fields were never intended to be public.
153 * Implement multi-part CCM API.
154 The multi-part functions: mbedtls_ccm_starts(), mbedtls_ccm_set_lengths(),
162 to set a callback, but was deemed unnecessary as it was yet another define
163 to remember when writing tests, or test configurations. Fixes #4653.
164 * Improve the performance of base64 constant-flow code. The result is still
165 slower than the original non-constant-flow implementation, but much faster
166 than the previous constant-flow implementation. Fixes #4814.
167 * Ignore plaintext/ciphertext lengths for CCM*-no-tag operations.
171 ChaCha20-Poly1305 is invalid, and not just unsupported.
173 containing various functions meant to resist timing side channel attacks.
178 * The generated configuration-independent files are now automatically
179 generated by the CMake build system on Unix-like systems. This is not
180 yet supported when cross-compiling.
182 = Mbed TLS 3.0.0 branch released 2021-07-07
191 https://tls.mbed.org/kb/how-to/add-entropy-sources-to-entropy-pool for
193 * Add missing const attributes to API functions.
194 * Remove helpers for the transition from Mbed TLS 1.3 to Mbed TLS 2.0: the
195 header compat-1.3.h and the script rename.pl.
197 Transfer keys and certificates embedded in the library to the test
198 component. This contributes to minimizing library API and discourages
204 which have also been renamed to ecp_internal_alt.h and rsa_alt_helpers.h
208 were not meant to be used in application code have been moved out of
214 * Drop support for TLS record-level compression (MBEDTLS_ZLIB_SUPPORT).
216 * Drop support for single-DES ciphersuites.
218 * Update AEAD output size macros to bring them in line with the PSA Crypto
220 key type used, as well as the key bit-size in the case of
235 when outputting a SHA-384 or SHA-224 hash into a buffer of exactly
237 * Remove the MBEDTLS_TEST_NULL_ENTROPY config option. Fixes #4388.
238 * The interface of the GCM module has changed to remove restrictions on
239 how the input to multipart operations is broken down. mbedtls_gcm_finish()
243 call to mbedtls_gcm_update(), but alternative implementations activated
244 by MBEDTLS_GCM_ALT may delay partial blocks to the next call to
246 no longer pass the associated data to mbedtls_gcm_starts(), but to the
249 * Replace MBEDTLS_SHA512_NO_SHA384 config option with MBEDTLS_SHA384_C.
250 This separates config option enabling the SHA384 algorithm from option
253 This separates config option enabling the SHA224 algorithm from option
256 session-ID based session resumption) has changed to that of
257 a key-value store with keys being session IDs and values
270 which allows to mark an extension as critical. Fixes #4055.
271 * For multi-part AEAD operations with the cipher module, calling
273 was unclear on this point, and this function happened to never do
275 possible to skip calling it, which is no longer supported.
276 * The option MBEDTLS_ECP_FIXED_POINT_OPTIM use pre-computed comb tables
288 key. To use an RSA key with PSS or OAEP, call mbedtls_rsa_set_padding()
313 Raw keys and IVs are no longer passed to the callback.
318 context are now connection-specific.
320 length parameter to be the size of the hash input. For RSA signatures
327 * Implement one-shot cipher functions, psa_cipher_encrypt and
328 psa_cipher_decrypt, according to the PSA Crypto API 1.0.0
330 * Direct access to fields of structures declared in public headers is no
339 * Enable by default the functionalities which have no reason to be disabled.
340 They are: ARIA block cipher, CMAC mode, elliptic curve J-PAKE library and
341 Key Wrapping mode as defined in NIST SP 800-38F. Fixes #4036.
351 bear this in mind and do not add them to backported code.
353 release, some configuration-independent files are now generated at build
358 * Refresh the minimum supported versions of tools to build the
364 compile-time option, which was off by default. Users should not trust
365 certificates signed with SHA-1 due to the known attacks against SHA-1.
366 If needed, SHA-1 certificates can still be verified by using a custom
374 https://lists.trustedfirmware.org/pipermail/mbed-tls/2020-April/000024.html
378 compile-time option. This option has been inactive for a long time.
381 * Remove the following deprecated functions and constants of hex-encoded
399 CBC record splitting, fallback SCSV, and the ability to configure
407 * The RSA module no longer supports private-key operations with the public
409 * Remove the MBEDTLS_SSL_DTLS_BADMAC_LIMIT config.h option. Fixes #4403.
424 * Remove MBEDTLS_ECDH_LEGACY_CONTEXT config option since this was purely for
429 * Remove the MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION config.h
430 option. The mbedtls_x509_crt_parse_der_with_ext_cb() is the way to go for
433 MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE config.h options and let the code
446 MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT config option. Users are better served by
447 using a CCM-8 ciphersuite than a CBC ciphersuite with truncated HMAC.
449 * Remove the compile-time option
453 * Add mbedtls_rsa_rsassa_pss_sign_ext() function allowing to generate a
454 signature with a specific salt length. This function allows to validate
457 * Added support for built-in driver keys through the PSA opaque crypto
458 driver interface. Refer to the documentation of
461 * The multi-part GCM interface (mbedtls_gcm_update() or
462 mbedtls_cipher_update()) no longer requires the size of partial inputs to
464 * The multi-part GCM interface now supports chunked associated data through
465 multiple calls to mbedtls_gcm_update_ad().
471 See docs/architecture/alternative-implementations.md for the remaining
474 query the size of the modulus in a Diffie-Hellman context.
476 Diffie-Hellman context.
477 * Use the new function mbedtls_ecjpake_set_point_format() to select the
484 * Fix a bias in the generation of finite-field Diffie-Hellman-Merkle (DHM)
493 * An adversary with access to precise enough information about memory
496 performing a single private-key operation. Found and reported by
498 * An adversary with access to precise enough timing information (typically, a
499 co-located process) could recover a Curve25519 or Curve448 static ECDH key
501 corresponding private-key operation. Found and reported by Leila Batina,
506 lead to the seed file corruption in case if the path to the seed file is
507 equal to MBEDTLS_PLATFORM_STD_NV_SEED_FILE. Contributed by Victor
511 to create is not valid, bringing them in line with version 1.0.0 of the
513 * Add printf function attributes to mbedtls_debug_print_msg to ensure we
518 * Fix a bug in ECDSA that would cause it to fail when the hash is all-bits
523 mbedtls_mpi_read_string() was called on "-0", or when
529 * In a TLS client, enforce the Diffie-Hellman minimum parameter size
531 minimum size was rounded down to the nearest multiple of 8.
533 defined to specific values. If the code is used in a context
536 be adequate to build Mbed TLS.
540 * The cipher suite TLS-RSA-WITH-CAMELLIA-256-GCM-SHA384 was not available
541 when SHA-1 was disabled and was offered when SHA-1 was enabled but SHA-384
543 * Do not offer SHA384 cipher suites when SHA-384 is disabled. Fixes #4499.
545 Arm Cortex-M. Fixes #4530.
547 directive in a header and a missing initialization in the self-test.
548 * Fix a missing initialization in the Camellia self-test, affecting
550 * Restore the ability to configure PSA via Mbed TLS options to support RSA
552 is not defined PSA will no longer attempt to use mbedtls_rsa_gen_key().
555 (when the encrypt-then-MAC extension is not in use) with some ALT
556 implementations of the underlying hash (SHA-1, SHA-256, SHA-384), causing
557 the affected side to wrongly reject valid messages. Fixes #4118.
558 * Remove outdated check-config.h check that prevented implementing the
567 could notably be triggered by setting the TLS debug level to 3 or above
570 * psa_verify_hash() was relying on implementation-specific behavior of
571 mbedtls_rsa_rsassa_pss_verify() and was causing failures in some _ALT
577 A=0 represented with 0 limbs. Up to and including Mbed TLS 2.26, this bug
581 Credit to OSS-Fuzz. Fixes #4641.
586 read-only lifetime. The persistence level PSA_KEY_PERSISTENCE_READ_ONLY
592 * Fix which alert is sent in some cases to conform to the
596 * Correct (change from 12 to 13 bytes) the value of the macro describing the
601 * Add extra printf compiler warning flags to builds.
603 * Alternative implementations of CMAC may now opt to not support 3DES as a
607 * Remove configs/config-psa-crypto.h, which no longer had any intended
627 * Add CMake package config generation for CMake projects consuming Mbed TLS.
628 * config.h has been split into build_info.h and mbedtls_config.h
629 build_info.h is intended to be included from C code directly, while
630 mbedtls_config.h is intended to be edited by end users wishing to
634 * A config file version symbol, MBEDTLS_CONFIG_VERSION was introduced.
635 Defining it to a particular value will ensure that Mbed TLS interprets
636 the config file in a way that's compatible with the config file format
640 * Various changes to which alert and/or error code may be returned
647 = mbed TLS 2.26.0 branch released 2021-03-08
650 * Renamed the PSA Crypto API output buffer size macros to bring them in line
653 in bits rather than bytes, with an additional flag to indicate if the
654 size may have been rounded up to a whole number of bytes.
655 * Renamed the PSA Crypto API AEAD tag length macros to bring them in line
676 * Automatic fallback to a software implementation of ECP when
679 * The PSA crypto subsystem can now be configured to use less static RAM by
692 minimum MAC or tag length thanks to the new wildcards
701 length, or when the entropy module uses SHA-256 and CTR_DRBG uses AES-256.
702 In such cases, a random nonce was necessary to achieve the advertised
707 |A| - |B| where |B| is larger than |A| and has more limbs (so the
713 mbedtls_pk_write_key_pem(). If MBEDTLS_MPI_MAX_SIZE is set to an odd
714 value the function might fail to write a private RSA keys of the largest
721 making access aceess to them use constant flow code.
724 * Fix use-after-scope error in programs/ssl/ssl_client2.c and ssl_server2.c
735 fail. Such a double-free was not safe when MBEDTLS_THREADING_C was
737 * Fix a resource leak in a bad-arguments case of mbedtls_rsa_gen_key()
740 * Fixes a bug where, if the library was configured to include support for
746 used to validate digital signatures on certificates and MUST mark the
747 extension as critical in such certificates." Previous to this change,
748 the extension was always marked as non-critical. This was fixed by
752 * A new library C file psa_crypto_client.c has been created to contain
758 = mbed TLS 2.25.0 branch released 2020-12-11
761 * The numerical values of the PSA Crypto API macros have been updated to
762 conform to version 1.0.0 of the specification.
768 as they have no way to check if the output buffer is large enough.
770 mbedtls_cipher_auth_decrypt_ext() instead. Credit to OSS-Fuzz and
774 * Update the minimum required CMake version to 2.8.12. This silences a
784 these new functions always append the tag to the ciphertext, and include
791 * Add support for ECB to the PSA cipher API.
795 This is currently non-standard behaviour, but expected to make it into a
797 * Add MBEDTLS_TARGET_PREFIX CMake variable, which is prefixed to the mbedtls,
799 external CMake projects that include this one to avoid CMake target name
802 * Add support for DTLS-SRTP as defined in RFC 5764. Contributed by Johan
804 * In the PSA API, it is no longer necessary to open persistent keys:
806 identical to psa_key_id_t instead of being platform-defined. This bridges
807 the last major gap to compliance with the PSA Cryptography specification
820 of up to 15 bytes, with consequences ranging up to arbitrary code
822 * Limit the size of calculations performed by mbedtls_mpi_exp_mod to
823 MBEDTLS_MPI_MAX_SIZE to prevent a potential denial of service when
824 generating Diffie-Hellman key pairs. Credit to OSS-Fuzz.
828 are implemented. This could cause failures or the silent use of non-random
830 obtain entropy, or due to an internal failure (which, for Mbed TLS's own
831 CTR_DRBG or HMAC_DRBG, can only happen due to a misconfiguration).
834 description part of the cert to the real signature. This meant that a
835 NULL algorithm parameters entry would look identical to an array of REAL
836 (size zero) to the library and thus the certificate would be considered
840 Many thanks to guidovranken who found this issue via differential fuzzing
845 functions to erase sensitive data from memory. Reported by
855 * Fix rsa_prepare_blinding() to retry when the blinding value is not
860 * Use socklen_t on Android and other POSIX-compliant system
861 * Fix the build when the macro _GNU_SOURCE is defined to a non-empty value.
864 sizes (instead of PSA_ERROR_BAD_STATE in some cases) to make the
870 * Fix psa_generate_key() returning an error when asked to generate
872 * Fix psa_key_derivation_output_key() to allow the output of a combined key
873 agreement and subsequent key derivation operation to be used as a key
878 * Fix an off-by-one error in the additional data length check for
879 CCM, which allowed encryption with a non-standard length field.
882 MBEDTLS_MODE_ECB to 0, since ECB mode ciphers don't use IVs.
886 * psa_set_key_id() now also sets the lifetime to persistent for keys located
888 * Attempting to create a volatile key with a non-zero key identifier now
891 * Attempting to create or register a key with a key identifier in the vendor
896 (an error condition) and the second operand was aliased to the result.
897 * Fix a case in elliptic curve arithmetic where an out-of-memory condition
914 * The PSA persistent storage format is updated to always store the key bits
917 specification (docs/architecture/mbed-crypto-storage-specification.md).
920 but spurious and misleading since it looked like a mistaken attempt to
921 zeroize the pointed-to buffer. Reported by Antonio de la Piedra, CEA
924 = mbed TLS 2.24.0 branch released 2020-09-01
927 * In the PSA API, rename the types of elliptic curve and Diffie-Hellman
928 group families to psa_ecc_family_t and psa_dh_family_t, in line with the
931 PSA_ECC_CURVE_xxx renamed to PSA_ECC_FAMILY_xxx
932 PSA_DH_GROUP_xxx renamed to PSA_DH_FAMILY_xxx
933 PSA_KEY_TYPE_GET_CURVE renamed to to PSA_KEY_TYPE_ECC_GET_FAMILY
934 PSA_KEY_TYPE_GET_GROUP renamed to PSA_KEY_TYPE_DH_GET_FAMILY
942 * The new function mbedtls_ecp_write_key() exports private ECC keys back to
945 -Wformat-signedness, and fix the code that causes signed-one-bit-field
946 and sign-compare warnings. Contributed by makise-homura (Igor Molchanov)
953 subjecAltName extension is present, the expected name was compared to any
955 attacker could for example impersonate a 4-bytes or 16-byte domain by
956 getting a certificate for the corresponding IPv4 or IPv6 (this would
957 require the attacker to control that IP address, though). Similar attacks
961 its revocationDate was in the past according to the local clock if
964 MBEDTLS_HAVE_TIME_DATE, an attacker able to control the local clock (for
971 Encrypt-then-Mac extension, use constant code flow memory access patterns
972 to extract and check the MAC. This is an improvement to the existing
974 effective against network-based attackers, but less so against local
976 if they have access to fine-grained measurements. In particular, this
980 * Fix side channel in RSA private key operations and static (finite-field)
981 Diffie-Hellman. An adversary with precise enough timing and memory access
983 enclave) could bypass an existing counter-measure (base blinding) and
985 * Fix a 1-byte buffer overread in mbedtls_x509_crl_parse_der().
986 Credit to OSS-Fuzz for detecting the problem and to Philippe Antoine
988 * Zeroising of plaintext buffers in mbedtls_ssl_read() to erase unused
995 * Use local labels in mbedtls_padlock_has_support() to fix an invalid symbol
1000 Montgomery keys in little-endian as defined by RFC7748. Contributed by
1003 curves. Raised by signpainter in #941 and by Taiki-San in #1412. This
1005 * Fix self-test failure when the only enabled short Weierstrass elliptic
1017 * Only pass -Wformat-signedness to versions of GCC that support it. Reported
1020 previously could lead to stack overflow on constrained devices.
1024 * Update copyright notices to use Linux Foundation guidance. As a result,
1027 eliminates the need for the lines declaring the files to be part of
1029 * Add the command line parameter key_pwd to the ssl_client2 and ssl_server2
1030 example applications which allows to provide a password for the key file
1032 these applications with password-protected key files. Analogously but for
1033 ssl_server2 only, add the command line parameter key_pwd2 which allows to
1037 = mbed TLS 2.23.0 branch released 2020-07-01
1041 key lifetimes to encode a persistence level and the location. Although C
1043 psa_register_se_driver() must be modified to pass the driver's location
1050 high- and low-level error codes, complementing mbedtls_strerror()
1054 * The new utility programs/ssl/ssl_context_info prints a human-readable
1060 a solution to #3241.
1061 * Pass the "certificate policies" extension to the callback supplied to
1064 * Added support to entropy_poll for the kern.arandom syscall supported on
1071 Ming-Wei Shih, Prasun Gera, Taesoo Kim and Hyesoon Kim (Georgia Institute
1078 f_rng argument. An attacker with access to precise enough timing and
1082 * Fix issue in Lucky 13 counter-measure that could make it ineffective when
1084 macros). This would cause the original Lucky 13 attack to be possible in
1085 those configurations, allowing an active network attacker to recover
1094 pathLenConstraint basic constraint value is equal to INT_MAX.
1096 behavior, so this is unlikely to be exploitable anywhere. #3192
1098 due to shadowed variable. Contributed by Sander Visser in #3310.
1102 mbedtls_gcc_group_to_psa(). This allows the pk.c module to link separately
1114 * Set _POSIX_C_SOURCE to at least 200112L in C99 code. Reported in #3420 and
1118 * Fix false positive uninitialised variable reported by cpp-check.
1127 clean of -Wformat-signedness warnings. Contributed by Kenneth Soerensen
1136 * Unify the example programs termination to call mbedtls_exit() instead of
1137 using a return command. This has been done to enable customization of the
1139 * Fix mbedtls_x509_dn_gets to escape non-ASCII characters as "?".
1145 buffer is not large enough to hold the ClientHello.
1151 `MBEDTLS_CTR_DRBG_C` or `MBEDTLS_HMAC_DRBG_C` for some side-channel
1160 = mbed TLS 2.22.0 branch released 2020-04-14
1167 mbedtls_ssl_get_input_max_frag_len() to be more precise about which max
1172 (RFC 6347 section 4.2.8): an attacker able to send forged UDP packets to
1173 the server could cause it to drop established associations with
1175 happen when MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE was enabled in config.h
1177 * Fix side channel in ECC code that allowed an adversary with access to
1179 untrusted operating system attacking a secure enclave) to fully recover
1181 Billy Brumley and Cesar Pereida Garcia. CVE-2020-10932
1203 mbedtls_ssl_get_input_max_frag_len() to ensure that a sufficient input
1207 = mbed TLS 2.21.0 branch released 2020-02-20
1213 * Deprecate for MBEDTLS_PKCS11_C, the wrapper around the pkcs11-helper
1214 library which allows TLS authentication to use keys stored in a
1220 probability (of the order of 2^-n where n is the bitsize of the curve)
1224 * To avoid a side channel vulnerability when parsing an RSA private key,
1228 ARMmbed/mbed-crypto#352
1231 * The new build option MBEDTLS_SHA512_NO_SHA384 allows building SHA-512
1232 support without SHA-384.
1241 PSA_ECC_CURVE_SECP_R1 with 256 bits is P256R1). ARMmbed/mbed-crypto#330
1244 * Fix an unchecked call to mbedtls_md() in the x509write module.
1247 * Fix some false-positive uninitialized variable warnings in X.509. Fix
1248 contributed by apple-ihack-geek in #2663.
1250 a cryptographic accelerator fails. ARMmbed/mbed-crypto#345
1251 * Fix a bug in mbedtls_pk_parse_key() that would cause it to accept some
1253 keys. Found by Catena cyber using oss-fuzz (issue 20467).
1254 * Fix a bug in mbedtls_pk_parse_key() that would cause it to
1257 = mbed TLS 2.20.0 branch released 2020-01-15
1260 * The initial seeding of a CTR_DRBG instance makes a second call to the
1261 entropy function to obtain entropy for a nonce if the entropy size is less
1262 than 3/2 times the key size. In case you want to disable the extra call to
1263 grab entropy, you can call mbedtls_ctr_drbg_set_nonce_len() to force the
1264 nonce length to 0.
1275 these variables can be used to recover the last round key. To follow best
1276 practice and to limit the impact of buffer overread vulnerabilities (like
1277 Heartbleed) we need to zeroize them before exiting the function.
1284 to have only large prime factors), and then, by brute force, recover the
1287 timings on the comparison in the key generation enabled the attacker to
1288 learn leading bits of the ephemeral key used during ECDSA signatures and to
1300 to achieve the security strength defined by NIST SP 800-90A. You can
1302 * Add ENUMERATED tag support to the ASN.1 module. Contributed by
1303 msopiha-linaro in ARMmbed/mbed-crypto#307.
1306 * In the PSA API, forbid zero-length keys. To pass a zero-length input to a
1309 * Rename psa_asymmetric_sign() to psa_sign_hash() and
1310 psa_asymmetric_verify() to psa_verify_hash().
1320 unsupported algorithm. Fixes ARMmbed/mbed-crypto#254.
1321 * Fix mbedtls_asn1_get_int to support any number of leading zeros. Credit
1322 to OSS-Fuzz for finding a bug in an intermediate version of the fix.
1323 * Fix mbedtls_asn1_get_bitstring_null to correctly parse bitstrings of at
1330 * Remove the technical possibility to define custom mbedtls_md_info
1334 * Variables containing error codes are now initialized to an error code
1335 rather than success, so that coding mistakes or memory corruption tends to
1336 cause functions to return this error code rather than a success. There are
1338 merely a robustness improvement. ARMmbed/mbed-crypto#323
1339 * Remove a useless call to mbedtls_ecp_group_free(). Contributed by
1340 Alexander Krizhanovsky in ARMmbed/mbed-crypto#210.
1342 Lloyd and Fortanix Inc in ARMmbed/mbed-crypto#277.
1344 Alexander Krizhanovsky in ARMmbed/mbed-crypto#308.
1346 = mbed TLS 2.19.1 branch released 2019-09-16
1349 * Declare include headers as PUBLIC to propagate to CMake project consumers
1351 * Add nss_keylog to ssl_client2 and ssl_server2, enabling easier analysis of
1360 * Fix some false-positive uninitialized variable warnings in crypto. Fix
1361 contributed by apple-ihack-geek in #2663.
1363 = mbed TLS 2.19.0 branch released 2019-09-06
1371 as an ASN.1 INTEGER, which caused the size of the key to leak
1372 about 1 bit of information on average and could cause the value to be
1374 * The deterministic ECDSA calculation reused the scheme's HMAC-DRBG to
1382 mbedtls_ssl_session_load() to allow serializing a session, for example to
1383 store it in non-volatile storage, and later using it for TLS session
1385 * Add a new API function mbedtls_ssl_check_record() to allow checking that
1388 The feature is enabled at compile-time by MBEDTLS_SSL_RECORD_CHECKING
1391 (https://project-everest.github.io/). It can be enabled at compile time
1394 (32-bit and 64-bit) using GCC, Clang or Visual Studio. Contributed by
1402 * Add DER-encoded test CRTs to library/certs.c, allowing
1403 the example programs ssl_server2 and ssl_client2 to be run
1409 mbedtls_ecdh_can_do() on each result to check whether each algorithm is
1411 * The new function mbedtls_ecdsa_sign_det_ext() is similar to
1423 lead to successful parsing of ill-formed X.509 CRTs. Fixes #2437.
1424 * Fix multiple X.509 functions previously returning ASN.1 low-level error
1425 codes to always wrap these codes into X.509 high level error codes before
1427 * Fix to allow building test suites with any warning that detects unused
1429 * Fix typo in net_would_block(). Fixes #528 reported by github-monoculture.
1441 in mbedtls_x509write_crt_der() to 2Kb. Reported by soccerGB in #2631.
1443 * Update test certificates that were about to expire. Reported by
1445 * Fix the build on ARMv5TE in ARM mode to not use assembly instructions
1449 This could previously lead to segmentation faults in builds using an
1450 address-sanitizer and enabling but not using MBEDTLS_ECP_RESTARTABLE.
1453 * Improve code clarity in x509_crt module, removing false-positive
1456 * Fix bug in endianness conversion in bignum module. This lead to
1461 * Replace multiple uses of MD2 by SHA-256 in X.509 test suite. Fixes #821.
1462 * Make it easier to define MBEDTLS_PARAM_FAILED as assert (which config.h
1465 * Add a Dockerfile and helper scripts (all-in-docker.sh, basic-in-docker.sh,
1466 docker-env.sh) to simplify running test suites on a Linux host. Contributed
1468 * Add `reproducible` option to `ssl_client2` and `ssl_server2` to enable
1471 * Extended .gitignore to ignore Visual Studio artifacts. Fixed by ConfusedSushi.
1472 * Adds fuzz targets, especially for continuous fuzzing with OSS-Fuzz.
1478 = mbed TLS 2.18.1 branch released 2019-07-12
1488 = mbed TLS 2.18.0 branch released 2019-06-11
1493 * It is now possible to use NIST key wrap mode via the mbedtls_cipher API.
1495 * Add the Wi-SUN Field Area Network (FAN) device extended key usage.
1497 * It is now possible to perform RSA PKCS v1.5 signatures with RIPEMD-160 digest.
1499 * Extend the MBEDTLS_SSL_EXPORT_KEYS to export the handshake randbytes,
1500 and the used tls-prf.
1501 * Add public API for tls-prf function, according to requested enum.
1510 * Add support for draft-05 of the Connection ID extension, as specified
1511 in https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05.
1512 The Connection ID extension allows to keep DTLS connections beyond the
1514 to the DTLS record header. This identifier can be used to associated an
1516 changed its IP or port. The feature is enabled at compile-time by setting
1517 MBEDTLS_SSL_DTLS_CONNECTION_ID (disabled by default), and at run-time
1522 * Extend the MBEDTLS_SSL_EXPORT_KEYS to export the handshake randbytes,
1523 and the used tls-prf.
1524 * Add public API for tls-prf function, according to requested enum.
1533 * Fix 1-byte buffer overflow in mbedtls_mpi_write_string() when
1534 used with negative inputs. Found by Guido Vranken in #2404. Credit to
1535 OSS-Fuzz.
1541 * Add psa_util.h to test/cpp_dummy_build to fix build_default_make_gcc_and_cxx.
1544 public macro MBEDTLS_X509_ID_FLAG. This could lead to invalid evaluation
1549 * Set the next sequence of the subject_alt_name to NULL when deleting
1551 Credit to OSS-Fuzz.
1554 * Server's RSA certificate in certs.c was SHA-1 signed. In the default
1555 mbedTLS configuration only SHA-2 signed certificates are accepted.
1557 client programs to fail at the peer's certificate verification
1558 due to an unacceptable hash signature. The certificate has been
1559 updated to one that is SHA-256 signed. Fix contributed by
1565 * Add test for minimal value of MBEDTLS_MPI_WINDOW_SIZE to all.sh.
1567 * Change wording in the `mbedtls_ssl_conf_max_frag_len()`'s documentation to
1570 = mbed TLS 2.17.0 branch released 2019-03-19
1574 which allows copy-less parsing of DER encoded X.509 CRTs,
1577 * Add a new function mbedtls_asn1_write_named_bitstring() to write ASN.1
1579 * Add MBEDTLS_REMOVE_3DES_CIPHERSUITES to allow removing 3DES ciphersuites
1586 * Allow to opt in to the removal the API mbedtls_ssl_get_peer_cert()
1587 for the benefit of saving RAM, by disabling the new compile-time
1596 belongs to a different group from the first. Before, if an application
1597 passed keys that belonged to different group, the first key's data was
1598 interpreted according to the second group, which could lead to either
1608 previously lead to a stack overflow on constrained targets.
1613 * Remove the mbedtls namespacing from the header file, to fix a "file not found"
1615 * Fix signed-to-unsigned integer conversion warning
1620 (e.g. config.h.bak). Fixed by Peter Kolbus (Garmin) #2407.
1624 extensions in CSRs and CRTs that caused these bitstrings to not be encoded
1637 * Provide an abstraction of vsnprintf to allow alternative implementations
1641 Previously, this could lead to functionally incorrect assembly being
1647 * Fix configuration queries in ssl-opt.h. #2030
1648 * Ensure that ssl-opt.h can be run in OS X. #2029
1649 * Re-enable certain interoperability tests in ssl-opt.sh which had previously
1654 = mbed TLS 2.16.0 branch released 2018-12-21
1657 * Add a new config.h option of MBEDTLS_CHECK_PARAMS that enables validation
1662 function to see for which parameter values it is defined. This feature is
1663 disabled by default. See its API documentation in config.h for additional
1664 steps you have to take when enabling it.
1669 the return type from void to int to allow returning error codes when
1672 mbedtls_ctr_drbg_update() -> mbedtls_ctr_drbg_update_ret()
1673 mbedtls_hmac_drbg_update() -> mbedtls_hmac_drbg_update_ret()
1674 * Extend ECDH interface to enable alternative implementations.
1677 the more generic per-module error codes MBEDTLS_ERR_xxx_BAD_INPUT_DATA.
1679 modules - AES, ARIA, Blowfish, CAMELLIA, CCM, GCM, DHM, ECP, ECDSA, ECDH,
1701 This could lead to a buffer overflow, but only in case ticket authentication
1703 * Add explicit integer to enumeration type casts to example program
1704 programs/pkey/gen_key which previously led to compilation failure
1711 = mbed TLS 2.15.1 branch released 2018-11-30
1714 * Update the Mbed Crypto submodule to version 0.1.0b2.
1716 = mbed TLS 2.15.0 branch released 2018-11-23
1719 * Add an experimental build option, USE_CRYPTO_SUBMODULE, to enable use of
1721 * Add an experimental configuration option, MBEDTLS_PSA_CRYPTO_C, to enable
1726 * Add unit tests for AES-GCM when called through mbedtls_cipher_auth_xxx()
1729 = mbed TLS 2.14.1 branch released 2018-11-30
1733 decryption that could lead to a Bleichenbacher-style padding oracle
1740 in the paper available here: http://cat.eyalro.net/cat.pdf CVE-2018-19608
1753 mbedtls_hmac_drbg_update_ret() are similar to mbedtls_ctr_drbg_update()
1758 = mbed TLS 2.14.0 branch released 2018-11-19
1761 * Fix overly strict DN comparison when looking for CRLs belonging to a
1762 particular CA. This previously led to ignoring CRLs when the CRL's issuer
1769 space and a PSK-(EC)DHE ciphersuite was used, this allowed an attacker
1770 to trigger a memory access up to 64KiB beyond the incoming message buffer,
1771 potentially leading to an application crash or information disclosure.
1772 * Fix mbedtls_mpi_is_prime() to use more rounds of probabilistic testing. The
1774 adversary to construct non-primes that would be erroneously accepted as
1778 For example, the number of rounds was enough to securely generate RSA key
1779 pairs or Diffie-Hellman parameters, but was insufficient to validate
1780 Diffie-Hellman parameters properly.
1786 some configurable amount of operations. This is intended to be used in
1787 constrained, single-threaded systems where ECC is time consuming and can
1790 configured by mbedtls_ecp_set_max_ops() at runtime. It applies to the new
1792 yet), and to existing functions in ECDH and SSL (currently only
1793 implemented client-side, for ECDHE-ECDSA ciphersuites in TLS 1.2,
1795 * Add support for Arm CPU DSP extensions to accelerate asymmetric key
1799 * Extend RSASSA-PSS signature to allow a smaller salt size. Previously, PSS
1801 an error if this was not possible. Now the salt size may be up to two bytes
1802 shorter. This allows the library to support all hash and signature sizes
1803 that comply with FIPS 186-4, including SHA-512 with a 1024-bit key.
1804 * Add support for 128-bit keys in CTR_DRBG. Note that using keys shorter
1805 than 256 bits limits the security of generated material to 128 bits.
1823 Miller-Rabin rounds.
1827 application leading to a memory leak in case both
1835 which lead to accepting properly authenticated but improperly
1836 padded records in case of CBC ciphersuites using Encrypt-then-MAC.
1845 * Change the default string format used for various X.509 DN attributes to
1846 UTF8String. Previously, the use of the PrintableString format led to
1847 wildcards and non-ASCII characters being unusable in some DN attributes.
1849 Thomas-Dee.
1853 Reported by ole-de and ddhome2006. Fixes #882, #1642 and #1706.
1861 * Change the dtls_client and dtls_server samples to work by default over
1862 IPv6 and optionally by a build option over IPv4.
1863 * Change the use of Windows threading to use Microsoft Visual C++ runtime
1864 calls, rather than Win32 API calls directly. This is necessary to avoid
1868 string format (mostly PrintableString), which could lead to CRTs being
1873 Thomas-Dee.
1875 Fixes #517 reported by github-monoculture.
1876 * Add MBEDTLS_MPI_GEN_PRIME_FLAG_LOW_ERR flag to mbedtls_mpi_gen_prime() and
1877 use it to reduce error probability in RSA key generation to levels mandated
1878 by FIPS-186-4.
1880 = mbed TLS 2.13.1 branch released 2018-09-06
1884 whose implementation should behave as a thread-safe version of gmtime().
1885 This allows users to configure such an implementation at compile time when
1887 MBEDTLS_PLATFORM_GMTIME_R_ALT. At this stage Mbed TLS is only able to
1894 = mbed TLS 2.13.0 branch released 2018-08-31
1897 * Fix an issue in the X.509 module which could lead to a buffer overread
1899 input (extensions length field equal to 0), an illegal read of one byte
1905 with the peer, as well as by a new per-connection MTU option, set using
1907 * Add support for auto-adjustment of MTU to a safe value during the
1912 * Add support for buffering out-of-order handshake messages in DTLS.
1914 compile-time constant MBEDTLS_SSL_DTLS_MAX_BUFFERING defined
1915 in mbedtls/config.h.
1918 * Add function mbedtls_ssl_set_datagram_packing() to configure
1923 failure in the function could lead to other buffers being leaked.
1929 This improves compliance to RFC 4492, and as a result, solves
1933 * Fix potential use-after-free in mbedtls_ssl_get_max_frag_len()
1935 * Fix a bug that caused SSL/TLS clients to incorrectly abort the handshake
1937 without providing a list of CAs. This was due to an overly strict bounds
1944 (found by Catena cyber using oss-fuzz)
1956 * Add support for buffering of out-of-order handshake messages.
1957 * Add warnings to the documentation of the HKDF module to reduce the risk
1961 = mbed TLS 2.12.0 branch released 2018-07-25
1964 * Fix a vulnerability in TLS ciphersuites based on CBC and using SHA-384,
1965 in (D)TLS 1.0 to 1.2, that allowed an active network attacker to
1972 or CCM instead of CBC, using hash sizes other than SHA-384, or using
1973 Encrypt-then-Mac (RFC 7366) were not affected. The vulnerability was
1974 caused by a miscalculation (for SHA-384) in a countermeasure to the
1977 * Fix a vulnerability in TLS ciphersuites based on CBC, in (D)TLS 1.0 to
1978 1.2, that allowed a local attacker, able to execute code on the local
1979 machine as well as manipulate network packets, to partially recover the
1985 instead of CBC or using Encrypt-then-Mac (RFC 7366) were not affected.
1987 * Add a counter-measure against a vulnerability in TLS ciphersuites based
1988 on CBC, in (D)TLS 1.0 to 1.2, that allowed a local attacker, able to
1990 to partially recover the plaintext of messages under some conditions (see
1993 Encrypt-then-Mac (RFC 7366) were not affected. Found by Kenny Paterson,
1997 * Add new crypto primitives from RFC 7539: stream cipher Chacha20, one-time
1998 authenticator Poly1305 and AEAD construct Chacha20-Poly1305. Contributed
2000 * Add support for CHACHA20-POLY1305 ciphersuites from RFC 7905.
2001 * Add platform support for the Haiku OS. (https://www.haiku-os.org).
2009 NIST SP 800-38F algorithms KW and KWP and by RFC 3394 and RFC 5649.
2018 * Clarify documentation for mbedtls_ssl_write() to include 0 as a valid
2026 * Added length checks to some TLS parsing functions. Found and fixed by
2036 CBC based ciphersuite is used together with Encrypt-then-MAC. Previously,
2038 to the connection being terminated. Seen most often with OpenSSL using
2041 * Fix ssl_client2 example to send application data with 0-length content
2042 when the request_size argument is set to 0 as stated in the documentation.
2046 * Fix build using -std=c99. Fixed by Nick Wilson.
2050 zero-length messages when using TLS 1.2. Contributed by Espressif Systems.
2051 * Change the default behaviour of mbedtls_hkdf_extract() to return an error
2052 when calling with a NULL salt and non-zero salt_len. Contributed by
2054 * Change the shebang line in Perl scripts to look up perl in the PATH.
2056 * Allow overriding the time on Windows via the platform-time abstraction.
2058 * Use gmtime_r/gmtime_s for thread-safety. Fixed by Nick Wilson.
2060 = mbed TLS 2.11.0 branch released 2018-06-18
2063 * Add additional block mode, OFB (Output Feedback), to the AES module and
2065 * Implement the HMAC-based extract-and-expand key derivation function
2068 * Add support for the XTS block cipher mode with AES (AES-XTS).
2070 * In TLS servers, support offloading private key operations to an external
2071 cryptoprocessor. Private key operations can be asynchronous to allow
2072 non-blocking operation of the TLS server stack.
2075 * Fix the cert_write example to handle certificates signed with elliptic
2077 * Fix for redefinition of _WIN32_WINNT to avoid overriding a definition
2084 * Changed CMake defaults for IAR to treat all compiler warnings as errors.
2085 * Changed the Clang parameters used in the CMake build files to work for
2089 = mbed TLS 2.10.0 branch released 2018-06-06
2093 (RFC 6209). Disabled by default, see MBEDTLS_ARIA_C in config.h
2100 point of view. mbedtls_platform_zeroize() needs to be regularly tested
2101 against compilers to ensure that calls to it are not removed from the
2103 Therefore, mbedtls_platform_zeroize() is moved to the platform module to
2107 * Fix an issue with MicroBlaze support in bn_mul.h which was causing the
2108 build to fail. Found by zv-io. Fixes #1651.
2111 * Support TLS testing in out-of-source builds using cmake. Fixes #1193.
2115 = mbed TLS 2.9.0 branch released 2018-04-30
2118 * Fix an issue in the X.509 module which could lead to a buffer overread
2119 during certificate validation. Additionally, the issue could also lead to
2120 unnecessary callback checks being made or to some validation checks to be
2122 would require a non DER-compliant certificate to be correctly signed by a
2123 trusted CA, or a trusted CA with a non DER-compliant certificate. Found by
2126 function which led to an arbitrary overread of the message buffer. The
2131 * Fix a client-side bug in the validation of the server's ciphersuite choice
2132 which could potentially lead to the client accepting a ciphersuite it didn't
2134 chosen by the server. This could lead to corruption of internal data
2138 * Add an option, MBEDTLS_AES_FEWER_TABLES, to dynamically compute smaller AES
2147 * Extend the public API with the function of mbedtls_net_poll() to allow user
2148 applications to wait for a network context to become ready before reading
2150 * Add function mbedtls_ssl_check_pending() to the public API to allow
2151 a check for whether more more data is pending to be processed in the
2153 This function is necessary to determine when it is safe to idle on the
2154 underlying transport in case event-driven IO is used.
2159 * Add missing dependencies in test suites that led to build failures
2160 in configurations that omit certain hashes or public-key algorithms.
2170 unable to parse keys which had only the optional parameters field of the
2175 * Fix overriding and ignoring return values when parsing and writing to
2177 * Restrict usage of error code MBEDTLS_ERR_SSL_WANT_READ to situations
2178 where data needs to be fetched from the underlying transport in order
2179 to make progress. Previously, this error code was also occasionally
2181 further messages could potentially already be pending to be processed
2182 in the internal buffers; these cases led to deadlocks when event-driven
2185 function which leads to a potential one byte overread of the message
2187 * Fix invalid buffer sizes passed to zlib during record compression and
2189 * Fix the soversion of libmbedcrypto to match the soversion of the
2191 version 2.7.1 to reflect breaking changes in that release, but the
2199 public-key algorithms. Includes contributions by Gert van Dijk.
2218 * Add an option in the Makefile to support ar utilities where the operation
2219 letter must not be prefixed by '-', such as LLVM. Found and fixed by
2229 HMAC functions with non-HMAC ciphersuites. Independently contributed
2232 FIPS 186-4. Contributed by Jethro Beekman. #1380
2236 not need to copy the declarations, and ensures that they will have the
2240 = mbed TLS 2.8.0 branch released 2018-03-16
2243 * The truncated HMAC extension now conforms to RFC 6066. This means
2247 prior versions of Mbed TLS. To restore the old behavior, enable
2249 config.h. Found by Andreas Walz (ivESK, Offenburg University of
2257 * Verify results of RSA private key operations to defend
2263 * Fix CRL parsing to reject CRLs containing unsupported critical
2270 uses PBKDF2-SHA2, such as OpenSSL 1.1. Submitted by Antonio Quartulli,
2281 * Fix test_suite_pk to work on 64-bit ILP32 systems. #849
2282 * Fix mbedtls_x509_crt_profile_suiteb, which used to reject all certificates
2302 that could cause a key exchange to fail on valid data.
2304 could cause a key exchange to fail on valid data.
2307 * Fix a 1-byte heap buffer overflow (read-only) during private key parsing.
2315 * MD functions deprecated in 2.7.0 are no longer inline, to provide
2321 = mbed TLS 2.7.0 branch released 2018-02-03
2326 sending a malicious application packet could be used to selectively corrupt
2327 6 bytes on the peer's heap, which could potentially lead to crash or remote
2329 both TLS and DTLS. CVE-2018-0488
2330 * Fix a buffer overflow in RSA-PSS verification when the hash was too large
2331 for the key size, which could potentially lead to crash or remote code
2333 Qualcomm Technologies Inc. CVE-2018-0487
2334 * Fix buffer overflow in RSA-PSS verification when the unmasked data is all
2337 64 KiB to the address of the SSL buffer and causing a wrap around.
2340 config and the application data buffer passed to mbedtls_ssl_write
2344 was independently reported by Tim Nordell via e-mail and by Florin Petriuc
2347 * Add a provision to prevent compiler optimizations breaking the time
2351 * Set PEM buffer to zero before freeing it, to avoid decoded private keys
2352 being leaked to memory after release.
2353 * Fix dhm_check_range() failing to detect trivial subgroups and potentially
2355 * Make mbedtls_mpi_read_binary() constant-time with respect to the input
2357 sake of saving memory, but potentially leading to slight timing
2361 * Fix a potential heap buffer over-read in ALPN extension parsing
2362 (server-side). Could result in application crash, but only if an ALPN
2365 to RFC 3526 containing parameters generated in a nothing-up-my-sleeve
2372 * New unit tests for timing. Improve the self-test to be more robust
2373 when run on a heavily-loaded machine.
2380 MBEDTLS_ECDSDA_GENKEY_AT in config.h.
2386 MBEDTLS_ECDH_GEN_PUBLIC_ALT in config.h.
2392 * Add mechanism to provide alternative implementation of the DHM module.
2395 * Extend RSA interface by multiple functions allowing structure-
2398 up RSA contexts from partial key material and having them completed to the
2399 needs of the implementation automatically. This allows to setup private RSA
2402 * The configuration option MBEDTLS_RSA_ALT can be used to define alternative
2406 The new functions change the return type from void to int to allow
2408 mbedtls_<MODULE>_starts() -> mbedtls_<MODULE>_starts_ret()
2409 mbedtls_<MODULE>_update() -> mbedtls_<MODULE>_update_ret()
2410 mbedtls_<MODULE>_finish() -> mbedtls_<MODULE>_finish_ret()
2411 mbedtls_<MODULE>_process() -> mbedtls_internal_<MODULE>_process()
2414 * Deprecate usage of RSA primitives with non-matching key-type
2417 Users are advised to use the extended RSA API instead.
2433 * Fix ssl_parse_record_header() to silently discard invalid DTLS records
2439 renegotiated handshakes would only accept signatures using SHA-1
2440 regardless of the peer's preferences, or fail if SHA-1 was disabled.
2441 * Fix leap year calculation in x509_date_is_valid() to ensure that invalid
2444 * Fix some invalid RSA-PSS signatures with keys of size 8N+1 that were
2446 * Fix out-of-memory problem when parsing 4096-bit PKCS8-encrypted RSA keys.
2453 If a call to one of the functions of the cryptographic primitive modules
2455 mbedtls_pem_read_buffer() causing it to return invalid values. Found by
2457 * Include configuration file in md.h, to fix compilation warnings.
2459 * Correct extraction of signature-type from PK instance in X.509 CRT and CSR
2460 writing routines that prevented these functions to work with alternative
2463 non-v3 CRT's.
2465 * Fix net_would_block() to avoid modification by errno through fcntl() call.
2468 MBEDTLS_SSL_RENEGOTIATION is disabled. Found by erja-gp.
2471 * Fix word size check in in pk.c to not depend on MBEDTLS_HAVE_INT64.
2473 * Add size-checks for record and handshake message content, securing
2474 fragile yet non-exploitable code-paths.
2482 RSA test suite where the failure of CTR DRBG initialization lead to
2492 * Fix the entropy.c module to not call mbedtls_sha256_starts() or
2494 * Fix the entropy.c module to ensure that mbedtls_sha256_init() or
2496 structure. Do not assume that zeroizing a context is a correct way to
2503 * Extend cert_write example program by options to set the certificate version
2510 * Only run AES-192 self-test if AES-192 is available. Fixes #963.
2513 * Update all internal usage of deprecated message digest functions to the
2521 * Add explicit warnings for the use of MD2, MD4, MD5, SHA-1, DES and ARC4
2524 = mbed TLS 2.6.0 branch released 2017-08-10
2527 * Fix authentication bypass in SSL/TLS: when authmode is set to optional,
2531 triggered remotely from either side. (With authmode set to 'required'
2539 and the context struct mbedtls_platform_context to perform
2540 platform-specific setup and teardown operations. The macro
2541 MBEDTLS_PLATFORM_SETUP_TEARDOWN_ALT allows the functions to be overridden
2543 some embedded environments to provide a means of initialising underlying
2547 * Reverted API/ABI breaking changes introduced in mbed TLS 2.5.1, to make the
2552 * Certificate verification functions now set flags to -1 in case the full
2553 chain was not verified due to an internal error (including in the verify
2555 * With authmode set to optional, the TLS handshake is now aborted if the
2556 verification of the peer's certificate failed due to an overlong chain or
2563 to #if defined(MBEDTLS_THREADING_C) as the library cannot assume they will
2567 * Add MBEDTLS_MPI_CHK to check for error value of mbedtls_mpi_fill_random.
2569 * Fix conditional preprocessor directives in bignum.h to enable 64-bit
2573 to bypass the version verification check. Found by Peng Li/Yueh-Hsun Lin,
2577 to bypass the version verification check. Found by Peng Li/Yueh-Hsun Lin,
2581 constructed certificates to bypass the certificate verification check.
2582 * Fix a call to the libc function time() to call the platform abstraction
2588 * Added config.h option MBEDTLS_NO_UDBL_DIVISION, to prevent the use of
2589 64-bit division. This is useful on embedded platforms where 64-bit division
2592 accelerator code in the library leaves concurrency handling to the
2595 config-no-entropy.h to reduce the RAM footprint.
2600 = mbed TLS 2.5.1 released 2017-06-21
2603 * Fixed unlimited overread of heap-based buffer in mbedtls_ssl_read().
2604 The issue could only happen client-side with renegotiation enabled.
2607 back to the server or to a third party). Can be triggered remotely.
2608 * Removed SHA-1 and RIPEMD-160 from the default hash algorithms for
2609 certificate verification. SHA-1 can be turned back on with a compile-time
2611 * Fixed offset in FALLBACK_SCSV parsing that caused TLS server to fail to
2613 * Tighten parsing of RSA PKCS#1 v1.5 signatures, to avoid a
2614 potential Bleichenbacher/BERserk-style attack.
2619 and with GCC using the -Wpedantic compilation option.
2620 * Fix insufficient support for signature-hash-algorithm extension,
2623 when sending the alert failed. The fix makes sure not to hide the error
2626 peer after sending a fatal alert to refuse a renegotiation attempt.
2627 Previous behaviour was to keep processing data even after the alert has
2631 * Fix implementation of mbedtls_ssl_parse_certificate() to not annihilate
2632 fatal errors in authentication mode MBEDTLS_SSL_VERIFY_OPTIONAL and to
2634 * Fix bug that caused the modular inversion function to accept the invalid
2635 modulus 1 and therefore to hang. Found by blaufish. #641.
2639 * Fix a numerical underflow leading to stack overflow in mpi_read_file()
2643 * Send fatal alerts in more cases. The previous behaviour was to skip
2645 * Clarify ECDSA documentation and improve the sample code to avoid
2647 by Jean-Philippe Aumasson.
2649 = mbed TLS 2.5.0 branch released 2017-05-17
2655 * Add exponent blinding to RSA private operations as a countermeasure
2656 against side-channel attacks like the cache attack described in
2663 This involved exposing parts of the internal interface to enable
2666 * Add a new configuration option to 'mbedtls_ssl_config' to enable
2673 void to int to allow returning error codes when using MBEDTLS_AES_ALT,
2675 mbedtls_aes_decrypt() -> mbedtls_internal_aes_decrypt()
2676 mbedtls_aes_encrypt() -> mbedtls_internal_aes_encrypt()
2679 * Remove macros from compat-1.3.h that correspond to deleted items from most
2683 * Add checks in the PK module for the RSA functions on 64-bit systems.
2685 without these checks the type cast could lead to data loss. Found by Guido
2688 = mbed TLS 2.4.2 branch released 2017-03-08
2691 * Add checks to prevent signature forgeries for very large messages while
2692 using RSA through the PK module in 64-bit systems. The issue was caused by
2693 some data loss when casting a size_t to an unsigned int value in the
2695 mbedtls_pk_sign(). Found by Jean-Philippe Aumasson.
2702 CertificateVerify messages, to prevent SLOTH attacks against TLS 1.2.
2707 and potentially could lead to remote code execution on some platforms.
2709 team. #569 CVE-2017-2784
2714 MBEDTLS_X509_BADCERT_NOT_TRUSTED and MBEDTLS_X509_BADCERT_EXPIRED, to be
2717 * Fix the redefinition of macro ssl_set_bio to an undefined symbol
2718 mbedtls_ssl_set_bio_timeout in compat-1.3.h, by removing it.
2719 Found by omlib-lin. #673
2721 x509_csr.c that are reported when building mbed TLS with a config.h that
2729 the input string in PEM format to extract the different components. Found
2732 cause buffer bound checks to be bypassed. Found by Eyal Itkin.
2734 cause buffer bound checks to be bypassed. Found by Eyal Itkin.
2736 cause buffer bound checks to be bypassed. Found by Eyal Itkin.
2738 cause buffer bound checks to be bypassed. Found by Eyal Itkin.
2740 Li/Yueh-Hsun Lin, KNOX Security, Samsung Research America.
2742 by missing calls to mbedtls_pem_free() in cases when a
2745 * Fixed the templates used to generate project and solution files for Visual
2746 Studio 2015 as well as the files themselves, to remove a build warning
2751 number to write in hexadecimal is negative and requires an odd number of
2756 = mbed TLS 2.4.1 branch released 2016-12-13
2759 * Update to CMAC test data, taken from - NIST Special Publication 800-38B -
2763 = mbed TLS 2.4.0 branch released 2016-10-17
2767 with RFC-5116 and could lead to session key recovery in very long TLS
2768 sessions. "Nonce-Disrespecting Adversaries Practical Forgery Attacks on GCM in
2769 TLS" - H. Bock, A. Zauner, S. Devlin, J. Somorovsky, P. Jovanovic.
2772 mbedtls_x509write_csr_der() when the signature is copied to the buffer
2777 * Added support for CMAC for AES and 3DES and AES-CMAC-PRF-128, as defined by
2778 NIST SP 800-38B, RFC-4493 and RFC-4615.
2779 * Added hardware entropy selftest to verify that the hardware entropy source
2781 * Added a script to print build environment info for diagnostic use in test
2783 * Added the macro MBEDTLS_X509_MAX_FILE_PATH_LEN that enables the user to
2786 * Added a configuration file config-no-entropy.h that configures the subset of
2788 * Added the macro MBEDTLS_ENTROPY_MIN_HARDWARE in config.h. This allows users
2789 to configure the minimum number of bytes for entropy sources using the
2793 * Fix for platform time abstraction to avoid dependency issues where a build
2795 configuration consistency checks to check_config.h
2796 * Fix dependency issue in Makefile to allow parallel builds.
2799 * Fix for key exchanges based on ECDH-RSA or ECDH-ECDSA which weren't
2801 * Fix for out-of-tree builds using CMake. Found by jwurzer, and fix based on
2807 * Fixed pthread implementation to avoid unintended double initialisations
2812 * Fix mbedtls_x509_get_sig() to update the ASN1 type in the mbedtls_x509_buf
2814 subramanyam-c. #622
2821 Found by subramanyam-c. #626
2829 * Removed self-tests from the basic-built-test.sh script, and added all
2830 missing self-tests to the test suites, to ensure self-tests are only
2832 * Added support for 3 and 4 byte lengths to mbedtls_asn1_write_len().
2833 * Added support for a Yotta specific configuration file -
2837 * Renamed source file library/net.c to library/net_sockets.c to avoid
2840 deprecated, and its contents moved to net_sockets.h.
2841 * Changed the strategy for X.509 certificate parsing and validation, to no
2844 = mbed TLS 2.3.0 branch released 2016-06-28
2849 * Fix potential integer overflow to buffer overflow in
2852 * Fix a potential integer underflow to buffer overread in
2862 arguments where the same (in-place doubling). Found and fixed by Janos
2864 * Fix potential build failures related to the 'apidoc' target, introduced
2868 ECDSA was disabled in config.h . The leak didn't occur by default.
2869 * Fix an issue that caused valid certificates to be rejected whenever an
2873 buffer after DER certificates to be included in the raw representation.
2877 * Fix issue that caused a crash if invalid curves were passed to
2881 * Fix test in ssl-opt.sh that does not run properly with valgrind
2882 * Fix unchecked calls to mmbedtls_md_setup(). Fix by Brian Murray. #502
2885 * On ARM platforms, when compiling with -O0 with GCC, Clang or armcc5,
2887 the need to pass -fomit-frame-pointer to avoid a build error with -O0.
2891 * Fix non-compliance server extension handling. Extensions for SSLv3 are now
2894 = mbed TLS 2.2.1 released 2016-01-05
2897 * Fix potential double free when mbedtls_asn1_store_named_data() fails to
2900 * Disable MD5 handshake signatures in TLS 1.2 by default to prevent the
2902 SLOTH paper do not apply to any version of mbed TLS or PolarSSL).
2906 * Fix over-restrictive length limit in GCM. Found by Andreas-N. #362
2907 * Fix bug in certificate validation that caused valid chains to be rejected
2918 = mbed TLS 2.2.0 released 2015-11-04
2936 * Experimental support for EC J-PAKE as defined in Thread 1.0.0.
2938 * Added a key extraction callback to accees the master secret and key
2939 block. (Potential uses include EAP-TLS and Thread.)
2942 * Self-signed certificates were not excluded from pathlen counting,
2945 * Fix build error with configurations where ECDHE-PSK is the only key
2947 * Fix build error with configurations where RSA, RSA-PSK, ECDH-RSA or
2948 ECHD-ECDSA if the only key exchange. Multiple reports. #310
2949 * Fixed a bug causing some handshakes to fail due to some non-fatal alerts
2950 not being properly ignored. Found by mancha and Kasom Koht-arsa, #308
2952 size/curve against the profile. Before that, there was no way to set a
2953 minimum key size for end-entity certificates with RSA keys. Found by
2955 * Fix failures in MPI on Sparc(64) due to use of bad assembly code.
2959 certificates to be rejected by some applications, including OS X
2964 or -1.
2966 = mbed TLS 2.1.2 released 2015-10-06
2969 * Added fix for CVE-2015-5291 to prevent heap corruption due to buffer
2972 * Fix potential double-free if mbedtls_ssl_set_hs_psk() is called more than
2982 string of close to or larger than 1GB to exploit; on 64 bit machines, would
2983 require reading a string of close to or larger than 2^62 bytes.
2989 buffer is 512MB or larger on 32-bit platforms. Found by Guido Vranken,
2991 * Fix potential double-free if mbedtls_conf_psk() is called repeatedly on
2996 unless you allow third parties to pick trust CAs for client auth.
3005 * Added checking of hostname length in mbedtls_ssl_set_hostname() to ensure
3007 * Fixed paths for check_config.h in example config files. (Found by bachp)
3010 = mbed TLS 2.1.1 released 2015-09-17
3013 * Add countermeasure against Lenstra's RSA-CRT attack for PKCS#1 v1.5
3015 https://securityblog.redhat.com/2015/09/02/factoring-rsa-keys-with-tls-perfect-forward-secrecy/
3016 * Fix possible client-side NULL pointer dereference (read) when the client
3017 tries to continue the handshake after it failed (a misuse of the API).
3019 afl-fuzz.)
3023 * Fix off-by-one error in parsing Supported Point Format extension that
3024 caused some handshakes to fail.
3027 * Made X509 profile pointer const in mbedtls_ssl_conf_cert_profile() to allow
3031 (MBEDTLS_SSL_DTLS_HELLO_VERIFY defined in config.h, and usable cookie
3034 MBEDTLS_ERR_SSL_CLIENT_RECONNECT - it is then possible to start a new
3037 = mbed TLS 2.1.0 released 2015-09-04
3041 * Primary open source license changed to Apache 2.0 license.
3045 * Fix build error with CMake and pre-4.5 versions of GCC (found by Hugo
3049 * Fix bug in CMake lists that caused libmbedcrypto.a not to be installed
3051 * Fix bug in Makefile that caused libmbedcrypto and libmbedx509 not to be
3053 * Fix compile error with armcc 5 with --gnu option.
3054 * Fix bug in Makefile that caused programs not to be installed correctly
3058 * Fix missing -static-libgcc when building shared libraries for Windows
3062 * Fix bug in mbedtls_ssl_conf_default() that caused the default preset to
3065 result trying to unlock an unlocked mutex on invalid input (found by
3067 * Fix -Wshadow warnings (found by hnrkp) (#240)
3069 SSL_MAX_CONTENT_LEN or higher - not triggerrable remotely (found by
3077 * It is now possible to #include a user-provided configuration file at the
3078 end of the default config.h by defining MBEDTLS_USER_CONFIG_FILE on the
3081 trusted, no later cert is checked. (suggested by hannes-landeholm)
3083 * Prepend a "thread identifier" to debug messages (issue pointed out by
3085 * Add mbedtls_ssl_get_max_frag_len() to query the current maximum fragment
3088 = mbed TLS 2.0.0 released 2015-07-13
3092 * Ability to override core functions from MDx, SHAx, AES and DES modules
3094 ability to override the whole module.
3095 * New server-side implementation of session tickets that rotate keys to
3101 * Introduced a concept of presets for SSL security-relevant configuration
3106 You now need to link to all of them if you use TLS for example.
3107 * All public identifiers moved to the mbedtls_* or MBEDTLS_* namespace.
3108 Some names have been further changed to make them more consistent.
3109 Migration helpers scripts/rename.pl and include/mbedtls/compat-1.3.h are
3110 provided. Full list of renamings in scripts/data_files/rename-1.3-2.0.txt
3112 mbedtls_cipher_info_t.key_length -> key_bitlen
3113 mbedtls_cipher_context_t.key_length -> key_bitlen
3114 mbedtls_ecp_curve_info.size -> bit_size
3119 mbedtls_ssl_init() -> mbedtls_ssl_setup()
3120 mbedtls_ccm_init() -> mbedtls_ccm_setkey()
3121 mbedtls_gcm_init() -> mbedtls_gcm_setkey()
3122 mbedtls_hmac_drbg_init() -> mbedtls_hmac_drbg_seed(_buf)()
3123 mbedtls_ctr_drbg_init() -> mbedtls_ctr_drbg_seed()
3124 Note that for mbedtls_ssl_setup(), you need to be done setting up the
3128 ssl_legacy_renegotiation()) have been renamed to mbedtls_ssl_conf_xxx()
3129 (see rename.pl and compat-1.3.h above) and their first argument's type
3130 changed from ssl_context to ssl_config.
3132 additional callback for read-with-timeout).
3143 place of mbedtls_ssl_conf_session_tickets() to enable session tickets.
3151 mbedtls_x509_crt_verify() (flags, f_vrfy -> needs to be updated)
3152 mbedtls_ssl_conf_verify() (f_vrfy -> needs to be updated)
3153 * The following functions changed prototype to avoid an in-out length
3160 changed type to "mbedtls_net_context *".
3168 mbedtls_x509write_crt_set_key_usage() changed from int to unsigned.
3169 * test_ca_list (from certs.h) is renamed to test_cas_pem and is only
3171 * Test certificates in certs.c are no longer guaranteed to be nul-terminated
3175 length parameter to include the terminating null byte for PEM input.
3176 * Signature of mpi_mul_mpi() changed to make the last argument unsigned
3179 (Thanks to Mansour Moufid for helping with the replacement.)
3180 * Change SSL_DISABLE_RENEGOTIATION config.h flag to SSL_RENEGOTIATION
3181 (support for renegotiation now needs explicit enabling in config.h).
3183 in config.h
3184 * net_connect() and net_bind() have a new 'proto' argument to choose
3185 between TCP and UDP, using the macros NET_PROTO_TCP or NET_PROTO_UDP.
3186 Their 'port' argument type is changed to a string.
3200 * Removed compat-1.2.h (helper for migrating from 1.2 to 1.3).
3204 been removed (compiler is required to support 32-bit operations).
3207 * Removed test program ssl_test, superseded by ssl-opt.sh.
3208 * Removed helper script active-config.pl
3214 Semi-API changes (technically public, morally private)
3215 * Renamed a few headers to include _internal in the name. Those headers are
3216 not supposed to be included by users.
3220 * Removed sig_oid2 and rename sig_oid1 to sig_oid in x509_crt and x509_crl.
3221 * x509_crt.key_usage changed from unsigned char to unsigned int.
3234 custom config.h
3235 * Default DHM parameters server-side upgraded from 1024 to 2048 bits.
3239 * The following functions are now case-sensitive:
3249 * Compiler is required to support C99 types such as long long and uint32_t.
3258 * DTLS no longer hard-depends on TIMING_C, but uses a callback interface
3262 * With UDP sockets, it is no longer necessary to call net_bind() again
3267 thread-safe if MBEDTLS_THREADING_C is enabled.
3268 * Reduced ROM fooprint of SHA-256 and added an option to reduce it even
3274 * With authmode set to SSL_VERIFY_OPTIONAL, verification of keyUsage and
3277 * Add countermeasure against "Lucky 13 strikes back" cache-based attack,
3283 * Add x509_crt_verify_info() to display certificate verification results.
3287 * Add support for id-at-uniqueIdentifier in X.509 names.
3290 * Add an option to use macros instead of function pointers in the platform
3293 cross-compilation easier (thanks to Alon Bar-Lev).
3294 * The benchmark program also prints heap usage for public-key primitives
3296 * New script ecc-heap.sh helps measuring the impact of ECC parameters on
3299 reduced configurations (PSK-CCM and NSA suite B).
3300 * Add config flag POLARSSL_DEPRECATED_WARNING (off by default) to produce
3302 * Add config flag POLARSSL_DEPRECATED_REMOVED (off by default) to produce
3307 * Fix compile error with PLATFORM_EXIT_ALT (thanks to Rafał Przywara).
3309 entropy_free() to crash (thanks to Rafał Przywara).
3324 * Fix bug in pk_parse_key() that caused some valid private EC keys to be
3331 * Fix potential unintended sign extension in asn1_get_len() on 64-bit
3335 POLARSSL_SSL_SSESSION_TICKETS where both enabled in config.h (introduced
3338 * Add missing dependency on SHA-256 in some x509 programs (reported by
3340 * Fix bug related to ssl_set_curves(): the client didn't check that the
3349 * compat-1.2.h and openssl.h are deprecated.
3352 (contributed by Alon Bar-Lev).
3355 * Move from SHA-1 to SHA-256 in example programs using signatures
3359 * Change #include lines in test files to use double quotes instead of angle
3363 = mbed TLS 1.3.10 released 2015-02-09
3365 * NULL pointer dereference in the buffer-based allocator when the buffer is
3369 * Fix remotely-triggerable uninitialised pointer dereference caused by
3372 * Fix remotely-triggerable memory leak caused by crafted X.509 certificates
3378 * Fix timing difference that could theoretically lead to a
3379 Bleichenbacher-style attack in the RSA and RSA-PSK key exchanges
3383 * Add support for FALLBACK_SCSV (draft-ietf-tls-downgrade-scsv).
3384 * Add support for Extended Master Secret (draft-ietf-tls-session-hash).
3385 * Add support for Encrypt-then-MAC (RFC 7366).
3386 * Add function pk_check_pair() to test if public and private keys match.
3388 * Add compile-time option POLARSSL_X509_MAX_INTERMEDIATE_CA to limit the
3390 * Support for renegotiation can now be disabled at compile-time
3391 * Support for 1/n-1 record splitting, a countermeasure against BEAST.
3392 * Certificate selection based on signature hash, preferring SHA-1 over SHA-2
3393 for pre-1.2 clients when multiple certificates are available.
3396 * Add ssl_set_arc4_support() to make it easier to disable RC4 at runtime
3403 add_len (found by Jean-Philippe Aumasson) (not triggerable remotely).
3414 * Fix assembly selection for MIPS64 (thanks to James Cowgill).
3416 to a failed verification (found by Fredrik Axelsson).
3419 issue with some servers when a zero-length extension was sent. (Reported
3421 * On a 0-length input, base64_encode() did not correctly set output length
3425 * Use deterministic nonces for AEAD ciphers in TLS by default (possible to
3426 switch back to random with POLARSSL_SSL_AEAD_RANDOM_IV in config.h).
3428 * ssl_set_own_cert() now returns an error on key-certificate mismatch.
3430 * debug_print_buf() now prints a text view in addition to hexadecimal.
3432 but none of them is usable due to external factors such as no certificate
3434 * It is now possible to disable negotiation of truncated HMAC server-side
3440 = PolarSSL 1.3.9 released 2014-10-20
3444 * Remotely-triggerable memory leak when parsing some X.509 certificates
3447 * Remotely-triggerable memory leak when parsing crafted ClientHello
3454 * Fix net_accept() regarding non-blocking sockets (found by Luca Pesce).
3456 * Fix warnings from Clang's scan-build (contributed by Alfred Klomp).
3459 * Remove non-existent file from VS projects (found by Peter Vaskovic).
3460 * ssl_read() could return non-application data records on server while
3462 * Server-initiated renegotiation would fail with non-blocking I/O if the
3465 with non-blocking I/O.
3473 * Ciphersuites using SHA-256 or SHA-384 now require TLS 1.x (there is no
3474 standard defining how to use SHA-2 with SSL 3.0).
3475 * Ciphersuites using RSA-PSK key exchange new require TLS 1.x (the spec is
3476 ambiguous on how to encode some packets with SSL 3.0).
3481 * POLARSSL_MPI_MAX_SIZE now defaults to 1024 in order to allow 8192 bits
3487 = PolarSSL 1.3.8 released 2014-07-11
3490 It was possible to crash the server (and client) using crafted messages
3494 * Add CCM module and cipher mode to Cipher Layer
3496 * Support for parsing and verifying RSASSA-PSS signatures in the X.509
3499 * Add example config.h for PSK with CCM, optimized for low RAM usage.
3500 * Optimize for RAM usage in example config.h for NSA Suite B profile.
3501 * Add POLARSSL_REMOVE_ARC4_CIPHERSUITES to allow removing RC4 ciphersuites
3503 * Add server-side enforcement of sent renegotiation requests
3505 * Add SSL_CIPHERSUITES config.h flag to allow specifying a list of
3506 ciphersuites to use and save some memory if the list is small.
3511 * Migrate zeroizing of data to polarssl_zeroize() instead of memset()
3522 * Remove less-than-zero checks on unsigned numbers
3523 * Stricter check on SSL ClientHello internal sizes compared to actual packet
3534 rejected with CBC-based ciphersuites and TLS >= 1.1
3536 to 32 bytes with CBC-based ciphersuites and TLS >= 1.1
3537 * Restore ability to use a v1 cert as a CA if trusted locally. (This had
3539 * Restore ability to locally trust a self-signed cert that is not a proper
3545 * Fix off-by-one error in parsing Supported Point Format extension that
3546 caused some handshakes to fail.
3547 * Fix possible miscomputation of the premaster secret with DHE-PSK key
3548 exchange that caused some handshakes to fail with other implementations.
3551 * Fix base64_decode() to return and check length correctly (in case of
3553 * Fix mpi_write_string() to write "00" as hex output for empty MPI (found
3556 = PolarSSL 1.3.7 released on 2014-05-02
3558 * debug_set_log_mode() added to determine raw or full logging
3559 * debug_set_threshold() added to ignore messages over threshold level
3560 * version_check_feature() added to check for compile-time options at
3561 run-time
3568 * AES-NI now compiles with "old" assemblers too
3581 * rsa_check_pubkey() now allows an E up to N
3582 * On OpenBSD, use arc4random_buf() instead of rand() to prevent warnings
3584 big-endian platform when size was not an integer number of limbs
3591 = PolarSSL 1.3.6 released on 2014-04-11
3595 * Add option 'use_dev_random' to gen_key application
3605 * Use UTC time to check certificate validity.
3612 This affects certificates in the user-supplied chain except the top
3613 certificate. If the user-supplied chain contains only one certificates,
3630 * oid_get_numeric_string() used to truncate the output without returning an
3632 * dhm_parse_dhm() (hence dhm_parse_dhmfile()) did not set dhm->len.
3633 * Calling pk_debug() on an RSA-alt key would segfault.
3634 * pk_get_size() and pk_get_len() were off by a factor 8 for RSA-alt keys.
3638 stored in RAM due to missing 'const's (found by Gergely Budai).
3640 = PolarSSL 1.3.5 released on 2014-03-26
3642 * HMAC-DRBG as a separate module
3643 * Option to set the Curve preference order (disabled by default)
3645 * Ability to provide alternate timing implementation
3646 * Ability to force the entropy module to use SHA-256 as its basis
3648 * Testing script ssl-opt.sh added for testing 'live' ssl option
3656 now thread-safe if POLARSSL_THREADING_C defined
3657 * Improvements to the CMake build system, contributed by Julian Ospald.
3660 * Revamped the compat.sh interoperatibility script to include support for
3663 * Improvements to tests/Makefile, contributed by Oden Eriksson.
3666 * Forbid change of server certificate during renegotiation to prevent
3672 * Possible remotely-triggered out-of-bounds memory access fixed (found by
3676 * ecp_gen_keypair() does more tries to prevent failure because of
3679 * Fixed testing with out-of-source builds using cmake
3680 * Fixed version-major intolerance in server
3681 * Fixed CMake symlinking on out-of-source builds
3684 * Bignum's MIPS-32 assembly was used on MIPS-64, causing chaos. (Found by
3688 * Fixed bug with session tickets and non-blocking I/O in the unlikely case
3699 * x509_get_current_time() uses localtime_r() to prevent thread issues
3701 = PolarSSL 1.3.4 released on 2014-01-27
3704 * Support for RIPEMD-160
3720 = PolarSSL 1.3.3 released on 2013-12-31
3723 * Support for adhering to client ciphersuite order preference
3726 * Support for ECDH-RSA and ECDH-ECDSA key exchanges and ciphersuites
3728 * AES-NI support for AES, AES-GCM and AES key scheduling
3729 * SSL Pthread-based server example added (ssl_pthread_server)
3736 * More constant-time checks in the RSA module
3744 * Fixed X.509 hostname comparison (with non-regular characters)
3757 * Possible remotely-triggered out-of-bounds memory access fixed (found by
3760 = PolarSSL 1.3.2 released on 2013-11-04
3762 * PK tests added to test framework
3764 * Support for Camellia-GCM mode and ciphersuites
3767 * Padding checks in cipher layer are now constant-time
3768 * Value comparisons in SSL layer are now constant-time
3775 * Prevent possible alignment warnings on casting from char * to 'aligned *'
3776 * Misc fixes and additions to dependency checks
3780 * Defines to handle UEFI environment under MSVC
3781 * Server-side initiated renegotiations send HelloRequest
3783 = PolarSSL 1.3.1 released on 2013-10-15
3786 * Support for ECDHE-PSK key-exchange and ciphersuites
3787 * Support for RSA-PSK key-exchange and ciphersuites
3793 * config.h is more script-friendly
3805 = PolarSSL 1.3.0 released on 2013-10-01
3810 (ECDHE-based ciphersuites)
3812 (ECDSA-based ciphersuites)
3813 * Ability to specify allowed ciphersuites based on the protocol version.
3814 * PSK and DHE-PSK based ciphersuites added
3816 * Buffer-based memory allocator added (no malloc() / free() / HEAP usage)
3823 * Support for zeros-and-length (ANSI X.923) padding, one-and-zeros
3824 (ISO/IEC 7816-4) padding and zero padding in the cipher layer
3832 the same host (Not to be confused with SNI!)
3835 * Ability to enable / disable SSL v3 / TLS 1.0 / TLS 1.1 / TLS 1.2
3839 * Internals for SSL module adapted to have separate IV pointer that is
3841 * Moved all OID functionality to a separate module. RSA function
3846 * Ability to disable server_name extension (RFC 6066)
3847 * Renamed error_strerror() to the less conflicting polarssl_strerror()
3848 (Ability to keep old as well with POLARSSL_ERROR_STRERROR_BC)
3849 * SHA2 renamed to SHA256, SHA4 renamed to SHA512 and functions accordingly
3853 * Also compiles / runs without time-based functions (!POLARSSL_HAVE_TIME)
3864 * RSA blinding on CRT operations to counter timing attacks
3865 (found by Cyril Arnaud and Pierre-Alain Fouque)
3868 = Version 1.2.14 released 2015-05-??
3871 * Fix potential invalid memory read in the server, that allows a client to
3874 client to crash the server remotely if client authentication is enabled
3876 * Add countermeasure against "Lucky 13 strikes back" cache-based attack,
3884 * Fix potential unintended sign extension in asn1_get_len() on 64-bit
3887 = Version 1.2.13 released 2015-02-16
3888 Note: Although PolarSSL has been renamed to mbed TLS, no changes reflecting
3892 * Fix remotely-triggerable uninitialised pointer dereference caused by
3895 * Fix remotely-triggerable memory leak caused by crafted X.509 certificates
3908 add_len (found by Jean-Philippe Aumasson) (not triggerable remotely).
3913 * Fix assembly selection for MIPS64 (thanks to James Cowgill).
3915 to a failed verification (found by Fredrik Axelsson).
3918 issue with some servers when a zero-length extension was sent. (Reported
3920 * On a 0-length input, base64_encode() did not correctly set output length
3926 * Add compile-time option POLARSSL_X509_MAX_INTERMEDIATE_CA to limit the
3928 = Version 1.2.12 released 2014-10-24
3931 * Remotely-triggerable memory leak when parsing some X.509 certificates
3939 with non-blocking I/O.
3943 * Fix net_accept() regarding non-blocking sockets (found by Luca Pesce).
3944 * ssl_read() could return non-application data records on server while
3946 * Fix warnings from Clang's scan-build (contributed by Alfred Klomp).
3955 = Version 1.2.11 released 2014-07-11
3961 * Improvements to the CMake build system, contributed by Julian Ospald.
3964 * Improvements to tests/Makefile, contributed by Oden Eriksson.
3965 * Use UTC time to check certificate validity.
3967 * Migrate zeroizing of data to polarssl_zeroize() instead of memset()
3971 * Forbid change of server certificate during renegotiation to prevent
3979 It was possible to crash the server (and client) using crafted messages
3983 * Fixed X.509 hostname comparison (with non-regular characters)
3996 * Fixed testing with out-of-source builds using cmake
3997 * Fixed version-major intolerance in server
3998 * Fixed CMake symlinking on out-of-source builds
3999 * Bignum's MIPS-32 assembly was used on MIPS-64, causing chaos. (Found by
4005 * x509_get_current_time() uses localtime_r() to prevent thread issues
4011 * rsa_check_pubkey() now allows an E up to N
4012 * On OpenBSD, use arc4random_buf() instead of rand() to prevent warnings
4014 big-endian platform when size was not an integer number of limbs
4016 * Stricter check on SSL ClientHello internal sizes compared to actual packet
4022 * Fix base64_decode() to return and check length correctly (in case of
4025 = Version 1.2.10 released 2013-10-07
4027 * Changed RSA blinding to a slower but thread-safe version
4034 = Version 1.2.9 released 2013-10-01
4039 * Fixed potential memory leak when failing to resume a session
4046 * RSA blinding on CRT operations to counter timing attacks
4047 (found by Cyril Arnaud and Pierre-Alain Fouque)
4049 = Version 1.2.8 released 2013-06-19
4053 * Centralized module option values in config.h to allow user-defined
4061 * Added mechanism to provide alternative implementations for all
4063 config.h)
4077 * Fixed bignum.c and bn_mul.h to support Thumb2 and LLVM compiler
4078 * Fixed values for 2-key Triple DES in cipher layer
4082 * A possible DoS during the SSL Handshake, due to faulty parsing of
4083 PEM-encoded certificates has been fixed (found by Jack Lloyd)
4085 = Version 1.2.7 released 2013-04-13
4087 * Ability to specify allowed ciphersuites based on the protocol version.
4090 * Default Blowfish keysize is now 128-bits
4091 * Test suites made smaller to accommodate Raspberry Pi
4095 * GCM adapted to support sizes > 2^29
4097 = Version 1.2.6 released 2013-03-11
4100 * Corrected GCM counter incrementation to use only 32-bits instead of
4101 128-bits (found by Yawning Angel)
4102 * Fixes for 64-bit compilation with MS Visual Studio
4108 rsa_pkcs1_sign() and rsa_pkcs1_verify() to separate PKCS#1 v1.5 and
4112 * Re-added handling for SSLv2 Client Hello when the define
4120 * Removed timing differences due to bad padding from
4124 = Version 1.2.5 released 2013-02-02
4126 * Allow enabling of dummy error_strerror() to support some use-cases
4129 * Sending of security-relevant alert messages that do not break
4135 ssl_decrypt_buf() due to badly formatted padding
4137 = Version 1.2.4 released 2013-01-25
4139 * More advanced SSL ciphersuite representation and moved to more dynamic
4141 * Added ssl_handshake_step() to allow single stepping the handshake process
4149 = Version 1.2.3 released 2012-11-26
4153 = Version 1.2.2 released 2012-11-24
4155 * Added p_hw_data to ssl_context for context specific hardware acceleration
4157 * During verify trust-CA is only checked for expiration and CRL presence
4163 = Version 1.2.1 released 2012-11-20
4166 bottom-up (Peer cert depth is 0)
4171 * Allow R and A to point to same mpi in mpi_div_mpi (found by Manuel
4172 Pégourié-Gonnard)
4174 Pégourié-Gonnard)
4177 = Version 1.2.0 released 2012-10-31
4183 * Added support for multi-domain certificates through the X509 Subject
4191 * Added GCM suites to TLS 1.2 (RFC 5288)
4205 * Added option to add minimum accepted SSL/TLS protocol version
4210 * Fixed const-correctness mpi_get_bit()
4212 * Moved out_msg to out_hdr + 32 to support hardware acceleration
4213 * Changed certificate verify behaviour to comply with RFC 6125 section 6.3
4214 to not match CN if subjectAltName extension is present (Closes ticket #56)
4215 * Cipher layer cipher_mode_t POLARSSL_MODE_CFB128 is renamed to
4216 POLARSSL_MODE_CFB, to also handle different block size CFB modes.
4222 * Moved from unsigned long to fixed width uint32_t types throughout code
4223 * Renamed ciphersuites naming scheme to IANA reserved names
4236 * mpi_add_abs() now correctly handles adding short numbers to long numbers
4245 = Version 1.1.8 released on 2013-10-01
4247 * Fixed potential memory leak when failing to resume a session
4251 * Potential buffer-overflow for ssl_read_record() (independently found by
4256 = Version 1.1.7 released on 2013-06-19
4265 * Fixed values for 2-key Triple DES in cipher layer
4269 * A possible DoS during the SSL Handshake, due to faulty parsing of
4270 PEM-encoded certificates has been fixed (found by Jack Lloyd)
4272 = Version 1.1.6 released on 2013-03-11
4277 * Allow enabling of dummy error_strerror() to support some use-cases
4284 * Removed timing differences due to bad padding from
4288 = Version 1.1.5 released on 2013-01-16
4292 * mpi_add_abs() now correctly handles adding short numbers to long numbers
4299 Pégourié-Gonnard)
4300 * Allow R and A to point to same mpi in mpi_div_mpi (found by Manuel
4301 Pégourié-Gonnard)
4312 = Version 1.1.4 released on 2012-05-31
4318 = Version 1.1.3 released on 2012-04-29
4320 * Fixed random MPI generation to not generate more size than requested.
4322 = Version 1.1.2 released on 2012-04-26
4329 Frama-C team at CEA LIST)
4330 * Fixed generation of DHM parameters to correct length (found by Ruslan
4333 = Version 1.1.1 released on 2012-01-23
4337 * Fixed issues with Intel compiler on 64-bit systems (Closes ticket #50)
4341 = Version 1.1.0 released on 2011-12-22
4343 * Added ssl_session_reset() to allow better multi-connection pools of
4344 SSL contexts without needing to set all non-connection-specific
4345 data and pointers again. Adapted ssl_server to use this functionality.
4346 * Added ssl_set_max_version() to allow clients to offer a lower maximum
4347 supported version to a server to help buggy server implementations.
4351 * Added CTR_DRBG based on AES-256-CTR (NIST SP 800-90) random generator
4358 * Fixed rsa_encrypt and rsa_decrypt examples to use public key for
4360 * Inceased maximum size of ASN1 length reads to 32-bits.
4361 * Added an EXPLICIT tag number parameter to x509_get_ext()
4365 * Changed the defined key-length of DES ciphers in cipher.h to include the
4366 parity bits, to prevent mistakes in copying data. (Closes ticket #33)
4367 * Loads of minimal changes to better support WINCE as a build target
4368 (Credits go to Marco Lizza)
4369 * Added POLARSSL_MPI_WINDOW_SIZE definition to allow easier time to memory
4370 trade-off
4373 * Changed the used random function pointer to more flexible format. Renamed
4374 havege_rand() to havege_random() to prevent mistakes. Lots of changes as
4376 * Moved all examples programs to use the new entropy and CTR_DRBG
4377 * Added permissive certificate parsing to x509parse_crt() and
4379 encountering a parse-error. Beware that the meaning of return values has
4384 * Fixed faulty HMAC-MD2 implementation. Found by dibac. (Closes
4388 * Allowed X509 key usage parsing to accept 4 byte values instead of the
4390 * Fixed incorrect behaviour in case of RSASSA-PSS with a salt length
4399 = Version 1.0.0 released on 2011-07-27
4412 = Version 0.99-pre5 released on 2011-05-26
4414 * Added additional Cipher Block Modes to symmetric ciphers
4415 (AES CTR, Camellia CTR, XTEA CBC) including the option to
4419 * A error_strerror function() has been added to translate between
4429 t_int and t_dbl to t_uint and t_udbl in the process
4445 = Version 0.99-pre4 released on 2011-04-01
4448 for the RSAES-OAEP and RSASSA-PSS operations.
4463 platform (32-bit / 64-bit) (Fixes ticket #19, found by Mads
4467 * Fixed proper handling of RSASSA-PSS verification with variable
4470 = Version 0.99-pre3 released on 2011-02-28
4471 This release replaces version 0.99-pre2 which had possible copyright issues.
4475 * Added crl_app program to allow easy reading and
4479 * Parsing of PEM files moved to separate module (Fixes
4480 ticket #13). Also possible to remove PEM support for
4492 to negotiate anonymous connection (Fixes ticket #12,
4496 * Fixed a possible Man-in-the-Middle attack on the
4497 Diffie Hellman key exchange (thanks to Larry Highsmith,
4500 = Version 0.99-pre1 released on 2011-01-30
4502 Note: Most of these features have been donated by Fox-IT
4505 * Improved X509 certificate parsing to include extended
4510 * Improvements to support integration in other
4516 verification to allow external blacklisting
4517 + Additional example programs to show usage
4519 libpkcs11-helper library
4522 * x509parse_time_expired() checks time in addition to
4525 of ssl_session have been renamed to ciphersuites and
4530 = Version 0.14.0 released on 2010-08-16
4534 * Added compile-time and run-time version information
4541 Now using random fuction provided to function and
4544 * Some SSL defines were renamed in order to avoid
4554 = Version 0.13.1 released on 2010-03-24
4559 = Version 0.13.0 released on 2010-03-21
4561 * Added option parsing for host and port selection to
4564 * Added cert_app program to allow easy reading and
4571 in a function to allow easy future expansion
4572 * Changed symmetric cipher functions to
4574 * Changed ARC4 to use separate input/output buffer
4575 * Added reset function for HMAC context as speed-up
4576 for specific use-cases
4579 * Fixed bug resulting in failure to send the last
4587 = Version 0.12.1 released on 2009-10-04
4598 = Version 0.12.0 released on 2009-07-28
4600 * Added CMake makefiles as alternative to regular Makefiles.
4602 Base64, MPI, SHA-family, MD-family, HMAC-SHA-family,
4603 Camellia, DES, 3-DES, RSA PKCS#1, XTEA, Diffie-Hellman
4609 * RSA_RAW renamed to SIG_RSA_RAW for consistency.
4612 to indicate invalid key lengths.
4619 * Fixed HMAC-MD2 by modifying md2_starts(), so that the
4640 * Fixed Camellia and XTEA for 64-bit Windows systems.
4642 = Version 0.11.1 released on 2009-05-17
4643 * Fixed missing functionality for SHA-224, SHA-256, SHA384,
4644 SHA-512 in rsa_pkcs1_sign()
4646 = Version 0.11.0 released on 2009-05-03
4648 input numbers are even and added testcases to check
4650 * Added support for SHA-224, SHA-256, SHA-384 and SHA-512
4660 * Made definition of net_htons() endian-clean for big endian
4664 * Fixed an off-by-one buffer allocation in ssl_set_hostname()
4667 * Added support for CRL revocation to x509parse_verify() and
4669 * Fixed compatibility of XTEA and Camellia on a 64-bit system
4672 = Version 0.10.0 released on 2009-01-12
4673 * Migrated XySSL to PolarSSL
4684 = Version 0.9 released on 2008-03-16
4689 * Fixed a bug in ssl_write() that caused the same payload to
4690 be sent twice in non-blocking mode when send returns EAGAIN
4693 * Added user-defined callback debug function (Krystian Kolodziej)
4699 output data is non-aligned by falling back to the software
4700 implementation, as VIA Nehemiah cannot handle non-aligned buffers
4702 Robson-Garth; some x509write.c fixes by Pascal Vizeli, thanks to
4704 * Fixed x509_get_ext() to accept some rare certificates which have
4710 * Added an option to enable/disable the BN assembly code
4711 * Updated rsa_check_privkey() to verify that (D*E) = 1 % (P-1)*(Q-1)
4713 selftest and benchmark to not test ciphers that have been disabled
4714 * Updated x509parse_cert_info() to correctly display byte 0 of the
4716 * Fixed a critical denial-of-service with X.509 cert. verification:
4717 peer may cause xyssl to loop indefinitely by sending a certificate
4719 * Added test vectors for: AES-CBC, AES-CFB, DES-CBC and 3DES-CBC,
4720 HMAC-MD5, HMAC-SHA1, HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512
4721 * Fixed HMAC-SHA-384 and HMAC-SHA-512 (thanks to Josh Sinykin)
4722 * Modified ssl_parse_client_key_exchange() to protect against
4724 as the Klima-Pokorny-Rosa extension of Bleichenbacher's attack
4725 * Updated rsa_gen_key() so that ctx->N is always nbits in size
4726 * Fixed assembly PPC compilation errors on Mac OS X, thanks to
4729 = Version 0.8 released on 2007-10-20
4731 * Modified the HMAC functions to handle keys larger
4732 than 64 bytes, thanks to Stephane Desneux and gary ng
4733 * Fixed ssl_read_record() to properly update the handshake
4736 * Fixed net_recv(), thanks to Lorenz Schori and Egon Kocjan
4737 * Added user-defined callbacks for handling I/O and sessions
4741 * Added AES-CFB mode of operation, contributed by chmike
4743 * Updated the RSA PKCS#1 code to allow choosing between
4745 * Updated ssl_read() to skip 0-length records from OpenSSL
4746 * Fixed the make install target to comply with *BSD make
4747 * Fixed a bug in mpi_read_binary() on 64-bit platforms
4748 * mpi_is_prime() speedups, thanks to Kevin McLaughlin
4754 = Version 0.7 released on 2007-07-07
4756 * Added support for the MicroBlaze soft-core processor
4758 connections from being established with non-blocking I/O
4762 * Added the SHA-224, SHA-384 and SHA-512 hash functions
4763 * Fixed the net_set_*block routines, thanks to Andreas
4767 * Rewrote README.txt in program/ssl/ca to better explain
4768 how to create a test PKI
4770 = Version 0.6 released on 2007-04-01
4773 time, to reduce the memory footprint on embedded systems
4775 havege_struct for this processor, thanks to David Patiño
4776 * Added multiply assembly code for 64-bit PowerPCs,
4777 thanks to Peking University and the OSU Open Source Lab
4780 * Fixed "long long" compilation issues on IA-64 and PPC64
4781 * Fixed a bug introduced in xyssl-0.5/timing.c: hardclock
4784 = Version 0.5 released on 2007-03-01
4787 * Added (beta) support for non-blocking I/O operations
4790 (thanks to Benjamin Newman), HP-UX, FreeBSD and Solaris
4793 size of 16384 bytes to be rejected
4795 = Version 0.4 released on 2007-02-01
4797 * Added support for Ephemeral Diffie-Hellman key exchange
4799 * Various improvement to the modular exponentiation code
4800 * Rewrote the headers to generate the API docs with doxygen
4803 version was not properly set), thanks to Didier Rebeix
4808 = Version 0.3 released on 2007-01-01
4810 * Added server-side SSLv3 and TLSv1.0 support
4811 * Multiple fixes to enhance the compatibility with g++,
4812 thanks to Xosé Antón Otero Ferreira
4813 * Fixed a bug in the CBC code, thanks to dowst; also,
4815 * Updated rsa_pkcs1_sign to handle arbitrary large inputs
4817 and 486 processors, thanks to Arnaud Cornet
4819 = Version 0.2 released on 2006-12-01
4821 * Updated timing.c to support ARM and MIPS arch
4822 * Updated the MPI code to support 8086 on MSVC 1.5
4824 * Fixed a bug in sha2_hmac, thanks to newsoft/Wenfang Zhang
4828 valid RSA keys to be dismissed (thanks to oldwolf)
4829 * Fixed a bug in mpi_is_prime that caused some primes to fail
4830 the Miller-Rabin primality test
4832 I'd also like to thank Younès Hafri for the CRUX linux port,
4834 who maintains the Debian package :-)
4836 = Version 0.1 released on 2006-11-01