Lines Matching +full:ipv4 +full:- +full:second +full:- +full:language +full:- +full:is +full:- +full:cpp
3 = Mbed TLS 3.6.0 branch released 2024-03-28
27 * mbedtls_ecp_write_key() is deprecated in favor of
32 an RSA key as a domain parameter is no longer supported. Use
34 * Temporary function mbedtls_pk_wrap_as_opaque() is removed. To mimic the
42 * Support Armv8-A Crypto Extension acceleration for SHA-256
43 when compiling for Thumb (T32) or 32-bit Arm (A32).
44 * AES-NI is now supported in Windows builds with clang and clang-cl.
50 This affects both the low-level modules and the high-level APIs
51 (the cipher and PSA interfaces). This option is incompatible with modes
53 * Support use of Armv8-A Cryptographic Extensions for hardware accelerated
54 AES when compiling for Thumb (T32) or 32-bit Arm (A32).
56 library without the corresponding built-in implementation. Generally
58 or they'll both be built in. However, for CCM and GCM the built-in
59 implementation is able to take advantage of a driver that only
60 accelerates the key type (that is, the block cipher primitive). See
61 docs/driver-only-builds.md for full details and current limitations.
62 * The CTR_DRBG module will now use AES from a PSA driver if MBEDTLS_AES_C is
69 unauthenticated (non-AEAD) ciphers are disabled, or if they're all
70 fully provided by drivers. See docs/driver-only-builds.md for full
77 * Improve performance of AES-GCM, AES-CTR and CTR-DRBG when
78 hardware accelerated AES is not present (around 13-23% on 64-bit Arm).
92 * Add support for using AES-CBC 128, 192, and 256 bit schemes
96 * Add pc files for pkg-config, e.g.:
97 pkg-config --cflags --libs (mbedtls|mbedcrypto|mbedx509)
105 * Add support for 8-bit GCM tables for Shoup's algorithm to speedup GCM
106 operations when hardware accelerated AES is not present. Improves
107 performance by around 30% on 64-bit Intel; 125% on Armv7-M.
110 * The new function mbedtls_ecp_write_key_ext() is similar to
119 * mbedtls_psa_get_random() is always available as soon as
120 MBEDTLS_PSA_CRYPTO_CLIENT is enabled at build time and psa_crypto_init() is
127 * Add new accessors to expose the private session-id,
128 session-id length, and ciphersuite-id members of
130 Add new accessor to expose the ciphersuite-id of
133 docs/tls13-early-data.md). The support enablement is controlled at build
140 docs/architecture/psa-thread-safety/psa-thread-safety.md for more details.
148 to PSA functions is now secure by default.
150 of intermediate outputs during operations. This is currently implemented
156 Note that setting this option will cause input-output buffer overlap to
158 Fixes CVE-2024-28960.
160 when an SSL context is reset with the mbedtls_ssl_session_reset() API.
164 Fixes CVE-2024-28755.
166 TLS 1.2 implementation of the protocol if it is disabled.
167 - If the TLS 1.2 implementation was disabled at build time, a TLS 1.2
168 client could put the TLS 1.3-only server in an infinite loop processing
171 - If the TLS 1.2 implementation was disabled at runtime, a TLS 1.2 client
174 Fixes CVE-2024-28836.
177 * Fix the build with CMake when Everest or P256-m is enabled through
179 * Fix compilation error in C++ programs when MBEDTLS_ASN1_PARSE_C is
182 in the san parameter is not separated by a colon.
184 in the san parameter is not separated by a colon.
188 * Fix build failure in conda-forge. Fixes #8422.
195 is disabled at runtime. Fixes #8593.
201 * On Linux on ARMv8, fix a build error with SHA-256 and SHA-512
205 TLS12_PSK_TO_MS, PBKDF2-HMAC, PBKDF2-CMAC
206 * Fix mbedtls_pk_get_bitlen() for RSA keys whose size is not a
213 mbedtls_pk_encrypt() on non-opaque RSA keys to honor the padding mode in
230 functions. Note that overlap is still only partially supported when
231 MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS is set (#3266).
241 acceleration is required.
244 * mbedtls_pk_sign_ext() is now always available, not just when
245 PSA (MBEDTLS_PSA_CRYPTO_C) is enabled.
252 * RSA support in PSA no longer auto-enables the pkparse and pkwrite modules,
261 * The TLS 1.3 protocol is now enabled in the default configuration.
263 = Mbed TLS 3.5.2 branch released 2024-01-26
268 attacker or a remote attacker who is close to the victim on the network
274 could result in an integer overflow, causing a zero-length buffer to be
278 = Mbed TLS 3.5.1 branch released 2023-11-06
281 * Mbed TLS is now released under a dual Apache-2.0 OR GPL-2.0-or-later
288 = Mbed TLS 3.5.0 branch released 2023-10-05
291 * Mbed TLS 3.4 introduced support for omitting the built-in implementation
292 of ECDSA and/or EC J-PAKE when those are provided by a driver. However,
293 there was a flaw in the logic checking if the built-in implementation, in
296 accelerated and still have the built-in implementation compiled out.
297 Starting with this release, it is necessary to declare which curves are
299 considered not accelerated, and the built-in implementation of the curves
307 * Minimum required Windows version is now Windows Vista, or
312 MBEDTLS_PSA_ACCEL_KEY_TYPE_xxx_KEY_PAIR, where xxx is either ECC or RSA,
315 IMPORT, EXPORT, GENERATE, DERIVE. The goal is to have a finer detail about
317 * MBEDTLS_CIPHER_BLKSIZE_MAX is deprecated in favor of
330 drivers when MBEDTLS_PSA_CRYPTO_C is enabled and psa_crypto_init() has
334 provided - these limitations are lifted in this version. A new set of
337 they're provided by a built-in implementation, a driver or both. See
338 docs/driver-only-builds.md.
339 * When a PSA driver for ECDH is present, it is now possible to disable
343 TLS 1.2 (ECDHE-ECDSA key exchange) are not supported in those builds yet,
345 * When all of ECDH, ECDSA and EC J-PAKE are either disabled or provided by
346 a driver, it is possible to disable MBEDTLS_ECP_C (and MBEDTLS_BIGNUM_C
348 algorithms in PSA, with some limitations. See docs/driver-only-builds.txt
352 * Add support for server-side TLS version negotiation. If both TLS 1.2 and
364 parameters from RFC 7919. This includes a built-in implementation based
367 * It is now possible to generate certificates with SubjectAltNames.
376 string to a DER-encoded mbedtls_asn1_buf.
377 * Add SHA-3 family hash functions.
378 * Add support to restrict AES to 128-bit keys in order to save code size.
383 Aarch64, gcc -Os and CCM, GCM and XTS benefit the most.
384 On Aarch64, uplift is typically around 20 - 110%.
385 When compiling with gcc -Os on Aarch64, AES-XTS improves
387 * Add support for PBKDF2-HMAC through the PSA API.
389 MBEDTLS_PSA_ACCEL_KEY_TYPE_xxx_KEY_PAIR_yyy (where xxx is either ECC, RSA
393 - DERIVE is only available for ECC keys, not for RSA or DH ones.
394 - implementations are free to enable more than what it was strictly
398 This is automatically enabled as soon as PSA_WANT_ALG_FFDH
399 and the ephemeral or psk-ephemeral key exchange mode are enabled.
412 * Support for "opaque" (PSA-held) ECC keys in the PK module has been
413 extended: it is now possible to use mbedtls_pk_write_key_der(),
421 * Add support for PBKDF2-CMAC through the PSA API.
423 using CPU-accelerated AES (e.g., Arm Crypto Extensions), this option
424 disables the plain C implementation and the run-time detection for the
451 (notably recent versions of Clang and IAR) could produce non-constant
454 * Updates to constant-time C code so that compilers are less likely to use
457 implementations for 32- and 64-bit Arm and for x86 and x86-64, which are
465 null-cipher cipher suites. Credit to OSS-Fuzz.
467 In TLS 1.3, all configurations are affected except PSK-only ones, and
472 Credit to OSS-Fuzz.
476 PSA_SIGNATURE_MAX_SIZE buffers when at least one accelerated EC is bigger
477 than all built-in ones and RSA is disabled.
482 a message that one of the required defines is missing.
487 * Fix an error when MBEDTLS_ECDSA_SIGN_ALT is defined but not
490 MBEDTLS_USE_PSA_CRYPTO is enabled.
491 * Fix the J-PAKE driver interface for user and peer to accept any values
494 M-class CPUs (Cortex-M0, Cortex-M0+, Cortex-M1, Cortex-M23,
498 way to detect the crypto extensions required. A warning is still issued.
512 example TF-M configuration in configs/ from building cleanly:
527 * Fix a potential corruption of the passed-in IV when mbedtls_aes_crypt_cbc()
528 is called with zero length and padlock is not enabled.
534 MBEDTLS_PSA_CRYPTO_CONFIG is disabled.
537 mbedtls_x509_san_other_name struct. The type-id of the otherName was not
544 enabled, where some low-level modules required by requested PSA crypto
553 * Fix the build with CMake when Everest or P256-m is enabled through
558 compiling with gcc, clang or armclang and -O0.
563 operations when MBEDTLS_PSA_CRYPTO_C is defined.
572 mbedtls_cipher_set_padding_mode() is now enforced. Previously, omitting
576 = Mbed TLS 3.4.1 branch released 2023-08-04
582 * Update test data to avoid failures of unit tests after 2023-08-07.
584 = Mbed TLS 3.4.0 branch released 2023-03-28
589 ssl_ciphersuites.c). The preferred cipher suite is now
593 * mbedtls_x509write_crt_set_serial() is now being deprecated in favor of
594 mbedtls_x509write_crt_set_serial_raw(). The goal here is to remove any
596 * PSA to mbedtls error translation is now unified in psa_util.h,
599 optionally providing file-specific error pairs. Please see psa_util.h for
604 Syntax, as defined in RFC 2315. Currently, support is limited to the
606 - Only the signed-data content type, version 1 is supported.
607 - Only DER encoding is supported.
608 - Only a single digest algorithm per message is supported.
609 - Certificates must be in X.509 format. A message must have either 0
611 - There is no support for certificate revocation lists.
612 - The authenticated and unauthenticated attribute fields of SignerInfo
615 contributing this feature, and to Demi-Marie Obenour for contributing
619 * Improvements to use of unaligned and byte-swapped memory, reducing code
630 * Add parsing of V3 extensions (key usage, Netscape cert-type,
632 * Use HOSTCC (if it is set) when compiling C code during generation of the
633 configuration-independent files. This allows them to be generated when
634 CC is set for cross compilation.
644 * When a PSA driver for ECDSA is present, it is now possible to disable
649 operations is not present yet.
650 * Add a driver dispatch layer for EC J-PAKE, enabling alternative
651 implementations of EC J-PAKE through the driver entry points.
655 * Add support for AES with the Armv8-A Cryptographic Extension on
656 64-bit Arm. A new configuration option, MBEDTLS_AESCE_C, can
657 be used to enable this feature. Run-time detection is supported
659 * When a PSA driver for EC J-PAKE is present, it is now possible to disable
664 to read non-public fields for padding mode and hash id from
666 * AES-NI is now supported with Visual Studio.
667 * AES-NI is now supported in 32-bit builds, or when MBEDTLS_HAVE_ASM
668 is disabled, when compiling with GCC or Clang or a compatible compiler
670 gcc -m32 -msse2 -maes -mpclmul). (Generic x86 builds with GCC-like
671 compilers still require MBEDTLS_HAVE_ASM and a 64-bit target.)
672 * It is now possible to use a PSA-held (opaque) password with the TLS 1.2
677 * Use platform-provided secure zeroization function where possible, such as
680 * Fix a potential heap buffer overread in TLS 1.3 client-side when
681 MBEDTLS_DEBUG_C is enabled. This may result in an application crash.
682 * Add support for AES with the Armv8-A Cryptographic Extension on 64-bit
683 Arm, so that these systems are no longer vulnerable to timing side-channel
684 attacks. This is configured by MBEDTLS_AESCE_C, which is on by default.
686 * MBEDTLS_AESNI_C, which is enabled by default, was silently ignored on
687 builds that couldn't compile the GCC-style assembly implementation
689 timing side-channel attacks. There is now an intrinsics-based AES-NI
706 defined, but MBEDTLS_PK_RSA_ALT_SUPPORT is not defined. Fixes #3174.
713 whose binary representation is longer than 20 bytes. This was already
714 forbidden by the standard (RFC5280 - section 4.1.2.2) and now it's being
732 * Reject OIDs with overlong-encoded subidentifiers when converting
737 have the most-significant bit set in their last byte.
738 * Silence warnings from clang -Wdocumentation about empty \retval
742 * Fix an unused-variable warning in TLS 1.3-only builds if
745 len argument is 0 and buffer is NULL.
746 * Allow setting user and peer identifiers for EC J-PAKE operation
748 This is a partial fix that allows only "client" and "server" identifiers.
749 * Fix a compilation error when PSA Crypto is built with support for
753 * Fix TLS 1.3 session resumption when the established pre-shared key is
754 384 bits long. That is the length of pre-shared keys created under a
755 session where the cipher suite is TLS_AES_256_GCM_SHA384.
765 * Mixed-endian systems are explicitly not supported any more.
774 - now it accepts the serial number in 2 different formats: decimal and
776 - "serial" is used for the decimal format and it's limited in size to
778 - "serial_hex" is used for the hex format; max length here is
780 * The C code follows a new coding style. This is transparent for users but
783 https://mbed-tls.readthedocs.io/en/latest/kb/how-to/rewrite-branch-for-coding-style/
789 to best results when tested on Cortex-M4 and Intel i7.
791 MBEDTLS_SHA512_USE_A64_CRYPTO_*, it is no longer necessary to specify
795 = Mbed TLS 3.3.0 branch released 2022-12-14
800 It is now no longer experimental, and implements the final version from
801 RFC 9146, which is not interoperable with the draft-05 version.
805 standard (non-draft) version.
813 from a release, the Python module jsonschema is now necessary, in
814 addition to jinja2. The official list of required Python modules is
829 * Expose the EC J-PAKE functionality through the Draft PSA PAKE Crypto API.
830 Only the ECC primitive with secp256r1 curve and SHA-256 hash algorithm
833 built-in implementation present, but only in some configurations.
834 - RSA OAEP and PSS (PKCS#1 v2.1), PKCS5, PKCS12 and EC J-PAKE now use
835 hashes from PSA when (and only when) MBEDTLS_MD_C is disabled.
836 - PEM parsing of encrypted files now uses MD-5 from PSA when (and only
837 when) MBEDTLS_MD5_C is disabled.
842 all hashes only provided by drivers (no built-in hash) is to use
844 * When MBEDTLS_USE_PSA_CRYPTO is enabled, X.509, TLS 1.2 and TLS 1.3 now
846 As a consequence, they now work in configurations where the built-in
848 provided by PSA drivers. (See previous entry for limitation on RSA-PSS
849 though: that module only uses hashes from PSA when MBEDTLS_MD_C is off).
852 * Add the LMS post-quantum-safe stateful-hash asymmetric signature scheme.
853 Signature verification is production-ready, but generation is for testing
856 1024 messages. As such, it is not intended for use in TLS, but instead
859 * Add the LM-OTS post-quantum-safe one-time signature scheme, which is
861 be used to sign one message so is impractical for most circumstances.
862 * Mbed TLS now supports TLS 1.3 key establishment via pre-shared keys.
863 The pre-shared keys can be provisioned externally or via the ticket
865 The ticket mechanism is supported when the configuration option
866 MBEDTLS_SSL_SESSION_TICKETS is enabled.
875 supports a subset of the driver description language, including
881 * The TLS 1.2 EC J-PAKE key exchange can now use the PSA Crypto API.
890 entry point. This entry point is specified in the proposed PSA driver
892 * Add an ad-hoc key derivation function handling EC J-PAKE to PMS
894 as described in draft-cragie-tls-ecjpake-01. This can be achieved by
899 MBEDTLS_SSL_DTLS_CONNECTION_ID is enabled and
904 victim performing a single private-key operation if the window size used
906 Wenjian HE, Sharad Sinha, and Wei ZHANG. See "Cache Side-channel Attacks
907 and Defenses of the Sliding Window Algorithm in TEEs" - Design, Automation
911 * Refactor mbedtls_aes_context to support shallow-copying. Fixes #2147.
912 * Fix an issue with in-tree CMake builds in releases with GEN_FILES
915 * Fix a long-standing build failure when building x86 PIC code with old
918 * Fix support for little-endian Microblaze when MBEDTLS_HAVE_ASM is defined.
925 broken link is encountered, skip the broken link and continue parsing
935 MBEDTLS_DEPRECATED_REMOVED is enabled.
937 MBEDTLS_AES_ALT is enabled, it could call mbedtls_aes_free() on an
946 PSA drivers for AEAD (GCM, CCM, Chacha20-Poly1305).
962 in TLS 1.3 (where it is forbidden).
963 * Fix a bug in which mbedtls_x509_crt_info() would produce non-printable
968 the error code returned by mbedtls_mpi_write_file() is overwritten
970 * In the bignum module, operations of the form (-A) - (+A) or (-A) - (-A)
981 when both operands are 0 and the left operand is represented with 0 limbs.
984 to OSS-Fuzz. Fixes #6597.
987 * Move some SSL-specific code out of libmbedcrypto where it had been placed
994 * Calling AEAD tag-specific functions for non-AEAD algorithms (which
995 should not be done - they are documented for use only by AES-GCM and
999 = Mbed TLS 3.2.1 branch released 2022-07-12
1002 * Re-add missing generated file library/psa_crypto_driver_wrappers.c
1004 = Mbed TLS 3.2.0 branch released 2022-07-11
1039 a piece of user data which is reserved for the application. The user
1060 * Add mbedtls_pk_sign_ext() which allows generating RSA-PSS signatures when
1061 PSA Crypto is enabled.
1076 mixed-PSK. Add an optional input PSA_KEY_DERIVATION_INPUT_OTHER_SECRET
1078 * When MBEDTLS_PSA_CRYPTO_CONFIG is enabled, you may list the PSA crypto
1085 * Add HKDF-Expand and HKDF-Extract as separate algorithms in the PSA API.
1086 * Add support for the ARMv8 SHA-2 acceleration instructions when building
1089 * Add support for server HelloRetryRequest message. The TLS 1.3 client is
1092 * Add support for client-side TLS version negotiation. If both TLS 1.2 and
1098 establishment only). See docs/architecture/tls13-support.md for a
1106 docs/use-psa-crypto.md for the list of exceptions.
1108 Opaque keys can now be used everywhere a private key is expected in the
1110 * Opaque pre-shared keys for TLS, provisioned with
1113 for the "mixed" PSK key exchanges as well: ECDHE-PSK, DHE-PSK, RSA-PSK.
1114 * cmake now detects if it is being built as a sub-project, and in that case
1119 by side in order to illustrate how the operation is performed in PSA.
1123 * Zeroize dynamically-allocated buffers used by the PSA Crypto key storage
1132 * Fix a potential heap buffer overread in TLS 1.2 server-side when
1133 MBEDTLS_USE_PSA_CRYPTO is enabled, an opaque key (created with
1134 mbedtls_pk_setup_opaque()) is provisioned, and a static ECDH ciphersuite
1135 is selected. This may result in an application crash or potentially an
1139 or a man-in-the-middle could cause a DTLS server to read up to 255 bytes
1141 when MBEDTLS_SSL_IN_CONTENT_LEN is less than a threshold that depends on
1150 buffer is rather small but increases as its size
1163 * Fix a memory leak if mbedtls_ssl_config_defaults() is called twice.
1167 in reduced configurations when MBEDTLS_USE_PSA_CRYPTO is enabled.
1169 enabled and an ECDHE-ECDSA or ECDHE-RSA key exchange was used, the
1174 * The TLS 1.3 implementation is now compatible with the
1181 * Fix compile errors when MBEDTLS_HAVE_TIME is not defined. Add tests
1183 * Fix a race condition in out-of-source builds with CMake when generated data
1189 the function needs to be re-called after initially returning
1199 * Fix undefined behavior in mbedtls_asn1_find_named_data(), where val is
1200 not NULL and val_len is zero.
1220 when MBEDTLS_SSL_PROTO_TLS1_3 is specified, and make this and other
1235 non-compliant. This could not lead to a buffer overflow. In particular,
1252 * The file library/psa_crypto_driver_wrappers.c is now generated
1255 see docs/proposed/psa-driver-wrappers-codegen-migration-guide.md
1256 * Return PSA_ERROR_INVALID_ARGUMENT if the algorithm passed to one-shot
1257 AEAD functions is not an AEAD algorithm. This aligns them with the
1259 * In mbedtls_pk_parse_key(), if no password is provided, don't allocate a
1261 * Assume source files are in UTF-8 when using MSVC with CMake.
1267 LIB_INSTALL_DIR is set.
1271 targets work when MbedTLS is built as a subdirectory. This allows the
1274 = mbed TLS 3.1.0 branch released 2021-12-17
1280 MBEDTLS_ERR_GCM_BUFFER_TOO_SMALL in case the buffer length is too small.
1286 POSIX/Unix-like platforms.
1289 * Sign-magnitude and one's complement representations for signed integers are
1290 not supported. Two's complement is the only supported representation.
1307 * Warn if errors from certain functions are ignored. This is currently
1308 supported on GCC-like compilers and on MSVC and can be configured through
1311 value is almost always a bug. Enable the new configuration option
1313 is currently implemented in the AES, DES and md modules, and will be
1317 * Add support for CCM*-no-tag cipher to the PSA.
1318 Currently only 13-byte long IV's are supported.
1319 For decryption a minimum of 16-byte long input is expected.
1327 protocol. See docs/architecture/tls13-support.md for the definition of
1339 man-in-the-middle to inject fake ciphertext into a DTLS connection.
1342 if the output buffer is in memory that is shared with an untrusted
1346 oracle vulnerability if the output buffer is in memory that is shared with
1348 * Fix a double-free that happened after mbedtls_ssl_set_session() or
1357 The check was accidentally not performed when cross-compiling for Windows
1369 * Fix mbedtls_cipher_crypt: AES-ECB when MBEDTLS_USE_PSA_CRYPTO is enabled.
1370 * Failures of alternative implementations of AES or DES single-block
1374 where this function cannot fail, or full-module replacements with
1379 * Fix compile-time or run-time errors in PSA
1380 AEAD functions when ChachaPoly is disabled. Fixes #5065.
1383 psa_aead_finish() and psa_aead_verify() does not apply to the built-in
1386 the built-in implementation of the GCM.
1388 input buffer size is valid only for the built-in implementation of GCM.
1391 MBEDTLS_ERROR_STRERROR_DUMMY is enabled.
1396 * The existing predicate macro name PSA_ALG_IS_HASH_AND_SIGN is now reserved
1408 * Fix the build when no SHA2 module is included. Fixes #4930.
1409 * Fix the build when only the bignum module is included. Fixes #4929.
1411 pkcs12 functions when the password is empty. Fix the documentation to
1422 oversight during the run-up to the release of Mbed TLS 3.0.
1424 * Implement multi-part CCM API.
1425 The multi-part functions: mbedtls_ccm_starts(), mbedtls_ccm_set_lengths(),
1435 * Improve the performance of base64 constant-flow code. The result is still
1436 slower than the original non-constant-flow implementation, but much faster
1437 than the previous constant-flow implementation. Fixes #4814.
1438 * Ignore plaintext/ciphertext lengths for CCM*-no-tag operations.
1442 ChaCha20-Poly1305 is invalid, and not just unsupported.
1447 most of the interface of this module is private and may change at any
1449 * The generated configuration-independent files are now automatically
1450 generated by the CMake build system on Unix-like systems. This is not
1451 yet supported when cross-compiling.
1453 = Mbed TLS 3.0.0 branch released 2021-07-07
1462 https://mbed-tls.readthedocs.io/en/latest/kb/how-to/add-entropy-sources-to-entropy-pool/ for
1466 header compat-1.3.h and the script rename.pl.
1485 * Drop support for TLS record-level compression (MBEDTLS_ZLIB_SUPPORT).
1487 * Drop support for single-DES ciphersuites.
1491 key type used, as well as the key bit-size in the case of
1506 when outputting a SHA-384 or SHA-224 hash into a buffer of exactly
1510 how the input to multipart operations is broken down. mbedtls_gcm_finish()
1527 session-ID based session resumption) has changed to that of
1528 a key-value store with keys being session IDs and values
1542 * For multi-part AEAD operations with the cipher module, calling
1543 mbedtls_cipher_finish() is now mandatory. Previously the documentation
1546 possible to skip calling it, which is no longer supported.
1547 * The option MBEDTLS_ECP_FIXED_POINT_OPTIM uses pre-computed comb tables
1564 * Instead of accessing the len field of a DHM context, which is no longer
1572 parameter, this parameter is now mandatory (that is, NULL is not an
1589 context are now connection-specific.
1598 * Implement one-shot cipher functions, psa_cipher_encrypt and
1601 * Direct access to fields of structures declared in public headers is no
1611 They are: ARIA block cipher, CMAC mode, elliptic curve J-PAKE library and
1612 Key Wrapping mode as defined in NIST SP 800-38F. Fixes #4036.
1624 release, some configuration-independent files are now generated at build
1635 compile-time option, which was off by default. Users should not trust
1636 certificates signed with SHA-1 due to the known attacks against SHA-1.
1637 If needed, SHA-1 certificates can still be verified by using a custom
1645 https://lists.trustedfirmware.org/pipermail/mbed-tls/2020-April/000024.html
1649 compile-time option. This option has been inactive for a long time.
1652 * Remove the following deprecated functions and constants of hex-encoded
1678 * The RSA module no longer supports private-key operations with the public
1691 MBEDTLS_REMOVE_3DES_CIPHERSUITES option which is no longer relevant.
1696 backward compatibility which is no longer supported. Addresses #4404.
1701 option. The mbedtls_x509_crt_parse_der_with_ext_cb() is the way to go for
1706 * MBEDTLS_ECP_MAX_BITS is no longer a configuration option because it is
1718 using a CCM-8 ciphersuite than a CBC ciphersuite with truncated HMAC.
1720 * Remove the compile-time option
1728 * Added support for built-in driver keys through the PSA opaque crypto
1732 * The multi-part GCM interface (mbedtls_gcm_update() or
1735 * The multi-part GCM interface now supports chunked associated data through
1742 See docs/architecture/alternative-implementations.md for the remaining
1745 query the size of the modulus in a Diffie-Hellman context.
1747 Diffie-Hellman context.
1750 directly, which is no longer supported.
1755 * Fix a bias in the generation of finite-field Diffie-Hellman-Merkle (DHM)
1759 An adversary who is capable of very precise timing measurements could
1767 victim performing a single private-key operation. Found and reported by
1770 information (typically, a co-located process) could recover a Curve25519
1772 observing the victim performing the corresponding private-key operation.
1778 lead to the seed file corruption in case if the path to the seed file is
1783 to create is not valid, bringing them in line with version 1.0.0 of the
1790 * Fix a bug in ECDSA that would cause it to fail when the hash is all-bits
1795 mbedtls_mpi_read_string() was called on "-0", or when
1798 * Fix a compilation error when MBEDTLS_ECP_RANDOMIZE_MXZ_ALT is
1801 * In a TLS client, enforce the Diffie-Hellman minimum parameter size
1805 defined to specific values. If the code is used in a context
1812 * The cipher suite TLS-RSA-WITH-CAMELLIA-256-GCM-SHA384 was not available
1813 when SHA-1 was disabled and was offered when SHA-1 was enabled but SHA-384
1815 * Do not offer SHA384 cipher suites when SHA-384 is disabled. Fixes #4499.
1816 * Fix test suite code on platforms where int32_t is not int, such as
1817 Arm Cortex-M. Fixes #4530.
1819 directive in a header and a missing initialization in the self-test.
1820 * Fix a missing initialization in the Camellia self-test, affecting
1824 is not defined PSA will no longer attempt to use mbedtls_rsa_gen_key().
1827 (when the encrypt-then-MAC extension is not in use) with some ALT
1828 implementations of the underlying hash (SHA-1, SHA-256, SHA-384), causing
1830 * Remove outdated check-config.h check that prevented implementing the
1842 * psa_verify_hash() was relying on implementation-specific behavior of
1844 implementations. This reliance is now removed. Fixes #3990.
1853 Credit to OSS-Fuzz. Fixes #4641.
1854 * Fix mbedtls_mpi_gcd(G,A,B) when the value of B is zero. This had no
1858 read-only lifetime. The persistence level PSA_KEY_PERSISTENCE_READ_ONLY
1861 * When MBEDTLS_PSA_CRYPTO_SPM is enabled, crypto_spe.h was not included
1862 in all the right places. Include it from crypto_platform.h, which is
1864 * Fix which alert is sent in some cases to conform to the
1879 * Remove configs/config-psa-crypto.h, which no longer had any intended
1882 python2, which is no longer supported upstream.
1883 * fix build failure on MinGW toolchain when __USE_MING_ANSI_STDIO is on.
1884 When that flag is on, standard GNU C printf format specifiers
1893 when their input has length 0. Note that this is an implementation detail
1901 build_info.h is intended to be included from C code directly, while
1902 mbedtls_config.h is intended to be edited by end users wishing to
1911 The only value supported by Mbed TLS 3.0.0 is 0x03000000.
1915 PSA_KEY_USAGE_SIGN_HASH flag is set and PSA_KEY_USAGE_VERIFY_MESSAGE flag
1916 when PSA_KEY_USAGE_VERIFY_HASH flag is set. This usage flag extension
1917 is also applied when loading a key from storage.
1919 = mbed TLS 2.26.0 branch released 2021-03-08
1932 as always 0. It is now reserved for internal purposes and may take
1945 CTR_DRBG is used by default if it is available, but you can override
1973 length, or when the entropy module uses SHA-256 and CTR_DRBG uses AES-256.
1979 |A| - |B| where |B| is larger than |A| and has more limbs (so the
1982 all calls inside the library were safe since this function is
1985 mbedtls_pk_write_key_pem(). If MBEDTLS_MPI_MAX_SIZE is set to an odd
1990 mbedtls_net_recv_timeout() when given a file descriptor that is
1996 * Fix use-after-scope error in programs/ssl/ssl_client2.c and ssl_server2.c
2002 is enabled, on platforms where initializing a mutex allocates resources.
2006 twice is safe. This happens for RSA when some Mbed TLS library functions
2007 fail. Such a double-free was not safe when MBEDTLS_THREADING_C was
2008 enabled on platforms where freeing a mutex twice is not safe.
2009 * Fix a resource leak in a bad-arguments case of mbedtls_rsa_gen_key()
2010 when MBEDTLS_THREADING_C is enabled on platforms where initializing
2020 the extension was always marked as non-critical. This was fixed by
2026 implementation is not included into the library.
2030 = mbed TLS 2.25.0 branch released 2020-12-11
2036 The underlying stream cipher is determined by the key type
2040 as they have no way to check if the output buffer is large enough.
2042 mbedtls_cipher_auth_decrypt_ext() instead. Credit to OSS-Fuzz and
2067 This is currently non-standard behaviour, but expected to make it into a
2069 * Add MBEDTLS_TARGET_PREFIX CMake variable, which is prefixed to the mbedtls,
2072 clashes. The default value of this variable is "", so default target names
2074 * Add support for DTLS-SRTP as defined in RFC 5764. Contributed by Johan
2076 * In the PSA API, it is no longer necessary to open persistent keys:
2077 operations now accept the key identifier. The type psa_key_handle_t is now
2078 identical to psa_key_id_t instead of being platform-defined. This bridges
2080 version 1.0.0. Opening persistent keys is still supported for backward
2096 generating Diffie-Hellman key pairs. Credit to OSS-Fuzz.
2098 which is how most uses of randomization in asymmetric cryptography
2100 are implemented. This could cause failures or the silent use of non-random
2123 * Fix build failure in configurations where MBEDTLS_USE_PSA_CRYPTO is
2124 enabled but ECDSA is disabled. Contributed by jdurkop. Fixes #3294.
2127 * Fix rsa_prepare_blinding() to retry when the blinding value is not
2129 addresses a regression but is rare in practice (approx. 1 in 2/sqrt(N)).
2132 * Use socklen_t on Android and other POSIX-compliant systems
2133 * Fix the build when the macro _GNU_SOURCE is defined to a non-empty value.
2148 chars. Fixes a build failure on platforms where char is unsigned. Fixes
2150 * Fix an off-by-one error in the additional data length check for
2151 CCM, which allowed encryption with a non-standard length field.
2155 * Make arc4random_buf available on NetBSD and OpenBSD when _POSIX_C_SOURCE is
2160 * Attempting to create a volatile key with a non-zero key identifier now
2168 (an error condition) and the second operand was aliased to the result.
2169 * Fix a case in elliptic curve arithmetic where an out-of-memory condition
2186 * The PSA persistent storage format is updated to always store the key bits
2187 attribute. No automatic upgrade path is provided. Previously stored keys
2189 specification (docs/architecture/mbed-crypto-storage-specification.md).
2193 zeroize the pointed-to buffer. Reported by Antonio de la Piedra, CEA
2196 = mbed TLS 2.24.0 branch released 2020-09-01
2199 * In the PSA API, rename the types of elliptic curve and Diffie-Hellman
2215 a byte buffer. It is the inverse of the existing mbedtls_ecp_read_key().
2217 -Wformat-signedness, and fix the code that causes signed-one-bit-field
2218 and sign-compare warnings. Contributed by makise-homura (Igor Molchanov)
2225 subjectAltName extension is present, the expected name was compared to any
2227 attacker could for example impersonate a 4-bytes or 16-byte domain by
2228 getting a certificate for the corresponding IPv4 or IPv6 (this would
2243 Encrypt-then-Mac extension, use constant code flow memory access patterns
2244 to extract and check the MAC. This is an improvement to the existing
2246 effective against network-based attackers, but less so against local
2248 if they have access to fine-grained measurements. In particular, this
2252 * Fix side channel in RSA private key operations and static (finite-field)
2253 Diffie-Hellman. An adversary with precise enough timing and memory access
2255 enclave) could bypass an existing counter-measure (base blinding) and
2257 * Fix a 1-byte buffer overread in mbedtls_x509_crl_parse_der().
2258 Credit to OSS-Fuzz for detecting the problem and to Philippe Antoine
2268 redefinition if the function is inlined.
2272 Montgomery keys in little-endian as defined by RFC7748. Contributed by
2275 curves. Raised by signpainter in #941 and by Taiki-San in #1412. This
2277 * Fix self-test failure when the only enabled short Weierstrass elliptic
2278 curve is secp192k1. Fixes #2017.
2285 * Fix bug in redirection of unit test outputs on platforms where stdout is
2289 * Only pass -Wformat-signedness to versions of GCC that support it. Reported
2294 * Undefine the ASSERT macro before defining it locally, in case it is defined
2297 the copyright of contributors other than Arm is now acknowledged, and the
2304 these applications with password-protected key files. Analogously but for
2309 = mbed TLS 2.23.0 branch released 2020-07-01
2316 instead of the keys' lifetime. If the library is upgraded on an existing
2322 high- and low-level error codes, complementing mbedtls_strerror()
2326 * The new utility programs/ssl/ssl_context_info prints a human-readable
2343 Ming-Wei Shih, Prasun Gera, Taesoo Kim and Hyesoon Kim (Georgia Institute
2354 * Fix issue in Lucky 13 counter-measure that could make it ineffective when
2366 pathLenConstraint basic constraint value is equal to INT_MAX.
2367 The actual effect with almost every compiler is the intended
2368 behavior, so this is unlikely to be exploitable anywhere. #3192
2371 * Avoid NULL pointer dereferencing if mbedtls_ssl_free() is called with a
2390 * Fix false positive uninitialised variable reported by cpp-check.
2398 * Fix warnings about signedness issues in format strings. The build is now
2399 clean of -Wformat-signedness warnings. Contributed by Kenneth Soerensen
2411 * Fix mbedtls_x509_dn_gets to escape non-ASCII characters as "?".
2417 buffer is not large enough to hold the ClientHello.
2423 `MBEDTLS_CTR_DRBG_C` or `MBEDTLS_HMAC_DRBG_C` for some side-channel
2432 = mbed TLS 2.22.0 branch released 2020-04-14
2440 fragment length is desired.
2448 (which it is by default).
2453 Billy Brumley and Cesar Pereida Garcia. CVE-2020-10932
2471 * Mbed Crypto is no longer a Git submodule. The crypto part of the library
2472 is back directly in the present repository.
2476 buffer is allocated by the server (if MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH
2477 is defined), regardless of what MFL was configured for it.
2479 = mbed TLS 2.21.0 branch released 2020-02-20
2485 * Deprecate for MBEDTLS_PKCS11_C, the wrapper around the pkcs11-helper
2492 probability (of the order of 2^-n where n is the bitsize of the curve)
2493 unless the RNG is broken, and could result in information disclosure or
2500 ARMmbed/mbed-crypto#352
2503 * The new build option MBEDTLS_SHA512_NO_SHA384 allows building SHA-512
2504 support without SHA-384.
2510 existing code is that elliptic curve key types no longer encode the
2513 PSA_ECC_CURVE_SECP_R1 with 256 bits is P256R1). ARMmbed/mbed-crypto#330
2519 * Fix some false-positive uninitialized variable warnings in X.509. Fix
2520 contributed by apple-ihack-geek in #2663.
2522 a cryptographic accelerator fails. ARMmbed/mbed-crypto#345
2525 keys. Found by Catena cyber using oss-fuzz (issue 20467).
2529 = mbed TLS 2.20.0 branch released 2020-01-15
2532 * The initial seeding of a CTR_DRBG instance makes a second call to the
2533 entropy function to obtain entropy for a nonce if the entropy size is less
2542 entropy module formerly only grabbed 32 bytes, which is good enough for
2543 security if the source is genuinely strong, but less than the expected 64
2553 * Fix side channel vulnerability in ECDSA. Our bignum implementation is not
2555 blinded value, factor it (as it is smaller than RSA keys and not guaranteed
2571 initial seeding. The default nonce length is chosen based on the key size
2572 to achieve the security strength defined by NIST SP 800-90A. You can
2575 msopiha-linaro in ARMmbed/mbed-crypto#307.
2578 * In the PSA API, forbid zero-length keys. To pass a zero-length input to a
2579 key derivation function, use a buffer instead (this is now always
2592 unsupported algorithm. Fixes ARMmbed/mbed-crypto#254.
2594 to OSS-Fuzz for finding a bug in an intermediate version of the fix.
2609 no known instances where this changes the behavior of the library: this is
2610 merely a robustness improvement. ARMmbed/mbed-crypto#323
2612 Alexander Krizhanovsky in ARMmbed/mbed-crypto#210.
2614 Lloyd and Fortanix Inc in ARMmbed/mbed-crypto#277.
2616 Alexander Krizhanovsky in ARMmbed/mbed-crypto#308.
2618 = mbed TLS 2.19.1 branch released 2019-09-16
2628 mbedtls_ssl_export_keys_ext_t, so that the key exporter is discouraged
2632 * Fix some false-positive uninitialized variable warnings in crypto. Fix
2633 contributed by apple-ihack-geek in #2663.
2635 = mbed TLS 2.19.0 branch released 2019-09-06
2646 * The deterministic ECDSA calculation reused the scheme's HMAC-DRBG to
2655 store it in non-volatile storage, and later using it for TLS session
2658 an incoming record is valid, authentic and has not been seen before. This
2660 The feature is enabled at compile-time by MBEDTLS_SSL_RECORD_CHECKING
2663 (https://project-everest.github.io/). It can be enabled at compile time
2664 with MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED. This implementation is formally
2665 verified and significantly faster, but is only supported on x86 platforms
2666 (32-bit and 64-bit) using GCC, Clang or Visual Studio. Contributed by
2674 * Add DER-encoded test CRTs to library/certs.c, allowing
2679 list all curves for which at least one of ECDH or ECDSA is supported, not
2681 mbedtls_ecdh_can_do() on each result to check whether each algorithm is
2683 * The new function mbedtls_ecdsa_sign_det_ext() is similar to
2691 is now deprecated.
2695 lead to successful parsing of ill-formed X.509 CRTs. Fixes #2437.
2696 * Fix multiple X.509 functions previously returning ASN.1 low-level error
2701 * Fix typo in net_would_block(). Fixes #528 reported by github-monoculture.
2722 address-sanitizer and enabling but not using MBEDTLS_ECP_RESTARTABLE.
2725 * Improve code clarity in x509_crt module, removing false-positive
2733 * Replace multiple uses of MD2 by SHA-256 in X.509 test suite. Fixes #821.
2737 * Add a Dockerfile and helper scripts (all-in-docker.sh, basic-in-docker.sh,
2738 docker-env.sh) to simplify running test suites on a Linux host. Contributed
2744 * Adds fuzz targets, especially for continuous fuzzing with OSS-Fuzz.
2750 = mbed TLS 2.18.1 branch released 2019-07-12
2760 = mbed TLS 2.18.0 branch released 2019-06-11
2765 * It is now possible to use NIST key wrap mode via the mbedtls_cipher API.
2767 * Add the Wi-SUN Field Area Network (FAN) device extended key usage.
2769 * It is now possible to perform RSA PKCS v1.5 signatures with RIPEMD-160 digest.
2772 and the used tls-prf.
2773 * Add public API for tls-prf function, according to requested enum.
2778 RFC 5280 section 4.2.1.4. Currently, only the "Any Policy" policy is
2782 * Add support for draft-05 of the Connection ID extension, as specified
2783 in https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05.
2788 changed its IP or port. The feature is enabled at compile-time by setting
2789 MBEDTLS_SSL_DTLS_CONNECTION_ID (disabled by default), and at run-time
2795 and the used tls-prf.
2796 * Add public API for tls-prf function, according to requested enum.
2805 * Fix 1-byte buffer overflow in mbedtls_mpi_write_string() when
2807 OSS-Fuzz.
2823 Credit to OSS-Fuzz.
2826 * Server's RSA certificate in certs.c was SHA-1 signed. In the default
2827 mbedTLS configuration only SHA-2 signed certificates are accepted.
2828 This certificate is used in the demo server programs, which lead the
2831 updated to one that is SHA-256 signed. Fix contributed by
2834 provided SSL context is unset.
2842 = mbed TLS 2.17.0 branch released 2019-03-19
2846 which allows copy-less parsing of DER encoded X.509 CRTs,
2859 for the benefit of saving RAM, by disabling the new compile-time
2867 * Make mbedtls_ecdh_get_params return an error if the second key
2870 interpreted according to the second group, which could lead to either
2876 when MBEDTLS_ECP_ALT is defined. Reported by jwhui. Fixes #2242.
2877 * Run the AD too long test only if MBEDTLS_CCM_ALT is not defined.
2887 * Fix signed-to-unsigned integer conversion warning
2919 * Fix configuration queries in ssl-opt.h. #2030
2920 * Ensure that ssl-opt.h can be run in OS X. #2029
2921 * Re-enable certain interoperability tests in ssl-opt.sh which had previously
2926 = mbed TLS 2.16.0 branch released 2018-12-21
2934 function to see for which parameter values it is defined. This feature is
2944 mbedtls_ctr_drbg_update() -> mbedtls_ctr_drbg_update_ret()
2945 mbedtls_hmac_drbg_update() -> mbedtls_hmac_drbg_update_ret()
2949 the more generic per-module error codes MBEDTLS_ERR_xxx_BAD_INPUT_DATA.
2951 modules - AES, ARIA, Blowfish, CAMELLIA, CCM, GCM, DHM, ECP, ECDSA, ECDH,
2956 changed so that the same level of validation is present in all modules, and
2957 that it is now optional with the MBEDTLS_CHECK_PARAMS flag which by default
2958 is off. That means that checks which were previously present by default
2983 = mbed TLS 2.15.1 branch released 2018-11-30
2988 = mbed TLS 2.15.0 branch released 2018-11-23
2998 * Add unit tests for AES-GCM when called through mbedtls_cipher_auth_xxx()
3001 = mbed TLS 2.14.1 branch released 2018-11-30
3005 decryption that could lead to a Bleichenbacher-style padding oracle
3011 (University of Adelaide, Data61). The attack is described in more detail
3012 in the paper available here: http://cat.eyalro.net/cat.pdf CVE-2018-19608
3030 = mbed TLS 2.14.0 branch released 2018-11-19
3041 space and a PSK-(EC)DHE ciphersuite was used, this allowed an attacker
3046 adversary to construct non-primes that would be erroneously accepted as
3051 pairs or Diffie-Hellman parameters, but was insufficient to validate
3052 Diffie-Hellman parameters properly.
3058 some configurable amount of operations. This is intended to be used in
3059 constrained, single-threaded systems where ECC is time consuming and can
3060 block other operations until they complete. This is disabled by default,
3065 implemented client-side, for ECDHE-ECDSA ciphersuites in TLS 1.2,
3071 * Extend RSASSA-PSS signature to allow a smaller salt size. Previously, PSS
3075 that comply with FIPS 186-4, including SHA-512 with a 1024-bit key.
3076 * Add support for 128-bit keys in CTR_DRBG. Note that using keys shorter
3081 a feature that is not supported by underlying alternative
3082 implementations implementing cryptographic primitives. This is useful for
3087 MBEDTLS_ERR_XXX_FEATURE_UNAVAILABLE that indicate a feature is not
3095 Miller-Rabin rounds.
3105 MBEDTLS_THREADING_C is defined. Found by TrinityTonic, #1095
3108 padded records in case of CBC ciphersuites using Encrypt-then-MAC.
3111 * Ignore IV in mbedtls_cipher_set_iv() when the cipher mode is
3119 wildcards and non-ASCII characters being unusable in some DN attributes.
3121 Thomas-Dee.
3125 Reported by ole-de and ddhome2006. Fixes #882, #1642 and #1706.
3134 IPv6 and optionally by a build option over IPv4.
3136 calls, rather than Win32 API calls directly. This is necessary to avoid
3145 Thomas-Dee.
3147 Fixes #517 reported by github-monoculture.
3150 by FIPS-186-4.
3152 = mbed TLS 2.13.1 branch released 2018-09-06
3156 whose implementation should behave as a thread-safe version of gmtime().
3159 MBEDTLS_PLATFORM_GMTIME_R_ALT. At this stage Mbed TLS is only able to
3163 * Fix build failures on platforms where only gmtime() is available but
3166 = mbed TLS 2.13.0 branch released 2018-08-31
3172 beyond the input buffer is made. Found and analyzed by Nathan Crandall.
3176 is controlled by the maximum fragment length as set locally or negotiated
3177 with the peer, as well as by a new per-connection MTU option, set using
3179 * Add support for auto-adjustment of MTU to a safe value during the
3184 * Add support for buffering out-of-order handshake messages in DTLS.
3186 compile-time constant MBEDTLS_SSL_DTLS_MAX_BUFFERING defined
3200 * Add ecc extensions only if an ecc based ciphersuite is used.
3205 * Fix potential use-after-free in mbedtls_ssl_get_max_frag_len()
3216 (found by Catena cyber using oss-fuzz)
3228 * Add support for buffering of out-of-order handshake messages.
3233 = mbed TLS 2.12.0 branch released 2018-07-25
3236 * Fix a vulnerability in TLS ciphersuites based on CBC and using SHA-384,
3244 or CCM instead of CBC, using hash sizes other than SHA-384, or using
3245 Encrypt-then-Mac (RFC 7366) were not affected. The vulnerability was
3246 caused by a miscalculation (for SHA-384) in a countermeasure to the
3257 instead of CBC or using Encrypt-then-Mac (RFC 7366) were not affected.
3259 * Add a counter-measure against a vulnerability in TLS ciphersuites based
3265 Encrypt-then-Mac (RFC 7366) were not affected. Found by Kenny Paterson,
3269 * Add new crypto primitives from RFC 7539: stream cipher Chacha20, one-time
3270 authenticator Poly1305 and AEAD construct Chacha20-Poly1305. Contributed
3272 * Add support for CHACHA20-POLY1305 ciphersuites from RFC 7905.
3273 * Add platform support for the Haiku OS. (https://www.haiku-os.org).
3278 is no functional difference. Contributed by Angus Gratton, and also
3281 NIST SP 800-38F algorithms KW and KWP and by RFC 3394 and RFC 5649.
3296 * Fix compilation error when MBEDTLS_ARC4_C is disabled and
3297 MBEDTLS_CIPHER_NULL_CIPHER is enabled. Found by TrinityTonic in #1719.
3308 CBC based ciphersuite is used together with Encrypt-then-MAC. Previously,
3313 * Fix ssl_client2 example to send application data with 0-length content
3314 when the request_size argument is set to 0 as stated in the documentation.
3317 deep copy of the session, and the peer certificate is not lost. Fixes #926.
3318 * Fix build using -std=c99. Fixed by Nick Wilson.
3322 zero-length messages when using TLS 1.2. Contributed by Espressif Systems.
3324 when calling with a NULL salt and non-zero salt_len. Contributed by
3328 * Allow overriding the time on Windows via the platform-time abstraction.
3330 * Use gmtime_r/gmtime_s for thread-safety. Fixed by Nick Wilson.
3332 = mbed TLS 2.11.0 branch released 2018-06-18
3337 * Implement the HMAC-based extract-and-expand key derivation function
3340 * Add support for the XTS block cipher mode with AES (AES-XTS).
3344 non-blocking operation of the TLS server stack.
3361 = mbed TLS 2.10.0 branch released 2018-06-06
3371 mbedtls_platform_zeroize(), which is a critical function from a security
3375 Therefore, mbedtls_platform_zeroize() is moved to the platform module to
3380 build to fail. Found by zv-io. Fixes #1651.
3383 * Support TLS testing in out-of-source builds using cmake. Fixes #1193.
3387 = mbed TLS 2.9.0 branch released 2018-04-30
3394 would require a non DER-compliant certificate to be correctly signed by a
3395 trusted CA, or a trusted CA with a non DER-compliant certificate. Found by
3400 where an optional signature algorithms list is expected when the signature
3401 algorithms section is too short. In builds with debug output, the overread
3402 data is output with the debug data.
3403 * Fix a client-side bug in the validation of the server's ciphersuite choice
3423 a check for whether more data is pending to be processed in the
3425 This function is necessary to determine when it is safe to idle on the
3426 underlying transport in case event-driven IO is used.
3432 in configurations that omit certain hashes or public-key algorithms.
3454 in the internal buffers; these cases led to deadlocks when event-driven
3468 * Support cmake builds where Mbed TLS is a subproject. Fix contributed
3471 public-key algorithms. Includes contributions by Gert van Dijk.
3474 configurations where the feature is disabled. Found and fixed by Gergely
3481 MBEDTLS_ASN1_PARSE_C is not enabled. This allows the use of PBKDF2
3491 letter must not be prefixed by '-', such as LLVM. Found and fixed by
3501 HMAC functions with non-HMAC ciphersuites. Independently contributed
3504 FIPS 186-4. Contributed by Jethro Beekman. #1380
3506 of the corresponding module is activated by defining the corresponding
3512 = mbed TLS 2.8.0 branch released 2018-03-16
3542 uses PBKDF2-SHA2, such as OpenSSL 1.1. Submitted by Antonio Quartulli,
3553 * Fix test_suite_pk to work on 64-bit ILP32 systems. #849
3560 is not enabled. Set MBEDTLS_SSL_MIN_MAJOR_VERSION
3563 * Fix compilation error on Mingw32 when _TRUNCATE is defined. Use _TRUNCATE
3579 * Fix a 1-byte heap buffer overflow (read-only) during private key parsing.
3593 = mbed TLS 2.7.0 branch released 2018-02-03
3597 extension. When the truncated HMAC extension is enabled and CBC is used,
3601 both TLS and DTLS. CVE-2018-0488
3602 * Fix a buffer overflow in RSA-PSS verification when the hash was too large
3605 Qualcomm Technologies Inc. CVE-2018-0487
3606 * Fix buffer overflow in RSA-PSS verification when the unmasked data is all
3611 default enabled) maximum fragment length extension is disabled in the
3613 is larger than the internal message buffer (16384 bytes by default), the
3616 was independently reported by Tim Nordell via e-mail and by Florin Petriuc
3627 * Make mbedtls_mpi_read_binary() constant-time with respect to the input
3633 * Fix a potential heap buffer over-read in ALPN extension parsing
3634 (server-side). Could result in application crash, but only if an ALPN
3637 to RFC 3526 containing parameters generated in a nothing-up-my-sleeve
3644 * New unit tests for timing. Improve the self-test to be more robust
3645 when run on a heavily-loaded machine.
3667 * Extend RSA interface by multiple functions allowing structure-
3680 mbedtls_<MODULE>_starts() -> mbedtls_<MODULE>_starts_ret()
3681 mbedtls_<MODULE>_update() -> mbedtls_<MODULE>_update_ret()
3682 mbedtls_<MODULE>_finish() -> mbedtls_<MODULE>_finish_ret()
3683 mbedtls_<MODULE>_process() -> mbedtls_internal_<MODULE>_process()
3686 * Deprecate usage of RSA primitives with non-matching key-type
3688 * Direct manipulation of structure fields of RSA contexts is deprecated.
3692 mbedtls_<MODULE>_finish and mbedtls_<MODULE>_process where <MODULE> is
3711 renegotiated handshakes would only accept signatures using SHA-1
3712 regardless of the peer's preferences, or fail if SHA-1 was disabled.
3716 * Fix some invalid RSA-PSS signatures with keys of size 8N+1 that were
3718 * Fix out-of-memory problem when parsing 4096-bit PKCS8-encrypted RSA keys.
3731 * Correct extraction of signature-type from PK instance in X.509 CRT and CSR
3735 non-v3 CRT's.
3740 MBEDTLS_SSL_RENEGOTIATION is disabled. Found by erja-gp.
3745 * Add size-checks for record and handshake message content, securing
3746 fragile yet non-exploitable code-paths.
3762 Note, this padding mode is not used by the TLS protocol. Found and fixed by
3767 mbedtls_sha512_init() is called before operating on the relevant context
3768 structure. Do not assume that zeroizing a context is a correct way to
3782 * Only run AES-192 self-test if AES-192 is available. Fixes #963.
3793 * Add explicit warnings for the use of MD2, MD4, MD5, SHA-1, DES and ARC4
3796 = mbed TLS 2.6.0 branch released 2017-08-10
3799 * Fix authentication bypass in SSL/TLS: when authmode is set to optional,
3812 platform-specific setup and teardown operations. The macro
3824 * Certificate verification functions now set flags to -1 in case the full
3827 * With authmode set to optional, the TLS handshake is now aborted if the
3832 * Add a check if iv_len is zero in GCM, and return an error if it is zero.
3841 * Fix conditional preprocessor directives in bignum.h to enable 64-bit
3845 to bypass the version verification check. Found by Peng Li/Yueh-Hsun Lin,
3849 to bypass the version verification check. Found by Peng Li/Yueh-Hsun Lin,
3861 64-bit division. This is useful on embedded platforms where 64-bit division
3867 config-no-entropy.h to reduce the RAM footprint.
3872 = mbed TLS 2.5.1 released 2017-06-21
3875 * Fixed unlimited overread of heap-based buffer in mbedtls_ssl_read().
3876 The issue could only happen client-side with renegotiation enabled.
3880 * Removed SHA-1 and RIPEMD-160 from the default hash algorithms for
3881 certificate verification. SHA-1 can be turned back on with a compile-time
3886 potential Bleichenbacher/BERserk-style attack.
3891 and with GCC using the -Wpedantic compilation option.
3892 * Fix insufficient support for signature-hash-algorithm extension,
3908 * Fix incorrect sign computation in modular exponentiation when the base is
3919 by Jean-Philippe Aumasson.
3921 = mbed TLS 2.5.0 branch released 2017-05-17
3928 against side-channel attacks like the cache attack described in
3940 behaviour has not changed, namely every configured CAs name is included.
3947 mbedtls_aes_decrypt() -> mbedtls_internal_aes_decrypt()
3948 mbedtls_aes_encrypt() -> mbedtls_internal_aes_encrypt()
3951 * Remove macros from compat-1.3.h that correspond to deleted items from most
3955 * Add checks in the PK module for the RSA functions on 64-bit systems.
3960 = mbed TLS 2.4.2 branch released 2017-03-08
3964 using RSA through the PK module in 64-bit systems. The issue was caused by
3967 mbedtls_pk_sign(). Found by Jean-Philippe Aumasson.
3981 team. #569 CVE-2017-2784
3990 mbedtls_ssl_set_bio_timeout in compat-1.3.h, by removing it.
3991 Found by omlib-lin. #673
3998 renegotiation routines at unexpected times when the protocol is DTLS. Found
4012 Li/Yueh-Hsun Lin, KNOX Security, Samsung Research America.
4023 number to write in hexadecimal is negative and requires an odd number of
4028 = mbed TLS 2.4.1 branch released 2016-12-13
4031 * Update to CMAC test data, taken from - NIST Special Publication 800-38B -
4035 = mbed TLS 2.4.0 branch released 2016-10-17
4039 with RFC-5116 and could lead to session key recovery in very long TLS
4040 sessions. "Nonce-Disrespecting Adversaries Practical Forgery Attacks on GCM in
4041 TLS" - H. Bock, A. Zauner, S. Devlin, J. Somorovsky, P. Jovanovic.
4044 mbedtls_x509write_csr_der() when the signature is copied to the buffer
4045 without checking whether there is enough space in the destination. The
4049 * Added support for CMAC for AES and 3DES and AES-CMAC-PRF-128, as defined by
4050 NIST SP 800-38B, RFC-4493 and RFC-4615.
4052 is functioning correctly.
4054 scripts, which is also now called by all.sh.
4058 * Added a configuration file config-no-entropy.h that configures the subset of
4070 when GCM is used. Found by udf2457. #441
4071 * Fix for key exchanges based on ECDH-RSA or ECDH-ECDSA which weren't
4073 * Fix for out-of-tree builds using CMake. Found by jwurzer, and fix based on
4082 builds where the configuration MBEDTLS_PEM_WRITE_C is not defined. Found
4086 subramanyam-c. #622
4093 Found by subramanyam-c. #626
4101 * Removed self-tests from the basic-built-test.sh script, and added all
4102 missing self-tests to the test suites, to ensure self-tests are only
4105 * Added support for a Yotta specific configuration file -
4111 net.c. For consistency, the corresponding header file, net.h, is marked as
4116 = mbed TLS 2.3.0 branch released 2016-06-28
4125 mbedtls_rsa_rsaes_oaep_decrypt. It is not triggerable remotely in
4134 arguments were the same (in-place doubling). Found and fixed by Janos
4153 * Fix test in ssl-opt.sh that does not run properly with valgrind
4157 * On ARM platforms, when compiling with -O0 with GCC, Clang or armcc5,
4159 the need to pass -fomit-frame-pointer to avoid a build error with -O0.
4163 * Fix non-compliance server extension handling. Extensions for SSLv3 are now
4166 = mbed TLS 2.2.1 released 2016-01-05
4178 * Fix over-restrictive length limit in GCM. Found by Andreas-N. #362
4186 datagram if a single record in a datagram is unexpected, instead only
4190 = mbed TLS 2.2.0 released 2015-11-04
4193 * Fix potential double free if mbedtls_ssl_conf_psk() is called more than
4197 mbedtls_x509_crt_parse_path() is passed a path longer than 2GB. Cannot be
4208 * Experimental support for EC J-PAKE as defined in Thread 1.0.0.
4211 block. (Potential uses include EAP-TLS and Thread.)
4214 * Self-signed certificates were not excluded from pathlen counting,
4217 * Fix build error with configurations where ECDHE-PSK is the only key
4219 * Fix build error with configurations where RSA, RSA-PSK, ECDH-RSA or
4220 ECDH-ECDSA is the only key exchange. Multiple reports. #310
4221 * Fixed a bug causing some handshakes to fail due to some non-fatal alerts
4222 not being properly ignored. Found by mancha and Kasom Koht-arsa, #308
4225 minimum key size for end-entity certificates with RSA keys. Found by
4235 * Improved performance of mbedtls_ecp_muladd() when one of the scalars is 1
4236 or -1.
4238 = mbed TLS 2.1.2 released 2015-10-06
4241 * Added fix for CVE-2015-5291 to prevent heap corruption due to buffer
4244 * Fix potential double-free if mbedtls_ssl_set_hs_psk() is called more than
4249 mbedtls_pk_parse_key(file)() when the password is > 129 bytes.
4261 buffer is 512MB or larger on 32-bit platforms. Found by Guido Vranken,
4263 * Fix potential double-free if mbedtls_conf_psk() is called repeatedly on
4282 = mbed TLS 2.1.1 released 2015-09-17
4285 * Add countermeasure against Lenstra's RSA-CRT attack for PKCS#1 v1.5
4287 https://securityblog.redhat.com/2015/09/02/factoring-rsa-keys-with-tls-perfect-forward-secrecy/
4288 * Fix possible client-side NULL pointer dereference (read) when the client
4291 afl-fuzz.)
4295 * Fix off-by-one error in parsing Supported Point Format extension that
4302 connection, if cookie verification is available
4306 MBEDTLS_ERR_SSL_CLIENT_RECONNECT - it is then possible to start a new
4309 = mbed TLS 2.1.0 released 2015-09-04
4317 * Fix build error with CMake and pre-4.5 versions of GCC (found by Hugo
4325 * Fix compile error with armcc 5 with --gnu option.
4330 * Fix missing -static-libgcc when building shared libraries for Windows
4339 * Fix -Wshadow warnings (found by hnrkp) (#240)
4341 SSL_MAX_CONTENT_LEN or higher - not triggerable remotely (found by
4349 * It is now possible to #include a user-provided configuration file at the
4352 * When verifying a certificate chain, if an intermediate certificate is
4353 trusted, no later cert is checked. (suggested by hannes-landeholm)
4360 = mbed TLS 2.0.0 released 2015-07-13
4367 * New server-side implementation of session tickets that rotate keys to
4373 * Introduced a concept of presets for SSL security-relevant configuration
4381 Migration helpers scripts/rename.pl and include/mbedtls/compat-1.3.h are
4382 provided. Full list of renamings in scripts/data_files/rename-1.3-2.0.txt
4384 mbedtls_cipher_info_t.key_length -> key_bitlen
4385 mbedtls_cipher_context_t.key_length -> key_bitlen
4386 mbedtls_ecp_curve_info.size -> bit_size
4391 mbedtls_ssl_init() -> mbedtls_ssl_setup()
4392 mbedtls_ccm_init() -> mbedtls_ccm_setkey()
4393 mbedtls_gcm_init() -> mbedtls_gcm_setkey()
4394 mbedtls_hmac_drbg_init() -> mbedtls_hmac_drbg_seed(_buf)()
4395 mbedtls_ctr_drbg_init() -> mbedtls_ctr_drbg_seed()
4401 (see rename.pl and compat-1.3.h above) and their first argument's type
4404 additional callback for read-with-timeout).
4423 mbedtls_x509_crt_verify() (flags, f_vrfy -> needs to be updated)
4424 mbedtls_ssl_conf_verify() (f_vrfy -> needs to be updated)
4425 * The following functions changed prototype to avoid an in-out length
4441 * test_ca_list (from certs.h) is renamed to test_cas_pem and is only
4442 available if POLARSSL_PEM_PARSE_C is defined (it never worked without).
4443 * Test certificates in certs.c are no longer guaranteed to be nul-terminated
4449 * calloc() is now used instead of malloc() everywhere. API of platform
4458 Their 'port' argument type is changed to a string.
4472 * Removed compat-1.2.h (helper for migrating from 1.2 to 1.3).
4476 been removed (compiler is required to support 32-bit operations).
4479 * Removed test program ssl_test, superseded by ssl-opt.sh.
4480 * Removed helper script active-config.pl
4483 * md_init_ctx() is deprecated in favour of md_setup(), that adds a third
4484 argument (allowing memory savings if HMAC is not used)
4486 Semi-API changes (technically public, morally private)
4498 * The default minimum TLS version is now TLS 1.0.
4499 * RC4 is now blacklisted by default in the SSL/TLS layer, and excluded from the
4501 * Support for receiving SSLv2 ClientHello is now disabled by default at
4503 * The default authmode for SSL/TLS clients is now REQUIRED.
4504 * Support for RSA_ALT contexts in the PK layer is now optional. Since it is
4505 enabled in the default configuration, this is only noticeable if using a
4507 * Default DHM parameters server-side upgraded from 1024 to 2048 bits.
4508 * A minimum RSA key size of 2048 bits is now enforced during certificate
4510 * Negotiation of truncated HMAC is now disabled by default on server too.
4511 * The following functions are now case-sensitive:
4519 * The minimum MSVC version required is now 2010 (better C99 support).
4521 * Compiler is required to support C99 types such as long long and uint32_t.
4530 * DTLS no longer hard-depends on TIMING_C, but uses a callback interface
4534 * With UDP sockets, it is no longer necessary to call net_bind() again
4539 thread-safe if MBEDTLS_THREADING_C is enabled.
4540 * Reduced ROM footprint of SHA-256 and added an option to reduce it even
4549 * Add countermeasure against "Lucky 13 strikes back" cache-based attack,
4559 * Add support for id-at-uniqueIdentifier in X.509 names.
4565 cross-compilation easier (thanks to Alon Bar-Lev).
4566 * The benchmark program also prints heap usage for public-key primitives
4568 * New script ecc-heap.sh helps measuring the impact of ECC parameters on
4571 reduced configurations (PSK-CCM and NSA suite B).
4580 * Fix bug in entropy.c when THREADING_C is also enabled that caused
4584 * Fix bug in ssl_mail_client when password is longer than username (found
4588 * mpi_size() and mpi_msb() would segfault when called on an mpi that is
4594 ssl_write() is called before the handshake is finished (introduced in
4603 * Fix potential unintended sign extension in asn1_get_len() on 64-bit
4610 * Add missing dependency on SHA-256 in some x509 programs (reported by
4620 * Enabling POLARSSL_NET_C without POLARSSL_HAVE_IPV6 is deprecated.
4621 * compat-1.2.h and openssl.h are deprecated.
4622 * Adjusting/overriding CFLAGS and LDFLAGS with the make build system is now
4623 more flexible (warning: OFLAGS is not used any more) (see the README)
4624 (contributed by Alon Bar-Lev).
4627 * Move from SHA-1 to SHA-256 in example programs using signatures
4630 "minimize" others (eg use stddef.h if only size_t is needed).
4635 = mbed TLS 1.3.10 released 2015-02-09
4637 * NULL pointer dereference in the buffer-based allocator when the buffer is
4638 full and polarssl_free() is called (found by Mark Hasemeyer)
4639 (only possible if POLARSSL_MEMORY_BUFFER_ALLOC_C is enabled, which it is
4641 * Fix remotely-triggerable uninitialised pointer dereference caused by
4642 crafted X.509 certificate (TLS server is not affected if it doesn't ask for a
4644 * Fix remotely-triggerable memory leak caused by crafted X.509 certificates
4645 (TLS server is not affected if it doesn't ask for a client certificate)
4648 (TLS server is not affected if it doesn't ask for a client certificate)
4651 Bleichenbacher-style attack in the RSA and RSA-PSK key exchanges
4655 * Add support for FALLBACK_SCSV (draft-ietf-tls-downgrade-scsv).
4656 * Add support for Extended Master Secret (draft-ietf-tls-session-hash).
4657 * Add support for Encrypt-then-MAC (RFC 7366).
4660 * Add compile-time option POLARSSL_X509_MAX_INTERMEDIATE_CA to limit the
4662 * Support for renegotiation can now be disabled at compile-time
4663 * Support for 1/n-1 record splitting, a countermeasure against BEAST.
4664 * Certificate selection based on signature hash, preferring SHA-1 over SHA-2
4665 for pre-1.2 clients when multiple certificates are available.
4674 * Stack buffer overflow if ctr_drbg_update() is called with too large
4675 add_len (found by Jean-Philippe Aumasson) (not triggerable remotely).
4682 * Fix potential failure in ECDSA signatures when POLARSSL_ECP_MAX_BITS is a
4691 issue with some servers when a zero-length extension was sent. (Reported
4693 * On a 0-length input, base64_encode() did not correctly set output length
4699 * Blind RSA private operations even when POLARSSL_RSA_NO_CRT is defined.
4700 * ssl_set_own_cert() now returns an error on key-certificate mismatch.
4703 * A specific error is now returned when there are ciphersuites in common
4704 but none of them is usable due to external factors such as no certificate
4706 * It is now possible to disable negotiation of truncated HMAC server-side
4712 = PolarSSL 1.3.9 released 2014-10-20
4716 * Remotely-triggerable memory leak when parsing some X.509 certificates
4717 (server is not affected if it doesn't ask for a client certificate)
4719 * Remotely-triggerable memory leak when parsing crafted ClientHello
4726 * Fix net_accept() regarding non-blocking sockets (found by Luca Pesce).
4728 * Fix warnings from Clang's scan-build (contributed by Alfred Klomp).
4731 * Remove non-existent file from VS projects (found by Peter Vaskovic).
4732 * ssl_read() could return non-application data records on server while
4734 * Server-initiated renegotiation would fail with non-blocking I/O if the
4737 with non-blocking I/O.
4745 * Ciphersuites using SHA-256 or SHA-384 now require TLS 1.x (there is no
4746 standard defining how to use SHA-2 with SSL 3.0).
4747 * Ciphersuites using RSA-PSK key exchange now require TLS 1.x (the spec is
4750 RSA is disabled, larger if POLARSSL_MPI_MAX_SIZE is larger.
4759 = PolarSSL 1.3.8 released 2014-07-11
4768 * Support for parsing and verifying RSASSA-PSS signatures in the X.509
4775 * Add server-side enforcement of sent renegotiation requests
4778 ciphersuites to use and save some memory if the list is small.
4781 * Add LINK_WITH_PTHREAD option in CMake for explicit linking that is
4793 * Enforce alignment in the buffer allocator even if buffer is not aligned
4794 * Remove less-than-zero checks on unsigned numbers
4806 rejected with CBC-based ciphersuites and TLS >= 1.1
4808 to 32 bytes with CBC-based ciphersuites and TLS >= 1.1
4811 * Restore ability to locally trust a self-signed cert that is not a proper
4817 * Fix off-by-one error in parsing Supported Point Format extension that
4819 * Fix possible miscomputation of the premaster secret with DHE-PSK key
4828 = PolarSSL 1.3.7 released on 2014-05-02
4832 * version_check_feature() added to check for compile-time options at
4833 run-time
4840 * AES-NI now compiles with "old" assemblers too
4856 big-endian platform when size was not an integer number of limbs
4863 = PolarSSL 1.3.6 released on 2014-04-11
4875 * pk_verify() now returns a specific error code when the signature is valid
4884 This affects certificates in the user-supplied chain except the top
4885 certificate. If the user-supplied chain contains only one certificate,
4886 it is not affected (ie, its notAfter date is properly checked).
4900 * Fix compile errors when POLARSSL_ERROR_STRERROR_BC is undefined (found by
4904 * dhm_parse_dhm() (hence dhm_parse_dhmfile()) did not set dhm->len.
4905 * Calling pk_debug() on an RSA-alt key would segfault.
4906 * pk_get_size() and pk_get_len() were off by a factor 8 for RSA-alt keys.
4912 = PolarSSL 1.3.5 released on 2014-03-26
4914 * HMAC-DRBG as a separate module
4918 * Ability to force the entropy module to use SHA-256 as its basis
4920 * Testing script ssl-opt.sh added for testing 'live' ssl option
4928 now thread-safe if POLARSSL_THREADING_C defined
4939 "triple handshake" attack when authentication mode is 'optional' (the
4940 attack was already impossible when authentication is required).
4944 * Possible remotely-triggered out-of-bounds memory access fixed (found by
4951 * Fixed testing with out-of-source builds using cmake
4952 * Fixed version-major intolerance in server
4953 * Fixed CMake symlinking on out-of-source builds
4956 * Bignum's MIPS-32 assembly was used on MIPS-64, causing chaos. (Found by
4960 * Fixed bug with session tickets and non-blocking I/O in the unlikely case
4973 = PolarSSL 1.3.4 released on 2014-01-27
4976 * Support for RIPEMD-160
4992 = PolarSSL 1.3.3 released on 2013-12-31
4998 * Support for ECDH-RSA and ECDH-ECDSA key exchanges and ciphersuites
5000 * AES-NI support for AES, AES-GCM and AES key scheduling
5001 * SSL Pthread-based server example added (ssl_pthread_server)
5008 * More constant-time checks in the RSA module
5015 * Fixed bug in mpi_set_bit() on platforms where t_uint is wider than int
5016 * Fixed X.509 hostname comparison (with non-regular characters)
5029 * Possible remotely-triggered out-of-bounds memory access fixed (found by
5032 = PolarSSL 1.3.2 released on 2013-11-04
5036 * Support for Camellia-GCM mode and ciphersuites
5039 * Padding checks in cipher layer are now constant-time
5040 * Value comparisons in SSL layer are now constant-time
5053 * Server-side initiated renegotiations send HelloRequest
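The two 1.3.2 entries above (constant-time padding checks in the cipher layer, constant-time value comparisons in the SSL layer) describe the same technique: make the work done independent of secret data. The block below is an added illustration and is not PolarSSL/Mbed TLS code; the helper names (ct_lt_mask, ct_nonzero_mask, ct_memeq, ct_check_tls_padding) and the TLS 1.x CBC padding layout they assume (last byte p, preceded by p bytes equal to p) are mine. The padding check always scans min(len, 256) bytes, so its running time depends only on the public record length, not on p or on where a bad byte sits.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* All-ones if a < b, else 0. Branch-free; valid for a, b < 2^31, because
 * a - b wraps to a value with bit 31 set exactly when a < b. */
static uint32_t ct_lt_mask(uint32_t a, uint32_t b) {
    return 0u - ((a - b) >> 31);
}

/* All-ones if x != 0, else 0. Branch-free; valid for x < 2^31. */
static uint32_t ct_nonzero_mask(uint32_t x) {
    return 0u - ((x | (0u - x)) >> 31);
}

/* Constant-time equality over a public length: no early exit on the first
 * differing byte. Returns 0 if equal, non-zero otherwise. */
int ct_memeq(const uint8_t *a, const uint8_t *b, size_t len) {
    uint8_t diff = 0;
    for (size_t i = 0; i < len; i++) {
        diff |= (uint8_t)(a[i] ^ b[i]);
    }
    return diff != 0;
}

/* TLS 1.x CBC padding check (hypothetical helper): the last byte holds p and
 * the p bytes before it must all equal p. Always touches min(len, 256) bytes.
 * Returns 1 if the padding is well-formed, 0 otherwise; *padlen receives
 * p + 1 (the bytes to strip) and is only meaningful on success. */
int ct_check_tls_padding(const uint8_t *buf, size_t len, size_t *padlen) {
    if (len == 0) return 0;                       /* len is public */
    uint32_t p = buf[len - 1];                    /* secret */
    uint32_t n = (uint32_t)len;
    uint32_t bad = ct_lt_mask(n, p + 1);          /* record shorter than p + 1 */
    uint32_t scan = n < 256 ? n : 256;            /* depends on public len only */
    for (uint32_t i = 0; i < scan; i++) {
        uint32_t in_pad = ~ct_lt_mask(p, i);      /* all-ones if i <= p */
        uint32_t b = buf[len - 1 - i];
        bad |= in_pad & ct_nonzero_mask(b ^ p);   /* a padding byte != p */
    }
    *padlen = (size_t)p + 1;
    return bad == 0;
}

int main(void) {
    /* Constructed sample records: "abc" followed by valid and invalid padding. */
    const uint8_t good[] = { 'a', 'b', 'c', 0x02, 0x02, 0x02 };
    const uint8_t bad[]  = { 'a', 'b', 'c', 0x02, 0x03, 0x02 };
    size_t pl = 0;
    printf("good: valid=%d padlen=%zu\n", ct_check_tls_padding(good, sizeof good, &pl), pl);
    printf("bad:  valid=%d\n", ct_check_tls_padding(bad, sizeof bad, &pl));
    return 0;
}
```

The mask helpers are the usual building blocks for this style of code; a compiler is free to turn `bad == 0` into a branch, which is acceptable here because the boolean result is what the caller acts on, but the loop body must stay branch-free, and it is worth checking the generated assembly for the target after enabling optimisation.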
5055 = PolarSSL 1.3.1 released on 2013-10-15
5058 * Support for ECDHE-PSK key-exchange and ciphersuites
5059 * Support for RSA-PSK key-exchange and ciphersuites
5065 * config.h is more script-friendly
5077 = PolarSSL 1.3.0 released on 2013-10-01
5082 (ECDHE-based ciphersuites)
5084 (ECDSA-based ciphersuites)
5086 * PSK and DHE-PSK based ciphersuites added
5088 * Buffer-based memory allocator added (no malloc() / free() / HEAP usage)
5095 * Support for zeros-and-length (ANSI X.923) padding, one-and-zeros
5096 (ISO/IEC 7816-4) padding and zero padding in the cipher layer
5109 * Introduced separate SSL Ciphersuites module that is based on
5111 * Internals for SSL module adapted to have separate IV pointer that is
5125 * Also compiles / runs without time-based functions (!POLARSSL_HAVE_TIME)
5137 (found by Cyril Arnaud and Pierre-Alain Fouque)
5140 = Version 1.2.14 released 2015-05-??
5146 client to crash the server remotely if client authentication is enabled
5148 * Add countermeasure against "Lucky 13 strikes back" cache-based attack,
5156 * Fix potential unintended sign extension in asn1_get_len() on 64-bit
5159 = Version 1.2.13 released 2015-02-16
5164 * Fix remotely-triggerable uninitialised pointer dereference caused by
5165 crafted X.509 certificate (TLS server is not affected if it doesn't ask
5167 * Fix remotely-triggerable memory leak caused by crafted X.509 certificates
5168 (TLS server is not affected if it doesn't ask for a client certificate)
5171 (TLS server is not affected if it doesn't ask for a client certificate)
5174 (TLS server is not affected if it doesn't ask for a client certificate).
5179 * Stack buffer overflow if ctr_drbg_update() is called with too large
5180 add_len (found by Jean-Philippe Aumasson) (not triggerable remotely).
5190 issue with some servers when a zero-length extension was sent. (Reported
5192 * On a 0-length input, base64_encode() did not correctly set output length
5196 * Blind RSA private operations even when POLARSSL_RSA_NO_CRT is defined.
5198 * Add compile-time option POLARSSL_X509_MAX_INTERMEDIATE_CA to limit the
5200 = Version 1.2.12 released 2014-10-24
5203 * Remotely-triggerable memory leak when parsing some X.509 certificates
5204 (server is not affected if it doesn't ask for a client certificate).
5211 with non-blocking I/O.
5215 * Fix net_accept() regarding non-blocking sockets (found by Luca Pesce).
5216 * ssl_read() could return non-application data records on server while
5218 * Fix warnings from Clang's scan-build (contributed by Alfred Klomp).
5227 = Version 1.2.11 released 2014-07-11
5244 "triple handshake" attack when authentication mode is optional (the
5245 attack was already impossible when authentication is required).
5255 * Fixed X.509 hostname comparison (with non-regular characters)
5268 * Fixed testing with out-of-source builds using cmake
5269 * Fixed version-major intolerance in server
5270 * Fixed CMake symlinking on out-of-source builds
5271 * Bignum's MIPS-32 assembly was used on MIPS-64, causing chaos. (Found by
5286 big-endian platform when size was not an integer number of limbs
5297 = Version 1.2.10 released 2013-10-07
5299 * Changed RSA blinding to a slower but thread-safe version
5306 = Version 1.2.9 released 2013-10-01
5319 (found by Cyril Arnaud and Pierre-Alain Fouque)
5321 = Version 1.2.8 released 2013-06-19
5325 * Centralized module option values in config.h to allow user-defined
5348 * x509parse_crtpath() is now reentrant and uses more portable stat()
5350 * Fixed values for 2-key Triple DES in cipher layer
5355 PEM-encoded certificates has been fixed (found by Jack Lloyd)
5357 = Version 1.2.7 released 2013-04-13
5362 * Default Blowfish keysize is now 128 bits
5369 = Version 1.2.6 released 2013-03-11
5372 * Corrected GCM counter incrementation to use only 32 bits instead of
5373 128 bits (found by Yawning Angel)
5374 * Fixes for 64-bit compilation with MS Visual Studio
5384 * Re-added handling for SSLv2 Client Hello when the define
5385 POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO is set
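The 1.2.6 GCM fix above is about the inc32 function of NIST SP 800-38D: only the low 32 bits of the 128-bit counter block are incremented, and the carry must not propagate into the upper 96 bits. The block below is an added illustration, not the library's own implementation; the function names are mine, and gcm_inc128_wrong reproduces the pre-1.2.6 behaviour only for comparison. It shows that the two incrementers agree until the low word wraps, after which every counter block (and so every keystream block) differs from what a conformant peer computes.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* inc32 from SP 800-38D: add one to the low 32 bits of the counter block
 * (big-endian), leaving the upper 96 bits untouched. */
void gcm_inc32(uint8_t ctr[16]) {
    for (int i = 15; i >= 12; i--) {
        if (++ctr[i] != 0) break;
    }
}

/* The pre-1.2.6 behaviour, kept for comparison: the carry propagates through
 * all 128 bits, so after a wrap of the low word the counter blocks, and hence
 * the keystream, no longer match a conformant implementation. */
void gcm_inc128_wrong(uint8_t ctr[16]) {
    for (int i = 15; i >= 0; i--) {
        if (++ctr[i] != 0) break;
    }
}

/* Walk nblocks counter blocks from ctr0 with both incrementers and return the
 * index of the first block where they differ, or -1 if none does. */
int gcm_first_divergence(const uint8_t ctr0[16], int nblocks) {
    uint8_t a[16], b[16];
    memcpy(a, ctr0, 16);
    memcpy(b, ctr0, 16);
    for (int i = 0; i < nblocks; i++) {
        if (memcmp(a, b, 16) != 0) return i;
        gcm_inc32(a);
        gcm_inc128_wrong(b);
    }
    return -1;
}

int main(void) {
    /* Constructed counter block whose low word is two steps from wrapping. */
    const uint8_t near_wrap[16] = {
        0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
        0x09, 0x0A, 0x0B, 0x0C, 0xFF, 0xFF, 0xFF, 0xFE
    };
    printf("first differing block: %d\n", gcm_first_divergence(near_wrap, 8));
    return 0;
}
```

With a 96-bit IV the counter block starts as IV || 0x00000001 and the low word would need more blocks to wrap than GCM permits per key/IV pair (2^32 - 2), so in practice the old behaviour only bit IVs of other lengths, where the initial block is GHASH(IV) and its low word is effectively random.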
5396 = Version 1.2.5 released 2013-02-02
5398 * Allow enabling of dummy error_strerror() to support some use-cases
5401 * Sending of security-relevant alert messages that do not break
5409 = Version 1.2.4 released 2013-01-25
5421 = Version 1.2.3 released 2012-11-26
5425 = Version 1.2.2 released 2012-11-24
5429 * During verify trust-CA is only checked for expiration and CRL presence
5435 = Version 1.2.1 released 2012-11-20
5437 * Depth that the certificate verify callback receives is now numbered
5438 bottom-up (Peer cert depth is 0)
5444 Pégourié-Gonnard)
5446 Pégourié-Gonnard)
5449 = Version 1.2.0 released 2012-10-31
5455 * Added support for multi-domain certificates through the X509 Subject
5482 * Fixed const-correctness mpi_get_bit()
5486 to not match CN if subjectAltName extension is present (Closes ticket #56)
5487 * Cipher layer cipher_mode_t POLARSSL_MODE_CFB128 is renamed to
5517 = Version 1.1.8 released on 2013-10-01
5523 * Potential buffer-overflow for ssl_read_record() (independently found by
5528 = Version 1.1.7 released on 2013-06-19
5537 * Fixed values for 2-key Triple DES in cipher layer
5542 PEM-encoded certificates has been fixed (found by Jack Lloyd)
5544 = Version 1.1.6 released on 2013-03-11
5549 * Allow enabling of dummy error_strerror() to support some use-cases
5560 = Version 1.1.5 released on 2013-01-16
5571 Pégourié-Gonnard)
5573 Pégourié-Gonnard)
5584 = Version 1.1.4 released on 2012-05-31
5590 = Version 1.1.3 released on 2012-04-29
5594 = Version 1.1.2 released on 2012-04-26
5601 Frama-C team at CEA LIST)
5605 = Version 1.1.1 released on 2012-01-23
5609 * Fixed issues with Intel compiler on 64-bit systems (Closes ticket #50)
5613 = Version 1.1.0 released on 2011-12-22
5615 * Added ssl_session_reset() to allow better multi-connection pools of
5616 SSL contexts without needing to set all non-connection-specific
5623 * Added CTR_DRBG based on AES-256-CTR (NIST SP 800-90) random generator
5632 * Increased maximum size of ASN1 length reads to 32-bits.
5636 So now there is a module that is controlled with POLARSSL_ASN1_PARSE_C.
5637 * Changed the defined key-length of DES ciphers in cipher.h to include the
5642 trade-off
5651 encountering a parse-error. Beware that the meaning of return values has
5656 * Fixed faulty HMAC-MD2 implementation. Found by dibac. (Closes
5662 * Fixed incorrect behaviour in case of RSASSA-PSS with a salt length
5664 * If certificate serial is longer than 32 octets, serial number is now
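Two recurring entries concern the same few bytes of DER: the 1.1.0 note that ASN.1 length reads were widened to 32 bits, and the later 1.2.14 / 1.3.x fix for an unintended sign extension in asn1_get_len() on 64-bit platforms. The block below is an added example of a length parser with those properties; it is not the library's asn1_get_len(), and the names der_get_len, top_octet_signed and top_octet_unsigned are mine. It rejects the indefinite form, refuses long-form lengths wider than four octets, widens every octet explicitly before shifting, and bounds the result by the bytes actually present so the caller can index by *len without a second check.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define DER_ERR_OUT_OF_DATA    (-1)
#define DER_ERR_INVALID_LENGTH (-2)

/* Read a DER length field at *p (the byte after the tag). On success advance
 * *p past the length octets, store the content length in *len, return 0. */
int der_get_len(const uint8_t **p, const uint8_t *end, size_t *len) {
    if (*p >= end) return DER_ERR_OUT_OF_DATA;
    uint8_t first = **p;
    (*p)++;
    if ((first & 0x80) == 0) {
        *len = first;                          /* short form: 0..127 */
    } else {
        unsigned n = first & 0x7F;             /* number of length octets */
        if (n == 0 || n > 4) return DER_ERR_INVALID_LENGTH;   /* indefinite, or > 32 bits */
        if ((size_t)(end - *p) < n) return DER_ERR_OUT_OF_DATA;
        uint32_t v = 0;
        for (unsigned i = 0; i < n; i++) {
            /* Widen each octet to uint32_t before shifting: an int-typed
             * shift of 0x80..0xFF by 24 goes negative and would sign-extend
             * when stored into a 64-bit size_t. */
            v = (v << 8) | (uint32_t)(*p)[i];
        }
        *p += n;
        *len = v;
    }
    if (*len > (size_t)(end - *p)) return DER_ERR_OUT_OF_DATA;
    return 0;
}

/* The two ways of placing the top octet, side by side. top_octet_signed
 * mirrors the sign-extension bug: the shifted value lands in a 32-bit int,
 * which is negative for octets >= 0x80, and converting that to a 64-bit
 * size_t fills the upper 32 bits with ones. (The unsigned shift followed by
 * a conversion to int keeps this implementation-defined rather than
 * undefined behaviour.) */
size_t top_octet_signed(uint8_t octet) {
    int shifted = (int)((uint32_t)octet << 24);
    return (size_t)shifted;
}

size_t top_octet_unsigned(uint8_t octet) {
    return (size_t)((uint32_t)octet << 24);
}

int main(void) {
    /* Constructed input: long-form length 0x82 0x01 0x00 followed by 256 bytes. */
    static const uint8_t buf[3 + 256] = { 0x82, 0x01, 0x00 };
    const uint8_t *p = buf;
    size_t len = 0;
    int rc = der_get_len(&p, buf + sizeof buf, &len);
    printf("rc=%d len=%zu\n", rc, len);
    printf("top octet 0x80: signed=%#zx unsigned=%#zx\n",
           top_octet_signed(0x80), top_octet_unsigned(0x80));
    return 0;
}
```

Note that this parser does not enforce DER's minimal-length rule (for example 0x81 0x05 for a length that fits the short form); a strict DER validator would reject that too.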
5671 = Version 1.0.0 released on 2011-07-27
5684 = Version 0.99-pre5 released on 2011-05-26
5705 is now done with a PLUS instead of an OR as error codes
5711 ssl_read() returns 0 if a POLARSSL_ERR_SSL_CONN_EOF is received
5717 = Version 0.99-pre4 released on 2011-04-01
5720 for the RSAES-OAEP and RSASSA-PSS operations.
5735 platform (32-bit / 64-bit) (Fixes ticket #19, found by Mads
5739 * Fixed proper handling of RSASSA-PSS verification with variable
5742 = Version 0.99-pre3 released on 2011-02-28
5743 This release replaces version 0.99-pre2 which had possible copyright issues.
5768 * Fixed a possible Man-in-the-Middle attack on the
5772 = Version 0.99-pre1 released on 2011-01-30
5774 Note: Most of these features have been donated by Fox-IT
5791 libpkcs11-helper library
5799 with the generic cipher layer and is better naming
5802 = Version 0.14.0 released on 2010-08-16
5806 * Added compile-time and run-time version information
5826 = Version 0.13.1 released on 2010-03-24
5831 = Version 0.13.0 released on 2010-03-21
5842 * X509 signature algorithm determination is now
5847 * Added reset function for HMAC context as speed-up
5848 for specific use-cases
5859 = Version 0.12.1 released on 2009-10-04
5870 = Version 0.12.0 released on 2009-07-28
5874 Base64, MPI, SHA-family, MD-family, HMAC-SHA-family,
5875 Camellia, DES, 3-DES, RSA PKCS#1, XTEA, Diffie-Hellman
5880 this in mind when checking for errors.
5891 * Fixed HMAC-MD2 by modifying md2_starts(), so that the
5912 * Fixed Camellia and XTEA for 64-bit Windows systems.
5914 = Version 0.11.1 released on 2009-05-17
5915 * Fixed missing functionality for SHA-224, SHA-256, SHA-384,
5916 SHA-512 in rsa_pkcs1_sign()
5918 = Version 0.11.0 released on 2009-05-03
5922 * Added support for SHA-224, SHA-256, SHA-384 and SHA-512
5932 * Made definition of net_htons() endian-clean for big endian
5936 * Fixed an off-by-one buffer allocation in ssl_set_hostname()
5941 * Fixed compatibility of XTEA and Camellia on a 64-bit system
5944 = Version 0.10.0 released on 2009-01-12
5956 = Version 0.9 released on 2008-03-16
5962 be sent twice in non-blocking mode when send returns EAGAIN
5965 * Added user-defined callback debug function (Krystian Kolodziej)
5971 output data is non-aligned by falling back to the software
5972 implementation, as VIA Nehemiah cannot handle non-aligned buffers
5974 Robson-Garth; some x509write.c fixes by Pascal Vizeli, thanks to
5981 string is passed as the CN (bug reported by spoofy)
5983 * Updated rsa_check_privkey() to verify that (D*E) mod ((P-1)*(Q-1)) = 1
5988 * Fixed a critical denial-of-service with X.509 cert. verification:
5991 * Added test vectors for: AES-CBC, AES-CFB, DES-CBC and 3DES-CBC,
5992 HMAC-MD5, HMAC-SHA1, HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512
5993 * Fixed HMAC-SHA-384 and HMAC-SHA-512 (thanks to Josh Sinykin)
5996 as the Klima-Pokorny-Rosa extension of Bleichenbacher's attack
5997 * Updated rsa_gen_key() so that ctx->N is always nbits in size
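The 0.9 rsa_check_privkey() entry above states the consistency test for a loaded private key: N must equal P*Q and D*E must be 1 modulo (P-1)*(Q-1). The block below is an added example on a textbook-sized key and is not the library's own code; the toy_rsa_key struct and every function name are mine, and the 64-bit arithmetic only works because the toy modulus is below 2^32. It goes one step beyond the entry: the check against phi(N) = (P-1)(Q-1) is sufficient but stricter than necessary, since a key whose D was computed modulo Carmichael's lambda(N) = lcm(P-1, Q-1) decrypts correctly yet fails the phi(N) test, so the lcm form is shown alongside it.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy RSA key with 64-bit fields (hypothetical struct, illustration only). */
typedef struct {
    uint64_t n, e, d, p, q;
} toy_rsa_key;

static uint64_t gcd64(uint64_t a, uint64_t b) {
    while (b != 0) { uint64_t t = a % b; a = b; b = t; }
    return a;
}

/* a * b mod m without overflow as long as m < 2^32 (true for the toy key). */
static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t m) {
    return ((a % m) * (b % m)) % m;
}

static uint64_t powmod(uint64_t base, uint64_t exp, uint64_t m) {
    uint64_t r = 1 % m;
    base %= m;
    while (exp != 0) {
        if (exp & 1) r = mulmod(r, base, m);
        base = mulmod(base, base, m);
        exp >>= 1;
    }
    return r;
}

/* The 0.9 check: N = P*Q and D*E = 1 mod (P-1)(Q-1). Returns 0 if consistent,
 * -1 for a bad modulus, -2 for a bad public exponent, -3 for a bad D. */
int toy_rsa_check_privkey_phi(const toy_rsa_key *k) {
    if (k->p < 2 || k->q < 2 || k->n != k->p * k->q) return -1;
    uint64_t phi = (k->p - 1) * (k->q - 1);
    if (k->e < 3 || gcd64(k->e, phi) != 1) return -2;
    if (mulmod(k->d, k->e, phi) != 1) return -3;
    return 0;
}

/* Necessary-and-sufficient form: D*E = 1 mod lcm(P-1, Q-1). Same return codes. */
int toy_rsa_check_privkey_lcm(const toy_rsa_key *k) {
    if (k->p < 2 || k->q < 2 || k->n != k->p * k->q) return -1;
    uint64_t pm1 = k->p - 1, qm1 = k->q - 1;
    uint64_t lambda = pm1 / gcd64(pm1, qm1) * qm1;
    if (k->e < 3 || gcd64(k->e, lambda) != 1) return -2;
    if (mulmod(k->d, k->e, lambda) != 1) return -3;
    return 0;
}

/* Textbook (unpadded) RSA, enough to show whether a key round-trips. */
uint64_t toy_rsa_public(const toy_rsa_key *k, uint64_t m)  { return powmod(m, k->e, k->n); }
uint64_t toy_rsa_private(const toy_rsa_key *k, uint64_t c) { return powmod(c, k->d, k->n); }

int main(void) {
    /* Constructed keys: p=61, q=53, e=17; d=2753 (mod phi) and d=413 (mod lambda). */
    const toy_rsa_key phi_key    = { 3233, 17, 2753, 61, 53 };
    const toy_rsa_key lambda_key = { 3233, 17,  413, 61, 53 };
    uint64_t c = toy_rsa_public(&phi_key, 65);
    printf("phi key:    phi=%d lcm=%d decrypt=%llu\n",
           toy_rsa_check_privkey_phi(&phi_key), toy_rsa_check_privkey_lcm(&phi_key),
           (unsigned long long)toy_rsa_private(&phi_key, c));
    printf("lambda key: phi=%d lcm=%d decrypt=%llu\n",
           toy_rsa_check_privkey_phi(&lambda_key), toy_rsa_check_privkey_lcm(&lambda_key),
           (unsigned long long)toy_rsa_private(&lambda_key, c));
    return 0;
}
```

A real implementation does this on bignums and additionally checks that D fits the expected range and that any CRT parameters (DP, DQ, QP) agree with P, Q and D; the point that carries over is that a key file should be validated before its first private operation, because an inconsistent D or N silently produces wrong signatures or plaintext rather than an error.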
6001 = Version 0.8 released on 2007-10-20
6009 * Added user-defined callbacks for handling I/O and sessions
6013 * Added AES-CFB mode of operation, contributed by chmike
6017 * Updated ssl_read() to skip 0-length records from OpenSSL
6019 * Fixed a bug in mpi_read_binary() on 64-bit platforms
6026 = Version 0.7 released on 2007-07-07
6028 * Added support for the MicroBlaze soft-core processor
6030 connections from being established with non-blocking I/O
6034 * Added the SHA-224, SHA-384 and SHA-512 hash functions
6042 = Version 0.6 released on 2007-04-01
6048 * Added multiply assembly code for 64-bit PowerPCs,
6052 * Fixed "long long" compilation issues on IA-64 and PPC64
6053 * Fixed a bug introduced in xyssl-0.5/timing.c: hardclock
6056 = Version 0.5 released on 2007-03-01
6059 * Added (beta) support for non-blocking I/O operations
6062 (thanks to Benjamin Newman), HP-UX, FreeBSD and Solaris
6067 = Version 0.4 released on 2007-02-01
6069 * Added support for Ephemeral Diffie-Hellman key exchange
6080 = Version 0.3 released on 2007-01-01
6082 * Added server-side SSLv3 and TLSv1.0 support
6086 the bignum code is no longer dependent on long long
6091 = Version 0.2 released on 2006-12-01
6102 the Miller-Rabin primality test
6106 who maintains the Debian package :-)
6108 = Version 0.1 released on 2006-11-01