1Mbed TLS ChangeLog (Sorted per branch, date) 2 3= Mbed TLS 2.28.7 branch released 2024-01-26 4 5Security 6 * Fix a timing side channel in private key RSA operations. This side channel 7 could be sufficient for an attacker to recover the plaintext. A local 8 attacker or a remote attacker who is close to the victim on the network 9 might have precise enough timing measurements to exploit this. It requires 10 the attacker to send a large number of messages for decryption. For 11 details, see "Everlasting ROBOT: the Marvin Attack", Hubert Kario. Reported 12 by Hubert Kario, Red Hat. 13 * Fix a failure to validate input when writing x509 extensions lengths which 14 could result in an integer overflow, causing a zero-length buffer to be 15 allocated to hold the extension. The extension would then be copied into 16 the buffer, causing a heap buffer overflow. 17 18= Mbed TLS 2.28.6 branch released 2023-11-06 19 20Changes 21 * Mbed TLS is now released under a dual Apache-2.0 OR GPL-2.0-or-later 22 license. Users may choose which license they take the code under. 23 24= Mbed TLS 2.28.5 branch released 2023-10-05 25 26Features 27 * The documentation of mbedtls_ecp_group now describes the optimized 28 representation of A for some curves. Fixes #8045. 29 30Security 31 * Developers using mbedtls_pkcs5_pbes2() or mbedtls_pkcs12_pbe() should 32 review the size of the output buffer passed to this function, and note 33 that the output after decryption may include CBC padding. Consider moving 34 to the new functions mbedtls_pkcs5_pbes2_ext() or mbedtls_pkcs12_pbe_ext() 35 which checks for overflow of the output buffer and reports the actual 36 length of the output. 37 * Improve padding calculations in CBC decryption, NIST key unwrapping and 38 RSA OAEP decryption. With the previous implementation, some compilers 39 (notably recent versions of Clang and IAR) could produce non-constant 40 time code, which could allow a padding oracle attack if the attacker 41 has access to precise timing measurements. 42 * Fix a buffer overread when parsing short TLS application data records in 43 ARC4 or null-cipher cipher suites. Credit to OSS-Fuzz. 44 45Bugfix 46 * Fix x509 certificate generation to conform to RFC 5480 / RFC 5758 when 47 using ECC key. The certificate was rejected by some crypto frameworks. 48 Fixes #2924. 49 * Fix some cases where mbedtls_mpi_mod_exp, RSA key construction or ECDSA 50 signature can silently return an incorrect result in low memory conditions. 51 * Fix IAR compiler warnings. Fixes #7873, #4300. 52 * Fix an issue when parsing an otherName subject alternative name into a 53 mbedtls_x509_san_other_name struct. The type-id of the otherName was not 54 copied to the struct. This meant that the struct had incomplete 55 information about the otherName SAN and contained uninitialized memory. 56 * Fix the detection of HardwareModuleName otherName SANs. These were being 57 detected by comparing the wrong field and the check was erroneously 58 inverted. 59 * Fix an error when MBEDTLS_ECDSA_SIGN_ALT is defined but not 60 MBEDTLS_ECDSA_VERIFY_ALT, causing ecdsa verify to fail. Fixes #7498. 61 * Functions in the ssl_cache module now return a negative MBEDTLS_ERR_xxx 62 error code on failure. Before, they returned 1 to indicate failure in 63 some cases involving a missing entry or a full cache. 64 65Changes 66 * In configurations with ARIA or Camellia but not AES, the value of 67 MBEDTLS_CIPHER_BLKSIZE_MAX was 8, rather than 16 as the name might 68 suggest. This did not affect any library code, because this macro was 69 only used in relation with CMAC which does not support these ciphers. 70 Its value is now 16 if ARIA or Camellia are present. This may affect 71 application code that uses this macro. 72 73= Mbed TLS 2.28.4 branch released 2023-08-04 74 75Features 76 * Allow MBEDTLS_CONFIG_FILE and MBEDTLS_USER_CONFIG_FILE to be set by 77 setting the CMake variable of the same name at configuration time. 78 79Bugfix 80 * Fix crypt_and_hash decryption fail when used with a stream cipher 81 mode of operation, due to the input not being a multiple of the block 82 size. Resolves #7417. 83 * Fix a bug where mbedtls_x509_string_to_names() would return success 84 when given a invalid name string, if it did not contain '=' or ','. 85 * Fix missing PSA initialization in sample programs when 86 MBEDTLS_USE_PSA_CRYPTO is enabled. 87 * Fix clang and armclang compilation error when targeting certain Arm 88 M-class CPUs (Cortex-M0, Cortex-M0+, Cortex-M1, Cortex-M23, 89 SecurCore SC000). Fixes #1077. 90 * Fixed an issue that caused compile errors when using CMake and the IAR 91 toolchain. 92 * Fix the build with MBEDTLS_PSA_INJECT_ENTROPY. Fixes #7516. 93 * Fix builds on Windows with clang. 94 * Fix compilation warnings in aes.c for certain combinations 95 of configuration options. 96 * Fix a compilation error on some platforms when including mbedtls/ssl.h 97 with all TLS support disabled. Fixes #6628. 98 99Changes 100 * Update test data to avoid failures of unit tests after 2023-08-07, and 101 update expiring certififcates in the certs module. 102 103= Mbed TLS 2.28.3 branch released 2023-03-28 104 105Features 106 * Use HOSTCC (if it is set) when compiling C code during generation of the 107 configuration-independent files. This allows them to be generated when 108 CC is set for cross compilation. 109 * AES-NI is now supported with Visual Studio. 110 * AES-NI is now supported in 32-bit builds, or when MBEDTLS_HAVE_ASM 111 is disabled, when compiling with GCC or Clang or a compatible compiler 112 for a target CPU that supports the requisite instructions (for example 113 gcc -m32 -msse2 -maes -mpclmul). (Generic x86 builds with GCC-like 114 compilers still require MBEDTLS_HAVE_ASM and a 64-bit target.) 115 116Security 117 * MBEDTLS_AESNI_C, which is enabled by default, was silently ignored on 118 builds that couldn't compile the GCC-style assembly implementation 119 (most notably builds with Visual Studio), leaving them vulnerable to 120 timing side-channel attacks. There is now an intrinsics-based AES-NI 121 implementation as a fallback for when the assembly one cannot be used. 122 123Bugfix 124 * Fix a build issue on Windows where the source and build directory could 125 not be on different drives (#5751). 126 * Fix possible integer overflow in mbedtls_timing_hardclock(), which 127 could cause a crash for certain platforms & compiler options. 128 * Fix IAR compiler warnings. Fixes #6924. 129 * Fix a bug in the build where directory names containing spaces were 130 causing generate_errors.pl to error out resulting in a build failure. 131 Fixes issue #6879. 132 * Fix compile error where MBEDTLS_RSA_C and MBEDTLS_X509_CRT_WRITE_C are 133 defined, but MBEDTLS_PK_RSA_ALT_SUPPORT is not defined. Fixes #3174. 134 * Fix a build issue when defining MBEDTLS_TIMING_ALT and MBEDTLS_SELF_TEST. 135 The library would not link if the user didn't provide an external self-test 136 function. The self-test is now provided regardless of the choice of 137 internal/alternative timing implementation. Fixes #6923. 138 * mbedtls_x509write_crt_set_serial() now explicitly rejects serial numbers 139 whose binary representation is longer than 20 bytes. This was already 140 forbidden by the standard (RFC5280 - section 4.1.2.2) and now it's being 141 enforced also at code level. 142 * Fix potential undefined behavior in mbedtls_mpi_sub_abs(). Reported by 143 Pascal Cuoq using TrustInSoft Analyzer in #6701; observed independently by 144 Aaron Ucko under Valgrind. 145 * Fix behavior of certain sample programs which could, when run with no 146 arguments, access uninitialized memory in some cases. Fixes #6700 (which 147 was found by TrustInSoft Analyzer during REDOCS'22) and #1120. 148 * Fix build errors in test programs when MBEDTLS_CERTS_C is disabled. 149 Fixes #6243. 150 * Fix parsing of X.509 SubjectAlternativeName extension. Previously, 151 malformed alternative name components were not caught during initial 152 certificate parsing, but only on subsequent calls to 153 mbedtls_x509_parse_subject_alt_name(). Fixes #2838. 154 * Fix bug in conversion from OID to string in 155 mbedtls_oid_get_numeric_string(). OIDs such as 2.40.0.25 are now printed 156 correctly. 157 * Reject OIDs with overlong-encoded subidentifiers when converting 158 them to a string. 159 * Reject OIDs with subidentifier values exceeding UINT_MAX. Such 160 subidentifiers can be valid, but Mbed TLS cannot currently handle them. 161 * Reject OIDs that have unterminated subidentifiers, or (equivalently) 162 have the most-significant bit set in their last byte. 163 * Silence a warning about an unused local variable in bignum.c on 164 some architectures. Fixes #7166. 165 * Silence warnings from clang -Wdocumentation about empty \retval 166 descriptions, which started appearing with Clang 15. Fixes #6960. 167 * Fix undefined behavior in mbedtls_ssl_read() and mbedtls_ssl_write() if 168 len argument is 0 and buffer is NULL. 169 170Changes 171 * The C code follows a new coding style. This is transparent for users but 172 affects contributors and maintainers of local patches. For more 173 information, see 174 https://mbed-tls.readthedocs.io/en/latest/kb/how-to/rewrite-branch-for-coding-style/ 175 * Changed the default MBEDTLS_ECP_WINDOW_SIZE from 6 to 2. 176 As tested in issue 6790, the correlation between this define and 177 RSA decryption performance has changed lately due to security fixes. 178 To fix the performance degradation when using default values the 179 window was reduced from 6 to 2, a value that gives the best or close 180 to best results when tested on Cortex-M4 and Intel i7. 181 182= Mbed TLS 2.28.2 branch released 2022-12-14 183 184Security 185 * Fix potential heap buffer overread and overwrite in DTLS if 186 MBEDTLS_SSL_DTLS_CONNECTION_ID is enabled and 187 MBEDTLS_SSL_CID_IN_LEN_MAX > 2 * MBEDTLS_SSL_CID_OUT_LEN_MAX. 188 * Fix an issue where an adversary with access to precise enough information 189 about memory accesses (typically, an untrusted operating system attacking 190 a secure enclave) could recover an RSA private key after observing the 191 victim performing a single private-key operation if the window size used 192 for the exponentiation was 3 or smaller. Found and reported by Zili KOU, 193 Wenjian HE, Sharad Sinha, and Wei ZHANG. See "Cache Side-channel Attacks 194 and Defenses of the Sliding Window Algorithm in TEEs" - Design, Automation 195 and Test in Europe 2023. 196 197Bugfix 198 * Fix a long-standing build failure when building x86 PIC code with old 199 gcc (4.x). The code will be slower, but will compile. We do however 200 recommend upgrading to a more recent compiler instead. Fixes #1910. 201 * Fix support for little-endian Microblaze when MBEDTLS_HAVE_ASM is defined. 202 Contributed by Kazuyuki Kimura to fix #2020. 203 * Use double quotes to include private header file psa_crypto_cipher.h. 204 Fixes 'file not found with <angled> include' error 205 when building with Xcode. 206 * Fix handling of broken symlinks when loading certificates using 207 mbedtls_x509_crt_parse_path(). Instead of returning an error as soon as a 208 broken link is encountered, skip the broken link and continue parsing 209 other certificate files. Contributed by Eduardo Silva in #2602. 210 * Fix a compilation error when using CMake with an IAR toolchain. 211 Fixes #5964. 212 * Fix bugs and missing dependencies when building and testing 213 configurations with only one encryption type enabled in TLS 1.2. 214 * Provide the missing definition of mbedtls_setbuf() in some configurations 215 with MBEDTLS_PLATFORM_C disabled. Fixes #6118, #6196. 216 * Fix compilation errors when trying to build with 217 PSA drivers for AEAD (GCM, CCM, Chacha20-Poly1305). 218 * Fix memory leak in ssl_parse_certificate_request() caused by 219 mbedtls_x509_get_name() not freeing allocated objects in case of error. 220 Change mbedtls_x509_get_name() to clean up allocated objects on error. 221 * Fix checks on PK in check_config.h for builds with PSA and RSA. This does 222 not change which builds actually work, only moving a link-time error to 223 an early check. 224 * Fix ECDSA verification, where it was not always validating the 225 public key. This bug meant that it was possible to verify a 226 signature with an invalid public key, in some cases. Reported by 227 Guido Vranken using Cryptofuzz in #4420. 228 * Fix a possible null pointer dereference if a memory allocation fails 229 in TLS PRF code. Reported by Michael Madsen in #6516. 230 * Fix a bug in which mbedtls_x509_crt_info() would produce non-printable 231 bytes when parsing certificates containing a binary RFC 4108 232 HardwareModuleName as a Subject Alternative Name extension. Hardware 233 serial numbers are now rendered in hex format. Fixes #6262. 234 * Fix bug in error reporting in dh_genprime.c where upon failure, 235 the error code returned by mbedtls_mpi_write_file() is overwritten 236 and therefore not printed. 237 * In the bignum module, operations of the form (-A) - (+A) or (-A) - (-A) 238 with A > 0 created an unintended representation of the value 0 which was 239 not processed correctly by some bignum operations. Fix this. This had no 240 consequence on cryptography code, but might affect applications that call 241 bignum directly and use negative numbers. 242 * Fix undefined behavior (typically harmless in practice) of 243 mbedtls_mpi_add_mpi(), mbedtls_mpi_add_abs() and mbedtls_mpi_add_int() 244 when both operands are 0 and the left operand is represented with 0 limbs. 245 * Fix undefined behavior (typically harmless in practice) when some bignum 246 functions receive the most negative value of mbedtls_mpi_sint. Credit 247 to OSS-Fuzz. Fixes #6597. 248 * Fix undefined behavior (typically harmless in practice) in PSA ECB 249 encryption and decryption. 250 251= Mbed TLS 2.28.1 branch released 2022-07-11 252 253Default behavior changes 254 * mbedtls_cipher_set_iv will now fail with ChaCha20 and ChaCha20+Poly1305 255 for IV lengths other than 12. The library was silently overwriting this 256 length with 12, but did not inform the caller about it. Fixes #4301. 257 258Features 259 * When MBEDTLS_PSA_CRYPTO_CONFIG is enabled, you may list the PSA crypto 260 feature requirements in the file named by the new macro 261 MBEDTLS_PSA_CRYPTO_CONFIG_FILE instead of the default psa/crypto_config.h. 262 Furthermore you may name an additional file to include after the main 263 file with the macro MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE. 264 265Security 266 * Zeroize dynamically-allocated buffers used by the PSA Crypto key storage 267 module before freeing them. These buffers contain secret key material, and 268 could thus potentially leak the key through freed heap. 269 * Fix a potential heap buffer overread in TLS 1.2 server-side when 270 MBEDTLS_USE_PSA_CRYPTO is enabled, an opaque key (created with 271 mbedtls_pk_setup_opaque()) is provisioned, and a static ECDH ciphersuite 272 is selected. This may result in an application crash or potentially an 273 information leak. 274 * Fix a buffer overread in DTLS ClientHello parsing in servers with 275 MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE enabled. An unauthenticated client 276 or a man-in-the-middle could cause a DTLS server to read up to 255 bytes 277 after the end of the SSL input buffer. The buffer overread only happens 278 when MBEDTLS_SSL_IN_CONTENT_LEN is less than a threshold that depends on 279 the exact configuration: 258 bytes if using mbedtls_ssl_cookie_check(), 280 and possibly up to 571 bytes with a custom cookie check function. 281 Reported by the Cybeats PSI Team. 282 283Bugfix 284 * Fix a memory leak if mbedtls_ssl_config_defaults() is called twice. 285 * Fix several bugs (warnings, compiler and linker errors, test failures) 286 in reduced configurations when MBEDTLS_USE_PSA_CRYPTO is enabled. 287 * Fix a bug in (D)TLS curve negotiation: when MBEDTLS_USE_PSA_CRYPTO was 288 enabled and an ECDHE-ECDSA or ECDHE-RSA key exchange was used, the 289 client would fail to check that the curve selected by the server for 290 ECDHE was indeed one that was offered. As a result, the client would 291 accept any curve that it supported, even if that curve was not allowed 292 according to its configuration. Fixes #5291. 293 * Fix unit tests that used 0 as the file UID. This failed on some 294 implementations of PSA ITS. Fixes #3838. 295 * Fix API violation in mbedtls_md_process() test by adding a call to 296 mbedtls_md_starts(). Fixes #2227. 297 * Fix compile errors when MBEDTLS_HAVE_TIME is not defined. Add tests 298 to catch bad uses of time.h. 299 * Fix the library search path when building a shared library with CMake 300 on Windows. 301 * Fix bug in the alert sending function mbedtls_ssl_send_alert_message() 302 potentially leading to corrupted alert messages being sent in case 303 the function needs to be re-called after initially returning 304 MBEDTLS_SSL_WANT_WRITE. Fixes #1916. 305 * In configurations with MBEDTLS_SSL_DTLS_CONNECTION_ID enabled but none of 306 MBEDTLS_SSL_HW_RECORD_ACCEL, MBEDTLS_SSL_EXPORT_KEYS or MBEDTLS_DEBUG_C, 307 DTLS handshakes using CID would crash due to a null pointer dereference. 308 Fix this. Fixes #3998. 309 * Fix incorrect documentation of mbedtls_x509_crt_profile. The previous 310 documentation stated that the `allowed_pks` field applies to signatures 311 only, but in fact it does apply to the public key type of the end entity 312 certificate, too. Fixes #1992. 313 * Fix PSA cipher multipart operations using ARC4. Previously, an IV was 314 required but discarded. Now, an IV is rejected, as it should be. 315 * Fix undefined behavior in mbedtls_asn1_find_named_data(), where val is 316 not NULL and val_len is zero. 317 * psa_raw_key_agreement() now returns PSA_ERROR_BUFFER_TOO_SMALL when 318 applicable. Fixes #5735. 319 * Fix a bug in the x25519 example program where the removal of 320 MBEDTLS_ECDH_LEGACY_CONTEXT caused the program not to run. Fixes #4901 and 321 #3191. 322 * Encode X.509 dates before 1/1/2000 as UTCTime rather than 323 GeneralizedTime. Fixes #5465. 324 * Fix order value of curve x448. 325 * Fix string representation of DNs when outputting values containing commas 326 and other special characters, conforming to RFC 1779. Fixes #769. 327 * Silence a warning from GCC 12 in the selftest program. Fixes #5974. 328 * Fix mbedtls_asn1_write_mpi() writing an incorrect encoding of 0. 329 * Fix resource leaks in mbedtls_pk_parse_public_key() in low 330 memory conditions. 331 * Fix server connection identifier setting for outgoing encrypted records 332 on DTLS 1.2 session resumption. After DTLS 1.2 session resumption with 333 connection identifier, the Mbed TLS client now properly sends the server 334 connection identifier in encrypted record headers. Fix #5872. 335 * Fix a null pointer dereference when performing some operations on zero 336 represented with 0 limbs (specifically mbedtls_mpi_mod_int() dividing 337 by 2, and mbedtls_mpi_write_string() in base 2). 338 * Fix record sizes larger than 16384 being sometimes accepted despite being 339 non-compliant. This could not lead to a buffer overflow. In particular, 340 application data size was already checked correctly. 341 342Changes 343 * Assume source files are in UTF-8 when using MSVC with CMake. 344 345= mbed TLS 2.28.0 branch released 2021-12-17 346 347API changes 348 * Some fields of mbedtls_ssl_session and mbedtls_ssl_config are in a 349 different order. This only affects applications that define such 350 structures directly or serialize them. 351 352Requirement changes 353 * Sign-magnitude and one's complement representations for signed integers are 354 not supported. Two's complement is the only supported representation. 355 356Removals 357 * Remove config option MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES, 358 which allowed SHA-1 in the default TLS configuration for certificate 359 signing. It was intended to facilitate the transition in environments 360 with SHA-1 certificates. SHA-1 is considered a weak message digest and 361 its use constitutes a security risk. 362 * Remove the partial support for running unit tests via Greentea on Mbed OS, 363 which had been unmaintained since 2018. 364 365Features 366 * The identifier of the CID TLS extension can be configured by defining 367 MBEDTLS_TLS_EXT_CID at compile time. 368 * Warn if errors from certain functions are ignored. This is currently 369 supported on GCC-like compilers and on MSVC and can be configured through 370 the macro MBEDTLS_CHECK_RETURN. The warnings are always enabled 371 (where supported) for critical functions where ignoring the return 372 value is almost always a bug. Enable the new configuration option 373 MBEDTLS_CHECK_RETURN_WARNING to get warnings for other functions. This 374 is currently implemented in the AES, DES and md modules, and will be 375 extended to other modules in the future. 376 * Add missing PSA macros declared by PSA Crypto API 1.0.0: 377 PSA_ALG_IS_SIGN_HASH, PSA_ALG_NONE, PSA_HASH_BLOCK_LENGTH, PSA_KEY_ID_NULL. 378 * Add new API mbedtls_ct_memcmp for constant time buffer comparison. 379 * Add PSA API definition for ARIA. 380 381Security 382 * Zeroize several intermediate variables used to calculate the expected 383 value when verifying a MAC or AEAD tag. This hardens the library in 384 case the value leaks through a memory disclosure vulnerability. For 385 example, a memory disclosure vulnerability could have allowed a 386 man-in-the-middle to inject fake ciphertext into a DTLS connection. 387 * In psa_cipher_generate_iv() and psa_cipher_encrypt(), do not read back 388 from the output buffer. This fixes a potential policy bypass or decryption 389 oracle vulnerability if the output buffer is in memory that is shared with 390 an untrusted application. 391 * Fix a double-free that happened after mbedtls_ssl_set_session() or 392 mbedtls_ssl_get_session() failed with MBEDTLS_ERR_SSL_ALLOC_FAILED 393 (out of memory). After that, calling mbedtls_ssl_session_free() 394 and mbedtls_ssl_free() would cause an internal session buffer to 395 be free()'d twice. 396 397Bugfix 398 * Stop using reserved identifiers as local variables. Fixes #4630. 399 * The GNU makefiles invoke python3 in preference to python except on Windows. 400 The check was accidentally not performed when cross-compiling for Windows 401 on Linux. Fix this. Fixes #4774. 402 * Prevent divide by zero if either of PSA_CIPHER_ENCRYPT_OUTPUT_SIZE() or 403 PSA_CIPHER_UPDATE_OUTPUT_SIZE() were called using an asymmetric key type. 404 * Fix a parameter set but unused in psa_crypto_cipher.c. Fixes #4935. 405 * Don't use the obsolete header path sys/fcntl.h in unit tests. 406 These header files cause compilation errors in musl. 407 Fixes #4969. 408 * Fix missing constraints on x86_64 and aarch64 assembly code 409 for bignum multiplication that broke some bignum operations with 410 (at least) Clang 12. 411 Fixes #4116, #4786, #4917, #4962. 412 * Fix mbedtls_cipher_crypt: AES-ECB when MBEDTLS_USE_PSA_CRYPTO is enabled. 413 * Failures of alternative implementations of AES or DES single-block 414 functions enabled with MBEDTLS_AES_ENCRYPT_ALT, MBEDTLS_AES_DECRYPT_ALT, 415 MBEDTLS_DES_CRYPT_ECB_ALT or MBEDTLS_DES3_CRYPT_ECB_ALT were ignored. 416 This does not concern the implementation provided with Mbed TLS, 417 where this function cannot fail, or full-module replacements with 418 MBEDTLS_AES_ALT or MBEDTLS_DES_ALT. Reported by Armelle Duboc in #1092. 419 * Some failures of HMAC operations were ignored. These failures could only 420 happen with an alternative implementation of the underlying hash module. 421 * Fix the error returned by psa_generate_key() for a public key. Fixes #4551. 422 * Fix the build of sample programs when neither MBEDTLS_ERROR_C nor 423 MBEDTLS_ERROR_STRERROR_DUMMY is enabled. 424 * Fix PSA_ALG_RSA_PSS verification accepting an arbitrary salt length. 425 This algorithm now accepts only the same salt length for verification 426 that it produces when signing, as documented. Use the new algorithm 427 PSA_ALG_RSA_PSS_ANY_SALT to accept any salt length. Fixes #4946. 428 * The existing predicate macro name PSA_ALG_IS_HASH_AND_SIGN is now reserved 429 for algorithm values that fully encode the hashing step, as per the PSA 430 Crypto API specification. This excludes PSA_ALG_RSA_PKCS1V15_SIGN_RAW and 431 PSA_ALG_ECDSA_ANY. The new predicate macro PSA_ALG_IS_SIGN_HASH covers 432 all algorithms that can be used with psa_{sign,verify}_hash(), including 433 these two. 434 * Fix issue in Makefile on Linux with SHARED=1, that caused shared libraries 435 not to list other shared libraries they need. 436 * Fix a bug in mbedtls_gcm_starts() when the bit length of the iv 437 exceeds 2^32. Fixes #4884. 438 * Fix an uninitialized variable warning in test_suite_ssl.function with GCC 439 version 11. 440 * Fix the build when no SHA2 module is included. Fixes #4930. 441 * Fix the build when only the bignum module is included. Fixes #4929. 442 * Fix a potential invalid pointer dereference and infinite loop bugs in 443 pkcs12 functions when the password is empty. Fix the documentation to 444 better describe the inputs to these functions and their possible values. 445 Fixes #5136. 446 * The key usage flags PSA_KEY_USAGE_SIGN_MESSAGE now allows the MAC 447 operations psa_mac_compute() and psa_mac_sign_setup(). 448 * The key usage flags PSA_KEY_USAGE_VERIFY_MESSAGE now allows the MAC 449 operations psa_mac_verify() and psa_mac_verify_setup(). 450 451Changes 452 * Set config option MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE to be 453 disabled by default. 454 * Improve the performance of base64 constant-flow code. The result is still 455 slower than the original non-constant-flow implementation, but much faster 456 than the previous constant-flow implementation. Fixes #4814. 457 * Indicate in the error returned if the nonce length used with 458 ChaCha20-Poly1305 is invalid, and not just unsupported. 459 * The mbedcrypto library includes a new source code module constant_time.c, 460 containing various functions meant to resist timing side channel attacks. 461 This module does not have a separate configuration option, and functions 462 from this module will be included in the build as required. Currently 463 most of the interface of this module is private and may change at any 464 time. 465 466= mbed TLS 2.27.0 branch released 2021-07-07 467 468API changes 469 * Update AEAD output size macros to bring them in line with the PSA Crypto 470 API version 1.0 spec. This version of the spec parameterizes them on the 471 key type used, as well as the key bit-size in the case of 472 PSA_AEAD_TAG_LENGTH. 473 The old versions of these macros were renamed and deprecated as follows: 474 - PSA_AEAD_TAG_LENGTH -> PSA_AEAD_TAG_LENGTH_1_ARG 475 - PSA_AEAD_ENCRYPT_OUTPUT_SIZE -> PSA_AEAD_ENCRYPT_OUTPUT_SIZE_2_ARG 476 - PSA_AEAD_DECRYPT_OUTPUT_SIZE -> PSA_AEAD_DECRYPT_OUTPUT_SIZE_2_ARG 477 - PSA_AEAD_UPDATE_OUTPUT_SIZE -> PSA_AEAD_UPDATE_OUTPUT_SIZE_2_ARG 478 - PSA_AEAD_FINISH_OUTPUT_SIZE -> PSA_AEAD_FINISH_OUTPUT_SIZE_1_ARG 479 - PSA_AEAD_VERIFY_OUTPUT_SIZE -> PSA_AEAD_VERIFY_OUTPUT_SIZE_1_ARG 480 * Implement one-shot cipher functions, psa_cipher_encrypt and 481 psa_cipher_decrypt, according to the PSA Crypto API 1.0.0 482 specification. 483 484Requirement changes 485 * The library now uses the %zu format specifier with the printf() family of 486 functions, so requires a toolchain that supports it. This change does not 487 affect the maintained LTS branches, so when contributing changes please 488 bear this in mind and do not add them to backported code. 489 490Features 491 * Add mbedtls_rsa_rsassa_pss_sign_ext() function allowing to generate a 492 signature with a specific salt length. This function allows to validate 493 test cases provided in the NIST's CAVP test suite. Contributed by Cédric 494 Meuter in PR #3183. 495 * Added support for built-in driver keys through the PSA opaque crypto 496 driver interface. Refer to the documentation of 497 MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS for more information. 498 * Implement psa_sign_message() and psa_verify_message(). 499 * The new function mbedtls_mpi_random() generates a random value in a 500 given range uniformly. 501 * Implement psa_mac_compute() and psa_mac_verify() as defined in the 502 PSA Cryptograpy API 1.0.0 specification. 503 * MBEDTLS_ECP_MAX_BITS is now determined automatically from the configured 504 curves and no longer needs to be configured explicitly to save RAM. 505 506Security 507 * Fix a bias in the generation of finite-field Diffie-Hellman-Merkle (DHM) 508 private keys and of blinding values for DHM and elliptic curves (ECP) 509 computations. Reported by FlorianF89 in #4245. 510 * Fix a potential side channel vulnerability in ECDSA ephemeral key generation. 511 An adversary who is capable of very precise timing measurements could 512 learn partial information about the leading bits of the nonce used for the 513 signature, allowing the recovery of the private key after observing a 514 large number of signature operations. This completes a partial fix in 515 Mbed TLS 2.20.0. 516 * It was possible to configure MBEDTLS_ECP_MAX_BITS to a value that is 517 too small, leading to buffer overflows in ECC operations. Fail the build 518 in such a case. 519 * Fix an issue where an adversary with access to precise enough information 520 about memory accesses (typically, an untrusted operating system attacking 521 a secure enclave) could recover an RSA private key after observing the 522 victim performing a single private-key operation. Found and reported by 523 Zili KOU, Wenjian HE, Sharad Sinha, and Wei ZHANG. 524 * Fix an issue where an adversary with access to precise enough timing 525 information (typically, a co-located process) could recover a Curve25519 526 or Curve448 static ECDH key after inputting a chosen public key and 527 observing the victim performing the corresponding private-key operation. 528 Found and reported by Leila Batina, Lukas Chmielewski, Björn Haase, Niels 529 Samwel and Peter Schwabe. 530 531Bugfix 532 * Add printf function attributes to mbedtls_debug_print_msg to ensure we 533 get printf format specifier warnings. 534 * Fix premature fopen() call in mbedtls_entropy_write_seed_file which may 535 lead to seed file corruption in the case where the path to the seed file is 536 equal to MBEDTLS_PLATFORM_STD_NV_SEED_FILE. Contributed by Victor 537 Krasnoshchok in #3616. 538 * PSA functions other than psa_open_key now return PSA_ERROR_INVALID_HANDLE 539 rather than PSA_ERROR_DOES_NOT_EXIST for an invalid handle, bringing them 540 in line with version 1.0.0 of the specification. Fix #4162. 541 * PSA functions creating a key now return PSA_ERROR_INVALID_ARGUMENT rather 542 than PSA_ERROR_INVALID_HANDLE when the identifier specified for the key 543 to create is not valid, bringing them in line with version 1.0.0 of the 544 specification. Fix #4271. 545 * Fix some cases in the bignum module where the library constructed an 546 unintended representation of the value 0 which was not processed 547 correctly by some bignum operations. This could happen when 548 mbedtls_mpi_read_string() was called on "-0", or when 549 mbedtls_mpi_mul_mpi() and mbedtls_mpi_mul_int() was called with one of 550 the arguments being negative and the other being 0. Fixes #4643. 551 * Fix a bug in ECDSA that would cause it to fail when the hash is all-bits 552 zero. Fixes #1792 553 * Fix a compilation error when MBEDTLS_ECP_RANDOMIZE_MXZ_ALT is 554 defined. Fixes #4217. 555 * Fix an incorrect error code when parsing a PKCS#8 private key. 556 * In a TLS client, enforce the Diffie-Hellman minimum parameter size 557 set with mbedtls_ssl_conf_dhm_min_bitlen() precisely. Before, the 558 minimum size was rounded down to the nearest multiple of 8. 559 * In library/net_sockets.c, _POSIX_C_SOURCE and _XOPEN_SOURCE are 560 defined to specific values. If the code is used in a context 561 where these are already defined, this can result in a compilation 562 error. Instead, assume that if they are defined, the values will 563 be adequate to build Mbed TLS. 564 * The cipher suite TLS-RSA-WITH-CAMELLIA-256-GCM-SHA384 was not available 565 when SHA-1 was disabled and was offered when SHA-1 was enabled but SHA-384 566 was disabled. Fix the dependency. Fixes #4472. 567 * Do not offer SHA384 cipher suites when SHA-384 is disabled. Fixes #4499. 568 * With MBEDTLS_PSA_CRYPTO_C disabled, some functions were getting built 569 nonetheless, resulting in undefined reference errors when building a 570 shared library. Reported by Guillermo Garcia M. in #4411. 571 * Fix test suite code on platforms where int32_t is not int, such as 572 Arm Cortex-M. Fixes #4530. 573 * Fix some issues affecting MBEDTLS_ARIA_ALT implementations: a misplaced 574 directive in a header and a missing initialization in the self-test. 575 * Fix a missing initialization in the Camellia self-test, affecting 576 MBEDTLS_CAMELLIA_ALT implementations. 577 * Restore the ability to configure PSA via Mbed TLS options to support RSA 578 key pair operations but exclude RSA key generation. When MBEDTLS_GENPRIME 579 is not defined PSA will no longer attempt to use mbedtls_rsa_gen_key(). 580 Fixes #4512. 581 * Fix a regression introduced in 2.24.0 which broke (D)TLS CBC ciphersuites 582 (when the encrypt-then-MAC extension is not in use) with some ALT 583 implementations of the underlying hash (SHA-1, SHA-256, SHA-384), causing 584 the affected side to wrongly reject valid messages. Fixes #4118. 585 * Remove outdated check-config.h check that prevented implementing the 586 timing module on Mbed OS. Fixes #4633. 587 * Fix PSA_ALG_TLS12_PRF and PSA_ALG_TLS12_PSK_TO_MS being too permissive 588 about missing inputs. 589 * Fix mbedtls_net_poll() and mbedtls_net_recv_timeout() often failing with 590 MBEDTLS_ERR_NET_POLL_FAILED on Windows. Fixes #4465. 591 * Fix a resource leak in a test suite with an alternative AES 592 implementation. Fixes #4176. 593 * Fix a crash in mbedtls_mpi_debug_mpi on a bignum having 0 limbs. This 594 could notably be triggered by setting the TLS debug level to 3 or above 595 and using a Montgomery curve for the key exchange. Reported by lhuang04 596 in #4578. Fixes #4608. 597 * psa_verify_hash() was relying on implementation-specific behavior of 598 mbedtls_rsa_rsassa_pss_verify() and was causing failures in some _ALT 599 implementations. This reliance is now removed. Fixes #3990. 600 * Disallow inputs of length different from the corresponding hash when 601 signing or verifying with PSA_ALG_RSA_PSS (The PSA Crypto API mandates 602 that PSA_ALG_RSA_PSS uses the same hash throughout the algorithm.) 603 * Fix a null pointer dereference when mbedtls_mpi_exp_mod() was called with 604 A=0 represented with 0 limbs. Up to and including Mbed TLS 2.26, this bug 605 could not be triggered by code that constructed A with one of the 606 mbedtls_mpi_read_xxx functions (including in particular TLS code) since 607 those always built an mpi object with at least one limb. 608 Credit to OSS-Fuzz. Fixes #4641. 609 * Fix mbedtls_mpi_gcd(G,A,B) when the value of B is zero. This had no 610 effect on Mbed TLS's internal use of mbedtls_mpi_gcd(), but may affect 611 applications that call mbedtls_mpi_gcd() directly. Fixes #4642. 612 * The PSA API no longer allows the creation or destruction of keys with a 613 read-only lifetime. The persistence level PSA_KEY_PERSISTENCE_READ_ONLY 614 can now only be used as intended, for keys that cannot be modified through 615 normal use of the API. 616 * When MBEDTLS_PSA_CRYPTO_SPM is enabled, crypto_spe.h was not included 617 in all the right places. Include it from crypto_platform.h, which is 618 the natural place. Fixes #4649. 619 * mbedtls_pk_sign() and mbedtls_pk_verify() and their extended and 620 restartable variants now always honor the specified hash length if 621 nonzero. Before, for RSA, hash_len was ignored in favor of the length of 622 the specified hash algorithm. 623 * Fix which alert is sent in some cases to conform to the 624 applicable RFC: on an invalid Finished message value, an 625 invalid max_fragment_length extension, or an 626 unsupported extension used by the server. 627 * Correct (change from 12 to 13 bytes) the value of the macro describing the 628 maximum nonce length returned by psa_aead_generate_nonce(). 629 630Changes 631 * Add extra printf compiler warning flags to builds. 632 * Fix memsan build false positive in x509_crt.c with Clang 11 633 * Fix the setting of the read timeout in the DTLS sample programs. 634 * Remove the AES sample application programs/aes/aescrypt2 which shows 635 bad cryptographic practice. Fix #1906. 636 * Alternative implementations of CMAC may now opt to not support 3DES as a 637 CMAC block cipher, and still pass the CMAC self test. 638 * Remove configs/config-psa-crypto.h, which was identical to the default 639 configuration except for having some extra cryptographic mechanisms 640 enabled and for unintended differences. This configuration was primarily 641 intended to demonstrate the PSA API, and lost most of its usefulness when 642 MBEDTLS_PSA_CRYPTO_C became enabled by default. 643 * When building the test suites with GNU make, invoke python3 or python, not 644 python2, which is no longer supported upstream. 645 * When using session cache based session resumption on the server, 646 double-check that custom session cache implementations return 647 sessions which are consistent with the negotiated ciphersuite 648 and compression method. 649 * Fix build failure on MinGW toolchain when __USE_MING_ANSI_STDIO is on. 650 When that flag is on, standard GNU C printf format specifiers 651 should be used. 652 * Reduce the default value of MBEDTLS_ECP_WINDOW_SIZE. This reduces RAM usage 653 during ECC operations at a negligible performance cost. 654 * mbedtls_mpi_read_binary(), mbedtls_mpi_read_binary_le() and 655 mbedtls_mpi_read_string() now construct an mbedtls_mpi object with 0 limbs 656 when their input has length 0. Note that this is an implementation detail 657 and can change at any time, so this change should be transparent, but it 658 may result in mbedtls_mpi_write_binary() or mbedtls_mpi_write_string() 659 now writing an empty string where it previously wrote one or more 660 zero digits when operating from values constructed with an mpi_read 661 function and some mpi operations. 662 * Implicitly add PSA_KEY_USAGE_SIGN_MESSAGE key usage policy flag when 663 PSA_KEY_USAGE_SIGN_HASH flag is set and PSA_KEY_USAGE_VERIFY_MESSAGE flag 664 when PSA_KEY_USAGE_VERIFY_HASH flag is set. This usage flag extension 665 is also applied when loading a key from storage. 666 667= mbed TLS 2.26.0 branch released 2021-03-08 668 669API changes 670 * Renamed the PSA Crypto API output buffer size macros to bring them in line 671 with version 1.0.0 of the specification. 672 * The API glue function mbedtls_ecc_group_of_psa() now takes the curve size 673 in bits rather than bytes, with an additional flag to indicate if the 674 size may have been rounded up to a whole number of bytes. 675 * Renamed the PSA Crypto API AEAD tag length macros to bring them in line 676 with version 1.0.0 of the specification. 677 678Default behavior changes 679 * In mbedtls_rsa_context objects, the ver field was formerly documented 680 as always 0. It is now reserved for internal purposes and may take 681 different values. 682 683New deprecations 684 * PSA_KEY_EXPORT_MAX_SIZE, PSA_HASH_SIZE, PSA_MAC_FINAL_SIZE, 685 PSA_BLOCK_CIPHER_BLOCK_SIZE, PSA_MAX_BLOCK_CIPHER_BLOCK_SIZE and 686 PSA_ALG_TLS12_PSK_TO_MS_MAX_PSK_LEN have been renamed, and the old names 687 deprecated. 688 * PSA_ALG_AEAD_WITH_DEFAULT_TAG_LENGTH and PSA_ALG_AEAD_WITH_TAG_LENGTH 689 have been renamed, and the old names deprecated. 690 691Features 692 * The PSA crypto subsystem can now use HMAC_DRBG instead of CTR_DRBG. 693 CTR_DRBG is used by default if it is available, but you can override 694 this choice by setting MBEDTLS_PSA_HMAC_DRBG_MD_TYPE at compile time. 695 Fix #3354. 696 * Automatic fallback to a software implementation of ECP when 697 MBEDTLS_ECP_xxx_ALT accelerator hooks are in use can now be turned off 698 through setting the new configuration flag MBEDTLS_ECP_NO_FALLBACK. 699 * The PSA crypto subsystem can now be configured to use less static RAM by 700 tweaking the setting for the maximum amount of keys simultaneously in RAM. 701 MBEDTLS_PSA_KEY_SLOT_COUNT sets the maximum number of volatile keys that 702 can exist simultaneously. It has a sensible default if not overridden. 703 * Partial implementation of the PSA crypto driver interface: Mbed TLS can 704 now use an external random generator instead of the library's own 705 entropy collection and DRBG code. Enable MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG 706 and see the documentation of mbedtls_psa_external_get_random() for details. 707 * Applications using both mbedtls_xxx and psa_xxx functions (for example, 708 applications using TLS and MBEDTLS_USE_PSA_CRYPTO) can now use the PSA 709 random generator with mbedtls_xxx functions. See the documentation of 710 mbedtls_psa_get_random() for details. 711 * In the PSA API, the policy for a MAC or AEAD algorithm can specify a 712 minimum MAC or tag length thanks to the new wildcards 713 PSA_ALG_AT_LEAST_THIS_LENGTH_MAC and 714 PSA_ALG_AEAD_WITH_AT_LEAST_THIS_LENGTH_TAG. 715 716Security 717 * Fix a security reduction in CTR_DRBG when the initial seeding obtained a 718 nonce from entropy. Applications were affected if they called 719 mbedtls_ctr_drbg_set_nonce_len(), if they called 720 mbedtls_ctr_drbg_set_entropy_len() with a size that was 3/2 times the key 721 length, or when the entropy module uses SHA-256 and CTR_DRBG uses AES-256. 722 In such cases, a random nonce was necessary to achieve the advertised 723 security strength, but the code incorrectly used a constant instead of 724 entropy from the nonce. 725 Found by John Stroebel in #3819 and fixed in #3973. 726 * Fix a buffer overflow in mbedtls_mpi_sub_abs() when calculating 727 |A| - |B| where |B| is larger than |A| and has more limbs (so the 728 function should return MBEDTLS_ERR_MPI_NEGATIVE_VALUE). Only 729 applications calling mbedtls_mpi_sub_abs() directly are affected: 730 all calls inside the library were safe since this function is 731 only called with |A| >= |B|. Reported by Guido Vranken in #4042. 732 * Fix an errorneous estimation for an internal buffer in 733 mbedtls_pk_write_key_pem(). If MBEDTLS_MPI_MAX_SIZE is set to an odd 734 value the function might fail to write a private RSA keys of the largest 735 supported size. 736 Found by Daniel Otte, reported in #4093 and fixed in #4094. 737 * Fix a stack buffer overflow with mbedtls_net_poll() and 738 mbedtls_net_recv_timeout() when given a file descriptor that is 739 beyond FD_SETSIZE. Reported by FigBug in #4169. 740 * Guard against strong local side channel attack against base64 tables by 741 making access aceess to them use constant flow code. 742 743Bugfix 744 * Fix use-after-scope error in programs/ssl/ssl_client2.c and ssl_server2.c 745 * Fix memory leak that occured when calling psa_close_key() on a 746 wrapped key with MBEDTLS_PSA_CRYPTO_SE_C defined. 747 * Fix an incorrect error code if an RSA private operation glitched. 748 * Fix a memory leak in an error case in psa_generate_derived_key_internal(). 749 * Fix a resource leak in CTR_DRBG and HMAC_DRBG when MBEDTLS_THREADING_C 750 is enabled, on platforms where initializing a mutex allocates resources. 751 This was a regression introduced in the previous release. Reported in 752 #4017, #4045 and #4071. 753 * Ensure that calling mbedtls_rsa_free() or mbedtls_entropy_free() 754 twice is safe. This happens for RSA when some Mbed TLS library functions 755 fail. Such a double-free was not safe when MBEDTLS_THREADING_C was 756 enabled on platforms where freeing a mutex twice is not safe. 757 * Fix a resource leak in a bad-arguments case of mbedtls_rsa_gen_key() 758 when MBEDTLS_THREADING_C is enabled on platforms where initializing 759 a mutex allocates resources. 760 * Fixes a bug where, if the library was configured to include support for 761 both the old SE interface and the new PSA driver interface, external keys were 762 not loaded from storage. This was fixed by #3996. 763 * This change makes 'mbedtls_x509write_crt_set_basic_constraints' 764 consistent with RFC 5280 4.2.1.9 which says: "Conforming CAs MUST 765 include this extension in all CA certificates that contain public keys 766 used to validate digital signatures on certificates and MUST mark the 767 extension as critical in such certificates." Previous to this change, 768 the extension was always marked as non-critical. This was fixed by 769 #3698. 770 771Changes 772 * A new library C file psa_crypto_client.c has been created to contain 773 the PSA code needed by a PSA crypto client when the PSA crypto 774 implementation is not included into the library. 775 * On recent enough versions of FreeBSD and DragonFlyBSD, the entropy module 776 now uses the getrandom syscall instead of reading from /dev/urandom. 777 778= mbed TLS 2.25.0 branch released 2020-12-11 779 780API changes 781 * The numerical values of the PSA Crypto API macros have been updated to 782 conform to version 1.0.0 of the specification. 783 * PSA_ALG_STREAM_CIPHER replaces PSA_ALG_CHACHA20 and PSA_ALG_ARC4. 784 The underlying stream cipher is determined by the key type 785 (PSA_KEY_TYPE_CHACHA20 or PSA_KEY_TYPE_ARC4). 786 * The functions mbedtls_cipher_auth_encrypt() and 787 mbedtls_cipher_auth_decrypt() no longer accept NIST_KW contexts, 788 as they have no way to check if the output buffer is large enough. 789 Please use mbedtls_cipher_auth_encrypt_ext() and 790 mbedtls_cipher_auth_decrypt_ext() instead. Credit to OSS-Fuzz and 791 Cryptofuzz. Fixes #3665. 792 793Requirement changes 794 * Update the minimum required CMake version to 2.8.12. This silences a 795 warning on CMake 3.19.0. #3801 796 797New deprecations 798 * PSA_ALG_CHACHA20 and PSA_ALG_ARC4 have been deprecated. 799 Use PSA_ALG_STREAM_CIPHER instead. 800 * The functions mbedtls_cipher_auth_encrypt() and 801 mbedtls_cipher_auth_decrypt() are deprecated in favour of the new 802 functions mbedtls_cipher_auth_encrypt_ext() and 803 mbedtls_cipher_auth_decrypt_ext(). Please note that with AEAD ciphers, 804 these new functions always append the tag to the ciphertext, and include 805 the tag in the ciphertext length. 806 807Features 808 * Partial implementation of the new PSA Crypto accelerator APIs. (Symmetric 809 ciphers, asymmetric signing/verification and key generation, validate_key 810 entry point, and export_public_key interface.) 811 * Add support for ECB to the PSA cipher API. 812 * In PSA, allow using a key declared with a base key agreement algorithm 813 in combined key agreement and derivation operations, as long as the key 814 agreement algorithm in use matches the algorithm the key was declared with. 815 This is currently non-standard behaviour, but expected to make it into a 816 future revision of the PSA Crypto standard. 817 * Add MBEDTLS_TARGET_PREFIX CMake variable, which is prefixed to the mbedtls, 818 mbedcrypto, mbedx509 and apidoc CMake target names. This can be used by 819 external CMake projects that include this one to avoid CMake target name 820 clashes. The default value of this variable is "", so default target names 821 are unchanged. 822 * Add support for DTLS-SRTP as defined in RFC 5764. Contributed by Johan 823 Pascal, improved by Ron Eldor. 824 * In the PSA API, it is no longer necessary to open persistent keys: 825 operations now accept the key identifier. The type psa_key_handle_t is now 826 identical to psa_key_id_t instead of being platform-defined. This bridges 827 the last major gap to compliance with the PSA Cryptography specification 828 version 1.0.0. Opening persistent keys is still supported for backward 829 compatibility, but will be deprecated and later removed in future 830 releases. 831 * PSA_AEAD_NONCE_LENGTH, PSA_AEAD_NONCE_MAX_SIZE, PSA_CIPHER_IV_LENGTH and 832 PSA_CIPHER_IV_MAX_SIZE macros have been added as defined in version 833 1.0.0 of the PSA Crypto API specification. 834 835Security 836 * The functions mbedtls_cipher_auth_encrypt() and 837 mbedtls_cipher_auth_decrypt() would write past the minimum documented 838 size of the output buffer when used with NIST_KW. As a result, code using 839 those functions as documented with NIST_KW could have a buffer overwrite 840 of up to 15 bytes, with consequences ranging up to arbitrary code 841 execution depending on the location of the output buffer. 842 * Limit the size of calculations performed by mbedtls_mpi_exp_mod to 843 MBEDTLS_MPI_MAX_SIZE to prevent a potential denial of service when 844 generating Diffie-Hellman key pairs. Credit to OSS-Fuzz. 845 * A failure of the random generator was ignored in mbedtls_mpi_fill_random(), 846 which is how most uses of randomization in asymmetric cryptography 847 (including key generation, intermediate value randomization and blinding) 848 are implemented. This could cause failures or the silent use of non-random 849 values. A random generator can fail if it needs reseeding and cannot not 850 obtain entropy, or due to an internal failure (which, for Mbed TLS's own 851 CTR_DRBG or HMAC_DRBG, can only happen due to a misconfiguration). 852 * Fix a compliance issue whereby we were not checking the tag on the 853 algorithm parameters (only the size) when comparing the signature in the 854 description part of the cert to the real signature. This meant that a 855 NULL algorithm parameters entry would look identical to an array of REAL 856 (size zero) to the library and thus the certificate would be considered 857 valid. However, if the parameters do not match in *any* way then the 858 certificate should be considered invalid, and indeed OpenSSL marks these 859 certs as invalid when mbedtls did not. 860 Many thanks to guidovranken who found this issue via differential fuzzing 861 and reported it in #3629. 862 * Zeroising of local buffers and variables which are used for calculations 863 in mbedtls_pkcs5_pbkdf2_hmac(), mbedtls_internal_sha*_process(), 864 mbedtls_internal_md*_process() and mbedtls_internal_ripemd160_process() 865 functions to erase sensitive data from memory. Reported by 866 Johan Malmgren and Johan Uppman Bruce from Sectra. 867 868Bugfix 869 * Fix an invalid (but non-zero) return code from mbedtls_pk_parse_subpubkey() 870 when the input has trailing garbage. Fixes #2512. 871 * Fix build failure in configurations where MBEDTLS_USE_PSA_CRYPTO is 872 enabled but ECDSA is disabled. Contributed by jdurkop. Fixes #3294. 873 * Include the psa_constant_names generated source code in the source tree 874 instead of generating it at build time. Fixes #3524. 875 * Fix rsa_prepare_blinding() to retry when the blinding value is not 876 invertible (mod N), instead of returning MBEDTLS_ERR_RSA_RNG_FAILED. This 877 addresses a regression but is rare in practice (approx. 1 in 2/sqrt(N)). 878 Found by Synopsys Coverity, fix contributed by Peter Kolbus (Garmin). 879 Fixes #3647. 880 * Use socklen_t on Android and other POSIX-compliant system 881 * Fix the build when the macro _GNU_SOURCE is defined to a non-empty value. 882 Fix #3432. 883 * Consistently return PSA_ERROR_INVALID_ARGUMENT on invalid cipher input 884 sizes (instead of PSA_ERROR_BAD_STATE in some cases) to make the 885 psa_cipher_* functions compliant with the PSA Crypto API specification. 886 * mbedtls_ecp_curve_list() now lists Curve25519 and Curve448 under the names 887 "x25519" and "x448". These curves support ECDH but not ECDSA. If you need 888 only the curves that support ECDSA, filter the list with 889 mbedtls_ecdsa_can_do(). 890 * Fix psa_generate_key() returning an error when asked to generate 891 an ECC key pair on Curve25519 or secp244k1. 892 * Fix psa_key_derivation_output_key() to allow the output of a combined key 893 agreement and subsequent key derivation operation to be used as a key 894 inside of the PSA Crypto core. 895 * Fix handling of EOF against 0xff bytes and on platforms with unsigned 896 chars. Fixes a build failure on platforms where char is unsigned. Fixes 897 #3794. 898 * Fix an off-by-one error in the additional data length check for 899 CCM, which allowed encryption with a non-standard length field. 900 Fixes #3719. 901 * Correct the default IV size for mbedtls_cipher_info_t structures using 902 MBEDTLS_MODE_ECB to 0, since ECB mode ciphers don't use IVs. 903 * Make arc4random_buf available on NetBSD and OpenBSD when _POSIX_C_SOURCE is 904 defined. Fix contributed in #3571. 905 * Fix conditions for including string.h in error.c. Fixes #3866. 906 * psa_set_key_id() now also sets the lifetime to persistent for keys located 907 in a secure element. 908 * Attempting to create a volatile key with a non-zero key identifier now 909 fails. Previously the key identifier was just ignored when creating a 910 volatile key. 911 * Attempting to create or register a key with a key identifier in the vendor 912 range now fails. 913 * Fix build failures on GCC 11. Fixes #3782. 914 * Add missing arguments of debug message in mbedtls_ssl_decrypt_buf. 915 * Fix a memory leak in mbedtls_mpi_sub_abs() when the result was negative 916 (an error condition) and the second operand was aliased to the result. 917 * Fix a case in elliptic curve arithmetic where an out-of-memory condition 918 could go undetected, resulting in an incorrect result. 919 * In CTR_DRBG and HMAC_DRBG, don't reset the reseed interval in seed(). 920 Fixes #2927. 921 * In PEM writing functions, fill the trailing part of the buffer with null 922 bytes. This guarantees that the corresponding parsing function can read 923 the buffer back, which was the case for mbedtls_x509write_{crt,csr}_pem 924 until this property was inadvertently broken in Mbed TLS 2.19.0. 925 Fixes #3682. 926 * Fix a build failure that occurred with the MBEDTLS_AES_SETKEY_DEC_ALT 927 option on. In this configuration key management methods that are required 928 for MBEDTLS_CIPHER_MODE_XTS were excluded from the build and made it fail. 929 Fixes #3818. Reported by John Stroebel. 930 931Changes 932 * Reduce stack usage significantly during sliding window exponentiation. 933 Reported in #3591 and fix contributed in #3592 by Daniel Otte. 934 * The PSA persistent storage format is updated to always store the key bits 935 attribute. No automatic upgrade path is provided. Previously stored keys 936 must be erased, or manually upgraded based on the key storage format 937 specification (docs/architecture/mbed-crypto-storage-specification.md). 938 Fixes #3740. 939 * Remove the zeroization of a pointer variable in AES rounds. It was valid 940 but spurious and misleading since it looked like a mistaken attempt to 941 zeroize the pointed-to buffer. Reported by Antonio de la Piedra, CEA 942 Leti, France. 943 944= mbed TLS 2.24.0 branch released 2020-09-01 945 946API changes 947 * In the PSA API, rename the types of elliptic curve and Diffie-Hellman 948 group families to psa_ecc_family_t and psa_dh_family_t, in line with the 949 PSA Crypto API specification version 1.0.0. 950 Rename associated macros as well: 951 PSA_ECC_CURVE_xxx renamed to PSA_ECC_FAMILY_xxx 952 PSA_DH_GROUP_xxx renamed to PSA_DH_FAMILY_xxx 953 PSA_KEY_TYPE_GET_CURVE renamed to to PSA_KEY_TYPE_ECC_GET_FAMILY 954 PSA_KEY_TYPE_GET_GROUP renamed to PSA_KEY_TYPE_DH_GET_FAMILY 955 956Default behavior changes 957 * Stop storing persistent information about externally stored keys created 958 through PSA Crypto with a volatile lifetime. Reported in #3288 and 959 contributed by Steven Cooreman in #3382. 960 961Features 962 * The new function mbedtls_ecp_write_key() exports private ECC keys back to 963 a byte buffer. It is the inverse of the existing mbedtls_ecp_read_key(). 964 * Support building on e2k (Elbrus) architecture: correctly enable 965 -Wformat-signedness, and fix the code that causes signed-one-bit-field 966 and sign-compare warnings. Contributed by makise-homura (Igor Molchanov) 967 <akemi_homura@kurisa.ch>. 968 969Security 970 * Fix a vulnerability in the verification of X.509 certificates when 971 matching the expected common name (the cn argument of 972 mbedtls_x509_crt_verify()) with the actual certificate name: when the 973 subjecAltName extension is present, the expected name was compared to any 974 name in that extension regardless of its type. This means that an 975 attacker could for example impersonate a 4-bytes or 16-byte domain by 976 getting a certificate for the corresponding IPv4 or IPv6 (this would 977 require the attacker to control that IP address, though). Similar attacks 978 using other subjectAltName name types might be possible. Found and 979 reported by kFYatek in #3498. 980 * When checking X.509 CRLs, a certificate was only considered as revoked if 981 its revocationDate was in the past according to the local clock if 982 available. In particular, on builds without MBEDTLS_HAVE_TIME_DATE, 983 certificates were never considered as revoked. On builds with 984 MBEDTLS_HAVE_TIME_DATE, an attacker able to control the local clock (for 985 example, an untrusted OS attacking a secure enclave) could prevent 986 revocation of certificates via CRLs. Fixed by no longer checking the 987 revocationDate field, in accordance with RFC 5280. Reported by 988 yuemonangong in #3340. Reported independently and fixed by 989 Raoul Strackx and Jethro Beekman in #3433. 990 * In (D)TLS record decryption, when using a CBC ciphersuites without the 991 Encrypt-then-Mac extension, use constant code flow memory access patterns 992 to extract and check the MAC. This is an improvement to the existing 993 countermeasure against Lucky 13 attacks. The previous countermeasure was 994 effective against network-based attackers, but less so against local 995 attackers. The new countermeasure defends against local attackers, even 996 if they have access to fine-grained measurements. In particular, this 997 fixes a local Lucky 13 cache attack found and reported by Tuba Yavuz, 998 Farhaan Fowze, Ken (Yihan) Bai, Grant Hernandez, and Kevin Butler 999 (University of Florida) and Dave Tian (Purdue University). 1000 * Fix side channel in RSA private key operations and static (finite-field) 1001 Diffie-Hellman. An adversary with precise enough timing and memory access 1002 information (typically an untrusted operating system attacking a secure 1003 enclave) could bypass an existing counter-measure (base blinding) and 1004 potentially fully recover the private key. 1005 * Fix a 1-byte buffer overread in mbedtls_x509_crl_parse_der(). 1006 Credit to OSS-Fuzz for detecting the problem and to Philippe Antoine 1007 for pinpointing the problematic code. 1008 * Zeroising of plaintext buffers in mbedtls_ssl_read() to erase unused 1009 application data from memory. Reported in #689 by 1010 Johan Uppman Bruce of Sectra. 1011 1012Bugfix 1013 * Library files installed after a CMake build no longer have execute 1014 permission. 1015 * Use local labels in mbedtls_padlock_has_support() to fix an invalid symbol 1016 redefinition if the function is inlined. 1017 Reported in #3451 and fix contributed in #3452 by okhowang. 1018 * Fix the endianness of Curve25519 keys imported/exported through the PSA 1019 APIs. psa_import_key and psa_export_key will now correctly expect/output 1020 Montgomery keys in little-endian as defined by RFC7748. Contributed by 1021 Steven Cooreman in #3425. 1022 * Fix build errors when the only enabled elliptic curves are Montgomery 1023 curves. Raised by signpainter in #941 and by Taiki-San in #1412. This 1024 also fixes missing declarations reported by Steven Cooreman in #1147. 1025 * Fix self-test failure when the only enabled short Weierstrass elliptic 1026 curve is secp192k1. Fixes #2017. 1027 * PSA key import will now correctly import a Curve25519/Curve448 public key 1028 instead of erroring out. Contributed by Steven Cooreman in #3492. 1029 * Use arc4random_buf on NetBSD instead of rand implementation with cyclical 1030 lower bits. Fix contributed in #3540. 1031 * Fix a memory leak in mbedtls_md_setup() when using HMAC under low memory 1032 conditions. Reported and fix suggested by Guido Vranken in #3486. 1033 * Fix bug in redirection of unit test outputs on platforms where stdout is 1034 defined as a macro. First reported in #2311 and fix contributed in #3528. 1035 1036Changes 1037 * Only pass -Wformat-signedness to versions of GCC that support it. Reported 1038 in #3478 and fix contributed in #3479 by okhowang. 1039 * Reduce the stack consumption of mbedtls_x509write_csr_der() which 1040 previously could lead to stack overflow on constrained devices. 1041 Contributed by Doru Gucea and Simon Leet in #3464. 1042 * Undefine the ASSERT macro before defining it locally, in case it is defined 1043 in a platform header. Contributed by Abdelatif Guettouche in #3557. 1044 * Update copyright notices to use Linux Foundation guidance. As a result, 1045 the copyright of contributors other than Arm is now acknowledged, and the 1046 years of publishing are no longer tracked in the source files. This also 1047 eliminates the need for the lines declaring the files to be part of 1048 MbedTLS. Fixes #3457. 1049 * Add the command line parameter key_pwd to the ssl_client2 and ssl_server2 1050 example applications which allows to provide a password for the key file 1051 specified through the existing key_file argument. This allows the use of 1052 these applications with password-protected key files. Analogously but for 1053 ssl_server2 only, add the command line parameter key_pwd2 which allows to 1054 set a password for the key file provided through the existing key_file2 1055 argument. 1056 1057= mbed TLS 2.23.0 branch released 2020-07-01 1058 1059Default behavior changes 1060 * In the experimental PSA secure element interface, change the encoding of 1061 key lifetimes to encode a persistence level and the location. Although C 1062 prototypes do not effectively change, code calling 1063 psa_register_se_driver() must be modified to pass the driver's location 1064 instead of the keys' lifetime. If the library is upgraded on an existing 1065 device, keys created with the old lifetime value will not be readable or 1066 removable through Mbed TLS after the upgrade. 1067 1068Features 1069 * New functions in the error module return constant strings for 1070 high- and low-level error codes, complementing mbedtls_strerror() 1071 which constructs a string for any error code, including compound 1072 ones, but requires a writable buffer. Contributed by Gaurav Aggarwal 1073 in #3176. 1074 * The new utility programs/ssl/ssl_context_info prints a human-readable 1075 dump of an SSL context saved with mbedtls_ssl_context_save(). 1076 * Add support for midipix, a POSIX layer for Microsoft Windows. 1077 * Add new mbedtls_x509_crt_parse_der_with_ext_cb() routine which allows 1078 parsing unsupported certificate extensions via user provided callback. 1079 Contributed by Nicola Di Lieto <nicola.dilieto@gmail.com> in #3243 as 1080 a solution to #3241. 1081 * Pass the "certificate policies" extension to the callback supplied to 1082 mbedtls_x509_crt_parse_der_with_ext_cb() if it contains unsupported 1083 policies (#3419). 1084 * Added support to entropy_poll for the kern.arandom syscall supported on 1085 some BSD systems. Contributed by Nia Alarie in #3423. 1086 * Add support for Windows 2000 in net_sockets. Contributed by opatomic. #3239 1087 1088Security 1089 * Fix a side channel vulnerability in modular exponentiation that could 1090 reveal an RSA private key used in a secure enclave. Noticed by Sangho Lee, 1091 Ming-Wei Shih, Prasun Gera, Taesoo Kim and Hyesoon Kim (Georgia Institute 1092 of Technology); and Marcus Peinado (Microsoft Research). Reported by Raoul 1093 Strackx (Fortanix) in #3394. 1094 * Fix side channel in mbedtls_ecp_check_pub_priv() and 1095 mbedtls_pk_parse_key() / mbedtls_pk_parse_keyfile() (when loading a 1096 private key that didn't include the uncompressed public key), as well as 1097 mbedtls_ecp_mul() / mbedtls_ecp_mul_restartable() when called with a NULL 1098 f_rng argument. An attacker with access to precise enough timing and 1099 memory access information (typically an untrusted operating system 1100 attacking a secure enclave) could fully recover the ECC private key. 1101 Found and reported by Alejandro Cabrera Aldaya and Billy Brumley. 1102 * Fix issue in Lucky 13 counter-measure that could make it ineffective when 1103 hardware accelerators were used (using one of the MBEDTLS_SHAxxx_ALT 1104 macros). This would cause the original Lucky 13 attack to be possible in 1105 those configurations, allowing an active network attacker to recover 1106 plaintext after repeated timing measurements under some conditions. 1107 Reported and fix suggested by Luc Perneel in #3246. 1108 1109Bugfix 1110 * Fix the Visual Studio Release x64 build configuration for mbedtls itself. 1111 Completes a previous fix in Mbed TLS 2.19 that only fixed the build for 1112 the example programs. Reported in #1430 and fix contributed by irwir. 1113 * Fix undefined behavior in X.509 certificate parsing if the 1114 pathLenConstraint basic constraint value is equal to INT_MAX. 1115 The actual effect with almost every compiler is the intended 1116 behavior, so this is unlikely to be exploitable anywhere. #3192 1117 * Fix issue with a detected HW accelerated record error not being exposed 1118 due to shadowed variable. Contributed by Sander Visser in #3310. 1119 * Avoid NULL pointer dereferencing if mbedtls_ssl_free() is called with a 1120 NULL pointer argument. Contributed by Sander Visser in #3312. 1121 * Fix potential linker errors on dual world platforms by inlining 1122 mbedtls_gcc_group_to_psa(). This allows the pk.c module to link separately 1123 from psa_crypto.c. Fixes #3300. 1124 * Remove dead code in X.509 certificate parsing. Contributed by irwir in 1125 #2855. 1126 * Include asn1.h in error.c. Fixes #3328 reported by David Hu. 1127 * Fix potential memory leaks in ecp_randomize_jac() and ecp_randomize_mxz() 1128 when PRNG function fails. Contributed by Jonas Lejeune in #3318. 1129 * Remove unused macros from MSVC projects. Reported in #3297 and fix 1130 submitted in #3333 by irwir. 1131 * Add additional bounds checks in ssl_write_client_hello() preventing 1132 output buffer overflow if the configuration declared a buffer that was 1133 too small. 1134 * Set _POSIX_C_SOURCE to at least 200112L in C99 code. Reported in #3420 and 1135 fix submitted in #3421 by Nia Alarie. 1136 * Fix building library/net_sockets.c and the ssl_mail_client program on 1137 NetBSD. Contributed by Nia Alarie in #3422. 1138 * Fix false positive uninitialised variable reported by cpp-check. 1139 Contributed by Sander Visser in #3311. 1140 * Update iv and len context pointers manually when reallocating buffers 1141 using the MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH feature. This caused issues 1142 when receiving a connection with CID, when these fields were shifted 1143 in ssl_parse_record_header(). 1144 1145Changes 1146 * Fix warnings about signedness issues in format strings. The build is now 1147 clean of -Wformat-signedness warnings. Contributed by Kenneth Soerensen 1148 in #3153. 1149 * Fix minor performance issue in operations on Curve25519 caused by using a 1150 suboptimal modular reduction in one place. Found and fix contributed by 1151 Aurelien Jarno in #3209. 1152 * Combine identical cases in switch statements in md.c. Contributed 1153 by irwir in #3208. 1154 * Simplify a bounds check in ssl_write_certificate_request(). Contributed 1155 by irwir in #3150. 1156 * Unify the example programs termination to call mbedtls_exit() instead of 1157 using a return command. This has been done to enable customization of the 1158 behavior in bare metal environments. 1159 * Fix mbedtls_x509_dn_gets to escape non-ASCII characters as "?". 1160 Contributed by Koh M. Nakagawa in #3326. 1161 * Use FindPython3 when cmake version >= 3.15.0 1162 * Abort the ClientHello writing function as soon as some extension doesn't 1163 fit into the record buffer. Previously, such extensions were silently 1164 dropped. As a consequence, the TLS handshake now fails when the output 1165 buffer is not large enough to hold the ClientHello. 1166 * The unit tests now rely on header files in tests/include/test and source 1167 files in tests/src. When building with make or cmake, the files in 1168 tests/src are compiled and the resulting object linked into each test 1169 executable. 1170 * The ECP module, enabled by `MBEDTLS_ECP_C`, now depends on 1171 `MBEDTLS_CTR_DRBG_C` or `MBEDTLS_HMAC_DRBG_C` for some side-channel 1172 coutermeasures. If side channels are not a concern, this dependency can 1173 be avoided by enabling the new option `MBEDTLS_ECP_NO_INTERNAL_RNG`. 1174 * Align MSVC error flag with GCC and Clang. Contributed by Carlos Gomes 1175 Martinho. #3147 1176 * Remove superfluous assignment in mbedtls_ssl_parse_certificate(). Reported 1177 in #3182 and fix submitted by irwir. #3217 1178 * Fix typo in XTS tests. Reported and fix submitted by Kxuan. #3319 1179 1180= mbed TLS 2.22.0 branch released 2020-04-14 1181 1182New deprecations 1183 * Deprecate MBEDTLS_SSL_HW_RECORD_ACCEL that enables function hooks in the 1184 SSL module for hardware acceleration of individual records. 1185 * Deprecate mbedtls_ssl_get_max_frag_len() in favour of 1186 mbedtls_ssl_get_output_max_frag_len() and 1187 mbedtls_ssl_get_input_max_frag_len() to be more precise about which max 1188 fragment length is desired. 1189 1190Security 1191 * Fix issue in DTLS handling of new associations with the same parameters 1192 (RFC 6347 section 4.2.8): an attacker able to send forged UDP packets to 1193 the server could cause it to drop established associations with 1194 legitimate clients, resulting in a Denial of Service. This could only 1195 happen when MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE was enabled in config.h 1196 (which it is by default). 1197 * Fix side channel in ECC code that allowed an adversary with access to 1198 precise enough timing and memory access information (typically an 1199 untrusted operating system attacking a secure enclave) to fully recover 1200 an ECDSA private key. Found and reported by Alejandro Cabrera Aldaya, 1201 Billy Brumley and Cesar Pereida Garcia. CVE-2020-10932 1202 * Fix a potentially remotely exploitable buffer overread in a 1203 DTLS client when parsing the Hello Verify Request message. 1204 1205Features 1206 * The new build option MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH automatically 1207 resizes the I/O buffers before and after handshakes, reducing the memory 1208 consumption during application data transfer. 1209 1210Bugfix 1211 * Fix compilation failure when both MBEDTLS_SSL_PROTO_DTLS and 1212 MBEDTLS_SSL_HW_RECORD_ACCEL are enabled. 1213 * Remove a spurious check in ssl_parse_client_psk_identity that triggered 1214 a warning with some compilers. Fix contributed by irwir in #2856. 1215 * Fix a function name in a debug message. Contributed by Ercan Ozturk in 1216 #3013. 1217 1218Changes 1219 * Mbed Crypto is no longer a Git submodule. The crypto part of the library 1220 is back directly in the present repository. 1221 * Split mbedtls_ssl_get_max_frag_len() into 1222 mbedtls_ssl_get_output_max_frag_len() and 1223 mbedtls_ssl_get_input_max_frag_len() to ensure that a sufficient input 1224 buffer is allocated by the server (if MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH 1225 is defined), regardless of what MFL was configured for it. 1226 1227= mbed TLS 2.21.0 branch released 2020-02-20 1228 1229New deprecations 1230 * Deprecate MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO that enables parsing 1231 SSLv2 ClientHello messages. 1232 * Deprecate MBEDTLS_SSL_PROTO_SSL3 that enables support for SSLv3. 1233 * Deprecate for MBEDTLS_PKCS11_C, the wrapper around the pkcs11-helper 1234 library which allows TLS authentication to use keys stored in a 1235 PKCS#11 token such as a smartcard. 1236 1237Security 1238 * Fix potential memory overread when performing an ECDSA signature 1239 operation. The overread only happens with cryptographically low 1240 probability (of the order of 2^-n where n is the bitsize of the curve) 1241 unless the RNG is broken, and could result in information disclosure or 1242 denial of service (application crash or extra resource consumption). 1243 Found by Auke Zeilstra and Peter Schwabe, using static analysis. 1244 * To avoid a side channel vulnerability when parsing an RSA private key, 1245 read all the CRT parameters from the DER structure rather than 1246 reconstructing them. Found by Alejandro Cabrera Aldaya and Billy Bob 1247 Brumley. Reported and fix contributed by Jack Lloyd. 1248 ARMmbed/mbed-crypto#352 1249 1250Features 1251 * The new build option MBEDTLS_SHA512_NO_SHA384 allows building SHA-512 1252 support without SHA-384. 1253 1254API changes 1255 * Change the encoding of key types and curves in the PSA API. The new 1256 values are aligned with the upcoming release of the PSA Crypto API 1257 specification version 1.0.0. The main change which may break some 1258 existing code is that elliptic curve key types no longer encode the 1259 exact curve: a psa_ecc_curve_t or psa_key_type_t value only encodes 1260 a curve family and the key size determines the exact curve (for example, 1261 PSA_ECC_CURVE_SECP_R1 with 256 bits is P256R1). ARMmbed/mbed-crypto#330 1262 1263Bugfix 1264 * Fix an unchecked call to mbedtls_md() in the x509write module. 1265 * Fix build failure with MBEDTLS_ZLIB_SUPPORT enabled. Reported by 1266 Jack Lloyd in #2859. Fix submitted by jiblime in #2963. 1267 * Fix some false-positive uninitialized variable warnings in X.509. Fix 1268 contributed by apple-ihack-geek in #2663. 1269 * Fix a possible error code mangling in psa_mac_verify_finish() when 1270 a cryptographic accelerator fails. ARMmbed/mbed-crypto#345 1271 * Fix a bug in mbedtls_pk_parse_key() that would cause it to accept some 1272 RSA keys that would later be rejected by functions expecting private 1273 keys. Found by Catena cyber using oss-fuzz (issue 20467). 1274 * Fix a bug in mbedtls_pk_parse_key() that would cause it to 1275 accept some RSA keys with invalid values by silently fixing those values. 1276 1277= mbed TLS 2.20.0 branch released 2020-01-15 1278 1279Default behavior changes 1280 * The initial seeding of a CTR_DRBG instance makes a second call to the 1281 entropy function to obtain entropy for a nonce if the entropy size is less 1282 than 3/2 times the key size. In case you want to disable the extra call to 1283 grab entropy, you can call mbedtls_ctr_drbg_set_nonce_len() to force the 1284 nonce length to 0. 1285 1286Security 1287 * Enforce that mbedtls_entropy_func() gathers a total of 1288 MBEDTLS_ENTROPY_BLOCK_SIZE bytes or more from strong sources. In the 1289 default configuration, on a platform with a single entropy source, the 1290 entropy module formerly only grabbed 32 bytes, which is good enough for 1291 security if the source is genuinely strong, but less than the expected 64 1292 bytes (size of the entropy accumulator). 1293 * Zeroize local variables in mbedtls_internal_aes_encrypt() and 1294 mbedtls_internal_aes_decrypt() before exiting the function. The value of 1295 these variables can be used to recover the last round key. To follow best 1296 practice and to limit the impact of buffer overread vulnerabilities (like 1297 Heartbleed) we need to zeroize them before exiting the function. 1298 Issue reported by Tuba Yavuz, Farhaan Fowze, Ken (Yihang) Bai, 1299 Grant Hernandez, and Kevin Butler (University of Florida) and 1300 Dave Tian (Purdue University). 1301 * Fix side channel vulnerability in ECDSA. Our bignum implementation is not 1302 constant time/constant trace, so side channel attacks can retrieve the 1303 blinded value, factor it (as it is smaller than RSA keys and not guaranteed 1304 to have only large prime factors), and then, by brute force, recover the 1305 key. Reported by Alejandro Cabrera Aldaya and Billy Brumley. 1306 * Fix side channel vulnerability in ECDSA key generation. Obtaining precise 1307 timings on the comparison in the key generation enabled the attacker to 1308 learn leading bits of the ephemeral key used during ECDSA signatures and to 1309 recover the private key. Reported by Jeremy Dubeuf. 1310 * Catch failure of AES functions in mbedtls_ctr_drbg_random(). Uncaught 1311 failures could happen with alternative implementations of AES. Bug 1312 reported and fix proposed by Johan Uppman Bruce and Christoffer Lauri, 1313 Sectra. 1314 1315Features 1316 * Key derivation inputs in the PSA API can now either come from a key object 1317 or from a buffer regardless of the step type. 1318 * The CTR_DRBG module can grab a nonce from the entropy source during the 1319 initial seeding. The default nonce length is chosen based on the key size 1320 to achieve the security strength defined by NIST SP 800-90A. You can 1321 change it with mbedtls_ctr_drbg_set_nonce_len(). 1322 * Add ENUMERATED tag support to the ASN.1 module. Contributed by 1323 msopiha-linaro in ARMmbed/mbed-crypto#307. 1324 1325API changes 1326 * In the PSA API, forbid zero-length keys. To pass a zero-length input to a 1327 key derivation function, use a buffer instead (this is now always 1328 possible). 1329 * Rename psa_asymmetric_sign() to psa_sign_hash() and 1330 psa_asymmetric_verify() to psa_verify_hash(). 1331 1332Bugfix 1333 * Fix an incorrect size in a debugging message. Reported and fix 1334 submitted by irwir. Fixes #2717. 1335 * Fix an unused variable warning when compiling without DTLS. 1336 Reported and fix submitted by irwir. Fixes #2800. 1337 * Remove a useless assignment. Reported and fix submitted by irwir. 1338 Fixes #2801. 1339 * Fix a buffer overflow in the PSA HMAC code when using a long key with an 1340 unsupported algorithm. Fixes ARMmbed/mbed-crypto#254. 1341 * Fix mbedtls_asn1_get_int to support any number of leading zeros. Credit 1342 to OSS-Fuzz for finding a bug in an intermediate version of the fix. 1343 * Fix mbedtls_asn1_get_bitstring_null to correctly parse bitstrings of at 1344 most 2 bytes. 1345 * mbedtls_ctr_drbg_set_entropy_len() and 1346 mbedtls_hmac_drbg_set_entropy_len() now work if you call them before 1347 mbedtls_ctr_drbg_seed() or mbedtls_hmac_drbg_seed(). 1348 1349Changes 1350 * Remove the technical possibility to define custom mbedtls_md_info 1351 structures, which was exposed only in an internal header. 1352 * psa_close_key(0) and psa_destroy_key(0) now succeed (doing nothing, as 1353 before). 1354 * Variables containing error codes are now initialized to an error code 1355 rather than success, so that coding mistakes or memory corruption tends to 1356 cause functions to return this error code rather than a success. There are 1357 no known instances where this changes the behavior of the library: this is 1358 merely a robustness improvement. ARMmbed/mbed-crypto#323 1359 * Remove a useless call to mbedtls_ecp_group_free(). Contributed by 1360 Alexander Krizhanovsky in ARMmbed/mbed-crypto#210. 1361 * Speed up PBKDF2 by caching the digest calculation. Contributed by Jack 1362 Lloyd and Fortanix Inc in ARMmbed/mbed-crypto#277. 1363 * Small performance improvement of mbedtls_mpi_div_mpi(). Contributed by 1364 Alexander Krizhanovsky in ARMmbed/mbed-crypto#308. 1365 1366= mbed TLS 2.19.1 branch released 2019-09-16 1367 1368Features 1369 * Declare include headers as PUBLIC to propagate to CMake project consumers 1370 Contributed by Zachary J. Fields in PR #2949. 1371 * Add nss_keylog to ssl_client2 and ssl_server2, enabling easier analysis of 1372 TLS sessions with tools like Wireshark. 1373 1374API Changes 1375 * Make client_random and server_random const in 1376 mbedtls_ssl_export_keys_ext_t, so that the key exporter is discouraged 1377 from modifying the client/server hello. 1378 1379Bugfix 1380 * Fix some false-positive uninitialized variable warnings in crypto. Fix 1381 contributed by apple-ihack-geek in #2663. 1382 1383= mbed TLS 2.19.0 branch released 2019-09-06 1384 1385Security 1386 * Fix a missing error detection in ECJPAKE. This could have caused a 1387 predictable shared secret if a hardware accelerator failed and the other 1388 side of the key exchange had a similar bug. 1389 * When writing a private EC key, use a constant size for the private 1390 value, as specified in RFC 5915. Previously, the value was written 1391 as an ASN.1 INTEGER, which caused the size of the key to leak 1392 about 1 bit of information on average and could cause the value to be 1393 1 byte too large for the output buffer. 1394 * The deterministic ECDSA calculation reused the scheme's HMAC-DRBG to 1395 implement blinding. Because of this for the same key and message the same 1396 blinding value was generated. This reduced the effectiveness of the 1397 countermeasure and leaked information about the private key through side 1398 channels. Reported by Jack Lloyd. 1399 1400Features 1401 * Add new API functions mbedtls_ssl_session_save() and 1402 mbedtls_ssl_session_load() to allow serializing a session, for example to 1403 store it in non-volatile storage, and later using it for TLS session 1404 resumption. 1405 * Add a new API function mbedtls_ssl_check_record() to allow checking that 1406 an incoming record is valid, authentic and has not been seen before. This 1407 feature can be used alongside Connection ID and SSL context serialisation. 1408 The feature is enabled at compile-time by MBEDTLS_SSL_RECORD_CHECKING 1409 option. 1410 * New implementation of X25519 (ECDH using Curve25519) from Project Everest 1411 (https://project-everest.github.io/). It can be enabled at compile time 1412 with MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED. This implementation is formally 1413 verified and significantly faster, but is only supported on x86 platforms 1414 (32-bit and 64-bit) using GCC, Clang or Visual Studio. Contributed by 1415 Christoph Wintersteiger from Microsoft Research. 1416 * Add mbedtls_net_close(), enabling the building of forking servers where 1417 the parent process closes the client socket and continue accepting, and 1418 the child process closes the listening socket and handles the client 1419 socket. Contributed by Robert Larsen in #2803. 1420 1421API Changes 1422 * Add DER-encoded test CRTs to library/certs.c, allowing 1423 the example programs ssl_server2 and ssl_client2 to be run 1424 if MBEDTLS_FS_IO and MBEDTLS_PEM_PARSE_C are unset. Fixes #2254. 1425 * The HAVEGE state type now uses uint32_t elements instead of int. 1426 * The functions mbedtls_ecp_curve_list() and mbedtls_ecp_grp_id_list() now 1427 list all curves for which at least one of ECDH or ECDSA is supported, not 1428 just curves for which both are supported. Call mbedtls_ecdsa_can_do() or 1429 mbedtls_ecdh_can_do() on each result to check whether each algorithm is 1430 supported. 1431 * The new function mbedtls_ecdsa_sign_det_ext() is similar to 1432 mbedtls_ecdsa_sign_det() but allows passing an external RNG for the 1433 purpose of blinding. 1434 1435New deprecations 1436 * Deprecate mbedtls_ecdsa_sign_det() in favor of a functions that can take an 1437 RNG function as an input. 1438 * Calling mbedtls_ecdsa_write_signature() with NULL as the f_rng argument 1439 is now deprecated. 1440 1441Bugfix 1442 * Fix missing bounds checks in X.509 parsing functions that could 1443 lead to successful parsing of ill-formed X.509 CRTs. Fixes #2437. 1444 * Fix multiple X.509 functions previously returning ASN.1 low-level error 1445 codes to always wrap these codes into X.509 high level error codes before 1446 returning. Fixes #2431. 1447 * Fix to allow building test suites with any warning that detects unused 1448 functions. Fixes #1628. 1449 * Fix typo in net_would_block(). Fixes #528 reported by github-monoculture. 1450 * Remove redundant include file in timing.c. Fixes #2640 reported by irwir. 1451 * Fix build failure when building with mingw on Windows by including 1452 stdarg.h where needed. Fixes #2656. 1453 * Fix Visual Studio Release x64 build configuration by inheriting 1454 PlatformToolset from the project configuration. Fixes #1430 reported by 1455 irwir. 1456 * Enable Suite B with subset of ECP curves. Make sure the code compiles even 1457 if some curves are not defined. Fixes #1591 reported by dbedev. 1458 * Fix misuse of signed arithmetic in the HAVEGE module. #2598 1459 * Avoid use of statically sized stack buffers for certificate writing. 1460 This previously limited the maximum size of DER encoded certificates 1461 in mbedtls_x509write_crt_der() to 2Kb. Reported by soccerGB in #2631. 1462 * Fix partial zeroing in x509_get_other_name. Found and fixed by ekse, #2716. 1463 * Update test certificates that were about to expire. Reported by 1464 Bernhard M. Wiedemann in #2357. 1465 * Fix the build on ARMv5TE in ARM mode to not use assembly instructions 1466 that are only available in Thumb mode. Fix contributed by Aurelien Jarno 1467 in #2169. 1468 * Fix propagation of restart contexts in restartable EC operations. 1469 This could previously lead to segmentation faults in builds using an 1470 address-sanitizer and enabling but not using MBEDTLS_ECP_RESTARTABLE. 1471 * Fix memory leak in in mpi_miller_rabin(). Contributed by 1472 Jens Wiklander <jens.wiklander@linaro.org> in #2363 1473 * Improve code clarity in x509_crt module, removing false-positive 1474 uninitialized variable warnings on some recent toolchains (GCC8, etc). 1475 Discovered and fixed by Andy Gross (Linaro), #2392. 1476 * Fix bug in endianness conversion in bignum module. This lead to 1477 functionally incorrect code on bigendian systems which don't have 1478 __BYTE_ORDER__ defined. Reported by Brendan Shanks. Fixes #2622. 1479 1480Changes 1481 * Replace multiple uses of MD2 by SHA-256 in X.509 test suite. Fixes #821. 1482 * Make it easier to define MBEDTLS_PARAM_FAILED as assert (which config.h 1483 suggests). #2671 1484 * Make `make clean` clean all programs always. Fixes #1862. 1485 * Add a Dockerfile and helper scripts (all-in-docker.sh, basic-in-docker.sh, 1486 docker-env.sh) to simplify running test suites on a Linux host. Contributed 1487 by Peter Kolbus (Garmin). 1488 * Add `reproducible` option to `ssl_client2` and `ssl_server2` to enable 1489 test runs without variability. Contributed by Philippe Antoine (Catena 1490 cyber) in #2681. 1491 * Extended .gitignore to ignore Visual Studio artifacts. Fixed by ConfusedSushi. 1492 * Adds fuzz targets, especially for continuous fuzzing with OSS-Fuzz. 1493 Contributed by Philippe Antoine (Catena cyber). 1494 * Remove the crypto part of the library from Mbed TLS. The crypto 1495 code and tests are now only available via Mbed Crypto, which 1496 Mbed TLS references as a Git submodule. 1497 1498= mbed TLS 2.18.1 branch released 2019-07-12 1499 1500Bugfix 1501 * Fix build failure when building with mingw on Windows by including 1502 stdarg.h where needed. Fixes #2656. 1503 1504Changes 1505 * Enable building of Mbed TLS as a CMake subproject. Suggested and fixed by 1506 Ashley Duncan in #2609. 1507 1508= mbed TLS 2.18.0 branch released 2019-06-11 1509 1510Features 1511 * Add the Any Policy certificate policy oid, as defined in 1512 rfc 5280 section 4.2.1.4. 1513 * It is now possible to use NIST key wrap mode via the mbedtls_cipher API. 1514 Contributed by Jack Lloyd and Fortanix Inc. 1515 * Add the Wi-SUN Field Area Network (FAN) device extended key usage. 1516 * Add the oid certificate policy x509 extension. 1517 * It is now possible to perform RSA PKCS v1.5 signatures with RIPEMD-160 digest. 1518 Contributed by Jack Lloyd and Fortanix Inc. 1519 * Extend the MBEDTLS_SSL_EXPORT_KEYS to export the handshake randbytes, 1520 and the used tls-prf. 1521 * Add public API for tls-prf function, according to requested enum. 1522 * Add support for parsing otherName entries in the Subject Alternative Name 1523 X.509 certificate extension, specifically type hardware module name, 1524 as defined in RFC 4108 section 5. 1525 * Add support for parsing certificate policies extension, as defined in 1526 RFC 5280 section 4.2.1.4. Currently, only the "Any Policy" policy is 1527 supported. 1528 * List all SAN types in the subject_alt_names field of the certificate. 1529 Resolves #459. 1530 * Add support for draft-05 of the Connection ID extension, as specified 1531 in https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05. 1532 The Connection ID extension allows to keep DTLS connections beyond the 1533 lifetime of the underlying transport by adding a connection identifier 1534 to the DTLS record header. This identifier can be used to associated an 1535 incoming record with the correct connection data even after the peer has 1536 changed its IP or port. The feature is enabled at compile-time by setting 1537 MBEDTLS_SSL_DTLS_CONNECTION_ID (disabled by default), and at run-time 1538 through the new APIs mbedtls_ssl_conf_cid() and mbedtls_ssl_set_cid(). 1539 1540 1541API Changes 1542 * Extend the MBEDTLS_SSL_EXPORT_KEYS to export the handshake randbytes, 1543 and the used tls-prf. 1544 * Add public API for tls-prf function, according to requested enum. 1545 1546Bugfix 1547 * Fix private key DER output in the key_app_writer example. File contents 1548 were shifted by one byte, creating an invalid ASN.1 tag. Fixed by 1549 Christian Walther in #2239. 1550 * Fix potential memory leak in X.509 self test. Found and fixed by 1551 Junhwan Park, #2106. 1552 * Reduce stack usage of hkdf tests. Fixes #2195. 1553 * Fix 1-byte buffer overflow in mbedtls_mpi_write_string() when 1554 used with negative inputs. Found by Guido Vranken in #2404. Credit to 1555 OSS-Fuzz. 1556 * Fix bugs in the AEAD test suite which would be exposed by ciphers which 1557 either used both encrypt and decrypt key schedules, or which perform padding. 1558 GCM and CCM were not affected. Fixed by Jack Lloyd. 1559 * Fix incorrect default port number in ssl_mail_client example's usage. 1560 Found and fixed by irwir. #2337 1561 * Add psa_util.h to test/cpp_dummy_build to fix build_default_make_gcc_and_cxx. 1562 Fixed by Peter Kolbus (Garmin). #2579 1563 * Add missing parentheses around parameters in the definition of the 1564 public macro MBEDTLS_X509_ID_FLAG. This could lead to invalid evaluation 1565 in case operators binding less strongly than subtraction were used 1566 for the parameter. 1567 * Add a check for MBEDTLS_X509_CRL_PARSE_C in ssl_server2, guarding the crl 1568 sni entry parameter. Reported by inestlerode in #560. 1569 * Set the next sequence of the subject_alt_name to NULL when deleting 1570 sequence on failure. Found and fix suggested by Philippe Antoine. 1571 Credit to OSS-Fuzz. 1572 1573Changes 1574 * Server's RSA certificate in certs.c was SHA-1 signed. In the default 1575 mbedTLS configuration only SHA-2 signed certificates are accepted. 1576 This certificate is used in the demo server programs, which lead the 1577 client programs to fail at the peer's certificate verification 1578 due to an unacceptable hash signature. The certificate has been 1579 updated to one that is SHA-256 signed. Fix contributed by 1580 Illya Gerasymchuk. 1581 * Return from various debugging routines immediately if the 1582 provided SSL context is unset. 1583 * Remove dead code from bignum.c in the default configuration. 1584 Found by Coverity, reported and fixed by Peter Kolbus (Garmin). Fixes #2309. 1585 * Add test for minimal value of MBEDTLS_MPI_WINDOW_SIZE to all.sh. 1586 Contributed by Peter Kolbus (Garmin). 1587 * Change wording in the `mbedtls_ssl_conf_max_frag_len()`'s documentation to 1588 improve clarity. Fixes #2258. 1589 1590= mbed TLS 2.17.0 branch released 2019-03-19 1591 1592Features 1593 * Add a new X.509 API call `mbedtls_x509_parse_der_nocopy()` 1594 which allows copy-less parsing of DER encoded X.509 CRTs, 1595 at the cost of additional lifetime constraints on the input 1596 buffer, but at the benefit of reduced RAM consumption. 1597 * Add a new function mbedtls_asn1_write_named_bitstring() to write ASN.1 1598 named bitstring in DER as required by RFC 5280 Appendix B. 1599 * Add MBEDTLS_REMOVE_3DES_CIPHERSUITES to allow removing 3DES ciphersuites 1600 from the default list (enabled by default). See 1601 https://sweet32.info/SWEET32_CCS16.pdf. 1602 1603API Changes 1604 * Add a new X.509 API call `mbedtls_x509_parse_der_nocopy()`. 1605 See the Features section for more information. 1606 * Allow to opt in to the removal the API mbedtls_ssl_get_peer_cert() 1607 for the benefit of saving RAM, by disabling the new compile-time 1608 option MBEDTLS_SSL_KEEP_PEER_CERTIFICATE (enabled by default for 1609 API stability). Disabling this option makes mbedtls_ssl_get_peer_cert() 1610 always return NULL, and removes the peer_cert field from the 1611 mbedtls_ssl_session structure which otherwise stores the peer's 1612 certificate. 1613 1614Security 1615 * Make mbedtls_ecdh_get_params return an error if the second key 1616 belongs to a different group from the first. Before, if an application 1617 passed keys that belonged to different group, the first key's data was 1618 interpreted according to the second group, which could lead to either 1619 an error or a meaningless output from mbedtls_ecdh_get_params. In the 1620 latter case, this could expose at most 5 bits of the private key. 1621 1622Bugfix 1623 * Fix a compilation issue with mbedtls_ecp_restart_ctx not being defined 1624 when MBEDTLS_ECP_ALT is defined. Reported by jwhui. Fixes #2242. 1625 * Run the AD too long test only if MBEDTLS_CCM_ALT is not defined. 1626 Raised as a comment in #1996. 1627 * Reduce the stack consumption of mbedtls_mpi_fill_random() which could 1628 previously lead to a stack overflow on constrained targets. 1629 * Add `MBEDTLS_SELF_TEST` for the mbedtls_self_test functions 1630 in the header files, which missed the precompilation check. #971 1631 * Fix returning the value 1 when mbedtls_ecdsa_genkey failed. 1632 * Remove a duplicate #include in a sample program. Fixed by Masashi Honma #2326. 1633 * Remove the mbedtls namespacing from the header file, to fix a "file not found" 1634 build error. Fixed by Haijun Gu #2319. 1635 * Fix signed-to-unsigned integer conversion warning 1636 in X.509 module. Fixes #2212. 1637 * Reduce stack usage of `mpi_write_hlp()` by eliminating recursion. 1638 Fixes #2190. 1639 * Fix false failure in all.sh when backup files exist in include/mbedtls 1640 (e.g. config.h.bak). Fixed by Peter Kolbus (Garmin) #2407. 1641 * Ensure that unused bits are zero when writing ASN.1 bitstrings when using 1642 mbedtls_asn1_write_bitstring(). 1643 * Fix issue when writing the named bitstrings in KeyUsage and NsCertType 1644 extensions in CSRs and CRTs that caused these bitstrings to not be encoded 1645 correctly as trailing zeroes were not accounted for as unused bits in the 1646 leading content octet. Fixes #1610. 1647 1648Changes 1649 * Reduce RAM consumption during session renegotiation by not storing 1650 the peer CRT chain and session ticket twice. 1651 * Include configuration file in all header files that use configuration, 1652 instead of relying on other header files that they include. 1653 Inserted as an enhancement for #1371 1654 * Add support for alternative CSR headers, as used by Microsoft and defined 1655 in RFC 7468. Found by Michael Ernst. Fixes #767. 1656 * Correct many misspellings. Fixed by MisterDA #2371. 1657 * Provide an abstraction of vsnprintf to allow alternative implementations 1658 for platforms that don't provide it. Based on contributions by Joris Aerts 1659 and Nathaniel Wesley Filardo. 1660 * Fix clobber list in MIPS assembly for large integer multiplication. 1661 Previously, this could lead to functionally incorrect assembly being 1662 produced by some optimizing compilers, showing up as failures in 1663 e.g. RSA or ECC signature operations. Reported in #1722, fix suggested 1664 by Aurelien Jarno and submitted by Jeffrey Martin. 1665 * Reduce the complexity of the timing tests. They were assuming more than the 1666 underlying OS actually guarantees. 1667 * Fix configuration queries in ssl-opt.h. #2030 1668 * Ensure that ssl-opt.h can be run in OS X. #2029 1669 * Re-enable certain interoperability tests in ssl-opt.sh which had previously 1670 been disabled for lack of a sufficiently recent version of GnuTLS on the CI. 1671 * Ciphersuites based on 3DES now have the lowest priority by default when 1672 they are enabled. 1673 1674= mbed TLS 2.16.0 branch released 2018-12-21 1675 1676Features 1677 * Add a new config.h option of MBEDTLS_CHECK_PARAMS that enables validation 1678 of parameters in the API. This allows detection of obvious misuses of the 1679 API, such as passing NULL pointers. The API of existing functions hasn't 1680 changed, but requirements on parameters have been made more explicit in 1681 the documentation. See the corresponding API documentation for each 1682 function to see for which parameter values it is defined. This feature is 1683 disabled by default. See its API documentation in config.h for additional 1684 steps you have to take when enabling it. 1685 1686API Changes 1687 * The following functions in the random generator modules have been 1688 deprecated and replaced as shown below. The new functions change 1689 the return type from void to int to allow returning error codes when 1690 using MBEDTLS_<MODULE>_ALT for the underlying AES or message digest 1691 primitive. Fixes #1798. 1692 mbedtls_ctr_drbg_update() -> mbedtls_ctr_drbg_update_ret() 1693 mbedtls_hmac_drbg_update() -> mbedtls_hmac_drbg_update_ret() 1694 * Extend ECDH interface to enable alternative implementations. 1695 * Deprecate error codes of the form MBEDTLS_ERR_xxx_INVALID_KEY_LENGTH for 1696 ARIA, CAMELLIA and Blowfish. These error codes will be replaced by 1697 the more generic per-module error codes MBEDTLS_ERR_xxx_BAD_INPUT_DATA. 1698 * Additional parameter validation checks have been added for the following 1699 modules - AES, ARIA, Blowfish, CAMELLIA, CCM, GCM, DHM, ECP, ECDSA, ECDH, 1700 ECJPAKE, SHA, Chacha20 and Poly1305, cipher, pk, RSA, and MPI. 1701 Where modules have had parameter validation added, existing parameter 1702 checks may have changed. Some modules, such as Chacha20 had existing 1703 parameter validation whereas other modules had little. This has now been 1704 changed so that the same level of validation is present in all modules, and 1705 that it is now optional with the MBEDTLS_CHECK_PARAMS flag which by default 1706 is off. That means that checks which were previously present by default 1707 will no longer be. 1708 1709New deprecations 1710 * Deprecate mbedtls_ctr_drbg_update and mbedtls_hmac_drbg_update 1711 in favor of functions that can return an error code. 1712 1713Bugfix 1714 * Fix for Clang, which was reporting a warning for the bignum.c inline 1715 assembly for AMD64 targets creating string literals greater than those 1716 permitted by the ISO C99 standard. Found by Aaron Jones. Fixes #482. 1717 * Fix runtime error in `mbedtls_platform_entropy_poll()` when run 1718 through qemu user emulation. Reported and fix suggested by randombit 1719 in #1212. Fixes #1212. 1720 * Fix an unsafe bounds check when restoring an SSL session from a ticket. 1721 This could lead to a buffer overflow, but only in case ticket authentication 1722 was broken. Reported and fix suggested by Guido Vranken in #659. 1723 * Add explicit integer to enumeration type casts to example program 1724 programs/pkey/gen_key which previously led to compilation failure 1725 on some toolchains. Reported by phoenixmcallister. Fixes #2170. 1726 * Fix double initialization of ECC hardware that made some accelerators 1727 hang. 1728 * Clarify documentation of mbedtls_ssl_set_own_cert() regarding the absence 1729 of check for certificate/key matching. Reported by Attila Molnar, #507. 1730 1731 = mbed TLS 2.15.1 branch released 2018-11-30 1732 1733 Changes 1734 * Update the Mbed Crypto submodule to version 0.1.0b2. 1735 1736 = mbed TLS 2.15.0 branch released 2018-11-23 1737 1738 Features 1739 * Add an experimental build option, USE_CRYPTO_SUBMODULE, to enable use of 1740 Mbed Crypto as the source of the cryptography implementation. 1741 * Add an experimental configuration option, MBEDTLS_PSA_CRYPTO_C, to enable 1742 the PSA Crypto API from Mbed Crypto when additionally used with the 1743 USE_CRYPTO_SUBMODULE build option. 1744 1745 Changes 1746 * Add unit tests for AES-GCM when called through mbedtls_cipher_auth_xxx() 1747 from the cipher abstraction layer. Fixes #2198. 1748 1749= mbed TLS 2.14.1 branch released 2018-11-30 1750 1751Security 1752 * Fix timing variations and memory access variations in RSA PKCS#1 v1.5 1753 decryption that could lead to a Bleichenbacher-style padding oracle 1754 attack. In TLS, this affects servers that accept ciphersuites based on 1755 RSA decryption (i.e. ciphersuites whose name contains RSA but not 1756 (EC)DH(E)). Discovered by Eyal Ronen (Weizmann Institute), Robert Gillham 1757 (University of Adelaide), Daniel Genkin (University of Michigan), 1758 Adi Shamir (Weizmann Institute), David Wong (NCC Group), and Yuval Yarom 1759 (University of Adelaide, Data61). The attack is described in more detail 1760 in the paper available here: http://cat.eyalro.net/cat.pdf CVE-2018-19608 1761 * In mbedtls_mpi_write_binary(), don't leak the exact size of the number 1762 via branching and memory access patterns. An attacker who could submit 1763 a plaintext for RSA PKCS#1 v1.5 decryption but only observe the timing 1764 of the decryption and not its result could nonetheless decrypt RSA 1765 plaintexts and forge RSA signatures. Other asymmetric algorithms may 1766 have been similarly vulnerable. Reported by Eyal Ronen, Robert Gillham, 1767 Daniel Genkin, Adi Shamir, David Wong and Yuval Yarom. 1768 * Wipe sensitive buffers on the stack in the CTR_DRBG and HMAC_DRBG 1769 modules. 1770 1771API Changes 1772 * The new functions mbedtls_ctr_drbg_update_ret() and 1773 mbedtls_hmac_drbg_update_ret() are similar to mbedtls_ctr_drbg_update() 1774 and mbedtls_hmac_drbg_update() respectively, but the new functions 1775 report errors whereas the old functions return void. We recommend that 1776 applications use the new functions. 1777 1778= mbed TLS 2.14.0 branch released 2018-11-19 1779 1780Security 1781 * Fix overly strict DN comparison when looking for CRLs belonging to a 1782 particular CA. This previously led to ignoring CRLs when the CRL's issuer 1783 name and the CA's subject name differed in their string encoding (e.g., 1784 one using PrintableString and the other UTF8String) or in the choice of 1785 upper and lower case. Reported by Henrik Andersson of Bosch GmbH in issue 1786 #1784. 1787 * Fix a flawed bounds check in server PSK hint parsing. In case the 1788 incoming message buffer was placed within the first 64KiB of address 1789 space and a PSK-(EC)DHE ciphersuite was used, this allowed an attacker 1790 to trigger a memory access up to 64KiB beyond the incoming message buffer, 1791 potentially leading to an application crash or information disclosure. 1792 * Fix mbedtls_mpi_is_prime() to use more rounds of probabilistic testing. The 1793 previous settings for the number of rounds made it practical for an 1794 adversary to construct non-primes that would be erroneously accepted as 1795 primes with high probability. This does not have an impact on the 1796 security of TLS, but can matter in other contexts with numbers chosen 1797 potentially by an adversary that should be prime and can be validated. 1798 For example, the number of rounds was enough to securely generate RSA key 1799 pairs or Diffie-Hellman parameters, but was insufficient to validate 1800 Diffie-Hellman parameters properly. 1801 See "Prime and Prejudice" by by Martin R. Albrecht and Jake Massimo and 1802 Kenneth G. Paterson and Juraj Somorovsky. 1803 1804Features 1805 * Add support for temporarily suspending expensive ECC computations after 1806 some configurable amount of operations. This is intended to be used in 1807 constrained, single-threaded systems where ECC is time consuming and can 1808 block other operations until they complete. This is disabled by default, 1809 but can be enabled by MBEDTLS_ECP_RESTARTABLE at compile time and 1810 configured by mbedtls_ecp_set_max_ops() at runtime. It applies to the new 1811 xxx_restartable functions in ECP, ECDSA, PK and X.509 (CRL not supported 1812 yet), and to existing functions in ECDH and SSL (currently only 1813 implemented client-side, for ECDHE-ECDSA ciphersuites in TLS 1.2, 1814 including client authentication). 1815 * Add support for Arm CPU DSP extensions to accelerate asymmetric key 1816 operations. On CPUs where the extensions are available, they can accelerate 1817 MPI multiplications used in ECC and RSA cryptography. Contributed by 1818 Aurelien Jarno. 1819 * Extend RSASSA-PSS signature to allow a smaller salt size. Previously, PSS 1820 signature always used a salt with the same length as the hash, and returned 1821 an error if this was not possible. Now the salt size may be up to two bytes 1822 shorter. This allows the library to support all hash and signature sizes 1823 that comply with FIPS 186-4, including SHA-512 with a 1024-bit key. 1824 * Add support for 128-bit keys in CTR_DRBG. Note that using keys shorter 1825 than 256 bits limits the security of generated material to 128 bits. 1826 1827API Changes 1828 * Add a common error code of `MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED` for 1829 a feature that is not supported by underlying alternative 1830 implementations implementing cryptographic primitives. This is useful for 1831 hardware accelerators that don't implement all options or features. 1832 1833New deprecations 1834 * All module specific errors following the form 1835 MBEDTLS_ERR_XXX_FEATURE_UNAVAILABLE that indicate a feature is not 1836 supported are deprecated and are now replaced by the new equivalent 1837 platform error. 1838 * All module specific generic hardware acceleration errors following the 1839 form MBEDTLS_ERR_XXX_HW_ACCEL_FAILED that are deprecated and are replaced 1840 by the equivalent plaform error. 1841 * Deprecate the function mbedtls_mpi_is_prime() in favor of 1842 mbedtls_mpi_is_prime_ext() which allows specifying the number of 1843 Miller-Rabin rounds. 1844 1845Bugfix 1846 * Fix wrong order of freeing in programs/ssl/ssl_server2 example 1847 application leading to a memory leak in case both 1848 MBEDTLS_MEMORY_BUFFER_ALLOC_C and MBEDTLS_MEMORY_BACKTRACE are set. 1849 Fixes #2069. 1850 * Fix a bug in the update function for SSL ticket keys which previously 1851 invalidated keys of a lifetime of less than a 1s. Fixes #1968. 1852 * Fix failure in hmac_drbg in the benchmark sample application, when 1853 MBEDTLS_THREADING_C is defined. Found by TrinityTonic, #1095 1854 * Fix a bug in the record decryption routine ssl_decrypt_buf() 1855 which lead to accepting properly authenticated but improperly 1856 padded records in case of CBC ciphersuites using Encrypt-then-MAC. 1857 * Fix memory leak and freeing without initialization in the example 1858 program programs/x509/cert_write. Fixes #1422. 1859 * Ignore IV in mbedtls_cipher_set_iv() when the cipher mode is 1860 MBEDTLS_MODE_ECB. Found by ezdevelop. Fixes #1091. 1861 * Zeroize memory used for buffering or reassembling handshake messages 1862 after use. 1863 * Use `mbedtls_platform_zeroize()` instead of `memset()` for zeroization 1864 of sensitive data in the example programs aescrypt2 and crypt_and_hash. 1865 * Change the default string format used for various X.509 DN attributes to 1866 UTF8String. Previously, the use of the PrintableString format led to 1867 wildcards and non-ASCII characters being unusable in some DN attributes. 1868 Reported by raprepo in #1860 and by kevinpt in #468. Fix contributed by 1869 Thomas-Dee. 1870 * Fix compilation failure for configurations which use compile time 1871 replacements of standard calloc/free functions through the macros 1872 MBEDTLS_PLATFORM_CALLOC_MACRO and MBEDTLS_PLATFORM_FREE_MACRO. 1873 Reported by ole-de and ddhome2006. Fixes #882, #1642 and #1706. 1874 1875Changes 1876 * Removed support for Yotta as a build tool. 1877 * Add tests for session resumption in DTLS. 1878 * Close a test gap in (D)TLS between the client side and the server side: 1879 test the handling of large packets and small packets on the client side 1880 in the same way as on the server side. 1881 * Change the dtls_client and dtls_server samples to work by default over 1882 IPv6 and optionally by a build option over IPv4. 1883 * Change the use of Windows threading to use Microsoft Visual C++ runtime 1884 calls, rather than Win32 API calls directly. This is necessary to avoid 1885 conflict with C runtime usage. Found and fixed by irwir. 1886 * Remember the string format of X.509 DN attributes when replicating 1887 X.509 DNs. Previously, DN attributes were always written in their default 1888 string format (mostly PrintableString), which could lead to CRTs being 1889 created which used PrintableStrings in the issuer field even though the 1890 signing CA used UTF8Strings in its subject field; while X.509 compliant, 1891 such CRTs were rejected in some applications, e.g. some versions of 1892 Firefox, curl and GnuTLS. Reported in #1033 by Moschn. Fix contributed by 1893 Thomas-Dee. 1894 * Improve documentation of mbedtls_ssl_get_verify_result(). 1895 Fixes #517 reported by github-monoculture. 1896 * Add MBEDTLS_MPI_GEN_PRIME_FLAG_LOW_ERR flag to mbedtls_mpi_gen_prime() and 1897 use it to reduce error probability in RSA key generation to levels mandated 1898 by FIPS-186-4. 1899 1900= mbed TLS 2.13.1 branch released 2018-09-06 1901 1902API Changes 1903 * Extend the platform module with an abstraction mbedtls_platform_gmtime_r() 1904 whose implementation should behave as a thread-safe version of gmtime(). 1905 This allows users to configure such an implementation at compile time when 1906 the target system cannot be deduced automatically, by setting the option 1907 MBEDTLS_PLATFORM_GMTIME_R_ALT. At this stage Mbed TLS is only able to 1908 automatically select implementations for Windows and POSIX C libraries. 1909 1910Bugfix 1911 * Fix build failures on platforms where only gmtime() is available but 1912 neither gmtime_r() nor gmtime_s() are present. Fixes #1907. 1913 1914= mbed TLS 2.13.0 branch released 2018-08-31 1915 1916Security 1917 * Fix an issue in the X.509 module which could lead to a buffer overread 1918 during certificate extensions parsing. In case of receiving malformed 1919 input (extensions length field equal to 0), an illegal read of one byte 1920 beyond the input buffer is made. Found and analyzed by Nathan Crandall. 1921 1922Features 1923 * Add support for fragmentation of outgoing DTLS handshake messages. This 1924 is controlled by the maximum fragment length as set locally or negotiated 1925 with the peer, as well as by a new per-connection MTU option, set using 1926 mbedtls_ssl_set_mtu(). 1927 * Add support for auto-adjustment of MTU to a safe value during the 1928 handshake when flights do not get through (RFC 6347, section 4.1.1.1, 1929 last paragraph). 1930 * Add support for packing multiple records within a single datagram, 1931 enabled by default. 1932 * Add support for buffering out-of-order handshake messages in DTLS. 1933 The maximum amount of RAM used for this can be controlled by the 1934 compile-time constant MBEDTLS_SSL_DTLS_MAX_BUFFERING defined 1935 in mbedtls/config.h. 1936 1937API Changes 1938 * Add function mbedtls_ssl_set_datagram_packing() to configure 1939 the use of datagram packing (enabled by default). 1940 1941Bugfix 1942 * Fix a potential memory leak in mbedtls_ssl_setup() function. An allocation 1943 failure in the function could lead to other buffers being leaked. 1944 * Fixes an issue with MBEDTLS_CHACHAPOLY_C which would not compile if 1945 MBEDTLS_ARC4_C and MBEDTLS_CIPHER_NULL_CIPHER weren't also defined. #1890 1946 * Fix a memory leak in ecp_mul_comb() if ecp_precompute_comb() fails. 1947 Fix contributed by Espressif Systems. 1948 * Add ecc extensions only if an ecc based ciphersuite is used. 1949 This improves compliance to RFC 4492, and as a result, solves 1950 interoperability issues with BouncyCastle. Raised by milenamil in #1157. 1951 * Replace printf with mbedtls_printf in the ARIA module. Found by 1952 TrinityTonic in #1908. 1953 * Fix potential use-after-free in mbedtls_ssl_get_max_frag_len() 1954 and mbedtls_ssl_get_record_expansion() after a session reset. Fixes #1941. 1955 * Fix a bug that caused SSL/TLS clients to incorrectly abort the handshake 1956 with TLS versions 1.1 and earlier when the server requested authentication 1957 without providing a list of CAs. This was due to an overly strict bounds 1958 check in parsing the CertificateRequest message, 1959 introduced in Mbed TLS 2.12.0. Fixes #1954. 1960 * Fix a miscalculation of the maximum record expansion in 1961 mbedtls_ssl_get_record_expansion() in case of ChachaPoly ciphersuites, 1962 or CBC ciphersuites in (D)TLS versions 1.1 or higher. Fixes #1913, #1914. 1963 * Fix undefined shifts with negative values in certificates parsing 1964 (found by Catena cyber using oss-fuzz) 1965 * Fix memory leak and free without initialization in pk_encrypt 1966 and pk_decrypt example programs. Reported by Brace Stout. Fixes #1128. 1967 * Remove redundant else statement. Raised by irwir. Fixes #1776. 1968 1969Changes 1970 * Copy headers preserving timestamps when doing a "make install". 1971 Contributed by xueruini. 1972 * Allow the forward declaration of public structs. Contributed by Dawid 1973 Drozd. Fixes #1215 raised by randombit. 1974 * Improve compatibility with some alternative CCM implementations by using 1975 CCM test vectors from RAM. 1976 * Add support for buffering of out-of-order handshake messages. 1977 * Add warnings to the documentation of the HKDF module to reduce the risk 1978 of misusing the mbedtls_hkdf_extract() and mbedtls_hkdf_expand() 1979 functions. Fixes #1775. Reported by Brian J. Murray. 1980 1981= mbed TLS 2.12.0 branch released 2018-07-25 1982 1983Security 1984 * Fix a vulnerability in TLS ciphersuites based on CBC and using SHA-384, 1985 in (D)TLS 1.0 to 1.2, that allowed an active network attacker to 1986 partially recover the plaintext of messages under some conditions by 1987 exploiting timing measurements. With DTLS, the attacker could perform 1988 this recovery by sending many messages in the same connection. With TLS 1989 or if mbedtls_ssl_conf_dtls_badmac_limit() was used, the attack only 1990 worked if the same secret (for example a HTTP Cookie) has been repeatedly 1991 sent over connections manipulated by the attacker. Connections using GCM 1992 or CCM instead of CBC, using hash sizes other than SHA-384, or using 1993 Encrypt-then-Mac (RFC 7366) were not affected. The vulnerability was 1994 caused by a miscalculation (for SHA-384) in a countermeasure to the 1995 original Lucky 13 attack. Found by Kenny Paterson, Eyal Ronen and Adi 1996 Shamir. 1997 * Fix a vulnerability in TLS ciphersuites based on CBC, in (D)TLS 1.0 to 1998 1.2, that allowed a local attacker, able to execute code on the local 1999 machine as well as manipulate network packets, to partially recover the 2000 plaintext of messages under some conditions by using a cache attack 2001 targeting an internal MD/SHA buffer. With TLS or if 2002 mbedtls_ssl_conf_dtls_badmac_limit() was used, the attack only worked if 2003 the same secret (for example a HTTP Cookie) has been repeatedly sent over 2004 connections manipulated by the attacker. Connections using GCM or CCM 2005 instead of CBC or using Encrypt-then-Mac (RFC 7366) were not affected. 2006 Found by Kenny Paterson, Eyal Ronen and Adi Shamir. 2007 * Add a counter-measure against a vulnerability in TLS ciphersuites based 2008 on CBC, in (D)TLS 1.0 to 1.2, that allowed a local attacker, able to 2009 execute code on the local machine as well as manipulate network packets, 2010 to partially recover the plaintext of messages under some conditions (see 2011 previous entry) by using a cache attack targeting the SSL input record 2012 buffer. Connections using GCM or CCM instead of CBC or using 2013 Encrypt-then-Mac (RFC 7366) were not affected. Found by Kenny Paterson, 2014 Eyal Ronen and Adi Shamir. 2015 2016Features 2017 * Add new crypto primitives from RFC 7539: stream cipher Chacha20, one-time 2018 authenticator Poly1305 and AEAD construct Chacha20-Poly1305. Contributed 2019 by Daniel King. 2020 * Add support for CHACHA20-POLY1305 ciphersuites from RFC 7905. 2021 * Add platform support for the Haiku OS. (https://www.haiku-os.org). 2022 Contributed by Augustin Cavalier. 2023 * Make the receive and transmit buffers independent sizes, for situations 2024 where the outgoing buffer can be fixed at a smaller size than the incoming 2025 buffer, which can save some RAM. If buffer lengths are kept equal, there 2026 is no functional difference. Contributed by Angus Gratton, and also 2027 independently contributed again by Paul Sokolovsky. 2028 * Add support for key wrapping modes based on AES as defined by 2029 NIST SP 800-38F algorithms KW and KWP and by RFC 3394 and RFC 5649. 2030 2031Bugfix 2032 * Fix the key_app_writer example which was writing a leading zero byte which 2033 was creating an invalid ASN.1 tag. Found by Aryeh R. Fixes #1257. 2034 * Fix compilation error on C++, because of a variable named new. 2035 Found and fixed by Hirotaka Niisato in #1783. 2036 * Fix "no symbols" warning issued by ranlib when building on Mac OS X. Fix 2037 contributed by tabascoeye. 2038 * Clarify documentation for mbedtls_ssl_write() to include 0 as a valid 2039 return value. Found by @davidwu2000. #839 2040 * Fix a memory leak in mbedtls_x509_csr_parse(), found by catenacyber, 2041 Philippe Antoine. Fixes #1623. 2042 * Remove unused headers included in x509.c. Found by Chris Hanson and fixed 2043 by Brendan Shanks. Part of a fix for #992. 2044 * Fix compilation error when MBEDTLS_ARC4_C is disabled and 2045 MBEDTLS_CIPHER_NULL_CIPHER is enabled. Found by TrinityTonic in #1719. 2046 * Added length checks to some TLS parsing functions. Found and fixed by 2047 Philippe Antoine from Catena cyber. #1663. 2048 * Fix the inline assembly for the MPI multiply helper function for i386 and 2049 i386 with SSE2. Found by László Langó. Fixes #1550 2050 * Fix namespacing in header files. Remove the `mbedtls` namespacing in 2051 the `#include` in the header files. Resolves #857 2052 * Fix compiler warning of 'use before initialisation' in 2053 mbedtls_pk_parse_key(). Found by Martin Boye Petersen and fixed by Dawid 2054 Drozd. #1098 2055 * Fix decryption for zero length messages (which contain all padding) when a 2056 CBC based ciphersuite is used together with Encrypt-then-MAC. Previously, 2057 such a message was wrongly reported as an invalid record and therefore lead 2058 to the connection being terminated. Seen most often with OpenSSL using 2059 TLS 1.0. Reported by @kFYatek and by Conor Murphy on the forum. Fix 2060 contributed by Espressif Systems. Fixes #1632 2061 * Fix ssl_client2 example to send application data with 0-length content 2062 when the request_size argument is set to 0 as stated in the documentation. 2063 Fixes #1833. 2064 * Correct the documentation for `mbedtls_ssl_get_session()`. This API has 2065 deep copy of the session, and the peer certificate is not lost. Fixes #926. 2066 * Fix build using -std=c99. Fixed by Nick Wilson. 2067 2068Changes 2069 * Fail when receiving a TLS alert message with an invalid length, or invalid 2070 zero-length messages when using TLS 1.2. Contributed by Espressif Systems. 2071 * Change the default behaviour of mbedtls_hkdf_extract() to return an error 2072 when calling with a NULL salt and non-zero salt_len. Contributed by 2073 Brian J Murray 2074 * Change the shebang line in Perl scripts to look up perl in the PATH. 2075 Contributed by fbrosson. 2076 * Allow overriding the time on Windows via the platform-time abstraction. 2077 Fixed by Nick Wilson. 2078 * Use gmtime_r/gmtime_s for thread-safety. Fixed by Nick Wilson. 2079 2080= mbed TLS 2.11.0 branch released 2018-06-18 2081 2082Features 2083 * Add additional block mode, OFB (Output Feedback), to the AES module and 2084 cipher abstraction module. 2085 * Implement the HMAC-based extract-and-expand key derivation function 2086 (HKDF) per RFC 5869. Contributed by Thomas Fossati. 2087 * Add support for the CCM* block cipher mode as defined in IEEE Std. 802.15.4. 2088 * Add support for the XTS block cipher mode with AES (AES-XTS). 2089 Contributed by Aorimn in pull request #414. 2090 * In TLS servers, support offloading private key operations to an external 2091 cryptoprocessor. Private key operations can be asynchronous to allow 2092 non-blocking operation of the TLS server stack. 2093 2094Bugfix 2095 * Fix the cert_write example to handle certificates signed with elliptic 2096 curves as well as RSA. Fixes #777 found by dbedev. 2097 * Fix for redefinition of _WIN32_WINNT to avoid overriding a definition 2098 used by user applications. Found and fixed by Fabio Alessandrelli. 2099 * Fix compilation warnings with IAR toolchain, on 32 bit platform. 2100 Reported by rahmanih in #683 2101 * Fix braces in mbedtls_memory_buffer_alloc_status(). Found by sbranden, #552. 2102 2103Changes 2104 * Changed CMake defaults for IAR to treat all compiler warnings as errors. 2105 * Changed the Clang parameters used in the CMake build files to work for 2106 versions later than 3.6. Versions of Clang earlier than this may no longer 2107 work. Fixes #1072 2108 2109= mbed TLS 2.10.0 branch released 2018-06-06 2110 2111Features 2112 * Add support for ARIA cipher (RFC 5794) and associated TLS ciphersuites 2113 (RFC 6209). Disabled by default, see MBEDTLS_ARIA_C in config.h 2114 2115API Changes 2116 * Extend the platform module with a util component that contains 2117 functionality shared by multiple Mbed TLS modules. At this stage 2118 platform_util.h (and its associated platform_util.c) only contain 2119 mbedtls_platform_zeroize(), which is a critical function from a security 2120 point of view. mbedtls_platform_zeroize() needs to be regularly tested 2121 against compilers to ensure that calls to it are not removed from the 2122 output binary as part of redundant code elimination optimizations. 2123 Therefore, mbedtls_platform_zeroize() is moved to the platform module to 2124 facilitate testing and maintenance. 2125 2126Bugfix 2127 * Fix an issue with MicroBlaze support in bn_mul.h which was causing the 2128 build to fail. Found by zv-io. Fixes #1651. 2129 2130Changes 2131 * Support TLS testing in out-of-source builds using cmake. Fixes #1193. 2132 * Fix redundant declaration of mbedtls_ssl_list_ciphersuites. Raised by 2133 TrinityTonic. #1359. 2134 2135= mbed TLS 2.9.0 branch released 2018-04-30 2136 2137Security 2138 * Fix an issue in the X.509 module which could lead to a buffer overread 2139 during certificate validation. Additionally, the issue could also lead to 2140 unnecessary callback checks being made or to some validation checks to be 2141 omitted. The overread could be triggered remotely, while the other issues 2142 would require a non DER-compliant certificate to be correctly signed by a 2143 trusted CA, or a trusted CA with a non DER-compliant certificate. Found by 2144 luocm. Fixes #825. 2145 * Fix the buffer length assertion in the ssl_parse_certificate_request() 2146 function which led to an arbitrary overread of the message buffer. The 2147 overreads could be caused by receiving a malformed message at the point 2148 where an optional signature algorithms list is expected when the signature 2149 algorithms section is too short. In builds with debug output, the overread 2150 data is output with the debug data. 2151 * Fix a client-side bug in the validation of the server's ciphersuite choice 2152 which could potentially lead to the client accepting a ciphersuite it didn't 2153 offer or a ciphersuite that cannot be used with the TLS or DTLS version 2154 chosen by the server. This could lead to corruption of internal data 2155 structures for some configurations. 2156 2157Features 2158 * Add an option, MBEDTLS_AES_FEWER_TABLES, to dynamically compute smaller AES 2159 tables during runtime, thereby reducing the RAM/ROM footprint by ~6KiB. 2160 Suggested and contributed by jkivilin in pull request #394. 2161 * Add initial support for Curve448 (RFC 7748). Only mbedtls_ecp_mul() and 2162 ECDH primitive functions (mbedtls_ecdh_gen_public(), 2163 mbedtls_ecdh_compute_shared()) are supported for now. Contributed by 2164 Nicholas Wilson in pull request #348. 2165 2166API Changes 2167 * Extend the public API with the function of mbedtls_net_poll() to allow user 2168 applications to wait for a network context to become ready before reading 2169 or writing. 2170 * Add function mbedtls_ssl_check_pending() to the public API to allow 2171 a check for whether more more data is pending to be processed in the 2172 internal message buffers. 2173 This function is necessary to determine when it is safe to idle on the 2174 underlying transport in case event-driven IO is used. 2175 2176Bugfix 2177 * Fix a spurious uninitialized variable warning in cmac.c. Fix independently 2178 contributed by Brian J Murray and David Brown. 2179 * Add missing dependencies in test suites that led to build failures 2180 in configurations that omit certain hashes or public-key algorithms. 2181 Fixes #1040. 2182 * Fix C89 incompatibility in benchmark.c. Contributed by Brendan Shanks. 2183 #1353 2184 * Add missing dependencies for MBEDTLS_HAVE_TIME_DATE and 2185 MBEDTLS_VERSION_FEATURES in some test suites. Contributed by 2186 Deomid Ryabkov. Fixes #1299, #1475. 2187 * Fix the Makefile build process for building shared libraries on Mac OS X. 2188 Fixed by mnacamura. 2189 * Fix parsing of PKCS#8 encoded Elliptic Curve keys. Previously Mbed TLS was 2190 unable to parse keys which had only the optional parameters field of the 2191 ECPrivateKey structure. Found by Jethro Beekman, fixed in #1379. 2192 * Return the plaintext data more quickly on unpadded CBC decryption, as 2193 stated in the mbedtls_cipher_update() documentation. Contributed by 2194 Andy Leiserson. 2195 * Fix overriding and ignoring return values when parsing and writing to 2196 a file in pk_sign program. Found by kevlut in #1142. 2197 * Restrict usage of error code MBEDTLS_ERR_SSL_WANT_READ to situations 2198 where data needs to be fetched from the underlying transport in order 2199 to make progress. Previously, this error code was also occasionally 2200 returned when unexpected messages were being discarded, ignoring that 2201 further messages could potentially already be pending to be processed 2202 in the internal buffers; these cases led to deadlocks when event-driven 2203 I/O was used. Found and reported by Hubert Mis in #772. 2204 * Fix buffer length assertions in the ssl_parse_certificate_request() 2205 function which leads to a potential one byte overread of the message 2206 buffer. 2207 * Fix invalid buffer sizes passed to zlib during record compression and 2208 decompression. 2209 * Fix the soversion of libmbedcrypto to match the soversion of the 2210 maintained 2.7 branch. The soversion was increased in Mbed TLS 2211 version 2.7.1 to reflect breaking changes in that release, but the 2212 increment was missed in 2.8.0 and later releases outside of the 2.7 branch. 2213 2214Changes 2215 * Remove some redundant code in bignum.c. Contributed by Alexey Skalozub. 2216 * Support cmake builds where Mbed TLS is a subproject. Fix contributed 2217 independently by Matthieu Volat and Arne Schwabe. 2218 * Improve testing in configurations that omit certain hashes or 2219 public-key algorithms. Includes contributions by Gert van Dijk. 2220 * Improve negative testing of X.509 parsing. 2221 * Do not define global mutexes around readdir() and gmtime() in 2222 configurations where the feature is disabled. Found and fixed by Gergely 2223 Budai. 2224 * Harden the function mbedtls_ssl_config_free() against misuse, so that it 2225 doesn't leak memory if the user doesn't use mbedtls_ssl_conf_psk() and 2226 instead incorrectly manipulates the configuration structure directly. 2227 Found and fix submitted by junyeonLEE in #1220. 2228 * Provide an empty implementation of mbedtls_pkcs5_pbes2() when 2229 MBEDTLS_ASN1_PARSE_C is not enabled. This allows the use of PBKDF2 2230 without PBES2. Fixed by Marcos Del Sol Vives. 2231 * Add the order of the base point as N in the mbedtls_ecp_group structure 2232 for Curve25519 (other curves had it already). Contributed by Nicholas 2233 Wilson #481 2234 * Improve the documentation of mbedtls_net_accept(). Contributed by Ivan 2235 Krylov. 2236 * Improve the documentation of mbedtls_ssl_write(). Suggested by 2237 Paul Sokolovsky in #1356. 2238 * Add an option in the Makefile to support ar utilities where the operation 2239 letter must not be prefixed by '-', such as LLVM. Found and fixed by 2240 Alex Hixon. 2241 * Allow configuring the shared library extension by setting the DLEXT 2242 environment variable when using the project makefiles. 2243 * Optimize unnecessary zeroing in mbedtls_mpi_copy. Based on a contribution 2244 by Alexey Skalozub in #405. 2245 * In the SSL module, when f_send, f_recv or f_recv_timeout report 2246 transmitting more than the required length, return an error. Raised by 2247 Sam O'Connor in #1245. 2248 * Improve robustness of mbedtls_ssl_derive_keys against the use of 2249 HMAC functions with non-HMAC ciphersuites. Independently contributed 2250 by Jiayuan Chen in #1377. Fixes #1437. 2251 * Improve security of RSA key generation by including criteria from 2252 FIPS 186-4. Contributed by Jethro Beekman. #1380 2253 * Declare functions in header files even when an alternative implementation 2254 of the corresponding module is activated by defining the corresponding 2255 MBEDTLS_XXX_ALT macro. This means that alternative implementations do 2256 not need to copy the declarations, and ensures that they will have the 2257 same API. 2258 * Add platform setup and teardown calls in test suites. 2259 2260= mbed TLS 2.8.0 branch released 2018-03-16 2261 2262Default behavior changes 2263 * The truncated HMAC extension now conforms to RFC 6066. This means 2264 that when both sides of a TLS connection negotiate the truncated 2265 HMAC extension, Mbed TLS can now interoperate with other 2266 compliant implementations, but this breaks interoperability with 2267 prior versions of Mbed TLS. To restore the old behavior, enable 2268 the (deprecated) option MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT in 2269 config.h. Found by Andreas Walz (ivESK, Offenburg University of 2270 Applied Sciences). 2271 2272Security 2273 * Fix implementation of the truncated HMAC extension. The previous 2274 implementation allowed an offline 2^80 brute force attack on the 2275 HMAC key of a single, uninterrupted connection (with no 2276 resumption of the session). 2277 * Verify results of RSA private key operations to defend 2278 against Bellcore glitch attack. 2279 * Fix a buffer overread in ssl_parse_server_key_exchange() that could cause 2280 a crash on invalid input. 2281 * Fix a buffer overread in ssl_parse_server_psk_hint() that could cause a 2282 crash on invalid input. 2283 * Fix CRL parsing to reject CRLs containing unsupported critical 2284 extensions. Found by Falko Strenzke and Evangelos Karatsiolis. 2285 2286Features 2287 * Extend PKCS#8 interface by introducing support for the entire SHA 2288 algorithms family when encrypting private keys using PKCS#5 v2.0. 2289 This allows reading encrypted PEM files produced by software that 2290 uses PBKDF2-SHA2, such as OpenSSL 1.1. Submitted by Antonio Quartulli, 2291 OpenVPN Inc. Fixes #1339 2292 * Add support for public keys encoded in PKCS#1 format. #1122 2293 2294New deprecations 2295 * Deprecate support for record compression (configuration option 2296 MBEDTLS_ZLIB_SUPPORT). 2297 2298Bugfix 2299 * Fix the name of a DHE parameter that was accidentally changed in 2.7.0. 2300 Fixes #1358. 2301 * Fix test_suite_pk to work on 64-bit ILP32 systems. #849 2302 * Fix mbedtls_x509_crt_profile_suiteb, which used to reject all certificates 2303 with flag MBEDTLS_X509_BADCERT_BAD_PK even when the key type was correct. 2304 In the context of SSL, this resulted in handshake failure. Reported by 2305 daniel in the Mbed TLS forum. #1351 2306 * Fix Windows x64 builds with the included mbedTLS.sln file. #1347 2307 * Fix setting version TLSv1 as minimal version, even if TLS 1 2308 is not enabled. Set MBEDTLS_SSL_MIN_MAJOR_VERSION 2309 and MBEDTLS_SSL_MIN_MINOR_VERSION instead of 2310 MBEDTLS_SSL_MAJOR_VERSION_3 and MBEDTLS_SSL_MINOR_VERSION_1. #664 2311 * Fix compilation error on Mingw32 when _TRUNCATE is defined. Use _TRUNCATE 2312 only if __MINGW32__ not defined. Fix suggested by Thomas Glanzmann and 2313 Nick Wilson on issue #355 2314 * In test_suite_pk, pass valid parameters when testing for hash length 2315 overflow. #1179 2316 * Fix memory allocation corner cases in memory_buffer_alloc.c module. Found 2317 by Guido Vranken. #639 2318 * Log correct number of ciphersuites used in Client Hello message. #918 2319 * Fix X509 CRT parsing that would potentially accept an invalid tag when 2320 parsing the subject alternative names. 2321 * Fix a possible arithmetic overflow in ssl_parse_server_key_exchange() 2322 that could cause a key exchange to fail on valid data. 2323 * Fix a possible arithmetic overflow in ssl_parse_server_psk_hint() that 2324 could cause a key exchange to fail on valid data. 2325 * Don't define mbedtls_aes_decrypt and mbedtls_aes_encrypt under 2326 MBEDTLS_DEPRECATED_REMOVED. #1388 2327 * Fix a 1-byte heap buffer overflow (read-only) during private key parsing. 2328 Found through fuzz testing. 2329 2330Changes 2331 * Fix tag lengths and value ranges in the documentation of CCM encryption. 2332 Contributed by Mathieu Briand. 2333 * Fix typo in a comment ctr_drbg.c. Contributed by Paul Sokolovsky. 2334 * Remove support for the library reference configuration for picocoin. 2335 * MD functions deprecated in 2.7.0 are no longer inline, to provide 2336 a migration path for those depending on the library's ABI. 2337 * Clarify the documentation of mbedtls_ssl_setup. 2338 * Use (void) when defining functions with no parameters. Contributed by 2339 Joris Aerts. #678 2340 2341= mbed TLS 2.7.0 branch released 2018-02-03 2342 2343Security 2344 * Fix a heap corruption issue in the implementation of the truncated HMAC 2345 extension. When the truncated HMAC extension is enabled and CBC is used, 2346 sending a malicious application packet could be used to selectively corrupt 2347 6 bytes on the peer's heap, which could potentially lead to crash or remote 2348 code execution. The issue could be triggered remotely from either side in 2349 both TLS and DTLS. CVE-2018-0488 2350 * Fix a buffer overflow in RSA-PSS verification when the hash was too large 2351 for the key size, which could potentially lead to crash or remote code 2352 execution. Found by Seth Terashima, Qualcomm Product Security Initiative, 2353 Qualcomm Technologies Inc. CVE-2018-0487 2354 * Fix buffer overflow in RSA-PSS verification when the unmasked data is all 2355 zeros. 2356 * Fix an unsafe bounds check in ssl_parse_client_psk_identity() when adding 2357 64 KiB to the address of the SSL buffer and causing a wrap around. 2358 * Fix a potential heap buffer overflow in mbedtls_ssl_write(). When the (by 2359 default enabled) maximum fragment length extension is disabled in the 2360 config and the application data buffer passed to mbedtls_ssl_write 2361 is larger than the internal message buffer (16384 bytes by default), the 2362 latter overflows. The exploitability of this issue depends on whether the 2363 application layer can be forced into sending such large packets. The issue 2364 was independently reported by Tim Nordell via e-mail and by Florin Petriuc 2365 and sjorsdewit on GitHub. Fix proposed by Florin Petriuc in #1022. 2366 Fixes #707. 2367 * Add a provision to prevent compiler optimizations breaking the time 2368 constancy of mbedtls_ssl_safer_memcmp(). 2369 * Ensure that buffers are cleared after use if they contain sensitive data. 2370 Changes were introduced in multiple places in the library. 2371 * Set PEM buffer to zero before freeing it, to avoid decoded private keys 2372 being leaked to memory after release. 2373 * Fix dhm_check_range() failing to detect trivial subgroups and potentially 2374 leaking 1 bit of the private key. Reported by prashantkspatil. 2375 * Make mbedtls_mpi_read_binary() constant-time with respect to the input 2376 data. Previously, trailing zero bytes were detected and omitted for the 2377 sake of saving memory, but potentially leading to slight timing 2378 differences. Reported by Marco Macchetti, Kudelski Group. 2379 * Wipe stack buffer temporarily holding EC private exponent 2380 after keypair generation. 2381 * Fix a potential heap buffer over-read in ALPN extension parsing 2382 (server-side). Could result in application crash, but only if an ALPN 2383 name larger than 16 bytes had been configured on the server. 2384 * Change default choice of DHE parameters from untrustworthy RFC 5114 2385 to RFC 3526 containing parameters generated in a nothing-up-my-sleeve 2386 manner. 2387 2388Features 2389 * Allow comments in test data files. 2390 * The selftest program can execute a subset of the tests based on command 2391 line arguments. 2392 * New unit tests for timing. Improve the self-test to be more robust 2393 when run on a heavily-loaded machine. 2394 * Add alternative implementation support for CCM and CMAC (MBEDTLS_CCM_ALT, 2395 MBEDTLS_CMAC_ALT). Submitted by Steven Cooreman, Silicon Labs. 2396 * Add support for alternative implementations of GCM, selected by the 2397 configuration flag MBEDTLS_GCM_ALT. 2398 * Add support for alternative implementations for ECDSA, controlled by new 2399 configuration flags MBEDTLS_ECDSA_SIGN_ALT, MBEDTLS_ECDSA_VERIFY_ALT and 2400 MBEDTLS_ECDSDA_GENKEY_AT in config.h. 2401 The following functions from the ECDSA module can be replaced 2402 with alternative implementation: 2403 mbedtls_ecdsa_sign(), mbedtls_ecdsa_verify() and mbedtls_ecdsa_genkey(). 2404 * Add support for alternative implementation of ECDH, controlled by the 2405 new configuration flags MBEDTLS_ECDH_COMPUTE_SHARED_ALT and 2406 MBEDTLS_ECDH_GEN_PUBLIC_ALT in config.h. 2407 The following functions from the ECDH module can be replaced 2408 with an alternative implementation: 2409 mbedtls_ecdh_gen_public() and mbedtls_ecdh_compute_shared(). 2410 * Add support for alternative implementation of ECJPAKE, controlled by 2411 the new configuration flag MBEDTLS_ECJPAKE_ALT. 2412 * Add mechanism to provide alternative implementation of the DHM module. 2413 2414API Changes 2415 * Extend RSA interface by multiple functions allowing structure- 2416 independent setup and export of RSA contexts. Most notably, 2417 mbedtls_rsa_import() and mbedtls_rsa_complete() are introduced for setting 2418 up RSA contexts from partial key material and having them completed to the 2419 needs of the implementation automatically. This allows to setup private RSA 2420 contexts from keys consisting of N,D,E only, even if P,Q are needed for the 2421 purpose or CRT and/or blinding. 2422 * The configuration option MBEDTLS_RSA_ALT can be used to define alternative 2423 implementations of the RSA interface declared in rsa.h. 2424 * The following functions in the message digest modules (MD2, MD4, MD5, 2425 SHA1, SHA256, SHA512) have been deprecated and replaced as shown below. 2426 The new functions change the return type from void to int to allow 2427 returning error codes when using MBEDTLS_<MODULE>_ALT. 2428 mbedtls_<MODULE>_starts() -> mbedtls_<MODULE>_starts_ret() 2429 mbedtls_<MODULE>_update() -> mbedtls_<MODULE>_update_ret() 2430 mbedtls_<MODULE>_finish() -> mbedtls_<MODULE>_finish_ret() 2431 mbedtls_<MODULE>_process() -> mbedtls_internal_<MODULE>_process() 2432 2433New deprecations 2434 * Deprecate usage of RSA primitives with non-matching key-type 2435 (e.g. signing with a public key). 2436 * Direct manipulation of structure fields of RSA contexts is deprecated. 2437 Users are advised to use the extended RSA API instead. 2438 * Deprecate usage of message digest functions that return void 2439 (mbedtls_<MODULE>_starts, mbedtls_<MODULE>_update, 2440 mbedtls_<MODULE>_finish and mbedtls_<MODULE>_process where <MODULE> is 2441 any of MD2, MD4, MD5, SHA1, SHA256, SHA512) in favor of functions 2442 that can return an error code. 2443 * Deprecate untrustworthy DHE parameters from RFC 5114. Superseded by 2444 parameters from RFC 3526 or the newly added parameters from RFC 7919. 2445 * Deprecate hex string DHE constants MBEDTLS_DHM_RFC3526_MODP_2048_P etc. 2446 Supserseded by binary encoded constants MBEDTLS_DHM_RFC3526_MODP_2048_P_BIN 2447 etc. 2448 * Deprecate mbedtls_ssl_conf_dh_param() for setting default DHE parameters 2449 from hex strings. Superseded by mbedtls_ssl_conf_dh_param_bin() 2450 accepting DHM parameters in binary form, matching the new constants. 2451 2452Bugfix 2453 * Fix ssl_parse_record_header() to silently discard invalid DTLS records 2454 as recommended in RFC 6347 Section 4.1.2.7. 2455 * Fix memory leak in mbedtls_ssl_set_hostname() when called multiple times. 2456 Found by projectgus and Jethro Beekman, #836. 2457 * Fix usage help in ssl_server2 example. Found and fixed by Bei Lin. 2458 * Parse signature algorithm extension when renegotiating. Previously, 2459 renegotiated handshakes would only accept signatures using SHA-1 2460 regardless of the peer's preferences, or fail if SHA-1 was disabled. 2461 * Fix leap year calculation in x509_date_is_valid() to ensure that invalid 2462 dates on leap years with 100 and 400 intervals are handled correctly. Found 2463 by Nicholas Wilson. #694 2464 * Fix some invalid RSA-PSS signatures with keys of size 8N+1 that were 2465 accepted. Generating these signatures required the private key. 2466 * Fix out-of-memory problem when parsing 4096-bit PKCS8-encrypted RSA keys. 2467 Found independently by Florian in the mbed TLS forum and by Mishamax. 2468 #878, #1019. 2469 * Fix variable used before assignment compilation warnings with IAR 2470 toolchain. Found by gkerrien38. 2471 * Fix unchecked return codes from AES, DES and 3DES functions in 2472 pem_aes_decrypt(), pem_des_decrypt() and pem_des3_decrypt() respectively. 2473 If a call to one of the functions of the cryptographic primitive modules 2474 failed, the error may not be noticed by the function 2475 mbedtls_pem_read_buffer() causing it to return invalid values. Found by 2476 Guido Vranken. #756 2477 * Include configuration file in md.h, to fix compilation warnings. 2478 Reported by aaronmdjones in #1001 2479 * Correct extraction of signature-type from PK instance in X.509 CRT and CSR 2480 writing routines that prevented these functions to work with alternative 2481 RSA implementations. Raised by J.B. in the Mbed TLS forum. Fixes #1011. 2482 * Don't print X.509 version tag for v1 CRT's, and omit extensions for 2483 non-v3 CRT's. 2484 * Fix bugs in RSA test suite under MBEDTLS_NO_PLATFORM_ENTROPY. #1023 #1024 2485 * Fix net_would_block() to avoid modification by errno through fcntl() call. 2486 Found by nkolban. Fixes #845. 2487 * Fix handling of handshake messages in mbedtls_ssl_read() in case 2488 MBEDTLS_SSL_RENEGOTIATION is disabled. Found by erja-gp. 2489 * Add a check for invalid private parameters in mbedtls_ecdsa_sign(). 2490 Reported by Yolan Romailler. 2491 * Fix word size check in in pk.c to not depend on MBEDTLS_HAVE_INT64. 2492 * Fix incorrect unit in benchmark output. #850 2493 * Add size-checks for record and handshake message content, securing 2494 fragile yet non-exploitable code-paths. 2495 * Fix crash when calling mbedtls_ssl_cache_free() twice. Found by 2496 MilenkoMitrovic, #1104 2497 * Fix mbedtls_timing_alarm(0) on Unix and MinGW. 2498 * Fix use of uninitialized memory in mbedtls_timing_get_timer() when reset=1. 2499 * Fix possible memory leaks in mbedtls_gcm_self_test(). 2500 * Added missing return code checks in mbedtls_aes_self_test(). 2501 * Fix issues in RSA key generation program programs/x509/rsa_genkey and the 2502 RSA test suite where the failure of CTR DRBG initialization lead to 2503 freeing an RSA context and several MPI's without proper initialization 2504 beforehand. 2505 * Fix error message in programs/pkey/gen_key.c. Found and fixed by Chris Xue. 2506 * Fix programs/pkey/dh_server.c so that it actually works with dh_client.c. 2507 Found and fixed by Martijn de Milliano. 2508 * Fix an issue in the cipher decryption with the mode 2509 MBEDTLS_PADDING_ONE_AND_ZEROS that sometimes accepted invalid padding. 2510 Note, this padding mode is not used by the TLS protocol. Found and fixed by 2511 Micha Kraus. 2512 * Fix the entropy.c module to not call mbedtls_sha256_starts() or 2513 mbedtls_sha512_starts() in the mbedtls_entropy_init() function. 2514 * Fix the entropy.c module to ensure that mbedtls_sha256_init() or 2515 mbedtls_sha512_init() is called before operating on the relevant context 2516 structure. Do not assume that zeroizing a context is a correct way to 2517 reset it. Found independently by ccli8 on Github. 2518 * In mbedtls_entropy_free(), properly free the message digest context. 2519 * Fix status handshake status message in programs/ssl/dtls_client.c. Found 2520 and fixed by muddog. 2521 2522Changes 2523 * Extend cert_write example program by options to set the certificate version 2524 and the message digest. Further, allow enabling/disabling of authority 2525 identifier, subject identifier and basic constraints extensions. 2526 * Only check for necessary RSA structure fields in `mbedtls_rsa_private`. In 2527 particular, don't require P,Q if neither CRT nor blinding are 2528 used. Reported and fix proposed independently by satur9nine and sliai 2529 on GitHub. 2530 * Only run AES-192 self-test if AES-192 is available. Fixes #963. 2531 * Tighten the RSA PKCS#1 v1.5 signature verification code and remove the 2532 undeclared dependency of the RSA module on the ASN.1 module. 2533 * Update all internal usage of deprecated message digest functions to the 2534 new ones with return codes. In particular, this modifies the 2535 mbedtls_md_info_t structure. Propagate errors from these functions 2536 everywhere except some locations in the ssl_tls.c module. 2537 * Improve CTR_DRBG error handling by propagating underlying AES errors. 2538 * Add MBEDTLS_ERR_XXX_HW_ACCEL_FAILED error codes for all cryptography 2539 modules where the software implementation can be replaced by a hardware 2540 implementation. 2541 * Add explicit warnings for the use of MD2, MD4, MD5, SHA-1, DES and ARC4 2542 throughout the library. 2543 2544= mbed TLS 2.6.0 branch released 2017-08-10 2545 2546Security 2547 * Fix authentication bypass in SSL/TLS: when authmode is set to optional, 2548 mbedtls_ssl_get_verify_result() would incorrectly return 0 when the peer's 2549 X.509 certificate chain had more than MBEDTLS_X509_MAX_INTERMEDIATE_CA 2550 (default: 8) intermediates, even when it was not trusted. This could be 2551 triggered remotely from either side. (With authmode set to 'required' 2552 (the default), the handshake was correctly aborted). 2553 * Reliably wipe sensitive data after use in the AES example applications 2554 programs/aes/aescrypt2 and programs/aes/crypt_and_hash. 2555 Found by Laurent Simon. 2556 2557Features 2558 * Add the functions mbedtls_platform_setup() and mbedtls_platform_teardown() 2559 and the context struct mbedtls_platform_context to perform 2560 platform-specific setup and teardown operations. The macro 2561 MBEDTLS_PLATFORM_SETUP_TEARDOWN_ALT allows the functions to be overridden 2562 by the user in a platform_alt.h file. These new functions are required in 2563 some embedded environments to provide a means of initialising underlying 2564 cryptographic acceleration hardware. 2565 2566API Changes 2567 * Reverted API/ABI breaking changes introduced in mbed TLS 2.5.1, to make the 2568 API consistent with mbed TLS 2.5.0. Specifically removed the inline 2569 qualifier from the functions mbedtls_aes_decrypt, mbedtls_aes_encrypt, 2570 mbedtls_ssl_ciphersuite_uses_ec and mbedtls_ssl_ciphersuite_uses_psk. Found 2571 by James Cowgill. #978 2572 * Certificate verification functions now set flags to -1 in case the full 2573 chain was not verified due to an internal error (including in the verify 2574 callback) or chain length limitations. 2575 * With authmode set to optional, the TLS handshake is now aborted if the 2576 verification of the peer's certificate failed due to an overlong chain or 2577 a fatal error in the verify callback. 2578 2579Bugfix 2580 * Add a check if iv_len is zero in GCM, and return an error if it is zero. 2581 Reported by roberto. #716 2582 * Replace preprocessor condition from #if defined(MBEDTLS_THREADING_PTHREAD) 2583 to #if defined(MBEDTLS_THREADING_C) as the library cannot assume they will 2584 always be implemented by pthread support. #696 2585 * Fix a resource leak on Windows platforms in mbedtls_x509_crt_parse_path(), 2586 in the case of an error. Found by redplait. #590 2587 * Add MBEDTLS_MPI_CHK to check for error value of mbedtls_mpi_fill_random. 2588 Reported and fix suggested by guidovranken. #740 2589 * Fix conditional preprocessor directives in bignum.h to enable 64-bit 2590 compilation when using ARM Compiler 6. 2591 * Fix a potential integer overflow in the version verification for DER 2592 encoded X.509 CRLs. The overflow could enable maliciously constructed CRLs 2593 to bypass the version verification check. Found by Peng Li/Yueh-Hsun Lin, 2594 KNOX Security, Samsung Research America 2595 * Fix potential integer overflow in the version verification for DER 2596 encoded X.509 CSRs. The overflow could enable maliciously constructed CSRs 2597 to bypass the version verification check. Found by Peng Li/Yueh-Hsun Lin, 2598 KNOX Security, Samsung Research America 2599 * Fix a potential integer overflow in the version verification for DER 2600 encoded X.509 certificates. The overflow could enable maliciously 2601 constructed certificates to bypass the certificate verification check. 2602 * Fix a call to the libc function time() to call the platform abstraction 2603 function mbedtls_time() instead. Found by wairua. #666 2604 * Avoid shadowing of time and index functions through mbed TLS function 2605 arguments. Found by inestlerode. #557. 2606 2607Changes 2608 * Added config.h option MBEDTLS_NO_UDBL_DIVISION, to prevent the use of 2609 64-bit division. This is useful on embedded platforms where 64-bit division 2610 created a dependency on external libraries. #708 2611 * Removed mutexes from ECP hardware accelerator code. Now all hardware 2612 accelerator code in the library leaves concurrency handling to the 2613 platform. Reported by Steven Cooreman. #863 2614 * Define the macro MBEDTLS_AES_ROM_TABLES in the configuration file 2615 config-no-entropy.h to reduce the RAM footprint. 2616 * Added a test script that can be hooked into git that verifies commits 2617 before they are pushed. 2618 * Improve documentation of PKCS1 decryption functions. 2619 2620= mbed TLS 2.5.1 released 2017-06-21 2621 2622Security 2623 * Fixed unlimited overread of heap-based buffer in mbedtls_ssl_read(). 2624 The issue could only happen client-side with renegotiation enabled. 2625 Could result in DoS (application crash) or information leak 2626 (if the application layer sent data read from mbedtls_ssl_read() 2627 back to the server or to a third party). Can be triggered remotely. 2628 * Removed SHA-1 and RIPEMD-160 from the default hash algorithms for 2629 certificate verification. SHA-1 can be turned back on with a compile-time 2630 option if needed. 2631 * Fixed offset in FALLBACK_SCSV parsing that caused TLS server to fail to 2632 detect it sometimes. Reported by Hugo Leisink. #810 2633 * Tighten parsing of RSA PKCS#1 v1.5 signatures, to avoid a 2634 potential Bleichenbacher/BERserk-style attack. 2635 2636Bugfix 2637 * Remove size zero arrays from ECJPAKE test suite. Size zero arrays are not 2638 valid C and they prevented the test from compiling in Visual Studio 2015 2639 and with GCC using the -Wpedantic compilation option. 2640 * Fix insufficient support for signature-hash-algorithm extension, 2641 resulting in compatibility problems with Chrome. Found by hfloyrd. #823 2642 * Fix behaviour that hid the original cause of fatal alerts in some cases 2643 when sending the alert failed. The fix makes sure not to hide the error 2644 that triggered the alert. 2645 * Fix SSLv3 renegotiation behaviour and stop processing data received from 2646 peer after sending a fatal alert to refuse a renegotiation attempt. 2647 Previous behaviour was to keep processing data even after the alert has 2648 been sent. 2649 * Accept empty trusted CA chain in authentication mode 2650 MBEDTLS_SSL_VERIFY_OPTIONAL. Found by Jethro Beekman. #864 2651 * Fix implementation of mbedtls_ssl_parse_certificate() to not annihilate 2652 fatal errors in authentication mode MBEDTLS_SSL_VERIFY_OPTIONAL and to 2653 reflect bad EC curves within verification result. 2654 * Fix bug that caused the modular inversion function to accept the invalid 2655 modulus 1 and therefore to hang. Found by blaufish. #641. 2656 * Fix incorrect sign computation in modular exponentiation when the base is 2657 a negative MPI. Previously the result was always negative. Found by Guido 2658 Vranken. 2659 * Fix a numerical underflow leading to stack overflow in mpi_read_file() 2660 that was triggered uppon reading an empty line. Found by Guido Vranken. 2661 2662Changes 2663 * Send fatal alerts in more cases. The previous behaviour was to skip 2664 sending the fatal alert and just drop the connection. 2665 * Clarify ECDSA documentation and improve the sample code to avoid 2666 misunderstanding and potentially dangerous use of the API. Pointed out 2667 by Jean-Philippe Aumasson. 2668 2669= mbed TLS 2.5.0 branch released 2017-05-17 2670 2671Security 2672 * Wipe stack buffers in RSA private key operations 2673 (rsa_rsaes_pkcs1_v15_decrypt(), rsa_rsaes_oaep_decrypt). Found by Laurent 2674 Simon. 2675 * Add exponent blinding to RSA private operations as a countermeasure 2676 against side-channel attacks like the cache attack described in 2677 https://arxiv.org/abs/1702.08719v2. 2678 Found and fix proposed by Michael Schwarz, Samuel Weiser, Daniel Gruss, 2679 Clémentine Maurice and Stefan Mangard. 2680 2681Features 2682 * Add hardware acceleration support for the Elliptic Curve Point module. 2683 This involved exposing parts of the internal interface to enable 2684 replacing the core functions and adding and alternative, module level 2685 replacement support for enabling the extension of the interface. 2686 * Add a new configuration option to 'mbedtls_ssl_config' to enable 2687 suppressing the CA list in Certificate Request messages. The default 2688 behaviour has not changed, namely every configured CAs name is included. 2689 2690API Changes 2691 * The following functions in the AES module have been deprecated and replaced 2692 by the functions shown below. The new functions change the return type from 2693 void to int to allow returning error codes when using MBEDTLS_AES_ALT, 2694 MBEDTLS_AES_DECRYPT_ALT or MBEDTLS_AES_ENCRYPT_ALT. 2695 mbedtls_aes_decrypt() -> mbedtls_internal_aes_decrypt() 2696 mbedtls_aes_encrypt() -> mbedtls_internal_aes_encrypt() 2697 2698Bugfix 2699 * Remove macros from compat-1.3.h that correspond to deleted items from most 2700 recent versions of the library. Found by Kyle Keen. 2701 * Fixed issue in the Threading module that prevented mutexes from 2702 initialising. Found by sznaider. #667 #843 2703 * Add checks in the PK module for the RSA functions on 64-bit systems. 2704 The PK and RSA modules use different types for passing hash length and 2705 without these checks the type cast could lead to data loss. Found by Guido 2706 Vranken. 2707 2708= mbed TLS 2.4.2 branch released 2017-03-08 2709 2710Security 2711 * Add checks to prevent signature forgeries for very large messages while 2712 using RSA through the PK module in 64-bit systems. The issue was caused by 2713 some data loss when casting a size_t to an unsigned int value in the 2714 functions rsa_verify_wrap(), rsa_sign_wrap(), rsa_alt_sign_wrap() and 2715 mbedtls_pk_sign(). Found by Jean-Philippe Aumasson. 2716 * Fixed potential livelock during the parsing of a CRL in PEM format in 2717 mbedtls_x509_crl_parse(). A string containing a CRL followed by trailing 2718 characters after the footer could result in the execution of an infinite 2719 loop. The issue can be triggered remotely. Found by Greg Zaverucha, 2720 Microsoft. 2721 * Removed MD5 from the allowed hash algorithms for CertificateRequest and 2722 CertificateVerify messages, to prevent SLOTH attacks against TLS 1.2. 2723 Introduced by interoperability fix for #513. 2724 * Fixed a bug that caused freeing a buffer that was allocated on the stack, 2725 when verifying the validity of a key on secp224k1. This could be 2726 triggered remotely for example with a maliciously constructed certificate 2727 and potentially could lead to remote code execution on some platforms. 2728 Reported independently by rongsaws and Aleksandar Nikolic, Cisco Talos 2729 team. #569 CVE-2017-2784 2730 2731Bugfix 2732 * Fix output certificate verification flags set by x509_crt_verify_top() when 2733 traversing a chain of trusted CA. The issue would cause both flags, 2734 MBEDTLS_X509_BADCERT_NOT_TRUSTED and MBEDTLS_X509_BADCERT_EXPIRED, to be 2735 set when the verification conditions are not met regardless of the cause. 2736 Found by Harm Verhagen and inestlerode. #665 #561 2737 * Fix the redefinition of macro ssl_set_bio to an undefined symbol 2738 mbedtls_ssl_set_bio_timeout in compat-1.3.h, by removing it. 2739 Found by omlib-lin. #673 2740 * Fix unused variable/function compilation warnings in pem.c, x509_crt.c and 2741 x509_csr.c that are reported when building mbed TLS with a config.h that 2742 does not define MBEDTLS_PEM_PARSE_C. Found by omnium21. #562 2743 * Fix incorrect renegotiation condition in ssl_check_ctr_renegotiate() that 2744 would compare 64 bits of the record counter instead of 48 bits as indicated 2745 in RFC 6347 Section 4.3.1. This could cause the execution of the 2746 renegotiation routines at unexpected times when the protocol is DTLS. Found 2747 by wariua. #687 2748 * Fixed multiple buffer overreads in mbedtls_pem_read_buffer() when parsing 2749 the input string in PEM format to extract the different components. Found 2750 by Eyal Itkin. 2751 * Fixed potential arithmetic overflow in mbedtls_ctr_drbg_reseed() that could 2752 cause buffer bound checks to be bypassed. Found by Eyal Itkin. 2753 * Fixed potential arithmetic overflows in mbedtls_cipher_update() that could 2754 cause buffer bound checks to be bypassed. Found by Eyal Itkin. 2755 * Fixed potential arithmetic overflow in mbedtls_md2_update() that could 2756 cause buffer bound checks to be bypassed. Found by Eyal Itkin. 2757 * Fixed potential arithmetic overflow in mbedtls_base64_decode() that could 2758 cause buffer bound checks to be bypassed. Found by Eyal Itkin. 2759 * Fixed heap overreads in mbedtls_x509_get_time(). Found by Peng 2760 Li/Yueh-Hsun Lin, KNOX Security, Samsung Research America. 2761 * Fix potential memory leak in mbedtls_x509_crl_parse(). The leak was caused 2762 by missing calls to mbedtls_pem_free() in cases when a 2763 MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT error was encountered. Found and 2764 fix proposed by Guido Vranken. #722 2765 * Fixed the templates used to generate project and solution files for Visual 2766 Studio 2015 as well as the files themselves, to remove a build warning 2767 generated in Visual Studio 2015. Reported by Steve Valliere. #742 2768 * Fix a resource leak in ssl_cookie, when using MBEDTLS_THREADING_C. 2769 Raised and fix suggested by Alan Gillingham in the mbed TLS forum. #771 2770 * Fix 1 byte buffer overflow in mbedtls_mpi_write_string() when the MPI 2771 number to write in hexadecimal is negative and requires an odd number of 2772 digits. Found and fixed by Guido Vranken. 2773 * Fix unlisted DES configuration dependency in some pkparse test cases. Found 2774 by inestlerode. #555 2775 2776= mbed TLS 2.4.1 branch released 2016-12-13 2777 2778Changes 2779 * Update to CMAC test data, taken from - NIST Special Publication 800-38B - 2780 Recommendation for Block Cipher Modes of Operation: The CMAC Mode for 2781 Authentication – October 2016 2782 2783= mbed TLS 2.4.0 branch released 2016-10-17 2784 2785Security 2786 * Removed the MBEDTLS_SSL_AEAD_RANDOM_IV option, because it was not compliant 2787 with RFC-5116 and could lead to session key recovery in very long TLS 2788 sessions. "Nonce-Disrespecting Adversaries Practical Forgery Attacks on GCM in 2789 TLS" - H. Bock, A. Zauner, S. Devlin, J. Somorovsky, P. Jovanovic. 2790 https://eprint.iacr.org/2016/475.pdf 2791 * Fixed potential stack corruption in mbedtls_x509write_crt_der() and 2792 mbedtls_x509write_csr_der() when the signature is copied to the buffer 2793 without checking whether there is enough space in the destination. The 2794 issue cannot be triggered remotely. Found by Jethro Beekman. 2795 2796Features 2797 * Added support for CMAC for AES and 3DES and AES-CMAC-PRF-128, as defined by 2798 NIST SP 800-38B, RFC-4493 and RFC-4615. 2799 * Added hardware entropy selftest to verify that the hardware entropy source 2800 is functioning correctly. 2801 * Added a script to print build environment info for diagnostic use in test 2802 scripts, which is also now called by all.sh. 2803 * Added the macro MBEDTLS_X509_MAX_FILE_PATH_LEN that enables the user to 2804 configure the maximum length of a file path that can be buffered when 2805 calling mbedtls_x509_crt_parse_path(). 2806 * Added a configuration file config-no-entropy.h that configures the subset of 2807 library features that do not require an entropy source. 2808 * Added the macro MBEDTLS_ENTROPY_MIN_HARDWARE in config.h. This allows users 2809 to configure the minimum number of bytes for entropy sources using the 2810 mbedtls_hardware_poll() function. 2811 2812Bugfix 2813 * Fix for platform time abstraction to avoid dependency issues where a build 2814 may need time but not the standard C library abstraction, and added 2815 configuration consistency checks to check_config.h 2816 * Fix dependency issue in Makefile to allow parallel builds. 2817 * Fix incorrect handling of block lengths in crypt_and_hash.c sample program, 2818 when GCM is used. Found by udf2457. #441 2819 * Fix for key exchanges based on ECDH-RSA or ECDH-ECDSA which weren't 2820 enabled unless others were also present. Found by David Fernandez. #428 2821 * Fix for out-of-tree builds using CMake. Found by jwurzer, and fix based on 2822 a contribution from Tobias Tangemann. #541 2823 * Fixed cert_app.c sample program for debug output and for use when no root 2824 certificates are provided. 2825 * Fix conditional statement that would cause a 1 byte overread in 2826 mbedtls_asn1_get_int(). Found and fixed by Guido Vranken. #599 2827 * Fixed pthread implementation to avoid unintended double initialisations 2828 and double frees. Found by Niklas Amnebratt. 2829 * Fixed the sample applications gen_key.c, cert_req.c and cert_write.c for 2830 builds where the configuration MBEDTLS_PEM_WRITE_C is not defined. Found 2831 by inestlerode. #559. 2832 * Fix mbedtls_x509_get_sig() to update the ASN1 type in the mbedtls_x509_buf 2833 data structure until after error checks are successful. Found by 2834 subramanyam-c. #622 2835 * Fix documentation and implementation missmatch for function arguments of 2836 mbedtls_gcm_finish(). Found by cmiatpaar. #602 2837 * Guarantee that P>Q at RSA key generation. Found by inestlerode. #558 2838 * Fix potential byte overread when verifying malformed SERVER_HELLO in 2839 ssl_parse_hello_verify_request() for DTLS. Found by Guido Vranken. 2840 * Fix check for validity of date when parsing in mbedtls_x509_get_time(). 2841 Found by subramanyam-c. #626 2842 * Fix compatibility issue with Internet Explorer client authentication, 2843 where the limited hash choices prevented the client from sending its 2844 certificate. Found by teumas. #513 2845 * Fix compilation without MBEDTLS_SELF_TEST enabled. 2846 2847Changes 2848 * Extended test coverage of special cases, and added new timing test suite. 2849 * Removed self-tests from the basic-built-test.sh script, and added all 2850 missing self-tests to the test suites, to ensure self-tests are only 2851 executed once. 2852 * Added support for 3 and 4 byte lengths to mbedtls_asn1_write_len(). 2853 * Added support for a Yotta specific configuration file - 2854 through the symbol YOTTA_CFG_MBEDTLS_TARGET_CONFIG_FILE. 2855 * Added optimization for code space for X.509/OID based on configured 2856 features. Contributed by Aviv Palivoda. 2857 * Renamed source file library/net.c to library/net_sockets.c to avoid 2858 naming collision in projects which also have files with the common name 2859 net.c. For consistency, the corresponding header file, net.h, is marked as 2860 deprecated, and its contents moved to net_sockets.h. 2861 * Changed the strategy for X.509 certificate parsing and validation, to no 2862 longer disregard certificates with unrecognised fields. 2863 2864= mbed TLS 2.3.0 branch released 2016-06-28 2865 2866Security 2867 * Fix missing padding length check in mbedtls_rsa_rsaes_pkcs1_v15_decrypt 2868 required by PKCS1 v2.2 2869 * Fix potential integer overflow to buffer overflow in 2870 mbedtls_rsa_rsaes_pkcs1_v15_encrypt and mbedtls_rsa_rsaes_oaep_encrypt 2871 (not triggerable remotely in (D)TLS). 2872 * Fix a potential integer underflow to buffer overread in 2873 mbedtls_rsa_rsaes_oaep_decrypt. It is not triggerable remotely in 2874 SSL/TLS. 2875 2876Features 2877 * Support for platform abstraction of the standard C library time() 2878 function. 2879 2880Bugfix 2881 * Fix bug in mbedtls_mpi_add_mpi() that caused wrong results when the three 2882 arguments where the same (in-place doubling). Found and fixed by Janos 2883 Follath. #309 2884 * Fix potential build failures related to the 'apidoc' target, introduced 2885 in the previous patch release. Found by Robert Scheck. #390 #391 2886 * Fix issue in Makefile that prevented building using armar. #386 2887 * Fix memory leak that occurred only when ECJPAKE was enabled and ECDHE and 2888 ECDSA was disabled in config.h . The leak didn't occur by default. 2889 * Fix an issue that caused valid certificates to be rejected whenever an 2890 expired or not yet valid certificate was parsed before a valid certificate 2891 in the trusted certificate list. 2892 * Fix bug in mbedtls_x509_crt_parse that caused trailing extra data in the 2893 buffer after DER certificates to be included in the raw representation. 2894 * Fix issue that caused a hang when generating RSA keys of odd bitlength 2895 * Fix bug in mbedtls_rsa_rsaes_pkcs1_v15_encrypt that made null pointer 2896 dereference possible. 2897 * Fix issue that caused a crash if invalid curves were passed to 2898 mbedtls_ssl_conf_curves. #373 2899 * Fix issue in ssl_fork_server which was preventing it from functioning. #429 2900 * Fix memory leaks in test framework 2901 * Fix test in ssl-opt.sh that does not run properly with valgrind 2902 * Fix unchecked calls to mmbedtls_md_setup(). Fix by Brian Murray. #502 2903 2904Changes 2905 * On ARM platforms, when compiling with -O0 with GCC, Clang or armcc5, 2906 don't use the optimized assembly for bignum multiplication. This removes 2907 the need to pass -fomit-frame-pointer to avoid a build error with -O0. 2908 * Disabled SSLv3 in the default configuration. 2909 * Optimized mbedtls_mpi_zeroize() for MPI integer size. (Fix by Alexey 2910 Skalozub). 2911 * Fix non-compliance server extension handling. Extensions for SSLv3 are now 2912 ignored, as required by RFC6101. 2913 2914= mbed TLS 2.2.1 released 2016-01-05 2915 2916Security 2917 * Fix potential double free when mbedtls_asn1_store_named_data() fails to 2918 allocate memory. Only used for certificate generation, not triggerable 2919 remotely in SSL/TLS. Found by Rafał Przywara. #367 2920 * Disable MD5 handshake signatures in TLS 1.2 by default to prevent the 2921 SLOTH attack on TLS 1.2 server authentication (other attacks from the 2922 SLOTH paper do not apply to any version of mbed TLS or PolarSSL). 2923 https://www.mitls.org/pages/attacks/SLOTH 2924 2925Bugfix 2926 * Fix over-restrictive length limit in GCM. Found by Andreas-N. #362 2927 * Fix bug in certificate validation that caused valid chains to be rejected 2928 when the first intermediate certificate has pathLenConstraint=0. Found by 2929 Nicholas Wilson. Introduced in mbed TLS 2.2.0. #280 2930 * Removed potential leak in mbedtls_rsa_rsassa_pkcs1_v15_sign(), found by 2931 JayaraghavendranK. #372 2932 * Fix suboptimal handling of unexpected records that caused interop issues 2933 with some peers over unreliable links. Avoid dropping an entire DTLS 2934 datagram if a single record in a datagram is unexpected, instead only 2935 drop the record and look at subsequent records (if any are present) in 2936 the same datagram. Found by jeannotlapin. #345 2937 2938= mbed TLS 2.2.0 released 2015-11-04 2939 2940Security 2941 * Fix potential double free if mbedtls_ssl_conf_psk() is called more than 2942 once and some allocation fails. Cannot be forced remotely. Found by Guido 2943 Vranken, Intelworks. 2944 * Fix potential heap corruption on Windows when 2945 mbedtls_x509_crt_parse_path() is passed a path longer than 2GB. Cannot be 2946 triggered remotely. Found by Guido Vranken, Intelworks. 2947 * Fix potential buffer overflow in some asn1_write_xxx() functions. 2948 Cannot be triggered remotely unless you create X.509 certificates based 2949 on untrusted input or write keys of untrusted origin. Found by Guido 2950 Vranken, Intelworks. 2951 * The X509 max_pathlen constraint was not enforced on intermediate 2952 certificates. Found by Nicholas Wilson, fix and tests provided by 2953 Janos Follath. #280 and #319 2954 2955Features 2956 * Experimental support for EC J-PAKE as defined in Thread 1.0.0. 2957 Disabled by default as the specification might still change. 2958 * Added a key extraction callback to accees the master secret and key 2959 block. (Potential uses include EAP-TLS and Thread.) 2960 2961Bugfix 2962 * Self-signed certificates were not excluded from pathlen counting, 2963 resulting in some valid X.509 being incorrectly rejected. Found and fix 2964 provided by Janos Follath. #319 2965 * Fix build error with configurations where ECDHE-PSK is the only key 2966 exchange. Found and fix provided by Chris Hammond. #270 2967 * Fix build error with configurations where RSA, RSA-PSK, ECDH-RSA or 2968 ECHD-ECDSA if the only key exchange. Multiple reports. #310 2969 * Fixed a bug causing some handshakes to fail due to some non-fatal alerts 2970 not being properly ignored. Found by mancha and Kasom Koht-arsa, #308 2971 * mbedtls_x509_crt_verify(_with_profile)() now also checks the key type and 2972 size/curve against the profile. Before that, there was no way to set a 2973 minimum key size for end-entity certificates with RSA keys. Found by 2974 Matthew Page of Scannex Electronics Ltd. 2975 * Fix failures in MPI on Sparc(64) due to use of bad assembly code. 2976 Found by Kurt Danielson. #292 2977 * Fix typo in name of the extKeyUsage OID. Found by inestlerode, #314 2978 * Fix bug in ASN.1 encoding of booleans that caused generated CA 2979 certificates to be rejected by some applications, including OS X 2980 Keychain. Found and fixed by Jonathan Leroy, Inikup. 2981 2982Changes 2983 * Improved performance of mbedtls_ecp_muladd() when one of the scalars is 1 2984 or -1. 2985 2986= mbed TLS 2.1.2 released 2015-10-06 2987 2988Security 2989 * Added fix for CVE-2015-5291 to prevent heap corruption due to buffer 2990 overflow of the hostname or session ticket. Found by Guido Vranken, 2991 Intelworks. 2992 * Fix potential double-free if mbedtls_ssl_set_hs_psk() is called more than 2993 once in the same handhake and mbedtls_ssl_conf_psk() was used. 2994 Found and patch provided by Guido Vranken, Intelworks. Cannot be forced 2995 remotely. 2996 * Fix stack buffer overflow in pkcs12 decryption (used by 2997 mbedtls_pk_parse_key(file)() when the password is > 129 bytes. 2998 Found by Guido Vranken, Intelworks. Not triggerable remotely. 2999 * Fix potential buffer overflow in mbedtls_mpi_read_string(). 3000 Found by Guido Vranken, Intelworks. Not exploitable remotely in the context 3001 of TLS, but might be in other uses. On 32 bit machines, requires reading a 3002 string of close to or larger than 1GB to exploit; on 64 bit machines, would 3003 require reading a string of close to or larger than 2^62 bytes. 3004 * Fix potential random memory allocation in mbedtls_pem_read_buffer() 3005 on crafted PEM input data. Found and fix provided by Guido Vranken, 3006 Intelworks. Not triggerable remotely in TLS. Triggerable remotely if you 3007 accept PEM data from an untrusted source. 3008 * Fix possible heap buffer overflow in base64_encoded() when the input 3009 buffer is 512MB or larger on 32-bit platforms. Found by Guido Vranken, 3010 Intelworks. Not trigerrable remotely in TLS. 3011 * Fix potential double-free if mbedtls_conf_psk() is called repeatedly on 3012 the same mbedtls_ssl_config object and memory allocation fails. Found by 3013 Guido Vranken, Intelworks. Cannot be forced remotely. 3014 * Fix potential heap buffer overflow in servers that perform client 3015 authentication against a crafted CA cert. Cannot be triggered remotely 3016 unless you allow third parties to pick trust CAs for client auth. 3017 Found by Guido Vranken, Intelworks. 3018 3019Bugfix 3020 * Fix compile error in net.c with musl libc. Found and patch provided by 3021 zhasha (#278). 3022 * Fix macroization of 'inline' keyword when building as C++. (#279) 3023 3024Changes 3025 * Added checking of hostname length in mbedtls_ssl_set_hostname() to ensure 3026 domain names are compliant with RFC 1035. 3027 * Fixed paths for check_config.h in example config files. (Found by bachp) 3028 (#291) 3029 3030= mbed TLS 2.1.1 released 2015-09-17 3031 3032Security 3033 * Add countermeasure against Lenstra's RSA-CRT attack for PKCS#1 v1.5 3034 signatures. (Found by Florian Weimer, Red Hat.) 3035 https://securityblog.redhat.com/2015/09/02/factoring-rsa-keys-with-tls-perfect-forward-secrecy/ 3036 * Fix possible client-side NULL pointer dereference (read) when the client 3037 tries to continue the handshake after it failed (a misuse of the API). 3038 (Found and patch provided by Fabian Foerg, Gotham Digital Science using 3039 afl-fuzz.) 3040 3041Bugfix 3042 * Fix warning when using a 64bit platform. (found by embedthis) (#275) 3043 * Fix off-by-one error in parsing Supported Point Format extension that 3044 caused some handshakes to fail. 3045 3046Changes 3047 * Made X509 profile pointer const in mbedtls_ssl_conf_cert_profile() to allow 3048 use of mbedtls_x509_crt_profile_next. (found by NWilson) 3049 * When a client initiates a reconnect from the same port as a live 3050 connection, if cookie verification is available 3051 (MBEDTLS_SSL_DTLS_HELLO_VERIFY defined in config.h, and usable cookie 3052 callbacks set with mbedtls_ssl_conf_dtls_cookies()), this will be 3053 detected and mbedtls_ssl_read() will return 3054 MBEDTLS_ERR_SSL_CLIENT_RECONNECT - it is then possible to start a new 3055 handshake with the same context. (See RFC 6347 section 4.2.8.) 3056 3057= mbed TLS 2.1.0 released 2015-09-04 3058 3059Features 3060 * Added support for yotta as a build system. 3061 * Primary open source license changed to Apache 2.0 license. 3062 3063Bugfix 3064 * Fix segfault in the benchmark program when benchmarking DHM. 3065 * Fix build error with CMake and pre-4.5 versions of GCC (found by Hugo 3066 Leisink). 3067 * Fix bug when parsing a ServerHello without extensions (found by David 3068 Sears). 3069 * Fix bug in CMake lists that caused libmbedcrypto.a not to be installed 3070 (found by Benoit Lecocq). 3071 * Fix bug in Makefile that caused libmbedcrypto and libmbedx509 not to be 3072 installed (found by Rawi666). 3073 * Fix compile error with armcc 5 with --gnu option. 3074 * Fix bug in Makefile that caused programs not to be installed correctly 3075 (found by robotanarchy) (#232). 3076 * Fix bug in Makefile that prevented from installing without building the 3077 tests (found by robotanarchy) (#232). 3078 * Fix missing -static-libgcc when building shared libraries for Windows 3079 with make. 3080 * Fix link error when building shared libraries for Windows with make. 3081 * Fix error when loading libmbedtls.so. 3082 * Fix bug in mbedtls_ssl_conf_default() that caused the default preset to 3083 be always used (found by dcb314) (#235) 3084 * Fix bug in mbedtls_rsa_public() and mbedtls_rsa_private() that could 3085 result trying to unlock an unlocked mutex on invalid input (found by 3086 Fredrik Axelsson) (#257) 3087 * Fix -Wshadow warnings (found by hnrkp) (#240) 3088 * Fix memory corruption on client with overlong PSK identity, around 3089 SSL_MAX_CONTENT_LEN or higher - not triggerrable remotely (found by 3090 Aleksandrs Saveljevs) (#238) 3091 * Fix unused function warning when using MBEDTLS_MDx_ALT or 3092 MBEDTLS_SHAxxx_ALT (found by Henrik) (#239) 3093 * Fix memory corruption in pkey programs (found by yankuncheng) (#210) 3094 3095Changes 3096 * The PEM parser now accepts a trailing space at end of lines (#226). 3097 * It is now possible to #include a user-provided configuration file at the 3098 end of the default config.h by defining MBEDTLS_USER_CONFIG_FILE on the 3099 compiler's command line. 3100 * When verifying a certificate chain, if an intermediate certificate is 3101 trusted, no later cert is checked. (suggested by hannes-landeholm) 3102 (#220). 3103 * Prepend a "thread identifier" to debug messages (issue pointed out by 3104 Hugo Leisink) (#210). 3105 * Add mbedtls_ssl_get_max_frag_len() to query the current maximum fragment 3106 length. 3107 3108= mbed TLS 2.0.0 released 2015-07-13 3109 3110Features 3111 * Support for DTLS 1.0 and 1.2 (RFC 6347). 3112 * Ability to override core functions from MDx, SHAx, AES and DES modules 3113 with custom implementation (eg hardware accelerated), complementing the 3114 ability to override the whole module. 3115 * New server-side implementation of session tickets that rotate keys to 3116 preserve forward secrecy, and allows sharing across multiple contexts. 3117 * Added a concept of X.509 cerificate verification profile that controls 3118 which algorithms and key sizes (curves for ECDSA) are acceptable. 3119 * Expanded configurability of security parameters in the SSL module with 3120 mbedtls_ssl_conf_dhm_min_bitlen() and mbedtls_ssl_conf_sig_hashes(). 3121 * Introduced a concept of presets for SSL security-relevant configuration 3122 parameters. 3123 3124API Changes 3125 * The library has been split into libmbedcrypto, libmbedx509, libmbedtls. 3126 You now need to link to all of them if you use TLS for example. 3127 * All public identifiers moved to the mbedtls_* or MBEDTLS_* namespace. 3128 Some names have been further changed to make them more consistent. 3129 Migration helpers scripts/rename.pl and include/mbedtls/compat-1.3.h are 3130 provided. Full list of renamings in scripts/data_files/rename-1.3-2.0.txt 3131 * Renamings of fields inside structures, not covered by the previous list: 3132 mbedtls_cipher_info_t.key_length -> key_bitlen 3133 mbedtls_cipher_context_t.key_length -> key_bitlen 3134 mbedtls_ecp_curve_info.size -> bit_size 3135 * Headers are now found in the 'mbedtls' directory (previously 'polarssl'). 3136 * The following _init() functions that could return errors have 3137 been split into an _init() that returns void and another function that 3138 should generally be the first function called on this context after init: 3139 mbedtls_ssl_init() -> mbedtls_ssl_setup() 3140 mbedtls_ccm_init() -> mbedtls_ccm_setkey() 3141 mbedtls_gcm_init() -> mbedtls_gcm_setkey() 3142 mbedtls_hmac_drbg_init() -> mbedtls_hmac_drbg_seed(_buf)() 3143 mbedtls_ctr_drbg_init() -> mbedtls_ctr_drbg_seed() 3144 Note that for mbedtls_ssl_setup(), you need to be done setting up the 3145 ssl_config structure before calling it. 3146 * Most ssl_set_xxx() functions (all except ssl_set_bio(), ssl_set_hostname(), 3147 ssl_set_session() and ssl_set_client_transport_id(), plus 3148 ssl_legacy_renegotiation()) have been renamed to mbedtls_ssl_conf_xxx() 3149 (see rename.pl and compat-1.3.h above) and their first argument's type 3150 changed from ssl_context to ssl_config. 3151 * ssl_set_bio() changed signature (contexts merged, order switched, one 3152 additional callback for read-with-timeout). 3153 * The following functions have been introduced and must be used in callback 3154 implementations (SNI, PSK) instead of their *conf counterparts: 3155 mbedtls_ssl_set_hs_own_cert() 3156 mbedtls_ssl_set_hs_ca_chain() 3157 mbedtls_ssl_set_hs_psk() 3158 * mbedtls_ssl_conf_ca_chain() lost its last argument (peer_cn), now set 3159 using mbedtls_ssl_set_hostname(). 3160 * mbedtls_ssl_conf_session_cache() changed prototype (only one context 3161 pointer, parameters reordered). 3162 * On server, mbedtls_ssl_conf_session_tickets_cb() must now be used in 3163 place of mbedtls_ssl_conf_session_tickets() to enable session tickets. 3164 * The SSL debug callback gained two new arguments (file name, line number). 3165 * Debug modes were removed. 3166 * mbedtls_ssl_conf_truncated_hmac() now returns void. 3167 * mbedtls_memory_buffer_alloc_init() now returns void. 3168 * X.509 verification flags are now an uint32_t. Affect the signature of: 3169 mbedtls_ssl_get_verify_result() 3170 mbedtls_x509_ctr_verify_info() 3171 mbedtls_x509_crt_verify() (flags, f_vrfy -> needs to be updated) 3172 mbedtls_ssl_conf_verify() (f_vrfy -> needs to be updated) 3173 * The following functions changed prototype to avoid an in-out length 3174 parameter: 3175 mbedtls_base64_encode() 3176 mbedtls_base64_decode() 3177 mbedtls_mpi_write_string() 3178 mbedtls_dhm_calc_secret() 3179 * In the NET module, all "int" and "int *" arguments for file descriptors 3180 changed type to "mbedtls_net_context *". 3181 * net_accept() gained new arguments for the size of the client_ip buffer. 3182 * In the threading layer, mbedtls_mutex_init() and mbedtls_mutex_free() now 3183 return void. 3184 * ecdsa_write_signature() gained an additional md_alg argument and 3185 ecdsa_write_signature_det() was deprecated. 3186 * pk_sign() no longer accepts md_alg == POLARSSL_MD_NONE with ECDSA. 3187 * Last argument of x509_crt_check_key_usage() and 3188 mbedtls_x509write_crt_set_key_usage() changed from int to unsigned. 3189 * test_ca_list (from certs.h) is renamed to test_cas_pem and is only 3190 available if POLARSSL_PEM_PARSE_C is defined (it never worked without). 3191 * Test certificates in certs.c are no longer guaranteed to be nul-terminated 3192 strings; use the new *_len variables instead of strlen(). 3193 * Functions mbedtls_x509_xxx_parse(), mbedtls_pk_parse_key(), 3194 mbedtls_pk_parse_public_key() and mbedtls_dhm_parse_dhm() now expect the 3195 length parameter to include the terminating null byte for PEM input. 3196 * Signature of mpi_mul_mpi() changed to make the last argument unsigned 3197 * calloc() is now used instead of malloc() everywhere. API of platform 3198 layer and the memory_buffer_alloc module changed accordingly. 3199 (Thanks to Mansour Moufid for helping with the replacement.) 3200 * Change SSL_DISABLE_RENEGOTIATION config.h flag to SSL_RENEGOTIATION 3201 (support for renegotiation now needs explicit enabling in config.h). 3202 * Split MBEDTLS_HAVE_TIME into MBEDTLS_HAVE_TIME and MBEDTLS_HAVE_TIME_DATE 3203 in config.h 3204 * net_connect() and net_bind() have a new 'proto' argument to choose 3205 between TCP and UDP, using the macros NET_PROTO_TCP or NET_PROTO_UDP. 3206 Their 'port' argument type is changed to a string. 3207 * Some constness fixes 3208 3209Removals 3210 * Removed mbedtls_ecp_group_read_string(). Only named groups are supported. 3211 * Removed mbedtls_ecp_sub() and mbedtls_ecp_add(), use 3212 mbedtls_ecp_muladd(). 3213 * Removed individual mdX_hmac, shaX_hmac, mdX_file and shaX_file functions 3214 (use generic functions from md.h) 3215 * Removed mbedtls_timing_msleep(). Use mbedtls_net_usleep() or a custom 3216 waiting function. 3217 * Removed test DHM parameters from the test certs module. 3218 * Removed the PBKDF2 module (use PKCS5). 3219 * Removed POLARSSL_ERROR_STRERROR_BC (use mbedtls_strerror()). 3220 * Removed compat-1.2.h (helper for migrating from 1.2 to 1.3). 3221 * Removed openssl.h (very partial OpenSSL compatibility layer). 3222 * Configuration options POLARSSL_HAVE_LONGLONG was removed (now always on). 3223 * Configuration options POLARSSL_HAVE_INT8 and POLARSSL_HAVE_INT16 have 3224 been removed (compiler is required to support 32-bit operations). 3225 * Configuration option POLARSSL_HAVE_IPV6 was removed (always enabled). 3226 * Removed test program o_p_test, the script compat.sh does more. 3227 * Removed test program ssl_test, superseded by ssl-opt.sh. 3228 * Removed helper script active-config.pl 3229 3230New deprecations 3231 * md_init_ctx() is deprecated in favour of md_setup(), that adds a third 3232 argument (allowing memory savings if HMAC is not used) 3233 3234Semi-API changes (technically public, morally private) 3235 * Renamed a few headers to include _internal in the name. Those headers are 3236 not supposed to be included by users. 3237 * Changed md_info_t into an opaque structure (use md_get_xxx() accessors). 3238 * Changed pk_info_t into an opaque structure. 3239 * Changed cipher_base_t into an opaque structure. 3240 * Removed sig_oid2 and rename sig_oid1 to sig_oid in x509_crt and x509_crl. 3241 * x509_crt.key_usage changed from unsigned char to unsigned int. 3242 * Removed r and s from ecdsa_context 3243 * Removed mode from des_context and des3_context 3244 3245Default behavior changes 3246 * The default minimum TLS version is now TLS 1.0. 3247 * RC4 is now blacklisted by default in the SSL/TLS layer, and excluded from the 3248 default ciphersuite list returned by ssl_list_ciphersuites() 3249 * Support for receiving SSLv2 ClientHello is now disabled by default at 3250 compile time. 3251 * The default authmode for SSL/TLS clients is now REQUIRED. 3252 * Support for RSA_ALT contexts in the PK layer is now optional. Since is is 3253 enabled in the default configuration, this is only noticeable if using a 3254 custom config.h 3255 * Default DHM parameters server-side upgraded from 1024 to 2048 bits. 3256 * A minimum RSA key size of 2048 bits is now enforced during ceritificate 3257 chain verification. 3258 * Negotiation of truncated HMAC is now disabled by default on server too. 3259 * The following functions are now case-sensitive: 3260 mbedtls_cipher_info_from_string() 3261 mbedtls_ecp_curve_info_from_name() 3262 mbedtls_md_info_from_string() 3263 mbedtls_ssl_ciphersuite_from_string() 3264 mbedtls_version_check_feature() 3265 3266Requirement changes 3267 * The minimum MSVC version required is now 2010 (better C99 support). 3268 * The NET layer now unconditionnaly relies on getaddrinfo() and select(). 3269 * Compiler is required to support C99 types such as long long and uint32_t. 3270 3271API changes from the 1.4 preview branch 3272 * ssl_set_bio_timeout() was removed, split into mbedtls_ssl_set_bio() with 3273 new prototype, and mbedtls_ssl_set_read_timeout(). 3274 * The following functions now return void: 3275 mbedtls_ssl_conf_transport() 3276 mbedtls_ssl_conf_max_version() 3277 mbedtls_ssl_conf_min_version() 3278 * DTLS no longer hard-depends on TIMING_C, but uses a callback interface 3279 instead, see mbedtls_ssl_set_timer_cb(), with the Timing module providing 3280 an example implementation, see mbedtls_timing_delay_context and 3281 mbedtls_timing_set/get_delay(). 3282 * With UDP sockets, it is no longer necessary to call net_bind() again 3283 after a successful net_accept(). 3284 3285Changes 3286 * mbedtls_ctr_drbg_random() and mbedtls_hmac_drbg_random() are now 3287 thread-safe if MBEDTLS_THREADING_C is enabled. 3288 * Reduced ROM fooprint of SHA-256 and added an option to reduce it even 3289 more (at the expense of performance) MBEDTLS_SHA256_SMALLER. 3290 3291= mbed TLS 1.3 branch 3292 3293Security 3294 * With authmode set to SSL_VERIFY_OPTIONAL, verification of keyUsage and 3295 extendedKeyUsage on the leaf certificate was lost (results not accessible 3296 via ssl_get_verify_results()). 3297 * Add countermeasure against "Lucky 13 strikes back" cache-based attack, 3298 https://dl.acm.org/citation.cfm?id=2714625 3299 3300Features 3301 * Improve ECC performance by using more efficient doubling formulas 3302 (contributed by Peter Dettman). 3303 * Add x509_crt_verify_info() to display certificate verification results. 3304 * Add support for reading DH parameters with privateValueLength included 3305 (contributed by Daniel Kahn Gillmor). 3306 * Add support for bit strings in X.509 names (request by Fredrik Axelsson). 3307 * Add support for id-at-uniqueIdentifier in X.509 names. 3308 * Add support for overriding snprintf() (except on Windows) and exit() in 3309 the platform layer. 3310 * Add an option to use macros instead of function pointers in the platform 3311 layer (helps get rid of unwanted references). 3312 * Improved Makefiles for Windows targets by fixing library targets and making 3313 cross-compilation easier (thanks to Alon Bar-Lev). 3314 * The benchmark program also prints heap usage for public-key primitives 3315 if POLARSSL_MEMORY_BUFFER_ALLOC_C and POLARSSL_MEMORY_DEBUG are defined. 3316 * New script ecc-heap.sh helps measuring the impact of ECC parameters on 3317 speed and RAM (heap only for now) usage. 3318 * New script memory.sh helps measuring the ROM and RAM requirements of two 3319 reduced configurations (PSK-CCM and NSA suite B). 3320 * Add config flag POLARSSL_DEPRECATED_WARNING (off by default) to produce 3321 warnings on use of deprecated functions (with GCC and Clang only). 3322 * Add config flag POLARSSL_DEPRECATED_REMOVED (off by default) to produce 3323 errors on use of deprecated functions. 3324 3325Bugfix 3326 * Fix compile errors with PLATFORM_NO_STD_FUNCTIONS. 3327 * Fix compile error with PLATFORM_EXIT_ALT (thanks to Rafał Przywara). 3328 * Fix bug in entropy.c when THREADING_C is also enabled that caused 3329 entropy_free() to crash (thanks to Rafał Przywara). 3330 * Fix memory leak when gcm_setkey() and ccm_setkey() are used more than 3331 once on the same context. 3332 * Fix bug in ssl_mail_client when password is longer that username (found 3333 by Bruno Pape). 3334 * Fix undefined behaviour (memcmp( NULL, NULL, 0 );) in X.509 modules 3335 (detected by Clang's 3.6 UBSan). 3336 * mpi_size() and mpi_msb() would segfault when called on an mpi that is 3337 initialized but not set (found by pravic). 3338 * Fix detection of support for getrandom() on Linux (reported by syzzer) by 3339 doing it at runtime (using uname) rather that compile time. 3340 * Fix handling of symlinks by "make install" (found by Gaël PORTAY). 3341 * Fix potential NULL pointer dereference (not trigerrable remotely) when 3342 ssl_write() is called before the handshake is finished (introduced in 3343 1.3.10) (first reported by Martin Blumenstingl). 3344 * Fix bug in pk_parse_key() that caused some valid private EC keys to be 3345 rejected. 3346 * Fix bug in Via Padlock support (found by Nikos Mavrogiannopoulos). 3347 * Fix thread safety bug in RSA operations (found by Fredrik Axelsson). 3348 * Fix hardclock() (only used in the benchmarking program) with some 3349 versions of mingw64 (found by kxjhlele). 3350 * Fix warnings from mingw64 in timing.c (found by kxjklele). 3351 * Fix potential unintended sign extension in asn1_get_len() on 64-bit 3352 platforms. 3353 * Fix potential memory leak in ssl_set_psk() (found by Mansour Moufid). 3354 * Fix compile error when POLARSSL_SSL_DISABLE_RENEGOTATION and 3355 POLARSSL_SSL_SSESSION_TICKETS where both enabled in config.h (introduced 3356 in 1.3.10). 3357 * Add missing extern "C" guard in aesni.h (reported by amir zamani). 3358 * Add missing dependency on SHA-256 in some x509 programs (reported by 3359 Gergely Budai). 3360 * Fix bug related to ssl_set_curves(): the client didn't check that the 3361 curve picked by the server was actually allowed. 3362 3363Changes 3364 * Remove bias in mpi_gen_prime (contributed by Pascal Junod). 3365 * Remove potential sources of timing variations (some contributed by Pascal 3366 Junod). 3367 * Options POLARSSL_HAVE_INT8 and POLARSSL_HAVE_INT16 are deprecated. 3368 * Enabling POLARSSL_NET_C without POLARSSL_HAVE_IPV6 is deprecated. 3369 * compat-1.2.h and openssl.h are deprecated. 3370 * Adjusting/overriding CFLAGS and LDFLAGS with the make build system is now 3371 more flexible (warning: OFLAGS is not used any more) (see the README) 3372 (contributed by Alon Bar-Lev). 3373 * ssl_set_own_cert() no longer calls pk_check_pair() since the 3374 performance impact was bad for some users (this was introduced in 1.3.10). 3375 * Move from SHA-1 to SHA-256 in example programs using signatures 3376 (suggested by Thorsten Mühlfelder). 3377 * Remove some unneeded inclusions of header files from the standard library 3378 "minimize" others (eg use stddef.h if only size_t is needed). 3379 * Change #include lines in test files to use double quotes instead of angle 3380 brackets for uniformity with the rest of the code. 3381 * Remove dependency on sscanf() in X.509 parsing modules. 3382 3383= mbed TLS 1.3.10 released 2015-02-09 3384Security 3385 * NULL pointer dereference in the buffer-based allocator when the buffer is 3386 full and polarssl_free() is called (found by Mark Hasemeyer) 3387 (only possible if POLARSSL_MEMORY_BUFFER_ALLOC_C is enabled, which it is 3388 not by default). 3389 * Fix remotely-triggerable uninitialised pointer dereference caused by 3390 crafted X.509 certificate (TLS server is not affected if it doesn't ask for a 3391 client certificate) (found using Codenomicon Defensics). 3392 * Fix remotely-triggerable memory leak caused by crafted X.509 certificates 3393 (TLS server is not affected if it doesn't ask for a client certificate) 3394 (found using Codenomicon Defensics). 3395 * Fix potential stack overflow while parsing crafted X.509 certificates 3396 (TLS server is not affected if it doesn't ask for a client certificate) 3397 (found using Codenomicon Defensics). 3398 * Fix timing difference that could theoretically lead to a 3399 Bleichenbacher-style attack in the RSA and RSA-PSK key exchanges 3400 (reported by Sebastian Schinzel). 3401 3402Features 3403 * Add support for FALLBACK_SCSV (draft-ietf-tls-downgrade-scsv). 3404 * Add support for Extended Master Secret (draft-ietf-tls-session-hash). 3405 * Add support for Encrypt-then-MAC (RFC 7366). 3406 * Add function pk_check_pair() to test if public and private keys match. 3407 * Add x509_crl_parse_der(). 3408 * Add compile-time option POLARSSL_X509_MAX_INTERMEDIATE_CA to limit the 3409 length of an X.509 verification chain. 3410 * Support for renegotiation can now be disabled at compile-time 3411 * Support for 1/n-1 record splitting, a countermeasure against BEAST. 3412 * Certificate selection based on signature hash, preferring SHA-1 over SHA-2 3413 for pre-1.2 clients when multiple certificates are available. 3414 * Add support for getrandom() syscall on recent Linux kernels with Glibc or 3415 a compatible enough libc (eg uClibc). 3416 * Add ssl_set_arc4_support() to make it easier to disable RC4 at runtime 3417 while using the default ciphersuite list. 3418 * Added new error codes and debug messages about selection of 3419 ciphersuite/certificate. 3420 3421Bugfix 3422 * Stack buffer overflow if ctr_drbg_update() is called with too large 3423 add_len (found by Jean-Philippe Aumasson) (not triggerable remotely). 3424 * Possible buffer overflow of length at most POLARSSL_MEMORY_ALIGN_MULTIPLE 3425 if memory_buffer_alloc_init() was called with buf not aligned and len not 3426 a multiple of POLARSSL_MEMORY_ALIGN_MULTIPLE (not triggerable remotely). 3427 * User set CFLAGS were ignored by Cmake with gcc (introduced in 1.3.9, found 3428 by Julian Ospald). 3429 * Fix potential undefined behaviour in Camellia. 3430 * Fix potential failure in ECDSA signatures when POLARSSL_ECP_MAX_BITS is a 3431 multiple of 8 (found by Gergely Budai). 3432 * Fix unchecked return code in x509_crt_parse_path() on Windows (found by 3433 Peter Vaskovic). 3434 * Fix assembly selection for MIPS64 (thanks to James Cowgill). 3435 * ssl_get_verify_result() now works even if the handshake was aborted due 3436 to a failed verification (found by Fredrik Axelsson). 3437 * Skip writing and parsing signature_algorithm extension if none of the 3438 key exchanges enabled needs certificates. This fixes a possible interop 3439 issue with some servers when a zero-length extension was sent. (Reported 3440 by Peter Dettman.) 3441 * On a 0-length input, base64_encode() did not correctly set output length 3442 (found by Hendrik van den Boogaard). 3443 3444Changes 3445 * Use deterministic nonces for AEAD ciphers in TLS by default (possible to 3446 switch back to random with POLARSSL_SSL_AEAD_RANDOM_IV in config.h). 3447 * Blind RSA private operations even when POLARSSL_RSA_NO_CRT is defined. 3448 * ssl_set_own_cert() now returns an error on key-certificate mismatch. 3449 * Forbid repeated extensions in X.509 certificates. 3450 * debug_print_buf() now prints a text view in addition to hexadecimal. 3451 * A specific error is now returned when there are ciphersuites in common 3452 but none of them is usable due to external factors such as no certificate 3453 with a suitable (extended)KeyUsage or curve or no PSK set. 3454 * It is now possible to disable negotiation of truncated HMAC server-side 3455 at runtime with ssl_set_truncated_hmac(). 3456 * Example programs for SSL client and server now disable SSLv3 by default. 3457 * Example programs for SSL client and server now disable RC4 by default. 3458 * Use platform.h in all test suites and programs. 3459 3460= PolarSSL 1.3.9 released 2014-10-20 3461Security 3462 * Lowest common hash was selected from signature_algorithms extension in 3463 TLS 1.2 (found by Darren Bane) (introduced in 1.3.8). 3464 * Remotely-triggerable memory leak when parsing some X.509 certificates 3465 (server is not affected if it doesn't ask for a client certificate) 3466 (found using Codenomicon Defensics). 3467 * Remotely-triggerable memory leak when parsing crafted ClientHello 3468 (not affected if ECC support was compiled out) (found using Codenomicon 3469 Defensics). 3470 3471Bugfix 3472 * Support escaping of commas in x509_string_to_names() 3473 * Fix compile error in ssl_pthread_server (found by Julian Ospald). 3474 * Fix net_accept() regarding non-blocking sockets (found by Luca Pesce). 3475 * Don't print uninitialised buffer in ssl_mail_client (found by Marc Abel). 3476 * Fix warnings from Clang's scan-build (contributed by Alfred Klomp). 3477 * Fix compile error in timing.c when POLARSSL_NET_C and POLARSSL_SELFTEST 3478 are defined but not POLARSSL_HAVE_TIME (found by Stephane Di Vito). 3479 * Remove non-existent file from VS projects (found by Peter Vaskovic). 3480 * ssl_read() could return non-application data records on server while 3481 renegotation was pending, and on client when a HelloRequest was received. 3482 * Server-initiated renegotiation would fail with non-blocking I/O if the 3483 write callback returned WANT_WRITE when requesting renegotiation. 3484 * ssl_close_notify() could send more than one message in some circumstances 3485 with non-blocking I/O. 3486 * Fix compiler warnings on iOS (found by Sander Niemeijer). 3487 * x509_crt_parse() did not increase total_failed on PEM error 3488 * Fix compile error with armcc in mpi_is_prime() 3489 * Fix potential bad read in parsing ServerHello (found by Adrien 3490 Vialletelle). 3491 3492Changes 3493 * Ciphersuites using SHA-256 or SHA-384 now require TLS 1.x (there is no 3494 standard defining how to use SHA-2 with SSL 3.0). 3495 * Ciphersuites using RSA-PSK key exchange new require TLS 1.x (the spec is 3496 ambiguous on how to encode some packets with SSL 3.0). 3497 * Made buffer size in pk_write_(pub)key_pem() more dynamic, eg smaller if 3498 RSA is disabled, larger if POLARSSL_MPI_MAX_SIZE is larger. 3499 * ssl_read() now returns POLARSSL_ERR_NET_WANT_READ rather than 3500 POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE on harmless alerts. 3501 * POLARSSL_MPI_MAX_SIZE now defaults to 1024 in order to allow 8192 bits 3502 RSA keys. 3503 * Accept spaces at end of line or end of buffer in base64_decode(). 3504 * X.509 certificates with more than one AttributeTypeAndValue per 3505 RelativeDistinguishedName are not accepted any more. 3506 3507= PolarSSL 1.3.8 released 2014-07-11 3508Security 3509 * Fix length checking for AEAD ciphersuites (found by Codenomicon). 3510 It was possible to crash the server (and client) using crafted messages 3511 when a GCM suite was chosen. 3512 3513Features 3514 * Add CCM module and cipher mode to Cipher Layer 3515 * Support for CCM and CCM_8 ciphersuites 3516 * Support for parsing and verifying RSASSA-PSS signatures in the X.509 3517 modules (certificates, CRLs and CSRs). 3518 * Blowfish in the cipher layer now supports variable length keys. 3519 * Add example config.h for PSK with CCM, optimized for low RAM usage. 3520 * Optimize for RAM usage in example config.h for NSA Suite B profile. 3521 * Add POLARSSL_REMOVE_ARC4_CIPHERSUITES to allow removing RC4 ciphersuites 3522 from the default list (inactive by default). 3523 * Add server-side enforcement of sent renegotiation requests 3524 (ssl_set_renegotiation_enforced()) 3525 * Add SSL_CIPHERSUITES config.h flag to allow specifying a list of 3526 ciphersuites to use and save some memory if the list is small. 3527 3528Changes 3529 * Add LINK_WITH_PTHREAD option in CMake for explicit linking that is 3530 required on some platforms (e.g. OpenBSD) 3531 * Migrate zeroizing of data to polarssl_zeroize() instead of memset() 3532 against unwanted compiler optimizations 3533 * md_list() now returns hashes strongest first 3534 * Selection of hash for signing ServerKeyExchange in TLS 1.2 now picks 3535 strongest offered by client. 3536 * All public contexts have _init() and _free() functions now for simpler 3537 usage pattern 3538 3539Bugfix 3540 * Fix in debug_print_msg() 3541 * Enforce alignment in the buffer allocator even if buffer is not aligned 3542 * Remove less-than-zero checks on unsigned numbers 3543 * Stricter check on SSL ClientHello internal sizes compared to actual packet 3544 size (found by TrustInSoft) 3545 * Fix WSAStartup() return value check (found by Peter Vaskovic) 3546 * Other minor issues (found by Peter Vaskovic) 3547 * Fix symlink command for cross compiling with CMake (found by Andre 3548 Heinecke) 3549 * Fix DER output of gen_key app (found by Gergely Budai) 3550 * Very small records were incorrectly rejected when truncated HMAC was in 3551 use with some ciphersuites and versions (RC4 in all versions, CBC with 3552 versions < TLS 1.1). 3553 * Very large records using more than 224 bytes of padding were incorrectly 3554 rejected with CBC-based ciphersuites and TLS >= 1.1 3555 * Very large records using less padding could cause a buffer overread of up 3556 to 32 bytes with CBC-based ciphersuites and TLS >= 1.1 3557 * Restore ability to use a v1 cert as a CA if trusted locally. (This had 3558 been removed in 1.3.6.) 3559 * Restore ability to locally trust a self-signed cert that is not a proper 3560 CA for use as an end entity certificate. (This had been removed in 3561 1.3.6.) 3562 * Fix preprocessor checks for bn_mul PPC asm (found by Barry K. Nathan). 3563 * Use \n\t rather than semicolons for bn_mul asm, since some assemblers 3564 interpret semicolons as comment delimiters (found by Barry K. Nathan). 3565 * Fix off-by-one error in parsing Supported Point Format extension that 3566 caused some handshakes to fail. 3567 * Fix possible miscomputation of the premaster secret with DHE-PSK key 3568 exchange that caused some handshakes to fail with other implementations. 3569 (Failure rate <= 1/255 with common DHM moduli.) 3570 * Disable broken Sparc64 bn_mul assembly (found by Florian Obser). 3571 * Fix base64_decode() to return and check length correctly (in case of 3572 tight buffers) 3573 * Fix mpi_write_string() to write "00" as hex output for empty MPI (found 3574 by Hui Dong) 3575 3576= PolarSSL 1.3.7 released on 2014-05-02 3577Features 3578 * debug_set_log_mode() added to determine raw or full logging 3579 * debug_set_threshold() added to ignore messages over threshold level 3580 * version_check_feature() added to check for compile-time options at 3581 run-time 3582 3583Changes 3584 * POLARSSL_CONFIG_OPTIONS has been removed. All values are individually 3585 checked and filled in the relevant module headers 3586 * Debug module only outputs full lines instead of parts 3587 * Better support for the different Attribute Types from IETF PKIX (RFC 5280) 3588 * AES-NI now compiles with "old" assemblers too 3589 * Ciphersuites based on RC4 now have the lowest priority by default 3590 3591Bugfix 3592 * Only iterate over actual certificates in ssl_write_certificate_request() 3593 (found by Matthew Page) 3594 * Typos in platform.c and pkcs11.c (found by Daniel Phillips and Steffan 3595 Karger) 3596 * cert_write app should use subject of issuer certificate as issuer of cert 3597 * Fix false reject in padding check in ssl_decrypt_buf() for CBC 3598 ciphersuites, for full SSL frames of data. 3599 * Improve interoperability by not writing extension length in ClientHello / 3600 ServerHello when no extensions are present (found by Matthew Page) 3601 * rsa_check_pubkey() now allows an E up to N 3602 * On OpenBSD, use arc4random_buf() instead of rand() to prevent warnings 3603 * mpi_fill_random() was creating numbers larger than requested on 3604 big-endian platform when size was not an integer number of limbs 3605 * Fix dependencies issues in X.509 test suite. 3606 * Some parts of ssl_tls.c were compiled even when the module was disabled. 3607 * Fix detection of DragonflyBSD in net.c (found by Markus Pfeiffer) 3608 * Fix detection of Clang on some Apple platforms with CMake 3609 (found by Barry K. Nathan) 3610 3611= PolarSSL 1.3.6 released on 2014-04-11 3612 3613Features 3614 * Support for the ALPN SSL extension 3615 * Add option 'use_dev_random' to gen_key application 3616 * Enable verification of the keyUsage extension for CA and leaf 3617 certificates (POLARSSL_X509_CHECK_KEY_USAGE) 3618 * Enable verification of the extendedKeyUsage extension 3619 (POLARSSL_X509_CHECK_EXTENDED_KEY_USAGE) 3620 3621Changes 3622 * x509_crt_info() now prints information about parsed extensions as well 3623 * pk_verify() now returns a specific error code when the signature is valid 3624 but shorter than the supplied length. 3625 * Use UTC time to check certificate validity. 3626 * Reject certificates with times not in UTC, per RFC 5280. 3627 3628Security 3629 * Avoid potential timing leak in ecdsa_sign() by blinding modular division. 3630 (Found by Watson Ladd.) 3631 * The notAfter date of some certificates was no longer checked since 1.3.5. 3632 This affects certificates in the user-supplied chain except the top 3633 certificate. If the user-supplied chain contains only one certificates, 3634 it is not affected (ie, its notAfter date is properly checked). 3635 * Prevent potential NULL pointer dereference in ssl_read_record() (found by 3636 TrustInSoft) 3637 3638Bugfix 3639 * The length of various ClientKeyExchange messages was not properly checked. 3640 * Some example server programs were not sending the close_notify alert. 3641 * Potential memory leak in mpi_exp_mod() when error occurs during 3642 calculation of RR. 3643 * Fixed malloc/free default #define in platform.c (found by Gergely Budai). 3644 * Fixed type which made POLARSSL_ENTROPY_FORCE_SHA256 uneffective (found by 3645 Gergely Budai). 3646 * Fix #include path in ecdsa.h which wasn't accepted by some compilers. 3647 (found by Gergely Budai) 3648 * Fix compile errors when POLARSSL_ERROR_STRERROR_BC is undefined (found by 3649 Shuo Chen). 3650 * oid_get_numeric_string() used to truncate the output without returning an 3651 error if the output buffer was just 1 byte too small. 3652 * dhm_parse_dhm() (hence dhm_parse_dhmfile()) did not set dhm->len. 3653 * Calling pk_debug() on an RSA-alt key would segfault. 3654 * pk_get_size() and pk_get_len() were off by a factor 8 for RSA-alt keys. 3655 * Potential buffer overwrite in pem_write_buffer() because of low length 3656 indication (found by Thijs Alkemade) 3657 * EC curves constants, which should be only in ROM since 1.3.3, were also 3658 stored in RAM due to missing 'const's (found by Gergely Budai). 3659 3660= PolarSSL 1.3.5 released on 2014-03-26 3661Features 3662 * HMAC-DRBG as a separate module 3663 * Option to set the Curve preference order (disabled by default) 3664 * Single Platform compatilibity layer (for memory / printf / fprintf) 3665 * Ability to provide alternate timing implementation 3666 * Ability to force the entropy module to use SHA-256 as its basis 3667 (POLARSSL_ENTROPY_FORCE_SHA256) 3668 * Testing script ssl-opt.sh added for testing 'live' ssl option 3669 interoperability against OpenSSL and PolarSSL 3670 * Support for reading EC keys that use SpecifiedECDomain in some cases. 3671 * Entropy module now supports seed writing and reading 3672 3673Changes 3674 * Deprecated the Memory layer 3675 * entropy_add_source(), entropy_update_manual() and entropy_gather() 3676 now thread-safe if POLARSSL_THREADING_C defined 3677 * Improvements to the CMake build system, contributed by Julian Ospald. 3678 * Work around a bug of the version of Clang shipped by Apple with Mavericks 3679 that prevented bignum.c from compiling. (Reported by Rafael Baptista.) 3680 * Revamped the compat.sh interoperatibility script to include support for 3681 testing against GnuTLS 3682 * Deprecated ssl_set_own_cert_rsa() and ssl_set_own_cert_rsa_alt() 3683 * Improvements to tests/Makefile, contributed by Oden Eriksson. 3684 3685Security 3686 * Forbid change of server certificate during renegotiation to prevent 3687 "triple handshake" attack when authentication mode is 'optional' (the 3688 attack was already impossible when authentication is required). 3689 * Check notBefore timestamp of certificates and CRLs from the future. 3690 * Forbid sequence number wrapping 3691 * Fixed possible buffer overflow with overlong PSK 3692 * Possible remotely-triggered out-of-bounds memory access fixed (found by 3693 TrustInSoft) 3694 3695Bugfix 3696 * ecp_gen_keypair() does more tries to prevent failure because of 3697 statistics 3698 * Fixed bug in RSA PKCS#1 v1.5 "reversed" operations 3699 * Fixed testing with out-of-source builds using cmake 3700 * Fixed version-major intolerance in server 3701 * Fixed CMake symlinking on out-of-source builds 3702 * Fixed dependency issues in test suite 3703 * Programs rsa_sign_pss and rsa_verify_pss were not using PSS since 1.3.0 3704 * Bignum's MIPS-32 assembly was used on MIPS-64, causing chaos. (Found by 3705 Alex Wilson.) 3706 * ssl_cache was creating entries when max_entries=0 if TIMING_C was enabled. 3707 * m_sleep() was sleeping twice too long on most Unix platforms. 3708 * Fixed bug with session tickets and non-blocking I/O in the unlikely case 3709 send() would return an EAGAIN error when sending the ticket. 3710 * ssl_cache was leaking memory when reusing a timed out entry containing a 3711 client certificate. 3712 * ssl_srv was leaking memory when client presented a timed out ticket 3713 containing a client certificate 3714 * ssl_init() was leaving a dirty pointer in ssl_context if malloc of 3715 out_ctr failed 3716 * ssl_handshake_init() was leaving dirty pointers in subcontexts if malloc 3717 of one of them failed 3718 * Fix typo in rsa_copy() that impacted PKCS#1 v2 contexts 3719 * x509_get_current_time() uses localtime_r() to prevent thread issues 3720 3721= PolarSSL 1.3.4 released on 2014-01-27 3722Features 3723 * Support for the Koblitz curves: secp192k1, secp224k1, secp256k1 3724 * Support for RIPEMD-160 3725 * Support for AES CFB8 mode 3726 * Support for deterministic ECDSA (RFC 6979) 3727 3728Bugfix 3729 * Potential memory leak in bignum_selftest() 3730 * Replaced expired test certificate 3731 * ssl_mail_client now terminates lines with CRLF, instead of LF 3732 * net module handles timeouts on blocking sockets better (found by Tilman 3733 Sauerbeck) 3734 * Assembly format fixes in bn_mul.h 3735 3736Security 3737 * Missing MPI_CHK calls added around unguarded mpi calls (found by 3738 TrustInSoft) 3739 3740= PolarSSL 1.3.3 released on 2013-12-31 3741Features 3742 * EC key generation support in gen_key app 3743 * Support for adhering to client ciphersuite order preference 3744 (POLARSSL_SSL_SRV_RESPECT_CLIENT_PREFERENCE) 3745 * Support for Curve25519 3746 * Support for ECDH-RSA and ECDH-ECDSA key exchanges and ciphersuites 3747 * Support for IPv6 in the NET module 3748 * AES-NI support for AES, AES-GCM and AES key scheduling 3749 * SSL Pthread-based server example added (ssl_pthread_server) 3750 3751Changes 3752 * gen_prime() speedup 3753 * Speedup of ECP multiplication operation 3754 * Relaxed some SHA2 ciphersuite's version requirements 3755 * Dropped use of readdir_r() instead of readdir() with threading support 3756 * More constant-time checks in the RSA module 3757 * Split off curves from ecp.c into ecp_curves.c 3758 * Curves are now stored fully in ROM 3759 * Memory usage optimizations in ECP module 3760 * Removed POLARSSL_THREADING_DUMMY 3761 3762Bugfix 3763 * Fixed bug in mpi_set_bit() on platforms where t_uint is wider than int 3764 * Fixed X.509 hostname comparison (with non-regular characters) 3765 * SSL now gracefully handles missing RNG 3766 * Missing defines / cases for RSA_PSK key exchange 3767 * crypt_and_hash app checks MAC before final decryption 3768 * Potential memory leak in ssl_ticket_keys_init() 3769 * Memory leak in benchmark application 3770 * Fixed x509_crt_parse_path() bug on Windows platforms 3771 * Added missing MPI_CHK() around some statements in mpi_div_mpi() (found by 3772 TrustInSoft) 3773 * Fixed potential overflow in certificate size verification in 3774 ssl_write_certificate() (found by TrustInSoft) 3775 3776Security 3777 * Possible remotely-triggered out-of-bounds memory access fixed (found by 3778 TrustInSoft) 3779 3780= PolarSSL 1.3.2 released on 2013-11-04 3781Features 3782 * PK tests added to test framework 3783 * Added optional optimization for NIST MODP curves (POLARSSL_ECP_NIST_OPTIM) 3784 * Support for Camellia-GCM mode and ciphersuites 3785 3786Changes 3787 * Padding checks in cipher layer are now constant-time 3788 * Value comparisons in SSL layer are now constant-time 3789 * Support for serialNumber, postalAddress and postalCode in X509 names 3790 * SSL Renegotiation was refactored 3791 3792Bugfix 3793 * More stringent checks in cipher layer 3794 * Server does not send out extensions not advertised by client 3795 * Prevent possible alignment warnings on casting from char * to 'aligned *' 3796 * Misc fixes and additions to dependency checks 3797 * Const correctness 3798 * cert_write with selfsign should use issuer_name as subject_name 3799 * Fix ECDSA corner case: missing reduction mod N (found by DualTachyon) 3800 * Defines to handle UEFI environment under MSVC 3801 * Server-side initiated renegotiations send HelloRequest 3802 3803= PolarSSL 1.3.1 released on 2013-10-15 3804Features 3805 * Support for Brainpool curves and TLS ciphersuites (RFC 7027) 3806 * Support for ECDHE-PSK key-exchange and ciphersuites 3807 * Support for RSA-PSK key-exchange and ciphersuites 3808 3809Changes 3810 * RSA blinding locks for a smaller amount of time 3811 * TLS compression only allocates working buffer once 3812 * Introduced POLARSSL_HAVE_READDIR_R for systems without it 3813 * config.h is more script-friendly 3814 3815Bugfix 3816 * Missing MSVC defines added 3817 * Compile errors with POLARSSL_RSA_NO_CRT 3818 * Header files with 'polarssl/' 3819 * Const correctness 3820 * Possible naming collision in dhm_context 3821 * Better support for MSVC 3822 * threading_set_alt() name 3823 * Added missing x509write_crt_set_version() 3824 3825= PolarSSL 1.3.0 released on 2013-10-01 3826Features 3827 * Elliptic Curve Cryptography module added 3828 * Elliptic Curve Diffie Hellman module added 3829 * Ephemeral Elliptic Curve Diffie Hellman support for SSL/TLS 3830 (ECDHE-based ciphersuites) 3831 * Ephemeral Elliptic Curve Digital Signature Algorithm support for SSL/TLS 3832 (ECDSA-based ciphersuites) 3833 * Ability to specify allowed ciphersuites based on the protocol version. 3834 * PSK and DHE-PSK based ciphersuites added 3835 * Memory allocation abstraction layer added 3836 * Buffer-based memory allocator added (no malloc() / free() / HEAP usage) 3837 * Threading abstraction layer added (dummy / pthread / alternate) 3838 * Public Key abstraction layer added 3839 * Parsing Elliptic Curve keys 3840 * Parsing Elliptic Curve certificates 3841 * Support for max_fragment_length extension (RFC 6066) 3842 * Support for truncated_hmac extension (RFC 6066) 3843 * Support for zeros-and-length (ANSI X.923) padding, one-and-zeros 3844 (ISO/IEC 7816-4) padding and zero padding in the cipher layer 3845 * Support for session tickets (RFC 5077) 3846 * Certificate Request (CSR) generation with extensions (key_usage, 3847 ns_cert_type) 3848 * X509 Certificate writing with extensions (basic_constraints, 3849 issuer_key_identifier, etc) 3850 * Optional blinding for RSA, DHM and EC 3851 * Support for multiple active certificate / key pairs in SSL servers for 3852 the same host (Not to be confused with SNI!) 3853 3854Changes 3855 * Ability to enable / disable SSL v3 / TLS 1.0 / TLS 1.1 / TLS 1.2 3856 individually 3857 * Introduced separate SSL Ciphersuites module that is based on 3858 Cipher and MD information 3859 * Internals for SSL module adapted to have separate IV pointer that is 3860 dynamically set (Better support for hardware acceleration) 3861 * Moved all OID functionality to a separate module. RSA function 3862 prototypes for the RSA sign and verify functions changed as a result 3863 * Split up the GCM module into a starts/update/finish cycle 3864 * Client and server now filter sent and accepted ciphersuites on minimum 3865 and maximum protocol version 3866 * Ability to disable server_name extension (RFC 6066) 3867 * Renamed error_strerror() to the less conflicting polarssl_strerror() 3868 (Ability to keep old as well with POLARSSL_ERROR_STRERROR_BC) 3869 * SHA2 renamed to SHA256, SHA4 renamed to SHA512 and functions accordingly 3870 * All RSA operations require a random generator for blinding purposes 3871 * X509 core refactored 3872 * x509_crt_verify() now case insensitive for cn (RFC 6125 6.4) 3873 * Also compiles / runs without time-based functions (!POLARSSL_HAVE_TIME) 3874 * Support faulty X509 v1 certificates with extensions 3875 (POLARSSL_X509_ALLOW_EXTENSIONS_NON_V3) 3876 3877Bugfix 3878 * Fixed parse error in ssl_parse_certificate_request() 3879 * zlib compression/decompression skipped on empty blocks 3880 * Support for AIX header locations in net.c module 3881 * Fixed file descriptor leaks 3882 3883Security 3884 * RSA blinding on CRT operations to counter timing attacks 3885 (found by Cyril Arnaud and Pierre-Alain Fouque) 3886 3887 3888= Version 1.2.14 released 2015-05-?? 3889 3890Security 3891 * Fix potential invalid memory read in the server, that allows a client to 3892 crash it remotely (found by Caj Larsson). 3893 * Fix potential invalid memory read in certificate parsing, that allows a 3894 client to crash the server remotely if client authentication is enabled 3895 (found using Codenomicon Defensics). 3896 * Add countermeasure against "Lucky 13 strikes back" cache-based attack, 3897 https://dl.acm.org/citation.cfm?id=2714625 3898 3899Bugfix 3900 * Fix bug in Via Padlock support (found by Nikos Mavrogiannopoulos). 3901 * Fix hardclock() (only used in the benchmarking program) with some 3902 versions of mingw64 (found by kxjhlele). 3903 * Fix warnings from mingw64 in timing.c (found by kxjklele). 3904 * Fix potential unintended sign extension in asn1_get_len() on 64-bit 3905 platforms (found with Coverity Scan). 3906 3907= Version 1.2.13 released 2015-02-16 3908Note: Although PolarSSL has been renamed to mbed TLS, no changes reflecting 3909 this will be made in the 1.2 branch at this point. 3910 3911Security 3912 * Fix remotely-triggerable uninitialised pointer dereference caused by 3913 crafted X.509 certificate (TLS server is not affected if it doesn't ask 3914 for a client certificate) (found using Codenomicon Defensics). 3915 * Fix remotely-triggerable memory leak caused by crafted X.509 certificates 3916 (TLS server is not affected if it doesn't ask for a client certificate) 3917 (found using Codenomicon Defensics). 3918 * Fix potential stack overflow while parsing crafted X.509 certificates 3919 (TLS server is not affected if it doesn't ask for a client certificate) 3920 found using Codenomicon Defensics). 3921 * Fix buffer overread of size 1 when parsing crafted X.509 certificates 3922 (TLS server is not affected if it doesn't ask for a client certificate). 3923 3924Bugfix 3925 * Fix potential undefined behaviour in Camellia. 3926 * Fix memory leaks in PKCS#5 and PKCS#12. 3927 * Stack buffer overflow if ctr_drbg_update() is called with too large 3928 add_len (found by Jean-Philippe Aumasson) (not triggerable remotely). 3929 * Fix bug in MPI/bignum on s390/s390x (reported by Dan Horák) (introduced 3930 in 1.2.12). 3931 * Fix unchecked return code in x509_crt_parse_path() on Windows (found by 3932 Peter Vaskovic). 3933 * Fix assembly selection for MIPS64 (thanks to James Cowgill). 3934 * ssl_get_verify_result() now works even if the handshake was aborted due 3935 to a failed verification (found by Fredrik Axelsson). 3936 * Skip writing and parsing signature_algorithm extension if none of the 3937 key exchanges enabled needs certificates. This fixes a possible interop 3938 issue with some servers when a zero-length extension was sent. (Reported 3939 by Peter Dettman.) 3940 * On a 0-length input, base64_encode() did not correctly set output length 3941 (found by Hendrik van den Boogaard). 3942 3943Changes 3944 * Blind RSA private operations even when POLARSSL_RSA_NO_CRT is defined. 3945 * Forbid repeated extensions in X.509 certificates. 3946 * Add compile-time option POLARSSL_X509_MAX_INTERMEDIATE_CA to limit the 3947 length of an X.509 verification chain (default = 8). 3948= Version 1.2.12 released 2014-10-24 3949 3950Security 3951 * Remotely-triggerable memory leak when parsing some X.509 certificates 3952 (server is not affected if it doesn't ask for a client certificate). 3953 (Found using Codenomicon Defensics.) 3954 3955Bugfix 3956 * Fix potential bad read in parsing ServerHello (found by Adrien 3957 Vialletelle). 3958 * ssl_close_notify() could send more than one message in some circumstances 3959 with non-blocking I/O. 3960 * x509_crt_parse() did not increase total_failed on PEM error 3961 * Fix compiler warnings on iOS (found by Sander Niemeijer). 3962 * Don't print uninitialised buffer in ssl_mail_client (found by Marc Abel). 3963 * Fix net_accept() regarding non-blocking sockets (found by Luca Pesce). 3964 * ssl_read() could return non-application data records on server while 3965 renegotation was pending, and on client when a HelloRequest was received. 3966 * Fix warnings from Clang's scan-build (contributed by Alfred Klomp). 3967 3968Changes 3969 * X.509 certificates with more than one AttributeTypeAndValue per 3970 RelativeDistinguishedName are not accepted any more. 3971 * ssl_read() now returns POLARSSL_ERR_NET_WANT_READ rather than 3972 POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE on harmless alerts. 3973 * Accept spaces at end of line or end of buffer in base64_decode(). 3974 3975= Version 1.2.11 released 2014-07-11 3976Features 3977 * Entropy module now supports seed writing and reading 3978 3979Changes 3980 * Introduced POLARSSL_HAVE_READDIR_R for systems without it 3981 * Improvements to the CMake build system, contributed by Julian Ospald. 3982 * Work around a bug of the version of Clang shipped by Apple with Mavericks 3983 that prevented bignum.c from compiling. (Reported by Rafael Baptista.) 3984 * Improvements to tests/Makefile, contributed by Oden Eriksson. 3985 * Use UTC time to check certificate validity. 3986 * Reject certificates with times not in UTC, per RFC 5280. 3987 * Migrate zeroizing of data to polarssl_zeroize() instead of memset() 3988 against unwanted compiler optimizations 3989 3990Security 3991 * Forbid change of server certificate during renegotiation to prevent 3992 "triple handshake" attack when authentication mode is optional (the 3993 attack was already impossible when authentication is required). 3994 * Check notBefore timestamp of certificates and CRLs from the future. 3995 * Forbid sequence number wrapping 3996 * Prevent potential NULL pointer dereference in ssl_read_record() (found by 3997 TrustInSoft) 3998 * Fix length checking for AEAD ciphersuites (found by Codenomicon). 3999 It was possible to crash the server (and client) using crafted messages 4000 when a GCM suite was chosen. 4001 4002Bugfix 4003 * Fixed X.509 hostname comparison (with non-regular characters) 4004 * SSL now gracefully handles missing RNG 4005 * crypt_and_hash app checks MAC before final decryption 4006 * Fixed x509_crt_parse_path() bug on Windows platforms 4007 * Added missing MPI_CHK() around some statements in mpi_div_mpi() (found by 4008 TrustInSoft) 4009 * Fixed potential overflow in certificate size verification in 4010 ssl_write_certificate() (found by TrustInSoft) 4011 * Fix ASM format in bn_mul.h 4012 * Potential memory leak in bignum_selftest() 4013 * Replaced expired test certificate 4014 * ssl_mail_client now terminates lines with CRLF, instead of LF 4015 * Fix bug in RSA PKCS#1 v1.5 "reversed" operations 4016 * Fixed testing with out-of-source builds using cmake 4017 * Fixed version-major intolerance in server 4018 * Fixed CMake symlinking on out-of-source builds 4019 * Bignum's MIPS-32 assembly was used on MIPS-64, causing chaos. (Found by 4020 Alex Wilson.) 4021 * ssl_init() was leaving a dirty pointer in ssl_context if malloc of 4022 out_ctr failed 4023 * ssl_handshake_init() was leaving dirty pointers in subcontexts if malloc 4024 of one of them failed 4025 * x509_get_current_time() uses localtime_r() to prevent thread issues 4026 * Some example server programs were not sending the close_notify alert. 4027 * Potential memory leak in mpi_exp_mod() when error occurs during 4028 calculation of RR. 4029 * Improve interoperability by not writing extension length in ClientHello 4030 when no extensions are present (found by Matthew Page) 4031 * rsa_check_pubkey() now allows an E up to N 4032 * On OpenBSD, use arc4random_buf() instead of rand() to prevent warnings 4033 * mpi_fill_random() was creating numbers larger than requested on 4034 big-endian platform when size was not an integer number of limbs 4035 * Fix detection of DragonflyBSD in net.c (found by Markus Pfeiffer) 4036 * Stricter check on SSL ClientHello internal sizes compared to actual packet 4037 size (found by TrustInSoft) 4038 * Fix preprocessor checks for bn_mul PPC asm (found by Barry K. Nathan). 4039 * Use \n\t rather than semicolons for bn_mul asm, since some assemblers 4040 interpret semicolons as comment delimiters (found by Barry K. Nathan). 4041 * Disable broken Sparc64 bn_mul assembly (found by Florian Obser). 4042 * Fix base64_decode() to return and check length correctly (in case of 4043 tight buffers) 4044 4045= Version 1.2.10 released 2013-10-07 4046Changes 4047 * Changed RSA blinding to a slower but thread-safe version 4048 4049Bugfix 4050 * Fixed memory leak in RSA as a result of introduction of blinding 4051 * Fixed ssl_pkcs11_decrypt() prototype 4052 * Fixed MSVC project files 4053 4054= Version 1.2.9 released 2013-10-01 4055Changes 4056 * x509_verify() now case insensitive for cn (RFC 6125 6.4) 4057 4058Bugfix 4059 * Fixed potential memory leak when failing to resume a session 4060 * Fixed potential file descriptor leaks (found by Remi Gacogne) 4061 * Minor fixes 4062 4063Security 4064 * Fixed potential heap buffer overflow on large hostname setting 4065 * Fixed potential negative value misinterpretation in load_file() 4066 * RSA blinding on CRT operations to counter timing attacks 4067 (found by Cyril Arnaud and Pierre-Alain Fouque) 4068 4069= Version 1.2.8 released 2013-06-19 4070Features 4071 * Parsing of PKCS#8 encrypted private key files 4072 * PKCS#12 PBE and derivation functions 4073 * Centralized module option values in config.h to allow user-defined 4074 settings without editing header files by using POLARSSL_CONFIG_OPTIONS 4075 4076Changes 4077 * HAVEGE random generator disabled by default 4078 * Internally split up x509parse_key() into a (PEM) handler function 4079 and specific DER parser functions for the PKCS#1 and unencrypted 4080 PKCS#8 private key formats 4081 * Added mechanism to provide alternative implementations for all 4082 symmetric cipher and hash algorithms (e.g. POLARSSL_AES_ALT in 4083 config.h) 4084 * PKCS#5 module added. Moved PBKDF2 functionality inside and deprecated 4085 old PBKDF2 module 4086 4087Bugfix 4088 * Secure renegotiation extension should only be sent in case client 4089 supports secure renegotiation 4090 * Fixed offset for cert_type list in ssl_parse_certificate_request() 4091 * Fixed const correctness issues that have no impact on the ABI 4092 * x509parse_crt() now better handles PEM error situations 4093 * ssl_parse_certificate() now calls x509parse_crt_der() directly 4094 instead of the x509parse_crt() wrapper that can also parse PEM 4095 certificates 4096 * x509parse_crtpath() is now reentrant and uses more portable stat() 4097 * Fixed bignum.c and bn_mul.h to support Thumb2 and LLVM compiler 4098 * Fixed values for 2-key Triple DES in cipher layer 4099 * ssl_write_certificate_request() can handle empty ca_chain 4100 4101Security 4102 * A possible DoS during the SSL Handshake, due to faulty parsing of 4103 PEM-encoded certificates has been fixed (found by Jack Lloyd) 4104 4105= Version 1.2.7 released 2013-04-13 4106Features 4107 * Ability to specify allowed ciphersuites based on the protocol version. 4108 4109Changes 4110 * Default Blowfish keysize is now 128-bits 4111 * Test suites made smaller to accommodate Raspberry Pi 4112 4113Bugfix 4114 * Fix for MPI assembly for ARM 4115 * GCM adapted to support sizes > 2^29 4116 4117= Version 1.2.6 released 2013-03-11 4118Bugfix 4119 * Fixed memory leak in ssl_free() and ssl_reset() for active session 4120 * Corrected GCM counter incrementation to use only 32-bits instead of 4121 128-bits (found by Yawning Angel) 4122 * Fixes for 64-bit compilation with MS Visual Studio 4123 * Fixed net_bind() for specified IP addresses on little endian systems 4124 * Fixed assembly code for ARM (Thumb and regular) for some compilers 4125 4126Changes 4127 * Internally split up rsa_pkcs1_encrypt(), rsa_pkcs1_decrypt(), 4128 rsa_pkcs1_sign() and rsa_pkcs1_verify() to separate PKCS#1 v1.5 and 4129 PKCS#1 v2.1 functions 4130 * Added support for custom labels when using rsa_rsaes_oaep_encrypt() 4131 or rsa_rsaes_oaep_decrypt() 4132 * Re-added handling for SSLv2 Client Hello when the define 4133 POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO is set 4134 * The SSL session cache module (ssl_cache) now also retains peer_cert 4135 information (not the entire chain) 4136 4137Security 4138 * Removed further timing differences during SSL message decryption in 4139 ssl_decrypt_buf() 4140 * Removed timing differences due to bad padding from 4141 rsa_rsaes_pkcs1_v15_decrypt() and rsa_pkcs1_decrypt() for PKCS#1 v1.5 4142 operations 4143 4144= Version 1.2.5 released 2013-02-02 4145Changes 4146 * Allow enabling of dummy error_strerror() to support some use-cases 4147 * Debug messages about padding errors during SSL message decryption are 4148 disabled by default and can be enabled with POLARSSL_SSL_DEBUG_ALL 4149 * Sending of security-relevant alert messages that do not break 4150 interoperability can be switched on/off with the flag 4151 POLARSSL_SSL_ALL_ALERT_MESSAGES 4152 4153Security 4154 * Removed timing differences during SSL message decryption in 4155 ssl_decrypt_buf() due to badly formatted padding 4156 4157= Version 1.2.4 released 2013-01-25 4158Changes 4159 * More advanced SSL ciphersuite representation and moved to more dynamic 4160 SSL core 4161 * Added ssl_handshake_step() to allow single stepping the handshake process 4162 4163Bugfix 4164 * Memory leak when using RSA_PKCS_V21 operations fixed 4165 * Handle future version properly in ssl_write_certificate_request() 4166 * Correctly handle CertificateRequest message in client for <= TLS 1.1 4167 without DN list 4168 4169= Version 1.2.3 released 2012-11-26 4170Bugfix 4171 * Server not always sending correct CertificateRequest message 4172 4173= Version 1.2.2 released 2012-11-24 4174Changes 4175 * Added p_hw_data to ssl_context for context specific hardware acceleration 4176 data 4177 * During verify trust-CA is only checked for expiration and CRL presence 4178 4179Bugfixes 4180 * Fixed client authentication compatibility 4181 * Fixed dependency on POLARSSL_SHA4_C in SSL modules 4182 4183= Version 1.2.1 released 2012-11-20 4184Changes 4185 * Depth that the certificate verify callback receives is now numbered 4186 bottom-up (Peer cert depth is 0) 4187 4188Bugfixes 4189 * Fixes for MSVC6 4190 * Moved mpi_inv_mod() outside POLARSSL_GENPRIME 4191 * Allow R and A to point to same mpi in mpi_div_mpi (found by Manuel 4192 Pégourié-Gonnard) 4193 * Fixed possible segfault in mpi_shift_r() (found by Manuel 4194 Pégourié-Gonnard) 4195 * Added max length check for rsa_pkcs1_sign with PKCS#1 v2.1 4196 4197= Version 1.2.0 released 2012-10-31 4198Features 4199 * Added support for NULL cipher (POLARSSL_CIPHER_NULL_CIPHER) and weak 4200 ciphersuites (POLARSSL_ENABLE_WEAK_CIPHERSUITES). They are disabled by 4201 default! 4202 * Added support for wildcard certificates 4203 * Added support for multi-domain certificates through the X509 Subject 4204 Alternative Name extension 4205 * Added preliminary ASN.1 buffer writing support 4206 * Added preliminary X509 Certificate Request writing support 4207 * Added key_app_writer example application 4208 * Added cert_req example application 4209 * Added base Galois Counter Mode (GCM) for AES 4210 * Added TLS 1.2 support (RFC 5246) 4211 * Added GCM suites to TLS 1.2 (RFC 5288) 4212 * Added commandline error code convertor (util/strerror) 4213 * Added support for Hardware Acceleration hooking in SSL/TLS 4214 * Added OpenSSL / PolarSSL compatibility script (tests/compat.sh) and 4215 example application (programs/ssl/o_p_test) (requires OpenSSL) 4216 * Added X509 CA Path support 4217 * Added Thumb assembly optimizations 4218 * Added DEFLATE compression support as per RFC3749 (requires zlib) 4219 * Added blowfish algorithm (Generic and cipher layer) 4220 * Added PKCS#5 PBKDF2 key derivation function 4221 * Added Secure Renegotiation (RFC 5746) 4222 * Added predefined DHM groups from RFC 5114 4223 * Added simple SSL session cache implementation 4224 * Added ServerName extension parsing (SNI) at server side 4225 * Added option to add minimum accepted SSL/TLS protocol version 4226 4227Changes 4228 * Removed redundant POLARSSL_DEBUG_MSG define 4229 * AES code only check for Padlock once 4230 * Fixed const-correctness mpi_get_bit() 4231 * Documentation for mpi_lsb() and mpi_msb() 4232 * Moved out_msg to out_hdr + 32 to support hardware acceleration 4233 * Changed certificate verify behaviour to comply with RFC 6125 section 6.3 4234 to not match CN if subjectAltName extension is present (Closes ticket #56) 4235 * Cipher layer cipher_mode_t POLARSSL_MODE_CFB128 is renamed to 4236 POLARSSL_MODE_CFB, to also handle different block size CFB modes. 4237 * Removed handling for SSLv2 Client Hello (as per RFC 5246 recommendation) 4238 * Revamped session resumption handling 4239 * Generalized external private key implementation handling (like PKCS#11) 4240 in SSL/TLS 4241 * Revamped x509_verify() and the SSL f_vrfy callback implementations 4242 * Moved from unsigned long to fixed width uint32_t types throughout code 4243 * Renamed ciphersuites naming scheme to IANA reserved names 4244 4245Bugfix 4246 * Fixed handling error in mpi_cmp_mpi() on longer B values (found by 4247 Hui Dong) 4248 * Fixed potential heap corruption in x509_name allocation 4249 * Fixed single RSA test that failed on Big Endian systems (Closes ticket #54) 4250 * mpi_exp_mod() now correctly handles negative base numbers (Closes ticket 4251 #52) 4252 * Handle encryption with private key and decryption with public key as per 4253 RFC 2313 4254 * Handle empty certificate subject names 4255 * Prevent reading over buffer boundaries on X509 certificate parsing 4256 * mpi_add_abs() now correctly handles adding short numbers to long numbers 4257 with carry rollover (found by Ruslan Yushchenko) 4258 * Handle existence of OpenSSL Trust Extensions at end of X.509 DER blob 4259 * Fixed MPI assembly for SPARC64 platform 4260 4261Security 4262 * Fixed potential memory zeroization on miscrafted RSA key (found by Eloi 4263 Vanderbeken) 4264 4265= Version 1.1.8 released on 2013-10-01 4266Bugfix 4267 * Fixed potential memory leak when failing to resume a session 4268 * Fixed potential file descriptor leaks 4269 4270Security 4271 * Potential buffer-overflow for ssl_read_record() (independently found by 4272 both TrustInSoft and Paul Brodeur of Leviathan Security Group) 4273 * Potential negative value misinterpretation in load_file() 4274 * Potential heap buffer overflow on large hostname setting 4275 4276= Version 1.1.7 released on 2013-06-19 4277Changes 4278 * HAVEGE random generator disabled by default 4279 4280Bugfix 4281 * x509parse_crt() now better handles PEM error situations 4282 * ssl_parse_certificate() now calls x509parse_crt_der() directly 4283 instead of the x509parse_crt() wrapper that can also parse PEM 4284 certificates 4285 * Fixed values for 2-key Triple DES in cipher layer 4286 * ssl_write_certificate_request() can handle empty ca_chain 4287 4288Security 4289 * A possible DoS during the SSL Handshake, due to faulty parsing of 4290 PEM-encoded certificates has been fixed (found by Jack Lloyd) 4291 4292= Version 1.1.6 released on 2013-03-11 4293Bugfix 4294 * Fixed net_bind() for specified IP addresses on little endian systems 4295 4296Changes 4297 * Allow enabling of dummy error_strerror() to support some use-cases 4298 * Debug messages about padding errors during SSL message decryption are 4299 disabled by default and can be enabled with POLARSSL_SSL_DEBUG_ALL 4300 4301Security 4302 * Removed timing differences during SSL message decryption in 4303 ssl_decrypt_buf() 4304 * Removed timing differences due to bad padding from 4305 rsa_rsaes_pkcs1_v15_decrypt() and rsa_pkcs1_decrypt() for PKCS#1 v1.5 4306 operations 4307 4308= Version 1.1.5 released on 2013-01-16 4309Bugfix 4310 * Fixed MPI assembly for SPARC64 platform 4311 * Handle existence of OpenSSL Trust Extensions at end of X.509 DER blob 4312 * mpi_add_abs() now correctly handles adding short numbers to long numbers 4313 with carry rollover 4314 * Moved mpi_inv_mod() outside POLARSSL_GENPRIME 4315 * Prevent reading over buffer boundaries on X509 certificate parsing 4316 * mpi_exp_mod() now correctly handles negative base numbers (Closes ticket 4317 #52) 4318 * Fixed possible segfault in mpi_shift_r() (found by Manuel 4319 Pégourié-Gonnard) 4320 * Allow R and A to point to same mpi in mpi_div_mpi (found by Manuel 4321 Pégourié-Gonnard) 4322 * Added max length check for rsa_pkcs1_sign with PKCS#1 v2.1 4323 * Memory leak when using RSA_PKCS_V21 operations fixed 4324 * Handle encryption with private key and decryption with public key as per 4325 RFC 2313 4326 * Fixes for MSVC6 4327 4328Security 4329 * Fixed potential memory zeroization on miscrafted RSA key (found by Eloi 4330 Vanderbeken) 4331 4332= Version 1.1.4 released on 2012-05-31 4333Bugfix 4334 * Correctly handle empty SSL/TLS packets (Found by James Yonan) 4335 * Fixed potential heap corruption in x509_name allocation 4336 * Fixed single RSA test that failed on Big Endian systems (Closes ticket #54) 4337 4338= Version 1.1.3 released on 2012-04-29 4339Bugfix 4340 * Fixed random MPI generation to not generate more size than requested. 4341 4342= Version 1.1.2 released on 2012-04-26 4343Bugfix 4344 * Fixed handling error in mpi_cmp_mpi() on longer B values (found by 4345 Hui Dong) 4346 4347Security 4348 * Fixed potential memory corruption on miscrafted client messages (found by 4349 Frama-C team at CEA LIST) 4350 * Fixed generation of DHM parameters to correct length (found by Ruslan 4351 Yushchenko) 4352 4353= Version 1.1.1 released on 2012-01-23 4354Bugfix 4355 * Check for failed malloc() in ssl_set_hostname() and x509_get_entries() 4356 (Closes ticket #47, found by Hugo Leisink) 4357 * Fixed issues with Intel compiler on 64-bit systems (Closes ticket #50) 4358 * Fixed multiple compiler warnings for VS6 and armcc 4359 * Fixed bug in CTR_CRBG selftest 4360 4361= Version 1.1.0 released on 2011-12-22 4362Features 4363 * Added ssl_session_reset() to allow better multi-connection pools of 4364 SSL contexts without needing to set all non-connection-specific 4365 data and pointers again. Adapted ssl_server to use this functionality. 4366 * Added ssl_set_max_version() to allow clients to offer a lower maximum 4367 supported version to a server to help buggy server implementations. 4368 (Closes ticket #36) 4369 * Added cipher_get_cipher_mode() and cipher_get_cipher_operation() 4370 introspection functions (Closes ticket #40) 4371 * Added CTR_DRBG based on AES-256-CTR (NIST SP 800-90) random generator 4372 * Added a generic entropy accumulator that provides support for adding 4373 custom entropy sources and added some generic and platform dependent 4374 entropy sources 4375 4376Changes 4377 * Documentation for AES and Camellia in modes CTR and CFB128 clarified. 4378 * Fixed rsa_encrypt and rsa_decrypt examples to use public key for 4379 encryption and private key for decryption. (Closes ticket #34) 4380 * Inceased maximum size of ASN1 length reads to 32-bits. 4381 * Added an EXPLICIT tag number parameter to x509_get_ext() 4382 * Added a separate CRL entry extension parsing function 4383 * Separated the ASN.1 parsing code from the X.509 specific parsing code. 4384 So now there is a module that is controlled with POLARSSL_ASN1_PARSE_C. 4385 * Changed the defined key-length of DES ciphers in cipher.h to include the 4386 parity bits, to prevent mistakes in copying data. (Closes ticket #33) 4387 * Loads of minimal changes to better support WINCE as a build target 4388 (Credits go to Marco Lizza) 4389 * Added POLARSSL_MPI_WINDOW_SIZE definition to allow easier time to memory 4390 trade-off 4391 * Introduced POLARSSL_MPI_MAX_SIZE and POLARSSL_MPI_MAX_BITS for MPI size 4392 management (Closes ticket #44) 4393 * Changed the used random function pointer to more flexible format. Renamed 4394 havege_rand() to havege_random() to prevent mistakes. Lots of changes as 4395 a consequence in library code and programs 4396 * Moved all examples programs to use the new entropy and CTR_DRBG 4397 * Added permissive certificate parsing to x509parse_crt() and 4398 x509parse_crtfile(). With permissive parsing the parsing does not stop on 4399 encountering a parse-error. Beware that the meaning of return values has 4400 changed! 4401 * All error codes are now negative. Even on mermory failures and IO errors. 4402 4403Bugfix 4404 * Fixed faulty HMAC-MD2 implementation. Found by dibac. (Closes 4405 ticket #37) 4406 * Fixed a bug where the CRL parser expected an EXPLICIT ASN.1 tag 4407 before version numbers 4408 * Allowed X509 key usage parsing to accept 4 byte values instead of the 4409 standard 1 byte version sometimes used by Microsoft. (Closes ticket #38) 4410 * Fixed incorrect behaviour in case of RSASSA-PSS with a salt length 4411 smaller than the hash length. (Closes ticket #41) 4412 * If certificate serial is longer than 32 octets, serial number is now 4413 appended with '....' after first 28 octets 4414 * Improved build support for s390x and sparc64 in bignum.h 4415 * Fixed MS Visual C++ name clash with int64 in sha4.h 4416 * Corrected removal of leading "00:" in printing serial numbers in 4417 certificates and CRLs 4418 4419= Version 1.0.0 released on 2011-07-27 4420Features 4421 * Expanded cipher layer with support for CFB128 and CTR mode 4422 * Added rsa_encrypt and rsa_decrypt simple example programs. 4423 4424Changes 4425 * The generic cipher and message digest layer now have normal error 4426 codes instead of integers 4427 4428Bugfix 4429 * Undid faulty bug fix in ssl_write() when flushing old data (Ticket 4430 #18) 4431 4432= Version 0.99-pre5 released on 2011-05-26 4433Features 4434 * Added additional Cipher Block Modes to symmetric ciphers 4435 (AES CTR, Camellia CTR, XTEA CBC) including the option to 4436 enable and disable individual modes when needed 4437 * Functions requiring File System functions can now be disabled 4438 by undefining POLARSSL_FS_IO 4439 * A error_strerror function() has been added to translate between 4440 error codes and their description. 4441 * Added mpi_get_bit() and mpi_set_bit() individual bit setter/getter 4442 functions. 4443 * Added ssl_mail_client and ssl_fork_server as example programs. 4444 4445Changes 4446 * Major argument / variable rewrite. Introduced use of size_t 4447 instead of int for buffer lengths and loop variables for 4448 better unsigned / signed use. Renamed internal bigint types 4449 t_int and t_dbl to t_uint and t_udbl in the process 4450 * mpi_init() and mpi_free() now only accept a single MPI 4451 argument and do not accept variable argument lists anymore. 4452 * The error codes have been remapped and combining error codes 4453 is now done with a PLUS instead of an OR as error codes 4454 used are negative. 4455 * Changed behaviour of net_read(), ssl_fetch_input() and ssl_recv(). 4456 net_recv() now returns 0 on EOF instead of 4457 POLARSSL_ERR_NET_CONN_RESET. ssl_fetch_input() returns 4458 POLARSSL_ERR_SSL_CONN_EOF on an EOF from its f_recv() function. 4459 ssl_read() returns 0 if a POLARSSL_ERR_SSL_CONN_EOF is received 4460 after the handshake. 4461 * Network functions now return POLARSSL_ERR_NET_WANT_READ or 4462 POLARSSL_ERR_NET_WANT_WRITE instead of the ambiguous 4463 POLARSSL_ERR_NET_TRY_AGAIN 4464 4465= Version 0.99-pre4 released on 2011-04-01 4466Features 4467 * Added support for PKCS#1 v2.1 encoding and thus support 4468 for the RSAES-OAEP and RSASSA-PSS operations. 4469 * Reading of Public Key files incorporated into default x509 4470 functionality as well. 4471 * Added mpi_fill_random() for centralized filling of big numbers 4472 with random data (Fixed ticket #10) 4473 4474Changes 4475 * Debug print of MPI now removes leading zero octets and 4476 displays actual bit size of the value. 4477 * x509parse_key() (and as a consequence x509parse_keyfile()) 4478 does not zeroize memory in advance anymore. Use rsa_init() 4479 before parsing a key or keyfile! 4480 4481Bugfix 4482 * Debug output of MPI's now the same independent of underlying 4483 platform (32-bit / 64-bit) (Fixes ticket #19, found by Mads 4484 Kiilerich and Mihai Militaru) 4485 * Fixed bug in ssl_write() when flushing old data (Fixed ticket 4486 #18, found by Nikolay Epifanov) 4487 * Fixed proper handling of RSASSA-PSS verification with variable 4488 length salt lengths 4489 4490= Version 0.99-pre3 released on 2011-02-28 4491This release replaces version 0.99-pre2 which had possible copyright issues. 4492Features 4493 * Parsing PEM private keys encrypted with DES and AES 4494 are now supported as well (Fixes ticket #5) 4495 * Added crl_app program to allow easy reading and 4496 printing of X509 CRLs from file 4497 4498Changes 4499 * Parsing of PEM files moved to separate module (Fixes 4500 ticket #13). Also possible to remove PEM support for 4501 systems only using DER encoding 4502 4503Bugfixes 4504 * Corrected parsing of UTCTime dates before 1990 and 4505 after 1950 4506 * Support more exotic OID's when parsing certificates 4507 (found by Mads Kiilerich) 4508 * Support more exotic name representations when parsing 4509 certificates (found by Mads Kiilerich) 4510 * Replaced the expired test certificates 4511 * Do not bail out if no client certificate specified. Try 4512 to negotiate anonymous connection (Fixes ticket #12, 4513 found by Boris Krasnovskiy) 4514 4515Security fixes 4516 * Fixed a possible Man-in-the-Middle attack on the 4517 Diffie Hellman key exchange (thanks to Larry Highsmith, 4518 Subreption LLC) 4519 4520= Version 0.99-pre1 released on 2011-01-30 4521Features 4522Note: Most of these features have been donated by Fox-IT 4523 * Added Doxygen source code documentation parts 4524 * Added reading of DHM context from memory and file 4525 * Improved X509 certificate parsing to include extended 4526 certificate fields, including Key Usage 4527 * Improved certificate verification and verification 4528 against the available CRLs 4529 * Detection for DES weak keys and parity bits added 4530 * Improvements to support integration in other 4531 applications: 4532 + Added generic message digest and cipher wrapper 4533 + Improved information about current capabilities, 4534 status, objects and configuration 4535 + Added verification callback on certificate chain 4536 verification to allow external blacklisting 4537 + Additional example programs to show usage 4538 * Added support for PKCS#11 through the use of the 4539 libpkcs11-helper library 4540 4541Changes 4542 * x509parse_time_expired() checks time in addition to 4543 the existing date check 4544 * The ciphers member of ssl_context and the cipher member 4545 of ssl_session have been renamed to ciphersuites and 4546 ciphersuite respectively. This clarifies the difference 4547 with the generic cipher layer and is better naming 4548 altogether 4549 4550= Version 0.14.0 released on 2010-08-16 4551Features 4552 * Added support for SSL_EDH_RSA_AES_128_SHA and 4553 SSL_EDH_RSA_CAMELLIA_128_SHA ciphersuites 4554 * Added compile-time and run-time version information 4555 * Expanded ssl_client2 arguments for more flexibility 4556 * Added support for TLS v1.1 4557 4558Changes 4559 * Made Makefile cleaner 4560 * Removed dependency on rand() in rsa_pkcs1_encrypt(). 4561 Now using random fuction provided to function and 4562 changed the prototype of rsa_pkcs1_encrypt(), 4563 rsa_init() and rsa_gen_key(). 4564 * Some SSL defines were renamed in order to avoid 4565 future confusion 4566 4567Bug fixes 4568 * Fixed CMake out of source build for tests (found by 4569 kkert) 4570 * rsa_check_private() now supports PKCS1v2 keys as well 4571 * Fixed deadlock in rsa_pkcs1_encrypt() on failing random 4572 generator 4573 4574= Version 0.13.1 released on 2010-03-24 4575Bug fixes 4576 * Fixed Makefile in library that was mistakenly merged 4577 * Added missing const string fixes 4578 4579= Version 0.13.0 released on 2010-03-21 4580Features 4581 * Added option parsing for host and port selection to 4582 ssl_client2 4583 * Added support for GeneralizedTime in X509 parsing 4584 * Added cert_app program to allow easy reading and 4585 printing of X509 certificates from file or SSL 4586 connection. 4587 4588Changes 4589 * Added const correctness for main code base 4590 * X509 signature algorithm determination is now 4591 in a function to allow easy future expansion 4592 * Changed symmetric cipher functions to 4593 identical interface (returning int result values) 4594 * Changed ARC4 to use separate input/output buffer 4595 * Added reset function for HMAC context as speed-up 4596 for specific use-cases 4597 4598Bug fixes 4599 * Fixed bug resulting in failure to send the last 4600 certificate in the chain in ssl_write_certificate() and 4601 ssl_write_certificate_request() (found by fatbob) 4602 * Added small fixes for compiler warnings on a Mac 4603 (found by Frank de Brabander) 4604 * Fixed algorithmic bug in mpi_is_prime() (found by 4605 Smbat Tonoyan) 4606 4607= Version 0.12.1 released on 2009-10-04 4608Changes 4609 * Coverage test definitions now support 'depends_on' 4610 tagging system. 4611 * Tests requiring specific hashing algorithms now honor 4612 the defines. 4613 4614Bug fixes 4615 * Changed typo in #ifdef in x509parse.c (found 4616 by Eduardo) 4617 4618= Version 0.12.0 released on 2009-07-28 4619Features 4620 * Added CMake makefiles as alternative to regular Makefiles. 4621 * Added preliminary Code Coverage tests for AES, ARC4, 4622 Base64, MPI, SHA-family, MD-family, HMAC-SHA-family, 4623 Camellia, DES, 3-DES, RSA PKCS#1, XTEA, Diffie-Hellman 4624 and X509parse. 4625 4626Changes 4627 * Error codes are not (necessarily) negative. Keep 4628 this is mind when checking for errors. 4629 * RSA_RAW renamed to SIG_RSA_RAW for consistency. 4630 * Fixed typo in name of POLARSSL_ERR_RSA_OUTPUT_TOO_LARGE. 4631 * Changed interface for AES and Camellia setkey functions 4632 to indicate invalid key lengths. 4633 4634Bug fixes 4635 * Fixed include location of endian.h on FreeBSD (found by 4636 Gabriel) 4637 * Fixed include location of endian.h and name clash on 4638 Apples (found by Martin van Hensbergen) 4639 * Fixed HMAC-MD2 by modifying md2_starts(), so that the 4640 required HMAC ipad and opad variables are not cleared. 4641 (found by code coverage tests) 4642 * Prevented use of long long in bignum if 4643 POLARSSL_HAVE_LONGLONG not defined (found by Giles 4644 Bathgate). 4645 * Fixed incorrect handling of negative strings in 4646 mpi_read_string() (found by code coverage tests). 4647 * Fixed segfault on handling empty rsa_context in 4648 rsa_check_pubkey() and rsa_check_privkey() (found by 4649 code coverage tests). 4650 * Fixed incorrect handling of one single negative input 4651 value in mpi_add_abs() (found by code coverage tests). 4652 * Fixed incorrect handling of negative first input 4653 value in mpi_sub_abs() (found by code coverage tests). 4654 * Fixed incorrect handling of negative first input 4655 value in mpi_mod_mpi() and mpi_mod_int(). Resulting 4656 change also affects mpi_write_string() (found by code 4657 coverage tests). 4658 * Corrected is_prime() results for 0, 1 and 2 (found by 4659 code coverage tests). 4660 * Fixed Camellia and XTEA for 64-bit Windows systems. 4661 4662= Version 0.11.1 released on 2009-05-17 4663 * Fixed missing functionality for SHA-224, SHA-256, SHA384, 4664 SHA-512 in rsa_pkcs1_sign() 4665 4666= Version 0.11.0 released on 2009-05-03 4667 * Fixed a bug in mpi_gcd() so that it also works when both 4668 input numbers are even and added testcases to check 4669 (found by Pierre Habouzit). 4670 * Added support for SHA-224, SHA-256, SHA-384 and SHA-512 4671 one way hash functions with the PKCS#1 v1.5 signing and 4672 verification. 4673 * Fixed minor bug regarding mpi_gcd located within the 4674 POLARSSL_GENPRIME block. 4675 * Fixed minor memory leak in x509parse_crt() and added better 4676 handling of 'full' certificate chains (found by Mathias 4677 Olsson). 4678 * Centralized file opening and reading for x509 files into 4679 load_file() 4680 * Made definition of net_htons() endian-clean for big endian 4681 systems (Found by Gernot). 4682 * Undefining POLARSSL_HAVE_ASM now also handles prevents asm in 4683 padlock and timing code. 4684 * Fixed an off-by-one buffer allocation in ssl_set_hostname() 4685 responsible for crashes and unwanted behaviour. 4686 * Added support for Certificate Revocation List (CRL) parsing. 4687 * Added support for CRL revocation to x509parse_verify() and 4688 SSL/TLS code. 4689 * Fixed compatibility of XTEA and Camellia on a 64-bit system 4690 (found by Felix von Leitner). 4691 4692= Version 0.10.0 released on 2009-01-12 4693 * Migrated XySSL to PolarSSL 4694 * Added XTEA symmetric cipher 4695 * Added Camellia symmetric cipher 4696 * Added support for ciphersuites: SSL_RSA_CAMELLIA_128_SHA, 4697 SSL_RSA_CAMELLIA_256_SHA and SSL_EDH_RSA_CAMELLIA_256_SHA 4698 * Fixed dangerous bug that can cause a heap overflow in 4699 rsa_pkcs1_decrypt (found by Christophe Devine) 4700 4701================================================================ 4702XySSL ChangeLog 4703 4704= Version 0.9 released on 2008-03-16 4705 4706 * Added support for ciphersuite: SSL_RSA_AES_128_SHA 4707 * Enabled support for large files by default in aescrypt2.c 4708 * Preliminary openssl wrapper contributed by David Barrett 4709 * Fixed a bug in ssl_write() that caused the same payload to 4710 be sent twice in non-blocking mode when send returns EAGAIN 4711 * Fixed ssl_parse_client_hello(): session id and challenge must 4712 not be swapped in the SSLv2 ClientHello (found by Greg Robson) 4713 * Added user-defined callback debug function (Krystian Kolodziej) 4714 * Before freeing a certificate, properly zero out all cert. data 4715 * Fixed the "mode" parameter so that encryption/decryption are 4716 not swapped on PadLock; also fixed compilation on older versions 4717 of gcc (bug reported by David Barrett) 4718 * Correctly handle the case in padlock_xcryptcbc() when input or 4719 output data is non-aligned by falling back to the software 4720 implementation, as VIA Nehemiah cannot handle non-aligned buffers 4721 * Fixed a memory leak in x509parse_crt() which was reported by Greg 4722 Robson-Garth; some x509write.c fixes by Pascal Vizeli, thanks to 4723 Matthew Page who reported several bugs 4724 * Fixed x509_get_ext() to accept some rare certificates which have 4725 an INTEGER instead of a BOOLEAN for BasicConstraints::cA. 4726 * Added support on the client side for the TLS "hostname" extension 4727 (patch contributed by David Patino) 4728 * Make x509parse_verify() return BADCERT_CN_MISMATCH when an empty 4729 string is passed as the CN (bug reported by spoofy) 4730 * Added an option to enable/disable the BN assembly code 4731 * Updated rsa_check_privkey() to verify that (D*E) = 1 % (P-1)*(Q-1) 4732 * Disabled obsolete hash functions by default (MD2, MD4); updated 4733 selftest and benchmark to not test ciphers that have been disabled 4734 * Updated x509parse_cert_info() to correctly display byte 0 of the 4735 serial number, setup correct server port in the ssl client example 4736 * Fixed a critical denial-of-service with X.509 cert. verification: 4737 peer may cause xyssl to loop indefinitely by sending a certificate 4738 for which the RSA signature check fails (bug reported by Benoit) 4739 * Added test vectors for: AES-CBC, AES-CFB, DES-CBC and 3DES-CBC, 4740 HMAC-MD5, HMAC-SHA1, HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512 4741 * Fixed HMAC-SHA-384 and HMAC-SHA-512 (thanks to Josh Sinykin) 4742 * Modified ssl_parse_client_key_exchange() to protect against 4743 Daniel Bleichenbacher attack on PKCS#1 v1.5 padding, as well 4744 as the Klima-Pokorny-Rosa extension of Bleichenbacher's attack 4745 * Updated rsa_gen_key() so that ctx->N is always nbits in size 4746 * Fixed assembly PPC compilation errors on Mac OS X, thanks to 4747 David Barrett and Dusan Semen 4748 4749= Version 0.8 released on 2007-10-20 4750 4751 * Modified the HMAC functions to handle keys larger 4752 than 64 bytes, thanks to Stephane Desneux and gary ng 4753 * Fixed ssl_read_record() to properly update the handshake 4754 message digests, which fixes IE6/IE7 client authentication 4755 * Cleaned up the XYSSL* #defines, suggested by Azriel Fasten 4756 * Fixed net_recv(), thanks to Lorenz Schori and Egon Kocjan 4757 * Added user-defined callbacks for handling I/O and sessions 4758 * Added lots of debugging output in the SSL/TLS functions 4759 * Added preliminary X.509 cert. writing by Pascal Vizeli 4760 * Added preliminary support for the VIA PadLock routines 4761 * Added AES-CFB mode of operation, contributed by chmike 4762 * Added an SSL/TLS stress testing program (ssl_test.c) 4763 * Updated the RSA PKCS#1 code to allow choosing between 4764 RSA_PUBLIC and RSA_PRIVATE, as suggested by David Barrett 4765 * Updated ssl_read() to skip 0-length records from OpenSSL 4766 * Fixed the make install target to comply with *BSD make 4767 * Fixed a bug in mpi_read_binary() on 64-bit platforms 4768 * mpi_is_prime() speedups, thanks to Kevin McLaughlin 4769 * Fixed a long standing memory leak in mpi_is_prime() 4770 * Replaced realloc with malloc in mpi_grow(), and set 4771 the sign of zero as positive in mpi_init() (reported 4772 by Jonathan M. McCune) 4773 4774= Version 0.7 released on 2007-07-07 4775 4776 * Added support for the MicroBlaze soft-core processor 4777 * Fixed a bug in ssl_tls.c which sometimes prevented SSL 4778 connections from being established with non-blocking I/O 4779 * Fixed a couple bugs in the VS6 and UNIX Makefiles 4780 * Fixed the "PIC register ebx clobbered in asm" bug 4781 * Added HMAC starts/update/finish support functions 4782 * Added the SHA-224, SHA-384 and SHA-512 hash functions 4783 * Fixed the net_set_*block routines, thanks to Andreas 4784 * Added a few demonstration programs: md5sum, sha1sum, 4785 dh_client, dh_server, rsa_genkey, rsa_sign, rsa_verify 4786 * Added new bignum import and export helper functions 4787 * Rewrote README.txt in program/ssl/ca to better explain 4788 how to create a test PKI 4789 4790= Version 0.6 released on 2007-04-01 4791 4792 * Ciphers used in SSL/TLS can now be disabled at compile 4793 time, to reduce the memory footprint on embedded systems 4794 * Added multiply assembly code for the TriCore and modified 4795 havege_struct for this processor, thanks to David Patiño 4796 * Added multiply assembly code for 64-bit PowerPCs, 4797 thanks to Peking University and the OSU Open Source Lab 4798 * Added experimental support of Quantum Cryptography 4799 * Added support for autoconf, contributed by Arnaud Cornet 4800 * Fixed "long long" compilation issues on IA-64 and PPC64 4801 * Fixed a bug introduced in xyssl-0.5/timing.c: hardclock 4802 was not being correctly defined on ARM and MIPS 4803 4804= Version 0.5 released on 2007-03-01 4805 4806 * Added multiply assembly code for SPARC and Alpha 4807 * Added (beta) support for non-blocking I/O operations 4808 * Implemented session resuming and client authentication 4809 * Fixed some portability issues on WinCE, MINIX 3, Plan9 4810 (thanks to Benjamin Newman), HP-UX, FreeBSD and Solaris 4811 * Improved the performance of the EDH key exchange 4812 * Fixed a bug that caused valid packets with a payload 4813 size of 16384 bytes to be rejected 4814 4815= Version 0.4 released on 2007-02-01 4816 4817 * Added support for Ephemeral Diffie-Hellman key exchange 4818 * Added multiply asm code for SSE2, ARM, PPC, MIPS and M68K 4819 * Various improvement to the modular exponentiation code 4820 * Rewrote the headers to generate the API docs with doxygen 4821 * Fixed a bug in ssl_encrypt_buf (incorrect padding was 4822 generated) and in ssl_parse_client_hello (max. client 4823 version was not properly set), thanks to Didier Rebeix 4824 * Fixed another bug in ssl_parse_client_hello: clients with 4825 cipherlists larger than 96 bytes were incorrectly rejected 4826 * Fixed a couple memory leak in x509_read.c 4827 4828= Version 0.3 released on 2007-01-01 4829 4830 * Added server-side SSLv3 and TLSv1.0 support 4831 * Multiple fixes to enhance the compatibility with g++, 4832 thanks to Xosé Antón Otero Ferreira 4833 * Fixed a bug in the CBC code, thanks to dowst; also, 4834 the bignum code is no longer dependent on long long 4835 * Updated rsa_pkcs1_sign to handle arbitrary large inputs 4836 * Updated timing.c for improved compatibility with i386 4837 and 486 processors, thanks to Arnaud Cornet 4838 4839= Version 0.2 released on 2006-12-01 4840 4841 * Updated timing.c to support ARM and MIPS arch 4842 * Updated the MPI code to support 8086 on MSVC 1.5 4843 * Added the copyright notice at the top of havege.h 4844 * Fixed a bug in sha2_hmac, thanks to newsoft/Wenfang Zhang 4845 * Fixed a bug reported by Adrian Rüegsegger in x509_read_key 4846 * Fixed a bug reported by Torsten Lauter in ssl_read_record 4847 * Fixed a bug in rsa_check_privkey that would wrongly cause 4848 valid RSA keys to be dismissed (thanks to oldwolf) 4849 * Fixed a bug in mpi_is_prime that caused some primes to fail 4850 the Miller-Rabin primality test 4851 4852 I'd also like to thank Younès Hafri for the CRUX linux port, 4853 Khalil Petit who added XySSL into pkgsrc and Arnaud Cornet 4854 who maintains the Debian package :-) 4855 4856= Version 0.1 released on 2006-11-01 4857