
Lines Matching +full:ipv4 +full:- +full:no +full:- +full:config +full:- +full:for +full:- +full:cpp

3 = Mbed TLS 3.6.0 branch released 2024-03-28
18 * Drop support for Visual Studio 2013 and 2015, and Arm Compiler 5.
21 * Rename the MBEDTLS_SHA256_USE_A64_CRYPTO_xxx config options to
24 * In the PSA API, domain parameters are no longer used for anything.
32 an RSA key as a domain parameter is no longer supported. Use
42 * Support Armv8-A Crypto Extension acceleration for SHA-256
43 when compiling for Thumb (T32) or 32-bit Arm (A32).
44 * AES-NI is now supported in Windows builds with clang and clang-cl.
50 This affects both the low-level modules and the high-level APIs
53 * Support use of Armv8-A Cryptographic Extensions for hardware accelerated
54 AES when compiling for Thumb (T32) or 32-bit Arm (A32).
56 library without the corresponding built-in implementation. Generally
58 or they'll both be built in. However, for CCM and GCM the built-in
61 docs/driver-only-builds.md for full details and current limitations.
67 GCM modules no longer depend on MBEDTLS_CIPHER_C. Also,
69 unauthenticated (non-AEAD) ciphers are disabled, or if they're all
70 fully provided by drivers. See docs/driver-only-builds.md for full
73 * Add support for record size limit extension as defined by RFC 8449
77 * Improve performance of AES-GCM, AES-CTR and CTR-DRBG when
78 hardware accelerated AES is not present (around 13-23% on 64-bit Arm).
88 * Add partial platform support for z/OS.
89 * Improve performance for gcc (versions older than 9.3.0) and IAR.
92 * Add support for using AES-CBC 128, 192, and 256 bit schemes
95 in bits, i.e. the key size for an RSA key.
96 * Add pc files for pkg-config, e.g.:
97 pkg-config --cflags --libs (mbedtls|mbedcrypto|mbedx509)
103 * The benchmark program now reports times for both ephemeral and static
105 * Add support for 8-bit GCM tables for Shoup's algorithm to speedup GCM
107 performance by around 30% on 64-bit Intel; 125% on Armv7-M.
127 * Add new accessors to expose the private session-id,
128 session-id length, and ciphersuite-id members of
130 Add new accessor to expose the ciphersuite-id of
133 docs/tls13-early-data.md). The support enablement is controlled at build
136 * Add protection for multithreaded access to the PSA keystore and protection
137 for multithreaded access to the PSA global state, including
140 docs/architecture/psa-thread-safety/psa-thread-safety.md for more details.
153 PSA functions are owned exclusively by the PSA core for the duration of
154 the function call (i.e. no buffer parameters are in shared memory),
156 Note that setting this option will cause input-output buffer overlap to
158 Fixes CVE-2024-28960.
164 Fixes CVE-2024-28755.
167 - If the TLS 1.2 implementation was disabled at build time, a TLS 1.2
168 client could put the TLS 1.3-only server in an infinite loop processing
171 - If the TLS 1.2 implementation was disabled at runtime, a TLS 1.2 client
174 Fixes CVE-2024-28836.
177 * Fix the build with CMake when Everest or P256-m is enabled through
188 * Fix build failure in conda-forge. Fixes #8422.
190 * Switch to milliseconds as the unit for ticket creation and reception time
201 * On Linux on ARMv8, fix a build error with SHA-256 and SHA-512
204 * Correct initial capacities for key derivation algorithms: TLS12_PRF,
205 TLS12_PSK_TO_MS, PBKDF2-HMAC, PBKDF2-CMAC
206 * Fix mbedtls_pk_get_bitlen() for RSA keys whose size is not a
213 mbedtls_pk_encrypt() on non-opaque RSA keys to honor the padding mode in
215 RSA context was configured for PKCS#1 v2.1 (PSS/OAEP), the sign/verify
235 This reduces stack usage significantly for writing a public/private
237 * PSA_WANT_ALG_CCM and PSA_WANT_ALG_CCM_STAR_NO_TAG are no more synonyms and
246 * Extended PSA Crypto configurations options for FFDH by making it possible
249 for each size you want to support. Also, if you have an FFDH accelerator,
251 support for these domain parameters.
252 * RSA support in PSA no longer auto-enables the pkparse and pkwrite modules,
263 = Mbed TLS 3.5.2 branch released 2024-01-26
267 could be sufficient for an attacker to recover the plaintext. A local
270 the attacker to send a large number of messages for decryption. For
274 could result in an integer overflow, causing a zero-length buffer to be
278 = Mbed TLS 3.5.1 branch released 2023-11-06
281 * Mbed TLS is now released under a dual Apache-2.0 OR GPL-2.0-or-later
288 = Mbed TLS 3.5.0 branch released 2023-10-05
291 * Mbed TLS 3.4 introduced support for omitting the built-in implementation
292 of ECDSA and/or EC J-PAKE when those are provided by a driver. However,
293 there was a flaw in the logic checking if the built-in implementation, in
295 accelerator. As a result, it was possible to declare no curves as
296 accelerated and still have the built-in implementation compiled out.
299 considered not accelerated, and the built-in implementation of the curves
302 function, needed for TLS 1.3 ticket lifetimes. Alternative implementations
316 the capabilities of the PSA side for either key.
325 for overflow of the output buffer and reporting the actual length
334 provided - these limitations are lifted in this version. A new set of
336 to check for availability of hash algorithms, regardless of whether
337 they're provided by a built-in implementation, a driver or both. See
338 docs/driver-only-builds.md.
339 * When a PSA driver for ECDH is present, it is now possible to disable
340 MBEDTLS_ECDH_C in the build in order to save code size. For TLS 1.2
343 TLS 1.2 (ECDHE-ECDSA key exchange) are not supported in those builds yet,
344 as PSA does not have an API for restartable ECDH yet.
345 * When all of ECDH, ECDSA and EC J-PAKE are either disabled or provided by
347 if not required by another module) and still get support for ECC keys and
348 algorithms in PSA, with some limitations. See docs/driver-only-builds.txt
349 for details.
350 * Add parsing of directoryName subtype for subjectAltName extension in
352 * Add support for server-side TLS version negotiation. If both TLS 1.2 and
357 * Add support for reading and writing X25519 and X448
361 * Don't include the PSA dispatch functions for PAKEs (psa_pake_setup() etc)
362 if no PAKE algorithms are requested
363 * Add support for the FFDH algorithm and DH key types in PSA, with
364 parameters from RFC 7919. This includes a built-in implementation based
370 See mbedtls_x509write_crt_set_subject_alternative_name for
376 string to a DER-encoded mbedtls_asn1_buf.
377 * Add SHA-3 family hash functions.
378 * Add support to restrict AES to 128-bit keys in order to save code size.
383 Aarch64, gcc -Os and CCM, GCM and XTS benefit the most.
384 On Aarch64, uplift is typically around 20 - 110%.
385 When compiling with gcc -Os on Aarch64, AES-XTS improves
387 * Add support for PBKDF2-HMAC through the PSA API.
391 PSA capabilities for each key. These capabilities, named yyy above, can be
393 - DERIVE is only available for ECC keys, not for RSA or DH ones.
394 - implementations are free to enable more than what it was strictly
395 requested. For example BASIC internally enables IMPORT and EXPORT
396 (useful for testing purposes), but this might change in the future.
397 * Add support for FFDH key exchange in TLS 1.3.
399 and the ephemeral or psk-ephemeral key exchange mode are enabled.
412 * Support for "opaque" (PSA-held) ECC keys in the PK module has been
418 representation of A for some curves. Fixes #8045.
421 * Add support for PBKDF2-CMAC through the PSA API.
423 using CPU-accelerated AES (e.g., Arm Crypto Extensions), this option
424 disables the plain C implementation and the run-time detection for the
432 option MBEDTLS_PSA_P256M_DRIVER_ENABLED for details.
447 which checks for overflow of the output buffer and reports the actual
451 (notably recent versions of Clang and IAR) could produce non-constant
454 * Updates to constant-time C code so that compilers are less likely to use
457 implementations for 32- and 64-bit Arm and for x86 and x86-64, which are
465 null-cipher cipher suites. Credit to OSS-Fuzz.
467 In TLS 1.3, all configurations are affected except PSK-only ones, and
472 Credit to OSS-Fuzz.
475 * Fix proper sizing for PSA_EXPORT_[KEY_PAIR/PUBLIC_KEY]_MAX_SIZE and
477 than all built-in ones and RSA is disabled.
481 was sufficient for a particular program to work, it would only print
491 * Fix the J-PAKE driver interface for user and peer to accept any values
494 M-class CPUs (Cortex-M0, Cortex-M0+, Cortex-M1, Cortex-M23,
504 building for arm64_32 (e.g., for watchos). Reported by Paulo
512 example TF-M configuration in configs/ from building cleanly:
519 * Fix CCM* with no tag being not supported in a build with CCM as the only
527 * Fix a potential corruption of the passed-in IV when mbedtls_aes_crypt_cbc()
537 mbedtls_x509_san_other_name struct. The type-id of the otherName was not
544 enabled, where some low-level modules required by requested PSA crypto
548 * Fix log level for the got supported group message. Fixes #6765
553 * Fix the build with CMake when Everest or P256-m is enabled through
557 * Enable Arm / Thumb bignum assembly for most Arm platforms when
558 compiling with gcc, clang or armclang and -O0.
562 This reduces stack usage significantly for RSA signature
576 = Mbed TLS 3.4.1 branch released 2023-08-04
582 * Update test data to avoid failures of unit tests after 2023-08-07.
584 = Mbed TLS 3.4.0 branch released 2023-03-28
599 optionally providing file-specific error pairs. Please see psa_util.h for
603 * Added partial support for parsing the PKCS #7 Cryptographic Message
606 - Only the signed-data content type, version 1 is supported.
607 - Only DER encoding is supported.
608 - Only a single digest algorithm per message is supported.
609 - Certificates must be in X.509 format. A message must have either 0
611 - There is no support for certificate revocation lists.
612 - The authenticated and unauthenticated attribute fields of SignerInfo
614 Many thanks to Daniel Axtens, Nayna Jain, and Nick Child from IBM for
615 contributing this feature, and to Demi-Marie Obenour for contributing
619 * Improvements to use of unaligned and byte-swapped memory, reducing code
622 * Add support for reading points in compressed format
624 (and callers) for Short Weierstrass curves with prime p where p = 3 mod 4
630 * Add parsing of V3 extensions (key usage, Netscape cert-type,
633 configuration-independent files. This allows them to be generated when
634 CC is set for cross compilation.
635 * Add parsing of uniformResourceIdentifier subtype for subjectAltName
638 backed by internal library support for ECDSA signing and verification.
639 * Add parsing of rfc822Name subtype for subjectAltName
642 MBEDTLS_PSA_CRYPTO_STRUCT_FILE specify alternative locations for
644 * When a PSA driver for ECDSA is present, it is now possible to disable
645 MBEDTLS_ECDSA_C in the build in order to save code size. For PK, X.509
648 supported in those builds yet, as driver support for interruptible ECDSA
650 * Add a driver dispatch layer for EC J-PAKE, enabling alternative
651 implementations of EC J-PAKE through the driver entry points.
652 * Add new API mbedtls_ssl_cache_remove for cache entry removal by
655 * Add support for AES with the Armv8-A Cryptographic Extension on
656 64-bit Arm. A new configuration option, MBEDTLS_AESCE_C, can
657 be used to enable this feature. Run-time detection is supported
659 * When a PSA driver for EC J-PAKE is present, it is now possible to disable
660 MBEDTLS_ECJPAKE_C in the build in order to save code size. For the
664 to read non-public fields for padding mode and hash id from
666 * AES-NI is now supported with Visual Studio.
667 * AES-NI is now supported in 32-bit builds, or when MBEDTLS_HAVE_ASM
669 for a target CPU that supports the requisite instructions (for example
670 gcc -m32 -msse2 -maes -mpclmul). (Generic x86 builds with GCC-like
671 compilers still require MBEDTLS_HAVE_ASM and a 64-bit target.)
672 * It is now possible to use a PSA-held (opaque) password with the TLS 1.2
677 * Use platform-provided secure zeroization function where possible, such as
680 * Fix a potential heap buffer overread in TLS 1.3 client-side when
682 * Add support for AES with the Armv8-A Cryptographic Extension on 64-bit
683 Arm, so that these systems are no longer vulnerable to timing side-channel
687 builds that couldn't compile the GCC-style assembly implementation
689 timing side-channel attacks. There is now an intrinsics-based AES-NI
690 implementation as a fallback for when the assembly one cannot be used.
699 * In TLS 1.3, when using a ticket for session resumption, tweak its age
708 be toggled with config.py.
714 forbidden by the standard (RFC5280 - section 4.1.2.2) and now it's being
719 * Fix behavior of certain sample programs which could, when run with no
732 * Reject OIDs with overlong-encoded subidentifiers when converting
737 have the most-significant bit set in their last byte.
738 * Silence warnings from clang -Wdocumentation about empty \retval
742 * Fix an unused-variable warning in TLS 1.3-only builds if
746 * Allow setting user and peer identifiers for EC J-PAKE operation
749 * Fix a compilation error when PSA Crypto is built with support for
753 * Fix TLS 1.3 session resumption when the established pre-shared key is
754 384 bits long. That is the length of pre-shared keys created under a
765 * Mixed-endian systems are explicitly not supported any more.
767 defined, mbedtls_pk_sign() now uses deterministic ECDSA for ECDSA
774 - now it accepts the serial number in 2 different formats: decimal and
776 - "serial" is used for the decimal format and it's limited in size to
778 - "serial_hex" is used for the hex format; max length here is
780 * The C code follows a new coding style. This is transparent for users but
781 affects contributors and maintainers of local patches. For more
783 https://mbed-tls.readthedocs.io/en/latest/kb/how-to/rewrite-branch-for-coding-style/
789 to best results when tested on Cortex-M4 and Intel i7.
791 MBEDTLS_SHA512_USE_A64_CRYPTO_*, it is no longer necessary to specify
795 = Mbed TLS 3.3.0 branch released 2022-12-14
800 It is now no longer experimental, and implements the final version from
801 RFC 9146, which is not interoperable with the draft-05 version.
805 standard (non-draft) version.
829 * Expose the EC J-PAKE functionality through the Draft PSA PAKE Crypto API.
830 Only the ECC primitive with secp256r1 curve and SHA-256 hash algorithm
832 * Some modules can now use PSA drivers for hashes, including with no
833 built-in implementation present, but only in some configurations.
834 - RSA OAEP and PSS (PKCS#1 v2.1), PKCS5, PKCS12 and EC J-PAKE now use
836 - PEM parsing of encrypted files now uses MD-5 from PSA when (and only
838 See the documentation of the corresponding macros in mbedtls_config.h for
841 the entropy module. As a consequence, for now the only way to build with
842 all hashes only provided by drivers (no built-in hash) is to use
846 As a consequence, they now work in configurations where the built-in
848 provided by PSA drivers. (See previous entry for limitation on RSA-PSS
850 * Add support for opaque keys as the private keys associated to certificates
851 for authentication in TLS 1.3.
852 * Add the LMS post-quantum-safe stateful-hash asymmetric signature scheme.
853 Signature verification is production-ready, but generation is for testing
856 1024 messages. As such, it is not intended for use in TLS, but instead
857 for verification of assets transmitted over an insecure channel,
859 * Add the LM-OTS post-quantum-safe one-time signature scheme, which is
860 required for LMS. This can be used independently, but each key can only
861 be used to sign one message so is impractical for most circumstances.
862 * Mbed TLS now supports TLS 1.3 key establishment via pre-shared keys.
863 The pre-shared keys can be provisioned externally or via the ticket
868 control the support for the three possible TLS 1.3 key exchange modes.
869 * cert_write: support for setting extended key usage attributes. A
872 * cert_write: support for writing certificate files in either PEM
881 * The TLS 1.2 EC J-PAKE key exchange can now use the PSA Crypto API.
883 exchange for builds that enable MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED and
885 * Add support for DTLS Connection ID as defined by RFC 9146, controlled by
888 * Add a driver dispatch layer for raw key agreement, enabling alternative
892 * Add an ad-hoc key derivation function handling EC J-PAKE to PMS
894 as described in draft-cragie-tls-ecjpake-01. This can be achieved by
904 victim performing a single private-key operation if the window size used
905 for the exponentiation was 3 or smaller. Found and reported by Zili KOU,
906 Wenjian HE, Sharad Sinha, and Wei ZHANG. See "Cache Side-channel Attacks
907 and Defenses of the Sliding Window Algorithm in TEEs" - Design, Automation
911 * Refactor mbedtls_aes_context to support shallow-copying. Fixes #2147.
912 * Fix an issue with in-tree CMake builds in releases with GEN_FILES
915 * Fix a long-standing build failure when building x86 PIC code with old
918 * Fix support for little-endian Microblaze when MBEDTLS_HAVE_ASM is defined.
930 advertised support for PSS in both TLS 1.2 and 1.3, but only
946 PSA drivers for AEAD (GCM, CCM, Chacha20-Poly1305).
963 * Fix a bug in which mbedtls_x509_crt_info() would produce non-printable
970 * In the bignum module, operations of the form (-A) - (+A) or (-A) - (-A)
972 not processed correctly by some bignum operations. Fix this. This had no
984 to OSS-Fuzz. Fixes #6597.
987 * Move some SSL-specific code out of libmbedcrypto where it had been placed
989 * Fix a build error when compiling the bignum module for some Arm platforms.
994 * Calling AEAD tag-specific functions for non-AEAD algorithms (which
995 should not be done - they are documented for use only by AES-GCM and
999 = Mbed TLS 3.2.1 branch released 2022-07-12
1002 * Re-add missing generated file library/psa_crypto_driver_wrappers.c
1004 = Mbed TLS 3.2.0 branch released 2022-07-11
1008 for IV lengths other than 12. The library was silently overwriting this
1012 * The library will no longer compile out of the box on a platform without
1029 mbedtls_ssl_conf_sig_algs(). Signature algorithms for the TLS 1.2 and
1036 * Add mbedtls_ssl_ticket_rotate() for external ticket rotation.
1039 a piece of user data which is reserved for the application. The user
1051 mbedtls_ssl_set_hs_own_cert() with NULL value for own_cert param.
1055 * Add support for psa crypto key derivation for elliptic curve
1060 * Add mbedtls_pk_sign_ext() which allows generating RSA-PSS signatures when
1069 * Introduce mbedtls_ssl_hs_cb_t typedef for use with
1076 mixed-PSK. Add an optional input PSA_KEY_DERIVATION_INPUT_OTHER_SECRET
1085 * Add HKDF-Expand and HKDF-Extract as separate algorithms in the PSA API.
1086 * Add support for the ARMv8 SHA-2 acceleration instructions when building
1087 for Aarch64.
1088 * Add support for authentication of TLS 1.3 clients by TLS 1.3 servers.
1089 * Add support for server HelloRetryRequest message. The TLS 1.3 client is
1092 * Add support for client-side TLS version negotiation. If both TLS 1.2 and
1098 establishment only). See docs/architecture/tls13-support.md for a
1101 * Add accessors to configure DN hints for certificate request:
1106 docs/use-psa-crypto.md for the list of exceptions.
1110 * Opaque pre-shared keys for TLS, provisioned with
1112 previously only worked for "pure" PSK key exchange, now can also be used
1113 for the "mixed" PSK key exchanges as well: ECDHE-PSK, DHE-PSK, RSA-PSK.
1114 * cmake now detects if it is being built as a sub-project, and in that case
1123 * Zeroize dynamically-allocated buffers used by the PSA Crypto key storage
1132 * Fix a potential heap buffer overread in TLS 1.2 server-side when
1139 or a man-in-the-middle could cause a DTLS server to read up to 255 bytes
1153 provided by a client or server certificate for authentication was not
1161 pattern for PSA_WANT_xxx symbols. Previously you had to specify
1162 PSA_WANT_ALG_CCM for PSA_ALG_CCM_STAR_NO_TAG.
1169 enabled and an ECDHE-ECDSA or ECDHE-RSA key exchange was used, the
1170 client would fail to check that the curve selected by the server for
1183 * Fix a race condition in out-of-source builds with CMake when generated data
1189 the function needs to be re-called after initially returning
1227 * Fix server connection identifier setting for outgoing encrypted records
1235 non-compliant. This could not lead to a buffer overflow. In particular,
1254 driver descriptions. For the time being, to customize this file,
1255 see docs/proposed/psa-driver-wrappers-codegen-migration-guide.md
1256 * Return PSA_ERROR_INVALID_ARGUMENT if the algorithm passed to one-shot
1259 * In mbedtls_pk_parse_key(), if no password is provided, don't allocate a
1261 * Assume source files are in UTF-8 when using MSVC with CMake.
1266 variable. For backward compatibility, set CMAKE_INSTALL_LIBDIR if
1270 * In CMake builds, add aliases for libraries so that the normal MbedTLS::*
1274 = mbed TLS 3.1.0 branch released 2021-12-17
1277 * New error code for GCM: MBEDTLS_ERR_GCM_BUFFER_TOO_SMALL.
1281 * You can configure groups for a TLS key exchange with the new function
1286 POSIX/Unix-like platforms.
1289 * Sign-magnitude and one's complement representations for signed integers are
1297 * Remove the partial support for running unit tests via Greentea on Mbed OS,
1301 * Enable support for Curve448 via the PSA API. Contributed by
1308 supported on GCC-like compilers and on MSVC and can be configured through
1310 (where supported) for critical functions where ignoring the return
1312 MBEDTLS_CHECK_RETURN_WARNING to get warnings for other functions. This
1317 * Add support for CCM*-no-tag cipher to the PSA.
1318 Currently only 13-byte long IVs are supported.
1319 For decryption a minimum of 16-byte long input is expected.
1321 * Add new API mbedtls_ct_memcmp for constant time buffer comparison.
1324 * Add the internal implementation of and support for CCM to the PSA multipart
1327 protocol. See docs/architecture/tls13-support.md for the definition of
1332 * Add PSA API definition for ARIA.
1337 case the value leaks through a memory disclosure vulnerability. For
1339 man-in-the-middle to inject fake ciphertext into a DTLS connection.
1348 * Fix a double-free that happened after mbedtls_ssl_set_session() or
1357 The check was accidentally not performed when cross-compiling for Windows
1366 for bignum multiplication that broke some bignum operations with
1369 * Fix mbedtls_cipher_crypt: AES-ECB when MBEDTLS_USE_PSA_CRYPTO is enabled.
1370 * Failures of alternative implementations of AES or DES single-block
1374 where this function cannot fail, or full-module replacements with
1378 * Fix the error returned by psa_generate_key() for a public key. Fixes #4551.
1379 * Fix compile-time or run-time errors in PSA
1381 * Remove PSA's AEAD finish/verify output buffer limitation for GCM.
1382 The requirement of minimum 15 bytes for output buffer in
1383 psa_aead_finish() and psa_aead_verify() does not apply to the built-in
1386 the built-in implementation of the GCM.
1387 The requirement for output buffer size to be equal or greater than
1388 input buffer size is valid only for the built-in implementation of GCM.
1393 This algorithm now accepts only the same salt length for verification
1397 for algorithm values that fully encode the hashing step, as per the PSA
1408 * Fix the build when no SHA2 module is included. Fixes #4930.
1422 oversight during the run-up to the release of Mbed TLS 3.0.
1424 * Implement multi-part CCM API.
1425 The multi-part functions: mbedtls_ccm_starts(), mbedtls_ccm_set_lengths(),
1429 Implemented functions support chunked data input for both CCM and CCM*
1435 * Improve the performance of base64 constant-flow code. The result is still
1436 slower than the original non-constant-flow implementation, but much faster
1437 than the previous constant-flow implementation. Fixes #4814.
1438 * Ignore plaintext/ciphertext lengths for CCM*-no-tag operations.
1439 For CCM* encryption/decryption without authentication, input
1442 ChaCha20-Poly1305 is invalid, and not just unsupported.
1449 * The generated configuration-independent files are now automatically
1450 generated by the CMake build system on Unix-like systems. This is not
1451 yet supported when cross-compiling.
1453 = Mbed TLS 3.0.0 branch released 2021-07-07
1457 The design of HAVEGE makes it unsuitable for microcontrollers. Platforms
1462 https://mbed-tls.readthedocs.io/en/latest/kb/how-to/add-entropy-sources-to-entropy-pool/ for
1465 * Remove helpers for the transition from Mbed TLS 1.3 to Mbed TLS 2.0: the
1466 header compat-1.3.h and the script rename.pl.
1472 Various helpers and definitions available for use in alt implementations
1478 Header files that were only meant for the library's internal use and
1482 * Drop support for parsing SSLv2 ClientHello
1484 * Drop support for SSLv3 (MBEDTLS_SSL_PROTO_SSL3).
1485 * Drop support for TLS record-level compression (MBEDTLS_ZLIB_SUPPORT).
1486 * Drop support for RC4 TLS ciphersuites.
1487 * Drop support for single-DES ciphersuites.
1488 * Drop support for MBEDTLS_SSL_HW_RECORD_ACCEL.
1491 key type used, as well as the key bit-size in the case of
1506 when outputting a SHA-384 or SHA-224 hash into a buffer of exactly
1508 * Remove the MBEDTLS_TEST_NULL_ENTROPY config option. Fixes #4388.
1511 now takes extra output parameters for the last partial output block.
1512 mbedtls_gcm_update() now takes extra parameters for the output length.
1517 no longer pass the associated data to mbedtls_gcm_starts(), but to the
1519 These changes are backward compatible for users of the cipher API.
1520 * Replace MBEDTLS_SHA512_NO_SHA384 config option with MBEDTLS_SHA384_C.
1521 This separates config option enabling the SHA384 algorithm from option
1524 This separates config option enabling the SHA224 algorithm from option
1526 * The getter and setter API of the SSL session cache (used for
1527 session-ID based session resumption) has changed to that of
1528 a key-value store with keys being session IDs and values
1532 encryption use the public key. Verification functions also no longer have
1539 Support for more than one PSK may be added in 3.X.
1542 * For multi-part AEAD operations with the cipher module, calling
1546 possible to skip calling it, which is no longer supported.
1547 * The option MBEDTLS_ECP_FIXED_POINT_OPTIM uses pre-computed comb tables
1558 * mbedtls_rsa_init() now always selects the PKCS#1v1.5 encoding for an RSA
1564 * Instead of accessing the len field of a DHM context, which is no longer
1568 function mbedtls_xxx_ret() which was identical except for returning int
1570 migration guide for more information. Fixes #4212.
1571 * For all functions that take a random number generator (RNG) as a
1584 Raw keys and IVs are no longer passed to the callback.
1587 paving the way for the larger number of secrets
1589 context are now connection-specific.
1591 length parameter to be the size of the hash input. For RSA signatures
1597 indicating the size of the output buffer for the signature.
1598 * Implement one-shot cipher functions, psa_cipher_encrypt and
1601 * Direct access to fields of structures declared in public headers is no
1602 longer supported except for fields that are documented public. Use accessor
1603 functions instead. For more information, see the migration guide entry
1606 mbedtls_ssl_{set,get}_session() may now only be called once for any given
1610 * Enable by default the functionalities which have no reason to be disabled.
1611 They are: ARIA block cipher, CMAC mode, elliptic curve J-PAKE library and
1612 Key Wrapping mode as defined in NIST SP 800-38F. Fixes #4036.
1613 * Some default policies for X.509 certificate verification and TLS have
1614 changed: curves and hashes weaker than 255 bits are no longer accepted
1624 release, some configuration-independent files are now generated at build
1627 C compiler for the host platform are required. See “Generated source files
1628 in the development branch” in README.md for more information.
1631 than 3.6 are no longer supported.
1635 compile-time option, which was off by default. Users should not trust
1636 certificates signed with SHA-1 due to the known attacks against SHA-1.
1637 If needed, SHA-1 certificates can still be verified by using a custom
1645 https://lists.trustedfirmware.org/pipermail/mbed-tls/2020-April/000024.html
1649 compile-time option. This option has been inactive for a long time.
1652 * Remove the following deprecated functions and constants of hex-encoded
1669 * Remove support for TLS 1.0, TLS 1.1 and DTLS 1.0, as well as support for
1671 ciphersuites per version, which are no longer relevant. This removes the
1678 * The RSA module no longer supports private-key operations with the public
1680 * Remove the MBEDTLS_SSL_DTLS_BADMAC_LIMIT config.h option. Fixes #4403.
1691 MBEDTLS_REMOVE_3DES_CIPHERSUITES option which is no longer relevant.
1695 * Remove MBEDTLS_ECDH_LEGACY_CONTEXT config option since this was purely for
1696 backward compatibility which is no longer supported. Addresses #4404.
1700 * Remove the MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION config.h
1701 option. The mbedtls_x509_crt_parse_der_with_ext_cb() is the way to go for
1704 MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE config.h options and let the code
1706 * MBEDTLS_ECP_MAX_BITS is no longer a configuration option because it is
1712 it no longer had any effect.
1713 * Remove all support for MD2, MD4, RC4, Blowfish and XTEA. This removes the
1717 MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT config option. Users are better served by
1718 using a CCM-8 ciphersuite than a CBC ciphersuite with truncated HMAC.
1719 See issue #4341 for more details.
1720 * Remove the compile-time option
1728 * Added support for built-in driver keys through the PSA opaque crypto
1730 MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS for more information.
1732 * The multi-part GCM interface (mbedtls_gcm_update() or
1733 mbedtls_cipher_update()) no longer requires the size of partial inputs to
1735 * The multi-part GCM interface now supports chunked associated data through
1742 See docs/architecture/alternative-implementations.md for the remaining
1745 query the size of the modulus in a Diffie-Hellman context.
1747 Diffie-Hellman context.
1749 point format for ECJPAKE instead of accessing the point_format field
1750 directly, which is no longer supported.
1755 * Fix a bias in the generation of finite-field Diffie-Hellman-Merkle (DHM)
1756 private keys and of blinding values for DHM and elliptic curves (ECP)
1760 learn partial information about the leading bits of the nonce used for the
1767 victim performing a single private-key operation. Found and reported by
1770 information (typically, a co-located process) could recover a Curve25519
1772 observing the victim performing the corresponding private-key operation.
1782 than PSA_ERROR_INVALID_HANDLE when the identifier specified for the key
1788 rather than PSA_ERROR_DOES_NOT_EXIST for an invalid handle, bringing them
1790 * Fix a bug in ECDSA that would cause it to fail when the hash is all-bits
1795 mbedtls_mpi_read_string() was called on "-0", or when
1801 * In a TLS client, enforce the Diffie-Hellman minimum parameter size
1812 * The cipher suite TLS-RSA-WITH-CAMELLIA-256-GCM-SHA384 was not available
1813 when SHA-1 was disabled and was offered when SHA-1 was enabled but SHA-384
1815 * Do not offer SHA384 cipher suites when SHA-384 is disabled. Fixes #4499.
1817 Arm Cortex-M. Fixes #4530.
1819 directive in a header and a missing initialization in the self-test.
1820 * Fix a missing initialization in the Camellia self-test, affecting
1824 is not defined PSA will no longer attempt to use mbedtls_rsa_gen_key().
1827 (when the encrypt-then-MAC extension is not in use) with some ALT
1828 implementations of the underlying hash (SHA-1, SHA-256, SHA-384), causing
1830 * Remove outdated check-config.h check that prevented implementing the
1840 and using a Montgomery curve for the key exchange. Reported by lhuang04
1842 * psa_verify_hash() was relying on implementation-specific behavior of
1853 Credit to OSS-Fuzz. Fixes #4641.
1854 * Fix mbedtls_mpi_gcd(G,A,B) when the value of B is zero. This had no
1857 * The PSA API no longer allows the creation or destruction of keys with a
1858 read-only lifetime. The persistence level PSA_KEY_PERSISTENCE_READ_ONLY
1859 can now only be used as intended, for keys that cannot be modified through
1879 * Remove configs/config-psa-crypto.h, which no longer had any intended
1882 python2, which is no longer supported upstream.
1899 * Add CMake package config generation for CMake projects consuming Mbed TLS.
1900 * config.h has been split into build_info.h and mbedtls_config.h
1906 * A config file version symbol, MBEDTLS_CONFIG_VERSION was introduced.
1908 the config file in a way that's compatible with the config file format
1919 = mbed TLS 2.26.0 branch released 2021-03-08
1932 as always 0. It is now reserved for internal purposes and may take
1952 tweaking the setting for the maximum amount of keys simultaneously in RAM.
1958 and see the documentation of mbedtls_psa_external_get_random() for details.
1959 * Applications using both mbedtls_xxx and psa_xxx functions (for example,
1962 mbedtls_psa_get_random() for details.
1963 * In the PSA API, the policy for a MAC or AEAD algorithm can specify a
1973 length, or when the entropy module uses SHA-256 and CTR_DRBG uses AES-256.
1979 |A| - |B| where |B| is larger than |A| and has more limbs (so the
1984 * Fix an erroneous estimation for an internal buffer in
1996 * Fix use-after-scope error in programs/ssl/ssl_client2.c and ssl_server2.c
2006 twice is safe. This happens for RSA when some Mbed TLS library functions
2007 fail. Such a double-free was not safe when MBEDTLS_THREADING_C was
2009 * Fix a resource leak in a bad-arguments case of mbedtls_rsa_gen_key()
2012 * Fixes a bug where, if the library was configured to include support for
2020 the extension was always marked as non-critical. This was fixed by
2030 = mbed TLS 2.25.0 branch released 2020-12-11
2039 mbedtls_cipher_auth_decrypt() no longer accept NIST_KW contexts,
2040 as they have no way to check if the output buffer is large enough.
2042 mbedtls_cipher_auth_decrypt_ext() instead. Credit to OSS-Fuzz and
2063 * Add support for ECB to the PSA cipher API.
2067 This is currently non-standard behaviour, but expected to make it into a
2074 * Add support for DTLS-SRTP as defined in RFC 5764. Contributed by Johan
2076 * In the PSA API, it is no longer necessary to open persistent keys:
2078 identical to psa_key_id_t instead of being platform-defined. This bridges
2080 version 1.0.0. Opening persistent keys is still supported for backward
2096 generating Diffie-Hellman key pairs. Credit to OSS-Fuzz.
2100 are implemented. This could cause failures or the silent use of non-random
2102 obtain entropy, or due to an internal failure (which, for Mbed TLS's own
2114 * Zeroising of local buffers and variables which are used for calculations
2132 * Use socklen_t on Android and other POSIX-compliant system
2133 * Fix the build when the macro _GNU_SOURCE is defined to a non-empty value.
2150 * Fix an off-by-one error in the additional data length check for
2151 CCM, which allowed encryption with a non-standard length field.
2153 * Correct the default IV size for mbedtls_cipher_info_t structures using
2157 * Fix conditions for including string.h in error.c. Fixes #3866.
2158 * psa_set_key_id() now also sets the lifetime to persistent for keys located
2160 * Attempting to create a volatile key with a non-zero key identifier now
2169 * Fix a case in elliptic curve arithmetic where an out-of-memory condition
2175 the buffer back, which was the case for mbedtls_x509write_{crt,csr}_pem
2180 for MBEDTLS_CIPHER_MODE_XTS were excluded from the build and made it fail.
2187 attribute. No automatic upgrade path is provided. Previously stored keys
2189 specification (docs/architecture/mbed-crypto-storage-specification.md).
2193 zeroize the pointed-to buffer. Reported by Antonio de la Piedra, CEA
2196 = mbed TLS 2.24.0 branch released 2020-09-01
2199 * In the PSA API, rename the types of elliptic curve and Diffie-Hellman
2217 -Wformat-signedness, and fix the code that causes signed-one-bit-field
2218 and sign-compare warnings. Contributed by makise-homura (Igor Molchanov)
2227 attacker could for example impersonate a 4-bytes or 16-byte domain by
2228 getting a certificate for the corresponding IPv4 or IPv6 (this would
2236 MBEDTLS_HAVE_TIME_DATE, an attacker able to control the local clock (for
2238 revocation of certificates via CRLs. Fixed by no longer checking the
2243 Encrypt-then-Mac extension, use constant code flow memory access patterns
2246 effective against network-based attackers, but less so against local
2248 if they have access to fine-grained measurements. In particular, this
2252 * Fix side channel in RSA private key operations and static (finite-field)
2253 Diffie-Hellman. An adversary with precise enough timing and memory access
2255 enclave) could bypass an existing counter-measure (base blinding) and
2257 * Fix a 1-byte buffer overread in mbedtls_x509_crl_parse_der().
2258 Credit to OSS-Fuzz for detecting the problem and to Philippe Antoine
2259 for pinpointing the problematic code.
2265 * Library files installed after a CMake build no longer have execute
2272 Montgomery keys in little-endian as defined by RFC7748. Contributed by
2275 curves. Raised by signpainter in #941 and by Taiki-San in #1412. This
2277 * Fix self-test failure when the only enabled short Weierstrass elliptic
2289 * Only pass -Wformat-signedness to versions of GCC that support it. Reported
2298 years of publishing are no longer tracked in the source files. This also
2299 eliminates the need for the lines declaring the files to be part of
2302 example applications, which allows providing a password for the key file
2304 these applications with password-protected key files. Analogously but for
2306 set a password for the key file provided through the existing key_file2
2309 = mbed TLS 2.23.0 branch released 2020-07-01
2321 * New functions in the error module return constant strings for
2322 high- and low-level error codes, complementing mbedtls_strerror()
2323 which constructs a string for any error code, including compound
2326 * The new utility programs/ssl/ssl_context_info prints a human-readable
2328 * Add support for midipix, a POSIX layer for Microsoft Windows.
2336 * Added support to entropy_poll for the kern.arandom syscall supported on
2338 * Add support for Windows 2000 in net_sockets. Contributed by opatomic. #3239
2343 Ming-Wei Shih, Prasun Gera, Taesoo Kim and Hyesoon Kim (Georgia Institute
2354 * Fix issue in Lucky 13 counter-measure that could make it ineffective when
2362 * Fix the Visual Studio Release x64 build configuration for mbedtls itself.
2363 Completes a previous fix in Mbed TLS 2.19 that only fixed the build for
2390 * Fix false positive uninitialised variable reported by cpp-check.
2399 clean of -Wformat-signedness warnings. Contributed by Kenneth Soerensen
2411 * Fix mbedtls_x509_dn_gets to escape non-ASCII characters as "?".
2423 `MBEDTLS_CTR_DRBG_C` or `MBEDTLS_HMAC_DRBG_C` for some side-channel
2432 = mbed TLS 2.22.0 branch released 2020-04-14
2436 SSL module for hardware acceleration of individual records.
2447 happen when MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE was enabled in config.h
2453 Billy Brumley and Cesar Pereida Garcia. CVE-2020-10932
2471 * Mbed Crypto is no longer a Git submodule. The crypto part of the library
2477 is defined), regardless of what MFL was configured for it.
2479 = mbed TLS 2.21.0 branch released 2020-02-20
2484 * Deprecate MBEDTLS_SSL_PROTO_SSL3 that enables support for SSLv3.
2485 * Deprecate for MBEDTLS_PKCS11_C, the wrapper around the pkcs11-helper
2492 probability (of the order of 2^-n where n is the bitsize of the curve)
2500 ARMmbed/mbed-crypto#352
2503 * The new build option MBEDTLS_SHA512_NO_SHA384 allows building SHA-512
2504 support without SHA-384.
2510 existing code is that elliptic curve key types no longer encode the
2512 a curve family and the key size determines the exact curve (for example,
2513 PSA_ECC_CURVE_SECP_R1 with 256 bits is P256R1). ARMmbed/mbed-crypto#330
2519 * Fix some false-positive uninitialized variable warnings in X.509. Fix
2520 contributed by apple-ihack-geek in #2663.
2522 a cryptographic accelerator fails. ARMmbed/mbed-crypto#345
2525 keys. Found by Catena cyber using oss-fuzz (issue 20467).
2529 = mbed TLS 2.20.0 branch released 2020-01-15
2533 entropy function to obtain entropy for a nonce if the entropy size is less
2542 entropy module formerly only grabbed 32 bytes, which is good enough for
2572 to achieve the security strength defined by NIST SP 800-90A. You can
2575 msopiha-linaro in ARMmbed/mbed-crypto#307.
2578 * In the PSA API, forbid zero-length keys. To pass a zero-length input to a
2592 unsupported algorithm. Fixes ARMmbed/mbed-crypto#254.
2594 to OSS-Fuzz for finding a bug in an intermediate version of the fix.
2609 no known instances where this changes the behavior of the library: this is
2610 merely a robustness improvement. ARMmbed/mbed-crypto#323
2612 Alexander Krizhanovsky in ARMmbed/mbed-crypto#210.
2614 Lloyd and Fortanix Inc in ARMmbed/mbed-crypto#277.
2616 Alexander Krizhanovsky in ARMmbed/mbed-crypto#308.
2618 = mbed TLS 2.19.1 branch released 2019-09-16
2632 * Fix some false-positive uninitialized variable warnings in crypto. Fix
2633 contributed by apple-ihack-geek in #2663.
2635 = mbed TLS 2.19.0 branch released 2019-09-06
2641 * When writing a private EC key, use a constant size for the private
2645 1 byte too large for the output buffer.
2646 * The deterministic ECDSA calculation reused the scheme's HMAC-DRBG to
2647 implement blinding. Because of this for the same key and message the same
2654 mbedtls_ssl_session_load() to allow serializing a session, for example to
2655 store it in non-volatile storage, and later using it for TLS session
2660 The feature is enabled at compile-time by MBEDTLS_SSL_RECORD_CHECKING
2663 (https://project-everest.github.io/). It can be enabled at compile time
2666 (32-bit and 64-bit) using GCC, Clang or Visual Studio. Contributed by
2674 * Add DER-encoded test CRTs to library/certs.c, allowing
2679 list all curves for which at least one of ECDH or ECDSA is supported, not
2680 just curves for which both are supported. Call mbedtls_ecdsa_can_do() or
2684 mbedtls_ecdsa_sign_det() but allows passing an external RNG for the
2695 lead to successful parsing of ill-formed X.509 CRTs. Fixes #2437.
2696 * Fix multiple X.509 functions previously returning ASN.1 low-level error
2701 * Fix typo in net_would_block(). Fixes #528 reported by github-monoculture.
2711 * Avoid use of statically sized stack buffers for certificate writing.
2722 address-sanitizer and enabling but not using MBEDTLS_ECP_RESTARTABLE.
2725 * Improve code clarity in x509_crt module, removing false-positive
2733 * Replace multiple uses of MD2 by SHA-256 in X.509 test suite. Fixes #821.
2734 * Make it easier to define MBEDTLS_PARAM_FAILED as assert (which config.h
2737 * Add a Dockerfile and helper scripts (all-in-docker.sh, basic-in-docker.sh,
2738 docker-env.sh) to simplify running test suites on a Linux host. Contributed
2744 * Adds fuzz targets, especially for continuous fuzzing with OSS-Fuzz.
2750 = mbed TLS 2.18.1 branch released 2019-07-12
2760 = mbed TLS 2.18.0 branch released 2019-06-11
2767 * Add the Wi-SUN Field Area Network (FAN) device extended key usage.
2769 * It is now possible to perform RSA PKCS v1.5 signatures with RIPEMD-160 digest.
2772 and the used tls-prf.
2773 * Add public API for tls-prf function, according to requested enum.
2774 * Add support for parsing otherName entries in the Subject Alternative Name
2777 * Add support for parsing certificate policies extension, as defined in
2782 * Add support for draft-05 of the Connection ID extension, as specified
2783 in https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05.
2788 changed its IP or port. The feature is enabled at compile-time by setting
2789 MBEDTLS_SSL_DTLS_CONNECTION_ID (disabled by default), and at run-time
2795 and the used tls-prf.
2796 * Add public API for tls-prf function, according to requested enum.
2805 * Fix 1-byte buffer overflow in mbedtls_mpi_write_string() when
2807 OSS-Fuzz.
2818 for the parameter.
2819 * Add a check for MBEDTLS_X509_CRL_PARSE_C in ssl_server2, guarding the crl
2823 Credit to OSS-Fuzz.
2826 * Server's RSA certificate in certs.c was SHA-1 signed. In the default
2827 mbedTLS configuration only SHA-2 signed certificates are accepted.
2831 updated to one that is SHA-256 signed. Fix contributed by
2837 * Add test for minimal value of MBEDTLS_MPI_WINDOW_SIZE to all.sh.
2842 = mbed TLS 2.17.0 branch released 2019-03-19
2846 which allows copy-less parsing of DER encoded X.509 CRTs,
2857 See the Features section for more information.
2859 for the benefit of saving RAM, by disabling the new compile-time
2860 option MBEDTLS_SSL_KEEP_PEER_CERTIFICATE (enabled by default for
2881 * Add `MBEDTLS_SELF_TEST` for the mbedtls_self_test functions
2887 * Fix signed-to-unsigned integer conversion warning
2892 (e.g. config.h.bak). Fixed by Peter Kolbus (Garmin) #2407.
2897 correctly as trailing zeroes were not accounted for as unused bits in the
2905 Inserted as an enhancement for #1371
2906 * Add support for alternative CSR headers, as used by Microsoft and defined
2910 for platforms that don't provide it. Based on contributions by Joris Aerts
2912 * Fix clobber list in MIPS assembly for large integer multiplication.
2919 * Fix configuration queries in ssl-opt.sh. #2030
2920 * Ensure that ssl-opt.sh can be run in OS X. #2029
2921 * Re-enable certain interoperability tests in ssl-opt.sh which had previously
2922 been disabled for lack of a sufficiently recent version of GnuTLS on the CI.
2926 = mbed TLS 2.16.0 branch released 2018-12-21
2929 * Add a new config.h option of MBEDTLS_CHECK_PARAMS that enables validation
2933 the documentation. See the corresponding API documentation for each
2934 function to see for which parameter values it is defined. This feature is
2935 disabled by default. See its API documentation in config.h for additional
2942 using MBEDTLS_<MODULE>_ALT for the underlying AES or message digest
2944 mbedtls_ctr_drbg_update() -> mbedtls_ctr_drbg_update_ret()
2945 mbedtls_hmac_drbg_update() -> mbedtls_hmac_drbg_update_ret()
2947 * Deprecate error codes of the form MBEDTLS_ERR_xxx_INVALID_KEY_LENGTH for
2949 the more generic per-module error codes MBEDTLS_ERR_xxx_BAD_INPUT_DATA.
2950 * Additional parameter validation checks have been added for the following
2951 modules - AES, ARIA, Blowfish, CAMELLIA, CCM, GCM, DHM, ECP, ECDSA, ECDH,
2959 will no longer be.
2966 * Fix for Clang, which was reporting a warning for the bignum.c inline
2967 assembly for AMD64 targets creating string literals greater than those
2981 of check for certificate/key matching. Reported by Attila Molnar, #507.
2983 = mbed TLS 2.15.1 branch released 2018-11-30
2988 = mbed TLS 2.15.0 branch released 2018-11-23
2998 * Add unit tests for AES-GCM when called through mbedtls_cipher_auth_xxx()
3001 = mbed TLS 2.14.1 branch released 2018-11-30
3005 decryption that could lead to a Bleichenbacher-style padding oracle
3012 in the paper available here: http://cat.eyalro.net/cat.pdf CVE-2018-19608
3015 a plaintext for RSA PKCS#1 v1.5 decryption but only observe the timing
3030 = mbed TLS 2.14.0 branch released 2018-11-19
3033 * Fix overly strict DN comparison when looking for CRLs belonging to a
3041 space and a PSK-(EC)DHE ciphersuite was used, this allowed an attacker
3045 previous settings for the number of rounds made it practical for an
3046 adversary to construct non-primes that would be erroneously accepted as
3050 For example, the number of rounds was enough to securely generate RSA key
3051 pairs or Diffie-Hellman parameters, but was insufficient to validate
3052 Diffie-Hellman parameters properly.
3057 * Add support for temporarily suspending expensive ECC computations after
3059 constrained, single-threaded systems where ECC is time consuming and can
3065 implemented client-side, for ECDHE-ECDSA ciphersuites in TLS 1.2,
3067 * Add support for Arm CPU DSP extensions to accelerate asymmetric key
3071 * Extend RSASSA-PSS signature to allow a smaller salt size. Previously, PSS
3075 that comply with FIPS 186-4, including SHA-512 with a 1024-bit key.
3076 * Add support for 128-bit keys in CTR_DRBG. Note that using keys shorter
3080 * Add a common error code of `MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED` for
3082 implementations implementing cryptographic primitives. This is useful for
3095 Miller-Rabin rounds.
3102 * Fix a bug in the update function for SSL ticket keys which previously
3108 padded records in case of CBC ciphersuites using Encrypt-then-MAC.
3113 * Zeroize memory used for buffering or reassembling handshake messages
3115 * Use `mbedtls_platform_zeroize()` instead of `memset()` for zeroization
3117 * Change the default string format used for various X.509 DN attributes to
3119 wildcards and non-ASCII characters being unusable in some DN attributes.
3121 Thomas-Dee.
3122 * Fix compilation failure for configurations which use compile time
3125 Reported by ole-de and ddhome2006. Fixes #882, #1642 and #1706.
3128 * Removed support for Yotta as a build tool.
3129 * Add tests for session resumption in DTLS.
3134 IPv6 and optionally by a build option over IPv4.
3145 Thomas-Dee.
3147 Fixes #517 reported by github-monoculture.
3150 by FIPS-186-4.
3152 = mbed TLS 2.13.1 branch released 2018-09-06
3156 whose implementation should behave as a thread-safe version of gmtime().
3160 automatically select implementations for Windows and POSIX C libraries.
3166 = mbed TLS 2.13.0 branch released 2018-08-31
3175 * Add support for fragmentation of outgoing DTLS handshake messages. This
3177 with the peer, as well as by a new per-connection MTU option, set using
3179 * Add support for auto-adjustment of MTU to a safe value during the
3182 * Add support for packing multiple records within a single datagram,
3184 * Add support for buffering out-of-order handshake messages in DTLS.
3185 The maximum amount of RAM used for this can be controlled by the
3186 compile-time constant MBEDTLS_SSL_DTLS_MAX_BUFFERING defined
3187 in mbedtls/config.h.
3205 * Fix potential use-after-free in mbedtls_ssl_get_max_frag_len()
3216 (found by Catena cyber using oss-fuzz)
3228 * Add support for buffering of out-of-order handshake messages.
3233 = mbed TLS 2.12.0 branch released 2018-07-25
3236 * Fix a vulnerability in TLS ciphersuites based on CBC and using SHA-384,
3242 worked if the same secret (for example a HTTP Cookie) has been repeatedly
3244 or CCM instead of CBC, using hash sizes other than SHA-384, or using
3245 Encrypt-then-Mac (RFC 7366) were not affected. The vulnerability was
3246 caused by a miscalculation (for SHA-384) in a countermeasure to the
3255 the same secret (for example a HTTP Cookie) has been repeatedly sent over
3257 instead of CBC or using Encrypt-then-Mac (RFC 7366) were not affected.
3259 * Add a counter-measure against a vulnerability in TLS ciphersuites based
3265 Encrypt-then-Mac (RFC 7366) were not affected. Found by Kenny Paterson,
3269 * Add new crypto primitives from RFC 7539: stream cipher Chacha20, one-time
3270 authenticator Poly1305 and AEAD construct Chacha20-Poly1305. Contributed
3272 * Add support for CHACHA20-POLY1305 ciphersuites from RFC 7905.
3273 * Add platform support for the Haiku OS. (https://www.haiku-os.org).
3275 * Make the receive and transmit buffers independent sizes, for situations
3278 is no functional difference. Contributed by Angus Gratton, and also
3280 * Add support for key wrapping modes based on AES as defined by
3281 NIST SP 800-38F algorithms KW and KWP and by RFC 3394 and RFC 5649.
3288 * Fix "no symbols" warning issued by ranlib when building on Mac OS X. Fix
3290 * Clarify documentation for mbedtls_ssl_write() to include 0 as a valid
3295 by Brendan Shanks. Part of a fix for #992.
3300 * Fix the inline assembly for the MPI multiply helper function for i386 and
3307 * Fix decryption for zero length messages (which contain all padding) when a
3308 CBC based ciphersuite is used together with Encrypt-then-MAC. Previously,
3313 * Fix ssl_client2 example to send application data with 0-length content
3316 * Correct the documentation for `mbedtls_ssl_get_session()`. This API has
3318 * Fix build using -std=c99. Fixed by Nick Wilson.
3322 zero-length messages when using TLS 1.2. Contributed by Espressif Systems.
3324 when calling with a NULL salt and non-zero salt_len. Contributed by
3328 * Allow overriding the time on Windows via the platform-time abstraction.
3330 * Use gmtime_r/gmtime_s for thread-safety. Fixed by Nick Wilson.
3332 = mbed TLS 2.11.0 branch released 2018-06-18
3337 * Implement the HMAC-based extract-and-expand key derivation function
3339 * Add support for the CCM* block cipher mode as defined in IEEE Std. 802.15.4.
3340 * Add support for the XTS block cipher mode with AES (AES-XTS).
3344 non-blocking operation of the TLS server stack.
3349 * Fix for redefinition of _WIN32_WINNT to avoid overriding a definition
3356 * Changed CMake defaults for IAR to treat all compiler warnings as errors.
3357 * Changed the Clang parameters used in the CMake build files to work for
3358 versions later than 3.6. Versions of Clang earlier than this may no longer
3361 = mbed TLS 2.10.0 branch released 2018-06-06
3364 * Add support for ARIA cipher (RFC 5794) and associated TLS ciphersuites
3365 (RFC 6209). Disabled by default, see MBEDTLS_ARIA_C in config.h
3380 build to fail. Found by zv-io. Fixes #1651.
3383 * Support TLS testing in out-of-source builds using cmake. Fixes #1193.
3387 = mbed TLS 2.9.0 branch released 2018-04-30
3394 would require a non DER-compliant certificate to be correctly signed by a
3395 trusted CA, or a trusted CA with a non DER-compliant certificate. Found by
3403 * Fix a client-side bug in the validation of the server's ciphersuite choice
3407 structures for some configurations.
3413 * Add initial support for Curve448 (RFC 7748). Only mbedtls_ecp_mul() and
3415 mbedtls_ecdh_compute_shared()) are supported for now. Contributed by
3420 applications to wait for a network context to become ready before reading
3423 a check for whether more data is pending to be processed in the
3426 underlying transport in case event-driven IO is used.
3432 in configurations that omit certain hashes or public-key algorithms.
3436 * Add missing dependencies for MBEDTLS_HAVE_TIME_DATE and
3439 * Fix the Makefile build process for building shared libraries on Mac OS X.
3454 in the internal buffers; these cases led to deadlocks when event-driven
3471 public-key algorithms. Includes contributions by Gert van Dijk.
3484 for Curve25519 (other curves had it already). Contributed by Nicholas
3491 letter must not be prefixed by '-', such as LLVM. Found and fixed by
3501 HMAC functions with non-HMAC ciphersuites. Independently contributed
3504 FIPS 186-4. Contributed by Jethro Beekman. #1380
3512 = mbed TLS 2.8.0 branch released 2018-03-16
3521 config.h. Found by Andreas Walz (ivESK, Offenburg University of
3527 HMAC key of a single, uninterrupted connection (with no
3539 * Extend PKCS#8 interface by introducing support for the entire SHA
3542 uses PBKDF2-SHA2, such as OpenSSL 1.1. Submitted by Antonio Quartulli,
3544 * Add support for public keys encoded in PKCS#1 format. #1122
3547 * Deprecate support for record compression (configuration option
3553 * Fix test_suite_pk to work on 64-bit ILP32 systems. #849
3566 * In test_suite_pk, pass valid parameters when testing for hash length
3579 * Fix a 1-byte heap buffer overflow (read-only) during private key parsing.
3586 * Remove support for the library reference configuration for picocoin.
3587 * MD functions deprecated in 2.7.0 are no longer inline, to provide
3588 a migration path for those depending on the library's ABI.
3590 * Use (void) when defining functions with no parameters. Contributed by
3593 = mbed TLS 2.7.0 branch released 2018-02-03
3601 both TLS and DTLS. CVE-2018-0488
3602 * Fix a buffer overflow in RSA-PSS verification when the hash was too large
3603 for the key size, which could potentially lead to crash or remote code
3605 Qualcomm Technologies Inc. CVE-2018-0487
3606 * Fix buffer overflow in RSA-PSS verification when the unmasked data is all
3612 config and the application data buffer passed to mbedtls_ssl_write
3616 was independently reported by Tim Nordell via e-mail and by Florin Petriuc
3627 * Make mbedtls_mpi_read_binary() constant-time with respect to the input
3628 data. Previously, trailing zero bytes were detected and omitted for the
3633 * Fix a potential heap buffer over-read in ALPN extension parsing
3634 (server-side). Could result in application crash, but only if an ALPN
3637 to RFC 3526 containing parameters generated in a nothing-up-my-sleeve
3644 * New unit tests for timing. Improve the self-test to be more robust
3645 when run on a heavily-loaded machine.
3646 * Add alternative implementation support for CCM and CMAC (MBEDTLS_CCM_ALT,
3648 * Add support for alternative implementations of GCM, selected by the
3650 * Add support for alternative implementations for ECDSA, controlled by new
3652 MBEDTLS_ECDSA_GENKEY_ALT in config.h.
3656 * Add support for alternative implementation of ECDH, controlled by the
3658 MBEDTLS_ECDH_GEN_PUBLIC_ALT in config.h.
3662 * Add support for alternative implementation of ECJPAKE, controlled by
3667 * Extend RSA interface by multiple functions allowing structure-
3669 mbedtls_rsa_import() and mbedtls_rsa_complete() are introduced for setting
3672 contexts from keys consisting of N,D,E only, even if P,Q are needed for the
3680 mbedtls_<MODULE>_starts() -> mbedtls_<MODULE>_starts_ret()
3681 mbedtls_<MODULE>_update() -> mbedtls_<MODULE>_update_ret()
3682 mbedtls_<MODULE>_finish() -> mbedtls_<MODULE>_finish_ret()
3683 mbedtls_<MODULE>_process() -> mbedtls_internal_<MODULE>_process()
3686 * Deprecate usage of RSA primitives with non-matching key-type
3700 * Deprecate mbedtls_ssl_conf_dh_param() for setting default DHE parameters
3711 renegotiated handshakes would only accept signatures using SHA-1
3712 regardless of the peer's preferences, or fail if SHA-1 was disabled.
3716 * Fix some invalid RSA-PSS signatures with keys of size 8N+1 that were
3718 * Fix out-of-memory problem when parsing 4096-bit PKCS8-encrypted RSA keys.
3731 * Correct extraction of signature-type from PK instance in X.509 CRT and CSR
3734 * Don't print X.509 version tag for v1 CRT's, and omit extensions for
3735 non-v3 CRT's.
3740 MBEDTLS_SSL_RENEGOTIATION is disabled. Found by erja-gp.
3741 * Add a check for invalid private parameters in mbedtls_ecdsa_sign().
3745 * Add size-checks for record and handshake message content, securing
3746 fragile yet non-exploitable code-paths.
3778 * Only check for necessary RSA structure fields in `mbedtls_rsa_private`. In
3782 * Only run AES-192 self-test if AES-192 is available. Fixes #963.
3790 * Add MBEDTLS_ERR_XXX_HW_ACCEL_FAILED error codes for all cryptography
3793 * Add explicit warnings for the use of MD2, MD4, MD5, SHA-1, DES and ARC4
3796 = mbed TLS 2.6.0 branch released 2017-08-10
3812 platform-specific setup and teardown operations. The macro
3824 * Certificate verification functions now set flags to -1 in case the full
3839 * Add MBEDTLS_MPI_CHK to check for error value of mbedtls_mpi_fill_random.
3841 * Fix conditional preprocessor directives in bignum.h to enable 64-bit
3843 * Fix a potential integer overflow in the version verification for DER
3845 to bypass the version verification check. Found by Peng Li/Yueh-Hsun Lin,
3847 * Fix potential integer overflow in the version verification for DER
3849 to bypass the version verification check. Found by Peng Li/Yueh-Hsun Lin,
3851 * Fix a potential integer overflow in the version verification for DER
3860 * Added config.h option MBEDTLS_NO_UDBL_DIVISION, to prevent the use of
3861 64-bit division. This is useful on embedded platforms where 64-bit division
3867 config-no-entropy.h to reduce the RAM footprint.
3872 = mbed TLS 2.5.1 released 2017-06-21
3875 * Fixed unlimited overread of heap-based buffer in mbedtls_ssl_read().
3876 The issue could only happen client-side with renegotiation enabled.
3880 * Removed SHA-1 and RIPEMD-160 from the default hash algorithms for
3881 certificate verification. SHA-1 can be turned back on with a compile-time
3886 potential Bleichenbacher/BERserk-style attack.
3891 and with GCC using the -Wpedantic compilation option.
3892 * Fix insufficient support for signature-hash-algorithm extension,
3919 by Jean-Philippe Aumasson.
3921 = mbed TLS 2.5.0 branch released 2017-05-17
3928 against side-channel attacks like the cache attack described in
3934 * Add hardware acceleration support for the Elliptic Curve Point module.
3937 replacement support for enabling the extension of the interface.
3947 mbedtls_aes_decrypt() -> mbedtls_internal_aes_decrypt()
3948 mbedtls_aes_encrypt() -> mbedtls_internal_aes_encrypt()
3951 * Remove macros from compat-1.3.h that correspond to deleted items from most
3955 * Add checks in the PK module for the RSA functions on 64-bit systems.
3956 The PK and RSA modules use different types for passing hash length and
3960 = mbed TLS 2.4.2 branch released 2017-03-08
3963 * Add checks to prevent signature forgeries for very large messages while
3964 using RSA through the PK module in 64-bit systems. The issue was caused by
3967 mbedtls_pk_sign(). Found by Jean-Philippe Aumasson.
3973 * Removed MD5 from the allowed hash algorithms for CertificateRequest and
3975 Introduced by interoperability fix for #513.
3978 triggered remotely for example with a maliciously constructed certificate
3981 team. #569 CVE-2017-2784
3990 mbedtls_ssl_set_bio_timeout in compat-1.3.h, by removing it.
3991 Found by omlib-lin. #673
3993 x509_csr.c that are reported when building mbed TLS with a config.h that
4012 Li/Yueh-Hsun Lin, KNOX Security, Samsung Research America.
4017 * Fixed the templates used to generate project and solution files for Visual
4028 = mbed TLS 2.4.1 branch released 2016-12-13
4031 * Update to CMAC test data, taken from - NIST Special Publication 800-38B -
4032 Recommendation for Block Cipher Modes of Operation: The CMAC Mode for
4035 = mbed TLS 2.4.0 branch released 2016-10-17
4039 with RFC-5116 and could lead to session key recovery in very long TLS
4040 sessions. "Nonce-Disrespecting Adversaries Practical Forgery Attacks on GCM in
4041 TLS" - H. Bock, A. Zauner, S. Devlin, J. Somorovsky, P. Jovanovic.
4049 * Added support for CMAC for AES and 3DES and AES-CMAC-PRF-128, as defined by
4050 NIST SP 800-38B, RFC-4493 and RFC-4615.
4053 * Added a script to print build environment info for diagnostic use in test
4058 * Added a configuration file config-no-entropy.h that configures the subset of
4060 * Added the macro MBEDTLS_ENTROPY_MIN_HARDWARE in config.h. This allows users
4061 to configure the minimum number of bytes for entropy sources using the
4065 * Fix for platform time abstraction to avoid dependency issues where a build
4071 * Fix for key exchanges based on ECDH-RSA or ECDH-ECDSA which weren't
4073 * Fix for out-of-tree builds using CMake. Found by jwurzer, and fix based on
4075 * Fixed cert_app.c sample program for debug output and for use when no root
4081 * Fixed the sample applications gen_key.c, cert_req.c and cert_write.c for
4086 subramanyam-c. #622
4087 * Fix documentation and implementation mismatch for function arguments of
4091 ssl_parse_hello_verify_request() for DTLS. Found by Guido Vranken.
4092 * Fix check for validity of date when parsing in mbedtls_x509_get_time().
4093 Found by subramanyam-c. #626
4101 * Removed self-tests from the basic-built-test.sh script, and added all
4102 missing self-tests to the test suites, to ensure self-tests are only
4104 * Added support for 3 and 4 byte lengths to mbedtls_asn1_write_len().
4105 * Added support for a Yotta specific configuration file -
4107 * Added optimization for code space for X.509/OID based on configured
4111 net.c. For consistency, the corresponding header file, net.h, is marked as
4113 * Changed the strategy for X.509 certificate parsing and validation, to no
4116 = mbed TLS 2.3.0 branch released 2016-06-28
4129 * Support for platform abstraction of the standard C library time()
4134 arguments were the same (in-place doubling). Found and fixed by Janos
4140 ECDSA was disabled in config.h . The leak didn't occur by default.
4153 * Fix test in ssl-opt.sh that does not run properly with valgrind
4157 * On ARM platforms, when compiling with -O0 with GCC, Clang or armcc5,
4158 don't use the optimized assembly for bignum multiplication. This removes
4159 the need to pass -fomit-frame-pointer to avoid a build error with -O0.
4161 * Optimized mbedtls_mpi_zeroize() for MPI integer size. (Fix by Alexey
4163 * Fix non-compliance server extension handling. Extensions for SSLv3 are now
4166 = mbed TLS 2.2.1 released 2016-01-05
4170 allocate memory. Only used for certificate generation, not triggerable
4178 * Fix over-restrictive length limit in GCM. Found by Andreas-N. #362
4190 = mbed TLS 2.2.0 released 2015-11-04
4208 * Experimental support for EC J-PAKE as defined in Thread 1.0.0.
4211 block. (Potential uses include EAP-TLS and Thread.)
4214 * Self-signed certificates were not excluded from pathlen counting,
4217 * Fix build error with configurations where ECDHE-PSK is the only key
4219 * Fix build error with configurations where RSA, RSA-PSK, ECDH-RSA or
4220 ECDH-ECDSA is the only key exchange. Multiple reports. #310
4221 * Fixed a bug causing some handshakes to fail due to some non-fatal alerts
4222 not being properly ignored. Found by mancha and Kasom Koht-arsa, #308
4224 size/curve against the profile. Before that, there was no way to set a
4225 minimum key size for end-entity certificates with RSA keys. Found by
4236 or -1.
4238 = mbed TLS 2.1.2 released 2015-10-06
4241 * Added fix for CVE-2015-5291 to prevent heap corruption due to buffer
4244 * Fix potential double-free if mbedtls_ssl_set_hs_psk() is called more than
4261 buffer is 512MB or larger on 32-bit platforms. Found by Guido Vranken,
4263 * Fix potential double-free if mbedtls_conf_psk() is called repeatedly on
4268 unless you allow third parties to pick trust CAs for client auth.
4279 * Fixed paths for check_config.h in example config files. (Found by bachp)
4282 = mbed TLS 2.1.1 released 2015-09-17
4285 * Add countermeasure against Lenstra's RSA-CRT attack for PKCS#1 v1.5
4287 https://securityblog.redhat.com/2015/09/02/factoring-rsa-keys-with-tls-perfect-forward-secrecy/
4288 * Fix possible client-side NULL pointer dereference (read) when the client
4291 afl-fuzz.)
4295 * Fix off-by-one error in parsing Supported Point Format extension that
4303 (MBEDTLS_SSL_DTLS_HELLO_VERIFY defined in config.h, and usable cookie
4306 MBEDTLS_ERR_SSL_CLIENT_RECONNECT - it is then possible to start a new
4309 = mbed TLS 2.1.0 released 2015-09-04
4312 * Added support for yotta as a build system.
4317 * Fix build error with CMake and pre-4.5 versions of GCC (found by Hugo
4325 * Fix compile error with armcc 5 with --gnu option.
4330 * Fix missing -static-libgcc when building shared libraries for Windows
4332 * Fix link error when building shared libraries for Windows with make.
4339 * Fix -Wshadow warnings (found by hnrkp) (#240)
4341 SSL_MAX_CONTENT_LEN or higher - not triggerable remotely (found by
4349 * It is now possible to #include a user-provided configuration file at the
4350 end of the default config.h by defining MBEDTLS_USER_CONFIG_FILE on the
4353 trusted, no later cert is checked. (suggested by hannes-landeholm)
4360 = mbed TLS 2.0.0 released 2015-07-13
4363 * Support for DTLS 1.0 and 1.2 (RFC 6347).
4367 * New server-side implementation of session tickets that rotate keys to
4370 which algorithms and key sizes (curves for ECDSA) are acceptable.
4373 * Introduced a concept of presets for SSL security-relevant configuration
4378 You now need to link to all of them if you use TLS for example.
4381 Migration helpers scripts/rename.pl and include/mbedtls/compat-1.3.h are
4382 provided. Full list of renamings in scripts/data_files/rename-1.3-2.0.txt
4384 mbedtls_cipher_info_t.key_length -> key_bitlen
4385 mbedtls_cipher_context_t.key_length -> key_bitlen
4386 mbedtls_ecp_curve_info.size -> bit_size
4391 mbedtls_ssl_init() -> mbedtls_ssl_setup()
4392 mbedtls_ccm_init() -> mbedtls_ccm_setkey()
4393 mbedtls_gcm_init() -> mbedtls_gcm_setkey()
4394 mbedtls_hmac_drbg_init() -> mbedtls_hmac_drbg_seed(_buf)()
4395 mbedtls_ctr_drbg_init() -> mbedtls_ctr_drbg_seed()
4396 Note that for mbedtls_ssl_setup(), you need to be done setting up the
4401 (see rename.pl and compat-1.3.h above) and their first argument's type
4404 additional callback for read-with-timeout).
4423 mbedtls_x509_crt_verify() (flags, f_vrfy -> needs to be updated)
4424 mbedtls_ssl_conf_verify() (f_vrfy -> needs to be updated)
4425 * The following functions changed prototype to avoid an in-out length
4431 * In the NET module, all "int" and "int *" arguments for file descriptors
4433 * net_accept() gained new arguments for the size of the client_ip buffer.
4438 * pk_sign() no longer accepts md_alg == POLARSSL_MD_NONE with ECDSA.
4443 * Test certificates in certs.c are no longer guaranteed to be nul-terminated
4447 length parameter to include the terminating null byte for PEM input.
4451 (Thanks to Mansour Moufid for helping with the replacement.)
4452 * Change SSL_DISABLE_RENEGOTIATION config.h flag to SSL_RENEGOTIATION
4453 (support for renegotiation now needs explicit enabling in config.h).
4455 in config.h
4472 * Removed compat-1.2.h (helper for migrating from 1.2 to 1.3).
4476 been removed (compiler is required to support 32-bit operations).
4479 * Removed test program ssl_test, superseded by ssl-opt.sh.
4480 * Removed helper script active-config.pl
4486 Semi-API changes (technically public, morally private)
4501 * Support for receiving SSLv2 ClientHello is now disabled by default at
4503 * The default authmode for SSL/TLS clients is now REQUIRED.
4504 * Support for RSA_ALT contexts in the PK layer is now optional. Since it is
4506 custom config.h
4507 * Default DHM parameters server-side upgraded from 1024 to 2048 bits.
4511 * The following functions are now case-sensitive:
4530 * DTLS no longer hard-depends on TIMING_C, but uses a callback interface
4534 * With UDP sockets, it is no longer necessary to call net_bind() again
4539 thread-safe if MBEDTLS_THREADING_C is enabled.
4540 * Reduced ROM footprint of SHA-256 and added an option to reduce it even
4549 * Add countermeasure against "Lucky 13 strikes back" cache-based attack,
4556 * Add support for reading DH parameters with privateValueLength included
4558 * Add support for bit strings in X.509 names (request by Fredrik Axelsson).
4559 * Add support for id-at-uniqueIdentifier in X.509 names.
4560 * Add support for overriding snprintf() (except on Windows) and exit() in
4564 * Improved Makefiles for Windows targets by fixing library targets and making
4565 cross-compilation easier (thanks to Alon Bar-Lev).
4566 * The benchmark program also prints heap usage for public-key primitives
4568 * New script ecc-heap.sh helps measuring the impact of ECC parameters on
4569 speed and RAM (heap only for now) usage.
4571 reduced configurations (PSK-CCM and NSA suite B).
4572 * Add config flag POLARSSL_DEPRECATED_WARNING (off by default) to produce
4574 * Add config flag POLARSSL_DEPRECATED_REMOVED (off by default) to produce
4590 * Fix detection of support for getrandom() on Linux (reported by syzzer) by
4603 * Fix potential unintended sign extension in asn1_get_len() on 64-bit
4607 POLARSSL_SSL_SSESSION_TICKETS were both enabled in config.h (introduced
4610 * Add missing dependency on SHA-256 in some x509 programs (reported by
4621 * compat-1.2.h and openssl.h are deprecated.
4624 (contributed by Alon Bar-Lev).
4625 * ssl_set_own_cert() no longer calls pk_check_pair() since the
4626 performance impact was bad for some users (this was introduced in 1.3.10).
4627 * Move from SHA-1 to SHA-256 in example programs using signatures
4632 brackets for uniformity with the rest of the code.
4635 = mbed TLS 1.3.10 released 2015-02-09
4637 * NULL pointer dereference in the buffer-based allocator when the buffer is
4641 * Fix remotely-triggerable uninitialised pointer dereference caused by
4642 crafted X.509 certificate (TLS server is not affected if it doesn't ask for a
4644 * Fix remotely-triggerable memory leak caused by crafted X.509 certificates
4645 (TLS server is not affected if it doesn't ask for a client certificate)
4648 (TLS server is not affected if it doesn't ask for a client certificate)
4651 Bleichenbacher-style attack in the RSA and RSA-PSK key exchanges
4655 * Add support for FALLBACK_SCSV (draft-ietf-tls-downgrade-scsv).
4656 * Add support for Extended Master Secret (draft-ietf-tls-session-hash).
4657 * Add support for Encrypt-then-MAC (RFC 7366).
4660 * Add compile-time option POLARSSL_X509_MAX_INTERMEDIATE_CA to limit the
4662 * Support for renegotiation can now be disabled at compile-time
4663 * Support for 1/n-1 record splitting, a countermeasure against BEAST.
4664 * Certificate selection based on signature hash, preferring SHA-1 over SHA-2
4665 for pre-1.2 clients when multiple certificates are available.
4666 * Add support for getrandom() syscall on recent Linux kernels with Glibc or
4675 add_len (found by Jean-Philippe Aumasson) (not triggerable remotely).
4686 * Fix assembly selection for MIPS64 (thanks to James Cowgill).
4691 issue with some servers when a zero-length extension was sent. (Reported
4693 * On a 0-length input, base64_encode() did not correctly set output length
4697 * Use deterministic nonces for AEAD ciphers in TLS by default (possible to
4698 switch back to random with POLARSSL_SSL_AEAD_RANDOM_IV in config.h).
4700 * ssl_set_own_cert() now returns an error on key-certificate mismatch.
4704 but none of them is usable due to external factors such as no certificate
4705 with a suitable (extended)KeyUsage or curve or no PSK set.
4706 * It is now possible to disable negotiation of truncated HMAC server-side
4708 * Example programs for SSL client and server now disable SSLv3 by default.
4709 * Example programs for SSL client and server now disable RC4 by default.
4712 = PolarSSL 1.3.9 released 2014-10-20
4716 * Remotely-triggerable memory leak when parsing some X.509 certificates
4717 (server is not affected if it doesn't ask for a client certificate)
4719 * Remotely-triggerable memory leak when parsing crafted ClientHello
4726 * Fix net_accept() regarding non-blocking sockets (found by Luca Pesce).
4728 * Fix warnings from Clang's scan-build (contributed by Alfred Klomp).
4731 * Remove non-existent file from VS projects (found by Peter Vaskovic).
4732 * ssl_read() could return non-application data records on server while
4734 * Server-initiated renegotiation would fail with non-blocking I/O if the
4737 with non-blocking I/O.
4745 * Ciphersuites using SHA-256 or SHA-384 now require TLS 1.x (there is no
4746 standard defining how to use SHA-2 with SSL 3.0).
4747 * Ciphersuites using RSA-PSK key exchange now require TLS 1.x (the spec is
4759 = PolarSSL 1.3.8 released 2014-07-11
4761 * Fix length checking for AEAD ciphersuites (found by Codenomicon).
4767 * Support for CCM and CCM_8 ciphersuites
4768 * Support for parsing and verifying RSASSA-PSS signatures in the X.509
4771 * Add example config.h for PSK with CCM, optimized for low RAM usage.
4772 * Optimize for RAM usage in example config.h for NSA Suite B profile.
4775 * Add server-side enforcement of sent renegotiation requests
4777 * Add SSL_CIPHERSUITES config.h flag to allow specifying a list of
4781 * Add LINK_WITH_PTHREAD option in CMake for explicit linking that is
4786 * Selection of hash for signing ServerKeyExchange in TLS 1.2 now picks
4788 * All public contexts have _init() and _free() functions now for simpler
4794 * Remove less-than-zero checks on unsigned numbers
4799 * Fix symlink command for cross compiling with CMake (found by Andre
4806 rejected with CBC-based ciphersuites and TLS >= 1.1
4808 to 32 bytes with CBC-based ciphersuites and TLS >= 1.1
4811 * Restore ability to locally trust a self-signed cert that is not a proper
4812 CA for use as an end entity certificate. (This had been removed in
4814 * Fix preprocessor checks for bn_mul PPC asm (found by Barry K. Nathan).
4815 * Use \n\t rather than semicolons for bn_mul asm, since some assemblers
4817 * Fix off-by-one error in parsing Supported Point Format extension that
4819 * Fix possible miscomputation of the premaster secret with DHE-PSK key
4825 * Fix mpi_write_string() to write "00" as hex output for empty MPI (found
4828 = PolarSSL 1.3.7 released on 2014-05-02
4832 * version_check_feature() added to check for compile-time options at
4833 run-time
4839 * Better support for the different Attribute Types from IETF PKIX (RFC 5280)
4840 * AES-NI now compiles with "old" assemblers too
4849 * Fix false reject in padding check in ssl_decrypt_buf() for CBC
4850 ciphersuites, for full SSL frames of data.
4852 ServerHello when no extensions are present (found by Matthew Page)
4856 big-endian platform when size was not an integer number of limbs
4863 = PolarSSL 1.3.6 released on 2014-04-11
4866 * Support for the ALPN SSL extension
4868 * Enable verification of the keyUsage extension for CA and leaf
4883 * The notAfter date of some certificates was no longer checked since 1.3.5.
4884 This affects certificates in the user-supplied chain except the top
4885 certificate. If the user-supplied chain contains only one certificate,
4904 * dhm_parse_dhm() (hence dhm_parse_dhmfile()) did not set dhm->len.
4905 * Calling pk_debug() on an RSA-alt key would segfault.
4906 * pk_get_size() and pk_get_len() were off by a factor 8 for RSA-alt keys.
4912 = PolarSSL 1.3.5 released on 2014-03-26
4914 * HMAC-DRBG as a separate module
4916 * Single Platform compatibility layer (for memory / printf / fprintf)
4918 * Ability to force the entropy module to use SHA-256 as its basis
4920 * Testing script ssl-opt.sh added for testing 'live' ssl option
4922 * Support for reading EC keys that use SpecifiedECDomain in some cases.
4928 now thread-safe if POLARSSL_THREADING_C defined
4932 * Revamped the compat.sh interoperability script to include support for
4944 * Possible remotely-triggered out-of-bounds memory access fixed (found by
4951 * Fixed testing with out-of-source builds using cmake
4952 * Fixed version-major intolerance in server
4953 * Fixed CMake symlinking on out-of-source builds
4956 * Bignum's MIPS-32 assembly was used on MIPS-64, causing chaos. (Found by
4960 * Fixed bug with session tickets and non-blocking I/O in the unlikely case
4973 = PolarSSL 1.3.4 released on 2014-01-27
4975 * Support for the Koblitz curves: secp192k1, secp224k1, secp256k1
4976 * Support for RIPEMD-160
4977 * Support for AES CFB8 mode
4978 * Support for deterministic ECDSA (RFC 6979)
4992 = PolarSSL 1.3.3 released on 2013-12-31
4995 * Support for adhering to client ciphersuite order preference
4997 * Support for Curve25519
4998 * Support for ECDH-RSA and ECDH-ECDSA key exchanges and ciphersuites
4999 * Support for IPv6 in the NET module
5000 * AES-NI support for AES, AES-GCM and AES key scheduling
5001 * SSL Pthread-based server example added (ssl_pthread_server)
5008 * More constant-time checks in the RSA module
5016 * Fixed X.509 hostname comparison (with non-regular characters)
5018 * Missing defines / cases for RSA_PSK key exchange
5029 * Possible remotely-triggered out-of-bounds memory access fixed (found by
5032 = PolarSSL 1.3.2 released on 2013-11-04
5035 * Added optional optimization for NIST MODP curves (POLARSSL_ECP_NIST_OPTIM)
5036 * Support for Camellia-GCM mode and ciphersuites
5039 * Padding checks in cipher layer are now constant-time
5040 * Value comparisons in SSL layer are now constant-time
5041 * Support for serialNumber, postalAddress and postalCode in X509 names
5053 * Server-side initiated renegotiations send HelloRequest
5055 = PolarSSL 1.3.1 released on 2013-10-15
5057 * Support for Brainpool curves and TLS ciphersuites (RFC 7027)
5058 * Support for ECDHE-PSK key-exchange and ciphersuites
5059 * Support for RSA-PSK key-exchange and ciphersuites
5062 * RSA blinding locks for a smaller amount of time
5064 * Introduced POLARSSL_HAVE_READDIR_R for systems without it
5065 * config.h is more script-friendly
5073 * Better support for MSVC
5077 = PolarSSL 1.3.0 released on 2013-10-01
5081 * Ephemeral Elliptic Curve Diffie Hellman support for SSL/TLS
5082 (ECDHE-based ciphersuites)
5083 * Ephemeral Elliptic Curve Digital Signature Algorithm support for SSL/TLS
5084 (ECDSA-based ciphersuites)
5086 * PSK and DHE-PSK based ciphersuites added
5088 * Buffer-based memory allocator added (no malloc() / free() / HEAP usage)
5093 * Support for max_fragment_length extension (RFC 6066)
5094 * Support for truncated_hmac extension (RFC 6066)
5095 * Support for zeros-and-length (ANSI X.923) padding, one-and-zeros
5096 (ISO/IEC 7816-4) padding and zero padding in the cipher layer
5097 * Support for session tickets (RFC 5077)
5102 * Optional blinding for RSA, DHM and EC
5103 * Support for multiple active certificate / key pairs in SSL servers for
5111 * Internals for SSL module adapted to have separate IV pointer that is
5112 dynamically set (Better support for hardware acceleration)
5114 prototypes for the RSA sign and verify functions changed as a result
5122 * All RSA operations require a random generator for blinding purposes
5124 * x509_crt_verify() now case insensitive for cn (RFC 6125 6.4)
5125 * Also compiles / runs without time-based functions (!POLARSSL_HAVE_TIME)
5132 * Support for AIX header locations in net.c module
5137 (found by Cyril Arnaud and Pierre-Alain Fouque)
5140 = Version 1.2.14 released 2015-05-??
5148 * Add countermeasure against "Lucky 13 strikes back" cache-based attack,
5156 * Fix potential unintended sign extension in asn1_get_len() on 64-bit
5159 = Version 1.2.13 released 2015-02-16
5160 Note: Although PolarSSL has been renamed to mbed TLS, no changes reflecting
5164 * Fix remotely-triggerable uninitialised pointer dereference caused by
5166 for a client certificate) (found using Codenomicon Defensics).
5167 * Fix remotely-triggerable memory leak caused by crafted X.509 certificates
5168 (TLS server is not affected if it doesn't ask for a client certificate)
5171 (TLS server is not affected if it doesn't ask for a client certificate)
5174 (TLS server is not affected if it doesn't ask for a client certificate).
5180 add_len (found by Jean-Philippe Aumasson) (not triggerable remotely).
5185 * Fix assembly selection for MIPS64 (thanks to James Cowgill).
5190 issue with some servers when a zero-length extension was sent. (Reported
5192 * On a 0-length input, base64_encode() did not correctly set output length
5198 * Add compile-time option POLARSSL_X509_MAX_INTERMEDIATE_CA to limit the
5200 = Version 1.2.12 released 2014-10-24
5203 * Remotely-triggerable memory leak when parsing some X.509 certificates
5204 (server is not affected if it doesn't ask for a client certificate).
5211 with non-blocking I/O.
5215 * Fix net_accept() regarding non-blocking sockets (found by Luca Pesce).
5216 * ssl_read() could return non-application data records on server while
5218 * Fix warnings from Clang's scan-build (contributed by Alfred Klomp).
5227 = Version 1.2.11 released 2014-07-11
5232 * Introduced POLARSSL_HAVE_READDIR_R for systems without it
5250 * Fix length checking for AEAD ciphersuites (found by Codenomicon).
5255 * Fixed X.509 hostname comparison (with non-regular characters)
5268 * Fixed testing with out-of-source builds using cmake
5269 * Fixed version-major intolerance in server
5270 * Fixed CMake symlinking on out-of-source builds
5271 * Bignum's MIPS-32 assembly was used on MIPS-64, causing chaos. (Found by
5282 when no extensions are present (found by Matthew Page)
5286 big-endian platform when size was not an integer number of limbs
5290 * Fix preprocessor checks for bn_mul PPC asm (found by Barry K. Nathan).
5291 * Use \n\t rather than semicolons for bn_mul asm, since some assemblers
5297 = Version 1.2.10 released 2013-10-07
5299 * Changed RSA blinding to a slower but thread-safe version
5306 = Version 1.2.9 released 2013-10-01
5308 * x509_verify() now case insensitive for cn (RFC 6125 6.4)
5319 (found by Cyril Arnaud and Pierre-Alain Fouque)
5321 = Version 1.2.8 released 2013-06-19
5325 * Centralized module option values in config.h to allow user-defined
5331 and specific DER parser functions for the PKCS#1 and unencrypted
5333 * Added mechanism to provide alternative implementations for all
5335 config.h)
5342 * Fixed offset for cert_type list in ssl_parse_certificate_request()
5343 * Fixed const correctness issues that have no impact on the ABI
5350 * Fixed values for 2-key Triple DES in cipher layer
5355 PEM-encoded certificates has been fixed (found by Jack Lloyd)
5357 = Version 1.2.7 released 2013-04-13
5362 * Default Blowfish keysize is now 128-bits
5366 * Fix for MPI assembly for ARM
5369 = Version 1.2.6 released 2013-03-11
5371 * Fixed memory leak in ssl_free() and ssl_reset() for active session
5372 * Corrected GCM counter incrementation to use only 32-bits instead of
5373 128-bits (found by Yawning Angel)
5374 * Fixes for 64-bit compilation with MS Visual Studio
5375 * Fixed net_bind() for specified IP addresses on little endian systems
5376 * Fixed assembly code for ARM (Thumb and regular) for some compilers
5382 * Added support for custom labels when using rsa_rsaes_oaep_encrypt()
5384 * Re-added handling for SSLv2 Client Hello when the define
5393 rsa_rsaes_pkcs1_v15_decrypt() and rsa_pkcs1_decrypt() for PKCS#1 v1.5
5396 = Version 1.2.5 released 2013-02-02
5398 * Allow enabling of dummy error_strerror() to support some use-cases
5401 * Sending of security-relevant alert messages that do not break
5409 = Version 1.2.4 released 2013-01-25
5418 * Correctly handle CertificateRequest message in client for <= TLS 1.1
5421 = Version 1.2.3 released 2012-11-26
5425 = Version 1.2.2 released 2012-11-24
5427 * Added p_hw_data to ssl_context for context specific hardware acceleration
5429 * During verify trust-CA is only checked for expiration and CRL presence
5435 = Version 1.2.1 released 2012-11-20
5438 bottom-up (Peer cert depth is 0)
5441 * Fixes for MSVC6
5444 Pégourié-Gonnard)
5446 Pégourié-Gonnard)
5447 * Added max length check for rsa_pkcs1_sign with PKCS#1 v2.1
5449 = Version 1.2.0 released 2012-10-31
5451 * Added support for NULL cipher (POLARSSL_CIPHER_NULL_CIPHER) and weak
5454 * Added support for wildcard certificates
5455 * Added support for multi-domain certificates through the X509 Subject
5461 * Added base Galois Counter Mode (GCM) for AES
5465 * Added support for Hardware Acceleration hooking in SSL/TLS
5481 * AES code only checks for Padlock once
5482 * Fixed const-correctness mpi_get_bit()
5483 * Documentation for mpi_lsb() and mpi_msb()
5489 * Removed handling for SSLv2 Client Hello (as per RFC 5246 recommendation)
5511 * Fixed MPI assembly for SPARC64 platform
5517 = Version 1.1.8 released on 2013-10-01
5523 * Potential buffer-overflow for ssl_read_record() (independently found by
5528 = Version 1.1.7 released on 2013-06-19
5537 * Fixed values for 2-key Triple DES in cipher layer
5542 PEM-encoded certificates has been fixed (found by Jack Lloyd)
5544 = Version 1.1.6 released on 2013-03-11
5546 * Fixed net_bind() for specified IP addresses on little endian systems
5549 * Allow enabling of dummy error_strerror() to support some use-cases
5557 rsa_rsaes_pkcs1_v15_decrypt() and rsa_pkcs1_decrypt() for PKCS#1 v1.5
5560 = Version 1.1.5 released on 2013-01-16
5562 * Fixed MPI assembly for SPARC64 platform
5571 Pégourié-Gonnard)
5573 Pégourié-Gonnard)
5574 * Added max length check for rsa_pkcs1_sign with PKCS#1 v2.1
5578 * Fixes for MSVC6
5584 = Version 1.1.4 released on 2012-05-31
5590 = Version 1.1.3 released on 2012-04-29
5594 = Version 1.1.2 released on 2012-04-26
5601 Frama-C team at CEA LIST)
5605 = Version 1.1.1 released on 2012-01-23
5607 * Check for failed malloc() in ssl_set_hostname() and x509_get_entries()
5609 * Fixed issues with Intel compiler on 64-bit systems (Closes ticket #50)
5610 * Fixed multiple compiler warnings for VS6 and armcc
5613 = Version 1.1.0 released on 2011-12-22
5615 * Added ssl_session_reset() to allow better multi-connection pools of
5616 SSL contexts without needing to set all non-connection-specific
5623 * Added CTR_DRBG based on AES-256-CTR (NIST SP 800-90) random generator
5624 * Added a generic entropy accumulator that provides support for adding
5629 * Documentation for AES and Camellia in modes CTR and CFB128 clarified.
5630 * Fixed rsa_encrypt and rsa_decrypt examples to use public key for
5631 encryption and private key for decryption. (Closes ticket #34)
5632 * Increased maximum size of ASN1 length reads to 32-bits.
5637 * Changed the defined key-length of DES ciphers in cipher.h to include the
5642 trade-off
5643 * Introduced POLARSSL_MPI_MAX_SIZE and POLARSSL_MPI_MAX_BITS for MPI size
5651 encountering a parse-error. Beware that the meaning of return values has
5656 * Fixed faulty HMAC-MD2 implementation. Found by dibac. (Closes
5662 * Fixed incorrect behaviour in case of RSASSA-PSS with a salt length
5666 * Improved build support for s390x and sparc64 in bignum.h
5671 = Version 1.0.0 released on 2011-07-27
5673 * Expanded cipher layer with support for CFB128 and CTR mode
5684 = Version 0.99-pre5 released on 2011-05-26
5699 instead of int for buffer lengths and loop variables for
5717 = Version 0.99-pre4 released on 2011-04-01
5719 * Added support for PKCS#1 v2.1 encoding and thus support
5720 for the RSAES-OAEP and RSASSA-PSS operations.
5723 * Added mpi_fill_random() for centralized filling of big numbers
5735 platform (32-bit / 64-bit) (Fixes ticket #19, found by Mads
5739 * Fixed proper handling of RSASSA-PSS verification with variable
5742 = Version 0.99-pre3 released on 2011-02-28
5743 This release replaces version 0.99-pre2 which had possible copyright issues.
5752 ticket #13). Also possible to remove PEM support for
5763 * Do not bail out if no client certificate specified. Try
5768 * Fixed a possible Man-in-the-Middle attack on the
5772 = Version 0.99-pre1 released on 2011-01-30
5774 Note: Most of these features have been donated by Fox-IT
5781 * Detection for DES weak keys and parity bits added
5790 * Added support for PKCS#11 through the use of the
5791 libpkcs11-helper library
5802 = Version 0.14.0 released on 2010-08-16
5804 * Added support for SSL_EDH_RSA_AES_128_SHA and
5806 * Added compile-time and run-time version information
5807 * Expanded ssl_client2 arguments for more flexibility
5808 * Added support for TLS v1.1
5820 * Fixed CMake out of source build for tests (found by
5826 = Version 0.13.1 released on 2010-03-24
5831 = Version 0.13.0 released on 2010-03-21
5833 * Added option parsing for host and port selection to
5835 * Added support for GeneralizedTime in X509 parsing
5841 * Added const correctness for main code base
5847 * Added reset function for HMAC context as speed-up
5848 for specific use-cases
5854 * Added small fixes for compiler warnings on a Mac
5859 = Version 0.12.1 released on 2009-10-04
5870 = Version 0.12.0 released on 2009-07-28
5873 * Added preliminary Code Coverage tests for AES, ARC4,
5874 Base64, MPI, SHA-family, MD-family, HMAC-SHA-family,
5875 Camellia, DES, 3-DES, RSA PKCS#1, XTEA, Diffie-Hellman
5880 this in mind when checking for errors.
5881 * RSA_RAW renamed to SIG_RSA_RAW for consistency.
5883 * Changed interface for AES and Camellia setkey functions
5891 * Fixed HMAC-MD2 by modifying md2_starts(), so that the
5910 * Corrected is_prime() results for 0, 1 and 2 (found by
5912 * Fixed Camellia and XTEA for 64-bit Windows systems.
5914 = Version 0.11.1 released on 2009-05-17
5915 * Fixed missing functionality for SHA-224, SHA-256, SHA384,
5916 SHA-512 in rsa_pkcs1_sign()
5918 = Version 0.11.0 released on 2009-05-03
5922 * Added support for SHA-224, SHA-256, SHA-384 and SHA-512
5930 * Centralized file opening and reading for x509 files into
5932 * Made definition of net_htons() endian-clean for big endian
5936 * Fixed an off-by-one buffer allocation in ssl_set_hostname()
5937 responsible for crashes and unwanted behaviour.
5938 * Added support for Certificate Revocation List (CRL) parsing.
5939 * Added support for CRL revocation to x509parse_verify() and
5941 * Fixed compatibility of XTEA and Camellia on a 64-bit system
5944 = Version 0.10.0 released on 2009-01-12
5948 * Added support for ciphersuites: SSL_RSA_CAMELLIA_128_SHA,
5956 = Version 0.9 released on 2008-03-16
5958 * Added support for ciphersuite: SSL_RSA_AES_128_SHA
5959 * Enabled support for large files by default in aescrypt2.c
5962 be sent twice in non-blocking mode when send returns EAGAIN
5965 * Added user-defined callback debug function (Krystian Kolodziej)
5971 output data is non-aligned by falling back to the software
5972 implementation, as VIA Nehemiah cannot handle non-aligned buffers
5974 Robson-Garth; some x509write.c fixes by Pascal Vizeli, thanks to
5977 an INTEGER instead of a BOOLEAN for BasicConstraints::cA.
5978 * Added support on the client side for the TLS "hostname" extension
5983 * Updated rsa_check_privkey() to verify that (D*E) = 1 % (P-1)*(Q-1)
5988 * Fixed a critical denial-of-service with X.509 cert. verification:
5990 for which the RSA signature check fails (bug reported by Benoit)
5991 * Added test vectors for: AES-CBC, AES-CFB, DES-CBC and 3DES-CBC,
5992 HMAC-MD5, HMAC-SHA1, HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512
5993 * Fixed HMAC-SHA-384 and HMAC-SHA-512 (thanks to Josh Sinykin)
5996 as the Klima-Pokorny-Rosa extension of Bleichenbacher's attack
5997 * Updated rsa_gen_key() so that ctx->N is always nbits in size
6001 = Version 0.8 released on 2007-10-20
6009 * Added user-defined callbacks for handling I/O and sessions
6012 * Added preliminary support for the VIA PadLock routines
6013 * Added AES-CFB mode of operation, contributed by chmike
6017 * Updated ssl_read() to skip 0-length records from OpenSSL
6019 * Fixed a bug in mpi_read_binary() on 64-bit platforms
6026 = Version 0.7 released on 2007-07-07
6028 * Added support for the MicroBlaze soft-core processor
6030 connections from being established with non-blocking I/O
6034 * Added the SHA-224, SHA-384 and SHA-512 hash functions
6042 = Version 0.6 released on 2007-04-01
6046 * Added multiply assembly code for the TriCore and modified
6047 havege_struct for this processor, thanks to David Patiño
6048 * Added multiply assembly code for 64-bit PowerPCs,
6051 * Added support for autoconf, contributed by Arnaud Cornet
6052 * Fixed "long long" compilation issues on IA-64 and PPC64
6053 * Fixed a bug introduced in xyssl-0.5/timing.c: hardclock
6056 = Version 0.5 released on 2007-03-01
6058 * Added multiply assembly code for SPARC and Alpha
6059 * Added (beta) support for non-blocking I/O operations
6062 (thanks to Benjamin Newman), HP-UX, FreeBSD and Solaris
6067 = Version 0.4 released on 2007-02-01
6069 * Added support for Ephemeral Diffie-Hellman key exchange
6070 * Added multiply asm code for SSE2, ARM, PPC, MIPS and M68K
6080 = Version 0.3 released on 2007-01-01
6082 * Added server-side SSLv3 and TLSv1.0 support
6086 the bignum code is no longer dependent on long long
6088 * Updated timing.c for improved compatibility with i386
6091 = Version 0.2 released on 2006-12-01
6102 the Miller-Rabin primality test
6104 I'd also like to thank Younès Hafri for the CRUX linux port,
6106 who maintains the Debian package :-)
6108 = Version 0.1 released on 2006-11-01