Lines Matching +full:ipv4 +full:- +full:config +full:- +full:causing +full:- +full:fallback +full:- +full:to +full:- +full:tcp
3 = Mbed TLS 3.6.0 branch released 2024-03-28
12 The undocumented ability to import other formats (PKCS#8, SubjectPublicKey,
21 * Rename the MBEDTLS_SHA256_USE_A64_CRYPTO_xxx config options to
31 * In the PSA API, the experimental way to encode the public exponent of
34 * Temporary function mbedtls_pk_wrap_as_opaque() is removed. To mimic the
36 mbedtls_pk_import_into_psa() can be used to import a PK key into PSA,
37 while mbedtls_pk_setup_opaque() can be used to wrap a PSA key into a opaque
41 * Added an example program showing how to hash with the PSA API.
42 * Support Armv8-A Crypto Extension acceleration for SHA-256
43 when compiling for Thumb (T32) or 32-bit Arm (A32).
44 * AES-NI is now supported in Windows builds with clang and clang-cl.
48 * Enable the new option MBEDTLS_BLOCK_CIPHER_NO_DECRYPT to omit
50 This affects both the low-level modules and the high-level APIs
53 * Support use of Armv8-A Cryptographic Extensions for hardware acclerated
54 AES when compiling for Thumb (T32) or 32-bit Arm (A32).
56 library without the corresponding built-in implementation. Generally
57 speaking that requires both the key type and algorithm to be accelerated
58 or they'll both be built in. However, for CCM and GCM the built-in
59 implementation is able to take advantage of a driver that only
61 docs/driver-only-builds.md for full details and current limitations.
63 disabled. This requires PSA_WANT_ALG_ECB_NO_PADDING in addition to
65 * Fewer modules depend on MBEDTLS_CIPHER_C, making it possible to save code
69 unauthenticated (non-AEAD) ciphers are disabled, or if they're all
70 fully provided by drivers. See docs/driver-only-builds.md for full
75 Application data sent and received will be fragmented according to
77 * Improve performance of AES-GCM, AES-CTR and CTR-DRBG when
78 hardware accelerated AES is not present (around 13-23% on 64-bit Arm).
80 to convert between Mbed TLS and PSA curve identifiers.
81 * Add utility functions to manipulate mbedtls_ecp_keypair objects, filling
86 mbedtls_md_type_from_psa_alg() to convert between mbedtls_md_type_t and
90 * Add functions mbedtls_ecdsa_raw_to_der() and mbedtls_ecdsa_der_to_raw() to
92 * Add support for using AES-CBC 128, 192, and 256 bit schemes
96 * Add pc files for pkg-config, e.g.:
97 pkg-config --cflags --libs (mbedtls|mbedcrypto|mbedx509)
98 * Add getter (mbedtls_ssl_session_get_ticket_creation_time()) to access
101 mbedtls_pk_import_into_psa() provide a uniform way to create a PSA
105 * Add support for 8-bit GCM tables for Shoup's algorithm to speedup GCM
107 performance by around 30% on 64-bit Intel; 125% on Armv7-M.
110 * The new function mbedtls_ecp_write_key_ext() is similar to
113 * Add new accessor to expose the private group id member of
115 * Add new accessor to expose the `MBEDTLS_PRIVATE(ca_istrue)` member of
125 mbedtls_pk_copy_public_from_psa() provide ways to set up a PK context
127 * Add new accessors to expose the private session-id,
128 session-id length, and ciphersuite-id members of
130 Add new accessor to expose the ciphersuite-id of
133 docs/tls13-early-data.md). The support enablement is controlled at build
136 * Add protection for multithreaded access to the PSA keystore and protection
137 for multithreaded access to the the PSA global state, including
140 docs/architecture/psa-thread-safety/psa-thread-safety.md for more details.
148 to PSA functions is now secure by default.
152 This feature increases code size and memory usage. If buffers passed to
156 Note that setting this option will cause input-output buffer overlap to
158 Fixes CVE-2024-28960.
159 * Restore the maximum TLS version to be negotiated to the configured one
161 An attacker was able to prevent an Mbed TLS server from establishing any
163 version downgrade from TLS 1.3 to TLS 1.2. Fixes #8654 reported by hey3e.
164 Fixes CVE-2024-28755.
165 * When negotiating TLS version on server side, do not fall back to the
167 - If the TLS 1.2 implementation was disabled at build time, a TLS 1.2
168 client could put the TLS 1.3-only server in an infinite loop processing
171 - If the TLS 1.2 implementation was disabled at runtime, a TLS 1.2 client
172 was able to successfully establish a TLS 1.2 connection with the server.
174 Fixes CVE-2024-28836.
177 * Fix the build with CMake when Everest or P256-m is enabled through
188 * Fix build failure in conda-forge. Fixes #8422.
190 * Switch to milliseconds as the unit for ticket creation and reception time
192 tickets compared to peer using a millisecond clock (observed with GnuTLS).
201 * On Linux on ARMv8, fix a build error with SHA-256 and SHA-512
205 TLS12_PSK_TO_MS, PBKDF2-HMAC, PBKDF2-CMAC
213 mbedtls_pk_encrypt() on non-opaque RSA keys to honor the padding mode in
219 allowed SSL sessions saved in one configuration to be loaded in a
221 * In TLS 1.3 clients, fix an interoperability problem due to the client
234 * Use heap memory to allocate DER encoded public/private key.
236 key to a PEM string.
239 individually enabled in order to enable respective support; also the
243 mbedtls_ecc_group_of_psa from psa/crypto_extra.h to mbedtls/psa_util.h
247 to select only some of the parameters / groups, with the macros
248 PSA_WANT_DH_RFC7919_XXXX. You now need to defined the corresponding macro
249 for each size you want to support. Also, if you have an FFDH accelerator,
250 you'll need to define the appropriate MBEDTLS_PSA_ACCEL macros to signal
252 * RSA support in PSA no longer auto-enables the pkparse and pkwrite modules,
259 * Rename directory containing Visual Studio files from visualc/VS2013 to
263 = Mbed TLS 3.5.2 branch released 2024-01-26
267 could be sufficient for an attacker to recover the plaintext. A local
268 attacker or a remote attacker who is close to the victim on the network
269 might have precise enough timing measurements to exploit this. It requires
270 the attacker to send a large number of messages for decryption. For
273 * Fix a failure to validate input when writing x509 extensions lengths which
274 could result in an integer overflow, causing a zero-length buffer to be
275 allocated to hold the extension. The extension would then be copied into
276 the buffer, causing a heap buffer overflow.
278 = Mbed TLS 3.5.1 branch released 2023-11-06
281 * Mbed TLS is now released under a dual Apache-2.0 OR GPL-2.0-or-later
288 = Mbed TLS 3.5.0 branch released 2023-10-05
291 * Mbed TLS 3.4 introduced support for omitting the built-in implementation
292 of ECDSA and/or EC J-PAKE when those are provided by a driver. However,
293 there was a flaw in the logic checking if the built-in implementation, in
294 that it failed to check if all the relevant curves were supported by the
295 accelerator. As a result, it was possible to declare no curves as
296 accelerated and still have the built-in implementation compiled out.
297 Starting with this release, it is necessary to declare which curves are
299 considered not accelerated, and the built-in implementation of the curves
315 IMPORT, EXPORT, GENERATE, DERIVE. The goal is to have a finer detail about
331 been called. Previously (in 3.3), this was restricted to a few modules,
333 entropy module was not covered which meant an external RNG had to be
334 provided - these limitations are lifted in this version. A new set of
336 to check for availability of hash algorithms, regardless of whether
337 they're provided by a built-in implementation, a driver or both. See
338 docs/driver-only-builds.md.
339 * When a PSA driver for ECDH is present, it is now possible to disable
340 MBEDTLS_ECDH_C in the build in order to save code size. For TLS 1.2
341 key exchanges based on ECDH(E) to work, this requires
343 TLS 1.2 (ECDHE-ECDSA key exchange) are not supported in those builds yet,
345 * When all of ECDH, ECDSA and EC J-PAKE are either disabled or provided by
346 a driver, it is possible to disable MBEDTLS_ECP_C (and MBEDTLS_BIGNUM_C
348 algorithms in PSA, with some limitations. See docs/driver-only-builds.txt
352 * Add support for server-side TLS version negotiation. If both TLS 1.2 and
364 parameters from RFC 7919. This includes a built-in implementation based
367 * It is now possible to generate certificates with SubjectAltNames.
375 * Add function mbedtls_oid_from_numeric_string() to parse an OID from a
376 string to a DER-encoded mbedtls_asn1_buf.
377 * Add SHA-3 family hash functions.
378 * Add support to restrict AES to 128-bit keys in order to save code size.
380 used to enable this feature.
383 Aarch64, gcc -Os and CCM, GCM and XTS benefit the most.
384 On Aarch64, uplift is typically around 20 - 110%.
385 When compiling with gcc -Os on Aarch64, AES-XTS improves
387 * Add support for PBKDF2-HMAC through the PSA API.
390 or DH) were introduced in order to have finer accuracy in defining the
393 - DERIVE is only available for ECC keys, not for RSA or DH ones.
394 - implementations are free to enable more than what it was strictly
399 and the ephemeral or psk-ephemeral key exchange mode are enabled.
403 * Reduce syscalls to time() during certificate verification.
404 * Allow MBEDTLS_CONFIG_FILE and MBEDTLS_USER_CONFIG_FILE to be set by
406 * Add getter (mbedtls_ssl_cache_get_timeout()) to access
408 * Add getter (mbedtls_ssl_get_hostname()) to access
410 * Add getter (mbedtls_ssl_conf_get_endpoint()) to access
412 * Support for "opaque" (PSA-held) ECC keys in the PK module has been
413 extended: it is now possible to use mbedtls_pk_write_key_der(),
419 * Add a possibility to generate CSR's with RCF822 and directoryName subtype
421 * Add support for PBKDF2-CMAC through the PSA API.
423 using CPU-accelerated AES (e.g., Arm Crypto Extensions), this option
424 disables the plain C implementation and the run-time detection for the
444 review the size of the output buffer passed to this function, and note
446 to the new functions mbedtls_pkcs5_pbes2_ext() or mbedtls_pkcs12_pbe_ext()
451 (notably recent versions of Clang and IAR) could produce non-constant
453 has access to precise timing measurements.
454 * Updates to constant-time C code so that compilers are less likely to use
456 timing. (Clang has been seen to do this.) Also introduce assembly
457 implementations for 32- and 64-bit Arm and for x86 and x86-64, which are
458 guaranteed not to use conditional instructions.
465 null-cipher cipher suites. Credit to OSS-Fuzz.
467 In TLS 1.3, all configurations are affected except PSK-only ones, and
472 Credit to OSS-Fuzz.
477 than all built-in ones and RSA is disabled.
479 * Add missing md.h includes to some of the external programs from
481 was sufficient for a particular program to work, it would only print
488 MBEDTLS_ECDSA_VERIFY_ALT, causing ecdsa verify to fail. Fixes #7498.
491 * Fix the J-PAKE driver interface for user and peer to accept any values
492 (previously accepted values were limited to "client" or "server").
494 M-class CPUs (Cortex-M0, Cortex-M0+, Cortex-M1, Cortex-M23,
498 way to detect the crypto extensions required. A warning is still issued.
507 mode of operation due to the input not being multiple of block size.
512 example TF-M configuration in configs/ from building cleanly:
517 one of the key exchange modes using ephemeral keys to a server that
524 * Fix x509 certificate generation to conform to RFC 5480 / RFC 5758 when
527 * Fix a potential corruption of the passed-in IV when mbedtls_aes_crypt_cbc()
529 * Fix compile failure due to empty enum in cipher_wrap.c, when building
533 * Don't try to include MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE when
537 mbedtls_x509_san_other_name struct. The type-id of the otherName was not
538 copied to the struct. This meant that the struct had incomplete
544 enabled, where some low-level modules required by requested PSA crypto
550 error code on failure. Before, they returned 1 to indicate failure in
553 * Fix the build with CMake when Everest or P256-m is enabled through
558 compiling with gcc, clang or armclang and -O0.
560 to avoid accidental misuse.
561 * Use heap memory to allocate DER encoded RSA private key.
564 * Update Windows code to use BCryptGenRandom and wcslen, and
570 to psa_crypto_driver_wrappers_no_static.c.
571 * When using CBC with the cipher module, the requirement to call
576 = Mbed TLS 3.4.1 branch released 2023-08-04
582 * Update test data to avoid failures of unit tests after 2023-08-07.
584 = Mbed TLS 3.4.0 branch released 2023-03-28
587 * The default priority order of TLS 1.3 cipher suites has been modified to
594 mbedtls_x509write_crt_set_serial_raw(). The goal here is to remove any
596 * PSA to mbedtls error translation is now unified in psa_util.h,
599 optionally providing file-specific error pairs. Please see psa_util.h for
604 Syntax, as defined in RFC 2315. Currently, support is limited to the
606 - Only the signed-data content type, version 1 is supported.
607 - Only DER encoding is supported.
608 - Only a single digest algorithm per message is supported.
609 - Certificates must be in X.509 format. A message must have either 0
611 - There is no support for certificate revocation lists.
612 - The authenticated and unauthenticated attribute fields of SignerInfo
614 Many thanks to Daniel Axtens, Nayna Jain, and Nick Child from IBM for
615 contributing this feature, and to Demi-Marie Obenour for contributing
619 * Improvements to use of unaligned and byte-swapped memory, reducing code
630 * Add parsing of V3 extensions (key usage, Netscape cert-type,
633 configuration-independent files. This allows them to be generated when
637 * Add an interruptible version of sign and verify hash to the PSA interface,
644 * When a PSA driver for ECDSA is present, it is now possible to disable
645 MBEDTLS_ECDSA_C in the build in order to save code size. For PK, X.509
646 and TLS to fully work, this requires MBEDTLS_USE_PSA_CRYPTO to be enabled.
650 * Add a driver dispatch layer for EC J-PAKE, enabling alternative
651 implementations of EC J-PAKE through the driver entry points.
654 * Add support to include the SubjectAltName extension to a CSR.
655 * Add support for AES with the Armv8-A Cryptographic Extension on
656 64-bit Arm. A new configuration option, MBEDTLS_AESCE_C, can
657 be used to enable this feature. Run-time detection is supported
659 * When a PSA driver for EC J-PAKE is present, it is now possible to disable
660 MBEDTLS_ECJPAKE_C in the build in order to save code size. For the
661 corresponding TLS 1.2 key exchange to work, MBEDTLS_USE_PSA_CRYPTO needs
662 to be enabled.
664 to read non-public fields for padding mode and hash id from
666 * AES-NI is now supported with Visual Studio.
667 * AES-NI is now supported in 32-bit builds, or when MBEDTLS_HAVE_ASM
670 gcc -m32 -msse2 -maes -mpclmul). (Generic x86 builds with GCC-like
671 compilers still require MBEDTLS_HAVE_ASM and a 64-bit target.)
672 * It is now possible to use a PSA-held (opaque) password with the TLS 1.2
677 * Use platform-provided secure zeroization function where possible, such as
680 * Fix a potential heap buffer overread in TLS 1.3 client-side when
682 * Add support for AES with the Armv8-A Cryptographic Extension on 64-bit
683 Arm, so that these systems are no longer vulnerable to timing side-channel
687 builds that couldn't compile the GCC-style assembly implementation
688 (most notably builds with Visual Studio), leaving them vulnerable to
689 timing side-channel attacks. There is now an intrinsics-based AES-NI
690 implementation as a fallback for when the assembly one cannot be used.
697 causing generate_errors.pl to error out resulting in a build failure.
701 ticket timestamps (typically timestamps in milliseconds) compared to the
702 Mbed TLS ticket timestamps (in seconds) to compute a ticket age smaller
708 be toggled with config.py.
714 forbidden by the standard (RFC5280 - section 4.1.2.2) and now it's being
724 certificate parsing, but only on subsequent calls to
727 possible to verify RSA PSS signatures with the pk module, which was
729 * Fix bug in conversion from OID to string in
732 * Reject OIDs with overlong-encoded subidentifiers when converting
733 them to a string.
737 have the most-significant bit set in their last byte.
738 * Silence warnings from clang -Wdocumentation about empty \retval
742 * Fix an unused-variable warning in TLS 1.3-only builds if
746 * Allow setting user and peer identifiers for EC J-PAKE operation
753 * Fix TLS 1.3 session resumption when the established pre-shared key is
754 384 bits long. That is the length of pre-shared keys created under a
765 * Mixed-endian systems are explicitly not supported any more.
768 signatures. This aligns the behaviour with MBEDTLS_USE_PSA_CRYPTO to
771 visualc/VS2010 to visualc/VS2013 as we do not support building with versions
772 older than 2013. Update the solution file to specify VS2013 as a minimum.
774 - now it accepts the serial number in 2 different formats: decimal and
776 - "serial" is used for the decimal format and it's limted in size to
778 - "serial_hex" is used for the hex format; max length here is
783 https://mbed-tls.readthedocs.io/en/latest/kb/how-to/rewrite-branch-for-coding-style/
784 * Changed the default MBEDTLS_ECP_WINDOW_SIZE from 6 to 2.
786 RSA decryption performance has changed lately due to security fixes.
787 To fix the performance degradation when using default values the
788 window was reduced from 6 to 2, a value that gives the best or close
789 to best results when tested on Cortex-M4 and Intel i7.
791 MBEDTLS_SHA512_USE_A64_CRYPTO_*, it is no longer necessary to specify
795 = Mbed TLS 3.3.0 branch released 2022-12-14
801 RFC 9146, which is not interoperable with the draft-05 version.
802 If you need to communicate with peers that use earlier versions of
803 Mbed TLS, then you need to define MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT
804 to 1, but then you won't be able to communicate with peers that use the
805 standard (non-draft) version.
806 If you need to interoperate with both classes of peers with the
814 addition to jinja2. The official list of required Python modules is
829 * Expose the EC J-PAKE functionality through the Draft PSA PAKE Crypto API.
830 Only the ECC primitive with secp256r1 curve and SHA-256 hash algorithm
833 built-in implementation present, but only in some configurations.
834 - RSA OAEP and PSS (PKCS#1 v2.1), PKCS5, PKCS12 and EC J-PAKE now use
836 - PEM parsing of encrypted files now uses MD-5 from PSA when (and only
840 Note that some modules are not able to use hashes from PSA yet, including
841 the entropy module. As a consequence, for now the only way to build with
842 all hashes only provided by drivers (no built-in hash) is to use
846 As a consequence, they now work in configurations where the built-in
848 provided by PSA drivers. (See previous entry for limitation on RSA-PSS
850 * Add support for opaque keys as the private keys associated to certificates
852 * Add the LMS post-quantum-safe stateful-hash asymmetric signature scheme.
853 Signature verification is production-ready, but generation is for testing
855 (LMS_SHA256_M32_H10), meaning that each private key can be used to sign
859 * Add the LM-OTS post-quantum-safe one-time signature scheme, which is
861 be used to sign one message so is impractical for most circumstances.
862 * Mbed TLS now supports TLS 1.3 key establishment via pre-shared keys.
863 The pre-shared keys can be provisioned externally or via the ticket
881 * The TLS 1.2 EC J-PAKE key exchange can now use the PSA Crypto API.
892 * Add an ad-hoc key derivation function handling EC J-PAKE to PMS
893 calculation that can be used to derive the session secret in TLS 1.2,
894 as described in draft-cragie-tls-ecjpake-01. This can be achieved by
901 * Fix an issue where an adversary with access to precise enough information
904 victim performing a single private-key operation if the window size used
906 Wenjian HE, Sharad Sinha, and Wei ZHANG. See "Cache Side-channel Attacks
907 and Defenses of the Sliding Window Algorithm in TEEs" - Design, Automation
911 * Refactor mbedtls_aes_context to support shallow-copying. Fixes #2147.
912 * Fix an issue with in-tree CMake builds in releases with GEN_FILES
914 it could be turned into a symbolic link to itself.
915 * Fix a long-standing build failure when building x86 PIC code with old
917 recommend upgrading to a more recent compiler instead. Fixes #1910.
918 * Fix support for little-endian Microblaze when MBEDTLS_HAVE_ASM is defined.
919 Contributed by Kazuyuki Kimura to fix #2020.
920 * Use double quotes to include private header file psa_crypto_cipher.h.
934 * Fix a build error due to a missing prototype warning when
945 * Fix compilation errors when trying to build with
946 PSA drivers for AEAD (GCM, CCM, Chacha20-Poly1305).
949 Change mbedtls_x509_get_name() to clean up allocated objects on error.
955 public key. This bug meant that it was possible to verify a
961 * Add a configuration check to exclude optional client authentication
963 * Fix a bug in which mbedtls_x509_crt_info() would produce non-printable
970 * In the bignum module, operations of the form (-A) - (+A) or (-A) - (-A)
984 to OSS-Fuzz. Fixes #6597.
987 * Move some SSL-specific code out of libmbedcrypto where it had been placed
993 * Add the ability to query PSA_WANT_xxx macros to query_compile_time_config.
994 * Calling AEAD tag-specific functions for non-AEAD algorithms (which
995 should not be done - they are documented for use only by AES-GCM and
999 = Mbed TLS 3.2.1 branch released 2022-07-12
1002 * Re-add missing generated file library/psa_crypto_driver_wrappers.c
1004 = Mbed TLS 3.2.0 branch released 2022-07-11
1034 * Add accessor to obtain ciphersuite id from ssl context.
1035 * Add accessors to get members from ciphersuite info.
1037 * Add accessor to get the raw buffer pointer from a PEM context.
1041 * Add an accessor function to get the configuration associated with
1043 * Add a function to access the protocol version from an SSL context in a
1044 form that's easy to compare. Fixes #5407.
1045 * Add function mbedtls_md_info_from_ctx() to recall the message digest
1046 information that was used to set up a message digest context.
1050 * Provide mechanism to reset handshake cert list by calling
1052 * Add accessor mbedtls_ssl_get_hs_sni() to retrieve SNI from within
1057 * Add function mbedtls_timing_get_final_delay() to access the private
1060 * Add mbedtls_pk_sign_ext() which allows generating RSA-PSS signatures when
1062 * Add function mbedtls_ecp_export() to export ECP key pair parameters.
1064 * Add function mbedtls_ssl_is_handshake_over() to enable querying if the SSL
1065 Handshake has completed or not, and thus whether to continue calling
1067 * Add the function mbedtls_ssl_get_own_cid() to access our own connection id
1073 mbedtls_ssl_conf_min_tls_version() that use a single value to specify
1075 * Extend the existing PSA_ALG_TLS12_PSK_TO_MS() algorithm to support
1076 mixed-PSK. Add an optional input PSA_KEY_DERIVATION_INPUT_OTHER_SECRET
1081 Furthermore you may name an additional file to include after the main
1083 * Add the function mbedtls_x509_crt_has_ext_type() to access the ext types
1085 * Add HKDF-Expand and HKDF-Extract as separate algorithms in the PSA API.
1086 * Add support for the ARMv8 SHA-2 acceleration instructions when building
1091 first ClientHello was not suitable to the server.
1092 * Add support for client-side TLS version negotiation. If both TLS 1.2 and
1098 establishment only). See docs/architecture/tls13-support.md for a
1101 * Add accessors to configure DN hints for certificate request:
1105 now causes most of them to be done using PSA Crypto; see
1106 docs/use-psa-crypto.md for the list of exceptions.
1110 * Opaque pre-shared keys for TLS, provisioned with
1113 for the "mixed" PSK key exchanges as well: ECDHE-PSK, DHE-PSK, RSA-PSK.
1114 * cmake now detects if it is being built as a sub-project, and in that case
1119 by side in order to illustrate how the operation is performed in PSA.
1123 * Zeroize dynamically-allocated buffers used by the PSA Crypto key storage
1128 * Add the platform function mbedtls_setbuf() to allow buffering to be
1129 disabled on stdio files, to stop secrets loaded from said files being
1132 * Fix a potential heap buffer overread in TLS 1.2 server-side when
1139 or a man-in-the-middle could cause a DTLS server to read up to 255 bytes
1143 and possibly up to 571 bytes with a custom cookie check function.
1146 client or server could cause an MbedTLS server or client to overread up
1147 to 64 kBytes of data and potentially overread the input buffer by that
1155 client or server to be able to authenticate itself through a certificate
1156 to an Mbed TLS TLS 1.3 server or client while it does not own a proper
1157 certificate to do so.
1161 pattern for PSA_WANT_xxx symbols. Previously you had to specify
1169 enabled and an ECDHE-ECDSA or ECDHE-RSA key exchange was used, the
1170 client would fail to check that the curve selected by the server for
1173 according to its configuration. Fixes #5291.
1179 * Fix API violation in mbedtls_md_process() test by adding a call to
1182 to catch bad uses of time.h.
1183 * Fix a race condition in out-of-source builds with CMake when generated data
1188 potentially leading to corrupted alert messages being sent in case
1189 the function needs to be re-called after initially returning
1192 MBEDTLS_DEBUG_C, DTLS handshakes using CID would crash due to a null
1196 documentation stated that the `allowed_pks` field applies to signatures
1197 only, but in fact it does apply to the public key type of the end entity
1207 MBEDTLS_ECDH_LEGACY_CONTEXT caused the program not to run. Fixes #4901 and
1210 been received yet when we first try to fetch it.
1213 * Add mbedtls_x509_dn_get_next function to return the next relative DN in
1214 an X509 name, to allow walking the name list. Fixes #5431.
1217 and other special characters, conforming to RFC 1779. Fixes #769.
1219 * Fix check_config.h to check that we have MBEDTLS_SSL_KEEP_PEER_CERTIFICATE
1223 * Fix a TLS 1.3 handshake failure when the first attempt to send the client
1235 non-compliant. This could not lead to a buffer overflow. In particular,
1245 make to break on a clean checkout. Fixes #5340.
1246 * Work around an MSVC ARM64 compiler bug causing incorrect behaviour
1248 * Removed the prompt to exit from all windows build programs, which was causing
1254 driver descriptions. For the time being, to customize this file,
1255 see docs/proposed/psa-driver-wrappers-codegen-migration-guide.md
1256 * Return PSA_ERROR_INVALID_ARGUMENT if the algorithm passed to one-shot
1261 * Assume source files are in UTF-8 when using MSVC with CMake.
1264 * cmake: Use GnuInstallDirs to customize install directories
1274 = mbed TLS 3.1.0 branch released 2021-12-17
1278 Alternative GCM implementations are expected to verify
1279 the length of the provided output buffers and to return the
1286 POSIX/Unix-like platforms.
1289 * Sign-magnitude and one's complement representations for signed integers are
1308 supported on GCC-like compilers and on MSVC and can be configured through
1312 MBEDTLS_CHECK_RETURN_WARNING to get warnings for other functions. This
1314 extended to other modules in the future.
1317 * Add support for CCM*-no-tag cipher to the PSA.
1318 Currently only 13-byte long IV's are supported.
1319 For decryption a minimum of 16-byte long input is expected.
1320 These restrictions may be subject to change.
1322 * Add functions to get the IV and block size from cipher_info structs.
1323 * Add functions to check if a cipher supports variable IV or key size.
1324 * Add the internal implementation of and support for CCM to the PSA multipart
1327 protocol. See docs/architecture/tls13-support.md for the definition of
1331 to select the 1.3 version of the protocol to establish a TLS connection.
1335 * Zeroize several intermediate variables used to calculate the expected
1339 man-in-the-middle to inject fake ciphertext into a DTLS connection.
1348 * Fix a double-free that happened after mbedtls_ssl_set_session() or
1351 and mbedtls_ssl_free() would cause an internal session buffer to
1356 * The GNU makefiles invoke python3 in preference to python except on Windows.
1357 The check was accidentally not performed when cross-compiling for Windows
1369 * Fix mbedtls_cipher_crypt: AES-ECB when MBEDTLS_USE_PSA_CRYPTO is enabled.
1370 * Failures of alternative implementations of AES or DES single-block
1374 where this function cannot fail, or full-module replacements with
1379 * Fix compile-time or run-time errors in PSA
1383 psa_aead_finish() and psa_aead_verify() does not apply to the built-in
1385 * Move GCM's update output buffer length verification from PSA AEAD to
1386 the built-in implementation of the GCM.
1387 The requirement for output buffer size to be equal or greater then
1388 input buffer size is valid only for the built-in implementation of GCM.
1395 PSA_ALG_RSA_PSS_ANY_SALT to accept any salt length. Fixes #4946.
1403 not to list other shared libraries they need.
1411 pkcs12 functions when the password is empty. Fix the documentation to
1412 better describe the inputs to these functions and their possible values.
1422 oversight during the run-up to the release of Mbed TLS 3.0.
1423 The fields were never intended to be public.
1424 * Implement multi-part CCM API.
1425 The multi-part functions: mbedtls_ccm_starts(), mbedtls_ccm_set_lengths(),
1433 to set a callback, but was deemed unnecessary as it was yet another define
1434 to remember when writing tests, or test configurations. Fixes #4653.
1435 * Improve the performance of base64 constant-flow code. The result is still
1436 slower than the original non-constant-flow implementation, but much faster
1437 than the previous constant-flow implementation. Fixes #4814.
1438 * Ignore plaintext/ciphertext lengths for CCM*-no-tag operations.
1442 ChaCha20-Poly1305 is invalid, and not just unsupported.
1444 containing various functions meant to resist timing side channel attacks.
1449 * The generated configuration-independent files are now automatically
1450 generated by the CMake build system on Unix-like systems. This is not
1451 yet supported when cross-compiling.
1453 = Mbed TLS 3.0.0 branch released 2021-07-07
1462 https://mbed-tls.readthedocs.io/en/latest/kb/how-to/add-entropy-sources-to-entropy-pool/ for
1464 * Add missing const attributes to API functions.
1465 * Remove helpers for the transition from Mbed TLS 1.3 to Mbed TLS 2.0: the
1466 header compat-1.3.h and the script rename.pl.
1468 Transfer keys and certificates embedded in the library to the test
1469 component. This contributes to minimizing library API and discourages
1475 which have also been renamed to ecp_internal_alt.h and rsa_alt_helpers.h
1479 were not meant to be used in application code have been moved out of
1485 * Drop support for TLS record-level compression (MBEDTLS_ZLIB_SUPPORT).
1487 * Drop support for single-DES ciphersuites.
1489 * Update AEAD output size macros to bring them in line with the PSA Crypto
1491 key type used, as well as the key bit-size in the case of
1506 when outputting a SHA-384 or SHA-224 hash into a buffer of exactly
1508 * Remove the MBEDTLS_TEST_NULL_ENTROPY config option. Fixes #4388.
1509 * The interface of the GCM module has changed to remove restrictions on
1510 how the input to multipart operations is broken down. mbedtls_gcm_finish()
1514 call to mbedtls_gcm_update(), but alternative implementations activated
1515 by MBEDTLS_GCM_ALT may delay partial blocks to the next call to
1517 no longer pass the associated data to mbedtls_gcm_starts(), but to the
1520 * Replace MBEDTLS_SHA512_NO_SHA384 config option with MBEDTLS_SHA384_C.
1521 This separates config option enabling the SHA384 algorithm from option
1524 This separates config option enabling the SHA224 algorithm from option
1527 session-ID based session resumption) has changed to that of
1528 a key-value store with keys being session IDs and values
1541 which allows to mark an extension as critical. Fixes #4055.
1542 * For multi-part AEAD operations with the cipher module, calling
1544 was unclear on this point, and this function happened to never do
1546 possible to skip calling it, which is no longer supported.
1547 * The option MBEDTLS_ECP_FIXED_POINT_OPTIM use pre-computed comb tables
1559 key. To use an RSA key with PSS or OAEP, call mbedtls_rsa_set_padding()
1584 Raw keys and IVs are no longer passed to the callback.
1589 context are now connection-specific.
1591 length parameter to be the size of the hash input. For RSA signatures
1598 * Implement one-shot cipher functions, psa_cipher_encrypt and
1599 psa_cipher_decrypt, according to the PSA Crypto API 1.0.0
1601 * Direct access to fields of structures declared in public headers is no
1610 * Enable by default the functionalities which have no reason to be disabled.
1611 They are: ARIA block cipher, CMAC mode, elliptic curve J-PAKE library and
1612 Key Wrapping mode as defined in NIST SP 800-38F. Fixes #4036.
1622 bear this in mind and do not add them to backported code.
1624 release, some configuration-independent files are now generated at build
1629 * Refresh the minimum supported versions of tools to build the
1635 compile-time option, which was off by default. Users should not trust
1636 certificates signed with SHA-1 due to the known attacks against SHA-1.
1637 If needed, SHA-1 certificates can still be verified by using a custom
1645 https://lists.trustedfirmware.org/pipermail/mbed-tls/2020-April/000024.html
1649 compile-time option. This option has been inactive for a long time.
1652 * Remove the following deprecated functions and constants of hex-encoded
1670 CBC record splitting, fallback SCSV, and the ability to configure
1678 * The RSA module no longer supports private-key operations with the public
1680 * Remove the MBEDTLS_SSL_DTLS_BADMAC_LIMIT config.h option. Fixes #4403.
1695 * Remove MBEDTLS_ECDH_LEGACY_CONTEXT config option since this was purely for
1700 * Remove the MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION config.h
1701 option. The mbedtls_x509_crt_parse_der_with_ext_cb() is the way to go for
1704 MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE config.h options and let the code
1717 MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT config option. Users are better served by
1718 using a CCM-8 ciphersuite than a CBC ciphersuite with truncated HMAC.
1720 * Remove the compile-time option
1724 * Add mbedtls_rsa_rsassa_pss_sign_ext() function allowing to generate a
1725 signature with a specific salt length. This function allows to validate
1728 * Added support for built-in driver keys through the PSA opaque crypto
1729 driver interface. Refer to the documentation of
1732 * The multi-part GCM interface (mbedtls_gcm_update() or
1733 mbedtls_cipher_update()) no longer requires the size of partial inputs to
1735 * The multi-part GCM interface now supports chunked associated data through
1736 multiple calls to mbedtls_gcm_update_ad().
1742 See docs/architecture/alternative-implementations.md for the remaining
1745 query the size of the modulus in a Diffie-Hellman context.
1747 Diffie-Hellman context.
1748 * Use the new function mbedtls_ecjpake_set_point_format() to select the
1755 * Fix a bias in the generation of finite-field Diffie-Hellman-Merkle (DHM)
1764 * Fix an issue where an adversary with access to precise enough information
1767 victim performing a single private-key operation. Found and reported by
1769 * Fix an issue where an adversary with access to precise enough timing
1770 information (typically, a co-located process) could recover a Curve25519
1772 observing the victim performing the corresponding private-key operation.
1778 lead to the seed file corruption in case if the path to the seed file is
1779 equal to MBEDTLS_PLATFORM_STD_NV_SEED_FILE. Contributed by Victor
1783 to create is not valid, bringing them in line with version 1.0.0 of the
1785 * Add printf function attributes to mbedtls_debug_print_msg to ensure we
1790 * Fix a bug in ECDSA that would cause it to fail when the hash is all-bits
1795 mbedtls_mpi_read_string() was called on "-0", or when
1801 * In a TLS client, enforce the Diffie-Hellman minimum parameter size
1803 minimum size was rounded down to the nearest multiple of 8.
1805 defined to specific values. If the code is used in a context
1808 be adequate to build Mbed TLS.
1812 * The cipher suite TLS-RSA-WITH-CAMELLIA-256-GCM-SHA384 was not available
1813 when SHA-1 was disabled and was offered when SHA-1 was enabled but SHA-384
1815 * Do not offer SHA384 cipher suites when SHA-384 is disabled. Fixes #4499.
1817 Arm Cortex-M. Fixes #4530.
1819 directive in a header and a missing initialization in the self-test.
1820 * Fix a missing initialization in the Camellia self-test, affecting
1822 * Restore the ability to configure PSA via Mbed TLS options to support RSA
1824 is not defined PSA will no longer attempt to use mbedtls_rsa_gen_key().
1827 (when the encrypt-then-MAC extension is not in use) with some ALT
1828 implementations of the underlying hash (SHA-1, SHA-256, SHA-384), causing
1829 the affected side to wrongly reject valid messages. Fixes #4118.
1830 * Remove outdated check-config.h check that prevented implementing the
1839 could notably be triggered by setting the TLS debug level to 3 or above
1842 * psa_verify_hash() was relying on implementation-specific behavior of
1843 mbedtls_rsa_rsassa_pss_verify() and was causing failures in some _ALT
1849 A=0 represented with 0 limbs. Up to and including Mbed TLS 2.26, this bug
1853 Credit to OSS-Fuzz. Fixes #4641.
1858 read-only lifetime. The persistence level PSA_KEY_PERSISTENCE_READ_ONLY
1864 * Fix which alert is sent in some cases to conform to the
1868 * Correct (change from 12 to 13 bytes) the value of the macro describing the
1873 * Add extra printf compiler warning flags to builds.
1875 * Alternative implementations of CMAC may now opt to not support 3DES as a
1879 * Remove configs/config-psa-crypto.h, which no longer had any intended
1899 * Add CMake package config generation for CMake projects consuming Mbed TLS.
1900 * config.h has been split into build_info.h and mbedtls_config.h
1901 build_info.h is intended to be included from C code directly, while
1902 mbedtls_config.h is intended to be edited by end users wishing to
1906 * A config file version symbol, MBEDTLS_CONFIG_VERSION was introduced.
1907 Defining it to a particular value will ensure that Mbed TLS interprets
1908 the config file in a way that's compatible with the config file format
1912 * Various changes to which alert and/or error code may be returned
1919 = mbed TLS 2.26.0 branch released 2021-03-08
1922 * Renamed the PSA Crypto API output buffer size macros to bring them in line
1925 in bits rather than bytes, with an additional flag to indicate if the
1926 size may have been rounded up to a whole number of bytes.
1927 * Renamed the PSA Crypto API AEAD tag length macros to bring them in line
1948 * Automatic fallback to a software implementation of ECP when
1951 * The PSA crypto subsystem can now be configured to use less static RAM by
1964 minimum MAC or tag length thanks to the new wildcards
1973 length, or when the entropy module uses SHA-256 and CTR_DRBG uses AES-256.
1974 In such cases, a random nonce was necessary to achieve the advertised
1979 |A| - |B| where |B| is larger than |A| and has more limbs (so the
1985 mbedtls_pk_write_key_pem(). If MBEDTLS_MPI_MAX_SIZE is set to an odd
1986 value the function might fail to write a private RSA keys of the largest
1993 making access aceess to them use constant flow code.
1996 * Fix use-after-scope error in programs/ssl/ssl_client2.c and ssl_server2.c
2007 fail. Such a double-free was not safe when MBEDTLS_THREADING_C was
2009 * Fix a resource leak in a bad-arguments case of mbedtls_rsa_gen_key()
2012 * Fixes a bug where, if the library was configured to include support for
2018 used to validate digital signatures on certificates and MUST mark the
2019 extension as critical in such certificates." Previous to this change,
2020 the extension was always marked as non-critical. This was fixed by
2024 * A new library C file psa_crypto_client.c has been created to contain
2030 = mbed TLS 2.25.0 branch released 2020-12-11
2033 * The numerical values of the PSA Crypto API macros have been updated to
2034 conform to version 1.0.0 of the specification.
2040 as they have no way to check if the output buffer is large enough.
2042 mbedtls_cipher_auth_decrypt_ext() instead. Credit to OSS-Fuzz and
2046 * Update the minimum required CMake version to 2.8.12. This silences a
2056 these new functions always append the tag to the ciphertext, and include
2063 * Add support for ECB to the PSA cipher API.
2067 This is currently non-standard behaviour, but expected to make it into a
2069 * Add MBEDTLS_TARGET_PREFIX CMake variable, which is prefixed to the mbedtls,
2071 external CMake projects that include this one to avoid CMake target name
2074 * Add support for DTLS-SRTP as defined in RFC 5764. Contributed by Johan
2076 * In the PSA API, it is no longer necessary to open persistent keys:
2078 identical to psa_key_id_t instead of being platform-defined. This bridges
2079 the last major gap to compliance with the PSA Cryptography specification
2092 of up to 15 bytes, with consequences ranging up to arbitrary code
2094 * Limit the size of calculations performed by mbedtls_mpi_exp_mod to
2095 MBEDTLS_MPI_MAX_SIZE to prevent a potential denial of service when
2096 generating Diffie-Hellman key pairs. Credit to OSS-Fuzz.
2100 are implemented. This could cause failures or the silent use of non-random
2102 obtain entropy, or due to an internal failure (which, for Mbed TLS's own
2103 CTR_DRBG or HMAC_DRBG, can only happen due to a misconfiguration).
2106 description part of the cert to the real signature. This meant that a
2107 NULL algorithm parameters entry would look identical to an array of REAL
2108 (size zero) to the library and thus the certificate would be considered
2112 Many thanks to guidovranken who found this issue via differential fuzzing
2117 functions to erase sensitive data from memory. Reported by
2127 * Fix rsa_prepare_blinding() to retry when the blinding value is not
2132 * Use socklen_t on Android and other POSIX-compliant system
2133 * Fix the build when the macro _GNU_SOURCE is defined to a non-empty value.
2136 sizes (instead of PSA_ERROR_BAD_STATE in some cases) to make the
2142 * Fix psa_generate_key() returning an error when asked to generate
2144 * Fix psa_key_derivation_output_key() to allow the output of a combined key
2145 agreement and subsequent key derivation operation to be used as a key
2150 * Fix an off-by-one error in the additional data length check for
2151 CCM, which allowed encryption with a non-standard length field.
2154 MBEDTLS_MODE_ECB to 0, since ECB mode ciphers don't use IVs.
2158 * psa_set_key_id() now also sets the lifetime to persistent for keys located
2160 * Attempting to create a volatile key with a non-zero key identifier now
2163 * Attempting to create or register a key with a key identifier in the vendor
2168 (an error condition) and the second operand was aliased to the result.
2169 * Fix a case in elliptic curve arithmetic where an out-of-memory condition
2186 * The PSA persistent storage format is updated to always store the key bits
2189 specification (docs/architecture/mbed-crypto-storage-specification.md).
2192 but spurious and misleading since it looked like a mistaken attempt to
2193 zeroize the pointed-to buffer. Reported by Antonio de la Piedra, CEA
2196 = mbed TLS 2.24.0 branch released 2020-09-01
2199 * In the PSA API, rename the types of elliptic curve and Diffie-Hellman
2200 group families to psa_ecc_family_t and psa_dh_family_t, in line with the
2203 PSA_ECC_CURVE_xxx renamed to PSA_ECC_FAMILY_xxx
2204 PSA_DH_GROUP_xxx renamed to PSA_DH_FAMILY_xxx
2205 PSA_KEY_TYPE_GET_CURVE renamed to to PSA_KEY_TYPE_ECC_GET_FAMILY
2206 PSA_KEY_TYPE_GET_GROUP renamed to PSA_KEY_TYPE_DH_GET_FAMILY
2214 * The new function mbedtls_ecp_write_key() exports private ECC keys back to
2217 -Wformat-signedness, and fix the code that causes signed-one-bit-field
2218 and sign-compare warnings. Contributed by makise-homura (Igor Molchanov)
2225 subjecAltName extension is present, the expected name was compared to any
2227 attacker could for example impersonate a 4-bytes or 16-byte domain by
2228 getting a certificate for the corresponding IPv4 or IPv6 (this would
2229 require the attacker to control that IP address, though). Similar attacks
2233 its revocationDate was in the past according to the local clock if
2236 MBEDTLS_HAVE_TIME_DATE, an attacker able to control the local clock (for
2243 Encrypt-then-Mac extension, use constant code flow memory access patterns
2244 to extract and check the MAC. This is an improvement to the existing
2246 effective against network-based attackers, but less so against local
2248 if they have access to fine-grained measurements. In particular, this
2252 * Fix side channel in RSA private key operations and static (finite-field)
2253 Diffie-Hellman. An adversary with precise enough timing and memory access
2255 enclave) could bypass an existing counter-measure (base blinding) and
2257 * Fix a 1-byte buffer overread in mbedtls_x509_crl_parse_der().
2258 Credit to OSS-Fuzz for detecting the problem and to Philippe Antoine
2260 * Zeroising of plaintext buffers in mbedtls_ssl_read() to erase unused
2267 * Use local labels in mbedtls_padlock_has_support() to fix an invalid symbol
2272 Montgomery keys in little-endian as defined by RFC7748. Contributed by
2275 curves. Raised by signpainter in #941 and by Taiki-San in #1412. This
2277 * Fix self-test failure when the only enabled short Weierstrass elliptic
2289 * Only pass -Wformat-signedness to versions of GCC that support it. Reported
2292 previously could lead to stack overflow on constrained devices.
2296 * Update copyright notices to use Linux Foundation guidance. As a result,
2299 eliminates the need for the lines declaring the files to be part of
2301 * Add the command line parameter key_pwd to the ssl_client2 and ssl_server2
2302 example applications which allows to provide a password for the key file
2304 these applications with password-protected key files. Analogously but for
2305 ssl_server2 only, add the command line parameter key_pwd2 which allows to
2309 = mbed TLS 2.23.0 branch released 2020-07-01
2313 key lifetimes to encode a persistence level and the location. Although C
2315 psa_register_se_driver() must be modified to pass the driver's location
2322 high- and low-level error codes, complementing mbedtls_strerror()
2326 * The new utility programs/ssl/ssl_context_info prints a human-readable
2332 a solution to #3241.
2333 * Pass the "certificate policies" extension to the callback supplied to
2336 * Added support to entropy_poll for the kern.arandom syscall supported on
2343 Ming-Wei Shih, Prasun Gera, Taesoo Kim and Hyesoon Kim (Georgia Institute
2350 f_rng argument. An attacker with access to precise enough timing and
2354 * Fix issue in Lucky 13 counter-measure that could make it ineffective when
2356 macros). This would cause the original Lucky 13 attack to be possible in
2357 those configurations, allowing an active network attacker to recover
2366 pathLenConstraint basic constraint value is equal to INT_MAX.
2368 behavior, so this is unlikely to be exploitable anywhere. #3192
2370 due to shadowed variable. Contributed by Sander Visser in #3310.
2374 mbedtls_gcc_group_to_psa(). This allows the pk.c module to link separately
2386 * Set _POSIX_C_SOURCE to at least 200112L in C99 code. Reported in #3420 and
2390 * Fix false positive uninitialised variable reported by cpp-check.
2399 clean of -Wformat-signedness warnings. Contributed by Kenneth Soerensen
2408 * Unify the example programs termination to call mbedtls_exit() instead of
2409 using a return command. This has been done to enable customization of the
2411 * Fix mbedtls_x509_dn_gets to escape non-ASCII characters as "?".
2417 buffer is not large enough to hold the ClientHello.
2423 `MBEDTLS_CTR_DRBG_C` or `MBEDTLS_HMAC_DRBG_C` for some side-channel
2432 = mbed TLS 2.22.0 branch released 2020-04-14
2439 mbedtls_ssl_get_input_max_frag_len() to be more precise about which max
2444 (RFC 6347 section 4.2.8): an attacker able to send forged UDP packets to
2445 the server could cause it to drop established associations with
2447 happen when MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE was enabled in config.h
2449 * Fix side channel in ECC code that allowed an adversary with access to
2451 untrusted operating system attacking a secure enclave) to fully recover
2453 Billy Brumley and Cesar Pereida Garcia. CVE-2020-10932
2475 mbedtls_ssl_get_input_max_frag_len() to ensure that a sufficient input
2479 = mbed TLS 2.21.0 branch released 2020-02-20
2485 * Deprecate for MBEDTLS_PKCS11_C, the wrapper around the pkcs11-helper
2486 library which allows TLS authentication to use keys stored in a
2492 probability (of the order of 2^-n where n is the bitsize of the curve)
2496 * To avoid a side channel vulnerability when parsing an RSA private key,
2500 ARMmbed/mbed-crypto#352
2503 * The new build option MBEDTLS_SHA512_NO_SHA384 allows building SHA-512
2504 support without SHA-384.
2513 PSA_ECC_CURVE_SECP_R1 with 256 bits is P256R1). ARMmbed/mbed-crypto#330
2516 * Fix an unchecked call to mbedtls_md() in the x509write module.
2519 * Fix some false-positive uninitialized variable warnings in X.509. Fix
2520 contributed by apple-ihack-geek in #2663.
2522 a cryptographic accelerator fails. ARMmbed/mbed-crypto#345
2523 * Fix a bug in mbedtls_pk_parse_key() that would cause it to accept some
2525 keys. Found by Catena cyber using oss-fuzz (issue 20467).
2526 * Fix a bug in mbedtls_pk_parse_key() that would cause it to
2529 = mbed TLS 2.20.0 branch released 2020-01-15
2532 * The initial seeding of a CTR_DRBG instance makes a second call to the
2533 entropy function to obtain entropy for a nonce if the entropy size is less
2534 than 3/2 times the key size. In case you want to disable the extra call to
2535 grab entropy, you can call mbedtls_ctr_drbg_set_nonce_len() to force the
2536 nonce length to 0.
2547 these variables can be used to recover the last round key. To follow best
2548 practice and to limit the impact of buffer overread vulnerabilities (like
2549 Heartbleed) we need to zeroize them before exiting the function.
2556 to have only large prime factors), and then, by brute force, recover the
2559 timings on the comparison in the key generation enabled the attacker to
2560 learn leading bits of the ephemeral key used during ECDSA signatures and to
2572 to achieve the security strength defined by NIST SP 800-90A. You can
2574 * Add ENUMERATED tag support to the ASN.1 module. Contributed by
2575 msopiha-linaro in ARMmbed/mbed-crypto#307.
2578 * In the PSA API, forbid zero-length keys. To pass a zero-length input to a
2581 * Rename psa_asymmetric_sign() to psa_sign_hash() and
2582 psa_asymmetric_verify() to psa_verify_hash().
2592 unsupported algorithm. Fixes ARMmbed/mbed-crypto#254.
2593 * Fix mbedtls_asn1_get_int to support any number of leading zeros. Credit
2594 to OSS-Fuzz for finding a bug in an intermediate version of the fix.
2595 * Fix mbedtls_asn1_get_bitstring_null to correctly parse bitstrings of at
2602 * Remove the technical possibility to define custom mbedtls_md_info
2606 * Variables containing error codes are now initialized to an error code
2607 rather than success, so that coding mistakes or memory corruption tends to
2608 cause functions to return this error code rather than a success. There are
2610 merely a robustness improvement. ARMmbed/mbed-crypto#323
2611 * Remove a useless call to mbedtls_ecp_group_free(). Contributed by
2612 Alexander Krizhanovsky in ARMmbed/mbed-crypto#210.
2614 Lloyd and Fortanix Inc in ARMmbed/mbed-crypto#277.
2616 Alexander Krizhanovsky in ARMmbed/mbed-crypto#308.
2618 = mbed TLS 2.19.1 branch released 2019-09-16
2621 * Declare include headers as PUBLIC to propagate to CMake project consumers
2623 * Add nss_keylog to ssl_client2 and ssl_server2, enabling easier analysis of
2632 * Fix some false-positive uninitialized variable warnings in crypto. Fix
2633 contributed by apple-ihack-geek in #2663.
2635 = mbed TLS 2.19.0 branch released 2019-09-06
2643 as an ASN.1 INTEGER, which caused the size of the key to leak
2644 about 1 bit of information on average and could cause the value to be
2646 * The deterministic ECDSA calculation reused the scheme's HMAC-DRBG to
2654 mbedtls_ssl_session_load() to allow serializing a session, for example to
2655 store it in non-volatile storage, and later using it for TLS session
2657 * Add a new API function mbedtls_ssl_check_record() to allow checking that
2660 The feature is enabled at compile-time by MBEDTLS_SSL_RECORD_CHECKING
2663 (https://project-everest.github.io/). It can be enabled at compile time
2666 (32-bit and 64-bit) using GCC, Clang or Visual Studio. Contributed by
2674 * Add DER-encoded test CRTs to library/certs.c, allowing
2675 the example programs ssl_server2 and ssl_client2 to be run
2681 mbedtls_ecdh_can_do() on each result to check whether each algorithm is
2683 * The new function mbedtls_ecdsa_sign_det_ext() is similar to
2695 lead to successful parsing of ill-formed X.509 CRTs. Fixes #2437.
2696 * Fix multiple X.509 functions previously returning ASN.1 low-level error
2697 codes to always wrap these codes into X.509 high level error codes before
2699 * Fix to allow building test suites with any warning that detects unused
2701 * Fix typo in net_would_block(). Fixes #528 reported by github-monoculture.
2713 in mbedtls_x509write_crt_der() to 2Kb. Reported by soccerGB in #2631.
2715 * Update test certificates that were about to expire. Reported by
2717 * Fix the build on ARMv5TE in ARM mode to not use assembly instructions
2721 This could previously lead to segmentation faults in builds using an
2722 address-sanitizer and enabling but not using MBEDTLS_ECP_RESTARTABLE.
2725 * Improve code clarity in x509_crt module, removing false-positive
2728 * Fix bug in endianness conversion in bignum module. This lead to
2733 * Replace multiple uses of MD2 by SHA-256 in X.509 test suite. Fixes #821.
2734 * Make it easier to define MBEDTLS_PARAM_FAILED as assert (which config.h
2737 * Add a Dockerfile and helper scripts (all-in-docker.sh, basic-in-docker.sh,
2738 docker-env.sh) to simplify running test suites on a Linux host. Contributed
2740 * Add `reproducible` option to `ssl_client2` and `ssl_server2` to enable
2743 * Extended .gitignore to ignore Visual Studio artifacts. Fixed by ConfusedSushi.
2744 * Adds fuzz targets, especially for continuous fuzzing with OSS-Fuzz.
2750 = mbed TLS 2.18.1 branch released 2019-07-12
2760 = mbed TLS 2.18.0 branch released 2019-06-11
2765 * It is now possible to use NIST key wrap mode via the mbedtls_cipher API.
2767 * Add the Wi-SUN Field Area Network (FAN) device extended key usage.
2769 * It is now possible to perform RSA PKCS v1.5 signatures with RIPEMD-160 digest.
2771 * Extend the MBEDTLS_SSL_EXPORT_KEYS to export the handshake randbytes,
2772 and the used tls-prf.
2773 * Add public API for tls-prf function, according to requested enum.
2782 * Add support for draft-05 of the Connection ID extension, as specified
2783 in https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05.
2784 The Connection ID extension allows to keep DTLS connections beyond the
2786 to the DTLS record header. This identifier can be used to associated an
2788 changed its IP or port. The feature is enabled at compile-time by setting
2789 MBEDTLS_SSL_DTLS_CONNECTION_ID (disabled by default), and at run-time
2794 * Extend the MBEDTLS_SSL_EXPORT_KEYS to export the handshake randbytes,
2795 and the used tls-prf.
2796 * Add public API for tls-prf function, according to requested enum.
2805 * Fix 1-byte buffer overflow in mbedtls_mpi_write_string() when
2806 used with negative inputs. Found by Guido Vranken in #2404. Credit to
2807 OSS-Fuzz.
2813 * Add psa_util.h to test/cpp_dummy_build to fix build_default_make_gcc_and_cxx.
2816 public macro MBEDTLS_X509_ID_FLAG. This could lead to invalid evaluation
2821 * Set the next sequence of the subject_alt_name to NULL when deleting
2823 Credit to OSS-Fuzz.
2826 * Server's RSA certificate in certs.c was SHA-1 signed. In the default
2827 mbedTLS configuration only SHA-2 signed certificates are accepted.
2829 client programs to fail at the peer's certificate verification
2830 due to an unacceptable hash signature. The certificate has been
2831 updated to one that is SHA-256 signed. Fix contributed by
2837 * Add test for minimal value of MBEDTLS_MPI_WINDOW_SIZE to all.sh.
2839 * Change wording in the `mbedtls_ssl_conf_max_frag_len()`'s documentation to
2842 = mbed TLS 2.17.0 branch released 2019-03-19
2846 which allows copy-less parsing of DER encoded X.509 CRTs,
2849 * Add a new function mbedtls_asn1_write_named_bitstring() to write ASN.1
2851 * Add MBEDTLS_REMOVE_3DES_CIPHERSUITES to allow removing 3DES ciphersuites
2858 * Allow to opt in to the removal the API mbedtls_ssl_get_peer_cert()
2859 for the benefit of saving RAM, by disabling the new compile-time
2868 belongs to a different group from the first. Before, if an application
2869 passed keys that belonged to different group, the first key's data was
2870 interpreted according to the second group, which could lead to either
2880 previously lead to a stack overflow on constrained targets.
2885 * Remove the mbedtls namespacing from the header file, to fix a "file not found"
2887 * Fix signed-to-unsigned integer conversion warning
2892 (e.g. config.h.bak). Fixed by Peter Kolbus (Garmin) #2407.
2896 extensions in CSRs and CRTs that caused these bitstrings to not be encoded
2909 * Provide an abstraction of vsnprintf to allow alternative implementations
2913 Previously, this could lead to functionally incorrect assembly being
2919 * Fix configuration queries in ssl-opt.h. #2030
2920 * Ensure that ssl-opt.h can be run in OS X. #2029
2921 * Re-enable certain interoperability tests in ssl-opt.sh which had previously
2926 = mbed TLS 2.16.0 branch released 2018-12-21
2929 * Add a new config.h option of MBEDTLS_CHECK_PARAMS that enables validation
2934 function to see for which parameter values it is defined. This feature is
2935 disabled by default. See its API documentation in config.h for additional
2936 steps you have to take when enabling it.
2941 the return type from void to int to allow returning error codes when
2944 mbedtls_ctr_drbg_update() -> mbedtls_ctr_drbg_update_ret()
2945 mbedtls_hmac_drbg_update() -> mbedtls_hmac_drbg_update_ret()
2946 * Extend ECDH interface to enable alternative implementations.
2949 the more generic per-module error codes MBEDTLS_ERR_xxx_BAD_INPUT_DATA.
2951 modules - AES, ARIA, Blowfish, CAMELLIA, CCM, GCM, DHM, ECP, ECDSA, ECDH,
2973 This could lead to a buffer overflow, but only in case ticket authentication
2975 * Add explicit integer to enumeration type casts to example program
2976 programs/pkey/gen_key which previously led to compilation failure
2983 = mbed TLS 2.15.1 branch released 2018-11-30
2986 * Update the Mbed Crypto submodule to version 0.1.0b2.
2988 = mbed TLS 2.15.0 branch released 2018-11-23
2991 * Add an experimental build option, USE_CRYPTO_SUBMODULE, to enable use of
2993 * Add an experimental configuration option, MBEDTLS_PSA_CRYPTO_C, to enable
2998 * Add unit tests for AES-GCM when called through mbedtls_cipher_auth_xxx()
3001 = mbed TLS 2.14.1 branch released 2018-11-30
3005 decryption that could lead to a Bleichenbacher-style padding oracle
3012 in the paper available here: http://cat.eyalro.net/cat.pdf CVE-2018-19608
3025 mbedtls_hmac_drbg_update_ret() are similar to mbedtls_ctr_drbg_update()
3030 = mbed TLS 2.14.0 branch released 2018-11-19
3033 * Fix overly strict DN comparison when looking for CRLs belonging to a
3034 particular CA. This previously led to ignoring CRLs when the CRL's issuer
3041 space and a PSK-(EC)DHE ciphersuite was used, this allowed an attacker
3042 to trigger a memory access up to 64KiB beyond the incoming message buffer,
3043 potentially leading to an application crash or information disclosure.
3044 * Fix mbedtls_mpi_is_prime() to use more rounds of probabilistic testing. The
3046 adversary to construct non-primes that would be erroneously accepted as
3050 For example, the number of rounds was enough to securely generate RSA key
3051 pairs or Diffie-Hellman parameters, but was insufficient to validate
3052 Diffie-Hellman parameters properly.
3058 some configurable amount of operations. This is intended to be used in
3059 constrained, single-threaded systems where ECC is time consuming and can
3062 configured by mbedtls_ecp_set_max_ops() at runtime. It applies to the new
3064 yet), and to existing functions in ECDH and SSL (currently only
3065 implemented client-side, for ECDHE-ECDSA ciphersuites in TLS 1.2,
3067 * Add support for Arm CPU DSP extensions to accelerate asymmetric key
3071 * Extend RSASSA-PSS signature to allow a smaller salt size. Previously, PSS
3073 an error if this was not possible. Now the salt size may be up to two bytes
3074 shorter. This allows the library to support all hash and signature sizes
3075 that comply with FIPS 186-4, including SHA-512 with a 1024-bit key.
3076 * Add support for 128-bit keys in CTR_DRBG. Note that using keys shorter
3077 than 256 bits limits the security of generated material to 128 bits.
3095 Miller-Rabin rounds.
3099 application leading to a memory leak in case both
3107 which lead to accepting properly authenticated but improperly
3108 padded records in case of CBC ciphersuites using Encrypt-then-MAC.
3117 * Change the default string format used for various X.509 DN attributes to
3118 UTF8String. Previously, the use of the PrintableString format led to
3119 wildcards and non-ASCII characters being unusable in some DN attributes.
3121 Thomas-Dee.
3125 Reported by ole-de and ddhome2006. Fixes #882, #1642 and #1706.
3133 * Change the dtls_client and dtls_server samples to work by default over
3134 IPv6 and optionally by a build option over IPv4.
3135 * Change the use of Windows threading to use Microsoft Visual C++ runtime
3136 calls, rather than Win32 API calls directly. This is necessary to avoid
3140 string format (mostly PrintableString), which could lead to CRTs being
3145 Thomas-Dee.
3147 Fixes #517 reported by github-monoculture.
3148 * Add MBEDTLS_MPI_GEN_PRIME_FLAG_LOW_ERR flag to mbedtls_mpi_gen_prime() and
3149 use it to reduce error probability in RSA key generation to levels mandated
3150 by FIPS-186-4.
3152 = mbed TLS 2.13.1 branch released 2018-09-06
3156 whose implementation should behave as a thread-safe version of gmtime().
3157 This allows users to configure such an implementation at compile time when
3159 MBEDTLS_PLATFORM_GMTIME_R_ALT. At this stage Mbed TLS is only able to
3166 = mbed TLS 2.13.0 branch released 2018-08-31
3169 * Fix an issue in the X.509 module which could lead to a buffer overread
3171 input (extensions length field equal to 0), an illegal read of one byte
3177 with the peer, as well as by a new per-connection MTU option, set using
3179 * Add support for auto-adjustment of MTU to a safe value during the
3184 * Add support for buffering out-of-order handshake messages in DTLS.
3186 compile-time constant MBEDTLS_SSL_DTLS_MAX_BUFFERING defined
3187 in mbedtls/config.h.
3190 * Add function mbedtls_ssl_set_datagram_packing() to configure
3195 failure in the function could lead to other buffers being leaked.
3201 This improves compliance to RFC 4492, and as a result, solves
3205 * Fix potential use-after-free in mbedtls_ssl_get_max_frag_len()
3207 * Fix a bug that caused SSL/TLS clients to incorrectly abort the handshake
3209 without providing a list of CAs. This was due to an overly strict bounds
3216 (found by Catena cyber using oss-fuzz)
3228 * Add support for buffering of out-of-order handshake messages.
3229 * Add warnings to the documentation of the HKDF module to reduce the risk
3233 = mbed TLS 2.12.0 branch released 2018-07-25
3236 * Fix a vulnerability in TLS ciphersuites based on CBC and using SHA-384,
3237 in (D)TLS 1.0 to 1.2, that allowed an active network attacker to
3244 or CCM instead of CBC, using hash sizes other than SHA-384, or using
3245 Encrypt-then-Mac (RFC 7366) were not affected. The vulnerability was
3246 caused by a miscalculation (for SHA-384) in a countermeasure to the
3249 * Fix a vulnerability in TLS ciphersuites based on CBC, in (D)TLS 1.0 to
3250 1.2, that allowed a local attacker, able to execute code on the local
3251 machine as well as manipulate network packets, to partially recover the
3257 instead of CBC or using Encrypt-then-Mac (RFC 7366) were not affected.
3259 * Add a counter-measure against a vulnerability in TLS ciphersuites based
3260 on CBC, in (D)TLS 1.0 to 1.2, that allowed a local attacker, able to
3262 to partially recover the plaintext of messages under some conditions (see
3265 Encrypt-then-Mac (RFC 7366) were not affected. Found by Kenny Paterson,
3269 * Add new crypto primitives from RFC 7539: stream cipher Chacha20, one-time
3270 authenticator Poly1305 and AEAD construct Chacha20-Poly1305. Contributed
3272 * Add support for CHACHA20-POLY1305 ciphersuites from RFC 7905.
3273 * Add platform support for the Haiku OS. (https://www.haiku-os.org).
3281 NIST SP 800-38F algorithms KW and KWP and by RFC 3394 and RFC 5649.
3290 * Clarify documentation for mbedtls_ssl_write() to include 0 as a valid
3298 * Added length checks to some TLS parsing functions. Found and fixed by
3308 CBC based ciphersuite is used together with Encrypt-then-MAC. Previously,
3310 to the connection being terminated. Seen most often with OpenSSL using
3313 * Fix ssl_client2 example to send application data with 0-length content
3314 when the request_size argument is set to 0 as stated in the documentation.
3318 * Fix build using -std=c99. Fixed by Nick Wilson.
3322 zero-length messages when using TLS 1.2. Contributed by Espressif Systems.
3323 * Change the default behaviour of mbedtls_hkdf_extract() to return an error
3324 when calling with a NULL salt and non-zero salt_len. Contributed by
3326 * Change the shebang line in Perl scripts to look up perl in the PATH.
3328 * Allow overriding the time on Windows via the platform-time abstraction.
3330 * Use gmtime_r/gmtime_s for thread-safety. Fixed by Nick Wilson.
3332 = mbed TLS 2.11.0 branch released 2018-06-18
3335 * Add additional block mode, OFB (Output Feedback), to the AES module and
3337 * Implement the HMAC-based extract-and-expand key derivation function
3340 * Add support for the XTS block cipher mode with AES (AES-XTS).
3342 * In TLS servers, support offloading private key operations to an external
3343 cryptoprocessor. Private key operations can be asynchronous to allow
3344 non-blocking operation of the TLS server stack.
3347 * Fix the cert_write example to handle certificates signed with elliptic
3349 * Fix for redefinition of _WIN32_WINNT to avoid overriding a definition
3356 * Changed CMake defaults for IAR to treat all compiler warnings as errors.
3357 * Changed the Clang parameters used in the CMake build files to work for
3361 = mbed TLS 2.10.0 branch released 2018-06-06
3365 (RFC 6209). Disabled by default, see MBEDTLS_ARIA_C in config.h
3372 point of view. mbedtls_platform_zeroize() needs to be regularly tested
3373 against compilers to ensure that calls to it are not removed from the
3375 Therefore, mbedtls_platform_zeroize() is moved to the platform module to
3379 * Fix an issue with MicroBlaze support in bn_mul.h which was causing the
3380 build to fail. Found by zv-io. Fixes #1651.
3383 * Support TLS testing in out-of-source builds using cmake. Fixes #1193.
3387 = mbed TLS 2.9.0 branch released 2018-04-30
3390 * Fix an issue in the X.509 module which could lead to a buffer overread
3391 during certificate validation. Additionally, the issue could also lead to
3392 unnecessary callback checks being made or to some validation checks to be
3394 would require a non DER-compliant certificate to be correctly signed by a
3395 trusted CA, or a trusted CA with a non DER-compliant certificate. Found by
3398 function which led to an arbitrary overread of the message buffer. The
3403 * Fix a client-side bug in the validation of the server's ciphersuite choice
3404 which could potentially lead to the client accepting a ciphersuite it didn't
3406 chosen by the server. This could lead to corruption of internal data
3410 * Add an option, MBEDTLS_AES_FEWER_TABLES, to dynamically compute smaller AES
3419 * Extend the public API with the function of mbedtls_net_poll() to allow user
3420 applications to wait for a network context to become ready before reading
3422 * Add function mbedtls_ssl_check_pending() to the public API to allow
3423 a check for whether more more data is pending to be processed in the
3425 This function is necessary to determine when it is safe to idle on the
3426 underlying transport in case event-driven IO is used.
3431 * Add missing dependencies in test suites that led to build failures
3432 in configurations that omit certain hashes or public-key algorithms.
3442 unable to parse keys which had only the optional parameters field of the
3447 * Fix overriding and ignoring return values when parsing and writing to
3449 * Restrict usage of error code MBEDTLS_ERR_SSL_WANT_READ to situations
3450 where data needs to be fetched from the underlying transport in order
3451 to make progress. Previously, this error code was also occasionally
3453 further messages could potentially already be pending to be processed
3454 in the internal buffers; these cases led to deadlocks when event-driven
3457 function which leads to a potential one byte overread of the message
3459 * Fix invalid buffer sizes passed to zlib during record compression and
3461 * Fix the soversion of libmbedcrypto to match the soversion of the
3463 version 2.7.1 to reflect breaking changes in that release, but the
3471 public-key algorithms. Includes contributions by Gert van Dijk.
3490 * Add an option in the Makefile to support ar utilities where the operation
3491 letter must not be prefixed by '-', such as LLVM. Found and fixed by
3501 HMAC functions with non-HMAC ciphersuites. Independently contributed
3504 FIPS 186-4. Contributed by Jethro Beekman. #1380
3508 not need to copy the declarations, and ensures that they will have the
3512 = mbed TLS 2.8.0 branch released 2018-03-16
3515 * The truncated HMAC extension now conforms to RFC 6066. This means
3519 prior versions of Mbed TLS. To restore the old behavior, enable
3521 config.h. Found by Andreas Walz (ivESK, Offenburg University of
3529 * Verify results of RSA private key operations to defend
3535 * Fix CRL parsing to reject CRLs containing unsupported critical
3542 uses PBKDF2-SHA2, such as OpenSSL 1.1. Submitted by Antonio Quartulli,
3553 * Fix test_suite_pk to work on 64-bit ILP32 systems. #849
3554 * Fix mbedtls_x509_crt_profile_suiteb, which used to reject all certificates
3574 that could cause a key exchange to fail on valid data.
3576 could cause a key exchange to fail on valid data.
3579 * Fix a 1-byte heap buffer overflow (read-only) during private key parsing.
3587 * MD functions deprecated in 2.7.0 are no longer inline, to provide
3593 = mbed TLS 2.7.0 branch released 2018-02-03
3598 sending a malicious application packet could be used to selectively corrupt
3599 6 bytes on the peer's heap, which could potentially lead to crash or remote
3601 both TLS and DTLS. CVE-2018-0488
3602 * Fix a buffer overflow in RSA-PSS verification when the hash was too large
3603 for the key size, which could potentially lead to crash or remote code
3605 Qualcomm Technologies Inc. CVE-2018-0487
3606 * Fix buffer overflow in RSA-PSS verification when the unmasked data is all
3609 64 KiB to the address of the SSL buffer and causing a wrap around.
3612 config and the application data buffer passed to mbedtls_ssl_write
3616 was independently reported by Tim Nordell via e-mail and by Florin Petriuc
3619 * Add a provision to prevent compiler optimizations breaking the time
3623 * Set PEM buffer to zero before freeing it, to avoid decoded private keys
3624 being leaked to memory after release.
3625 * Fix dhm_check_range() failing to detect trivial subgroups and potentially
3627 * Make mbedtls_mpi_read_binary() constant-time with respect to the input
3629 sake of saving memory, but potentially leading to slight timing
3633 * Fix a potential heap buffer over-read in ALPN extension parsing
3634 (server-side). Could result in application crash, but only if an ALPN
3637 to RFC 3526 containing parameters generated in a nothing-up-my-sleeve
3644 * New unit tests for timing. Improve the self-test to be more robust
3645 when run on a heavily-loaded machine.
3652 MBEDTLS_ECDSDA_GENKEY_AT in config.h.
3658 MBEDTLS_ECDH_GEN_PUBLIC_ALT in config.h.
3664 * Add mechanism to provide alternative implementation of the DHM module.
3667 * Extend RSA interface by multiple functions allowing structure-
3670 up RSA contexts from partial key material and having them completed to the
3671 needs of the implementation automatically. This allows to setup private RSA
3674 * The configuration option MBEDTLS_RSA_ALT can be used to define alternative
3678 The new functions change the return type from void to int to allow
3680 mbedtls_<MODULE>_starts() -> mbedtls_<MODULE>_starts_ret()
3681 mbedtls_<MODULE>_update() -> mbedtls_<MODULE>_update_ret()
3682 mbedtls_<MODULE>_finish() -> mbedtls_<MODULE>_finish_ret()
3683 mbedtls_<MODULE>_process() -> mbedtls_internal_<MODULE>_process()
3686 * Deprecate usage of RSA primitives with non-matching key-type
3689 Users are advised to use the extended RSA API instead.
3705 * Fix ssl_parse_record_header() to silently discard invalid DTLS records
3711 renegotiated handshakes would only accept signatures using SHA-1
3712 regardless of the peer's preferences, or fail if SHA-1 was disabled.
3713 * Fix leap year calculation in x509_date_is_valid() to ensure that invalid
3716 * Fix some invalid RSA-PSS signatures with keys of size 8N+1 that were
3718 * Fix out-of-memory problem when parsing 4096-bit PKCS8-encrypted RSA keys.
3725 If a call to one of the functions of the cryptographic primitive modules
3727 mbedtls_pem_read_buffer() causing it to return invalid values. Found by
3729 * Include configuration file in md.h, to fix compilation warnings.
3731 * Correct extraction of signature-type from PK instance in X.509 CRT and CSR
3732 writing routines that prevented these functions to work with alternative
3735 non-v3 CRT's.
3737 * Fix net_would_block() to avoid modification by errno through fcntl() call.
3740 MBEDTLS_SSL_RENEGOTIATION is disabled. Found by erja-gp.
3743 * Fix word size check in in pk.c to not depend on MBEDTLS_HAVE_INT64.
3745 * Add size-checks for record and handshake message content, securing
3746 fragile yet non-exploitable code-paths.
3754 RSA test suite where the failure of CTR DRBG initialization lead to
3764 * Fix the entropy.c module to not call mbedtls_sha256_starts() or
3766 * Fix the entropy.c module to ensure that mbedtls_sha256_init() or
3768 structure. Do not assume that zeroizing a context is a correct way to
3775 * Extend cert_write example program by options to set the certificate version
3782 * Only run AES-192 self-test if AES-192 is available. Fixes #963.
3785 * Update all internal usage of deprecated message digest functions to the
3793 * Add explicit warnings for the use of MD2, MD4, MD5, SHA-1, DES and ARC4
3796 = mbed TLS 2.6.0 branch released 2017-08-10
3799 * Fix authentication bypass in SSL/TLS: when authmode is set to optional,
3803 triggered remotely from either side. (With authmode set to 'required'
3811 and the context struct mbedtls_platform_context to perform
3812 platform-specific setup and teardown operations. The macro
3813 MBEDTLS_PLATFORM_SETUP_TEARDOWN_ALT allows the functions to be overridden
3815 some embedded environments to provide a means of initialising underlying
3819 * Reverted API/ABI breaking changes introduced in mbed TLS 2.5.1, to make the
3824 * Certificate verification functions now set flags to -1 in case the full
3825 chain was not verified due to an internal error (including in the verify
3827 * With authmode set to optional, the TLS handshake is now aborted if the
3828 verification of the peer's certificate failed due to an overlong chain or
3835 to #if defined(MBEDTLS_THREADING_C) as the library cannot assume they will
3839 * Add MBEDTLS_MPI_CHK to check for error value of mbedtls_mpi_fill_random.
3841 * Fix conditional preprocessor directives in bignum.h to enable 64-bit
3845 to bypass the version verification check. Found by Peng Li/Yueh-Hsun Lin,
3849 to bypass the version verification check. Found by Peng Li/Yueh-Hsun Lin,
3853 constructed certificates to bypass the certificate verification check.
3854 * Fix a call to the libc function time() to call the platform abstraction
3860 * Added config.h option MBEDTLS_NO_UDBL_DIVISION, to prevent the use of
3861 64-bit division. This is useful on embedded platforms where 64-bit division
3864 accelerator code in the library leaves concurrency handling to the
3867 config-no-entropy.h to reduce the RAM footprint.
3872 = mbed TLS 2.5.1 released 2017-06-21
3875 * Fixed unlimited overread of heap-based buffer in mbedtls_ssl_read().
3876 The issue could only happen client-side with renegotiation enabled.
3879 back to the server or to a third party). Can be triggered remotely.
3880 * Removed SHA-1 and RIPEMD-160 from the default hash algorithms for
3881 certificate verification. SHA-1 can be turned back on with a compile-time
3883 * Fixed offset in FALLBACK_SCSV parsing that caused TLS server to fail to
3885 * Tighten parsing of RSA PKCS#1 v1.5 signatures, to avoid a
3886 potential Bleichenbacher/BERserk-style attack.
3891 and with GCC using the -Wpedantic compilation option.
3892 * Fix insufficient support for signature-hash-algorithm extension,
3895 when sending the alert failed. The fix makes sure not to hide the error
3898 peer after sending a fatal alert to refuse a renegotiation attempt.
3899 Previous behaviour was to keep processing data even after the alert has
3903 * Fix implementation of mbedtls_ssl_parse_certificate() to not annihilate
3904 fatal errors in authentication mode MBEDTLS_SSL_VERIFY_OPTIONAL and to
3906 * Fix bug that caused the modular inversion function to accept the invalid
3907 modulus 1 and therefore to hang. Found by blaufish. #641.
3911 * Fix a numerical underflow leading to stack overflow in mpi_read_file()
3915 * Send fatal alerts in more cases. The previous behaviour was to skip
3917 * Clarify ECDSA documentation and improve the sample code to avoid
3919 by Jean-Philippe Aumasson.
3921 = mbed TLS 2.5.0 branch released 2017-05-17
3927 * Add exponent blinding to RSA private operations as a countermeasure
3928 against side-channel attacks like the cache attack described in
3935 This involved exposing parts of the internal interface to enable
3938 * Add a new configuration option to 'mbedtls_ssl_config' to enable
3945 void to int to allow returning error codes when using MBEDTLS_AES_ALT,
3947 mbedtls_aes_decrypt() -> mbedtls_internal_aes_decrypt()
3948 mbedtls_aes_encrypt() -> mbedtls_internal_aes_encrypt()
3951 * Remove macros from compat-1.3.h that correspond to deleted items from most
3955 * Add checks in the PK module for the RSA functions on 64-bit systems.
3957 without these checks the type cast could lead to data loss. Found by Guido
3960 = mbed TLS 2.4.2 branch released 2017-03-08
3963 * Add checks to prevent signature forgeries for very large messages while
3964 using RSA through the PK module in 64-bit systems. The issue was caused by
3965 some data loss when casting a size_t to an unsigned int value in the
3967 mbedtls_pk_sign(). Found by Jean-Philippe Aumasson.
3974 CertificateVerify messages, to prevent SLOTH attacks against TLS 1.2.
3979 and potentially could lead to remote code execution on some platforms.
3981 team. #569 CVE-2017-2784
3986 MBEDTLS_X509_BADCERT_NOT_TRUSTED and MBEDTLS_X509_BADCERT_EXPIRED, to be
3989 * Fix the redefinition of macro ssl_set_bio to an undefined symbol
3990 mbedtls_ssl_set_bio_timeout in compat-1.3.h, by removing it.
3991 Found by omlib-lin. #673
3993 x509_csr.c that are reported when building mbed TLS with a config.h that
4001 the input string in PEM format to extract the different components. Found
4004 cause buffer bound checks to be bypassed. Found by Eyal Itkin.
4006 cause buffer bound checks to be bypassed. Found by Eyal Itkin.
4008 cause buffer bound checks to be bypassed. Found by Eyal Itkin.
4010 cause buffer bound checks to be bypassed. Found by Eyal Itkin.
4012 Li/Yueh-Hsun Lin, KNOX Security, Samsung Research America.
4014 by missing calls to mbedtls_pem_free() in cases when a
4017 * Fixed the templates used to generate project and solution files for Visual
4018 Studio 2015 as well as the files themselves, to remove a build warning
4023 number to write in hexadecimal is negative and requires an odd number of
4028 = mbed TLS 2.4.1 branch released 2016-12-13
4031 * Update to CMAC test data, taken from - NIST Special Publication 800-38B -
4035 = mbed TLS 2.4.0 branch released 2016-10-17
4039 with RFC-5116 and could lead to session key recovery in very long TLS
4040 sessions. "Nonce-Disrespecting Adversaries Practical Forgery Attacks on GCM in
4041 TLS" - H. Bock, A. Zauner, S. Devlin, J. Somorovsky, P. Jovanovic.
4044 mbedtls_x509write_csr_der() when the signature is copied to the buffer
4049 * Added support for CMAC for AES and 3DES and AES-CMAC-PRF-128, as defined by
4050 NIST SP 800-38B, RFC-4493 and RFC-4615.
4051 * Added hardware entropy selftest to verify that the hardware entropy source
4053 * Added a script to print build environment info for diagnostic use in test
4055 * Added the macro MBEDTLS_X509_MAX_FILE_PATH_LEN that enables the user to
4058 * Added a configuration file config-no-entropy.h that configures the subset of
4060 * Added the macro MBEDTLS_ENTROPY_MIN_HARDWARE in config.h. This allows users
4061 to configure the minimum number of bytes for entropy sources using the
4065 * Fix for platform time abstraction to avoid dependency issues where a build
4067 configuration consistency checks to check_config.h
4068 * Fix dependency issue in Makefile to allow parallel builds.
4071 * Fix for key exchanges based on ECDH-RSA or ECDH-ECDSA which weren't
4073 * Fix for out-of-tree builds using CMake. Found by jwurzer, and fix based on
4079 * Fixed pthread implementation to avoid unintended double initialisations
4084 * Fix mbedtls_x509_get_sig() to update the ASN1 type in the mbedtls_x509_buf
4086 subramanyam-c. #622
4093 Found by subramanyam-c. #626
4101 * Removed self-tests from the basic-built-test.sh script, and added all
4102 missing self-tests to the test suites, to ensure self-tests are only
4104 * Added support for 3 and 4 byte lengths to mbedtls_asn1_write_len().
4105 * Added support for a Yotta specific configuration file -
4109 * Renamed source file library/net.c to library/net_sockets.c to avoid
4112 deprecated, and its contents moved to net_sockets.h.
4113 * Changed the strategy for X.509 certificate parsing and validation, to no
4116 = mbed TLS 2.3.0 branch released 2016-06-28
4121 * Fix potential integer overflow to buffer overflow in
4124 * Fix a potential integer underflow to buffer overread in
4134 arguments where the same (in-place doubling). Found and fixed by Janos
4136 * Fix potential build failures related to the 'apidoc' target, introduced
4140 ECDSA was disabled in config.h . The leak didn't occur by default.
4141 * Fix an issue that caused valid certificates to be rejected whenever an
4145 buffer after DER certificates to be included in the raw representation.
4149 * Fix issue that caused a crash if invalid curves were passed to
4153 * Fix test in ssl-opt.sh that does not run properly with valgrind
4154 * Fix unchecked calls to mmbedtls_md_setup(). Fix by Brian Murray. #502
4157 * On ARM platforms, when compiling with -O0 with GCC, Clang or armcc5,
4159 the need to pass -fomit-frame-pointer to avoid a build error with -O0.
4163 * Fix non-compliance server extension handling. Extensions for SSLv3 are now
4166 = mbed TLS 2.2.1 released 2016-01-05
4169 * Fix potential double free when mbedtls_asn1_store_named_data() fails to
4172 * Disable MD5 handshake signatures in TLS 1.2 by default to prevent the
4174 SLOTH paper do not apply to any version of mbed TLS or PolarSSL).
4178 * Fix over-restrictive length limit in GCM. Found by Andreas-N. #362
4179 * Fix bug in certificate validation that caused valid chains to be rejected
4190 = mbed TLS 2.2.0 released 2015-11-04
4208 * Experimental support for EC J-PAKE as defined in Thread 1.0.0.
4210 * Added a key extraction callback to accees the master secret and key
4211 block. (Potential uses include EAP-TLS and Thread.)
4214 * Self-signed certificates were not excluded from pathlen counting,
4217 * Fix build error with configurations where ECDHE-PSK is the only key
4219 * Fix build error with configurations where RSA, RSA-PSK, ECDH-RSA or
4220 ECHD-ECDSA if the only key exchange. Multiple reports. #310
4221 * Fixed a bug causing some handshakes to fail due to some non-fatal alerts
4222 not being properly ignored. Found by mancha and Kasom Koht-arsa, #308
4224 size/curve against the profile. Before that, there was no way to set a
4225 minimum key size for end-entity certificates with RSA keys. Found by
4227 * Fix failures in MPI on Sparc(64) due to use of bad assembly code.
4231 certificates to be rejected by some applications, including OS X
4236 or -1.
4238 = mbed TLS 2.1.2 released 2015-10-06
4241 * Added fix for CVE-2015-5291 to prevent heap corruption due to buffer
4244 * Fix potential double-free if mbedtls_ssl_set_hs_psk() is called more than
4254 string of close to or larger than 1GB to exploit; on 64 bit machines, would
4255 require reading a string of close to or larger than 2^62 bytes.
4261 buffer is 512MB or larger on 32-bit platforms. Found by Guido Vranken,
4263 * Fix potential double-free if mbedtls_conf_psk() is called repeatedly on
4268 unless you allow third parties to pick trust CAs for client auth.
4277 * Added checking of hostname length in mbedtls_ssl_set_hostname() to ensure
4279 * Fixed paths for check_config.h in example config files. (Found by bachp)
4282 = mbed TLS 2.1.1 released 2015-09-17
4285 * Add countermeasure against Lenstra's RSA-CRT attack for PKCS#1 v1.5
4287 https://securityblog.redhat.com/2015/09/02/factoring-rsa-keys-with-tls-perfect-forward-secrecy/
4288 * Fix possible client-side NULL pointer dereference (read) when the client
4289 tries to continue the handshake after it failed (a misuse of the API).
4291 afl-fuzz.)
4295 * Fix off-by-one error in parsing Supported Point Format extension that
4296 caused some handshakes to fail.
4299 * Made X509 profile pointer const in mbedtls_ssl_conf_cert_profile() to allow
4303 (MBEDTLS_SSL_DTLS_HELLO_VERIFY defined in config.h, and usable cookie
4306 MBEDTLS_ERR_SSL_CLIENT_RECONNECT - it is then possible to start a new
4309 = mbed TLS 2.1.0 released 2015-09-04
4313 * Primary open source license changed to Apache 2.0 license.
4317 * Fix build error with CMake and pre-4.5 versions of GCC (found by Hugo
4321 * Fix bug in CMake lists that caused libmbedcrypto.a not to be installed
4323 * Fix bug in Makefile that caused libmbedcrypto and libmbedx509 not to be
4325 * Fix compile error with armcc 5 with --gnu option.
4326 * Fix bug in Makefile that caused programs not to be installed correctly
4330 * Fix missing -static-libgcc when building shared libraries for Windows
4334 * Fix bug in mbedtls_ssl_conf_default() that caused the default preset to
4337 result trying to unlock an unlocked mutex on invalid input (found by
4339 * Fix -Wshadow warnings (found by hnrkp) (#240)
4341 SSL_MAX_CONTENT_LEN or higher - not triggerrable remotely (found by
4349 * It is now possible to #include a user-provided configuration file at the
4350 end of the default config.h by defining MBEDTLS_USER_CONFIG_FILE on the
4353 trusted, no later cert is checked. (suggested by hannes-landeholm)
4355 * Prepend a "thread identifier" to debug messages (issue pointed out by
4357 * Add mbedtls_ssl_get_max_frag_len() to query the current maximum fragment
4360 = mbed TLS 2.0.0 released 2015-07-13
4364 * Ability to override core functions from MDx, SHAx, AES and DES modules
4366 ability to override the whole module.
4367 * New server-side implementation of session tickets that rotate keys to
4373 * Introduced a concept of presets for SSL security-relevant configuration
4378 You now need to link to all of them if you use TLS for example.
4379 * All public identifiers moved to the mbedtls_* or MBEDTLS_* namespace.
4380 Some names have been further changed to make them more consistent.
4381 Migration helpers scripts/rename.pl and include/mbedtls/compat-1.3.h are
4382 provided. Full list of renamings in scripts/data_files/rename-1.3-2.0.txt
4384 mbedtls_cipher_info_t.key_length -> key_bitlen
4385 mbedtls_cipher_context_t.key_length -> key_bitlen
4386 mbedtls_ecp_curve_info.size -> bit_size
4391 mbedtls_ssl_init() -> mbedtls_ssl_setup()
4392 mbedtls_ccm_init() -> mbedtls_ccm_setkey()
4393 mbedtls_gcm_init() -> mbedtls_gcm_setkey()
4394 mbedtls_hmac_drbg_init() -> mbedtls_hmac_drbg_seed(_buf)()
4395 mbedtls_ctr_drbg_init() -> mbedtls_ctr_drbg_seed()
4396 Note that for mbedtls_ssl_setup(), you need to be done setting up the
4400 ssl_legacy_renegotiation()) have been renamed to mbedtls_ssl_conf_xxx()
4401 (see rename.pl and compat-1.3.h above) and their first argument's type
4402 changed from ssl_context to ssl_config.
4404 additional callback for read-with-timeout).
4415 place of mbedtls_ssl_conf_session_tickets() to enable session tickets.
4423 mbedtls_x509_crt_verify() (flags, f_vrfy -> needs to be updated)
4424 mbedtls_ssl_conf_verify() (f_vrfy -> needs to be updated)
4425 * The following functions changed prototype to avoid an in-out length
4432 changed type to "mbedtls_net_context *".
4440 mbedtls_x509write_crt_set_key_usage() changed from int to unsigned.
4441 * test_ca_list (from certs.h) is renamed to test_cas_pem and is only
4443 * Test certificates in certs.c are no longer guaranteed to be nul-terminated
4447 length parameter to include the terminating null byte for PEM input.
4448 * Signature of mpi_mul_mpi() changed to make the last argument unsigned
4451 (Thanks to Mansour Moufid for helping with the replacement.)
4452 * Change SSL_DISABLE_RENEGOTIATION config.h flag to SSL_RENEGOTIATION
4453 (support for renegotiation now needs explicit enabling in config.h).
4455 in config.h
4456 * net_connect() and net_bind() have a new 'proto' argument to choose
4457 between TCP and UDP, using the macros NET_PROTO_TCP or NET_PROTO_UDP.
4458 Their 'port' argument type is changed to a string.
4472 * Removed compat-1.2.h (helper for migrating from 1.2 to 1.3).
4476 been removed (compiler is required to support 32-bit operations).
4479 * Removed test program ssl_test, superseded by ssl-opt.sh.
4480 * Removed helper script active-config.pl
4486 Semi-API changes (technically public, morally private)
4487 * Renamed a few headers to include _internal in the name. Those headers are
4488 not supposed to be included by users.
4492 * Removed sig_oid2 and rename sig_oid1 to sig_oid in x509_crt and x509_crl.
4493 * x509_crt.key_usage changed from unsigned char to unsigned int.
4506 custom config.h
4507 * Default DHM parameters server-side upgraded from 1024 to 2048 bits.
4511 * The following functions are now case-sensitive:
4521 * Compiler is required to support C99 types such as long long and uint32_t.
4530 * DTLS no longer hard-depends on TIMING_C, but uses a callback interface
4534 * With UDP sockets, it is no longer necessary to call net_bind() again
4539 thread-safe if MBEDTLS_THREADING_C is enabled.
4540 * Reduced ROM fooprint of SHA-256 and added an option to reduce it even
4546 * With authmode set to SSL_VERIFY_OPTIONAL, verification of keyUsage and
4549 * Add countermeasure against "Lucky 13 strikes back" cache-based attack,
4555 * Add x509_crt_verify_info() to display certificate verification results.
4559 * Add support for id-at-uniqueIdentifier in X.509 names.
4562 * Add an option to use macros instead of function pointers in the platform
4565 cross-compilation easier (thanks to Alon Bar-Lev).
4566 * The benchmark program also prints heap usage for public-key primitives
4568 * New script ecc-heap.sh helps measuring the impact of ECC parameters on
4571 reduced configurations (PSK-CCM and NSA suite B).
4572 * Add config flag POLARSSL_DEPRECATED_WARNING (off by default) to produce
4574 * Add config flag POLARSSL_DEPRECATED_REMOVED (off by default) to produce
4579 * Fix compile error with PLATFORM_EXIT_ALT (thanks to Rafał Przywara).
4581 entropy_free() to crash (thanks to Rafał Przywara).
4596 * Fix bug in pk_parse_key() that caused some valid private EC keys to be
4603 * Fix potential unintended sign extension in asn1_get_len() on 64-bit
4607 POLARSSL_SSL_SSESSION_TICKETS where both enabled in config.h (introduced
4610 * Add missing dependency on SHA-256 in some x509 programs (reported by
4612 * Fix bug related to ssl_set_curves(): the client didn't check that the
4621 * compat-1.2.h and openssl.h are deprecated.
4624 (contributed by Alon Bar-Lev).
4627 * Move from SHA-1 to SHA-256 in example programs using signatures
4631 * Change #include lines in test files to use double quotes instead of angle
4635 = mbed TLS 1.3.10 released 2015-02-09
4637 * NULL pointer dereference in the buffer-based allocator when the buffer is
4641 * Fix remotely-triggerable uninitialised pointer dereference caused by
4644 * Fix remotely-triggerable memory leak caused by crafted X.509 certificates
4650 * Fix timing difference that could theoretically lead to a
4651 Bleichenbacher-style attack in the RSA and RSA-PSK key exchanges
4655 * Add support for FALLBACK_SCSV (draft-ietf-tls-downgrade-scsv).
4656 * Add support for Extended Master Secret (draft-ietf-tls-session-hash).
4657 * Add support for Encrypt-then-MAC (RFC 7366).
4658 * Add function pk_check_pair() to test if public and private keys match.
4660 * Add compile-time option POLARSSL_X509_MAX_INTERMEDIATE_CA to limit the
4662 * Support for renegotiation can now be disabled at compile-time
4663 * Support for 1/n-1 record splitting, a countermeasure against BEAST.
4664 * Certificate selection based on signature hash, preferring SHA-1 over SHA-2
4665 for pre-1.2 clients when multiple certificates are available.
4668 * Add ssl_set_arc4_support() to make it easier to disable RC4 at runtime
4675 add_len (found by Jean-Philippe Aumasson) (not triggerable remotely).
4686 * Fix assembly selection for MIPS64 (thanks to James Cowgill).
4688 to a failed verification (found by Fredrik Axelsson).
4691 issue with some servers when a zero-length extension was sent. (Reported
4693 * On a 0-length input, base64_encode() did not correctly set output length
4697 * Use deterministic nonces for AEAD ciphers in TLS by default (possible to
4698 switch back to random with POLARSSL_SSL_AEAD_RANDOM_IV in config.h).
4700 * ssl_set_own_cert() now returns an error on key-certificate mismatch.
4702 * debug_print_buf() now prints a text view in addition to hexadecimal.
4704 but none of them is usable due to external factors such as no certificate
4706 * It is now possible to disable negotiation of truncated HMAC server-side
4712 = PolarSSL 1.3.9 released 2014-10-20
4716 * Remotely-triggerable memory leak when parsing some X.509 certificates
4719 * Remotely-triggerable memory leak when parsing crafted ClientHello
4726 * Fix net_accept() regarding non-blocking sockets (found by Luca Pesce).
4728 * Fix warnings from Clang's scan-build (contributed by Alfred Klomp).
4731 * Remove non-existent file from VS projects (found by Peter Vaskovic).
4732 * ssl_read() could return non-application data records on server while
4734 * Server-initiated renegotiation would fail with non-blocking I/O if the
4737 with non-blocking I/O.
4745 * Ciphersuites using SHA-256 or SHA-384 now require TLS 1.x (there is no
4746 standard defining how to use SHA-2 with SSL 3.0).
4747 * Ciphersuites using RSA-PSK key exchange new require TLS 1.x (the spec is
4748 ambiguous on how to encode some packets with SSL 3.0).
4753 * POLARSSL_MPI_MAX_SIZE now defaults to 1024 in order to allow 8192 bits
4759 = PolarSSL 1.3.8 released 2014-07-11
4762 It was possible to crash the server (and client) using crafted messages
4766 * Add CCM module and cipher mode to Cipher Layer
4768 * Support for parsing and verifying RSASSA-PSS signatures in the X.509
4771 * Add example config.h for PSK with CCM, optimized for low RAM usage.
4772 * Optimize for RAM usage in example config.h for NSA Suite B profile.
4773 * Add POLARSSL_REMOVE_ARC4_CIPHERSUITES to allow removing RC4 ciphersuites
4775 * Add server-side enforcement of sent renegotiation requests
4777 * Add SSL_CIPHERSUITES config.h flag to allow specifying a list of
4778 ciphersuites to use and save some memory if the list is small.
4783 * Migrate zeroizing of data to polarssl_zeroize() instead of memset()
4794 * Remove less-than-zero checks on unsigned numbers
4795 * Stricter check on SSL ClientHello internal sizes compared to actual packet
4806 rejected with CBC-based ciphersuites and TLS >= 1.1
4808 to 32 bytes with CBC-based ciphersuites and TLS >= 1.1
4809 * Restore ability to use a v1 cert as a CA if trusted locally. (This had
4811 * Restore ability to locally trust a self-signed cert that is not a proper
4817 * Fix off-by-one error in parsing Supported Point Format extension that
4818 caused some handshakes to fail.
4819 * Fix possible miscomputation of the premaster secret with DHE-PSK key
4820 exchange that caused some handshakes to fail with other implementations.
4823 * Fix base64_decode() to return and check length correctly (in case of
4825 * Fix mpi_write_string() to write "00" as hex output for empty MPI (found
4828 = PolarSSL 1.3.7 released on 2014-05-02
4830 * debug_set_log_mode() added to determine raw or full logging
4831 * debug_set_threshold() added to ignore messages over threshold level
4832 * version_check_feature() added to check for compile-time options at
4833 run-time
4840 * AES-NI now compiles with "old" assemblers too
4853 * rsa_check_pubkey() now allows an E up to N
4854 * On OpenBSD, use arc4random_buf() instead of rand() to prevent warnings
4856 big-endian platform when size was not an integer number of limbs
4863 = PolarSSL 1.3.6 released on 2014-04-11
4867 * Add option 'use_dev_random' to gen_key application
4877 * Use UTC time to check certificate validity.
4884 This affects certificates in the user-supplied chain except the top
4885 certificate. If the user-supplied chain contains only one certificates,
4902 * oid_get_numeric_string() used to truncate the output without returning an
4904 * dhm_parse_dhm() (hence dhm_parse_dhmfile()) did not set dhm->len.
4905 * Calling pk_debug() on an RSA-alt key would segfault.
4906 * pk_get_size() and pk_get_len() were off by a factor 8 for RSA-alt keys.
4910 stored in RAM due to missing 'const's (found by Gergely Budai).
4912 = PolarSSL 1.3.5 released on 2014-03-26
4914 * HMAC-DRBG as a separate module
4915 * Option to set the Curve preference order (disabled by default)
4917 * Ability to provide alternate timing implementation
4918 * Ability to force the entropy module to use SHA-256 as its basis
4920 * Testing script ssl-opt.sh added for testing 'live' ssl option
4928 now thread-safe if POLARSSL_THREADING_C defined
4929 * Improvements to the CMake build system, contributed by Julian Ospald.
4932 * Revamped the compat.sh interoperatibility script to include support for
4935 * Improvements to tests/Makefile, contributed by Oden Eriksson.
4938 * Forbid change of server certificate during renegotiation to prevent
4944 * Possible remotely-triggered out-of-bounds memory access fixed (found by
4948 * ecp_gen_keypair() does more tries to prevent failure because of
4951 * Fixed testing with out-of-source builds using cmake
4952 * Fixed version-major intolerance in server
4953 * Fixed CMake symlinking on out-of-source builds
4956 * Bignum's MIPS-32 assembly was used on MIPS-64, causing chaos. (Found by
4960 * Fixed bug with session tickets and non-blocking I/O in the unlikely case
4971 * x509_get_current_time() uses localtime_r() to prevent thread issues
4973 = PolarSSL 1.3.4 released on 2014-01-27
4976 * Support for RIPEMD-160
4992 = PolarSSL 1.3.3 released on 2013-12-31
4995 * Support for adhering to client ciphersuite order preference
4998 * Support for ECDH-RSA and ECDH-ECDSA key exchanges and ciphersuites
5000 * AES-NI support for AES, AES-GCM and AES key scheduling
5001 * SSL Pthread-based server example added (ssl_pthread_server)
5008 * More constant-time checks in the RSA module
5016 * Fixed X.509 hostname comparison (with non-regular characters)
5029 * Possible remotely-triggered out-of-bounds memory access fixed (found by
5032 = PolarSSL 1.3.2 released on 2013-11-04
5034 * PK tests added to test framework
5036 * Support for Camellia-GCM mode and ciphersuites
5039 * Padding checks in cipher layer are now constant-time
5040 * Value comparisons in SSL layer are now constant-time
5047 * Prevent possible alignment warnings on casting from char * to 'aligned *'
5048 * Misc fixes and additions to dependency checks
5052 * Defines to handle UEFI environment under MSVC
5053 * Server-side initiated renegotiations send HelloRequest
5055 = PolarSSL 1.3.1 released on 2013-10-15
5058 * Support for ECDHE-PSK key-exchange and ciphersuites
5059 * Support for RSA-PSK key-exchange and ciphersuites
5065 * config.h is more script-friendly
5077 = PolarSSL 1.3.0 released on 2013-10-01
5082 (ECDHE-based ciphersuites)
5084 (ECDSA-based ciphersuites)
5085 * Ability to specify allowed ciphersuites based on the protocol version.
5086 * PSK and DHE-PSK based ciphersuites added
5088 * Buffer-based memory allocator added (no malloc() / free() / HEAP usage)
5095 * Support for zeros-and-length (ANSI X.923) padding, one-and-zeros
5096 (ISO/IEC 7816-4) padding and zero padding in the cipher layer
5104 the same host (Not to be confused with SNI!)
5107 * Ability to enable / disable SSL v3 / TLS 1.0 / TLS 1.1 / TLS 1.2
5111 * Internals for SSL module adapted to have separate IV pointer that is
5113 * Moved all OID functionality to a separate module. RSA function
5118 * Ability to disable server_name extension (RFC 6066)
5119 * Renamed error_strerror() to the less conflicting polarssl_strerror()
5120 (Ability to keep old as well with POLARSSL_ERROR_STRERROR_BC)
5121 * SHA2 renamed to SHA256, SHA4 renamed to SHA512 and functions accordingly
5125 * Also compiles / runs without time-based functions (!POLARSSL_HAVE_TIME)
5136 * RSA blinding on CRT operations to counter timing attacks
5137 (found by Cyril Arnaud and Pierre-Alain Fouque)
5140 = Version 1.2.14 released 2015-05-??
5143 * Fix potential invalid memory read in the server, that allows a client to
5146 client to crash the server remotely if client authentication is enabled
5148 * Add countermeasure against "Lucky 13 strikes back" cache-based attack,
5156 * Fix potential unintended sign extension in asn1_get_len() on 64-bit
5159 = Version 1.2.13 released 2015-02-16
5160 Note: Although PolarSSL has been renamed to mbed TLS, no changes reflecting
5164 * Fix remotely-triggerable uninitialised pointer dereference caused by
5167 * Fix remotely-triggerable memory leak caused by crafted X.509 certificates
5180 add_len (found by Jean-Philippe Aumasson) (not triggerable remotely).
5185 * Fix assembly selection for MIPS64 (thanks to James Cowgill).
5187 to a failed verification (found by Fredrik Axelsson).
5190 issue with some servers when a zero-length extension was sent. (Reported
5192 * On a 0-length input, base64_encode() did not correctly set output length
5198 * Add compile-time option POLARSSL_X509_MAX_INTERMEDIATE_CA to limit the
5200 = Version 1.2.12 released 2014-10-24
5203 * Remotely-triggerable memory leak when parsing some X.509 certificates
5211 with non-blocking I/O.
5215 * Fix net_accept() regarding non-blocking sockets (found by Luca Pesce).
5216 * ssl_read() could return non-application data records on server while
5218 * Fix warnings from Clang's scan-build (contributed by Alfred Klomp).
5227 = Version 1.2.11 released 2014-07-11
5233 * Improvements to the CMake build system, contributed by Julian Ospald.
5236 * Improvements to tests/Makefile, contributed by Oden Eriksson.
5237 * Use UTC time to check certificate validity.
5239 * Migrate zeroizing of data to polarssl_zeroize() instead of memset()
5243 * Forbid change of server certificate during renegotiation to prevent
5251 It was possible to crash the server (and client) using crafted messages
5255 * Fixed X.509 hostname comparison (with non-regular characters)
5268 * Fixed testing with out-of-source builds using cmake
5269 * Fixed version-major intolerance in server
5270 * Fixed CMake symlinking on out-of-source builds
5271 * Bignum's MIPS-32 assembly was used on MIPS-64, causing chaos. (Found by
5277 * x509_get_current_time() uses localtime_r() to prevent thread issues
5283 * rsa_check_pubkey() now allows an E up to N
5284 * On OpenBSD, use arc4random_buf() instead of rand() to prevent warnings
5286 big-endian platform when size was not an integer number of limbs
5288 * Stricter check on SSL ClientHello internal sizes compared to actual packet
5294 * Fix base64_decode() to return and check length correctly (in case of
5297 = Version 1.2.10 released 2013-10-07
5299 * Changed RSA blinding to a slower but thread-safe version
5306 = Version 1.2.9 released 2013-10-01
5311 * Fixed potential memory leak when failing to resume a session
5318 * RSA blinding on CRT operations to counter timing attacks
5319 (found by Cyril Arnaud and Pierre-Alain Fouque)
5321 = Version 1.2.8 released 2013-06-19
5325 * Centralized module option values in config.h to allow user-defined
5333 * Added mechanism to provide alternative implementations for all
5335 config.h)
5349 * Fixed bignum.c and bn_mul.h to support Thumb2 and LLVM compiler
5350 * Fixed values for 2-key Triple DES in cipher layer
5354 * A possible DoS during the SSL Handshake, due to faulty parsing of
5355 PEM-encoded certificates has been fixed (found by Jack Lloyd)
5357 = Version 1.2.7 released 2013-04-13
5359 * Ability to specify allowed ciphersuites based on the protocol version.
5362 * Default Blowfish keysize is now 128-bits
5363 * Test suites made smaller to accommodate Raspberry Pi
5367 * GCM adapted to support sizes > 2^29
5369 = Version 1.2.6 released 2013-03-11
5372 * Corrected GCM counter incrementation to use only 32-bits instead of
5373 128-bits (found by Yawning Angel)
5374 * Fixes for 64-bit compilation with MS Visual Studio
5380 rsa_pkcs1_sign() and rsa_pkcs1_verify() to separate PKCS#1 v1.5 and
5384 * Re-added handling for SSLv2 Client Hello when the define
5392 * Removed timing differences due to bad padding from
5396 = Version 1.2.5 released 2013-02-02
5398 * Allow enabling of dummy error_strerror() to support some use-cases
5401 * Sending of security-relevant alert messages that do not break
5407 ssl_decrypt_buf() due to badly formatted padding
5409 = Version 1.2.4 released 2013-01-25
5411 * More advanced SSL ciphersuite representation and moved to more dynamic
5413 * Added ssl_handshake_step() to allow single stepping the handshake process
5421 = Version 1.2.3 released 2012-11-26
5425 = Version 1.2.2 released 2012-11-24
5427 * Added p_hw_data to ssl_context for context specific hardware acceleration
5429 * During verify trust-CA is only checked for expiration and CRL presence
5435 = Version 1.2.1 released 2012-11-20
5438 bottom-up (Peer cert depth is 0)
5443 * Allow R and A to point to same mpi in mpi_div_mpi (found by Manuel
5444 Pégourié-Gonnard)
5446 Pégourié-Gonnard)
5449 = Version 1.2.0 released 2012-10-31
5455 * Added support for multi-domain certificates through the X509 Subject
5463 * Added GCM suites to TLS 1.2 (RFC 5288)
5477 * Added option to add minimum accepted SSL/TLS protocol version
5482 * Fixed const-correctness mpi_get_bit()
5484 * Moved out_msg to out_hdr + 32 to support hardware acceleration
5485 * Changed certificate verify behaviour to comply with RFC 6125 section 6.3
5486 to not match CN if subjectAltName extension is present (Closes ticket #56)
5487 * Cipher layer cipher_mode_t POLARSSL_MODE_CFB128 is renamed to
5488 POLARSSL_MODE_CFB, to also handle different block size CFB modes.
5494 * Moved from unsigned long to fixed width uint32_t types throughout code
5495 * Renamed ciphersuites naming scheme to IANA reserved names
5508 * mpi_add_abs() now correctly handles adding short numbers to long numbers
5517 = Version 1.1.8 released on 2013-10-01
5519 * Fixed potential memory leak when failing to resume a session
5523 * Potential buffer-overflow for ssl_read_record() (independently found by
5528 = Version 1.1.7 released on 2013-06-19
5537 * Fixed values for 2-key Triple DES in cipher layer
5541 * A possible DoS during the SSL Handshake, due to faulty parsing of
5542 PEM-encoded certificates has been fixed (found by Jack Lloyd)
5544 = Version 1.1.6 released on 2013-03-11
5549 * Allow enabling of dummy error_strerror() to support some use-cases
5556 * Removed timing differences due to bad padding from
5560 = Version 1.1.5 released on 2013-01-16
5564 * mpi_add_abs() now correctly handles adding short numbers to long numbers
5571 Pégourié-Gonnard)
5572 * Allow R and A to point to same mpi in mpi_div_mpi (found by Manuel
5573 Pégourié-Gonnard)
5584 = Version 1.1.4 released on 2012-05-31
5590 = Version 1.1.3 released on 2012-04-29
5592 * Fixed random MPI generation to not generate more size than requested.
5594 = Version 1.1.2 released on 2012-04-26
5601 Frama-C team at CEA LIST)
5602 * Fixed generation of DHM parameters to correct length (found by Ruslan
5605 = Version 1.1.1 released on 2012-01-23
5609 * Fixed issues with Intel compiler on 64-bit systems (Closes ticket #50)
5613 = Version 1.1.0 released on 2011-12-22
5615 * Added ssl_session_reset() to allow better multi-connection pools of
5616 SSL contexts without needing to set all non-connection-specific
5617 data and pointers again. Adapted ssl_server to use this functionality.
5618 * Added ssl_set_max_version() to allow clients to offer a lower maximum
5619 supported version to a server to help buggy server implementations.
5623 * Added CTR_DRBG based on AES-256-CTR (NIST SP 800-90) random generator
5630 * Fixed rsa_encrypt and rsa_decrypt examples to use public key for
5632 * Inceased maximum size of ASN1 length reads to 32-bits.
5633 * Added an EXPLICIT tag number parameter to x509_get_ext()
5637 * Changed the defined key-length of DES ciphers in cipher.h to include the
5638 parity bits, to prevent mistakes in copying data. (Closes ticket #33)
5639 * Loads of minimal changes to better support WINCE as a build target
5640 (Credits go to Marco Lizza)
5641 * Added POLARSSL_MPI_WINDOW_SIZE definition to allow easier time to memory
5642 trade-off
5645 * Changed the used random function pointer to more flexible format. Renamed
5646 havege_rand() to havege_random() to prevent mistakes. Lots of changes as
5648 * Moved all examples programs to use the new entropy and CTR_DRBG
5649 * Added permissive certificate parsing to x509parse_crt() and
5651 encountering a parse-error. Beware that the meaning of return values has
5656 * Fixed faulty HMAC-MD2 implementation. Found by dibac. (Closes
5660 * Allowed X509 key usage parsing to accept 4 byte values instead of the
5662 * Fixed incorrect behaviour in case of RSASSA-PSS with a salt length
5671 = Version 1.0.0 released on 2011-07-27
5684 = Version 0.99-pre5 released on 2011-05-26
5686 * Added additional Cipher Block Modes to symmetric ciphers
5687 (AES CTR, Camellia CTR, XTEA CBC) including the option to
5691 * A error_strerror function() has been added to translate between
5701 t_int and t_dbl to t_uint and t_udbl in the process
5717 = Version 0.99-pre4 released on 2011-04-01
5720 for the RSAES-OAEP and RSASSA-PSS operations.
5735 platform (32-bit / 64-bit) (Fixes ticket #19, found by Mads
5739 * Fixed proper handling of RSASSA-PSS verification with variable
5742 = Version 0.99-pre3 released on 2011-02-28
5743 This release replaces version 0.99-pre2 which had possible copyright issues.
5747 * Added crl_app program to allow easy reading and
5751 * Parsing of PEM files moved to separate module (Fixes
5752 ticket #13). Also possible to remove PEM support for
5764 to negotiate anonymous connection (Fixes ticket #12,
5768 * Fixed a possible Man-in-the-Middle attack on the
5769 Diffie Hellman key exchange (thanks to Larry Highsmith,
5772 = Version 0.99-pre1 released on 2011-01-30
5774 Note: Most of these features have been donated by Fox-IT
5777 * Improved X509 certificate parsing to include extended
5782 * Improvements to support integration in other
5788 verification to allow external blacklisting
5789 + Additional example programs to show usage
5791 libpkcs11-helper library
5794 * x509parse_time_expired() checks time in addition to
5797 of ssl_session have been renamed to ciphersuites and
5802 = Version 0.14.0 released on 2010-08-16
5806 * Added compile-time and run-time version information
5813 Now using random fuction provided to function and
5816 * Some SSL defines were renamed in order to avoid
5826 = Version 0.13.1 released on 2010-03-24
5831 = Version 0.13.0 released on 2010-03-21
5833 * Added option parsing for host and port selection to
5836 * Added cert_app program to allow easy reading and
5843 in a function to allow easy future expansion
5844 * Changed symmetric cipher functions to
5846 * Changed ARC4 to use separate input/output buffer
5847 * Added reset function for HMAC context as speed-up
5848 for specific use-cases
5851 * Fixed bug resulting in failure to send the last
5859 = Version 0.12.1 released on 2009-10-04
5870 = Version 0.12.0 released on 2009-07-28
5872 * Added CMake makefiles as alternative to regular Makefiles.
5874 Base64, MPI, SHA-family, MD-family, HMAC-SHA-family,
5875 Camellia, DES, 3-DES, RSA PKCS#1, XTEA, Diffie-Hellman
5881 * RSA_RAW renamed to SIG_RSA_RAW for consistency.
5884 to indicate invalid key lengths.
5891 * Fixed HMAC-MD2 by modifying md2_starts(), so that the
5912 * Fixed Camellia and XTEA for 64-bit Windows systems.
5914 = Version 0.11.1 released on 2009-05-17
5915 * Fixed missing functionality for SHA-224, SHA-256, SHA384,
5916 SHA-512 in rsa_pkcs1_sign()
5918 = Version 0.11.0 released on 2009-05-03
5920 input numbers are even and added testcases to check
5922 * Added support for SHA-224, SHA-256, SHA-384 and SHA-512
5932 * Made definition of net_htons() endian-clean for big endian
5936 * Fixed an off-by-one buffer allocation in ssl_set_hostname()
5939 * Added support for CRL revocation to x509parse_verify() and
5941 * Fixed compatibility of XTEA and Camellia on a 64-bit system
5944 = Version 0.10.0 released on 2009-01-12
5945 * Migrated XySSL to PolarSSL
5956 = Version 0.9 released on 2008-03-16
5961 * Fixed a bug in ssl_write() that caused the same payload to
5962 be sent twice in non-blocking mode when send returns EAGAIN
5965 * Added user-defined callback debug function (Krystian Kolodziej)
5971 output data is non-aligned by falling back to the software
5972 implementation, as VIA Nehemiah cannot handle non-aligned buffers
5974 Robson-Garth; some x509write.c fixes by Pascal Vizeli, thanks to
5976 * Fixed x509_get_ext() to accept some rare certificates which have
5982 * Added an option to enable/disable the BN assembly code
5983 * Updated rsa_check_privkey() to verify that (D*E) = 1 % (P-1)*(Q-1)
5985 selftest and benchmark to not test ciphers that have been disabled
5986 * Updated x509parse_cert_info() to correctly display byte 0 of the
5988 * Fixed a critical denial-of-service with X.509 cert. verification:
5989 peer may cause xyssl to loop indefinitely by sending a certificate
5991 * Added test vectors for: AES-CBC, AES-CFB, DES-CBC and 3DES-CBC,
5992 HMAC-MD5, HMAC-SHA1, HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512
5993 * Fixed HMAC-SHA-384 and HMAC-SHA-512 (thanks to Josh Sinykin)
5994 * Modified ssl_parse_client_key_exchange() to protect against
5996 as the Klima-Pokorny-Rosa extension of Bleichenbacher's attack
5997 * Updated rsa_gen_key() so that ctx->N is always nbits in size
5998 * Fixed assembly PPC compilation errors on Mac OS X, thanks to
6001 = Version 0.8 released on 2007-10-20
6003 * Modified the HMAC functions to handle keys larger
6004 than 64 bytes, thanks to Stephane Desneux and gary ng
6005 * Fixed ssl_read_record() to properly update the handshake
6008 * Fixed net_recv(), thanks to Lorenz Schori and Egon Kocjan
6009 * Added user-defined callbacks for handling I/O and sessions
6013 * Added AES-CFB mode of operation, contributed by chmike
6015 * Updated the RSA PKCS#1 code to allow choosing between
6017 * Updated ssl_read() to skip 0-length records from OpenSSL
6018 * Fixed the make install target to comply with *BSD make
6019 * Fixed a bug in mpi_read_binary() on 64-bit platforms
6020 * mpi_is_prime() speedups, thanks to Kevin McLaughlin
6026 = Version 0.7 released on 2007-07-07
6028 * Added support for the MicroBlaze soft-core processor
6030 connections from being established with non-blocking I/O
6034 * Added the SHA-224, SHA-384 and SHA-512 hash functions
6035 * Fixed the net_set_*block routines, thanks to Andreas
6039 * Rewrote README.txt in program/ssl/ca to better explain
6040 how to create a test PKI
6042 = Version 0.6 released on 2007-04-01
6045 time, to reduce the memory footprint on embedded systems
6047 havege_struct for this processor, thanks to David Patiño
6048 * Added multiply assembly code for 64-bit PowerPCs,
6049 thanks to Peking University and the OSU Open Source Lab
6052 * Fixed "long long" compilation issues on IA-64 and PPC64
6053 * Fixed a bug introduced in xyssl-0.5/timing.c: hardclock
6056 = Version 0.5 released on 2007-03-01
6059 * Added (beta) support for non-blocking I/O operations
6062 (thanks to Benjamin Newman), HP-UX, FreeBSD and Solaris
6065 size of 16384 bytes to be rejected
6067 = Version 0.4 released on 2007-02-01
6069 * Added support for Ephemeral Diffie-Hellman key exchange
6071 * Various improvement to the modular exponentiation code
6072 * Rewrote the headers to generate the API docs with doxygen
6075 version was not properly set), thanks to Didier Rebeix
6080 = Version 0.3 released on 2007-01-01
6082 * Added server-side SSLv3 and TLSv1.0 support
6083 * Multiple fixes to enhance the compatibility with g++,
6084 thanks to Xosé Antón Otero Ferreira
6085 * Fixed a bug in the CBC code, thanks to dowst; also,
6087 * Updated rsa_pkcs1_sign to handle arbitrary large inputs
6089 and 486 processors, thanks to Arnaud Cornet
6091 = Version 0.2 released on 2006-12-01
6093 * Updated timing.c to support ARM and MIPS arch
6094 * Updated the MPI code to support 8086 on MSVC 1.5
6096 * Fixed a bug in sha2_hmac, thanks to newsoft/Wenfang Zhang
6100 valid RSA keys to be dismissed (thanks to oldwolf)
6101 * Fixed a bug in mpi_is_prime that caused some primes to fail
6102 the Miller-Rabin primality test
6104 I'd also like to thank Younès Hafri for the CRUX linux port,
6106 who maintains the Debian package :-)
6108 = Version 0.1 released on 2006-11-01