Lines Matching +full:is +full:- +full:potential +full:- +full:custom +full:- +full:element +full:- +full:name
3 = Mbed TLS 3.5.2 branch released 2024-01-26
8 attacker or a remote attacker who is close to the victim on the network
14 could result in an integer overflow, causing a zero-length buffer to be
18 = Mbed TLS 3.5.1 branch released 2023-11-06
21 * Mbed TLS is now released under a dual Apache-2.0 OR GPL-2.0-or-later
28 = Mbed TLS 3.5.0 branch released 2023-10-05
31 * Mbed TLS 3.4 introduced support for omitting the built-in implementation
32 of ECDSA and/or EC J-PAKE when those are provided by a driver. However,
33 there was a flaw in the logic checking if the built-in implementation, in
36 accelerated and still have the built-in implementation compiled out.
37 Starting with this release, it is necessary to declare which curves are
39 considered not accelerated, and the built-in implementation of the curves
47 * Minimum required Windows version is now Windows Vista, or
52 MBEDTLS_PSA_ACCEL_KEY_TYPE_xxx_KEY_PAIR, where xxx is either ECC or RSA,
55 IMPORT, EXPORT, GENERATE, DERIVE. The goal is to have a finer detail about
57 * MBEDTLS_CIPHER_BLKSIZE_MAX is deprecated in favor of
58 MBEDTLS_MAX_BLOCK_LENGTH (if you intended what the name suggests:
59 maximum size of any supported block cipher) or the new name
70 drivers when MBEDTLS_PSA_CRYPTO_C is enabled and psa_crypto_init() has
74 provided - these limitations are lifted in this version. A new set of
77 they're provided by a built-in implementation, a driver or both. See
78 docs/driver-only-builds.md.
79 * When a PSA driver for ECDH is present, it is now possible to disable
83 TLS 1.2 (ECDHE-ECDSA key exchange) are not supported in those builds yet,
85 * When all of ECDH, ECDSA and EC J-PAKE are either disabled or provided by
86 a driver, it is possible to disable MBEDTLS_ECP_C (and MBEDTLS_BIGNUM_C
88 algorithms in PSA, with some limitations. See docs/driver-only-builds.txt
92 * Add support for server-side TLS version negotiation. If both TLS 1.2 and
104 parameters from RFC 7919. This includes a built-in implementation based
107 * It is now possible to generate certificates with SubjectAltNames.
116 string to a DER-encoded mbedtls_asn1_buf.
117 * Add SHA-3 family hash functions.
118 * Add support to restrict AES to 128-bit keys in order to save code size.
123 Aarch64, gcc -Os and CCM, GCM and XTS benefit the most.
124 On Aarch64, uplift is typically around 20 - 110%.
125 When compiling with gcc -Os on Aarch64, AES-XTS improves
127 * Add support for PBKDF2-HMAC through the PSA API.
129 MBEDTLS_PSA_ACCEL_KEY_TYPE_xxx_KEY_PAIR_yyy (where xxx is either ECC, RSA
133 - DERIVE is only available for ECC keys, not for RSA or DH ones.
134 - implementations are free to enable more than what it was strictly
138 This is automatically enabled as soon as PSA_WANT_ALG_FFDH
139 and the ephemeral or psk-ephemeral key exchange mode are enabled.
145 setting the CMake variable of the same name at configuration time.
152 * Support for "opaque" (PSA-held) ECC keys in the PK module has been
153 extended: it is now possible to use mbedtls_pk_write_key_der(),
161 * Add support for PBKDF2-CMAC through the PSA API.
163 using CPU-accelerated AES (e.g., Arm Crypto Extensions), this option
164 disables the plain C implementation and the run-time detection for the
179 MBEDTLS_CIPHER_BLKSIZE_MAX was 8, rather than 16 as the name might
191 (notably recent versions of Clang and IAR) could produce non-constant
194 * Updates to constant-time C code so that compilers are less likely to use
197 implementations for 32- and 64-bit Arm and for x86 and x86-64, which are
205 null-cipher cipher suites. Credit to OSS-Fuzz.
207 In TLS 1.3, all configurations are affected except PSK-only ones, and
212 Credit to OSS-Fuzz.
216 PSA_SIGNATURE_MAX_SIZE buffers when at least one accelerated EC is bigger
217 than all built-in ones and RSA is disabled.
222 a message that one of the required defines is missing.
227 * Fix an error when MBEDTLS_ECDSA_SIGN_ALT is defined but not
230 MBEDTLS_USE_PSA_CRYPTO is enabled.
231 * Fix the J-PAKE driver interface for user and peer to accept any values
234 M-class CPUs (Cortex-M0, Cortex-M0+, Cortex-M1, Cortex-M23,
238 way to detect the crypto extensions required. A warning is still issued.
250 when given a invalid name string if it did not contain '=' or ','.
252 example TF-M configuration in configs/ from building cleanly:
267 * Fix a potential corruption of the passed-in IV when mbedtls_aes_crypt_cbc()
268 is called with zero length and padlock is not enabled.
274 MBEDTLS_PSA_CRYPTO_CONFIG is disabled.
276 * Fix an issue when parsing an otherName subject alternative name into a
277 mbedtls_x509_san_other_name struct. The type-id of the otherName was not
284 enabled, where some low-level modules required by requested PSA crypto
286 * Fix undefined symbols in some builds using TLS 1.3 with a custom
293 * Fix the build with CMake when Everest or P256-m is enabled through
298 compiling with gcc, clang or armclang and -O0.
303 operations when MBEDTLS_PSA_CRYPTO_C is defined.
312 mbedtls_cipher_set_padding_mode() is now enforced. Previously, omitting
316 = Mbed TLS 3.4.1 branch released 2023-08-04
322 * Update test data to avoid failures of unit tests after 2023-08-07.
324 = Mbed TLS 3.4.0 branch released 2023-03-28
329 ssl_ciphersuites.c). The preferred cipher suite is now
333 * mbedtls_x509write_crt_set_serial() is now being deprecated in favor of
334 mbedtls_x509write_crt_set_serial_raw(). The goal here is to remove any
336 * PSA to mbedtls error translation is now unified in psa_util.h,
339 optionally providing file-specific error pairs. Please see psa_util.h for
344 Syntax, as defined in RFC 2315. Currently, support is limited to the
346 - Only the signed-data content type, version 1 is supported.
347 - Only DER encoding is supported.
348 - Only a single digest algorithm per message is supported.
349 - Certificates must be in X.509 format. A message must have either 0
351 - There is no support for certificate revocation lists.
352 - The authenticated and unauthenticated attribute fields of SignerInfo
355 contributing this feature, and to Demi-Marie Obenour for contributing
359 * Improvements to use of unaligned and byte-swapped memory, reducing code
370 * Add parsing of V3 extensions (key usage, Netscape cert-type,
372 * Use HOSTCC (if it is set) when compiling C code during generation of the
373 configuration-independent files. This allows them to be generated when
374 CC is set for cross compilation.
384 * When a PSA driver for ECDSA is present, it is now possible to disable
389 operations is not present yet.
390 * Add a driver dispatch layer for EC J-PAKE, enabling alternative
391 implementations of EC J-PAKE through the driver entry points.
395 * Add support for AES with the Armv8-A Cryptographic Extension on
396 64-bit Arm. A new configuration option, MBEDTLS_AESCE_C, can
397 be used to enable this feature. Run-time detection is supported
399 * When a PSA driver for EC J-PAKE is present, it is now possible to disable
404 to read non-public fields for padding mode and hash id from
406 * AES-NI is now supported with Visual Studio.
407 * AES-NI is now supported in 32-bit builds, or when MBEDTLS_HAVE_ASM
408 is disabled, when compiling with GCC or Clang or a compatible compiler
410 gcc -m32 -msse2 -maes -mpclmul). (Generic x86 builds with GCC-like
411 compilers still require MBEDTLS_HAVE_ASM and a 64-bit target.)
412 * It is now possible to use a PSA-held (opaque) password with the TLS 1.2
417 * Use platform-provided secure zeroization function where possible, such as
420 * Fix a potential heap buffer overread in TLS 1.3 client-side when
421 MBEDTLS_DEBUG_C is enabled. This may result in an application crash.
422 * Add support for AES with the Armv8-A Cryptographic Extension on 64-bit
423 Arm, so that these systems are no longer vulnerable to timing side-channel
424 attacks. This is configured by MBEDTLS_AESCE_C, which is on by default.
426 * MBEDTLS_AESNI_C, which is enabled by default, was silently ignored on
427 builds that couldn't compile the GCC-style assembly implementation
429 timing side-channel attacks. There is now an intrinsics-based AES-NI
446 defined, but MBEDTLS_PK_RSA_ALT_SUPPORT is not defined. Fixes #3174.
453 whose binary representation is longer than 20 bytes. This was already
454 forbidden by the standard (RFC5280 - section 4.1.2.2) and now it's being
456 * Fix potential undefined behavior in mbedtls_mpi_sub_abs(). Reported by
463 malformed alternative name components were not caught during initial
472 * Reject OIDs with overlong-encoded subidentifiers when converting
477 have the most-significant bit set in their last byte.
478 * Silence warnings from clang -Wdocumentation about empty \retval
482 * Fix an unused-variable warning in TLS 1.3-only builds if
485 len argument is 0 and buffer is NULL.
486 * Allow setting user and peer identifiers for EC J-PAKE operation
488 This is a partial fix that allows only "client" and "server" identifiers.
489 * Fix a compilation error when PSA Crypto is built with support for
493 * Fix TLS 1.3 session resumption when the established pre-shared key is
494 384 bits long. That is the length of pre-shared keys created under a
495 session where the cipher suite is TLS_AES_256_GCM_SHA384.
505 * Mixed-endian systems are explicitly not supported any more.
514 - now it accepts the serial number in 2 different formats: decimal and
516 - "serial" is used for the decimal format and it's limted in size to
518 - "serial_hex" is used for the hex format; max length here is
520 * The C code follows a new coding style. This is transparent for users but
523 https://mbed-tls.readthedocs.io/en/latest/kb/how-to/rewrite-branch-for-coding-style/
529 to best results when tested on Cortex-M4 and Intel i7.
531 MBEDTLS_SHA512_USE_A64_CRYPTO_*, it is no longer necessary to specify
535 = Mbed TLS 3.3.0 branch released 2022-12-14
540 It is now no longer experimental, and implements the final version from
541 RFC 9146, which is not interoperable with the draft-05 version.
545 standard (non-draft) version.
553 from a release, the Python module jsonschema is now necessary, in
554 addition to jinja2. The official list of required Python modules is
569 * Expose the EC J-PAKE functionality through the Draft PSA PAKE Crypto API.
570 Only the ECC primitive with secp256r1 curve and SHA-256 hash algorithm
573 built-in implementation present, but only in some configurations.
574 - RSA OAEP and PSS (PKCS#1 v2.1), PKCS5, PKCS12 and EC J-PAKE now use
575 hashes from PSA when (and only when) MBEDTLS_MD_C is disabled.
576 - PEM parsing of encrypted files now uses MD-5 from PSA when (and only
577 when) MBEDTLS_MD5_C is disabled.
582 all hashes only provided by drivers (no built-in hash) is to use
584 * When MBEDTLS_USE_PSA_CRYPTO is enabled, X.509, TLS 1.2 and TLS 1.3 now
586 As a consequence, they now work in configurations where the built-in
588 provided by PSA drivers. (See previous entry for limitation on RSA-PSS
589 though: that module only use hashes from PSA when MBEDTLS_MD_C is off).
592 * Add the LMS post-quantum-safe stateful-hash asymmetric signature scheme.
593 Signature verification is production-ready, but generation is for testing
596 1024 messages. As such, it is not intended for use in TLS, but instead
599 * Add the LM-OTS post-quantum-safe one-time signature scheme, which is
601 be used to sign one message so is impractical for most circumstances.
602 * Mbed TLS now supports TLS 1.3 key establishment via pre-shared keys.
603 The pre-shared keys can be provisioned externally or via the ticket
605 The ticket mechanism is supported when the configuration option
606 MBEDTLS_SSL_SESSION_TICKETS is enabled.
621 * The TLS 1.2 EC J-PAKE key exchange can now use the PSA Crypto API.
630 entry point. This entry point is specified in the proposed PSA driver
632 * Add an ad-hoc key derivation function handling EC J-PAKE to PMS
634 as described in draft-cragie-tls-ecjpake-01. This can be achieved by
638 * Fix potential heap buffer overread and overwrite in DTLS if
639 MBEDTLS_SSL_DTLS_CONNECTION_ID is enabled and
644 victim performing a single private-key operation if the window size used
646 Wenjian HE, Sharad Sinha, and Wei ZHANG. See "Cache Side-channel Attacks
647 and Defenses of the Sliding Window Algorithm in TEEs" - Design, Automation
651 * Refactor mbedtls_aes_context to support shallow-copying. Fixes #2147.
652 * Fix an issue with in-tree CMake builds in releases with GEN_FILES
655 * Fix a long-standing build failure when building x86 PIC code with old
658 * Fix support for little-endian Microblaze when MBEDTLS_HAVE_ASM is defined.
665 broken link is encountered, skip the broken link and continue parsing
675 MBEDTLS_DEPRECATED_REMOVED is enabled.
677 MBEDTLS_AES_ALT is enabled, it could call mbedtls_aes_free() on an
686 PSA drivers for AEAD (GCM, CCM, Chacha20-Poly1305).
702 in TLS 1.3 (where it is forbidden).
703 * Fix a bug in which mbedtls_x509_crt_info() would produce non-printable
705 HardwareModuleName as a Subject Alternative Name extension. Hardware
708 the error code returned by mbedtls_mpi_write_file() is overwritten
710 * In the bignum module, operations of the form (-A) - (+A) or (-A) - (-A)
721 when both operands are 0 and the left operand is represented with 0 limbs.
724 to OSS-Fuzz. Fixes #6597.
727 * Move some SSL-specific code out of libmbedcrypto where it had been placed
734 * Calling AEAD tag-specific functions for non-AEAD algorithms (which
735 should not be done - they are documented for use only by AES-GCM and
739 = Mbed TLS 3.2.1 branch released 2022-07-12
742 * Re-add missing generated file library/psa_crypto_driver_wrappers.c
744 = Mbed TLS 3.2.0 branch released 2022-07-11
764 * Secure element drivers enabled by MBEDTLS_PSA_CRYPTO_SE_C are deprecated.
779 a piece of user data which is reserved for the application. The user
800 * Add mbedtls_pk_sign_ext() which allows generating RSA-PSS signatures when
801 PSA Crypto is enabled.
816 mixed-PSK. Add an optional input PSA_KEY_DERIVATION_INPUT_OTHER_SECRET
818 * When MBEDTLS_PSA_CRYPTO_CONFIG is enabled, you may list the PSA crypto
821 Furthermore you may name an additional file to include after the main
825 * Add HKDF-Expand and HKDF-Extract as separate algorithms in the PSA API.
826 * Add support for the ARMv8 SHA-2 acceleration instructions when building
829 * Add support for server HelloRetryRequest message. The TLS 1.3 client is
832 * Add support for client-side TLS version negotiation. If both TLS 1.2 and
838 establishment only). See docs/architecture/tls13-support.md for a
846 docs/use-psa-crypto.md for the list of exceptions.
848 Opaque keys can now be used everywhere a private key is expected in the
850 * Opaque pre-shared keys for TLS, provisioned with
853 for the "mixed" PSK key exchanges as well: ECDHE-PSK, DHE-PSK, RSA-PSK.
854 * cmake now detects if it is being built as a sub-project, and in that case
859 by side in order to illustrate how the operation is performed in PSA.
863 * Zeroize dynamically-allocated buffers used by the PSA Crypto key storage
866 * Fix potential memory leak inside mbedtls_ssl_cache_set() with
872 * Fix a potential heap buffer overread in TLS 1.2 server-side when
873 MBEDTLS_USE_PSA_CRYPTO is enabled, an opaque key (created with
874 mbedtls_pk_setup_opaque()) is provisioned, and a static ECDH ciphersuite
875 is selected. This may result in an application crash or potentially an
879 or a man-in-the-middle could cause a DTLS server to read up to 255 bytes
881 when MBEDTLS_SSL_IN_CONTENT_LEN is less than a threshold that depends on
883 and possibly up to 571 bytes with a custom cookie check function.
890 buffer is rather small but increases as its size
903 * Fix a memory leak if mbedtls_ssl_config_defaults() is called twice.
907 in reduced configurations when MBEDTLS_USE_PSA_CRYPTO is enabled.
909 enabled and an ECDHE-ECDSA or ECDHE-RSA key exchange was used, the
914 * The TLS 1.3 implementation is now compatible with the
921 * Fix compile errors when MBEDTLS_HAVE_TIME is not defined. Add tests
923 * Fix a race condition in out-of-source builds with CMake when generated data
929 the function needs to be re-called after initially returning
939 * Fix undefined behavior in mbedtls_asn1_find_named_data(), where val is
940 not NULL and val_len is zero.
954 an X509 name, to allow walking the name list. Fixes #5431.
960 when MBEDTLS_SSL_PROTO_TLS1_3 is specified, and make this and other
975 non-compliant. This could not lead to a buffer overflow. In particular,
992 * The file library/psa_crypto_driver_wrappers.c is now generated
995 see docs/proposed/psa-driver-wrappers-codegen-migration-guide.md
996 * Return PSA_ERROR_INVALID_ARGUMENT if the algorithm passed to one-shot
997 AEAD functions is not an AEAD algorithm. This aligns them with the
999 * In mbedtls_pk_parse_key(), if no password is provided, don't allocate a
1001 * Assume source files are in UTF-8 when using MSVC with CMake.
1005 Replace custom LIB_INSTALL_DIR variable with standard CMAKE_INSTALL_LIBDIR
1007 LIB_INSTALL_DIR is set.
1011 targets work when MbedTLS is built as a subdirectory. This allows the
1014 = mbed TLS 3.1.0 branch released 2021-12-17
1020 MBEDTLS_ERR_GCM_BUFFER_TOO_SMALL in case the buffer length is too small.
1026 POSIX/Unix-like platforms.
1029 * Sign-magnitude and one's complement representations for signed integers are
1030 not supported. Two's complement is the only supported representation.
1047 * Warn if errors from certain functions are ignored. This is currently
1048 supported on GCC-like compilers and on MSVC and can be configured through
1051 value is almost always a bug. Enable the new configuration option
1053 is currently implemented in the AES, DES and md modules, and will be
1057 * Add support for CCM*-no-tag cipher to the PSA.
1058 Currently only 13-byte long IV's are supported.
1059 For decryption a minimum of 16-byte long input is expected.
1067 protocol. See docs/architecture/tls13-support.md for the definition of
1079 man-in-the-middle to inject fake ciphertext into a DTLS connection.
1081 This fixes a potential policy bypass or decryption oracle vulnerability
1082 if the output buffer is in memory that is shared with an untrusted
1085 from the output buffer. This fixes a potential policy bypass or decryption
1086 oracle vulnerability if the output buffer is in memory that is shared with
1088 * Fix a double-free that happened after mbedtls_ssl_set_session() or
1097 The check was accidentally not performed when cross-compiling for Windows
1109 * Fix mbedtls_cipher_crypt: AES-ECB when MBEDTLS_USE_PSA_CRYPTO is enabled.
1110 * Failures of alternative implementations of AES or DES single-block
1114 where this function cannot fail, or full-module replacements with
1119 * Fix compile-time or run-time errors in PSA
1120 AEAD functions when ChachaPoly is disabled. Fixes #5065.
1123 psa_aead_finish() and psa_aead_verify() does not apply to the built-in
1126 the built-in implementation of the GCM.
1128 input buffer size is valid only for the built-in implementation of GCM.
1131 MBEDTLS_ERROR_STRERROR_DUMMY is enabled.
1136 * The existing predicate macro name PSA_ALG_IS_HASH_AND_SIGN is now reserved
1148 * Fix the build when no SHA2 module is included. Fixes #4930.
1149 * Fix the build when only the bignum module is included. Fixes #4929.
1150 * Fix a potential invalid pointer dereference and infinite loop bugs in
1151 pkcs12 functions when the password is empty. Fix the documentation to
1162 oversight during the run-up to the release of Mbed TLS 3.0.
1164 * Implement multi-part CCM API.
1165 The multi-part functions: mbedtls_ccm_starts(), mbedtls_ccm_set_lengths(),
1175 * Improve the performance of base64 constant-flow code. The result is still
1176 slower than the original non-constant-flow implementation, but much faster
1177 than the previous constant-flow implementation. Fixes #4814.
1178 * Ignore plaintext/ciphertext lengths for CCM*-no-tag operations.
1182 ChaCha20-Poly1305 is invalid, and not just unsupported.
1187 most of the interface of this module is private and may change at any
1189 * The generated configuration-independent files are now automatically
1190 generated by the CMake build system on Unix-like systems. This is not
1191 yet supported when cross-compiling.
1193 = Mbed TLS 3.0.0 branch released 2021-07-07
1202 https://mbed-tls.readthedocs.io/en/latest/kb/how-to/add-entropy-sources-to-entropy-pool/ for
1206 header compat-1.3.h and the script rename.pl.
1225 * Drop support for TLS record-level compression (MBEDTLS_ZLIB_SUPPORT).
1227 * Drop support for single-DES ciphersuites.
1231 key type used, as well as the key bit-size in the case of
1246 when outputting a SHA-384 or SHA-224 hash into a buffer of exactly
1250 how the input to multipart operations is broken down. mbedtls_gcm_finish()
1267 session-ID based session resumption) has changed to that of
1268 a key-value store with keys being session IDs and values
1282 * For multi-part AEAD operations with the cipher module, calling
1283 mbedtls_cipher_finish() is now mandatory. Previously the documentation
1286 possible to skip calling it, which is no longer supported.
1287 * The option MBEDTLS_ECP_FIXED_POINT_OPTIM use pre-computed comb tables
1304 * Instead of accessing the len field of a DHM context, which is no longer
1312 parameter, this parameter is now mandatory (that is, NULL is not an
1329 context are now connection-specific.
1338 * Implement one-shot cipher functions, psa_cipher_encrypt and
1341 * Direct access to fields of structures declared in public headers is no
1351 They are: ARIA block cipher, CMAC mode, elliptic curve J-PAKE library and
1352 Key Wrapping mode as defined in NIST SP 800-38F. Fixes #4036.
1364 release, some configuration-independent files are now generated at build
1375 compile-time option, which was off by default. Users should not trust
1376 certificates signed with SHA-1 due to the known attacks against SHA-1.
1377 If needed, SHA-1 certificates can still be verified by using a custom
1385 https://lists.trustedfirmware.org/pipermail/mbed-tls/2020-April/000024.html
1389 compile-time option. This option has been inactive for a long time.
1392 * Remove the following deprecated functions and constants of hex-encoded
1418 * The RSA module no longer supports private-key operations with the public
1431 MBEDTLS_REMOVE_3DES_CIPHERSUITES option which is no longer relevant.
1436 backward compatibility which is no longer supported. Addresses #4404.
1441 option. The mbedtls_x509_crt_parse_der_with_ext_cb() is the way to go for
1446 * MBEDTLS_ECP_MAX_BITS is no longer a configuration option because it is
1458 using a CCM-8 ciphersuite than a CBC ciphersuite with truncated HMAC.
1460 * Remove the compile-time option
1468 * Added support for built-in driver keys through the PSA opaque crypto
1472 * The multi-part GCM interface (mbedtls_gcm_update() or
1475 * The multi-part GCM interface now supports chunked associated data through
1482 See docs/architecture/alternative-implementations.md for the remaining
1485 query the size of the modulus in a Diffie-Hellman context.
1487 Diffie-Hellman context.
1490 directly, which is no longer supported.
1495 * Fix a bias in the generation of finite-field Diffie-Hellman-Merkle (DHM)
1498 * Fix a potential side channel vulnerability in ECDSA ephemeral key generation.
1499 An adversary who is capable of very precise timing measurements could
1507 victim performing a single private-key operation. Found and reported by
1510 information (typically, a co-located process) could recover a Curve25519
1512 observing the victim performing the corresponding private-key operation.
1518 lead to the seed file corruption in case if the path to the seed file is
1523 to create is not valid, bringing them in line with version 1.0.0 of the
1530 * Fix a bug in ECDSA that would cause it to fail when the hash is all-bits
1535 mbedtls_mpi_read_string() was called on "-0", or when
1538 * Fix a compilation error when MBEDTLS_ECP_RANDOMIZE_MXZ_ALT is
1541 * In a TLS client, enforce the Diffie-Hellman minimum parameter size
1545 defined to specific values. If the code is used in a context
1552 * The cipher suite TLS-RSA-WITH-CAMELLIA-256-GCM-SHA384 was not available
1553 when SHA-1 was disabled and was offered when SHA-1 was enabled but SHA-384
1555 * Do not offer SHA384 cipher suites when SHA-384 is disabled. Fixes #4499.
1556 * Fix test suite code on platforms where int32_t is not int, such as
1557 Arm Cortex-M. Fixes #4530.
1559 directive in a header and a missing initialization in the self-test.
1560 * Fix a missing initialization in the Camellia self-test, affecting
1564 is not defined PSA will no longer attempt to use mbedtls_rsa_gen_key().
1567 (when the encrypt-then-MAC extension is not in use) with some ALT
1568 implementations of the underlying hash (SHA-1, SHA-256, SHA-384), causing
1570 * Remove outdated check-config.h check that prevented implementing the
1582 * psa_verify_hash() was relying on implementation-specific behavior of
1584 implementations. This reliance is now removed. Fixes #3990.
1593 Credit to OSS-Fuzz. Fixes #4641.
1594 * Fix mbedtls_mpi_gcd(G,A,B) when the value of B is zero. This had no
1598 read-only lifetime. The persistence level PSA_KEY_PERSISTENCE_READ_ONLY
1601 * When MBEDTLS_PSA_CRYPTO_SPM is enabled, crypto_spe.h was not included
1602 in all the right places. Include it from crypto_platform.h, which is
1604 * Fix which alert is sent in some cases to conform to the
1619 * Remove configs/config-psa-crypto.h, which no longer had any intended
1622 python2, which is no longer supported upstream.
1623 * fix build failure on MinGW toolchain when __USE_MING_ANSI_STDIO is on.
1624 When that flag is on, standard GNU C printf format specifiers
1633 when their input has length 0. Note that this is an implementation detail
1641 build_info.h is intended to be included from C code directly, while
1642 mbedtls_config.h is intended to be edited by end users wishing to
1651 The only value supported by Mbed TLS 3.0.0 is 0x03000000.
1655 PSA_KEY_USAGE_SIGN_HASH flag is set and PSA_KEY_USAGE_VERIFY_MESSAGE flag
1656 when PSA_KEY_USAGE_VERIFY_HASH flag is set. This usage flag extension
1657 is also applied when loading a key from storage.
1659 = mbed TLS 2.26.0 branch released 2021-03-08
1672 as always 0. It is now reserved for internal purposes and may take
1685 CTR_DRBG is used by default if it is available, but you can override
1713 length, or when the entropy module uses SHA-256 and CTR_DRBG uses AES-256.
1719 |A| - |B| where |B| is larger than |A| and has more limbs (so the
1722 all calls inside the library were safe since this function is
1725 mbedtls_pk_write_key_pem(). If MBEDTLS_MPI_MAX_SIZE is set to an odd
1730 mbedtls_net_recv_timeout() when given a file descriptor that is
1736 * Fix use-after-scope error in programs/ssl/ssl_client2.c and ssl_server2.c
1742 is enabled, on platforms where initializing a mutex allocates resources.
1746 twice is safe. This happens for RSA when some Mbed TLS library functions
1747 fail. Such a double-free was not safe when MBEDTLS_THREADING_C was
1748 enabled on platforms where freeing a mutex twice is not safe.
1749 * Fix a resource leak in a bad-arguments case of mbedtls_rsa_gen_key()
1750 when MBEDTLS_THREADING_C is enabled on platforms where initializing
1760 the extension was always marked as non-critical. This was fixed by
1766 implementation is not included into the library.
1770 = mbed TLS 2.25.0 branch released 2020-12-11
1776 The underlying stream cipher is determined by the key type
1780 as they have no way to check if the output buffer is large enough.
1782 mbedtls_cipher_auth_decrypt_ext() instead. Credit to OSS-Fuzz and
1807 This is currently non-standard behaviour, but expected to make it into a
1809 * Add MBEDTLS_TARGET_PREFIX CMake variable, which is prefixed to the mbedtls,
1811 external CMake projects that include this one to avoid CMake target name
1812 clashes. The default value of this variable is "", so default target names
1814 * Add support for DTLS-SRTP as defined in RFC 5764. Contributed by Johan
1816 * In the PSA API, it is no longer necessary to open persistent keys:
1817 operations now accept the key identifier. The type psa_key_handle_t is now
1818 identical to psa_key_id_t instead of being platform-defined. This bridges
1820 version 1.0.0. Opening persistent keys is still supported for backward
1835 MBEDTLS_MPI_MAX_SIZE to prevent a potential denial of service when
1836 generating Diffie-Hellman key pairs. Credit to OSS-Fuzz.
1838 which is how most uses of randomization in asymmetric cryptography
1840 are implemented. This could cause failures or the silent use of non-random
1863 * Fix build failure in configurations where MBEDTLS_USE_PSA_CRYPTO is
1864 enabled but ECDSA is disabled. Contributed by jdurkop. Fixes #3294.
1867 * Fix rsa_prepare_blinding() to retry when the blinding value is not
1869 addresses a regression but is rare in practice (approx. 1 in 2/sqrt(N)).
1872 * Use socklen_t on Android and other POSIX-compliant system
1873 * Fix the build when the macro _GNU_SOURCE is defined to a non-empty value.
1888 chars. Fixes a build failure on platforms where char is unsigned. Fixes
1890 * Fix an off-by-one error in the additional data length check for
1891 CCM, which allowed encryption with a non-standard length field.
1895 * Make arc4random_buf available on NetBSD and OpenBSD when _POSIX_C_SOURCE is
1899 in a secure element.
1900 * Attempting to create a volatile key with a non-zero key identifier now
1909 * Fix a case in elliptic curve arithmetic where an out-of-memory condition
1926 * The PSA persistent storage format is updated to always store the key bits
1927 attribute. No automatic upgrade path is provided. Previously stored keys
1929 specification (docs/architecture/mbed-crypto-storage-specification.md).
1933 zeroize the pointed-to buffer. Reported by Antonio de la Piedra, CEA
1936 = mbed TLS 2.24.0 branch released 2020-09-01
1939 * In the PSA API, rename the types of elliptic curve and Diffie-Hellman
1955 a byte buffer. It is the inverse of the existing mbedtls_ecp_read_key().
1957 -Wformat-signedness, and fix the code that causes signed-one-bit-field
1958 and sign-compare warnings. Contributed by makise-homura (Igor Molchanov)
1963 matching the expected common name (the cn argument of
1964 mbedtls_x509_crt_verify()) with the actual certificate name: when the
1965 subjecAltName extension is present, the expected name was compared to any
1966 name in that extension regardless of its type. This means that an
1967 attacker could for example impersonate a 4-bytes or 16-byte domain by
1970 using other subjectAltName name types might be possible. Found and
1983 Encrypt-then-Mac extension, use constant code flow memory access patterns
1984 to extract and check the MAC. This is an improvement to the existing
1986 effective against network-based attackers, but less so against local
1988 if they have access to fine-grained measurements. In particular, this
1992 * Fix side channel in RSA private key operations and static (finite-field)
1993 Diffie-Hellman. An adversary with precise enough timing and memory access
1995 enclave) could bypass an existing counter-measure (base blinding) and
1997 * Fix a 1-byte buffer overread in mbedtls_x509_crl_parse_der().
1998 Credit to OSS-Fuzz for detecting the problem and to Philippe Antoine
2008 redefinition if the function is inlined.
2012 Montgomery keys in little-endian as defined by RFC7748. Contributed by
2015 curves. Raised by signpainter in #941 and by Taiki-San in #1412. This
2017 * Fix self-test failure when the only enabled short Weierstrass elliptic
2018 curve is secp192k1. Fixes #2017.
2025 * Fix bug in redirection of unit test outputs on platforms where stdout is
2029 * Only pass -Wformat-signedness to versions of GCC that support it. Reported
2034 * Undefine the ASSERT macro before defining it locally, in case it is defined
2037 the copyright of contributors other than Arm is now acknowledged, and the
2044 these applications with password-protected key files. Analogously but for
2049 = mbed TLS 2.23.0 branch released 2020-07-01
2052 * In the experimental PSA secure element interface, change the encoding of
2056 instead of the keys' lifetime. If the library is upgraded on an existing
2062 high- and low-level error codes, complementing mbedtls_strerror()
2066 * The new utility programs/ssl/ssl_context_info prints a human-readable
2083 Ming-Wei Shih, Prasun Gera, Taesoo Kim and Hyesoon Kim (Georgia Institute
2094 * Fix issue in Lucky 13 counter-measure that could make it ineffective when
2106 pathLenConstraint basic constraint value is equal to INT_MAX.
2107 The actual effect with almost every compiler is the intended
2108 behavior, so this is unlikely to be exploitable anywhere. #3192
2111 * Avoid NULL pointer dereferencing if mbedtls_ssl_free() is called with a
2113 * Fix potential linker errors on dual world platforms by inlining
2119 * Fix potential memory leaks in ecp_randomize_jac() and ecp_randomize_mxz()
2130 * Fix false positive uninitialised variable reported by cpp-check.
2138 * Fix warnings about signedness issues in format strings. The build is now
2139 clean of -Wformat-signedness warnings. Contributed by Kenneth Soerensen
2151 * Fix mbedtls_x509_dn_gets to escape non-ASCII characters as "?".
2157 buffer is not large enough to hold the ClientHello.
2163 `MBEDTLS_CTR_DRBG_C` or `MBEDTLS_HMAC_DRBG_C` for some side-channel
2172 = mbed TLS 2.22.0 branch released 2020-04-14
2180 fragment length is desired.
2188 (which it is by default).
2193 Billy Brumley and Cesar Pereida Garcia. CVE-2020-10932
2207 * Fix a function name in a debug message. Contributed by Ercan Ozturk in
2211 * Mbed Crypto is no longer a Git submodule. The crypto part of the library
2212 is back directly in the present repository.
2216 buffer is allocated by the server (if MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH
2217 is defined), regardless of what MFL was configured for it.
2219 = mbed TLS 2.21.0 branch released 2020-02-20
2225 * Deprecate for MBEDTLS_PKCS11_C, the wrapper around the pkcs11-helper
2230 * Fix potential memory overread when performing an ECDSA signature
2232 probability (of the order of 2^-n where n is the bitsize of the curve)
2233 unless the RNG is broken, and could result in information disclosure or
2240 ARMmbed/mbed-crypto#352
2243 * The new build option MBEDTLS_SHA512_NO_SHA384 allows building SHA-512
2244 support without SHA-384.
2250 existing code is that elliptic curve key types no longer encode the
2253 PSA_ECC_CURVE_SECP_R1 with 256 bits is P256R1). ARMmbed/mbed-crypto#330
2259 * Fix some false-positive uninitialized variable warnings in X.509. Fix
2260 contributed by apple-ihack-geek in #2663.
2262 a cryptographic accelerator fails. ARMmbed/mbed-crypto#345
2265 keys. Found by Catena cyber using oss-fuzz (issue 20467).
2269 = mbed TLS 2.20.0 branch released 2020-01-15
2273 entropy function to obtain entropy for a nonce if the entropy size is less
2282 entropy module formerly only grabbed 32 bytes, which is good enough for
2283 security if the source is genuinely strong, but less than the expected 64
2293 * Fix side channel vulnerability in ECDSA. Our bignum implementation is not
2295 blinded value, factor it (as it is smaller than RSA keys and not guaranteed
2311 initial seeding. The default nonce length is chosen based on the key size
2312 to achieve the security strength defined by NIST SP 800-90A. You can
2315 msopiha-linaro in ARMmbed/mbed-crypto#307.
2318 * In the PSA API, forbid zero-length keys. To pass a zero-length input to a
2319 key derivation function, use a buffer instead (this is now always
2332 unsupported algorithm. Fixes ARMmbed/mbed-crypto#254.
2334 to OSS-Fuzz for finding a bug in an intermediate version of the fix.
2342 * Remove the technical possibility to define custom mbedtls_md_info
2349 no known instances where this changes the behavior of the library: this is
2350 merely a robustness improvement. ARMmbed/mbed-crypto#323
2352 Alexander Krizhanovsky in ARMmbed/mbed-crypto#210.
2354 Lloyd and Fortanix Inc in ARMmbed/mbed-crypto#277.
2356 Alexander Krizhanovsky in ARMmbed/mbed-crypto#308.
2358 = mbed TLS 2.19.1 branch released 2019-09-16
2368 mbedtls_ssl_export_keys_ext_t, so that the key exporter is discouraged
2372 * Fix some false-positive uninitialized variable warnings in crypto. Fix
2373 contributed by apple-ihack-geek in #2663.
2375 = mbed TLS 2.19.0 branch released 2019-09-06
2386 * The deterministic ECDSA calculation reused the scheme's HMAC-DRBG to
2395 store it in non-volatile storage, and later using it for TLS session
2398 an incoming record is valid, authentic and has not been seen before. This
2400 The feature is enabled at compile-time by MBEDTLS_SSL_RECORD_CHECKING
2403 (https://project-everest.github.io/). It can be enabled at compile time
2404 with MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED. This implementation is formally
2405 verified and significantly faster, but is only supported on x86 platforms
2406 (32-bit and 64-bit) using GCC, Clang or Visual Studio. Contributed by
2414 * Add DER-encoded test CRTs to library/certs.c, allowing
2419 list all curves for which at least one of ECDH or ECDSA is supported, not
2421 mbedtls_ecdh_can_do() on each result to check whether each algorithm is
2423 * The new function mbedtls_ecdsa_sign_det_ext() is similar to
2431 is now deprecated.
2435 lead to successful parsing of ill-formed X.509 CRTs. Fixes #2437.
2436 * Fix multiple X.509 functions previously returning ASN.1 low-level error
2441 * Fix typo in net_would_block(). Fixes #528 reported by github-monoculture.
2462 address-sanitizer and enabling but not using MBEDTLS_ECP_RESTARTABLE.
2465 * Improve code clarity in x509_crt module, removing false-positive
2473 * Replace multiple uses of MD2 by SHA-256 in X.509 test suite. Fixes #821.
2477 * Add a Dockerfile and helper scripts (all-in-docker.sh, basic-in-docker.sh,
2478 docker-env.sh) to simplify running test suites on a Linux host. Contributed
2484 * Adds fuzz targets, especially for continuous fuzzing with OSS-Fuzz.
2490 = mbed TLS 2.18.1 branch released 2019-07-12
2500 = mbed TLS 2.18.0 branch released 2019-06-11
2505 * It is now possible to use NIST key wrap mode via the mbedtls_cipher API.
2507 * Add the Wi-SUN Field Area Network (FAN) device extended key usage.
2509 * It is now possible to perform RSA PKCS v1.5 signatures with RIPEMD-160 digest.
2512 and the used tls-prf.
2513 * Add public API for tls-prf function, according to requested enum.
2514 * Add support for parsing otherName entries in the Subject Alternative Name
2515 X.509 certificate extension, specifically type hardware module name,
2518 RFC 5280 section 4.2.1.4. Currently, only the "Any Policy" policy is
2522 * Add support for draft-05 of the Connection ID extension, as specified
2523 in https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05.
2528 changed its IP or port. The feature is enabled at compile-time by setting
2529 MBEDTLS_SSL_DTLS_CONNECTION_ID (disabled by default), and at run-time
2535 and the used tls-prf.
2536 * Add public API for tls-prf function, according to requested enum.
2542 * Fix potential memory leak in X.509 self test. Found and fixed by
2545 * Fix 1-byte buffer overflow in mbedtls_mpi_write_string() when
2547 OSS-Fuzz.
2563 Credit to OSS-Fuzz.
2566 * Server's RSA certificate in certs.c was SHA-1 signed. In the default
2567 mbedTLS configuration only SHA-2 signed certificates are accepted.
2568 This certificate is used in the demo server programs, which lead the
2571 updated to one that is SHA-256 signed. Fix contributed by
2574 provided SSL context is unset.
2582 = mbed TLS 2.17.0 branch released 2019-03-19
2586 which allows copy-less parsing of DER encoded X.509 CRTs,
2599 for the benefit of saving RAM, by disabling the new compile-time
2616 when MBEDTLS_ECP_ALT is defined. Reported by jwhui. Fixes #2242.
2617 * Run the AD too long test only if MBEDTLS_CCM_ALT is not defined.
2627 * Fix signed-to-unsigned integer conversion warning
2659 * Fix configuration queries in ssl-opt.h. #2030
2660 * Ensure that ssl-opt.h can be run in OS X. #2029
2661 * Re-enable certain interoperability tests in ssl-opt.sh which had previously
2666 = mbed TLS 2.16.0 branch released 2018-12-21
2674 function to see for which parameter values it is defined. This feature is
2684 mbedtls_ctr_drbg_update() -> mbedtls_ctr_drbg_update_ret()
2685 mbedtls_hmac_drbg_update() -> mbedtls_hmac_drbg_update_ret()
2689 the more generic per-module error codes MBEDTLS_ERR_xxx_BAD_INPUT_DATA.
2691 modules - AES, ARIA, Blowfish, CAMELLIA, CCM, GCM, DHM, ECP, ECDSA, ECDH,
2696 changed so that the same level of validation is present in all modules, and
2697 that it is now optional with the MBEDTLS_CHECK_PARAMS flag which by default
2698 is off. That means that checks which were previously present by default
2723 = mbed TLS 2.15.1 branch released 2018-11-30
2728 = mbed TLS 2.15.0 branch released 2018-11-23
2738 * Add unit tests for AES-GCM when called through mbedtls_cipher_auth_xxx()
2741 = mbed TLS 2.14.1 branch released 2018-11-30
2745 decryption that could lead to a Bleichenbacher-style padding oracle
2747 RSA decryption (i.e. ciphersuites whose name contains RSA but not
2751 (University of Adelaide, Data61). The attack is described in more detail
2752 in the paper available here: http://cat.eyalro.net/cat.pdf CVE-2018-19608
2770 = mbed TLS 2.14.0 branch released 2018-11-19
2775 name and the CA's subject name differed in their string encoding (e.g.,
2781 space and a PSK-(EC)DHE ciphersuite was used, this allowed an attacker
2786 adversary to construct non-primes that would be erroneously accepted as
2791 pairs or Diffie-Hellman parameters, but was insufficient to validate
2792 Diffie-Hellman parameters properly.
2798 some configurable amount of operations. This is intended to be used in
2799 constrained, single-threaded systems where ECC is time consuming and can
2800 block other operations until they complete. This is disabled by default,
2805 implemented client-side, for ECDHE-ECDSA ciphersuites in TLS 1.2,
2811 * Extend RSASSA-PSS signature to allow a smaller salt size. Previously, PSS
2815 that comply with FIPS 186-4, including SHA-512 with a 1024-bit key.
2816 * Add support for 128-bit keys in CTR_DRBG. Note that using keys shorter
2821 a feature that is not supported by underlying alternative
2822 implementations implementing cryptographic primitives. This is useful for
2827 MBEDTLS_ERR_XXX_FEATURE_UNAVAILABLE that indicate a feature is not
2835 Miller-Rabin rounds.
2845 MBEDTLS_THREADING_C is defined. Found by TrinityTonic, #1095
2848 padded records in case of CBC ciphersuites using Encrypt-then-MAC.
2851 * Ignore IV in mbedtls_cipher_set_iv() when the cipher mode is
2859 wildcards and non-ASCII characters being unusable in some DN attributes.
2861 Thomas-Dee.
2865 Reported by ole-de and ddhome2006. Fixes #882, #1642 and #1706.
2876 calls, rather than Win32 API calls directly. This is necessary to avoid
2885 Thomas-Dee.
2887 Fixes #517 reported by github-monoculture.
2890 by FIPS-186-4.
2892 = mbed TLS 2.13.1 branch released 2018-09-06
2896 whose implementation should behave as a thread-safe version of gmtime().
2899 MBEDTLS_PLATFORM_GMTIME_R_ALT. At this stage Mbed TLS is only able to
2903 * Fix build failures on platforms where only gmtime() is available but
2906 = mbed TLS 2.13.0 branch released 2018-08-31
2912 beyond the input buffer is made. Found and analyzed by Nathan Crandall.
2916 is controlled by the maximum fragment length as set locally or negotiated
2917 with the peer, as well as by a new per-connection MTU option, set using
2919 * Add support for auto-adjustment of MTU to a safe value during the
2924 * Add support for buffering out-of-order handshake messages in DTLS.
2926 compile-time constant MBEDTLS_SSL_DTLS_MAX_BUFFERING defined
2934 * Fix a potential memory leak in mbedtls_ssl_setup() function. An allocation
2940 * Add ecc extensions only if an ecc based ciphersuite is used.
2945 * Fix potential use-after-free in mbedtls_ssl_get_max_frag_len()
2956 (found by Catena cyber using oss-fuzz)
2968 * Add support for buffering of out-of-order handshake messages.
2973 = mbed TLS 2.12.0 branch released 2018-07-25
2976 * Fix a vulnerability in TLS ciphersuites based on CBC and using SHA-384,
2984 or CCM instead of CBC, using hash sizes other than SHA-384, or using
2985 Encrypt-then-Mac (RFC 7366) were not affected. The vulnerability was
2986 caused by a miscalculation (for SHA-384) in a countermeasure to the
2997 instead of CBC or using Encrypt-then-Mac (RFC 7366) were not affected.
2999 * Add a counter-measure against a vulnerability in TLS ciphersuites based
3005 Encrypt-then-Mac (RFC 7366) were not affected. Found by Kenny Paterson,
3009 * Add new crypto primitives from RFC 7539: stream cipher Chacha20, one-time
3010 authenticator Poly1305 and AEAD construct Chacha20-Poly1305. Contributed
3012 * Add support for CHACHA20-POLY1305 ciphersuites from RFC 7905.
3013 * Add platform support for the Haiku OS. (https://www.haiku-os.org).
3018 is no functional difference. Contributed by Angus Gratton, and also
3021 NIST SP 800-38F algorithms KW and KWP and by RFC 3394 and RFC 5649.
3036 * Fix compilation error when MBEDTLS_ARC4_C is disabled and
3037 MBEDTLS_CIPHER_NULL_CIPHER is enabled. Found by TrinityTonic in #1719.
3048 CBC based ciphersuite is used together with Encrypt-then-MAC. Previously,
3053 * Fix ssl_client2 example to send application data with 0-length content
3054 when the request_size argument is set to 0 as stated in the documentation.
3057 deep copy of the session, and the peer certificate is not lost. Fixes #926.
3058 * Fix build using -std=c99. Fixed by Nick Wilson.
3062 zero-length messages when using TLS 1.2. Contributed by Espressif Systems.
3064 when calling with a NULL salt and non-zero salt_len. Contributed by
3068 * Allow overriding the time on Windows via the platform-time abstraction.
3070 * Use gmtime_r/gmtime_s for thread-safety. Fixed by Nick Wilson.
3072 = mbed TLS 2.11.0 branch released 2018-06-18
3077 * Implement the HMAC-based extract-and-expand key derivation function
3080 * Add support for the XTS block cipher mode with AES (AES-XTS).
3084 non-blocking operation of the TLS server stack.
3101 = mbed TLS 2.10.0 branch released 2018-06-06
3111 mbedtls_platform_zeroize(), which is a critical function from a security
3115 Therefore, mbedtls_platform_zeroize() is moved to the platform module to
3120 build to fail. Found by zv-io. Fixes #1651.
3123 * Support TLS testing in out-of-source builds using cmake. Fixes #1193.
3127 = mbed TLS 2.9.0 branch released 2018-04-30
3134 would require a non DER-compliant certificate to be correctly signed by a
3135 trusted CA, or a trusted CA with a non DER-compliant certificate. Found by
3140 where an optional signature algorithms list is expected when the signature
3141 algorithms section is too short. In builds with debug output, the overread
3142 data is output with the debug data.
3143 * Fix a client-side bug in the validation of the server's ciphersuite choice
3163 a check for whether more more data is pending to be processed in the
3165 This function is necessary to determine when it is safe to idle on the
3166 underlying transport in case event-driven IO is used.
3172 in configurations that omit certain hashes or public-key algorithms.
3194 in the internal buffers; these cases led to deadlocks when event-driven
3197 function which leads to a potential one byte overread of the message
3208 * Support cmake builds where Mbed TLS is a subproject. Fix contributed
3211 public-key algorithms. Includes contributions by Gert van Dijk.
3214 configurations where the feature is disabled. Found and fixed by Gergely
3221 MBEDTLS_ASN1_PARSE_C is not enabled. This allows the use of PBKDF2
3231 letter must not be prefixed by '-', such as LLVM. Found and fixed by
3241 HMAC functions with non-HMAC ciphersuites. Independently contributed
3244 FIPS 186-4. Contributed by Jethro Beekman. #1380
3246 of the corresponding module is activated by defining the corresponding
3252 = mbed TLS 2.8.0 branch released 2018-03-16
3282 uses PBKDF2-SHA2, such as OpenSSL 1.1. Submitted by Antonio Quartulli,
3291 * Fix the name of a DHE parameter that was accidentally changed in 2.7.0.
3293 * Fix test_suite_pk to work on 64-bit ILP32 systems. #849
3300 is not enabled. Set MBEDTLS_SSL_MIN_MAJOR_VERSION
3303 * Fix compilation error on Mingw32 when _TRUNCATE is defined. Use _TRUNCATE
3319 * Fix a 1-byte heap buffer overflow (read-only) during private key parsing.
3333 = mbed TLS 2.7.0 branch released 2018-02-03
3337 extension. When the truncated HMAC extension is enabled and CBC is used,
3341 both TLS and DTLS. CVE-2018-0488
3342 * Fix a buffer overflow in RSA-PSS verification when the hash was too large
3345 Qualcomm Technologies Inc. CVE-2018-0487
3346 * Fix buffer overflow in RSA-PSS verification when the unmasked data is all
3350 * Fix a potential heap buffer overflow in mbedtls_ssl_write(). When the (by
3351 default enabled) maximum fragment length extension is disabled in the
3353 is larger than the internal message buffer (16384 bytes by default), the
3356 was independently reported by Tim Nordell via e-mail and by Florin Petriuc
3367 * Make mbedtls_mpi_read_binary() constant-time with respect to the input
3373 * Fix a potential heap buffer over-read in ALPN extension parsing
3374 (server-side). Could result in application crash, but only if an ALPN
3375 name larger than 16 bytes had been configured on the server.
3377 to RFC 3526 containing parameters generated in a nothing-up-my-sleeve
3384 * New unit tests for timing. Improve the self-test to be more robust
3385 when run on a heavily-loaded machine.
3407 * Extend RSA interface by multiple functions allowing structure-
3420 mbedtls_<MODULE>_starts() -> mbedtls_<MODULE>_starts_ret()
3421 mbedtls_<MODULE>_update() -> mbedtls_<MODULE>_update_ret()
3422 mbedtls_<MODULE>_finish() -> mbedtls_<MODULE>_finish_ret()
3423 mbedtls_<MODULE>_process() -> mbedtls_internal_<MODULE>_process()
3426 * Deprecate usage of RSA primitives with non-matching key-type
3428 * Direct manipulation of structure fields of RSA contexts is deprecated.
3432 mbedtls_<MODULE>_finish and mbedtls_<MODULE>_process where <MODULE> is
3451 renegotiated handshakes would only accept signatures using SHA-1
3452 regardless of the peer's preferences, or fail if SHA-1 was disabled.
3456 * Fix some invalid RSA-PSS signatures with keys of size 8N+1 that were
3458 * Fix out-of-memory problem when parsing 4096-bit PKCS8-encrypted RSA keys.
3471 * Correct extraction of signature-type from PK instance in X.509 CRT and CSR
3475 non-v3 CRT's.
3480 MBEDTLS_SSL_RENEGOTIATION is disabled. Found by erja-gp.
3485 * Add size-checks for record and handshake message content, securing
3486 fragile yet non-exploitable code-paths.
3502 Note, this padding mode is not used by the TLS protocol. Found and fixed by
3507 mbedtls_sha512_init() is called before operating on the relevant context
3508 structure. Do not assume that zeroizing a context is a correct way to
3522 * Only run AES-192 self-test if AES-192 is available. Fixes #963.
3533 * Add explicit warnings for the use of MD2, MD4, MD5, SHA-1, DES and ARC4
3536 = mbed TLS 2.6.0 branch released 2017-08-10
3539 * Fix authentication bypass in SSL/TLS: when authmode is set to optional,
3552 platform-specific setup and teardown operations. The macro
3564 * Certificate verification functions now set flags to -1 in case the full
3567 * With authmode set to optional, the TLS handshake is now aborted if the
3572 * Add a check if iv_len is zero in GCM, and return an error if it is zero.
3581 * Fix conditional preprocessor directives in bignum.h to enable 64-bit
3583 * Fix a potential integer overflow in the version verification for DER
3585 to bypass the version verification check. Found by Peng Li/Yueh-Hsun Lin,
3587 * Fix potential integer overflow in the version verification for DER
3589 to bypass the version verification check. Found by Peng Li/Yueh-Hsun Lin,
3591 * Fix a potential integer overflow in the version verification for DER
3601 64-bit division. This is useful on embedded platforms where 64-bit division
3607 config-no-entropy.h to reduce the RAM footprint.
3612 = mbed TLS 2.5.1 released 2017-06-21
3615 * Fixed unlimited overread of heap-based buffer in mbedtls_ssl_read().
3616 The issue could only happen client-side with renegotiation enabled.
3620 * Removed SHA-1 and RIPEMD-160 from the default hash algorithms for
3621 certificate verification. SHA-1 can be turned back on with a compile-time
3626 potential Bleichenbacher/BERserk-style attack.
3631 and with GCC using the -Wpedantic compilation option.
3632 * Fix insufficient support for signature-hash-algorithm extension,
3648 * Fix incorrect sign computation in modular exponentiation when the base is
3659 by Jean-Philippe Aumasson.
3661 = mbed TLS 2.5.0 branch released 2017-05-17
3668 against side-channel attacks like the cache attack described in
3680 behaviour has not changed, namely every configured CAs name is included.
3687 mbedtls_aes_decrypt() -> mbedtls_internal_aes_decrypt()
3688 mbedtls_aes_encrypt() -> mbedtls_internal_aes_encrypt()
3691 * Remove macros from compat-1.3.h that correspond to deleted items from most
3695 * Add checks in the PK module for the RSA functions on 64-bit systems.
3700 = mbed TLS 2.4.2 branch released 2017-03-08
3704 using RSA through the PK module in 64-bit systems. The issue was caused by
3707 mbedtls_pk_sign(). Found by Jean-Philippe Aumasson.
3708 * Fixed potential livelock during the parsing of a CRL in PEM format in
3721 team. #569 CVE-2017-2784
3730 mbedtls_ssl_set_bio_timeout in compat-1.3.h, by removing it.
3731 Found by omlib-lin. #673
3738 renegotiation routines at unexpected times when the protocol is DTLS. Found
3743 * Fixed potential arithmetic overflow in mbedtls_ctr_drbg_reseed() that could
3745 * Fixed potential arithmetic overflows in mbedtls_cipher_update() that could
3747 * Fixed potential arithmetic overflow in mbedtls_md2_update() that could
3749 * Fixed potential arithmetic overflow in mbedtls_base64_decode() that could
3752 Li/Yueh-Hsun Lin, KNOX Security, Samsung Research America.
3753 * Fix potential memory leak in mbedtls_x509_crl_parse(). The leak was caused
3763 number to write in hexadecimal is negative and requires an odd number of
3768 = mbed TLS 2.4.1 branch released 2016-12-13
3771 * Update to CMAC test data, taken from - NIST Special Publication 800-38B -
3775 = mbed TLS 2.4.0 branch released 2016-10-17
3779 with RFC-5116 and could lead to session key recovery in very long TLS
3780 sessions. "Nonce-Disrespecting Adversaries Practical Forgery Attacks on GCM in
3781 TLS" - H. Bock, A. Zauner, S. Devlin, J. Somorovsky, P. Jovanovic.
3783 * Fixed potential stack corruption in mbedtls_x509write_crt_der() and
3784 mbedtls_x509write_csr_der() when the signature is copied to the buffer
3785 without checking whether there is enough space in the destination. The
3789 * Added support for CMAC for AES and 3DES and AES-CMAC-PRF-128, as defined by
3790 NIST SP 800-38B, RFC-4493 and RFC-4615.
3792 is functioning correctly.
3794 scripts, which is also now called by all.sh.
3798 * Added a configuration file config-no-entropy.h that configures the subset of
3810 when GCM is used. Found by udf2457. #441
3811 * Fix for key exchanges based on ECDH-RSA or ECDH-ECDSA which weren't
3813 * Fix for out-of-tree builds using CMake. Found by jwurzer, and fix based on
3822 builds where the configuration MBEDTLS_PEM_WRITE_C is not defined. Found
3826 subramanyam-c. #622
3830 * Fix potential byte overread when verifying malformed SERVER_HELLO in
3833 Found by subramanyam-c. #626
3841 * Removed self-tests from the basic-built-test.sh script, and added all
3842 missing self-tests to the test suites, to ensure self-tests are only
3845 * Added support for a Yotta specific configuration file -
3850 naming collision in projects which also have files with the common name
3851 net.c. For consistency, the corresponding header file, net.h, is marked as
3856 = mbed TLS 2.3.0 branch released 2016-06-28
3861 * Fix potential integer overflow to buffer overflow in
3864 * Fix a potential integer underflow to buffer overread in
3865 mbedtls_rsa_rsaes_oaep_decrypt. It is not triggerable remotely in
3874 arguments where the same (in-place doubling). Found and fixed by Janos
3876 * Fix potential build failures related to the 'apidoc' target, introduced
3893 * Fix test in ssl-opt.sh that does not run properly with valgrind
3897 * On ARM platforms, when compiling with -O0 with GCC, Clang or armcc5,
3899 the need to pass -fomit-frame-pointer to avoid a build error with -O0.
3903 * Fix non-compliance server extension handling. Extensions for SSLv3 are now
3906 = mbed TLS 2.2.1 released 2016-01-05
3909 * Fix potential double free when mbedtls_asn1_store_named_data() fails to
3918 * Fix over-restrictive length limit in GCM. Found by Andreas-N. #362
3922 * Removed potential leak in mbedtls_rsa_rsassa_pkcs1_v15_sign(), found by
3926 datagram if a single record in a datagram is unexpected, instead only
3930 = mbed TLS 2.2.0 released 2015-11-04
3933 * Fix potential double free if mbedtls_ssl_conf_psk() is called more than
3936 * Fix potential heap corruption on Windows when
3937 mbedtls_x509_crt_parse_path() is passed a path longer than 2GB. Cannot be
3939 * Fix potential buffer overflow in some asn1_write_xxx() functions.
3948 * Experimental support for EC J-PAKE as defined in Thread 1.0.0.
3951 block. (Potential uses include EAP-TLS and Thread.)
3954 * Self-signed certificates were not excluded from pathlen counting,
3957 * Fix build error with configurations where ECDHE-PSK is the only key
3959 * Fix build error with configurations where RSA, RSA-PSK, ECDH-RSA or
3960 ECHD-ECDSA if the only key exchange. Multiple reports. #310
3961 * Fixed a bug causing some handshakes to fail due to some non-fatal alerts
3962 not being properly ignored. Found by mancha and Kasom Koht-arsa, #308
3965 minimum key size for end-entity certificates with RSA keys. Found by
3969 * Fix typo in name of the extKeyUsage OID. Found by inestlerode, #314
3975 * Improved performance of mbedtls_ecp_muladd() when one of the scalars is 1
3976 or -1.
3978 = mbed TLS 2.1.2 released 2015-10-06
3981 * Added fix for CVE-2015-5291 to prevent heap corruption due to buffer
3984 * Fix potential double-free if mbedtls_ssl_set_hs_psk() is called more than
3989 mbedtls_pk_parse_key(file)() when the password is > 129 bytes.
3991 * Fix potential buffer overflow in mbedtls_mpi_read_string().
3996 * Fix potential random memory allocation in mbedtls_pem_read_buffer()
4001 buffer is 512MB or larger on 32-bit platforms. Found by Guido Vranken,
4003 * Fix potential double-free if mbedtls_conf_psk() is called repeatedly on
4006 * Fix potential heap buffer overflow in servers that perform client
4022 = mbed TLS 2.1.1 released 2015-09-17
4025 * Add countermeasure against Lenstra's RSA-CRT attack for PKCS#1 v1.5
4027 https://securityblog.redhat.com/2015/09/02/factoring-rsa-keys-with-tls-perfect-forward-secrecy/
4028 * Fix possible client-side NULL pointer dereference (read) when the client
4031 afl-fuzz.)
4035 * Fix off-by-one error in parsing Supported Point Format extension that
4042 connection, if cookie verification is available
4046 MBEDTLS_ERR_SSL_CLIENT_RECONNECT - it is then possible to start a new
4049 = mbed TLS 2.1.0 released 2015-09-04
4057 * Fix build error with CMake and pre-4.5 versions of GCC (found by Hugo
4065 * Fix compile error with armcc 5 with --gnu option.
4070 * Fix missing -static-libgcc when building shared libraries for Windows
4079 * Fix -Wshadow warnings (found by hnrkp) (#240)
4081 SSL_MAX_CONTENT_LEN or higher - not triggerrable remotely (found by
4089 * It is now possible to #include a user-provided configuration file at the
4092 * When verifying a certificate chain, if an intermediate certificate is
4093 trusted, no later cert is checked. (suggested by hannes-landeholm)
4100 = mbed TLS 2.0.0 released 2015-07-13
4105 with custom implementation (eg hardware accelerated), complementing the
4107 * New server-side implementation of session tickets that rotate keys to
4113 * Introduced a concept of presets for SSL security-relevant configuration
4121 Migration helpers scripts/rename.pl and include/mbedtls/compat-1.3.h are
4122 provided. Full list of renamings in scripts/data_files/rename-1.3-2.0.txt
4124 mbedtls_cipher_info_t.key_length -> key_bitlen
4125 mbedtls_cipher_context_t.key_length -> key_bitlen
4126 mbedtls_ecp_curve_info.size -> bit_size
4131 mbedtls_ssl_init() -> mbedtls_ssl_setup()
4132 mbedtls_ccm_init() -> mbedtls_ccm_setkey()
4133 mbedtls_gcm_init() -> mbedtls_gcm_setkey()
4134 mbedtls_hmac_drbg_init() -> mbedtls_hmac_drbg_seed(_buf)()
4135 mbedtls_ctr_drbg_init() -> mbedtls_ctr_drbg_seed()
4141 (see rename.pl and compat-1.3.h above) and their first argument's type
4144 additional callback for read-with-timeout).
4156 * The SSL debug callback gained two new arguments (file name, line number).
4163 mbedtls_x509_crt_verify() (flags, f_vrfy -> needs to be updated)
4164 mbedtls_ssl_conf_verify() (f_vrfy -> needs to be updated)
4165 * The following functions changed prototype to avoid an in-out length
4181 * test_ca_list (from certs.h) is renamed to test_cas_pem and is only
4182 available if POLARSSL_PEM_PARSE_C is defined (it never worked without).
4183 * Test certificates in certs.c are no longer guaranteed to be nul-terminated
4189 * calloc() is now used instead of malloc() everywhere. API of platform
4198 Their 'port' argument type is changed to a string.
4207 * Removed mbedtls_timing_msleep(). Use mbedtls_net_usleep() or a custom
4212 * Removed compat-1.2.h (helper for migrating from 1.2 to 1.3).
4216 been removed (compiler is required to support 32-bit operations).
4219 * Removed test program ssl_test, superseded by ssl-opt.sh.
4220 * Removed helper script active-config.pl
4223 * md_init_ctx() is deprecated in favour of md_setup(), that adds a third
4224 argument (allowing memory savings if HMAC is not used)
4226 Semi-API changes (technically public, morally private)
4227 * Renamed a few headers to include _internal in the name. Those headers are
4238 * The default minimum TLS version is now TLS 1.0.
4239 * RC4 is now blacklisted by default in the SSL/TLS layer, and excluded from the
4241 * Support for receiving SSLv2 ClientHello is now disabled by default at
4243 * The default authmode for SSL/TLS clients is now REQUIRED.
4244 * Support for RSA_ALT contexts in the PK layer is now optional. Since is is
4245 enabled in the default configuration, this is only noticeable if using a
4246 custom config.h
4247 * Default DHM parameters server-side upgraded from 1024 to 2048 bits.
4248 * A minimum RSA key size of 2048 bits is now enforced during ceritificate
4250 * Negotiation of truncated HMAC is now disabled by default on server too.
4251 * The following functions are now case-sensitive:
4259 * The minimum MSVC version required is now 2010 (better C99 support).
4261 * Compiler is required to support C99 types such as long long and uint32_t.
4270 * DTLS no longer hard-depends on TIMING_C, but uses a callback interface
4274 * With UDP sockets, it is no longer necessary to call net_bind() again
4279 thread-safe if MBEDTLS_THREADING_C is enabled.
4280 * Reduced ROM fooprint of SHA-256 and added an option to reduce it even
4289 * Add countermeasure against "Lucky 13 strikes back" cache-based attack,
4299 * Add support for id-at-uniqueIdentifier in X.509 names.
4305 cross-compilation easier (thanks to Alon Bar-Lev).
4306 * The benchmark program also prints heap usage for public-key primitives
4308 * New script ecc-heap.sh helps measuring the impact of ECC parameters on
4311 reduced configurations (PSK-CCM and NSA suite B).
4320 * Fix bug in entropy.c when THREADING_C is also enabled that caused
4324 * Fix bug in ssl_mail_client when password is longer that username (found
4328 * mpi_size() and mpi_msb() would segfault when called on an mpi that is
4333 * Fix potential NULL pointer dereference (not trigerrable remotely) when
4334 ssl_write() is called before the handshake is finished (introduced in
4343 * Fix potential unintended sign extension in asn1_get_len() on 64-bit
4345 * Fix potential memory leak in ssl_set_psk() (found by Mansour Moufid).
4350 * Add missing dependency on SHA-256 in some x509 programs (reported by
4357 * Remove potential sources of timing variations (some contributed by Pascal
4360 * Enabling POLARSSL_NET_C without POLARSSL_HAVE_IPV6 is deprecated.
4361 * compat-1.2.h and openssl.h are deprecated.
4362 * Adjusting/overriding CFLAGS and LDFLAGS with the make build system is now
4363 more flexible (warning: OFLAGS is not used any more) (see the README)
4364 (contributed by Alon Bar-Lev).
4367 * Move from SHA-1 to SHA-256 in example programs using signatures
4370 "minimize" others (eg use stddef.h if only size_t is needed).
4375 = mbed TLS 1.3.10 released 2015-02-09
4377 * NULL pointer dereference in the buffer-based allocator when the buffer is
4378 full and polarssl_free() is called (found by Mark Hasemeyer)
4379 (only possible if POLARSSL_MEMORY_BUFFER_ALLOC_C is enabled, which it is
4381 * Fix remotely-triggerable uninitialised pointer dereference caused by
4382 crafted X.509 certificate (TLS server is not affected if it doesn't ask for a
4384 * Fix remotely-triggerable memory leak caused by crafted X.509 certificates
4385 (TLS server is not affected if it doesn't ask for a client certificate)
4387 * Fix potential stack overflow while parsing crafted X.509 certificates
4388 (TLS server is not affected if it doesn't ask for a client certificate)
4391 Bleichenbacher-style attack in the RSA and RSA-PSK key exchanges
4395 * Add support for FALLBACK_SCSV (draft-ietf-tls-downgrade-scsv).
4396 * Add support for Extended Master Secret (draft-ietf-tls-session-hash).
4397 * Add support for Encrypt-then-MAC (RFC 7366).
4400 * Add compile-time option POLARSSL_X509_MAX_INTERMEDIATE_CA to limit the
4402 * Support for renegotiation can now be disabled at compile-time
4403 * Support for 1/n-1 record splitting, a countermeasure against BEAST.
4404 * Certificate selection based on signature hash, preferring SHA-1 over SHA-2
4405 for pre-1.2 clients when multiple certificates are available.
4414 * Stack buffer overflow if ctr_drbg_update() is called with too large
4415 add_len (found by Jean-Philippe Aumasson) (not triggerable remotely).
4421 * Fix potential undefined behaviour in Camellia.
4422 * Fix potential failure in ECDSA signatures when POLARSSL_ECP_MAX_BITS is a
4431 issue with some servers when a zero-length extension was sent. (Reported
4433 * On a 0-length input, base64_encode() did not correctly set output length
4439 * Blind RSA private operations even when POLARSSL_RSA_NO_CRT is defined.
4440 * ssl_set_own_cert() now returns an error on key-certificate mismatch.
4443 * A specific error is now returned when there are ciphersuites in common
4444 but none of them is usable due to external factors such as no certificate
4446 * It is now possible to disable negotiation of truncated HMAC server-side
4452 = PolarSSL 1.3.9 released 2014-10-20
4456 * Remotely-triggerable memory leak when parsing some X.509 certificates
4457 (server is not affected if it doesn't ask for a client certificate)
4459 * Remotely-triggerable memory leak when parsing crafted ClientHello
4466 * Fix net_accept() regarding non-blocking sockets (found by Luca Pesce).
4468 * Fix warnings from Clang's scan-build (contributed by Alfred Klomp).
4471 * Remove non-existent file from VS projects (found by Peter Vaskovic).
4472 * ssl_read() could return non-application data records on server while
4474 * Server-initiated renegotiation would fail with non-blocking I/O if the
4477 with non-blocking I/O.
4481 * Fix potential bad read in parsing ServerHello (found by Adrien
4485 * Ciphersuites using SHA-256 or SHA-384 now require TLS 1.x (there is no
4486 standard defining how to use SHA-2 with SSL 3.0).
4487 * Ciphersuites using RSA-PSK key exchange new require TLS 1.x (the spec is
4490 RSA is disabled, larger if POLARSSL_MPI_MAX_SIZE is larger.
4499 = PolarSSL 1.3.8 released 2014-07-11
4508 * Support for parsing and verifying RSASSA-PSS signatures in the X.509
4515 * Add server-side enforcement of sent renegotiation requests
4518 ciphersuites to use and save some memory if the list is small.
4521 * Add LINK_WITH_PTHREAD option in CMake for explicit linking that is
4533 * Enforce alignment in the buffer allocator even if buffer is not aligned
4534 * Remove less-than-zero checks on unsigned numbers
4546 rejected with CBC-based ciphersuites and TLS >= 1.1
4548 to 32 bytes with CBC-based ciphersuites and TLS >= 1.1
4551 * Restore ability to locally trust a self-signed cert that is not a proper
4557 * Fix off-by-one error in parsing Supported Point Format extension that
4559 * Fix possible miscomputation of the premaster secret with DHE-PSK key
4568 = PolarSSL 1.3.7 released on 2014-05-02
4572 * version_check_feature() added to check for compile-time options at
4573 run-time
4580 * AES-NI now compiles with "old" assemblers too
4596 big-endian platform when size was not an integer number of limbs
4603 = PolarSSL 1.3.6 released on 2014-04-11
4615 * pk_verify() now returns a specific error code when the signature is valid
4621 * Avoid potential timing leak in ecdsa_sign() by blinding modular division.
4624 This affects certificates in the user-supplied chain except the top
4625 certificate. If the user-supplied chain contains only one certificates,
4626 it is not affected (ie, its notAfter date is properly checked).
4627 * Prevent potential NULL pointer dereference in ssl_read_record() (found by
4633 * Potential memory leak in mpi_exp_mod() when error occurs during
4640 * Fix compile errors when POLARSSL_ERROR_STRERROR_BC is undefined (found by
4644 * dhm_parse_dhm() (hence dhm_parse_dhmfile()) did not set dhm->len.
4645 * Calling pk_debug() on an RSA-alt key would segfault.
4646 * pk_get_size() and pk_get_len() were off by a factor 8 for RSA-alt keys.
4647 * Potential buffer overwrite in pem_write_buffer() because of low length
4652 = PolarSSL 1.3.5 released on 2014-03-26
4654 * HMAC-DRBG as a separate module
4658 * Ability to force the entropy module to use SHA-256 as its basis
4660 * Testing script ssl-opt.sh added for testing 'live' ssl option
4668 now thread-safe if POLARSSL_THREADING_C defined
4679 "triple handshake" attack when authentication mode is 'optional' (the
4680 attack was already impossible when authentication is required).
4684 * Possible remotely-triggered out-of-bounds memory access fixed (found by
4691 * Fixed testing with out-of-source builds using cmake
4692 * Fixed version-major intolerance in server
4693 * Fixed CMake symlinking on out-of-source builds
4696 * Bignum's MIPS-32 assembly was used on MIPS-64, causing chaos. (Found by
4700 * Fixed bug with session tickets and non-blocking I/O in the unlikely case
4713 = PolarSSL 1.3.4 released on 2014-01-27
4716 * Support for RIPEMD-160
4721 * Potential memory leak in bignum_selftest()
4732 = PolarSSL 1.3.3 released on 2013-12-31
4738 * Support for ECDH-RSA and ECDH-ECDSA key exchanges and ciphersuites
4740 * AES-NI support for AES, AES-GCM and AES key scheduling
4741 * SSL Pthread-based server example added (ssl_pthread_server)
4748 * More constant-time checks in the RSA module
4755 * Fixed bug in mpi_set_bit() on platforms where t_uint is wider than int
4756 * Fixed X.509 hostname comparison (with non-regular characters)
4760 * Potential memory leak in ssl_ticket_keys_init()
4765 * Fixed potential overflow in certificate size verification in
4769 * Possible remotely-triggered out-of-bounds memory access fixed (found by
4772 = PolarSSL 1.3.2 released on 2013-11-04
4776 * Support for Camellia-GCM mode and ciphersuites
4779 * Padding checks in cipher layer are now constant-time
4780 * Value comparisons in SSL layer are now constant-time
4793 * Server-side initiated renegotiations send HelloRequest
4795 = PolarSSL 1.3.1 released on 2013-10-15
4798 * Support for ECDHE-PSK key-exchange and ciphersuites
4799 * Support for RSA-PSK key-exchange and ciphersuites
4805 * config.h is more script-friendly
4814 * threading_set_alt() name
4817 = PolarSSL 1.3.0 released on 2013-10-01
4822 (ECDHE-based ciphersuites)
4824 (ECDSA-based ciphersuites)
4826 * PSK and DHE-PSK based ciphersuites added
4828 * Buffer-based memory allocator added (no malloc() / free() / HEAP usage)
4835 * Support for zeros-and-length (ANSI X.923) padding, one-and-zeros
4836 (ISO/IEC 7816-4) padding and zero padding in the cipher layer
4849 * Introduced separate SSL Ciphersuites module that is based on
4851 * Internals for SSL module adapted to have separate IV pointer that is
4865 * Also compiles / runs without time-based functions (!POLARSSL_HAVE_TIME)
4877 (found by Cyril Arnaud and Pierre-Alain Fouque)
4880 = Version 1.2.14 released 2015-05-??
4883 * Fix potential invalid memory read in the server, that allows a client to
4885 * Fix potential invalid memory read in certificate parsing, that allows a
4886 client to crash the server remotely if client authentication is enabled
4888 * Add countermeasure against "Lucky 13 strikes back" cache-based attack,
4896 * Fix potential unintended sign extension in asn1_get_len() on 64-bit
4899 = Version 1.2.13 released 2015-02-16
4904 * Fix remotely-triggerable uninitialised pointer dereference caused by
4905 crafted X.509 certificate (TLS server is not affected if it doesn't ask
4907 * Fix remotely-triggerable memory leak caused by crafted X.509 certificates
4908 (TLS server is not affected if it doesn't ask for a client certificate)
4910 * Fix potential stack overflow while parsing crafted X.509 certificates
4911 (TLS server is not affected if it doesn't ask for a client certificate)
4914 (TLS server is not affected if it doesn't ask for a client certificate).
4917 * Fix potential undefined behaviour in Camellia.
4919 * Stack buffer overflow if ctr_drbg_update() is called with too large
4920 add_len (found by Jean-Philippe Aumasson) (not triggerable remotely).
4930 issue with some servers when a zero-length extension was sent. (Reported
4932 * On a 0-length input, base64_encode() did not correctly set output length
4936 * Blind RSA private operations even when POLARSSL_RSA_NO_CRT is defined.
4938 * Add compile-time option POLARSSL_X509_MAX_INTERMEDIATE_CA to limit the
4940 = Version 1.2.12 released 2014-10-24
4943 * Remotely-triggerable memory leak when parsing some X.509 certificates
4944 (server is not affected if it doesn't ask for a client certificate).
4948 * Fix potential bad read in parsing ServerHello (found by Adrien
4951 with non-blocking I/O.
4955 * Fix net_accept() regarding non-blocking sockets (found by Luca Pesce).
4956 * ssl_read() could return non-application data records on server while
4958 * Fix warnings from Clang's scan-build (contributed by Alfred Klomp).
4967 = Version 1.2.11 released 2014-07-11
4984 "triple handshake" attack when authentication mode is optional (the
4985 attack was already impossible when authentication is required).
4988 * Prevent potential NULL pointer dereference in ssl_read_record() (found by
4995 * Fixed X.509 hostname comparison (with non-regular characters)
5001 * Fixed potential overflow in certificate size verification in
5004 * Potential memory leak in bignum_selftest()
5008 * Fixed testing with out-of-source builds using cmake
5009 * Fixed version-major intolerance in server
5010 * Fixed CMake symlinking on out-of-source builds
5011 * Bignum's MIPS-32 assembly was used on MIPS-64, causing chaos. (Found by
5019 * Potential memory leak in mpi_exp_mod() when error occurs during
5026 big-endian platform when size was not an integer number of limbs
5037 = Version 1.2.10 released 2013-10-07
5039 * Changed RSA blinding to a slower but thread-safe version
5046 = Version 1.2.9 released 2013-10-01
5051 * Fixed potential memory leak when failing to resume a session
5052 * Fixed potential file descriptor leaks (found by Remi Gacogne)
5056 * Fixed potential heap buffer overflow on large hostname setting
5057 * Fixed potential negative value misinterpretation in load_file()
5059 (found by Cyril Arnaud and Pierre-Alain Fouque)
5061 = Version 1.2.8 released 2013-06-19
5065 * Centralized module option values in config.h to allow user-defined
5088 * x509parse_crtpath() is now reentrant and uses more portable stat()
5090 * Fixed values for 2-key Triple DES in cipher layer
5095 PEM-encoded certificates has been fixed (found by Jack Lloyd)
5097 = Version 1.2.7 released 2013-04-13
5102 * Default Blowfish keysize is now 128-bits
5109 = Version 1.2.6 released 2013-03-11
5112 * Corrected GCM counter incrementation to use only 32-bits instead of
5113 128-bits (found by Yawning Angel)
5114 * Fixes for 64-bit compilation with MS Visual Studio
5122 * Added support for custom labels when using rsa_rsaes_oaep_encrypt()
5124 * Re-added handling for SSLv2 Client Hello when the define
5125 POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO is set
5136 = Version 1.2.5 released 2013-02-02
5138 * Allow enabling of dummy error_strerror() to support some use-cases
5141 * Sending of security-relevant alert messages that do not break
5149 = Version 1.2.4 released 2013-01-25
5161 = Version 1.2.3 released 2012-11-26
5165 = Version 1.2.2 released 2012-11-24
5169 * During verify trust-CA is only checked for expiration and CRL presence
5175 = Version 1.2.1 released 2012-11-20
5177 * Depth that the certificate verify callback receives is now numbered
5178 bottom-up (Peer cert depth is 0)
5184 Pégourié-Gonnard)
5186 Pégourié-Gonnard)
5189 = Version 1.2.0 released 2012-10-31
5195 * Added support for multi-domain certificates through the X509 Subject
5196 Alternative Name extension
5222 * Fixed const-correctness mpi_get_bit()
5226 to not match CN if subjectAltName extension is present (Closes ticket #56)
5227 * Cipher layer cipher_mode_t POLARSSL_MODE_CFB128 is renamed to
5240 * Fixed potential heap corruption in x509_name allocation
5254 * Fixed potential memory zeroization on miscrafted RSA key (found by Eloi
5257 = Version 1.1.8 released on 2013-10-01
5259 * Fixed potential memory leak when failing to resume a session
5260 * Fixed potential file descriptor leaks
5263 * Potential buffer-overflow for ssl_read_record() (independently found by
5265 * Potential negative value misinterpretation in load_file()
5266 * Potential heap buffer overflow on large hostname setting
5268 = Version 1.1.7 released on 2013-06-19
5277 * Fixed values for 2-key Triple DES in cipher layer
5282 PEM-encoded certificates has been fixed (found by Jack Lloyd)
5284 = Version 1.1.6 released on 2013-03-11
5289 * Allow enabling of dummy error_strerror() to support some use-cases
5300 = Version 1.1.5 released on 2013-01-16
5311 Pégourié-Gonnard)
5313 Pégourié-Gonnard)
5321 * Fixed potential memory zeroization on miscrafted RSA key (found by Eloi
5324 = Version 1.1.4 released on 2012-05-31
5327 * Fixed potential heap corruption in x509_name allocation
5330 = Version 1.1.3 released on 2012-04-29
5334 = Version 1.1.2 released on 2012-04-26
5340 * Fixed potential memory corruption on miscrafted client messages (found by
5341 Frama-C team at CEA LIST)
5345 = Version 1.1.1 released on 2012-01-23
5349 * Fixed issues with Intel compiler on 64-bit systems (Closes ticket #50)
5353 = Version 1.1.0 released on 2011-12-22
5355 * Added ssl_session_reset() to allow better multi-connection pools of
5356 SSL contexts without needing to set all non-connection-specific
5363 * Added CTR_DRBG based on AES-256-CTR (NIST SP 800-90) random generator
5365 custom entropy sources and added some generic and platform dependent
5372 * Inceased maximum size of ASN1 length reads to 32-bits.
5376 So now there is a module that is controlled with POLARSSL_ASN1_PARSE_C.
5377 * Changed the defined key-length of DES ciphers in cipher.h to include the
5382 trade-off
5391 encountering a parse-error. Beware that the meaning of return values has
5396 * Fixed faulty HMAC-MD2 implementation. Found by dibac. (Closes
5402 * Fixed incorrect behaviour in case of RSASSA-PSS with a salt length
5404 * If certificate serial is longer than 32 octets, serial number is now
5407 * Fixed MS Visual C++ name clash with int64 in sha4.h
5411 = Version 1.0.0 released on 2011-07-27
5424 = Version 0.99-pre5 released on 2011-05-26
5445 is now done with a PLUS instead of an OR as error codes
5451 ssl_read() returns 0 if a POLARSSL_ERR_SSL_CONN_EOF is received
5457 = Version 0.99-pre4 released on 2011-04-01
5460 for the RSAES-OAEP and RSASSA-PSS operations.
5475 platform (32-bit / 64-bit) (Fixes ticket #19, found by Mads
5479 * Fixed proper handling of RSASSA-PSS verification with variable
5482 = Version 0.99-pre3 released on 2011-02-28
5483 This release replaces version 0.99-pre2 which had possible copyright issues.
5500 * Support more exotic name representations when parsing
5508 * Fixed a possible Man-in-the-Middle attack on the
5512 = Version 0.99-pre1 released on 2011-01-30
5514 Note: Most of these features have been donated by Fox-IT
5531 libpkcs11-helper library
5539 with the generic cipher layer and is better naming
5542 = Version 0.14.0 released on 2010-08-16
5546 * Added compile-time and run-time version information
5566 = Version 0.13.1 released on 2010-03-24
5571 = Version 0.13.0 released on 2010-03-21
5582 * X509 signature algorithm determination is now
5587 * Added reset function for HMAC context as speed-up
5588 for specific use-cases
5599 = Version 0.12.1 released on 2009-10-04
5610 = Version 0.12.0 released on 2009-07-28
5614 Base64, MPI, SHA-family, MD-family, HMAC-SHA-family,
5615 Camellia, DES, 3-DES, RSA PKCS#1, XTEA, Diffie-Hellman
5620 this is mind when checking for errors.
5622 * Fixed typo in name of POLARSSL_ERR_RSA_OUTPUT_TOO_LARGE.
5629 * Fixed include location of endian.h and name clash on
5631 * Fixed HMAC-MD2 by modifying md2_starts(), so that the
5652 * Fixed Camellia and XTEA for 64-bit Windows systems.
5654 = Version 0.11.1 released on 2009-05-17
5655 * Fixed missing functionality for SHA-224, SHA-256, SHA384,
5656 SHA-512 in rsa_pkcs1_sign()
5658 = Version 0.11.0 released on 2009-05-03
5662 * Added support for SHA-224, SHA-256, SHA-384 and SHA-512
5672 * Made definition of net_htons() endian-clean for big endian
5676 * Fixed an off-by-one buffer allocation in ssl_set_hostname()
5681 * Fixed compatibility of XTEA and Camellia on a 64-bit system
5684 = Version 0.10.0 released on 2009-01-12
5696 = Version 0.9 released on 2008-03-16
5702 be sent twice in non-blocking mode when send returns EAGAIN
5705 * Added user-defined callback debug function (Krystian Kolodziej)
5711 output data is non-aligned by falling back to the software
5712 implementation, as VIA Nehemiah cannot handle non-aligned buffers
5714 Robson-Garth; some x509write.c fixes by Pascal Vizeli, thanks to
5721 string is passed as the CN (bug reported by spoofy)
5723 * Updated rsa_check_privkey() to verify that (D*E) = 1 % (P-1)*(Q-1)
5728 * Fixed a critical denial-of-service with X.509 cert. verification:
5731 * Added test vectors for: AES-CBC, AES-CFB, DES-CBC and 3DES-CBC,
5732 HMAC-MD5, HMAC-SHA1, HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512
5733 * Fixed HMAC-SHA-384 and HMAC-SHA-512 (thanks to Josh Sinykin)
5736 as the Klima-Pokorny-Rosa extension of Bleichenbacher's attack
5737 * Updated rsa_gen_key() so that ctx->N is always nbits in size
5741 = Version 0.8 released on 2007-10-20
5749 * Added user-defined callbacks for handling I/O and sessions
5753 * Added AES-CFB mode of operation, contributed by chmike
5757 * Updated ssl_read() to skip 0-length records from OpenSSL
5759 * Fixed a bug in mpi_read_binary() on 64-bit platforms
5766 = Version 0.7 released on 2007-07-07
5768 * Added support for the MicroBlaze soft-core processor
5770 connections from being established with non-blocking I/O
5774 * Added the SHA-224, SHA-384 and SHA-512 hash functions
5782 = Version 0.6 released on 2007-04-01
5788 * Added multiply assembly code for 64-bit PowerPCs,
5792 * Fixed "long long" compilation issues on IA-64 and PPC64
5793 * Fixed a bug introduced in xyssl-0.5/timing.c: hardclock
5796 = Version 0.5 released on 2007-03-01
5799 * Added (beta) support for non-blocking I/O operations
5802 (thanks to Benjamin Newman), HP-UX, FreeBSD and Solaris
5807 = Version 0.4 released on 2007-02-01
5809 * Added support for Ephemeral Diffie-Hellman key exchange
5820 = Version 0.3 released on 2007-01-01
5822 * Added server-side SSLv3 and TLSv1.0 support
5826 the bignum code is no longer dependent on long long
5831 = Version 0.2 released on 2006-12-01
5842 the Miller-Rabin primality test
5846 who maintains the Debian package :-)
5848 = Version 0.1 released on 2006-11-01