
Lines Matching +full:fuzz +full:- +full:issue +full:- +full:updated +full:- +full:support

3 = Mbed TLS 3.5.2 branch released 2024-01-26
14 could result in an integer overflow, causing a zero-length buffer to be
18 = Mbed TLS 3.5.1 branch released 2023-11-06
21 * Mbed TLS is now released under a dual Apache-2.0 OR GPL-2.0-or-later
28 = Mbed TLS 3.5.0 branch released 2023-10-05
31 * Mbed TLS 3.4 introduced support for omitting the built-in implementation
32 of ECDSA and/or EC J-PAKE when those are provided by a driver. However,
33 there was a flaw in the logic checking if the built-in implementation, in
36 accelerated and still have the built-in implementation compiled out.
39 considered not accelerated, and the built-in implementation of the curves
46 * Officially require Python 3.8 now that earlier versions are out of support.
74 provided - these limitations are lifted in this version. A new set of
77 they're provided by a built-in implementation, a driver or both. See
78 docs/driver-only-builds.md.
83 TLS 1.2 (ECDHE-ECDSA key exchange) are not supported in those builds yet,
85 * When all of ECDH, ECDSA and EC J-PAKE are either disabled or provided by
87 if not required by another module) and still get support for ECC keys and
88 algorithms in PSA, with some limitations. See docs/driver-only-builds.txt
92 * Add support for server-side TLS version negotiation. If both TLS 1.2 and
97 * Add support for reading and writing X25519 and X448
99 * When parsing X.509 certificates, support the extensions
103 * Add support for the FFDH algorithm and DH key types in PSA, with
104 parameters from RFC 7919. This includes a built-in implementation based
116 string to a DER-encoded mbedtls_asn1_buf.
117 * Add SHA-3 family hash functions.
118 * Add support to restrict AES to 128-bit keys in order to save code size.
123 Aarch64, gcc -Os and CCM, GCM and XTS benefit the most.
124 On Aarch64, uplift is typically around 20 - 110%.
125 When compiling with gcc -Os on Aarch64, AES-XTS improves
127 * Add support for PBKDF2-HMAC through the PSA API.
133 - DERIVE is only available for ECC keys, not for RSA or DH ones.
134 - implementations are free to enable more than what it was strictly
137 * Add support for FFDH key exchange in TLS 1.3.
139 and the ephemeral or psk-ephemeral key exchange mode are enabled.
152 * Support for "opaque" (PSA-held) ECC keys in the PK module has been
161 * Add support for PBKDF2-CMAC through the PSA API.
163 using CPU-accelerated AES (e.g., Arm Crypto Extensions), this option
164 disables the plain C implementation and the run-time detection for the
181 only used in relation with CMAC which does not support these ciphers.
191 (notably recent versions of Clang and IAR) could produce non-constant
194 * Updates to constant-time C code so that compilers are less likely to use
197 implementations for 32- and 64-bit Arm and for x86 and x86-64, which are
205 null-cipher cipher suites. Credit to OSS-Fuzz.
207 In TLS 1.3, all configurations are affected except PSK-only ones, and
212 Credit to OSS-Fuzz.
217 than all built-in ones and RSA is disabled.
231 * Fix the J-PAKE driver interface for user and peer to accept any values
234 M-class CPUs (Cortex-M0, Cortex-M0+, Cortex-M1, Cortex-M23,
239 * Fixed an issue that caused compile errors when using CMake and the IAR
252 example TF-M configuration in configs/ from building cleanly:
263 with all TLS support disabled. Fixes #6628.
267 * Fix a potential corruption of the passed-in IV when mbedtls_aes_crypt_cbc()
276 * Fix an issue when parsing an otherName subject alternative name into a
277 mbedtls_x509_san_other_name struct. The type-id of the otherName was not
284 enabled, where some low-level modules required by requested PSA crypto
293 * Fix the build with CMake when Everest or P256-m is enabled through
298 compiling with gcc, clang or armclang and -O0.
316 = Mbed TLS 3.4.1 branch released 2023-08-04
322 * Update test data to avoid failures of unit tests after 2023-08-07.
324 = Mbed TLS 3.4.0 branch released 2023-03-28
339 optionally providing file-specific error pairs. Please see psa_util.h for
343 * Added partial support for parsing the PKCS #7 Cryptographic Message
344 Syntax, as defined in RFC 2315. Currently, support is limited to the
346 - Only the signed-data content type, version 1 is supported.
347 - Only DER encoding is supported.
348 - Only a single digest algorithm per message is supported.
349 - Certificates must be in X.509 format. A message must have either 0
351 - There is no support for certificate revocation lists.
352 - The authenticated and unauthenticated attribute fields of SignerInfo
355 contributing this feature, and to Demi-Marie Obenour for contributing
359 * Improvements to use of unaligned and byte-swapped memory, reducing code
362 * Add support for reading points in compressed format
370 * Add parsing of V3 extensions (key usage, Netscape cert-type,
373 configuration-independent files. This allows them to be generated when
378 backed by internal library support for ECDSA signing and verification.
388 supported in those builds yet, as driver support for interruptible ECDSA
390 * Add a driver dispatch layer for EC J-PAKE, enabling alternative
391 implementations of EC J-PAKE through the driver entry points.
394 * Add support to include the SubjectAltName extension to a CSR.
395 * Add support for AES with the Armv8-A Cryptographic Extension on
396 64-bit Arm. A new configuration option, MBEDTLS_AESCE_C, can
397 be used to enable this feature. Run-time detection is supported
399 * When a PSA driver for EC J-PAKE is present, it is now possible to disable
404 to read non-public fields for padding mode and hash id from
406 * AES-NI is now supported with Visual Studio.
407 * AES-NI is now supported in 32-bit builds, or when MBEDTLS_HAVE_ASM
410 gcc -m32 -msse2 -maes -mpclmul). (Generic x86 builds with GCC-like
411 compilers still require MBEDTLS_HAVE_ASM and a 64-bit target.)
412 * It is now possible to use a PSA-held (opaque) password with the TLS 1.2
417 * Use platform-provided secure zeroization function where possible, such as
420 * Fix a potential heap buffer overread in TLS 1.3 client-side when
422 * Add support for AES with the Armv8-A Cryptographic Extension on 64-bit
423 Arm, so that these systems are no longer vulnerable to timing side-channel
427 builds that couldn't compile the GCC-style assembly implementation
429 timing side-channel attacks. There is now an intrinsics-based AES-NI
438 Fixes issue #6879.
454 forbidden by the standard (RFC5280 - section 4.1.2.2) and now it's being
472 * Reject OIDs with overlong-encoded subidentifiers when converting
477 have the most-significant bit set in their last byte.
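The two OID checks the entries above refer to (rejecting overlong-encoded sub-identifiers, and rejecting an OID whose last content byte still has its most-significant bit set, i.e. an unterminated sub-identifier) are shown together in the following added example. It is not Mbed TLS code: the function and exception names are mine, and it decodes the content octets of a DER OBJECT IDENTIFIER according to the X.690 base-128 rules.

```python
"""Decode the content octets of a DER OBJECT IDENTIFIER with two strictness
checks: an overlong-encoded sub-identifier (leading 0x80 continuation octet,
forbidden by X.690 8.19.2) and a final octet with the MSB set (the last
sub-identifier is unterminated). Example code, not Mbed TLS's implementation."""


class OidError(ValueError):
    """Raised for malformed OID content octets."""


def decode_oid_content(content: bytes) -> str:
    """Return the dotted-decimal form of the OID whose content octets are `content`."""
    if not content:
        raise OidError("empty OID content")
    if content[-1] & 0x80:
        # Every sub-identifier ends with an octet whose MSB is clear, so the
        # last octet of the whole encoding must have its MSB clear too.
        raise OidError("OID ends inside a sub-identifier (MSB set in last byte)")

    subids = []
    value = 0
    first_octet = True          # are we at the first octet of a sub-identifier?
    for b in content:
        if first_octet and b == 0x80:
            # X.690 8.19.2: sub-identifiers use the fewest octets possible,
            # so a leading 0x80 (a zero high group) is an overlong encoding.
            raise OidError("overlong-encoded sub-identifier")
        first_octet = False
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:        # MSB clear: this octet terminates the sub-identifier
            subids.append(value)
            value = 0
            first_octet = True

    # The first two arcs are packed into one sub-identifier (X.690 8.19.4).
    first = subids[0]
    if first < 40:
        arcs = [0, first]
    elif first < 80:
        arcs = [1, first - 40]
    else:
        arcs = [2, first - 80]
    return ".".join(str(a) for a in arcs + subids[1:])


def is_valid_oid_content(content: bytes) -> bool:
    """True if `content` decodes without triggering either check."""
    try:
        decode_oid_content(content)
    except OidError:
        return False
    return True


if __name__ == "__main__":
    # Constructed inputs: rsaEncryption, serverAuth, commonName, then two rejects.
    print(decode_oid_content(bytes.fromhex("2a864886f70d010101")))   # 1.2.840.113549.1.1.1
    print(decode_oid_content(bytes.fromhex("2b06010505070301")))     # 1.3.6.1.5.5.7.3.1
    print(decode_oid_content(bytes.fromhex("550403")))               # 2.5.4.3
    print(is_valid_oid_content(bytes.fromhex("2a8006")))             # False: overlong 0x80
    print(is_valid_oid_content(bytes.fromhex("2a86")))               # False: MSB set in last byte
```

The overlong check matters because `0x80 0x06` and `0x06` would otherwise decode to the same arc, giving two DER encodings for one OID and defeating byte-wise comparison of OIDs elsewhere in a certificate parser.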
478 * Silence warnings from clang -Wdocumentation about empty \retval
482 * Fix an unused-variable warning in TLS 1.3-only builds if
486 * Allow setting user and peer identifiers for EC J-PAKE operation
489 * Fix a compilation error when PSA Crypto is built with support for
493 * Fix TLS 1.3 session resumption when the established pre-shared key is
494 384 bits long. That is the length of pre-shared keys created under a
496 * Fix an issue when compiling with MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT
505 * Mixed-endian systems are explicitly not supported any more.
511 visualc/VS2010 to visualc/VS2013 as we do not support building with versions
514 - now it accepts the serial number in 2 different formats: decimal and
516 - "serial" is used for the decimal format and it's limited in size to
518 - "serial_hex" is used for the hex format; max length here is
523 https://mbed-tls.readthedocs.io/en/latest/kb/how-to/rewrite-branch-for-coding-style/
525 As tested in issue 6790, the correlation between this define and
529 to best results when tested on Cortex-M4 and Intel i7.
535 = Mbed TLS 3.3.0 branch released 2022-12-14
541 RFC 9146, which is not interoperable with the draft-05 version.
545 standard (non-draft) version.
564 * Support rsa_pss_rsae_* signature algorithms in TLS 1.2.
569 * Expose the EC J-PAKE functionality through the Draft PSA PAKE Crypto API.
570 Only the ECC primitive with secp256r1 curve and SHA-256 hash algorithm
573 built-in implementation present, but only in some configurations.
574 - RSA OAEP and PSS (PKCS#1 v2.1), PKCS5, PKCS12 and EC J-PAKE now use
576 - PEM parsing of encrypted files now uses MD-5 from PSA when (and only
582 all hashes only provided by drivers (no built-in hash) is to use
586 As a consequence, they now work in configurations where the built-in
588 provided by PSA drivers. (See previous entry for limitation on RSA-PSS
590 * Add support for opaque keys as the private keys associated to certificates
592 * Add the LMS post-quantum-safe stateful-hash asymmetric signature scheme.
593 Signature verification is production-ready, but generation is for testing
599 * Add the LM-OTS post-quantum-safe one-time signature scheme, which is
602 * Mbed TLS now supports TLS 1.3 key establishment via pre-shared keys.
603 The pre-shared keys can be provisioned externally or via the ticket
608 control the support for the three possible TLS 1.3 key exchange modes.
609 * cert_write: support for setting extended key usage attributes. A
612 * cert_write: support for writing certificate files in either PEM
621 * The TLS 1.2 EC J-PAKE key exchange can now use the PSA Crypto API.
625 * Add support for DTLS Connection ID as defined by RFC 9146, controlled by
632 * Add an ad-hoc key derivation function handling EC J-PAKE to PMS
634 as described in draft-cragie-tls-ecjpake-01. This can be achieved by
641 * Fix an issue where an adversary with access to precise enough information
644 victim performing a single private-key operation if the window size used
646 Wenjian HE, Sharad Sinha, and Wei ZHANG. See "Cache Side-channel Attacks
647 and Defenses of the Sliding Window Algorithm in TEEs" - Design, Automation
651 * Refactor mbedtls_aes_context to support shallow-copying. Fixes #2147.
652 * Fix an issue with in-tree CMake builds in releases with GEN_FILES
655 * Fix a long-standing build failure when building x86 PIC code with old
658 * Fix support for little-endian Microblaze when MBEDTLS_HAVE_ASM is defined.
668 TLS 1.2 and TLS 1.3 support, and a TLS 1.2 server that supports
670 advertised support for PSS in both TLS 1.2 and 1.3, but only
679 * Fix a build issue on Windows using CMake where the source and build
686 PSA drivers for AEAD (GCM, CCM, Chacha20-Poly1305).
703 * Fix a bug in which mbedtls_x509_crt_info() would produce non-printable
710 * In the bignum module, operations of the form (-A) - (+A) or (-A) - (-A)
724 to OSS-Fuzz. Fixes #6597.
727 * Move some SSL-specific code out of libmbedcrypto where it had been placed
734 * Calling AEAD tag-specific functions for non-AEAD algorithms (which
735 should not be done - they are documented for use only by AES-GCM and
739 = Mbed TLS 3.2.1 branch released 2022-07-12
742 * Re-add missing generated file library/psa_crypto_driver_wrappers.c
744 = Mbed TLS 3.2.0 branch released 2022-07-11
787 * Add ALPN support in TLS 1.3 clients.
795 * Add support for psa crypto key derivation for elliptic curve
800 * Add mbedtls_pk_sign_ext() which allows generating RSA-PSS signatures when
815 * Extend the existing PSA_ALG_TLS12_PSK_TO_MS() algorithm to support
816 mixed-PSK. Add an optional input PSA_KEY_DERIVATION_INPUT_OTHER_SECRET
825 * Add HKDF-Expand and HKDF-Extract as separate algorithms in the PSA API.
826 * Add support for the ARMv8 SHA-2 acceleration instructions when building
828 * Add support for authentication of TLS 1.3 clients by TLS 1.3 servers.
829 * Add support for server HelloRetryRequest message. The TLS 1.3 client is
832 * Add support for client-side TLS version negotiation. If both TLS 1.2 and
835 * Enable building of Mbed TLS with TLS 1.3 protocol support but without TLS
836 1.2 protocol support.
838 establishment only). See docs/architecture/tls13-support.md for a
839 description of the support. The MBEDTLS_SSL_PROTO_TLS1_3 and
846 docs/use-psa-crypto.md for the list of exceptions.
850 * Opaque pre-shared keys for TLS, provisioned with
853 for the "mixed" PSK key exchanges as well: ECDHE-PSK, DHE-PSK, RSA-PSK.
854 * cmake now detects if it is being built as a sub-project, and in that case
863 * Zeroize dynamically-allocated buffers used by the PSA Crypto key storage
872 * Fix a potential heap buffer overread in TLS 1.2 server-side when
879 or a man-in-the-middle could cause a DTLS server to read up to 255 bytes
909 enabled and an ECDHE-ECDSA or ECDHE-RSA key exchange was used, the
923 * Fix a race condition in out-of-source builds with CMake when generated data
929 the function needs to be re-called after initially returning
975 non-compliant. This could not lead to a buffer overflow. In particular,
993 from a template. In the future, the generation will support
995 see docs/proposed/psa-driver-wrappers-codegen-migration-guide.md
996 * Return PSA_ERROR_INVALID_ARGUMENT if the algorithm passed to one-shot
1001 * Assume source files are in UTF-8 when using MSVC with CMake.
1014 = mbed TLS 3.1.0 branch released 2021-12-17
1026 POSIX/Unix-like platforms.
1029 * Sign-magnitude and one's complement representations for signed integers are
1037 * Remove the partial support for running unit tests via Greentea on Mbed OS,
1041 * Enable support for Curve448 via the PSA API. Contributed by
1048 supported on GCC-like compilers and on MSVC and can be configured through
1057 * Add support for CCM*-no-tag cipher to the PSA.
1058 Currently only 13-byte long IV's are supported.
1059 For decryption a minimum of 16-byte long input is expected.
1064 * Add the internal implementation of and support for CCM to the PSA multipart
1067 protocol. See docs/architecture/tls13-support.md for the definition of
1069 configuration option controls the enablement of the support. The APIs
1079 man-in-the-middle to inject fake ciphertext into a DTLS connection.
1088 * Fix a double-free that happened after mbedtls_ssl_set_session() or
1097 The check was accidentally not performed when cross-compiling for Windows
1109 * Fix mbedtls_cipher_crypt: AES-ECB when MBEDTLS_USE_PSA_CRYPTO is enabled.
1110 * Failures of alternative implementations of AES or DES single-block
1114 where this function cannot fail, or full-module replacements with
1119 * Fix compile-time or run-time errors in PSA
1123 psa_aead_finish() and psa_aead_verify() does not apply to the built-in
1126 the built-in implementation of the GCM.
1128 input buffer size is valid only for the built-in implementation of GCM.
1142 * Fix issue in Makefile on Linux with SHARED=1, that caused shared libraries
1162 oversight during the run-up to the release of Mbed TLS 3.0.
1164 * Implement multi-part CCM API.
1165 The multi-part functions: mbedtls_ccm_starts(), mbedtls_ccm_set_lengths(),
1169 Implemented functions support chunked data input for both CCM and CCM*
1175 * Improve the performance of base64 constant-flow code. The result is still
1176 slower than the original non-constant-flow implementation, but much faster
1177 than the previous constant-flow implementation. Fixes #4814.
1178 * Ignore plaintext/ciphertext lengths for CCM*-no-tag operations.
1182 ChaCha20-Poly1305 is invalid, and not just unsupported.
1189 * The generated configuration-independent files are now automatically
1190 generated by the CMake build system on Unix-like systems. This is not
1191 yet supported when cross-compiling.
1193 = Mbed TLS 3.0.0 branch released 2021-07-07
1202 https://mbed-tls.readthedocs.io/en/latest/kb/how-to/add-entropy-sources-to-entropy-pool/ for
1206 header compat-1.3.h and the script rename.pl.
1222 * Drop support for parsing SSLv2 ClientHello
1224 * Drop support for SSLv3 (MBEDTLS_SSL_PROTO_SSL3).
1225 * Drop support for TLS record-level compression (MBEDTLS_ZLIB_SUPPORT).
1226 * Drop support for RC4 TLS ciphersuites.
1227 * Drop support for single-DES ciphersuites.
1228 * Drop support for MBEDTLS_SSL_HW_RECORD_ACCEL.
1231 key type used, as well as the key bit-size in the case of
1246 when outputting a SHA-384 or SHA-224 hash into a buffer of exactly
1267 session-ID based session resumption) has changed to that of
1268 a key-value store with keys being session IDs and values
1279 Support for more than one PSK may be added in 3.X.
1282 * For multi-part AEAD operations with the cipher module, calling
1287 * The option MBEDTLS_ECP_FIXED_POINT_OPTIM use pre-computed comb tables
1329 context are now connection-specific.
1338 * Implement one-shot cipher functions, psa_cipher_encrypt and
1351 They are: ARIA block cipher, CMAC mode, elliptic curve J-PAKE library and
1352 Key Wrapping mode as defined in NIST SP 800-38F. Fixes #4036.
1364 release, some configuration-independent files are now generated at build
1375 compile-time option, which was off by default. Users should not trust
1376 certificates signed with SHA-1 due to the known attacks against SHA-1.
1377 If needed, SHA-1 certificates can still be verified by using a custom
1385 https://lists.trustedfirmware.org/pipermail/mbed-tls/2020-April/000024.html
1389 compile-time option. This option has been inactive for a long time.
1392 * Remove the following deprecated functions and constants of hex-encoded
1409 * Remove support for TLS 1.0, TLS 1.1 and DTLS 1.0, as well as support for
1418 * The RSA module no longer supports private-key operations with the public
1453 * Remove all support for MD2, MD4, RC4, Blowfish and XTEA. This removes the
1458 using a CCM-8 ciphersuite than a CBC ciphersuite with truncated HMAC.
1459 See issue #4341 for more details.
1460 * Remove the compile-time option
1468 * Added support for built-in driver keys through the PSA opaque crypto
1472 * The multi-part GCM interface (mbedtls_gcm_update() or
1475 * The multi-part GCM interface now supports chunked associated data through
1482 See docs/architecture/alternative-implementations.md for the remaining
1485 query the size of the modulus in a Diffie-Hellman context.
1487 Diffie-Hellman context.
1495 * Fix a bias in the generation of finite-field Diffie-Hellman-Merkle (DHM)
1504 * Fix an issue where an adversary with access to precise enough information
1507 victim performing a single private-key operation. Found and reported by
1509 * Fix an issue where an adversary with access to precise enough timing
1510 information (typically, a co-located process) could recover a Curve25519
1512 observing the victim performing the corresponding private-key operation.
1530 * Fix a bug in ECDSA that would cause it to fail when the hash is all-bits
1535 mbedtls_mpi_read_string() was called on "-0", or when
1541 * In a TLS client, enforce the Diffie-Hellman minimum parameter size
1552 * The cipher suite TLS-RSA-WITH-CAMELLIA-256-GCM-SHA384 was not available
1553 when SHA-1 was disabled and was offered when SHA-1 was enabled but SHA-384
1555 * Do not offer SHA384 cipher suites when SHA-384 is disabled. Fixes #4499.
1557 Arm Cortex-M. Fixes #4530.
1559 directive in a header and a missing initialization in the self-test.
1560 * Fix a missing initialization in the Camellia self-test, affecting
1562 * Restore the ability to configure PSA via Mbed TLS options to support RSA
1567 (when the encrypt-then-MAC extension is not in use) with some ALT
1568 implementations of the underlying hash (SHA-1, SHA-256, SHA-384), causing
1570 * Remove outdated check-config.h check that prevented implementing the
1582 * psa_verify_hash() was relying on implementation-specific behavior of
1593 Credit to OSS-Fuzz. Fixes #4641.
1598 read-only lifetime. The persistence level PSA_KEY_PERSISTENCE_READ_ONLY
1615 * Alternative implementations of CMAC may now opt to not support 3DES as a
1619 * Remove configs/config-psa-crypto.h, which no longer had any intended
1659 = mbed TLS 2.26.0 branch released 2021-03-08
1713 length, or when the entropy module uses SHA-256 and CTR_DRBG uses AES-256.
1719 |A| - |B| where |B| is larger than |A| and has more limbs (so the
1736 * Fix use-after-scope error in programs/ssl/ssl_client2.c and ssl_server2.c
1747 fail. Such a double-free was not safe when MBEDTLS_THREADING_C was
1749 * Fix a resource leak in a bad-arguments case of mbedtls_rsa_gen_key()
1752 * Fixes a bug where, if the library was configured to include support for
1760 the extension was always marked as non-critical. This was fixed by
1770 = mbed TLS 2.25.0 branch released 2020-12-11
1773 * The numerical values of the PSA Crypto API macros have been updated to
1782 mbedtls_cipher_auth_decrypt_ext() instead. Credit to OSS-Fuzz and
1803 * Add support for ECB to the PSA cipher API.
1807 This is currently non-standard behaviour, but expected to make it into a
1814 * Add support for DTLS-SRTP as defined in RFC 5764. Contributed by Johan
1818 identical to psa_key_id_t instead of being platform-defined. This bridges
1836 generating Diffie-Hellman key pairs. Credit to OSS-Fuzz.
1840 are implemented. This could cause failures or the silent use of non-random
1844 * Fix a compliance issue whereby we were not checking the tag on the
1852 Many thanks to guidovranken who found this issue via differential fuzzing
1872 * Use socklen_t on Android and other POSIX-compliant systems
1873 * Fix the build when the macro _GNU_SOURCE is defined to a non-empty value.
1879 "x25519" and "x448". These curves support ECDH but not ECDSA. If you need
1880 only the curves that support ECDSA, filter the list with
1890 * Fix an off-by-one error in the additional data length check for
1891 CCM, which allowed encryption with a non-standard length field.
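The length field in question is the one RFC 3610 (section 2.2) prepends to the associated data: two octets when 0 < l(a) < 2^16 - 2^8, the escape 0xFF 0xFE plus four octets up to 2^32, and 0xFF 0xFF plus eight octets above that, with the values 0xFF00..0xFFFD reserved. The boundary at 0xFF00 is exactly where an off-by-one hides. The following added example (mine, not Mbed TLS code) encodes the field correctly, decodes it with the reserved-prefix and canonical-form checks a receiver wants, and shows an illustrative off-by-one variant beside it; that variant is not claimed to be the exact defect the entry above fixed.

```python
"""RFC 3610 section 2.2 associated-data length field for CCM.
Example code, not the Mbed TLS implementation. encode_aad_len_off_by_one()
is an illustrative wrong variant, not the actual historical bug."""

import struct

# Exclusive upper bound of the 2-octet form: 2^16 - 2^8 = 0xFF00.
AAD_LEN_2_OCTET_MAX = (1 << 16) - (1 << 8)


def encode_aad_len(a_len: int) -> bytes:
    """Return the length field that precedes a_len octets of associated data."""
    if a_len < 0:
        raise ValueError("negative length")
    if a_len == 0:
        return b""                                  # no field at all when l(a) == 0
    if a_len < AAD_LEN_2_OCTET_MAX:                 # 0 < l(a) < 0xFF00
        return struct.pack(">H", a_len)
    if a_len < (1 << 32):                           # 0xFF00 <= l(a) < 2^32
        return b"\xff\xfe" + struct.pack(">I", a_len)
    if a_len < (1 << 64):                           # 2^32 <= l(a) < 2^64
        return b"\xff\xff" + struct.pack(">Q", a_len)
    raise ValueError("associated data too long for CCM")


def encode_aad_len_off_by_one(a_len: int) -> bytes:
    """Illustrative bug: '<=' instead of '<' lets l(a) == 0xFF00 take the
    2-octet form, producing FF 00, which RFC 3610 reserves."""
    if a_len <= AAD_LEN_2_OCTET_MAX:
        return struct.pack(">H", a_len)
    return encode_aad_len(a_len)


def decode_aad_len(field: bytes):
    """Parse a length field at the start of `field`; return (a_len, octets_consumed).
    Rejects reserved prefixes and long forms that encode a value the shorter
    form must be used for (non-canonical encodings)."""
    if len(field) < 2:
        raise ValueError("truncated length field")
    prefix = struct.unpack(">H", field[:2])[0]
    if prefix == 0:
        raise ValueError("zero-length AAD must have no length field")
    if prefix < AAD_LEN_2_OCTET_MAX:
        return prefix, 2
    if prefix == 0xFFFE:
        if len(field) < 6:
            raise ValueError("truncated length field")
        a_len = struct.unpack(">I", field[2:6])[0]
        if a_len < AAD_LEN_2_OCTET_MAX:
            raise ValueError("non-canonical 6-octet length field")
        return a_len, 6
    if prefix == 0xFFFF:
        if len(field) < 10:
            raise ValueError("truncated length field")
        a_len = struct.unpack(">Q", field[2:10])[0]
        if a_len < (1 << 32):
            raise ValueError("non-canonical 10-octet length field")
        return a_len, 10
    raise ValueError("reserved length prefix 0x%04x" % prefix)


def length_field_is_valid(field: bytes) -> bool:
    """True if decode_aad_len() accepts `field`."""
    try:
        decode_aad_len(field)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    print(encode_aad_len(0xFEFF).hex())              # feff      (last 2-octet value)
    print(encode_aad_len(0xFF00).hex())              # fffe0000ff00 (first 6-octet value)
    print(encode_aad_len_off_by_one(0xFF00).hex())   # ff00      (reserved, non-standard)
    print(length_field_is_valid(bytes.fromhex("ff00")))   # False
```

A decoder that is as strict as `decode_aad_len` turns the encoder's off-by-one into an interoperability failure at 0xFF00 rather than a silently accepted non-standard message, which is what a fuzzer or a differential test against another CCM implementation would surface.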
1900 * Attempting to create a volatile key with a non-zero key identifier now
1909 * Fix a case in elliptic curve arithmetic where an out-of-memory condition
1926 * The PSA persistent storage format is updated to always store the key bits
1929 specification (docs/architecture/mbed-crypto-storage-specification.md).
1933 zeroize the pointed-to buffer. Reported by Antonio de la Piedra, CEA
1936 = mbed TLS 2.24.0 branch released 2020-09-01
1939 * In the PSA API, rename the types of elliptic curve and Diffie-Hellman
1956 * Support building on e2k (Elbrus) architecture: correctly enable
1957 -Wformat-signedness, and fix the code that causes signed-one-bit-field
1958 and sign-compare warnings. Contributed by makise-homura (Igor Molchanov)
1967 attacker could for example impersonate a 4-byte or 16-byte domain by
1983 Encrypt-then-Mac extension, use constant code flow memory access patterns
1986 effective against network-based attackers, but less so against local
1988 if they have access to fine-grained measurements. In particular, this
1992 * Fix side channel in RSA private key operations and static (finite-field)
1993 Diffie-Hellman. An adversary with precise enough timing and memory access
1995 enclave) could bypass an existing counter-measure (base blinding) and
1997 * Fix a 1-byte buffer overread in mbedtls_x509_crl_parse_der().
1998 Credit to OSS-Fuzz for detecting the problem and to Philippe Antoine
2012 Montgomery keys in little-endian as defined by RFC7748. Contributed by
2015 curves. Raised by signpainter in #941 and by Taiki-San in #1412. This
2017 * Fix self-test failure when the only enabled short Weierstrass elliptic
2029 * Only pass -Wformat-signedness to versions of GCC that support it. Reported
2044 these applications with password-protected key files. Analogously but for
2049 = mbed TLS 2.23.0 branch released 2020-07-01
2062 high- and low-level error codes, complementing mbedtls_strerror()
2066 * The new utility programs/ssl/ssl_context_info prints a human-readable
2068 * Add support for midipix, a POSIX layer for Microsoft Windows.
2076 * Added support to entropy_poll for the kern.arandom syscall supported on
2078 * Add support for Windows 2000 in net_sockets. Contributed by opatomic. #3239
2083 Ming-Wei Shih, Prasun Gera, Taesoo Kim and Hyesoon Kim (Georgia Institute
2094 * Fix issue in Lucky 13 counter-measure that could make it ineffective when
2109 * Fix issue with a detected HW accelerated record error not being exposed
2130 * Fix false positive uninitialised variable reported by cpp-check.
2139 clean of -Wformat-signedness warnings. Contributed by Kenneth Soerensen
2141 * Fix minor performance issue in operations on Curve25519 caused by using a
2151 * Fix mbedtls_x509_dn_gets to escape non-ASCII characters as "?".
2163 `MBEDTLS_CTR_DRBG_C` or `MBEDTLS_HMAC_DRBG_C` for some side-channel
2172 = mbed TLS 2.22.0 branch released 2020-04-14
2183 * Fix issue in DTLS handling of new associations with the same parameters
2193 Billy Brumley and Cesar Pereida Garcia. CVE-2020-10932
2219 = mbed TLS 2.21.0 branch released 2020-02-20
2224 * Deprecate MBEDTLS_SSL_PROTO_SSL3 that enables support for SSLv3.
2225 * Deprecate for MBEDTLS_PKCS11_C, the wrapper around the pkcs11-helper
2232 probability (of the order of 2^-n where n is the bitsize of the curve)
2240 ARMmbed/mbed-crypto#352
2243 * The new build option MBEDTLS_SHA512_NO_SHA384 allows building SHA-512
2244 support without SHA-384.
2253 PSA_ECC_CURVE_SECP_R1 with 256 bits is P256R1). ARMmbed/mbed-crypto#330
2259 * Fix some false-positive uninitialized variable warnings in X.509. Fix
2260 contributed by apple-ihack-geek in #2663.
2262 a cryptographic accelerator fails. ARMmbed/mbed-crypto#345
2265 keys. Found by Catena cyber using oss-fuzz (issue 20467).
2269 = mbed TLS 2.20.0 branch released 2020-01-15
2290 Issue reported by Tuba Yavuz, Farhaan Fowze, Ken (Yihang) Bai,
2312 to achieve the security strength defined by NIST SP 800-90A. You can
2314 * Add ENUMERATED tag support to the ASN.1 module. Contributed by
2315 msopiha-linaro in ARMmbed/mbed-crypto#307.
2318 * In the PSA API, forbid zero-length keys. To pass a zero-length input to a
2332 unsupported algorithm. Fixes ARMmbed/mbed-crypto#254.
2333 * Fix mbedtls_asn1_get_int to support any number of leading zeros. Credit
2334 to OSS-Fuzz for finding a bug in an intermediate version of the fix.
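The entry above is about reading an ASN.1 INTEGER into a C int while tolerating leading zero octets (DER allows at most one, but a lenient reader sees more in practice). The following added example is mine, not Mbed TLS code, and assumes the same constraints that function is used under: a non-negative value that must fit in a signed int of the given width. The point is the order of the checks: decide negativity on the first octet, strip the zero octets, and only then compare the remaining width against the target type.

```python
"""Read ASN.1 INTEGER content octets into a fixed-width signed int, accepting
any number of leading zero octets. Example code, not Mbed TLS's
mbedtls_asn1_get_int(); the error type and helper names are mine."""


class Asn1Error(ValueError):
    """Raised when the INTEGER is negative, empty, or does not fit."""


def asn1_int_from_content(content: bytes, int_bits: int = 32) -> int:
    """Return the value encoded by `content` if it fits in a signed int_bits integer."""
    if not content:
        raise Asn1Error("empty INTEGER")
    if content[0] & 0x80:
        # Two's complement: MSB of the first octet set means negative.
        raise Asn1Error("negative INTEGER not supported")
    body = content.lstrip(b"\x00")      # tolerate any number of leading zero octets
    width = int_bits // 8
    # After stripping, the magnitude must fit: fewer than `width` octets, or
    # exactly `width` octets with the top bit clear (sign bit of the C int).
    if len(body) > width or (len(body) == width and body[0] & 0x80):
        raise Asn1Error("INTEGER does not fit in a %d-bit signed int" % int_bits)
    return int.from_bytes(body, "big") if body else 0


def asn1_int_fits(content: bytes, int_bits: int = 32) -> bool:
    """True if asn1_int_from_content() accepts `content` for the given width."""
    try:
        asn1_int_from_content(content, int_bits)
    except Asn1Error:
        return False
    return True


if __name__ == "__main__":
    # Constructed inputs: padded small value, max 32-bit int, and two rejects.
    print(asn1_int_from_content(bytes.fromhex("00000000000001")))   # 1
    print(asn1_int_from_content(bytes.fromhex("7fffffff")))         # 2147483647
    print(asn1_int_fits(bytes.fromhex("0080000000")))               # False: 2^31 overflows
    print(asn1_int_fits(bytes.fromhex("80")))                       # False: negative
```

Checking the octet count before stripping zeros is the mistake this guards against: `00 00 00 00 00 00 01` has seven octets but a one-octet magnitude, so a length-first check rejects a value that trivially fits.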
2350 merely a robustness improvement. ARMmbed/mbed-crypto#323
2352 Alexander Krizhanovsky in ARMmbed/mbed-crypto#210.
2354 Lloyd and Fortanix Inc in ARMmbed/mbed-crypto#277.
2356 Alexander Krizhanovsky in ARMmbed/mbed-crypto#308.
2358 = mbed TLS 2.19.1 branch released 2019-09-16
2372 * Fix some false-positive uninitialized variable warnings in crypto. Fix
2373 contributed by apple-ihack-geek in #2663.
2375 = mbed TLS 2.19.0 branch released 2019-09-06
2386 * The deterministic ECDSA calculation reused the scheme's HMAC-DRBG to
2395 store it in non-volatile storage, and later using it for TLS session
2400 The feature is enabled at compile-time by MBEDTLS_SSL_RECORD_CHECKING
2403 (https://project-everest.github.io/). It can be enabled at compile time
2406 (32-bit and 64-bit) using GCC, Clang or Visual Studio. Contributed by
2414 * Add DER-encoded test CRTs to library/certs.c, allowing
2435 lead to successful parsing of ill-formed X.509 CRTs. Fixes #2437.
2436 * Fix multiple X.509 functions previously returning ASN.1 low-level error
2441 * Fix typo in net_would_block(). Fixes #528 reported by github-monoculture.
2462 address-sanitizer and enabling but not using MBEDTLS_ECP_RESTARTABLE.
2465 * Improve code clarity in x509_crt module, removing false-positive
2473 * Replace multiple uses of MD2 by SHA-256 in X.509 test suite. Fixes #821.
2477 * Add a Dockerfile and helper scripts (all-in-docker.sh, basic-in-docker.sh,
2478 docker-env.sh) to simplify running test suites on a Linux host. Contributed
2484 * Adds fuzz targets, especially for continuous fuzzing with OSS-Fuzz.
2490 = mbed TLS 2.18.1 branch released 2019-07-12
2500 = mbed TLS 2.18.0 branch released 2019-06-11
2507 * Add the Wi-SUN Field Area Network (FAN) device extended key usage.
2509 * It is now possible to perform RSA PKCS v1.5 signatures with RIPEMD-160 digest.
2512 and the used tls-prf.
2513 * Add public API for tls-prf function, according to requested enum.
2514 * Add support for parsing otherName entries in the Subject Alternative Name
2517 * Add support for parsing certificate policies extension, as defined in
2522 * Add support for draft-05 of the Connection ID extension, as specified
2523 in https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05.
2528 changed its IP or port. The feature is enabled at compile-time by setting
2529 MBEDTLS_SSL_DTLS_CONNECTION_ID (disabled by default), and at run-time
2535 and the used tls-prf.
2536 * Add public API for tls-prf function, according to requested enum.
2545 * Fix 1-byte buffer overflow in mbedtls_mpi_write_string() when
2547 OSS-Fuzz.
2563 Credit to OSS-Fuzz.
2566 * Server's RSA certificate in certs.c was SHA-1 signed. In the default
2567 mbedTLS configuration only SHA-2 signed certificates are accepted.
2571 updated to one that is SHA-256 signed. Fix contributed by
2582 = mbed TLS 2.17.0 branch released 2019-03-19
2586 which allows copy-less parsing of DER encoded X.509 CRTs,
2599 for the benefit of saving RAM, by disabling the new compile-time
2615 * Fix a compilation issue with mbedtls_ecp_restart_ctx not being defined
2627 * Fix signed-to-unsigned integer conversion warning
2635 * Fix issue when writing the named bitstrings in KeyUsage and NsCertType
2646 * Add support for alternative CSR headers, as used by Microsoft and defined
2659 * Fix configuration queries in ssl-opt.h. #2030
2660 * Ensure that ssl-opt.h can be run in OS X. #2029
2661 * Re-enable certain interoperability tests in ssl-opt.sh which had previously
2666 = mbed TLS 2.16.0 branch released 2018-12-21
2684 mbedtls_ctr_drbg_update() -> mbedtls_ctr_drbg_update_ret()
2685 mbedtls_hmac_drbg_update() -> mbedtls_hmac_drbg_update_ret()
2689 the more generic per-module error codes MBEDTLS_ERR_xxx_BAD_INPUT_DATA.
2691 modules - AES, ARIA, Blowfish, CAMELLIA, CCM, GCM, DHM, ECP, ECDSA, ECDH,
2723 = mbed TLS 2.15.1 branch released 2018-11-30
2728 = mbed TLS 2.15.0 branch released 2018-11-23
2738 * Add unit tests for AES-GCM when called through mbedtls_cipher_auth_xxx()
2741 = mbed TLS 2.14.1 branch released 2018-11-30
2745 decryption that could lead to a Bleichenbacher-style padding oracle
2752 in the paper available here: http://cat.eyalro.net/cat.pdf CVE-2018-19608
2770 = mbed TLS 2.14.0 branch released 2018-11-19
2777 upper and lower case. Reported by Henrik Andersson of Bosch GmbH in issue
2781 space and a PSK-(EC)DHE ciphersuite was used, this allowed an attacker
2786 adversary to construct non-primes that would be erroneously accepted as
2791 pairs or Diffie-Hellman parameters, but was insufficient to validate
2792 Diffie-Hellman parameters properly.
2797 * Add support for temporarily suspending expensive ECC computations after
2799 constrained, single-threaded systems where ECC is time consuming and can
2805 implemented client-side, for ECDHE-ECDSA ciphersuites in TLS 1.2,
2807 * Add support for Arm CPU DSP extensions to accelerate asymmetric key
2811 * Extend RSASSA-PSS signature to allow a smaller salt size. Previously, PSS
2814 shorter. This allows the library to support all hash and signature sizes
2815 that comply with FIPS 186-4, including SHA-512 with a 1024-bit key.
2816 * Add support for 128-bit keys in CTR_DRBG. Note that using keys shorter
2835 Miller-Rabin rounds.
2848 padded records in case of CBC ciphersuites using Encrypt-then-MAC.
2859 wildcards and non-ASCII characters being unusable in some DN attributes.
2861 Thomas-Dee.
2865 Reported by ole-de and ddhome2006. Fixes #882, #1642 and #1706.
2868 * Removed support for Yotta as a build tool.
2885 Thomas-Dee.
2887 Fixes #517 reported by github-monoculture.
2890 by FIPS-186-4.
2892 = mbed TLS 2.13.1 branch released 2018-09-06
2896 whose implementation should behave as a thread-safe version of gmtime().
2906 = mbed TLS 2.13.0 branch released 2018-08-31
2909 * Fix an issue in the X.509 module which could lead to a buffer overread
2915 * Add support for fragmentation of outgoing DTLS handshake messages. This
2917 with the peer, as well as by a new per-connection MTU option, set using
2919 * Add support for auto-adjustment of MTU to a safe value during the
2922 * Add support for packing multiple records within a single datagram,
2924 * Add support for buffering out-of-order handshake messages in DTLS.
2926 compile-time constant MBEDTLS_SSL_DTLS_MAX_BUFFERING defined
2936 * Fixes an issue with MBEDTLS_CHACHAPOLY_C which would not compile if
2945 * Fix potential use-after-free in mbedtls_ssl_get_max_frag_len()
2956 (found by Catena cyber using oss-fuzz)
2968 * Add support for buffering of out-of-order handshake messages.
2973 = mbed TLS 2.12.0 branch released 2018-07-25
2976 * Fix a vulnerability in TLS ciphersuites based on CBC and using SHA-384,
2984 or CCM instead of CBC, using hash sizes other than SHA-384, or using
2985 Encrypt-then-Mac (RFC 7366) were not affected. The vulnerability was
2986 caused by a miscalculation (for SHA-384) in a countermeasure to the
2997 instead of CBC or using Encrypt-then-Mac (RFC 7366) were not affected.
2999 * Add a counter-measure against a vulnerability in TLS ciphersuites based
3005 Encrypt-then-Mac (RFC 7366) were not affected. Found by Kenny Paterson,
3009 * Add new crypto primitives from RFC 7539: stream cipher Chacha20, one-time
3010 authenticator Poly1305 and AEAD construct Chacha20-Poly1305. Contributed
3012 * Add support for CHACHA20-POLY1305 ciphersuites from RFC 7905.
3013 * Add platform support for the Haiku OS. (https://www.haiku-os.org).
3020 * Add support for key wrapping modes based on AES as defined by
3021 NIST SP 800-38F algorithms KW and KWP and by RFC 3394 and RFC 5649.
3048 CBC based ciphersuite is used together with Encrypt-then-MAC. Previously,
3053 * Fix ssl_client2 example to send application data with 0-length content
3058 * Fix build using -std=c99. Fixed by Nick Wilson.
3062 zero-length messages when using TLS 1.2. Contributed by Espressif Systems.
3064 when calling with a NULL salt and non-zero salt_len. Contributed by
3068 * Allow overriding the time on Windows via the platform-time abstraction.
3070 * Use gmtime_r/gmtime_s for thread-safety. Fixed by Nick Wilson.
3072 = mbed TLS 2.11.0 branch released 2018-06-18
3077 * Implement the HMAC-based extract-and-expand key derivation function
3079 * Add support for the CCM* block cipher mode as defined in IEEE Std. 802.15.4.
3080 * Add support for the XTS block cipher mode with AES (AES-XTS).
3082 * In TLS servers, support offloading private key operations to an external
3084 non-blocking operation of the TLS server stack.
3101 = mbed TLS 2.10.0 branch released 2018-06-06
3104 * Add support for ARIA cipher (RFC 5794) and associated TLS ciphersuites
3119 * Fix an issue with MicroBlaze support in bn_mul.h which was causing the
3120 build to fail. Found by zv-io. Fixes #1651.
3123 * Support TLS testing in out-of-source builds using cmake. Fixes #1193.
3127 = mbed TLS 2.9.0 branch released 2018-04-30
3130 * Fix an issue in the X.509 module which could lead to a buffer overread
3131 during certificate validation. Additionally, the issue could also lead to
3134 would require a non DER-compliant certificate to be correctly signed by a
3135 trusted CA, or a trusted CA with a non DER-compliant certificate. Found by
3143 * Fix a client-side bug in the validation of the server's ciphersuite choice
3153 * Add initial support for Curve448 (RFC 7748). Only mbedtls_ecp_mul() and
3166 underlying transport in case event-driven IO is used.
3172 in configurations that omit certain hashes or public-key algorithms.
3194 in the internal buffers; these cases led to deadlocks when event-driven
3208 * Support cmake builds where Mbed TLS is a subproject. Fix contributed
3211 public-key algorithms. Includes contributions by Gert van Dijk.
3230 * Add an option in the Makefile to support ar utilities where the operation
3231 letter must not be prefixed by '-', such as LLVM. Found and fixed by
3241 HMAC functions with non-HMAC ciphersuites. Independently contributed
3244 FIPS 186-4. Contributed by Jethro Beekman. #1380
3252 = mbed TLS 2.8.0 branch released 2018-03-16
3279 * Extend PKCS#8 interface by introducing support for the entire SHA
3282 uses PBKDF2-SHA2, such as OpenSSL 1.1. Submitted by Antonio Quartulli,
3284 * Add support for public keys encoded in PKCS#1 format. #1122
3287 * Deprecate support for record compression (configuration option
3293 * Fix test_suite_pk to work on 64-bit ILP32 systems. #849
3305 Nick Wilson on issue #355
3319 * Fix a 1-byte heap buffer overflow (read-only) during private key parsing.
3320 Found through fuzz testing.
3326 * Remove support for the library reference configuration for picocoin.
3333 = mbed TLS 2.7.0 branch released 2018-02-03
3336 * Fix a heap corruption issue in the implementation of the truncated HMAC
3340 code execution. The issue could be triggered remotely from either side in
3341 both TLS and DTLS. CVE-2018-0488
3342 * Fix a buffer overflow in RSA-PSS verification when the hash was too large
3345 Qualcomm Technologies Inc. CVE-2018-0487
3346 * Fix buffer overflow in RSA-PSS verification when the unmasked data is all
3354 latter overflows. The exploitability of this issue depends on whether the
3355 application layer can be forced into sending such large packets. The issue
3356 was independently reported by Tim Nordell via e-mail and by Florin Petriuc
3367 * Make mbedtls_mpi_read_binary() constant-time with respect to the input
3373 * Fix a potential heap buffer over-read in ALPN extension parsing
3374 (server-side). Could result in application crash, but only if an ALPN
3377 to RFC 3526 containing parameters generated in a nothing-up-my-sleeve
3384 * New unit tests for timing. Improve the self-test to be more robust
3385 when run on a heavily-loaded machine.
3386 * Add alternative implementation support for CCM and CMAC (MBEDTLS_CCM_ALT,
3388 * Add support for alternative implementations of GCM, selected by the
3390 * Add support for alternative implementations for ECDSA, controlled by new
3396 * Add support for alternative implementation of ECDH, controlled by the
3402 * Add support for alternative implementation of ECJPAKE, controlled by
3407 * Extend RSA interface by multiple functions allowing structure-
3420 mbedtls_<MODULE>_starts() -> mbedtls_<MODULE>_starts_ret()
3421 mbedtls_<MODULE>_update() -> mbedtls_<MODULE>_update_ret()
3422 mbedtls_<MODULE>_finish() -> mbedtls_<MODULE>_finish_ret()
3423 mbedtls_<MODULE>_process() -> mbedtls_internal_<MODULE>_process()
3426 * Deprecate usage of RSA primitives with non-matching key-type
3451 renegotiated handshakes would only accept signatures using SHA-1
3452 regardless of the peer's preferences, or fail if SHA-1 was disabled.
3456 * Fix some invalid RSA-PSS signatures with keys of size 8N+1 that were
3458 * Fix out-of-memory problem when parsing 4096-bit PKCS8-encrypted RSA keys.
3471 * Correct extraction of signature-type from PK instance in X.509 CRT and CSR
3475 non-v3 CRT's.
3480 MBEDTLS_SSL_RENEGOTIATION is disabled. Found by erja-gp.
3485 * Add size-checks for record and handshake message content, securing
3486 fragile yet non-exploitable code-paths.
3500 * Fix an issue in the cipher decryption with the mode
3522 * Only run AES-192 self-test if AES-192 is available. Fixes #963.
3533 * Add explicit warnings for the use of MD2, MD4, MD5, SHA-1, DES and ARC4
3536 = mbed TLS 2.6.0 branch released 2017-08-10
3552 platform-specific setup and teardown operations. The macro
3564 * Certificate verification functions now set flags to -1 in case the full
3576 always be implemented by pthread support. #696
3581 * Fix conditional preprocessor directives in bignum.h to enable 64-bit
3585 to bypass the version verification check. Found by Peng Li/Yueh-Hsun Lin,
3589 to bypass the version verification check. Found by Peng Li/Yueh-Hsun Lin,
3601 64-bit division. This is useful on embedded platforms where 64-bit division
3607 config-no-entropy.h to reduce the RAM footprint.
3612 = mbed TLS 2.5.1 released 2017-06-21
3615 * Fixed unlimited overread of heap-based buffer in mbedtls_ssl_read().
3616 The issue could only happen client-side with renegotiation enabled.
3620 * Removed SHA-1 and RIPEMD-160 from the default hash algorithms for
3621 certificate verification. SHA-1 can be turned back on with a compile-time
3626 potential Bleichenbacher/BERserk-style attack.
3631 and with GCC using the -Wpedantic compilation option.
3632 * Fix insufficient support for signature-hash-algorithm extension,
3659 by Jean-Philippe Aumasson.
3661 = mbed TLS 2.5.0 branch released 2017-05-17
3668 against side-channel attacks like the cache attack described in
3674 * Add hardware acceleration support for the Elliptic Curve Point module.
3677 replacement support for enabling the extension of the interface.
3687 mbedtls_aes_decrypt() -> mbedtls_internal_aes_decrypt()
3688 mbedtls_aes_encrypt() -> mbedtls_internal_aes_encrypt()
3691 * Remove macros from compat-1.3.h that correspond to deleted items from most
3693 * Fixed issue in the Threading module that prevented mutexes from
3695 * Add checks in the PK module for the RSA functions on 64-bit systems.
3700 = mbed TLS 2.4.2 branch released 2017-03-08
3704 using RSA through the PK module in 64-bit systems. The issue was caused by
3707 mbedtls_pk_sign(). Found by Jean-Philippe Aumasson.
3711 loop. The issue can be triggered remotely. Found by Greg Zaverucha,
3721 team. #569 CVE-2017-2784
3725 traversing a chain of trusted CA. The issue would cause both flags,
3730 mbedtls_ssl_set_bio_timeout in compat-1.3.h, by removing it.
3731 Found by omlib-lin. #673
3752 Li/Yueh-Hsun Lin, KNOX Security, Samsung Research America.
3768 = mbed TLS 2.4.1 branch released 2016-12-13
3771 * Update to CMAC test data, taken from - NIST Special Publication 800-38B -
3775 = mbed TLS 2.4.0 branch released 2016-10-17
3779 with RFC-5116 and could lead to session key recovery in very long TLS
3780 sessions. "Nonce-Disrespecting Adversaries Practical Forgery Attacks on GCM in
3781 TLS" - H. Bock, A. Zauner, S. Devlin, J. Somorovsky, P. Jovanovic.
3786 issue cannot be triggered remotely. Found by Jethro Beekman.
3789 * Added support for CMAC for AES and 3DES and AES-CMAC-PRF-128, as defined by
3790 NIST SP 800-38B, RFC-4493 and RFC-4615.
3798 * Added a configuration file config-no-entropy.h that configures the subset of
3808 * Fix dependency issue in Makefile to allow parallel builds.
3811 * Fix for key exchanges based on ECDH-RSA or ECDH-ECDSA which weren't
3813 * Fix for out-of-tree builds using CMake. Found by jwurzer, and fix based on
3826 subramanyam-c. #622
3833 Found by subramanyam-c. #626
3834 * Fix compatibility issue with Internet Explorer client authentication,
3841 * Removed self-tests from the basic-built-test.sh script, and added all
3842 missing self-tests to the test suites, to ensure self-tests are only
3844 * Added support for 3 and 4 byte lengths to mbedtls_asn1_write_len().
3845 * Added support for a Yotta specific configuration file -
3856 = mbed TLS 2.3.0 branch released 2016-06-28
3869 * Support for platform abstraction of the standard C library time()
3874 arguments were the same (in-place doubling). Found and fixed by Janos
3878 * Fix issue in Makefile that prevented building using armar. #386
3881 * Fix an issue that caused valid certificates to be rejected whenever an
3886 * Fix issue that caused a hang when generating RSA keys of odd bitlength
3889 * Fix issue that caused a crash if invalid curves were passed to
3891 * Fix issue in ssl_fork_server which was preventing it from functioning. #429
3893 * Fix test in ssl-opt.sh that does not run properly with valgrind
3897 * On ARM platforms, when compiling with -O0 with GCC, Clang or armcc5,
3899 the need to pass -fomit-frame-pointer to avoid a build error with -O0.
3903 * Fix non-compliance server extension handling. Extensions for SSLv3 are now
3906 = mbed TLS 2.2.1 released 2016-01-05
3918 * Fix over-restrictive length limit in GCM. Found by Andreas-N. #362
3930 = mbed TLS 2.2.0 released 2015-11-04
3948 * Experimental support for EC J-PAKE as defined in Thread 1.0.0.
3951 block. (Potential uses include EAP-TLS and Thread.)
3954 * Self-signed certificates were not excluded from pathlen counting,
3957 * Fix build error with configurations where ECDHE-PSK is the only key
3959 * Fix build error with configurations where RSA, RSA-PSK, ECDH-RSA or
3960 ECDH-ECDSA is the only key exchange. Multiple reports. #310
3961 * Fixed a bug causing some handshakes to fail due to some non-fatal alerts
3962 not being properly ignored. Found by mancha and Kasom Koht-arsa, #308
3965 minimum key size for end-entity certificates with RSA keys. Found by
3976 or -1.
3978 = mbed TLS 2.1.2 released 2015-10-06
3981 * Added fix for CVE-2015-5291 to prevent heap corruption due to buffer
3984 * Fix potential double-free if mbedtls_ssl_set_hs_psk() is called more than
4001 buffer is 512MB or larger on 32-bit platforms. Found by Guido Vranken,
4003 * Fix potential double-free if mbedtls_conf_psk() is called repeatedly on
4022 = mbed TLS 2.1.1 released 2015-09-17
4025 * Add countermeasure against Lenstra's RSA-CRT attack for PKCS#1 v1.5
4027 https://securityblog.redhat.com/2015/09/02/factoring-rsa-keys-with-tls-perfect-forward-secrecy/
4028 * Fix possible client-side NULL pointer dereference (read) when the client
4031 afl-fuzz.)
4035 * Fix off-by-one error in parsing Supported Point Format extension that
4046 MBEDTLS_ERR_SSL_CLIENT_RECONNECT - it is then possible to start a new
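The 2.1.1 entry above adds a countermeasure against Lenstra's RSA-CRT fault attack. The following added example (Python, not mbed TLS code) shows the attack and the countermeasure on a deliberately tiny toy key: CRT signing computes the result separately mod p and mod q, so if one half is corrupted the signature is still correct mod p but wrong mod q, and gcd(s^e - m, n) reveals p. The defence is to recompute the public operation on the result and refuse to release a signature that does not verify. The primes 1000000007 and 998244353 and the sample message are assumptions chosen for speed; the arithmetic is identical at real key sizes.

```python
"""Lenstra's RSA-CRT fault attack and verify-after-sign (added example)."""
import math

# Toy key material (assumption for this example; never use such small primes).
P = 1000000007
Q = 998244353
E = 65537


def make_key(p=P, q=Q, e=E):
    """Return (n, e, d, p, q, dp, dq, qinv). The d*e == 1 mod (p-1)(q-1)
    check is the same consistency relation a private-key check enforces."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)
    if (d * e) % phi != 1:
        raise ValueError("inconsistent RSA private key")
    return (n, e, d, p, q, d % (p - 1), d % (q - 1), pow(q, -1, p))


def sign_crt(key, m, fault_in_q=False):
    """RSA private operation via CRT (Garner recombination). fault_in_q
    simulates a computational fault in the mod-q half."""
    n, e, d, p, q, dp, dq, qinv = key
    sp = pow(m, dp, p)
    sq = pow(m, dq, q)
    if fault_in_q:
        sq = (sq + 1) % q          # any corruption of the mod-q half will do
    h = (qinv * (sp - sq)) % p
    return sq + h * q


def sign_crt_checked(key, m, fault_in_q=False):
    """Countermeasure: verify the result with the public key before
    releasing it, so a faulty signature never leaves the signer."""
    n, e = key[0], key[1]
    s = sign_crt(key, m, fault_in_q)
    if pow(s, e, n) != m:
        raise RuntimeError("RSA private operation failed self-check; result withheld")
    return s


def recover_factor(n, e, m, faulty_sig):
    """Lenstra: s^e - m == 0 (mod p) but != 0 (mod q), so the gcd is p.
    With deterministic PKCS#1 v1.5 padding the attacker knows m exactly."""
    return math.gcd((pow(faulty_sig, e, n) - m) % n, n)


def countermeasure_blocks_fault(key, m):
    """True if the checked signer withholds the faulty signature."""
    try:
        sign_crt_checked(key, m, fault_in_q=True)
    except RuntimeError:
        return True
    return False


def demo():
    """(good signature verifies, faulty signature leaks p, trivial gcd?)"""
    key = make_key()
    n, e = key[0], key[1]
    m = 0x1234567890ABCDEF % n     # toy "encoded message", an integer below n
    good = sign_crt(key, m)
    bad = sign_crt(key, m, fault_in_q=True)
    factor = recover_factor(n, e, m, bad)
    return pow(good, e, n) == m, factor == key[3], factor == 1
```

demo() returns (True, True, False): one faulty signature is enough to factor n. The check costs one extra public-exponent exponentiation per signature, which is why it is an acceptable default on any signer that might be exposed to glitches, bit flips or bad hardware.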
4049 = mbed TLS 2.1.0 released 2015-09-04
4052 * Added support for yotta as a build system.
4057 * Fix build error with CMake and pre-4.5 versions of GCC (found by Hugo
4065 * Fix compile error with armcc 5 with --gnu option.
4070 * Fix missing -static-libgcc when building shared libraries for Windows
4079 * Fix -Wshadow warnings (found by hnrkp) (#240)
4081 SSL_MAX_CONTENT_LEN or higher - not triggerable remotely (found by
4089 * It is now possible to #include a user-provided configuration file at the
4093 trusted, no later cert is checked. (suggested by hannes-landeholm)
4095 * Prepend a "thread identifier" to debug messages (issue pointed out by
4100 = mbed TLS 2.0.0 released 2015-07-13
4103 * Support for DTLS 1.0 and 1.2 (RFC 6347).
4107 * New server-side implementation of session tickets that rotate keys to
4113 * Introduced a concept of presets for SSL security-relevant configuration
4121 Migration helpers scripts/rename.pl and include/mbedtls/compat-1.3.h are
4122 provided. Full list of renamings in scripts/data_files/rename-1.3-2.0.txt
4124 mbedtls_cipher_info_t.key_length -> key_bitlen
4125 mbedtls_cipher_context_t.key_length -> key_bitlen
4126 mbedtls_ecp_curve_info.size -> bit_size
4131 mbedtls_ssl_init() -> mbedtls_ssl_setup()
4132 mbedtls_ccm_init() -> mbedtls_ccm_setkey()
4133 mbedtls_gcm_init() -> mbedtls_gcm_setkey()
4134 mbedtls_hmac_drbg_init() -> mbedtls_hmac_drbg_seed(_buf)()
4135 mbedtls_ctr_drbg_init() -> mbedtls_ctr_drbg_seed()
4141 (see rename.pl and compat-1.3.h above) and their first argument's type
4144 additional callback for read-with-timeout).
4163 mbedtls_x509_crt_verify() (flags, f_vrfy -> needs to be updated)
4164 mbedtls_ssl_conf_verify() (f_vrfy -> needs to be updated)
4165 * The following functions changed prototype to avoid an in-out length
4183 * Test certificates in certs.c are no longer guaranteed to be nul-terminated
4193 (support for renegotiation now needs explicit enabling in config.h).
4212 * Removed compat-1.2.h (helper for migrating from 1.2 to 1.3).
4216 been removed (compiler is required to support 32-bit operations).
4219 * Removed test program ssl_test, superseded by ssl-opt.sh.
4220 * Removed helper script active-config.pl
4226 Semi-API changes (technically public, morally private)
4241 * Support for receiving SSLv2 ClientHello is now disabled by default at
4244 * Support for RSA_ALT contexts in the PK layer is now optional. Since it is
4247 * Default DHM parameters server-side upgraded from 1024 to 2048 bits.
4251 * The following functions are now case-sensitive:
4259 * The minimum MSVC version required is now 2010 (better C99 support).
4261 * Compiler is required to support C99 types such as long long and uint32_t.
4270 * DTLS no longer hard-depends on TIMING_C, but uses a callback interface
4279 thread-safe if MBEDTLS_THREADING_C is enabled.
4280 * Reduced ROM footprint of SHA-256 and added an option to reduce it even
4289 * Add countermeasure against "Lucky 13 strikes back" cache-based attack,
4296 * Add support for reading DH parameters with privateValueLength included
4298 * Add support for bit strings in X.509 names (request by Fredrik Axelsson).
4299 * Add support for id-at-uniqueIdentifier in X.509 names.
4300 * Add support for overriding snprintf() (except on Windows) and exit() in
4305 cross-compilation easier (thanks to Alon Bar-Lev).
4306 * The benchmark program also prints heap usage for public-key primitives
4308 * New script ecc-heap.sh helps measuring the impact of ECC parameters on
4311 reduced configurations (PSK-CCM and NSA suite B).
4330 * Fix detection of support for getrandom() on Linux (reported by syzzer) by
4338 * Fix bug in Via Padlock support (found by Nikos Mavrogiannopoulos).
4343 * Fix potential unintended sign extension in asn1_get_len() on 64-bit
4350 * Add missing dependency on SHA-256 in some x509 programs (reported by
4361 * compat-1.2.h and openssl.h are deprecated.
4364 (contributed by Alon Bar-Lev).
4367 * Move from SHA-1 to SHA-256 in example programs using signatures
4375 = mbed TLS 1.3.10 released 2015-02-09
4377 * NULL pointer dereference in the buffer-based allocator when the buffer is
4381 * Fix remotely-triggerable uninitialised pointer dereference caused by
4384 * Fix remotely-triggerable memory leak caused by crafted X.509 certificates
4391 Bleichenbacher-style attack in the RSA and RSA-PSK key exchanges
4395 * Add support for FALLBACK_SCSV (draft-ietf-tls-downgrade-scsv).
4396 * Add support for Extended Master Secret (draft-ietf-tls-session-hash).
4397 * Add support for Encrypt-then-MAC (RFC 7366).
4400 * Add compile-time option POLARSSL_X509_MAX_INTERMEDIATE_CA to limit the
4402 * Support for renegotiation can now be disabled at compile-time
4403 * Support for 1/n-1 record splitting, a countermeasure against BEAST.
4404 * Certificate selection based on signature hash, preferring SHA-1 over SHA-2
4405 for pre-1.2 clients when multiple certificates are available.
4406 * Add support for getrandom() syscall on recent Linux kernels with Glibc or
4415 add_len (found by Jean-Philippe Aumasson) (not triggerable remotely).
4431 issue with some servers when a zero-length extension was sent. (Reported
4433 * On a 0-length input, base64_encode() did not correctly set output length
4440 * ssl_set_own_cert() now returns an error on key-certificate mismatch.
4446 * It is now possible to disable negotiation of truncated HMAC server-side
4452 = PolarSSL 1.3.9 released 2014-10-20
4456 * Remotely-triggerable memory leak when parsing some X.509 certificates
4459 * Remotely-triggerable memory leak when parsing crafted ClientHello
4460 (not affected if ECC support was compiled out) (found using Codenomicon
4464 * Support escaping of commas in x509_string_to_names()
4466 * Fix net_accept() regarding non-blocking sockets (found by Luca Pesce).
4468 * Fix warnings from Clang's scan-build (contributed by Alfred Klomp).
4471 * Remove non-existent file from VS projects (found by Peter Vaskovic).
4472 * ssl_read() could return non-application data records on server while
4474 * Server-initiated renegotiation would fail with non-blocking I/O if the
4477 with non-blocking I/O.
4485 * Ciphersuites using SHA-256 or SHA-384 now require TLS 1.x (there is no
4486 standard defining how to use SHA-2 with SSL 3.0).
4487 * Ciphersuites using RSA-PSK key exchange now require TLS 1.x (the spec is
4499 = PolarSSL 1.3.8 released 2014-07-11
4507 * Support for CCM and CCM_8 ciphersuites
4508 * Support for parsing and verifying RSASSA-PSS signatures in the X.509
4515 * Add server-side enforcement of sent renegotiation requests
4534 * Remove less-than-zero checks on unsigned numbers
4546 rejected with CBC-based ciphersuites and TLS >= 1.1
4548 to 32 bytes with CBC-based ciphersuites and TLS >= 1.1
4551 * Restore ability to locally trust a self-signed cert that is not a proper
4557 * Fix off-by-one error in parsing Supported Point Format extension that
4559 * Fix possible miscomputation of the premaster secret with DHE-PSK key
4568 = PolarSSL 1.3.7 released on 2014-05-02
4572 * version_check_feature() added to check for compile-time options at
4573 run-time
4579 * Better support for the different Attribute Types from IETF PKIX (RFC 5280)
4580 * AES-NI now compiles with "old" assemblers too
4596 big-endian platform when size was not an integer number of limbs
4603 = PolarSSL 1.3.6 released on 2014-04-11
4606 * Support for the ALPN SSL extension
4624 This affects certificates in the user-supplied chain except the top
4625 certificate. If the user-supplied chain contains only one certificates,
4644 * dhm_parse_dhm() (hence dhm_parse_dhmfile()) did not set dhm->len.
4645 * Calling pk_debug() on an RSA-alt key would segfault.
4646 * pk_get_size() and pk_get_len() were off by a factor 8 for RSA-alt keys.
4652 = PolarSSL 1.3.5 released on 2014-03-26
4654 * HMAC-DRBG as a separate module
4658 * Ability to force the entropy module to use SHA-256 as its basis
4660 * Testing script ssl-opt.sh added for testing 'live' ssl option
4662 * Support for reading EC keys that use SpecifiedECDomain in some cases.
4668 now thread-safe if POLARSSL_THREADING_C defined
4672 * Revamped the compat.sh interoperability script to include support for
4684 * Possible remotely-triggered out-of-bounds memory access fixed (found by
4691 * Fixed testing with out-of-source builds using cmake
4692 * Fixed version-major intolerance in server
4693 * Fixed CMake symlinking on out-of-source builds
4696 * Bignum's MIPS-32 assembly was used on MIPS-64, causing chaos. (Found by
4700 * Fixed bug with session tickets and non-blocking I/O in the unlikely case
4713 = PolarSSL 1.3.4 released on 2014-01-27
4715 * Support for the Koblitz curves: secp192k1, secp224k1, secp256k1
4716 * Support for RIPEMD-160
4717 * Support for AES CFB8 mode
4718 * Support for deterministic ECDSA (RFC 6979)
4732 = PolarSSL 1.3.3 released on 2013-12-31
4734 * EC key generation support in gen_key app
4735 * Support for adhering to client ciphersuite order preference
4737 * Support for Curve25519
4738 * Support for ECDH-RSA and ECDH-ECDSA key exchanges and ciphersuites
4739 * Support for IPv6 in the NET module
4740 * AES-NI support for AES, AES-GCM and AES key scheduling
4741 * SSL Pthread-based server example added (ssl_pthread_server)
4747 * Dropped use of readdir_r() instead of readdir() with threading support
4748 * More constant-time checks in the RSA module
4756 * Fixed X.509 hostname comparison (with non-regular characters)
4769 * Possible remotely-triggered out-of-bounds memory access fixed (found by
4772 = PolarSSL 1.3.2 released on 2013-11-04
4776 * Support for Camellia-GCM mode and ciphersuites
4779 * Padding checks in cipher layer are now constant-time
4780 * Value comparisons in SSL layer are now constant-time
4781 * Support for serialNumber, postalAddress and postalCode in X509 names
4793 * Server-side initiated renegotiations send HelloRequest
4795 = PolarSSL 1.3.1 released on 2013-10-15
4797 * Support for Brainpool curves and TLS ciphersuites (RFC 7027)
4798 * Support for ECDHE-PSK key-exchange and ciphersuites
4799 * Support for RSA-PSK key-exchange and ciphersuites
4805 * config.h is more script-friendly
4813 * Better support for MSVC
4817 = PolarSSL 1.3.0 released on 2013-10-01
4821 * Ephemeral Elliptic Curve Diffie Hellman support for SSL/TLS
4822 (ECDHE-based ciphersuites)
4823 * Ephemeral Elliptic Curve Digital Signature Algorithm support for SSL/TLS
4824 (ECDSA-based ciphersuites)
4826 * PSK and DHE-PSK based ciphersuites added
4828 * Buffer-based memory allocator added (no malloc() / free() / HEAP usage)
4833 * Support for max_fragment_length extension (RFC 6066)
4834 * Support for truncated_hmac extension (RFC 6066)
4835 * Support for zeros-and-length (ANSI X.923) padding, one-and-zeros
4836 (ISO/IEC 7816-4) padding and zero padding in the cipher layer
4837 * Support for session tickets (RFC 5077)
4843 * Support for multiple active certificate / key pairs in SSL servers for
4852 dynamically set (Better support for hardware acceleration)
4865 * Also compiles / runs without time-based functions (!POLARSSL_HAVE_TIME)
4866 * Support faulty X509 v1 certificates with extensions
4872 * Support for AIX header locations in net.c module
4877 (found by Cyril Arnaud and Pierre-Alain Fouque)
4880 = Version 1.2.14 released 2015-05-??
4888 * Add countermeasure against "Lucky 13 strikes back" cache-based attack,
4892 * Fix bug in Via Padlock support (found by Nikos Mavrogiannopoulos).
4896 * Fix potential unintended sign extension in asn1_get_len() on 64-bit
4899 = Version 1.2.13 released 2015-02-16
4904 * Fix remotely-triggerable uninitialised pointer dereference caused by
4907 * Fix remotely-triggerable memory leak caused by crafted X.509 certificates
4920 add_len (found by Jean-Philippe Aumasson) (not triggerable remotely).
4930 issue with some servers when a zero-length extension was sent. (Reported
4932 * On a 0-length input, base64_encode() did not correctly set output length
4938 * Add compile-time option POLARSSL_X509_MAX_INTERMEDIATE_CA to limit the
4940 = Version 1.2.12 released 2014-10-24
4943 * Remotely-triggerable memory leak when parsing some X.509 certificates
4951 with non-blocking I/O.
4955 * Fix net_accept() regarding non-blocking sockets (found by Luca Pesce).
4956 * ssl_read() could return non-application data records on server while
4958 * Fix warnings from Clang's scan-build (contributed by Alfred Klomp).
4967 = Version 1.2.11 released 2014-07-11
4995 * Fixed X.509 hostname comparison (with non-regular characters)
5008 * Fixed testing with out-of-source builds using cmake
5009 * Fixed version-major intolerance in server
5010 * Fixed CMake symlinking on out-of-source builds
5011 * Bignum's MIPS-32 assembly was used on MIPS-64, causing chaos. (Found by
5026 big-endian platform when size was not an integer number of limbs
5037 = Version 1.2.10 released 2013-10-07
5039 * Changed RSA blinding to a slower but thread-safe version
5046 = Version 1.2.9 released 2013-10-01
5059 (found by Cyril Arnaud and Pierre-Alain Fouque)
5061 = Version 1.2.8 released 2013-06-19
5065 * Centralized module option values in config.h to allow user-defined
5089 * Fixed bignum.c and bn_mul.h to support Thumb2 and LLVM compiler
5090 * Fixed values for 2-key Triple DES in cipher layer
5095 PEM-encoded certificates has been fixed (found by Jack Lloyd)
5097 = Version 1.2.7 released 2013-04-13
5102 * Default Blowfish keysize is now 128-bits
5107 * GCM adapted to support sizes > 2^29
5109 = Version 1.2.6 released 2013-03-11
5112 * Corrected GCM counter incrementation to use only 32-bits instead of
5113 128-bits (found by Yawning Angel)
5114 * Fixes for 64-bit compilation with MS Visual Studio
5122 * Added support for custom labels when using rsa_rsaes_oaep_encrypt()
5124 * Re-added handling for SSLv2 Client Hello when the define
5136 = Version 1.2.5 released 2013-02-02
5138 * Allow enabling of dummy error_strerror() to support some use-cases
5141 * Sending of security-relevant alert messages that do not break
5149 = Version 1.2.4 released 2013-01-25
5161 = Version 1.2.3 released 2012-11-26
5165 = Version 1.2.2 released 2012-11-24
5169 * During verify trust-CA is only checked for expiration and CRL presence
5175 = Version 1.2.1 released 2012-11-20
5178 bottom-up (Peer cert depth is 0)
5184 Pégourié-Gonnard)
5186 Pégourié-Gonnard)
5189 = Version 1.2.0 released 2012-10-31
5191 * Added support for NULL cipher (POLARSSL_CIPHER_NULL_CIPHER) and weak
5194 * Added support for wildcard certificates
5195 * Added support for multi-domain certificates through the X509 Subject
5197 * Added preliminary ASN.1 buffer writing support
5198 * Added preliminary X509 Certificate Request writing support
5202 * Added TLS 1.2 support (RFC 5246)
5205 * Added support for Hardware Acceleration hooking in SSL/TLS
5208 * Added X509 CA Path support
5210 * Added DEFLATE compression support as per RFC3749 (requires zlib)
5222 * Fixed const-correctness mpi_get_bit()
5224 * Moved out_msg to out_hdr + 32 to support hardware acceleration
5257 = Version 1.1.8 released on 2013-10-01
5263 * Potential buffer-overflow for ssl_read_record() (independently found by
5268 = Version 1.1.7 released on 2013-06-19
5277 * Fixed values for 2-key Triple DES in cipher layer
5282 PEM-encoded certificates has been fixed (found by Jack Lloyd)
5284 = Version 1.1.6 released on 2013-03-11
5289 * Allow enabling of dummy error_strerror() to support some use-cases
5300 = Version 1.1.5 released on 2013-01-16
5311 Pégourié-Gonnard)
5313 Pégourié-Gonnard)
5324 = Version 1.1.4 released on 2012-05-31
5330 = Version 1.1.3 released on 2012-04-29
5334 = Version 1.1.2 released on 2012-04-26
5341 Frama-C team at CEA LIST)
5345 = Version 1.1.1 released on 2012-01-23
5349 * Fixed issues with Intel compiler on 64-bit systems (Closes ticket #50)
5353 = Version 1.1.0 released on 2011-12-22
5355 * Added ssl_session_reset() to allow better multi-connection pools of
5356 SSL contexts without needing to set all non-connection-specific
5363 * Added CTR_DRBG based on AES-256-CTR (NIST SP 800-90) random generator
5364 * Added a generic entropy accumulator that provides support for adding
5372 * Increased maximum size of ASN1 length reads to 32-bits.
5377 * Changed the defined key-length of DES ciphers in cipher.h to include the
5379 * Loads of minimal changes to better support WINCE as a build target
5382 trade-off
5391 encountering a parse-error. Beware that the meaning of return values has
5396 * Fixed faulty HMAC-MD2 implementation. Found by dibac. (Closes
5402 * Fixed incorrect behaviour in case of RSASSA-PSS with a salt length
5406 * Improved build support for s390x and sparc64 in bignum.h
5411 = Version 1.0.0 released on 2011-07-27
5413 * Expanded cipher layer with support for CFB128 and CTR mode
5424 = Version 0.99-pre5 released on 2011-05-26
5457 = Version 0.99-pre4 released on 2011-04-01
5459 * Added support for PKCS#1 v2.1 encoding and thus support
5460 for the RSAES-OAEP and RSASSA-PSS operations.
5475 platform (32-bit / 64-bit) (Fixes ticket #19, found by Mads
5479 * Fixed proper handling of RSASSA-PSS verification with variable
5482 = Version 0.99-pre3 released on 2011-02-28
5483 This release replaces version 0.99-pre2 which had possible copyright issues.
5492 ticket #13). Also possible to remove PEM support for
5498 * Support more exotic OID's when parsing certificates
5500 * Support more exotic name representations when parsing
5508 * Fixed a possible Man-in-the-Middle attack on the
5512 = Version 0.99-pre1 released on 2011-01-30
5514 Note: Most of these features have been donated by Fox-IT
5522 * Improvements to support integration in other
5530 * Added support for PKCS#11 through the use of the
5531 libpkcs11-helper library
5542 = Version 0.14.0 released on 2010-08-16
5544 * Added support for SSL_EDH_RSA_AES_128_SHA and
5546 * Added compile-time and run-time version information
5548 * Added support for TLS v1.1
5566 = Version 0.13.1 released on 2010-03-24
5571 = Version 0.13.0 released on 2010-03-21
5575 * Added support for GeneralizedTime in X509 parsing
5587 * Added reset function for HMAC context as speed-up
5588 for specific use-cases
5599 = Version 0.12.1 released on 2009-10-04
5601 * Coverage test definitions now support 'depends_on'
5610 = Version 0.12.0 released on 2009-07-28
5614 Base64, MPI, SHA-family, MD-family, HMAC-SHA-family,
5615 Camellia, DES, 3-DES, RSA PKCS#1, XTEA, Diffie-Hellman
5631 * Fixed HMAC-MD2 by modifying md2_starts(), so that the
5652 * Fixed Camellia and XTEA for 64-bit Windows systems.
5654 = Version 0.11.1 released on 2009-05-17
5655 * Fixed missing functionality for SHA-224, SHA-256, SHA-384,
5656 SHA-512 in rsa_pkcs1_sign()
5658 = Version 0.11.0 released on 2009-05-03
5662 * Added support for SHA-224, SHA-256, SHA-384 and SHA-512
5672 * Made definition of net_htons() endian-clean for big endian
5676 * Fixed an off-by-one buffer allocation in ssl_set_hostname()
5678 * Added support for Certificate Revocation List (CRL) parsing.
5679 * Added support for CRL revocation to x509parse_verify() and
5681 * Fixed compatibility of XTEA and Camellia on a 64-bit system
5684 = Version 0.10.0 released on 2009-01-12
5688 * Added support for ciphersuites: SSL_RSA_CAMELLIA_128_SHA,
5696 = Version 0.9 released on 2008-03-16
5698 * Added support for ciphersuite: SSL_RSA_AES_128_SHA
5699 * Enabled support for large files by default in aescrypt2.c
5702 be sent twice in non-blocking mode when send returns EAGAIN
5705 * Added user-defined callback debug function (Krystian Kolodziej)
5711 output data is non-aligned by falling back to the software
5712 implementation, as VIA Nehemiah cannot handle non-aligned buffers
5714 Robson-Garth; some x509write.c fixes by Pascal Vizeli, thanks to
5718 * Added support on the client side for the TLS "hostname" extension
5723 * Updated rsa_check_privkey() to verify that (D*E) = 1 % (P-1)*(Q-1)
5724 * Disabled obsolete hash functions by default (MD2, MD4); updated
5726 * Updated x509parse_cert_info() to correctly display byte 0 of the
5728 * Fixed a critical denial-of-service with X.509 cert. verification:
5731 * Added test vectors for: AES-CBC, AES-CFB, DES-CBC and 3DES-CBC,
5732 HMAC-MD5, HMAC-SHA1, HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512
5733 * Fixed HMAC-SHA-384 and HMAC-SHA-512 (thanks to Josh Sinykin)
5736 as the Klima-Pokorny-Rosa extension of Bleichenbacher's attack
5737 * Updated rsa_gen_key() so that ctx->N is always nbits in size
5741 = Version 0.8 released on 2007-10-20
5749 * Added user-defined callbacks for handling I/O and sessions
5752 * Added preliminary support for the VIA PadLock routines
5753 * Added AES-CFB mode of operation, contributed by chmike
5755 * Updated the RSA PKCS#1 code to allow choosing between
5757 * Updated ssl_read() to skip 0-length records from OpenSSL
5759 * Fixed a bug in mpi_read_binary() on 64-bit platforms
5766 = Version 0.7 released on 2007-07-07
5768 * Added support for the MicroBlaze soft-core processor
5770 connections from being established with non-blocking I/O
5773 * Added HMAC starts/update/finish support functions
5774 * Added the SHA-224, SHA-384 and SHA-512 hash functions
5782 = Version 0.6 released on 2007-04-01
5788 * Added multiply assembly code for 64-bit PowerPCs,
5790 * Added experimental support of Quantum Cryptography
5791 * Added support for autoconf, contributed by Arnaud Cornet
5792 * Fixed "long long" compilation issues on IA-64 and PPC64
5793 * Fixed a bug introduced in xyssl-0.5/timing.c: hardclock
5796 = Version 0.5 released on 2007-03-01
5799 * Added (beta) support for non-blocking I/O operations
5802 (thanks to Benjamin Newman), HP-UX, FreeBSD and Solaris
5807 = Version 0.4 released on 2007-02-01
5809 * Added support for Ephemeral Diffie-Hellman key exchange
5820 = Version 0.3 released on 2007-01-01
5822 * Added server-side SSLv3 and TLSv1.0 support
5827 * Updated rsa_pkcs1_sign to handle arbitrary large inputs
5828 * Updated timing.c for improved compatibility with i386
5831 = Version 0.2 released on 2006-12-01
5833 * Updated timing.c to support ARM and MIPS arch
5834 * Updated the MPI code to support 8086 on MSVC 1.5
5842 the Miller-Rabin primality test
5846 who maintains the Debian package :-)
5848 = Version 0.1 released on 2006-11-01