Lines Matching +full:ipv4 +full:- +full:no +full:- +full:config +full:- +full:for +full:- +full:cpp
3 = mbed TLS 3.1.0 branch released 2021-12-17
6 * New error code for GCM: MBEDTLS_ERR_GCM_BUFFER_TOO_SMALL.
10 * You can configure groups for a TLS key exchange with the new function
15 POSIX/Unix-like platforms.
18 * Sign-magnitude and one's complement representations for signed integers are
26 * Remove the partial support for running unit tests via Greentea on Mbed OS,
30 * Enable support for Curve448 via the PSA API. Contributed by
37 supported on GCC-like compilers and on MSVC and can be configured through
39 (where supported) for critical functions where ignoring the return
41 MBEDTLS_CHECK_RETURN_WARNING to get warnings for other functions. This
46 * Add support for CCM*-no-tag cipher to the PSA.
47 Currently only 13-byte long IV's are supported.
48 For decryption a minimum of 16-byte long input is expected.
50 * Add new API mbedtls_ct_memcmp for constant time buffer comparison.
53 * Add the internal implementation of and support for CCM to the PSA multipart
56 protocol. See docs/architecture/tls13-support.md for the definition of
61 * Add PSA API definition for ARIA.
66 case the value leaks through a memory disclosure vulnerability. For
68 man-in-the-middle to inject fake ciphertext into a DTLS connection.
77 * Fix a double-free that happened after mbedtls_ssl_set_session() or
86 The check was accidentally not performed when cross-compiling for Windows
95 for bignum multiplication that broke some bignum operations with
98 * Fix mbedtls_cipher_crypt: AES-ECB when MBEDTLS_USE_PSA_CRYPTO is enabled.
99 * Failures of alternative implementations of AES or DES single-block
103 where this function cannot fail, or full-module replacements with
107 * Fix the error returned by psa_generate_key() for a public key. Fixes #4551.
108 * Fix compile-time or run-time errors in PSA
110 * Remove PSA'a AEAD finish/verify output buffer limitation for GCM.
111 The requirement of minimum 15 bytes for output buffer in
112 psa_aead_finish() and psa_aead_verify() does not apply to the built-in
115 the built-in implementation of the GCM.
116 The requirement for output buffer size to be equal or greater then
117 input buffer size is valid only for the built-in implementation of GCM.
122 This algorithm now accepts only the same salt length for verification
126 for algorithm values that fully encode the hashing step, as per the PSA
137 * Fix the build when no SHA2 module is included. Fixes #4930.
151 oversight during the run-up to the release of Mbed TLS 3.0.
153 * Implement multi-part CCM API.
154 The multi-part functions: mbedtls_ccm_starts(), mbedtls_ccm_set_lengths(),
158 Implemented functions support chunked data input for both CCM and CCM*
164 * Improve the performance of base64 constant-flow code. The result is still
165 slower than the original non-constant-flow implementation, but much faster
166 than the previous constant-flow implementation. Fixes #4814.
167 * Ignore plaintext/ciphertext lengths for CCM*-no-tag operations.
168 For CCM* encryption/decryption without authentication, input
171 ChaCha20-Poly1305 is invalid, and not just unsupported.
178 * The generated configuration-independent files are now automatically
179 generated by the CMake build system on Unix-like systems. This is not
180 yet supported when cross-compiling.
182 = Mbed TLS 3.0.0 branch released 2021-07-07
186 The design of HAVEGE makes it unsuitable for microcontrollers. Platforms
191 https://tls.mbed.org/kb/how-to/add-entropy-sources-to-entropy-pool for
194 * Remove helpers for the transition from Mbed TLS 1.3 to Mbed TLS 2.0: the
195 header compat-1.3.h and the script rename.pl.
201 Various helpers and definitions available for use in alt implementations
207 Header files that were only meant for the library's internal use and
211 * Drop support for parsing SSLv2 ClientHello
213 * Drop support for SSLv3 (MBEDTLS_SSL_PROTO_SSL3).
214 * Drop support for TLS record-level compression (MBEDTLS_ZLIB_SUPPORT).
215 * Drop support for RC4 TLS ciphersuites.
216 * Drop support for single-DES ciphersuites.
217 * Drop support for MBEDTLS_SSL_HW_RECORD_ACCEL.
220 key type used, as well as the key bit-size in the case of
235 when outputting a SHA-384 or SHA-224 hash into a buffer of exactly
237 * Remove the MBEDTLS_TEST_NULL_ENTROPY config option. Fixes #4388.
240 now takes extra output parameters for the last partial output block.
241 mbedtls_gcm_update() now takes extra parameters for the output length.
246 no longer pass the associated data to mbedtls_gcm_starts(), but to the
248 These changes are backward compatible for users of the cipher API.
249 * Replace MBEDTLS_SHA512_NO_SHA384 config option with MBEDTLS_SHA384_C.
250 This separates config option enabling the SHA384 algorithm from option
253 This separates config option enabling the SHA224 algorithm from option
255 * The getter and setter API of the SSL session cache (used for
256 session-ID based session resumption) has changed to that of
257 a key-value store with keys being session IDs and values
261 encryption use the public key. Verification functions also no longer have
268 Support for more than one PSK may be added in 3.X.
271 * For multi-part AEAD operations with the cipher module, calling
275 possible to skip calling it, which is no longer supported.
276 * The option MBEDTLS_ECP_FIXED_POINT_OPTIM use pre-computed comb tables
287 * mbedtls_rsa_init() now always selects the PKCS#1v1.5 encoding for an RSA
293 * Instead of accessing the len field of a DHM context, which is no longer
297 function mbedtls_xxx_ret() which was identical except for returning int
299 migration guide for more information. Fixes #4212.
300 * For all functions that take a random number generator (RNG) as a
313 Raw keys and IVs are no longer passed to the callback.
316 paving the way for the larger number of secrets
318 context are now connection-specific.
320 length parameter to be the size of the hash input. For RSA signatures
326 indicating the size of the output buffer for the signature.
327 * Implement one-shot cipher functions, psa_cipher_encrypt and
330 * Direct access to fields of structures declared in public headers is no
331 longer supported except for fields that are documented public. Use accessor
332 functions instead. For more information, see the migration guide entry
335 mbedtls_ssl_{set,get}_session() may now only be called once for any given
339 * Enable by default the functionalities which have no reason to be disabled.
340 They are: ARIA block cipher, CMAC mode, elliptic curve J-PAKE library and
341 Key Wrapping mode as defined in NIST SP 800-38F. Fixes #4036.
342 * Some default policies for X.509 certificate verification and TLS have
343 changed: curves and hashes weaker than 255 bits are no longer accepted
353 release, some configuration-independent files are now generated at build
356 C compiler for the host platform are required. See “Generated source files
357 in the development branch” in README.md for more information.
360 than 3.6 are no longer supported.
364 compile-time option, which was off by default. Users should not trust
365 certificates signed with SHA-1 due to the known attacks against SHA-1.
366 If needed, SHA-1 certificates can still be verified by using a custom
374 https://lists.trustedfirmware.org/pipermail/mbed-tls/2020-April/000024.html
378 compile-time option. This option has been inactive for a long time.
381 * Remove the following deprecated functions and constants of hex-encoded
398 * Remove support for TLS 1.0, TLS 1.1 and DTLS 1.0, as well as support for
400 ciphersuites per version, which are no longer relevant. This removes the
407 * The RSA module no longer supports private-key operations with the public
409 * Remove the MBEDTLS_SSL_DTLS_BADMAC_LIMIT config.h option. Fixes #4403.
420 MBEDTLS_REMOVE_3DES_CIPHERSUITES option which is no longer relevant.
424 * Remove MBEDTLS_ECDH_LEGACY_CONTEXT config option since this was purely for
425 backward compatibility which is no longer supported. Addresses #4404.
429 * Remove the MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION config.h
430 option. The mbedtls_x509_crt_parse_der_with_ext_cb() is the way to go for
433 MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE config.h options and let the code
435 * MBEDTLS_ECP_MAX_BITS is no longer a configuration option because it is
441 it no longer had any effect.
442 * Remove all support for MD2, MD4, RC4, Blowfish and XTEA. This removes the
446 MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT config option. Users are better served by
447 using a CCM-8 ciphersuite than a CBC ciphersuite with truncated HMAC.
448 See issue #4341 for more details.
449 * Remove the compile-time option
457 * Added support for built-in driver keys through the PSA opaque crypto
459 MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS for more information.
461 * The multi-part GCM interface (mbedtls_gcm_update() or
462 mbedtls_cipher_update()) no longer requires the size of partial inputs to
464 * The multi-part GCM interface now supports chunked associated data through
471 See docs/architecture/alternative-implementations.md for the remaining
474 query the size of the modulus in a Diffie-Hellman context.
476 Diffie-Hellman context.
478 point format for ECJPAKE instead of accessing the point_format field
479 directly, which is no longer supported.
484 * Fix a bias in the generation of finite-field Diffie-Hellman-Merkle (DHM)
485 private keys and of blinding values for DHM and elliptic curves (ECP)
489 learn partial information about the leading bits of the nonce used for the
496 performing a single private-key operation. Found and reported by
499 co-located process) could recover a Curve25519 or Curve448 static ECDH key
501 corresponding private-key operation. Found and reported by Leila Batina,
510 than PSA_ERROR_INVALID_HANDLE when the identifier specified for the key
516 rather than PSA_ERROR_DOES_NOT_EXIST for an invalid handle, bringing them
518 * Fix a bug in ECDSA that would cause it to fail when the hash is all-bits
523 mbedtls_mpi_read_string() was called on "-0", or when
529 * In a TLS client, enforce the Diffie-Hellman minimum parameter size
540 * The cipher suite TLS-RSA-WITH-CAMELLIA-256-GCM-SHA384 was not available
541 when SHA-1 was disabled and was offered when SHA-1 was enabled but SHA-384
543 * Do not offer SHA384 cipher suites when SHA-384 is disabled. Fixes #4499.
545 Arm Cortex-M. Fixes #4530.
547 directive in a header and a missing initialization in the self-test.
548 * Fix a missing initialization in the Camellia self-test, affecting
552 is not defined PSA will no longer attempt to use mbedtls_rsa_gen_key().
555 (when the encrypt-then-MAC extension is not in use) with some ALT
556 implementations of the underlying hash (SHA-1, SHA-256, SHA-384), causing
558 * Remove outdated check-config.h check that prevented implementing the
568 and using a Montgomery curve for the key exchange. Reported by lhuang04
570 * psa_verify_hash() was relying on implementation-specific behavior of
581 Credit to OSS-Fuzz. Fixes #4641.
582 * Fix mbedtls_mpi_gcd(G,A,B) when the value of B is zero. This had no
585 * The PSA API no longer allows the creation or destruction of keys with a
586 read-only lifetime. The persistence level PSA_KEY_PERSISTENCE_READ_ONLY
587 can now only be used as intended, for keys that cannot be modified through
607 * Remove configs/config-psa-crypto.h, which no longer had any intended
610 python2, which is no longer supported upstream.
627 * Add CMake package config generation for CMake projects consuming Mbed TLS.
628 * config.h has been split into build_info.h and mbedtls_config.h
634 * A config file version symbol, MBEDTLS_CONFIG_VERSION was introduced.
636 the config file in a way that's compatible with the config file format
647 = mbed TLS 2.26.0 branch released 2021-03-08
660 as always 0. It is now reserved for internal purposes and may take
680 tweaking the setting for the maximum amount of keys simultaneously in RAM.
686 and see the documentation of mbedtls_psa_external_get_random() for details.
687 * Applications using both mbedtls_xxx and psa_xxx functions (for example,
690 mbedtls_psa_get_random() for details.
691 * In the PSA API, the policy for a MAC or AEAD algorithm can specify a
701 length, or when the entropy module uses SHA-256 and CTR_DRBG uses AES-256.
707 |A| - |B| where |B| is larger than |A| and has more limbs (so the
712 * Fix an errorneous estimation for an internal buffer in
724 * Fix use-after-scope error in programs/ssl/ssl_client2.c and ssl_server2.c
734 twice is safe. This happens for RSA when some Mbed TLS library functions
735 fail. Such a double-free was not safe when MBEDTLS_THREADING_C was
737 * Fix a resource leak in a bad-arguments case of mbedtls_rsa_gen_key()
740 * Fixes a bug where, if the library was configured to include support for
748 the extension was always marked as non-critical. This was fixed by
758 = mbed TLS 2.25.0 branch released 2020-12-11
767 mbedtls_cipher_auth_decrypt() no longer accept NIST_KW contexts,
768 as they have no way to check if the output buffer is large enough.
770 mbedtls_cipher_auth_decrypt_ext() instead. Credit to OSS-Fuzz and
791 * Add support for ECB to the PSA cipher API.
795 This is currently non-standard behaviour, but expected to make it into a
802 * Add support for DTLS-SRTP as defined in RFC 5764. Contributed by Johan
804 * In the PSA API, it is no longer necessary to open persistent keys:
806 identical to psa_key_id_t instead of being platform-defined. This bridges
808 version 1.0.0. Opening persistent keys is still supported for backward
824 generating Diffie-Hellman key pairs. Credit to OSS-Fuzz.
828 are implemented. This could cause failures or the silent use of non-random
830 obtain entropy, or due to an internal failure (which, for Mbed TLS's own
842 * Zeroising of local buffers and variables which are used for calculations
860 * Use socklen_t on Android and other POSIX-compliant system
861 * Fix the build when the macro _GNU_SOURCE is defined to a non-empty value.
878 * Fix an off-by-one error in the additional data length check for
879 CCM, which allowed encryption with a non-standard length field.
881 * Correct the default IV size for mbedtls_cipher_info_t structures using
885 * Fix conditions for including string.h in error.c. Fixes #3866.
886 * psa_set_key_id() now also sets the lifetime to persistent for keys located
888 * Attempting to create a volatile key with a non-zero key identifier now
897 * Fix a case in elliptic curve arithmetic where an out-of-memory condition
903 the buffer back, which was the case for mbedtls_x509write_{crt,csr}_pem
908 for MBEDTLS_CIPHER_MODE_XTS were excluded from the build and made it fail.
915 attribute. No automatic upgrade path is provided. Previously stored keys
917 specification (docs/architecture/mbed-crypto-storage-specification.md).
921 zeroize the pointed-to buffer. Reported by Antonio de la Piedra, CEA
924 = mbed TLS 2.24.0 branch released 2020-09-01
927 * In the PSA API, rename the types of elliptic curve and Diffie-Hellman
945 -Wformat-signedness, and fix the code that causes signed-one-bit-field
946 and sign-compare warnings. Contributed by makise-homura (Igor Molchanov)
955 attacker could for example impersonate a 4-bytes or 16-byte domain by
956 getting a certificate for the corresponding IPv4 or IPv6 (this would
964 MBEDTLS_HAVE_TIME_DATE, an attacker able to control the local clock (for
966 revocation of certificates via CRLs. Fixed by no longer checking the
971 Encrypt-then-Mac extension, use constant code flow memory access patterns
974 effective against network-based attackers, but less so against local
976 if they have access to fine-grained measurements. In particular, this
980 * Fix side channel in RSA private key operations and static (finite-field)
981 Diffie-Hellman. An adversary with precise enough timing and memory access
983 enclave) could bypass an existing counter-measure (base blinding) and
985 * Fix a 1-byte buffer overread in mbedtls_x509_crl_parse_der().
986 Credit to OSS-Fuzz for detecting the problem and to Philippe Antoine
987 for pinpointing the problematic code.
993 * Library files installed after a CMake build no longer have execute
1000 Montgomery keys in little-endian as defined by RFC7748. Contributed by
1003 curves. Raised by signpainter in #941 and by Taiki-San in #1412. This
1005 * Fix self-test failure when the only enabled short Weierstrass elliptic
1017 * Only pass -Wformat-signedness to versions of GCC that support it. Reported
1026 years of publishing are no longer tracked in the source files. This also
1027 eliminates the need for the lines declaring the files to be part of
1030 example applications which allows to provide a password for the key file
1032 these applications with password-protected key files. Analogously but for
1034 set a password for the key file provided through the existing key_file2
1037 = mbed TLS 2.23.0 branch released 2020-07-01
1049 * New functions in the error module return constant strings for
1050 high- and low-level error codes, complementing mbedtls_strerror()
1051 which constructs a string for any error code, including compound
1054 * The new utility programs/ssl/ssl_context_info prints a human-readable
1056 * Add support for midipix, a POSIX layer for Microsoft Windows.
1064 * Added support to entropy_poll for the kern.arandom syscall supported on
1066 * Add support for Windows 2000 in net_sockets. Contributed by opatomic. #3239
1071 Ming-Wei Shih, Prasun Gera, Taesoo Kim and Hyesoon Kim (Georgia Institute
1082 * Fix issue in Lucky 13 counter-measure that could make it ineffective when
1090 * Fix the Visual Studio Release x64 build configuration for mbedtls itself.
1091 Completes a previous fix in Mbed TLS 2.19 that only fixed the build for
1118 * Fix false positive uninitialised variable reported by cpp-check.
1127 clean of -Wformat-signedness warnings. Contributed by Kenneth Soerensen
1139 * Fix mbedtls_x509_dn_gets to escape non-ASCII characters as "?".
1151 `MBEDTLS_CTR_DRBG_C` or `MBEDTLS_HMAC_DRBG_C` for some side-channel
1160 = mbed TLS 2.22.0 branch released 2020-04-14
1164 SSL module for hardware acceleration of individual records.
1175 happen when MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE was enabled in config.h
1181 Billy Brumley and Cesar Pereida Garcia. CVE-2020-10932
1199 * Mbed Crypto is no longer a Git submodule. The crypto part of the library
1205 is defined), regardless of what MFL was configured for it.
1207 = mbed TLS 2.21.0 branch released 2020-02-20
1212 * Deprecate MBEDTLS_SSL_PROTO_SSL3 that enables support for SSLv3.
1213 * Deprecate for MBEDTLS_PKCS11_C, the wrapper around the pkcs11-helper
1220 probability (of the order of 2^-n where n is the bitsize of the curve)
1228 ARMmbed/mbed-crypto#352
1231 * The new build option MBEDTLS_SHA512_NO_SHA384 allows building SHA-512
1232 support without SHA-384.
1238 existing code is that elliptic curve key types no longer encode the
1240 a curve family and the key size determines the exact curve (for example,
1241 PSA_ECC_CURVE_SECP_R1 with 256 bits is P256R1). ARMmbed/mbed-crypto#330
1247 * Fix some false-positive uninitialized variable warnings in X.509. Fix
1248 contributed by apple-ihack-geek in #2663.
1250 a cryptographic accelerator fails. ARMmbed/mbed-crypto#345
1253 keys. Found by Catena cyber using oss-fuzz (issue 20467).
1257 = mbed TLS 2.20.0 branch released 2020-01-15
1261 entropy function to obtain entropy for a nonce if the entropy size is less
1270 entropy module formerly only grabbed 32 bytes, which is good enough for
1300 to achieve the security strength defined by NIST SP 800-90A. You can
1303 msopiha-linaro in ARMmbed/mbed-crypto#307.
1306 * In the PSA API, forbid zero-length keys. To pass a zero-length input to a
1320 unsupported algorithm. Fixes ARMmbed/mbed-crypto#254.
1322 to OSS-Fuzz for finding a bug in an intermediate version of the fix.
1337 no known instances where this changes the behavior of the library: this is
1338 merely a robustness improvement. ARMmbed/mbed-crypto#323
1340 Alexander Krizhanovsky in ARMmbed/mbed-crypto#210.
1342 Lloyd and Fortanix Inc in ARMmbed/mbed-crypto#277.
1344 Alexander Krizhanovsky in ARMmbed/mbed-crypto#308.
1346 = mbed TLS 2.19.1 branch released 2019-09-16
1360 * Fix some false-positive uninitialized variable warnings in crypto. Fix
1361 contributed by apple-ihack-geek in #2663.
1363 = mbed TLS 2.19.0 branch released 2019-09-06
1369 * When writing a private EC key, use a constant size for the private
1373 1 byte too large for the output buffer.
1374 * The deterministic ECDSA calculation reused the scheme's HMAC-DRBG to
1375 implement blinding. Because of this for the same key and message the same
1382 mbedtls_ssl_session_load() to allow serializing a session, for example to
1383 store it in non-volatile storage, and later using it for TLS session
1388 The feature is enabled at compile-time by MBEDTLS_SSL_RECORD_CHECKING
1391 (https://project-everest.github.io/). It can be enabled at compile time
1394 (32-bit and 64-bit) using GCC, Clang or Visual Studio. Contributed by
1402 * Add DER-encoded test CRTs to library/certs.c, allowing
1407 list all curves for which at least one of ECDH or ECDSA is supported, not
1408 just curves for which both are supported. Call mbedtls_ecdsa_can_do() or
1412 mbedtls_ecdsa_sign_det() but allows passing an external RNG for the
1423 lead to successful parsing of ill-formed X.509 CRTs. Fixes #2437.
1424 * Fix multiple X.509 functions previously returning ASN.1 low-level error
1429 * Fix typo in net_would_block(). Fixes #528 reported by github-monoculture.
1439 * Avoid use of statically sized stack buffers for certificate writing.
1450 address-sanitizer and enabling but not using MBEDTLS_ECP_RESTARTABLE.
1453 * Improve code clarity in x509_crt module, removing false-positive
1461 * Replace multiple uses of MD2 by SHA-256 in X.509 test suite. Fixes #821.
1462 * Make it easier to define MBEDTLS_PARAM_FAILED as assert (which config.h
1465 * Add a Dockerfile and helper scripts (all-in-docker.sh, basic-in-docker.sh,
1466 docker-env.sh) to simplify running test suites on a Linux host. Contributed
1472 * Adds fuzz targets, especially for continuous fuzzing with OSS-Fuzz.
1478 = mbed TLS 2.18.1 branch released 2019-07-12
1488 = mbed TLS 2.18.0 branch released 2019-06-11
1495 * Add the Wi-SUN Field Area Network (FAN) device extended key usage.
1497 * It is now possible to perform RSA PKCS v1.5 signatures with RIPEMD-160 digest.
1500 and the used tls-prf.
1501 * Add public API for tls-prf function, according to requested enum.
1502 * Add support for parsing otherName entries in the Subject Alternative Name
1505 * Add support for parsing certificate policies extension, as defined in
1510 * Add support for draft-05 of the Connection ID extension, as specified
1511 in https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05.
1516 changed its IP or port. The feature is enabled at compile-time by setting
1517 MBEDTLS_SSL_DTLS_CONNECTION_ID (disabled by default), and at run-time
1523 and the used tls-prf.
1524 * Add public API for tls-prf function, according to requested enum.
1533 * Fix 1-byte buffer overflow in mbedtls_mpi_write_string() when
1535 OSS-Fuzz.
1546 for the parameter.
1547 * Add a check for MBEDTLS_X509_CRL_PARSE_C in ssl_server2, guarding the crl
1551 Credit to OSS-Fuzz.
1554 * Server's RSA certificate in certs.c was SHA-1 signed. In the default
1555 mbedTLS configuration only SHA-2 signed certificates are accepted.
1559 updated to one that is SHA-256 signed. Fix contributed by
1565 * Add test for minimal value of MBEDTLS_MPI_WINDOW_SIZE to all.sh.
1570 = mbed TLS 2.17.0 branch released 2019-03-19
1574 which allows copy-less parsing of DER encoded X.509 CRTs,
1585 See the Features section for more information.
1587 for the benefit of saving RAM, by disabling the new compile-time
1588 option MBEDTLS_SSL_KEEP_PEER_CERTIFICATE (enabled by default for
1609 * Add `MBEDTLS_SELF_TEST` for the mbedtls_self_test functions
1615 * Fix signed-to-unsigned integer conversion warning
1620 (e.g. config.h.bak). Fixed by Peter Kolbus (Garmin) #2407.
1625 correctly as trailing zeroes were not accounted for as unused bits in the
1633 Inserted as an enhancement for #1371
1634 * Add support for alternative CSR headers, as used by Microsoft and defined
1638 for platforms that don't provide it. Based on contributions by Joris Aerts
1640 * Fix clobber list in MIPS assembly for large integer multiplication.
1647 * Fix configuration queries in ssl-opt.h. #2030
1648 * Ensure that ssl-opt.h can be run in OS X. #2029
1649 * Re-enable certain interoperability tests in ssl-opt.sh which had previously
1650 been disabled for lack of a sufficiently recent version of GnuTLS on the CI.
1654 = mbed TLS 2.16.0 branch released 2018-12-21
1657 * Add a new config.h option of MBEDTLS_CHECK_PARAMS that enables validation
1661 the documentation. See the corresponding API documentation for each
1662 function to see for which parameter values it is defined. This feature is
1663 disabled by default. See its API documentation in config.h for additional
1670 using MBEDTLS_<MODULE>_ALT for the underlying AES or message digest
1672 mbedtls_ctr_drbg_update() -> mbedtls_ctr_drbg_update_ret()
1673 mbedtls_hmac_drbg_update() -> mbedtls_hmac_drbg_update_ret()
1675 * Deprecate error codes of the form MBEDTLS_ERR_xxx_INVALID_KEY_LENGTH for
1677 the more generic per-module error codes MBEDTLS_ERR_xxx_BAD_INPUT_DATA.
1678 * Additional parameter validation checks have been added for the following
1679 modules - AES, ARIA, Blowfish, CAMELLIA, CCM, GCM, DHM, ECP, ECDSA, ECDH,
1687 will no longer be.
1694 * Fix for Clang, which was reporting a warning for the bignum.c inline
1695 assembly for AMD64 targets creating string literals greater than those
1709 of check for certificate/key matching. Reported by Attila Molnar, #507.
1711 = mbed TLS 2.15.1 branch released 2018-11-30
1716 = mbed TLS 2.15.0 branch released 2018-11-23
1726 * Add unit tests for AES-GCM when called through mbedtls_cipher_auth_xxx()
1729 = mbed TLS 2.14.1 branch released 2018-11-30
1733 decryption that could lead to a Bleichenbacher-style padding oracle
1740 in the paper available here: http://cat.eyalro.net/cat.pdf CVE-2018-19608
1743 a plaintext for RSA PKCS#1 v1.5 decryption but only observe the timing
1758 = mbed TLS 2.14.0 branch released 2018-11-19
1761 * Fix overly strict DN comparison when looking for CRLs belonging to a
1769 space and a PSK-(EC)DHE ciphersuite was used, this allowed an attacker
1773 previous settings for the number of rounds made it practical for an
1774 adversary to construct non-primes that would be erroneously accepted as
1778 For example, the number of rounds was enough to securely generate RSA key
1779 pairs or Diffie-Hellman parameters, but was insufficient to validate
1780 Diffie-Hellman parameters properly.
1785 * Add support for temporarily suspending expensive ECC computations after
1787 constrained, single-threaded systems where ECC is time consuming and can
1793 implemented client-side, for ECDHE-ECDSA ciphersuites in TLS 1.2,
1795 * Add support for Arm CPU DSP extensions to accelerate asymmetric key
1799 * Extend RSASSA-PSS signature to allow a smaller salt size. Previously, PSS
1803 that comply with FIPS 186-4, including SHA-512 with a 1024-bit key.
1804 * Add support for 128-bit keys in CTR_DRBG. Note that using keys shorter
1808 * Add a common error code of `MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED` for
1810 implementations implementing cryptographic primitives. This is useful for
1823 Miller-Rabin rounds.
1830 * Fix a bug in the update function for SSL ticket keys which previously
1836 padded records in case of CBC ciphersuites using Encrypt-then-MAC.
1841 * Zeroize memory used for buffering or reassembling handshake messages
1843 * Use `mbedtls_platform_zeroize()` instead of `memset()` for zeroization
1845 * Change the default string format used for various X.509 DN attributes to
1847 wildcards and non-ASCII characters being unusable in some DN attributes.
1849 Thomas-Dee.
1850 * Fix compilation failure for configurations which use compile time
1853 Reported by ole-de and ddhome2006. Fixes #882, #1642 and #1706.
1856 * Removed support for Yotta as a build tool.
1857 * Add tests for session resumption in DTLS.
1862 IPv6 and optionally by a build option over IPv4.
1873 Thomas-Dee.
1875 Fixes #517 reported by github-monoculture.
1878 by FIPS-186-4.
1880 = mbed TLS 2.13.1 branch released 2018-09-06
1884 whose implementation should behave as a thread-safe version of gmtime().
1888 automatically select implementations for Windows and POSIX C libraries.
1894 = mbed TLS 2.13.0 branch released 2018-08-31
1903 * Add support for fragmentation of outgoing DTLS handshake messages. This
1905 with the peer, as well as by a new per-connection MTU option, set using
1907 * Add support for auto-adjustment of MTU to a safe value during the
1910 * Add support for packing multiple records within a single datagram,
1912 * Add support for buffering out-of-order handshake messages in DTLS.
1913 The maximum amount of RAM used for this can be controlled by the
1914 compile-time constant MBEDTLS_SSL_DTLS_MAX_BUFFERING defined
1915 in mbedtls/config.h.
1933 * Fix potential use-after-free in mbedtls_ssl_get_max_frag_len()
1944 (found by Catena cyber using oss-fuzz)
1956 * Add support for buffering of out-of-order handshake messages.
1961 = mbed TLS 2.12.0 branch released 2018-07-25
1964 * Fix a vulnerability in TLS ciphersuites based on CBC and using SHA-384,
1970 worked if the same secret (for example a HTTP Cookie) has been repeatedly
1972 or CCM instead of CBC, using hash sizes other than SHA-384, or using
1973 Encrypt-then-Mac (RFC 7366) were not affected. The vulnerability was
1974 caused by a miscalculation (for SHA-384) in a countermeasure to the
1983 the same secret (for example a HTTP Cookie) has been repeatedly sent over
1985 instead of CBC or using Encrypt-then-Mac (RFC 7366) were not affected.
1987 * Add a counter-measure against a vulnerability in TLS ciphersuites based
1993 Encrypt-then-Mac (RFC 7366) were not affected. Found by Kenny Paterson,
1997 * Add new crypto primitives from RFC 7539: stream cipher Chacha20, one-time
1998 authenticator Poly1305 and AEAD construct Chacha20-Poly1305. Contributed
2000 * Add support for CHACHA20-POLY1305 ciphersuites from RFC 7905.
2001 * Add platform support for the Haiku OS. (https://www.haiku-os.org).
2003 * Make the receive and transmit buffers independent sizes, for situations
2006 is no functional difference. Contributed by Angus Gratton, and also
2008 * Add support for key wrapping modes based on AES as defined by
2009 NIST SP 800-38F algorithms KW and KWP and by RFC 3394 and RFC 5649.
2016 * Fix "no symbols" warning issued by ranlib when building on Mac OS X. Fix
2018 * Clarify documentation for mbedtls_ssl_write() to include 0 as a valid
2023 by Brendan Shanks. Part of a fix for #992.
2028 * Fix the inline assembly for the MPI multiply helper function for i386 and
2035 * Fix decryption for zero length messages (which contain all padding) when a
2036 CBC based ciphersuite is used together with Encrypt-then-MAC. Previously,
2041 * Fix ssl_client2 example to send application data with 0-length content
2044 * Correct the documentation for `mbedtls_ssl_get_session()`. This API has
2046 * Fix build using -std=c99. Fixed by Nick Wilson.
2050 zero-length messages when using TLS 1.2. Contributed by Espressif Systems.
2052 when calling with a NULL salt and non-zero salt_len. Contributed by
2056 * Allow overriding the time on Windows via the platform-time abstraction.
2058 * Use gmtime_r/gmtime_s for thread-safety. Fixed by Nick Wilson.
2060 = mbed TLS 2.11.0 branch released 2018-06-18
2065 * Implement the HMAC-based extract-and-expand key derivation function
2067 * Add support for the CCM* block cipher mode as defined in IEEE Std. 802.15.4.
2068 * Add support for the XTS block cipher mode with AES (AES-XTS).
2072 non-blocking operation of the TLS server stack.
2077 * Fix for redefinition of _WIN32_WINNT to avoid overriding a definition
2084 * Changed CMake defaults for IAR to treat all compiler warnings as errors.
2085 * Changed the Clang parameters used in the CMake build files to work for
2086 versions later than 3.6. Versions of Clang earlier than this may no longer
2089 = mbed TLS 2.10.0 branch released 2018-06-06
2092 * Add support for ARIA cipher (RFC 5794) and associated TLS ciphersuites
2093 (RFC 6209). Disabled by default, see MBEDTLS_ARIA_C in config.h
2108 build to fail. Found by zv-io. Fixes #1651.
2111 * Support TLS testing in out-of-source builds using cmake. Fixes #1193.
2115 = mbed TLS 2.9.0 branch released 2018-04-30
2122 would require a non DER-compliant certificate to be correctly signed by a
2123 trusted CA, or a trusted CA with a non DER-compliant certificate. Found by
2131 * Fix a client-side bug in the validation of the server's ciphersuite choice
2135 structures for some configurations.
2141 * Add initial support for Curve448 (RFC 7748). Only mbedtls_ecp_mul() and
2143 mbedtls_ecdh_compute_shared()) are supported for now. Contributed by
2148 applications to wait for a network context to become ready before reading
2151 a check for whether more more data is pending to be processed in the
2154 underlying transport in case event-driven IO is used.
2160 in configurations that omit certain hashes or public-key algorithms.
2164 * Add missing dependencies for MBEDTLS_HAVE_TIME_DATE and
2167 * Fix the Makefile build process for building shared libraries on Mac OS X.
2182 in the internal buffers; these cases led to deadlocks when event-driven
2199 public-key algorithms. Includes contributions by Gert van Dijk.
2212 for Curve25519 (other curves had it already). Contributed by Nicholas
2219 letter must not be prefixed by '-', such as LLVM. Found and fixed by
2229 HMAC functions with non-HMAC ciphersuites. Independently contributed
2232 FIPS 186-4. Contributed by Jethro Beekman. #1380
2240 = mbed TLS 2.8.0 branch released 2018-03-16
2249 config.h. Found by Andreas Walz (ivESK, Offenburg University of
2255 HMAC key of a single, uninterrupted connection (with no
2267 * Extend PKCS#8 interface by introducing support for the entire SHA
2270 uses PBKDF2-SHA2, such as OpenSSL 1.1. Submitted by Antonio Quartulli,
2272 * Add support for public keys encoded in PKCS#1 format. #1122
2275 * Deprecate support for record compression (configuration option
2281 * Fix test_suite_pk to work on 64-bit ILP32 systems. #849
2294 * In test_suite_pk, pass valid parameters when testing for hash length
2307 * Fix a 1-byte heap buffer overflow (read-only) during private key parsing.
2314 * Remove support for the library reference configuration for picocoin.
2315 * MD functions deprecated in 2.7.0 are no longer inline, to provide
2316 a migration path for those depending on the library's ABI.
2318 * Use (void) when defining functions with no parameters. Contributed by
2321 = mbed TLS 2.7.0 branch released 2018-02-03
2329 both TLS and DTLS. CVE-2018-0488
2330 * Fix a buffer overflow in RSA-PSS verification when the hash was too large
2331 for the key size, which could potentially lead to crash or remote code
2333 Qualcomm Technologies Inc. CVE-2018-0487
2334 * Fix buffer overflow in RSA-PSS verification when the unmasked data is all
2340 config and the application data buffer passed to mbedtls_ssl_write
2344 was independently reported by Tim Nordell via e-mail and by Florin Petriuc
2355 * Make mbedtls_mpi_read_binary() constant-time with respect to the input
2356 data. Previously, trailing zero bytes were detected and omitted for the
2361 * Fix a potential heap buffer over-read in ALPN extension parsing
2362 (server-side). Could result in application crash, but only if an ALPN
2365 to RFC 3526 containing parameters generated in a nothing-up-my-sleeve
2372 * New unit tests for timing. Improve the self-test to be more robust
2373 when run on a heavily-loaded machine.
2374 * Add alternative implementation support for CCM and CMAC (MBEDTLS_CCM_ALT,
2376 * Add support for alternative implementations of GCM, selected by the
2378 * Add support for alternative implementations for ECDSA, controlled by new
2380 MBEDTLS_ECDSDA_GENKEY_AT in config.h.
2384 * Add support for alternative implementation of ECDH, controlled by the
2386 MBEDTLS_ECDH_GEN_PUBLIC_ALT in config.h.
2390 * Add support for alternative implementation of ECJPAKE, controlled by
2395 * Extend RSA interface by multiple functions allowing structure-
2397 mbedtls_rsa_import() and mbedtls_rsa_complete() are introduced for setting
2400 contexts from keys consisting of N,D,E only, even if P,Q are needed for the
2408 mbedtls_<MODULE>_starts() -> mbedtls_<MODULE>_starts_ret()
2409 mbedtls_<MODULE>_update() -> mbedtls_<MODULE>_update_ret()
2410 mbedtls_<MODULE>_finish() -> mbedtls_<MODULE>_finish_ret()
2411 mbedtls_<MODULE>_process() -> mbedtls_internal_<MODULE>_process()
2414 * Deprecate usage of RSA primitives with non-matching key-type
2428 * Deprecate mbedtls_ssl_conf_dh_param() for setting default DHE parameters
2439 renegotiated handshakes would only accept signatures using SHA-1
2440 regardless of the peer's preferences, or fail if SHA-1 was disabled.
2444 * Fix some invalid RSA-PSS signatures with keys of size 8N+1 that were
2446 * Fix out-of-memory problem when parsing 4096-bit PKCS8-encrypted RSA keys.
2459 * Correct extraction of signature-type from PK instance in X.509 CRT and CSR
2462 * Don't print X.509 version tag for v1 CRT's, and omit extensions for
2463 non-v3 CRT's.
2468 MBEDTLS_SSL_RENEGOTIATION is disabled. Found by erja-gp.
2469 * Add a check for invalid private parameters in mbedtls_ecdsa_sign().
2473 * Add size-checks for record and handshake message content, securing
2474 fragile yet non-exploitable code-paths.
2506 * Only check for necessary RSA structure fields in `mbedtls_rsa_private`. In
2510 * Only run AES-192 self-test if AES-192 is available. Fixes #963.
2518 * Add MBEDTLS_ERR_XXX_HW_ACCEL_FAILED error codes for all cryptography
2521 * Add explicit warnings for the use of MD2, MD4, MD5, SHA-1, DES and ARC4
2524 = mbed TLS 2.6.0 branch released 2017-08-10
2540 platform-specific setup and teardown operations. The macro
2552 * Certificate verification functions now set flags to -1 in case the full
2567 * Add MBEDTLS_MPI_CHK to check for error value of mbedtls_mpi_fill_random.
2569 * Fix conditional preprocessor directives in bignum.h to enable 64-bit
2571 * Fix a potential integer overflow in the version verification for DER
2573 to bypass the version verification check. Found by Peng Li/Yueh-Hsun Lin,
2575 * Fix potential integer overflow in the version verification for DER
2577 to bypass the version verification check. Found by Peng Li/Yueh-Hsun Lin,
2579 * Fix a potential integer overflow in the version verification for DER
2588 * Added config.h option MBEDTLS_NO_UDBL_DIVISION, to prevent the use of
2589 64-bit division. This is useful on embedded platforms where 64-bit division
2595 config-no-entropy.h to reduce the RAM footprint.
2600 = mbed TLS 2.5.1 released 2017-06-21
2603 * Fixed unlimited overread of heap-based buffer in mbedtls_ssl_read().
2604 The issue could only happen client-side with renegotiation enabled.
2608 * Removed SHA-1 and RIPEMD-160 from the default hash algorithms for
2609 certificate verification. SHA-1 can be turned back on with a compile-time
2614 potential Bleichenbacher/BERserk-style attack.
2619 and with GCC using the -Wpedantic compilation option.
2620 * Fix insufficient support for signature-hash-algorithm extension,
2647 by Jean-Philippe Aumasson.
2649 = mbed TLS 2.5.0 branch released 2017-05-17
2656 against side-channel attacks like the cache attack described in
2662 * Add hardware acceleration support for the Elliptic Curve Point module.
2665 replacement support for enabling the extension of the interface.
2675 mbedtls_aes_decrypt() -> mbedtls_internal_aes_decrypt()
2676 mbedtls_aes_encrypt() -> mbedtls_internal_aes_encrypt()
2679 * Remove macros from compat-1.3.h that correspond to deleted items from most
2683 * Add checks in the PK module for the RSA functions on 64-bit systems.
2684 The PK and RSA modules use different types for passing hash length and
2688 = mbed TLS 2.4.2 branch released 2017-03-08
2691 * Add checks to prevent signature forgeries for very large messages while
2692 using RSA through the PK module in 64-bit systems. The issue was caused by
2695 mbedtls_pk_sign(). Found by Jean-Philippe Aumasson.
2701 * Removed MD5 from the allowed hash algorithms for CertificateRequest and
2703 Introduced by interoperability fix for #513.
2706 triggered remotely for example with a maliciously constructed certificate
2709 team. #569 CVE-2017-2784
2718 mbedtls_ssl_set_bio_timeout in compat-1.3.h, by removing it.
2719 Found by omlib-lin. #673
2721 x509_csr.c that are reported when building mbed TLS with a config.h that
2740 Li/Yueh-Hsun Lin, KNOX Security, Samsung Research America.
2745 * Fixed the templates used to generate project and solution files for Visual
2756 = mbed TLS 2.4.1 branch released 2016-12-13
2759 * Update to CMAC test data, taken from - NIST Special Publication 800-38B -
2760 Recommendation for Block Cipher Modes of Operation: The CMAC Mode for
2763 = mbed TLS 2.4.0 branch released 2016-10-17
2767 with RFC-5116 and could lead to session key recovery in very long TLS
2768 sessions. "Nonce-Disrespecting Adversaries Practical Forgery Attacks on GCM in
2769 TLS" - H. Bock, A. Zauner, S. Devlin, J. Somorovsky, P. Jovanovic.
2777 * Added support for CMAC for AES and 3DES and AES-CMAC-PRF-128, as defined by
2778 NIST SP 800-38B, RFC-4493 and RFC-4615.
2781 * Added a script to print build environment info for diagnostic use in test
2786 * Added a configuration file config-no-entropy.h that configures the subset of
2788 * Added the macro MBEDTLS_ENTROPY_MIN_HARDWARE in config.h. This allows users
2789 to configure the minimum number of bytes for entropy sources using the
2793 * Fix for platform time abstraction to avoid dependency issues where a build
2799 * Fix for key exchanges based on ECDH-RSA or ECDH-ECDSA which weren't
2801 * Fix for out-of-tree builds using CMake. Found by jwurzer, and fix based on
2803 * Fixed cert_app.c sample program for debug output and for use when no root
2809 * Fixed the sample applications gen_key.c, cert_req.c and cert_write.c for
2814 subramanyam-c. #622
2815 * Fix documentation and implementation missmatch for function arguments of
2819 ssl_parse_hello_verify_request() for DTLS. Found by Guido Vranken.
2820 * Fix check for validity of date when parsing in mbedtls_x509_get_time().
2821 Found by subramanyam-c. #626
2829 * Removed self-tests from the basic-built-test.sh script, and added all
2830 missing self-tests to the test suites, to ensure self-tests are only
2832 * Added support for 3 and 4 byte lengths to mbedtls_asn1_write_len().
2833 * Added support for a Yotta specific configuration file -
2835 * Added optimization for code space for X.509/OID based on configured
2839 net.c. For consistency, the corresponding header file, net.h, is marked as
2841 * Changed the strategy for X.509 certificate parsing and validation, to no
2844 = mbed TLS 2.3.0 branch released 2016-06-28
2857 * Support for platform abstraction of the standard C library time()
2862 arguments where the same (in-place doubling). Found and fixed by Janos
2868 ECDSA was disabled in config.h . The leak didn't occur by default.
2881 * Fix test in ssl-opt.sh that does not run properly with valgrind
2885 * On ARM platforms, when compiling with -O0 with GCC, Clang or armcc5,
2886 don't use the optimized assembly for bignum multiplication. This removes
2887 the need to pass -fomit-frame-pointer to avoid a build error with -O0.
2889 * Optimized mbedtls_mpi_zeroize() for MPI integer size. (Fix by Alexey
2891 * Fix non-compliance server extension handling. Extensions for SSLv3 are now
2894 = mbed TLS 2.2.1 released 2016-01-05
2898 allocate memory. Only used for certificate generation, not triggerable
2906 * Fix over-restrictive length limit in GCM. Found by Andreas-N. #362
2918 = mbed TLS 2.2.0 released 2015-11-04
2936 * Experimental support for EC J-PAKE as defined in Thread 1.0.0.
2939 block. (Potential uses include EAP-TLS and Thread.)
2942 * Self-signed certificates were not excluded from pathlen counting,
2945 * Fix build error with configurations where ECDHE-PSK is the only key
2947 * Fix build error with configurations where RSA, RSA-PSK, ECDH-RSA or
2948 ECHD-ECDSA if the only key exchange. Multiple reports. #310
2949 * Fixed a bug causing some handshakes to fail due to some non-fatal alerts
2950 not being properly ignored. Found by mancha and Kasom Koht-arsa, #308
2952 size/curve against the profile. Before that, there was no way to set a
2953 minimum key size for end-entity certificates with RSA keys. Found by
2964 or -1.
2966 = mbed TLS 2.1.2 released 2015-10-06
2969 * Added fix for CVE-2015-5291 to prevent heap corruption due to buffer
2972 * Fix potential double-free if mbedtls_ssl_set_hs_psk() is called more than
2989 buffer is 512MB or larger on 32-bit platforms. Found by Guido Vranken,
2991 * Fix potential double-free if mbedtls_conf_psk() is called repeatedly on
2996 unless you allow third parties to pick trust CAs for client auth.
3007 * Fixed paths for check_config.h in example config files. (Found by bachp)
3010 = mbed TLS 2.1.1 released 2015-09-17
3013 * Add countermeasure against Lenstra's RSA-CRT attack for PKCS#1 v1.5
3015 https://securityblog.redhat.com/2015/09/02/factoring-rsa-keys-with-tls-perfect-forward-secrecy/
3016 * Fix possible client-side NULL pointer dereference (read) when the client
3019 afl-fuzz.)
3023 * Fix off-by-one error in parsing Supported Point Format extension that
3031 (MBEDTLS_SSL_DTLS_HELLO_VERIFY defined in config.h, and usable cookie
3034 MBEDTLS_ERR_SSL_CLIENT_RECONNECT - it is then possible to start a new
3037 = mbed TLS 2.1.0 released 2015-09-04
3040 * Added support for yotta as a build system.
3045 * Fix build error with CMake and pre-4.5 versions of GCC (found by Hugo
3053 * Fix compile error with armcc 5 with --gnu option.
3058 * Fix missing -static-libgcc when building shared libraries for Windows
3060 * Fix link error when building shared libraries for Windows with make.
3067 * Fix -Wshadow warnings (found by hnrkp) (#240)
3069 SSL_MAX_CONTENT_LEN or higher - not triggerrable remotely (found by
3077 * It is now possible to #include a user-provided configuration file at the
3078 end of the default config.h by defining MBEDTLS_USER_CONFIG_FILE on the
3081 trusted, no later cert is checked. (suggested by hannes-landeholm)
3088 = mbed TLS 2.0.0 released 2015-07-13
3091 * Support for DTLS 1.0 and 1.2 (RFC 6347).
3095 * New server-side implementation of session tickets that rotate keys to
3098 which algorithms and key sizes (curves for ECDSA) are acceptable.
3101 * Introduced a concept of presets for SSL security-relevant configuration
3106 You now need to link to all of them if you use TLS for example.
3109 Migration helpers scripts/rename.pl and include/mbedtls/compat-1.3.h are
3110 provided. Full list of renamings in scripts/data_files/rename-1.3-2.0.txt
3112 mbedtls_cipher_info_t.key_length -> key_bitlen
3113 mbedtls_cipher_context_t.key_length -> key_bitlen
3114 mbedtls_ecp_curve_info.size -> bit_size
3119 mbedtls_ssl_init() -> mbedtls_ssl_setup()
3120 mbedtls_ccm_init() -> mbedtls_ccm_setkey()
3121 mbedtls_gcm_init() -> mbedtls_gcm_setkey()
3122 mbedtls_hmac_drbg_init() -> mbedtls_hmac_drbg_seed(_buf)()
3123 mbedtls_ctr_drbg_init() -> mbedtls_ctr_drbg_seed()
3124 Note that for mbedtls_ssl_setup(), you need to be done setting up the
3129 (see rename.pl and compat-1.3.h above) and their first argument's type
3132 additional callback for read-with-timeout).
3151 mbedtls_x509_crt_verify() (flags, f_vrfy -> needs to be updated)
3152 mbedtls_ssl_conf_verify() (f_vrfy -> needs to be updated)
3153 * The following functions changed prototype to avoid an in-out length
3159 * In the NET module, all "int" and "int *" arguments for file descriptors
3161 * net_accept() gained new arguments for the size of the client_ip buffer.
3166 * pk_sign() no longer accepts md_alg == POLARSSL_MD_NONE with ECDSA.
3171 * Test certificates in certs.c are no longer guaranteed to be nul-terminated
3175 length parameter to include the terminating null byte for PEM input.
3179 (Thanks to Mansour Moufid for helping with the replacement.)
3180 * Change SSL_DISABLE_RENEGOTIATION config.h flag to SSL_RENEGOTIATION
3181 (support for renegotiation now needs explicit enabling in config.h).
3183 in config.h
3200 * Removed compat-1.2.h (helper for migrating from 1.2 to 1.3).
3204 been removed (compiler is required to support 32-bit operations).
3207 * Removed test program ssl_test, superseded by ssl-opt.sh.
3208 * Removed helper script active-config.pl
3214 Semi-API changes (technically public, morally private)
3229 * Support for receiving SSLv2 ClientHello is now disabled by default at
3231 * The default authmode for SSL/TLS clients is now REQUIRED.
3232 * Support for RSA_ALT contexts in the PK layer is now optional. Since is is
3234 custom config.h
3235 * Default DHM parameters server-side upgraded from 1024 to 2048 bits.
3239 * The following functions are now case-sensitive:
3258 * DTLS no longer hard-depends on TIMING_C, but uses a callback interface
3262 * With UDP sockets, it is no longer necessary to call net_bind() again
3267 thread-safe if MBEDTLS_THREADING_C is enabled.
3268 * Reduced ROM fooprint of SHA-256 and added an option to reduce it even
3277 * Add countermeasure against "Lucky 13 strikes back" cache-based attack,
3284 * Add support for reading DH parameters with privateValueLength included
3286 * Add support for bit strings in X.509 names (request by Fredrik Axelsson).
3287 * Add support for id-at-uniqueIdentifier in X.509 names.
3288 * Add support for overriding snprintf() (except on Windows) and exit() in
3292 * Improved Makefiles for Windows targets by fixing library targets and making
3293 cross-compilation easier (thanks to Alon Bar-Lev).
3294 * The benchmark program also prints heap usage for public-key primitives
3296 * New script ecc-heap.sh helps measuring the impact of ECC parameters on
3297 speed and RAM (heap only for now) usage.
3299 reduced configurations (PSK-CCM and NSA suite B).
3300 * Add config flag POLARSSL_DEPRECATED_WARNING (off by default) to produce
3302 * Add config flag POLARSSL_DEPRECATED_REMOVED (off by default) to produce
3318 * Fix detection of support for getrandom() on Linux (reported by syzzer) by
3331 * Fix potential unintended sign extension in asn1_get_len() on 64-bit
3335 POLARSSL_SSL_SSESSION_TICKETS where both enabled in config.h (introduced
3338 * Add missing dependency on SHA-256 in some x509 programs (reported by
3349 * compat-1.2.h and openssl.h are deprecated.
3352 (contributed by Alon Bar-Lev).
3353 * ssl_set_own_cert() no longer calls pk_check_pair() since the
3354 performance impact was bad for some users (this was introduced in 1.3.10).
3355 * Move from SHA-1 to SHA-256 in example programs using signatures
3360 brackets for uniformity with the rest of the code.
3363 = mbed TLS 1.3.10 released 2015-02-09
3365 * NULL pointer dereference in the buffer-based allocator when the buffer is
3369 * Fix remotely-triggerable uninitialised pointer dereference caused by
3370 crafted X.509 certificate (TLS server is not affected if it doesn't ask for a
3372 * Fix remotely-triggerable memory leak caused by crafted X.509 certificates
3373 (TLS server is not affected if it doesn't ask for a client certificate)
3376 (TLS server is not affected if it doesn't ask for a client certificate)
3379 Bleichenbacher-style attack in the RSA and RSA-PSK key exchanges
3383 * Add support for FALLBACK_SCSV (draft-ietf-tls-downgrade-scsv).
3384 * Add support for Extended Master Secret (draft-ietf-tls-session-hash).
3385 * Add support for Encrypt-then-MAC (RFC 7366).
3388 * Add compile-time option POLARSSL_X509_MAX_INTERMEDIATE_CA to limit the
3390 * Support for renegotiation can now be disabled at compile-time
3391 * Support for 1/n-1 record splitting, a countermeasure against BEAST.
3392 * Certificate selection based on signature hash, preferring SHA-1 over SHA-2
3393 for pre-1.2 clients when multiple certificates are available.
3394 * Add support for getrandom() syscall on recent Linux kernels with Glibc or
3403 add_len (found by Jean-Philippe Aumasson) (not triggerable remotely).
3414 * Fix assembly selection for MIPS64 (thanks to James Cowgill).
3419 issue with some servers when a zero-length extension was sent. (Reported
3421 * On a 0-length input, base64_encode() did not correctly set output length
3425 * Use deterministic nonces for AEAD ciphers in TLS by default (possible to
3426 switch back to random with POLARSSL_SSL_AEAD_RANDOM_IV in config.h).
3428 * ssl_set_own_cert() now returns an error on key-certificate mismatch.
3432 but none of them is usable due to external factors such as no certificate
3433 with a suitable (extended)KeyUsage or curve or no PSK set.
3434 * It is now possible to disable negotiation of truncated HMAC server-side
3436 * Example programs for SSL client and server now disable SSLv3 by default.
3437 * Example programs for SSL client and server now disable RC4 by default.
3440 = PolarSSL 1.3.9 released 2014-10-20
3444 * Remotely-triggerable memory leak when parsing some X.509 certificates
3445 (server is not affected if it doesn't ask for a client certificate)
3447 * Remotely-triggerable memory leak when parsing crafted ClientHello
3454 * Fix net_accept() regarding non-blocking sockets (found by Luca Pesce).
3456 * Fix warnings from Clang's scan-build (contributed by Alfred Klomp).
3459 * Remove non-existent file from VS projects (found by Peter Vaskovic).
3460 * ssl_read() could return non-application data records on server while
3462 * Server-initiated renegotiation would fail with non-blocking I/O if the
3465 with non-blocking I/O.
3473 * Ciphersuites using SHA-256 or SHA-384 now require TLS 1.x (there is no
3474 standard defining how to use SHA-2 with SSL 3.0).
3475 * Ciphersuites using RSA-PSK key exchange new require TLS 1.x (the spec is
3487 = PolarSSL 1.3.8 released 2014-07-11
3489 * Fix length checking for AEAD ciphersuites (found by Codenomicon).
3495 * Support for CCM and CCM_8 ciphersuites
3496 * Support for parsing and verifying RSASSA-PSS signatures in the X.509
3499 * Add example config.h for PSK with CCM, optimized for low RAM usage.
3500 * Optimize for RAM usage in example config.h for NSA Suite B profile.
3503 * Add server-side enforcement of sent renegotiation requests
3505 * Add SSL_CIPHERSUITES config.h flag to allow specifying a list of
3509 * Add LINK_WITH_PTHREAD option in CMake for explicit linking that is
3514 * Selection of hash for signing ServerKeyExchange in TLS 1.2 now picks
3516 * All public contexts have _init() and _free() functions now for simpler
3522 * Remove less-than-zero checks on unsigned numbers
3527 * Fix symlink command for cross compiling with CMake (found by Andre
3534 rejected with CBC-based ciphersuites and TLS >= 1.1
3536 to 32 bytes with CBC-based ciphersuites and TLS >= 1.1
3539 * Restore ability to locally trust a self-signed cert that is not a proper
3540 CA for use as an end entity certificate. (This had been removed in
3542 * Fix preprocessor checks for bn_mul PPC asm (found by Barry K. Nathan).
3543 * Use \n\t rather than semicolons for bn_mul asm, since some assemblers
3545 * Fix off-by-one error in parsing Supported Point Format extension that
3547 * Fix possible miscomputation of the premaster secret with DHE-PSK key
3553 * Fix mpi_write_string() to write "00" as hex output for empty MPI (found
3556 = PolarSSL 1.3.7 released on 2014-05-02
3560 * version_check_feature() added to check for compile-time options at
3561 run-time
3567 * Better support for the different Attribute Types from IETF PKIX (RFC 5280)
3568 * AES-NI now compiles with "old" assemblers too
3577 * Fix false reject in padding check in ssl_decrypt_buf() for CBC
3578 ciphersuites, for full SSL frames of data.
3580 ServerHello when no extensions are present (found by Matthew Page)
3584 big-endian platform when size was not an integer number of limbs
3591 = PolarSSL 1.3.6 released on 2014-04-11
3594 * Support for the ALPN SSL extension
3596 * Enable verification of the keyUsage extension for CA and leaf
3611 * The notAfter date of some certificates was no longer checked since 1.3.5.
3612 This affects certificates in the user-supplied chain except the top
3613 certificate. If the user-supplied chain contains only one certificates,
3632 * dhm_parse_dhm() (hence dhm_parse_dhmfile()) did not set dhm->len.
3633 * Calling pk_debug() on an RSA-alt key would segfault.
3634 * pk_get_size() and pk_get_len() were off by a factor 8 for RSA-alt keys.
3640 = PolarSSL 1.3.5 released on 2014-03-26
3642 * HMAC-DRBG as a separate module
3644 * Single Platform compatilibity layer (for memory / printf / fprintf)
3646 * Ability to force the entropy module to use SHA-256 as its basis
3648 * Testing script ssl-opt.sh added for testing 'live' ssl option
3650 * Support for reading EC keys that use SpecifiedECDomain in some cases.
3656 now thread-safe if POLARSSL_THREADING_C defined
3660 * Revamped the compat.sh interoperatibility script to include support for
3672 * Possible remotely-triggered out-of-bounds memory access fixed (found by
3679 * Fixed testing with out-of-source builds using cmake
3680 * Fixed version-major intolerance in server
3681 * Fixed CMake symlinking on out-of-source builds
3684 * Bignum's MIPS-32 assembly was used on MIPS-64, causing chaos. (Found by
3688 * Fixed bug with session tickets and non-blocking I/O in the unlikely case
3701 = PolarSSL 1.3.4 released on 2014-01-27
3703 * Support for the Koblitz curves: secp192k1, secp224k1, secp256k1
3704 * Support for RIPEMD-160
3705 * Support for AES CFB8 mode
3706 * Support for deterministic ECDSA (RFC 6979)
3720 = PolarSSL 1.3.3 released on 2013-12-31
3723 * Support for adhering to client ciphersuite order preference
3725 * Support for Curve25519
3726 * Support for ECDH-RSA and ECDH-ECDSA key exchanges and ciphersuites
3727 * Support for IPv6 in the NET module
3728 * AES-NI support for AES, AES-GCM and AES key scheduling
3729 * SSL Pthread-based server example added (ssl_pthread_server)
3736 * More constant-time checks in the RSA module
3744 * Fixed X.509 hostname comparison (with non-regular characters)
3746 * Missing defines / cases for RSA_PSK key exchange
3757 * Possible remotely-triggered out-of-bounds memory access fixed (found by
3760 = PolarSSL 1.3.2 released on 2013-11-04
3763 * Added optional optimization for NIST MODP curves (POLARSSL_ECP_NIST_OPTIM)
3764 * Support for Camellia-GCM mode and ciphersuites
3767 * Padding checks in cipher layer are now constant-time
3768 * Value comparisons in SSL layer are now constant-time
3769 * Support for serialNumber, postalAddress and postalCode in X509 names
3781 * Server-side initiated renegotiations send HelloRequest
3783 = PolarSSL 1.3.1 released on 2013-10-15
3785 * Support for Brainpool curves and TLS ciphersuites (RFC 7027)
3786 * Support for ECDHE-PSK key-exchange and ciphersuites
3787 * Support for RSA-PSK key-exchange and ciphersuites
3790 * RSA blinding locks for a smaller amount of time
3792 * Introduced POLARSSL_HAVE_READDIR_R for systems without it
3793 * config.h is more script-friendly
3801 * Better support for MSVC
3805 = PolarSSL 1.3.0 released on 2013-10-01
3809 * Ephemeral Elliptic Curve Diffie Hellman support for SSL/TLS
3810 (ECDHE-based ciphersuites)
3811 * Ephemeral Elliptic Curve Digital Signature Algorithm support for SSL/TLS
3812 (ECDSA-based ciphersuites)
3814 * PSK and DHE-PSK based ciphersuites added
3816 * Buffer-based memory allocator added (no malloc() / free() / HEAP usage)
3821 * Support for max_fragment_length extension (RFC 6066)
3822 * Support for truncated_hmac extension (RFC 6066)
3823 * Support for zeros-and-length (ANSI X.923) padding, one-and-zeros
3824 (ISO/IEC 7816-4) padding and zero padding in the cipher layer
3825 * Support for session tickets (RFC 5077)
3830 * Optional blinding for RSA, DHM and EC
3831 * Support for multiple active certificate / key pairs in SSL servers for
3839 * Internals for SSL module adapted to have separate IV pointer that is
3840 dynamically set (Better support for hardware acceleration)
3842 prototypes for the RSA sign and verify functions changed as a result
3850 * All RSA operations require a random generator for blinding purposes
3852 * x509_crt_verify() now case insensitive for cn (RFC 6125 6.4)
3853 * Also compiles / runs without time-based functions (!POLARSSL_HAVE_TIME)
3860 * Support for AIX header locations in net.c module
3865 (found by Cyril Arnaud and Pierre-Alain Fouque)
3868 = Version 1.2.14 released 2015-05-??
3876 * Add countermeasure against "Lucky 13 strikes back" cache-based attack,
3884 * Fix potential unintended sign extension in asn1_get_len() on 64-bit
3887 = Version 1.2.13 released 2015-02-16
3888 Note: Although PolarSSL has been renamed to mbed TLS, no changes reflecting
3892 * Fix remotely-triggerable uninitialised pointer dereference caused by
3894 for a client certificate) (found using Codenomicon Defensics).
3895 * Fix remotely-triggerable memory leak caused by crafted X.509 certificates
3896 (TLS server is not affected if it doesn't ask for a client certificate)
3899 (TLS server is not affected if it doesn't ask for a client certificate)
3902 (TLS server is not affected if it doesn't ask for a client certificate).
3908 add_len (found by Jean-Philippe Aumasson) (not triggerable remotely).
3913 * Fix assembly selection for MIPS64 (thanks to James Cowgill).
3918 issue with some servers when a zero-length extension was sent. (Reported
3920 * On a 0-length input, base64_encode() did not correctly set output length
3926 * Add compile-time option POLARSSL_X509_MAX_INTERMEDIATE_CA to limit the
3928 = Version 1.2.12 released 2014-10-24
3931 * Remotely-triggerable memory leak when parsing some X.509 certificates
3932 (server is not affected if it doesn't ask for a client certificate).
3939 with non-blocking I/O.
3943 * Fix net_accept() regarding non-blocking sockets (found by Luca Pesce).
3944 * ssl_read() could return non-application data records on server while
3946 * Fix warnings from Clang's scan-build (contributed by Alfred Klomp).
3955 = Version 1.2.11 released 2014-07-11
3960 * Introduced POLARSSL_HAVE_READDIR_R for systems without it
3978 * Fix length checking for AEAD ciphersuites (found by Codenomicon).
3983 * Fixed X.509 hostname comparison (with non-regular characters)
3996 * Fixed testing with out-of-source builds using cmake
3997 * Fixed version-major intolerance in server
3998 * Fixed CMake symlinking on out-of-source builds
3999 * Bignum's MIPS-32 assembly was used on MIPS-64, causing chaos. (Found by
4010 when no extensions are present (found by Matthew Page)
4014 big-endian platform when size was not an integer number of limbs
4018 * Fix preprocessor checks for bn_mul PPC asm (found by Barry K. Nathan).
4019 * Use \n\t rather than semicolons for bn_mul asm, since some assemblers
4025 = Version 1.2.10 released 2013-10-07
4027 * Changed RSA blinding to a slower but thread-safe version
4034 = Version 1.2.9 released 2013-10-01
4036 * x509_verify() now case insensitive for cn (RFC 6125 6.4)
4047 (found by Cyril Arnaud and Pierre-Alain Fouque)
4049 = Version 1.2.8 released 2013-06-19
4053 * Centralized module option values in config.h to allow user-defined
4059 and specific DER parser functions for the PKCS#1 and unencrypted
4061 * Added mechanism to provide alternative implementations for all
4063 config.h)
4070 * Fixed offset for cert_type list in ssl_parse_certificate_request()
4071 * Fixed const correctness issues that have no impact on the ABI
4078 * Fixed values for 2-key Triple DES in cipher layer
4083 PEM-encoded certificates has been fixed (found by Jack Lloyd)
4085 = Version 1.2.7 released 2013-04-13
4090 * Default Blowfish keysize is now 128-bits
4094 * Fix for MPI assembly for ARM
4097 = Version 1.2.6 released 2013-03-11
4099 * Fixed memory leak in ssl_free() and ssl_reset() for active session
4100 * Corrected GCM counter incrementation to use only 32-bits instead of
4101 128-bits (found by Yawning Angel)
4102 * Fixes for 64-bit compilation with MS Visual Studio
4103 * Fixed net_bind() for specified IP addresses on little endian systems
4104 * Fixed assembly code for ARM (Thumb and regular) for some compilers
4110 * Added support for custom labels when using rsa_rsaes_oaep_encrypt()
4112 * Re-added handling for SSLv2 Client Hello when the define
4121 rsa_rsaes_pkcs1_v15_decrypt() and rsa_pkcs1_decrypt() for PKCS#1 v1.5
4124 = Version 1.2.5 released 2013-02-02
4126 * Allow enabling of dummy error_strerror() to support some use-cases
4129 * Sending of security-relevant alert messages that do not break
4137 = Version 1.2.4 released 2013-01-25
4146 * Correctly handle CertificateRequest message in client for <= TLS 1.1
4149 = Version 1.2.3 released 2012-11-26
4153 = Version 1.2.2 released 2012-11-24
4155 * Added p_hw_data to ssl_context for context specific hardware acceleration
4157 * During verify trust-CA is only checked for expiration and CRL presence
4163 = Version 1.2.1 released 2012-11-20
4166 bottom-up (Peer cert depth is 0)
4169 * Fixes for MSVC6
4172 Pégourié-Gonnard)
4174 Pégourié-Gonnard)
4175 * Added max length check for rsa_pkcs1_sign with PKCS#1 v2.1
4177 = Version 1.2.0 released 2012-10-31
4179 * Added support for NULL cipher (POLARSSL_CIPHER_NULL_CIPHER) and weak
4182 * Added support for wildcard certificates
4183 * Added support for multi-domain certificates through the X509 Subject
4189 * Added base Galois Counter Mode (GCM) for AES
4193 * Added support for Hardware Acceleration hooking in SSL/TLS
4209 * AES code only check for Padlock once
4210 * Fixed const-correctness mpi_get_bit()
4211 * Documentation for mpi_lsb() and mpi_msb()
4217 * Removed handling for SSLv2 Client Hello (as per RFC 5246 recommendation)
4239 * Fixed MPI assembly for SPARC64 platform
4245 = Version 1.1.8 released on 2013-10-01
4251 * Potential buffer-overflow for ssl_read_record() (independently found by
4256 = Version 1.1.7 released on 2013-06-19
4265 * Fixed values for 2-key Triple DES in cipher layer
4270 PEM-encoded certificates has been fixed (found by Jack Lloyd)
4272 = Version 1.1.6 released on 2013-03-11
4274 * Fixed net_bind() for specified IP addresses on little endian systems
4277 * Allow enabling of dummy error_strerror() to support some use-cases
4285 rsa_rsaes_pkcs1_v15_decrypt() and rsa_pkcs1_decrypt() for PKCS#1 v1.5
4288 = Version 1.1.5 released on 2013-01-16
4290 * Fixed MPI assembly for SPARC64 platform
4299 Pégourié-Gonnard)
4301 Pégourié-Gonnard)
4302 * Added max length check for rsa_pkcs1_sign with PKCS#1 v2.1
4306 * Fixes for MSVC6
4312 = Version 1.1.4 released on 2012-05-31
4318 = Version 1.1.3 released on 2012-04-29
4322 = Version 1.1.2 released on 2012-04-26
4329 Frama-C team at CEA LIST)
4333 = Version 1.1.1 released on 2012-01-23
4335 * Check for failed malloc() in ssl_set_hostname() and x509_get_entries()
4337 * Fixed issues with Intel compiler on 64-bit systems (Closes ticket #50)
4338 * Fixed multiple compiler warnings for VS6 and armcc
4341 = Version 1.1.0 released on 2011-12-22
4343 * Added ssl_session_reset() to allow better multi-connection pools of
4344 SSL contexts without needing to set all non-connection-specific
4351 * Added CTR_DRBG based on AES-256-CTR (NIST SP 800-90) random generator
4352 * Added a generic entropy accumulator that provides support for adding
4357 * Documentation for AES and Camellia in modes CTR and CFB128 clarified.
4358 * Fixed rsa_encrypt and rsa_decrypt examples to use public key for
4359 encryption and private key for decryption. (Closes ticket #34)
4360 * Inceased maximum size of ASN1 length reads to 32-bits.
4365 * Changed the defined key-length of DES ciphers in cipher.h to include the
4370 trade-off
4371 * Introduced POLARSSL_MPI_MAX_SIZE and POLARSSL_MPI_MAX_BITS for MPI size
4379 encountering a parse-error. Beware that the meaning of return values has
4384 * Fixed faulty HMAC-MD2 implementation. Found by dibac. (Closes
4390 * Fixed incorrect behaviour in case of RSASSA-PSS with a salt length
4394 * Improved build support for s390x and sparc64 in bignum.h
4399 = Version 1.0.0 released on 2011-07-27
4401 * Expanded cipher layer with support for CFB128 and CTR mode
4412 = Version 0.99-pre5 released on 2011-05-26
4427 instead of int for buffer lengths and loop variables for
4445 = Version 0.99-pre4 released on 2011-04-01
4447 * Added support for PKCS#1 v2.1 encoding and thus support
4448 for the RSAES-OAEP and RSASSA-PSS operations.
4451 * Added mpi_fill_random() for centralized filling of big numbers
4463 platform (32-bit / 64-bit) (Fixes ticket #19, found by Mads
4467 * Fixed proper handling of RSASSA-PSS verification with variable
4470 = Version 0.99-pre3 released on 2011-02-28
4471 This release replaces version 0.99-pre2 which had possible copyright issues.
4480 ticket #13). Also possible to remove PEM support for
4491 * Do not bail out if no client certificate specified. Try
4496 * Fixed a possible Man-in-the-Middle attack on the
4500 = Version 0.99-pre1 released on 2011-01-30
4502 Note: Most of these features have been donated by Fox-IT
4509 * Detection for DES weak keys and parity bits added
4518 * Added support for PKCS#11 through the use of the
4519 libpkcs11-helper library
4530 = Version 0.14.0 released on 2010-08-16
4532 * Added support for SSL_EDH_RSA_AES_128_SHA and
4534 * Added compile-time and run-time version information
4535 * Expanded ssl_client2 arguments for more flexibility
4536 * Added support for TLS v1.1
4548 * Fixed CMake out of source build for tests (found by
4554 = Version 0.13.1 released on 2010-03-24
4559 = Version 0.13.0 released on 2010-03-21
4561 * Added option parsing for host and port selection to
4563 * Added support for GeneralizedTime in X509 parsing
4569 * Added const correctness for main code base
4575 * Added reset function for HMAC context as speed-up
4576 for specific use-cases
4582 * Added small fixes for compiler warnings on a Mac
4587 = Version 0.12.1 released on 2009-10-04
4598 = Version 0.12.0 released on 2009-07-28
4601 * Added preliminary Code Coverage tests for AES, ARC4,
4602 Base64, MPI, SHA-family, MD-family, HMAC-SHA-family,
4603 Camellia, DES, 3-DES, RSA PKCS#1, XTEA, Diffie-Hellman
4608 this is mind when checking for errors.
4609 * RSA_RAW renamed to SIG_RSA_RAW for consistency.
4611 * Changed interface for AES and Camellia setkey functions
4619 * Fixed HMAC-MD2 by modifying md2_starts(), so that the
4638 * Corrected is_prime() results for 0, 1 and 2 (found by
4640 * Fixed Camellia and XTEA for 64-bit Windows systems.
4642 = Version 0.11.1 released on 2009-05-17
4643 * Fixed missing functionality for SHA-224, SHA-256, SHA384,
4644 SHA-512 in rsa_pkcs1_sign()
4646 = Version 0.11.0 released on 2009-05-03
4650 * Added support for SHA-224, SHA-256, SHA-384 and SHA-512
4658 * Centralized file opening and reading for x509 files into
4660 * Made definition of net_htons() endian-clean for big endian
4664 * Fixed an off-by-one buffer allocation in ssl_set_hostname()
4665 responsible for crashes and unwanted behaviour.
4666 * Added support for Certificate Revocation List (CRL) parsing.
4667 * Added support for CRL revocation to x509parse_verify() and
4669 * Fixed compatibility of XTEA and Camellia on a 64-bit system
4672 = Version 0.10.0 released on 2009-01-12
4676 * Added support for ciphersuites: SSL_RSA_CAMELLIA_128_SHA,
4684 = Version 0.9 released on 2008-03-16
4686 * Added support for ciphersuite: SSL_RSA_AES_128_SHA
4687 * Enabled support for large files by default in aescrypt2.c
4690 be sent twice in non-blocking mode when send returns EAGAIN
4693 * Added user-defined callback debug function (Krystian Kolodziej)
4699 output data is non-aligned by falling back to the software
4700 implementation, as VIA Nehemiah cannot handle non-aligned buffers
4702 Robson-Garth; some x509write.c fixes by Pascal Vizeli, thanks to
4705 an INTEGER instead of a BOOLEAN for BasicConstraints::cA.
4706 * Added support on the client side for the TLS "hostname" extension
4711 * Updated rsa_check_privkey() to verify that (D*E) = 1 % (P-1)*(Q-1)
4716 * Fixed a critical denial-of-service with X.509 cert. verification:
4718 for which the RSA signature check fails (bug reported by Benoit)
4719 * Added test vectors for: AES-CBC, AES-CFB, DES-CBC and 3DES-CBC,
4720 HMAC-MD5, HMAC-SHA1, HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512
4721 * Fixed HMAC-SHA-384 and HMAC-SHA-512 (thanks to Josh Sinykin)
4724 as the Klima-Pokorny-Rosa extension of Bleichenbacher's attack
4725 * Updated rsa_gen_key() so that ctx->N is always nbits in size
4729 = Version 0.8 released on 2007-10-20
4737 * Added user-defined callbacks for handling I/O and sessions
4740 * Added preliminary support for the VIA PadLock routines
4741 * Added AES-CFB mode of operation, contributed by chmike
4745 * Updated ssl_read() to skip 0-length records from OpenSSL
4747 * Fixed a bug in mpi_read_binary() on 64-bit platforms
4754 = Version 0.7 released on 2007-07-07
4756 * Added support for the MicroBlaze soft-core processor
4758 connections from being established with non-blocking I/O
4762 * Added the SHA-224, SHA-384 and SHA-512 hash functions
4770 = Version 0.6 released on 2007-04-01
4774 * Added multiply assembly code for the TriCore and modified
4775 havege_struct for this processor, thanks to David Patiño
4776 * Added multiply assembly code for 64-bit PowerPCs,
4779 * Added support for autoconf, contributed by Arnaud Cornet
4780 * Fixed "long long" compilation issues on IA-64 and PPC64
4781 * Fixed a bug introduced in xyssl-0.5/timing.c: hardclock
4784 = Version 0.5 released on 2007-03-01
4786 * Added multiply assembly code for SPARC and Alpha
4787 * Added (beta) support for non-blocking I/O operations
4790 (thanks to Benjamin Newman), HP-UX, FreeBSD and Solaris
4795 = Version 0.4 released on 2007-02-01
4797 * Added support for Ephemeral Diffie-Hellman key exchange
4798 * Added multiply asm code for SSE2, ARM, PPC, MIPS and M68K
4808 = Version 0.3 released on 2007-01-01
4810 * Added server-side SSLv3 and TLSv1.0 support
4814 the bignum code is no longer dependent on long long
4816 * Updated timing.c for improved compatibility with i386
4819 = Version 0.2 released on 2006-12-01
4830 the Miller-Rabin primality test
4832 I'd also like to thank Younès Hafri for the CRUX linux port,
4834 who maintains the Debian package :-)
4836 = Version 0.1 released on 2006-11-01