Lines Matching +full:enable +full:- +full:weak +full:- +full:ssl +full:- +full:ciphers
3 = mbed TLS 3.1.0 branch released 2021-12-17
15 POSIX/Unix-like platforms.
18 * Sign-magnitude and one's complement representations for signed integers are
30 * Enable support for Curve448 via the PSA API. Contributed by
37 supported on GCC-like compilers and on MSVC and can be configured through
40 value is almost always a bug. Enable the new configuration option
46 * Add support for CCM*-no-tag cipher to the PSA.
47 Currently only 13-byte long IVs are supported.
48 For decryption a minimum of 16-byte long input is expected.
56 protocol. See docs/architecture/tls13-support.md for the definition of
68 man-in-the-middle to inject fake ciphertext into a DTLS connection.
77 * Fix a double-free that happened after mbedtls_ssl_set_session() or
86 The check was accidentally not performed when cross-compiling for Windows
98 * Fix mbedtls_cipher_crypt: AES-ECB when MBEDTLS_USE_PSA_CRYPTO is enabled.
99 * Failures of alternative implementations of AES or DES single-block
103 where this function cannot fail, or full-module replacements with
108 * Fix compile-time or run-time errors in PSA
112 psa_aead_finish() and psa_aead_verify() does not apply to the built-in
115 the built-in implementation of the GCM.
117 input buffer size is valid only for the built-in implementation of GCM.
151 oversight during the run-up to the release of Mbed TLS 3.0.
153 * Implement multi-part CCM API.
154 The multi-part functions: mbedtls_ccm_starts(), mbedtls_ccm_set_lengths(),
164 * Improve the performance of base64 constant-flow code. The result is still
165 slower than the original non-constant-flow implementation, but much faster
166 than the previous constant-flow implementation. Fixes #4814.
167 * Ignore plaintext/ciphertext lengths for CCM*-no-tag operations.
171 ChaCha20-Poly1305 is invalid, and not just unsupported.
178 * The generated configuration-independent files are now automatically
179 generated by the CMake build system on Unix-like systems. This is not
180 yet supported when cross-compiling.
182 = Mbed TLS 3.0.0 branch released 2021-07-07
191 https://tls.mbed.org/kb/how-to/add-entropy-sources-to-entropy-pool for
195 header compat-1.3.h and the script rename.pl.
214 * Drop support for TLS record-level compression (MBEDTLS_ZLIB_SUPPORT).
216 * Drop support for single-DES ciphersuites.
220 key type used, as well as the key bit-size in the case of
227 * Remove SSL error codes `MBEDTLS_ERR_SSL_CERTIFICATE_REQUIRED`
229 returned from the public SSL API.
235 when outputting a SHA-384 or SHA-224 hash into a buffer of exactly
255 * The getter and setter API of the SSL session cache (used for
256 session-ID based session resumption) has changed to that of
257 a key-value store with keys being session IDs and values
271 * For multi-part AEAD operations with the cipher module, calling
276 * The option MBEDTLS_ECP_FIXED_POINT_OPTIM use pre-computed comb tables
279 * Remove the SSL APIs mbedtls_ssl_get_input_max_frag_len() and
318 context are now connection-specific.
327 * Implement one-shot cipher functions, psa_cipher_encrypt and
336 SSL context.
339 * Enable by default the functionalities which have no reason to be disabled.
340 They are: ARIA block cipher, CMAC mode, elliptic curve J-PAKE library and
341 Key Wrapping mode as defined in NIST SP 800-38F. Fixes #4036.
353 release, some configuration-independent files are now generated at build
364 compile-time option, which was off by default. Users should not trust
365 certificates signed with SHA-1 due to the known attacks against SHA-1.
366 If needed, SHA-1 certificates can still be verified by using a custom
374 https://lists.trustedfirmware.org/pipermail/mbed-tls/2020-April/000024.html
378 compile-time option. This option has been inactive for a long time.
381 * Remove the following deprecated functions and constants of hex-encoded
396 * Remove the MBEDTLS_SSL_RECORD_CHECKING option and enable by default its
407 * The RSA module no longer supports private-key operations with the public
447 using a CCM-8 ciphersuite than a CBC ciphersuite with truncated HMAC.
449 * Remove the compile-time option
457 * Added support for built-in driver keys through the PSA opaque crypto
461 * The multi-part GCM interface (mbedtls_gcm_update() or
464 * The multi-part GCM interface now supports chunked associated data through
471 See docs/architecture/alternative-implementations.md for the remaining
474 query the size of the modulus in a Diffie-Hellman context.
476 Diffie-Hellman context.
484 * Fix a bias in the generation of finite-field Diffie-Hellman-Merkle (DHM)
496 performing a single private-key operation. Found and reported by
499 co-located process) could recover a Curve25519 or Curve448 static ECDH key
501 corresponding private-key operation. Found and reported by Leila Batina,
518 * Fix a bug in ECDSA that would cause it to fail when the hash is all-bits
523 mbedtls_mpi_read_string() was called on "-0", or when
529 * In a TLS client, enforce the Diffie-Hellman minimum parameter size
540 * The cipher suite TLS-RSA-WITH-CAMELLIA-256-GCM-SHA384 was not available
541 when SHA-1 was disabled and was offered when SHA-1 was enabled but SHA-384
543 * Do not offer SHA384 cipher suites when SHA-384 is disabled. Fixes #4499.
545 Arm Cortex-M. Fixes #4530.
547 directive in a header and a missing initialization in the self-test.
548 * Fix a missing initialization in the Camellia self-test, affecting
555 (when the encrypt-then-MAC extension is not in use) with some ALT
556 implementations of the underlying hash (SHA-1, SHA-256, SHA-384), causing
558 * Remove outdated check-config.h check that prevented implementing the
570 * psa_verify_hash() was relying on implementation-specific behavior of
581 Credit to OSS-Fuzz. Fixes #4641.
586 read-only lifetime. The persistence level PSA_KEY_PERSISTENCE_READ_ONLY
607 * Remove configs/config-psa-crypto.h, which no longer had any intended
647 = mbed TLS 2.26.0 branch released 2021-03-08
685 entropy collection and DRBG code. Enable MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG
701 length, or when the entropy module uses SHA-256 and CTR_DRBG uses AES-256.
707 |A| - |B| where |B| is larger than |A| and has more limbs (so the
724 * Fix use-after-scope error in programs/ssl/ssl_client2.c and ssl_server2.c
735 fail. Such a double-free was not safe when MBEDTLS_THREADING_C was
737 * Fix a resource leak in a bad-arguments case of mbedtls_rsa_gen_key()
748 the extension was always marked as non-critical. This was fixed by
758 = mbed TLS 2.25.0 branch released 2020-12-11
770 mbedtls_cipher_auth_decrypt_ext() instead. Credit to OSS-Fuzz and
783 mbedtls_cipher_auth_decrypt_ext(). Please note that with AEAD ciphers,
789 ciphers, asymmetric signing/verification and key generation, validate_key
795 This is currently non-standard behaviour, but expected to make it into a
802 * Add support for DTLS-SRTP as defined in RFC 5764. Contributed by Johan
806 identical to psa_key_id_t instead of being platform-defined. This bridges
824 generating Diffie-Hellman key pairs. Credit to OSS-Fuzz.
828 are implemented. This could cause failures or the silent use of non-random
860 * Use socklen_t on Android and other POSIX-compliant systems
861 * Fix the build when the macro _GNU_SOURCE is defined to a non-empty value.
878 * Fix an off-by-one error in the additional data length check for
879 CCM, which allowed encryption with a non-standard length field.
882 MBEDTLS_MODE_ECB to 0, since ECB mode ciphers don't use IVs.
888 * Attempting to create a volatile key with a non-zero key identifier now
897 * Fix a case in elliptic curve arithmetic where an out-of-memory condition
917 specification (docs/architecture/mbed-crypto-storage-specification.md).
921 zeroize the pointed-to buffer. Reported by Antonio de la Piedra, CEA
924 = mbed TLS 2.24.0 branch released 2020-09-01
927 * In the PSA API, rename the types of elliptic curve and Diffie-Hellman
944 * Support building on e2k (Elbrus) architecture: correctly enable
945 -Wformat-signedness, and fix the code that causes signed-one-bit-field
946 and sign-compare warnings. Contributed by makise-homura (Igor Molchanov)
955 attacker could for example impersonate a 4-bytes or 16-byte domain by
971 Encrypt-then-Mac extension, use constant code flow memory access patterns
974 effective against network-based attackers, but less so against local
976 if they have access to fine-grained measurements. In particular, this
980 * Fix side channel in RSA private key operations and static (finite-field)
981 Diffie-Hellman. An adversary with precise enough timing and memory access
983 enclave) could bypass an existing counter-measure (base blinding) and
985 * Fix a 1-byte buffer overread in mbedtls_x509_crl_parse_der().
986 Credit to OSS-Fuzz for detecting the problem and to Philippe Antoine
1000 Montgomery keys in little-endian as defined by RFC7748. Contributed by
1003 curves. Raised by signpainter in #941 and by Taiki-San in #1412. This
1005 * Fix self-test failure when the only enabled short Weierstrass elliptic
1017 * Only pass -Wformat-signedness to versions of GCC that support it. Reported
1032 these applications with password-protected key files. Analogously but for
1037 = mbed TLS 2.23.0 branch released 2020-07-01
1050 high- and low-level error codes, complementing mbedtls_strerror()
1054 * The new utility programs/ssl/ssl_context_info prints a human-readable
1055 dump of an SSL context saved with mbedtls_ssl_context_save().
1071 Ming-Wei Shih, Prasun Gera, Taesoo Kim and Hyesoon Kim (Georgia Institute
1082 * Fix issue in Lucky 13 counter-measure that could make it ineffective when
1118 * Fix false positive uninitialised variable reported by cpp-check.
1127 clean of -Wformat-signedness warnings. Contributed by Kenneth Soerensen
1137 using a return command. This has been done to enable customization of the
1139 * Fix mbedtls_x509_dn_gets to escape non-ASCII characters as "?".
1151 `MBEDTLS_CTR_DRBG_C` or `MBEDTLS_HMAC_DRBG_C` for some side-channel
1160 = mbed TLS 2.22.0 branch released 2020-04-14
1164 SSL module for hardware acceleration of individual records.
1181 Billy Brumley and Cesar Pereida Garcia. CVE-2020-10932
1207 = mbed TLS 2.21.0 branch released 2020-02-20
1213 * Deprecate for MBEDTLS_PKCS11_C, the wrapper around the pkcs11-helper
1220 probability (of the order of 2^-n where n is the bitsize of the curve)
1228 ARMmbed/mbed-crypto#352
1231 * The new build option MBEDTLS_SHA512_NO_SHA384 allows building SHA-512
1232 support without SHA-384.
1241 PSA_ECC_CURVE_SECP_R1 with 256 bits is P256R1). ARMmbed/mbed-crypto#330
1247 * Fix some false-positive uninitialized variable warnings in X.509. Fix
1248 contributed by apple-ihack-geek in #2663.
1250 a cryptographic accelerator fails. ARMmbed/mbed-crypto#345
1253 keys. Found by Catena cyber using oss-fuzz (issue 20467).
1257 = mbed TLS 2.20.0 branch released 2020-01-15
1300 to achieve the security strength defined by NIST SP 800-90A. You can
1303 msopiha-linaro in ARMmbed/mbed-crypto#307.
1306 * In the PSA API, forbid zero-length keys. To pass a zero-length input to a
1320 unsupported algorithm. Fixes ARMmbed/mbed-crypto#254.
1322 to OSS-Fuzz for finding a bug in an intermediate version of the fix.
1338 merely a robustness improvement. ARMmbed/mbed-crypto#323
1340 Alexander Krizhanovsky in ARMmbed/mbed-crypto#210.
1342 Lloyd and Fortanix Inc in ARMmbed/mbed-crypto#277.
1344 Alexander Krizhanovsky in ARMmbed/mbed-crypto#308.
1346 = mbed TLS 2.19.1 branch released 2019-09-16
1360 * Fix some false-positive uninitialized variable warnings in crypto. Fix
1361 contributed by apple-ihack-geek in #2663.
1363 = mbed TLS 2.19.0 branch released 2019-09-06
1374 * The deterministic ECDSA calculation reused the scheme's HMAC-DRBG to
1383 store it in non-volatile storage, and later using it for TLS session
1387 feature can be used alongside Connection ID and SSL context serialisation.
1388 The feature is enabled at compile-time by MBEDTLS_SSL_RECORD_CHECKING
1391 (https://project-everest.github.io/). It can be enabled at compile time
1394 (32-bit and 64-bit) using GCC, Clang or Visual Studio. Contributed by
1402 * Add DER-encoded test CRTs to library/certs.c, allowing
1423 lead to successful parsing of ill-formed X.509 CRTs. Fixes #2437.
1424 * Fix multiple X.509 functions previously returning ASN.1 low-level error
1429 * Fix typo in net_would_block(). Fixes #528 reported by github-monoculture.
1436 * Enable Suite B with subset of ECP curves. Make sure the code compiles even
1450 address-sanitizer and enabling but not using MBEDTLS_ECP_RESTARTABLE.
1453 * Improve code clarity in x509_crt module, removing false-positive
1461 * Replace multiple uses of MD2 by SHA-256 in X.509 test suite. Fixes #821.
1465 * Add a Dockerfile and helper scripts (all-in-docker.sh, basic-in-docker.sh,
1466 docker-env.sh) to simplify running test suites on a Linux host. Contributed
1468 * Add `reproducible` option to `ssl_client2` and `ssl_server2` to enable
1472 * Adds fuzz targets, especially for continuous fuzzing with OSS-Fuzz.
1478 = mbed TLS 2.18.1 branch released 2019-07-12
1485 * Enable building of Mbed TLS as a CMake subproject. Suggested and fixed by
1488 = mbed TLS 2.18.0 branch released 2019-06-11
1495 * Add the Wi-SUN Field Area Network (FAN) device extended key usage.
1497 * It is now possible to perform RSA PKCS v1.5 signatures with RIPEMD-160 digest.
1500 and the used tls-prf.
1501 * Add public API for tls-prf function, according to requested enum.
1510 * Add support for draft-05 of the Connection ID extension, as specified
1511 in https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05.
1516 changed its IP or port. The feature is enabled at compile-time by setting
1517 MBEDTLS_SSL_DTLS_CONNECTION_ID (disabled by default), and at run-time
1523 and the used tls-prf.
1524 * Add public API for tls-prf function, according to requested enum.
1533 * Fix 1-byte buffer overflow in mbedtls_mpi_write_string() when
1535 OSS-Fuzz.
1536 * Fix bugs in the AEAD test suite which would be exposed by ciphers which
1551 Credit to OSS-Fuzz.
1554 * Server's RSA certificate in certs.c was SHA-1 signed. In the default
1555 mbedTLS configuration only SHA-2 signed certificates are accepted.
1559 updated to one that is SHA-256 signed. Fix contributed by
1562 provided SSL context is unset.
1570 = mbed TLS 2.17.0 branch released 2019-03-19
1574 which allows copy-less parsing of DER encoded X.509 CRTs,
1587 for the benefit of saving RAM, by disabling the new compile-time
1615 * Fix signed-to-unsigned integer conversion warning
1647 * Fix configuration queries in ssl-opt.sh. #2030
1648 * Ensure that ssl-opt.sh can be run in OS X. #2029
1649 * Re-enable certain interoperability tests in ssl-opt.sh which had previously
1654 = mbed TLS 2.16.0 branch released 2018-12-21
1672 mbedtls_ctr_drbg_update() -> mbedtls_ctr_drbg_update_ret()
1673 mbedtls_hmac_drbg_update() -> mbedtls_hmac_drbg_update_ret()
1674 * Extend ECDH interface to enable alternative implementations.
1677 the more generic per-module error codes MBEDTLS_ERR_xxx_BAD_INPUT_DATA.
1679 modules - AES, ARIA, Blowfish, CAMELLIA, CCM, GCM, DHM, ECP, ECDSA, ECDH,
1700 * Fix an unsafe bounds check when restoring an SSL session from a ticket.
1711 = mbed TLS 2.15.1 branch released 2018-11-30
1716 = mbed TLS 2.15.0 branch released 2018-11-23
1719 * Add an experimental build option, USE_CRYPTO_SUBMODULE, to enable use of
1721 * Add an experimental configuration option, MBEDTLS_PSA_CRYPTO_C, to enable
1726 * Add unit tests for AES-GCM when called through mbedtls_cipher_auth_xxx()
1729 = mbed TLS 2.14.1 branch released 2018-11-30
1733 decryption that could lead to a Bleichenbacher-style padding oracle
1740 in the paper available here: http://cat.eyalro.net/cat.pdf CVE-2018-19608
1758 = mbed TLS 2.14.0 branch released 2018-11-19
1769 space and a PSK-(EC)DHE ciphersuite was used, this allowed an attacker
1774 adversary to construct non-primes that would be erroneously accepted as
1779 pairs or Diffie-Hellman parameters, but was insufficient to validate
1780 Diffie-Hellman parameters properly.
1787 constrained, single-threaded systems where ECC is time consuming and can
1792 yet), and to existing functions in ECDH and SSL (currently only
1793 implemented client-side, for ECDHE-ECDSA ciphersuites in TLS 1.2,
1799 * Extend RSASSA-PSS signature to allow a smaller salt size. Previously, PSS
1803 that comply with FIPS 186-4, including SHA-512 with a 1024-bit key.
1804 * Add support for 128-bit keys in CTR_DRBG. Note that using keys shorter
1823 Miller-Rabin rounds.
1826 * Fix wrong order of freeing in programs/ssl/ssl_server2 example
1830 * Fix a bug in the update function for SSL ticket keys which previously
1836 padded records in case of CBC ciphersuites using Encrypt-then-MAC.
1847 wildcards and non-ASCII characters being unusable in some DN attributes.
1849 Thomas-Dee.
1853 Reported by ole-de and ddhome2006. Fixes #882, #1642 and #1706.
1873 Thomas-Dee.
1875 Fixes #517 reported by github-monoculture.
1878 by FIPS-186-4.
1880 = mbed TLS 2.13.1 branch released 2018-09-06
1884 whose implementation should behave as a thread-safe version of gmtime().
1894 = mbed TLS 2.13.0 branch released 2018-08-31
1905 with the peer, as well as by a new per-connection MTU option, set using
1907 * Add support for auto-adjustment of MTU to a safe value during the
1912 * Add support for buffering out-of-order handshake messages in DTLS.
1914 compile-time constant MBEDTLS_SSL_DTLS_MAX_BUFFERING defined
1933 * Fix potential use-after-free in mbedtls_ssl_get_max_frag_len()
1935 * Fix a bug that caused SSL/TLS clients to incorrectly abort the handshake
1944 (found by Catena cyber using oss-fuzz)
1956 * Add support for buffering of out-of-order handshake messages.
1961 = mbed TLS 2.12.0 branch released 2018-07-25
1964 * Fix a vulnerability in TLS ciphersuites based on CBC and using SHA-384,
1972 or CCM instead of CBC, using hash sizes other than SHA-384, or using
1973 Encrypt-then-Mac (RFC 7366) were not affected. The vulnerability was
1974 caused by a miscalculation (for SHA-384) in a countermeasure to the
1985 instead of CBC or using Encrypt-then-Mac (RFC 7366) were not affected.
1987 * Add a counter-measure against a vulnerability in TLS ciphersuites based
1991 previous entry) by using a cache attack targeting the SSL input record
1993 Encrypt-then-Mac (RFC 7366) were not affected. Found by Kenny Paterson,
1997 * Add new crypto primitives from RFC 7539: stream cipher Chacha20, one-time
1998 authenticator Poly1305 and AEAD construct Chacha20-Poly1305. Contributed
2000 * Add support for CHACHA20-POLY1305 ciphersuites from RFC 7905.
2001 * Add platform support for the Haiku OS. (https://www.haiku-os.org).
2009 NIST SP 800-38F algorithms KW and KWP and by RFC 3394 and RFC 5649.
2036 CBC based ciphersuite is used together with Encrypt-then-MAC. Previously,
2041 * Fix ssl_client2 example to send application data with 0-length content
2046 * Fix build using -std=c99. Fixed by Nick Wilson.
2050 zero-length messages when using TLS 1.2. Contributed by Espressif Systems.
2052 when calling with a NULL salt and non-zero salt_len. Contributed by
2056 * Allow overriding the time on Windows via the platform-time abstraction.
2058 * Use gmtime_r/gmtime_s for thread-safety. Fixed by Nick Wilson.
2060 = mbed TLS 2.11.0 branch released 2018-06-18
2065 * Implement the HMAC-based extract-and-expand key derivation function
2068 * Add support for the XTS block cipher mode with AES (AES-XTS).
2072 non-blocking operation of the TLS server stack.
2089 = mbed TLS 2.10.0 branch released 2018-06-06
2108 build to fail. Found by zv-io. Fixes #1651.
2111 * Support TLS testing in out-of-source builds using cmake. Fixes #1193.
2115 = mbed TLS 2.9.0 branch released 2018-04-30
2122 would require a non DER-compliant certificate to be correctly signed by a
2123 trusted CA, or a trusted CA with a non DER-compliant certificate. Found by
2131 * Fix a client-side bug in the validation of the server's ciphersuite choice
2154 underlying transport in case event-driven IO is used.
2160 in configurations that omit certain hashes or public-key algorithms.
2182 in the internal buffers; these cases led to deadlocks when event-driven
2199 public-key algorithms. Includes contributions by Gert van Dijk.
2219 letter must not be prefixed by '-', such as LLVM. Found and fixed by
2225 * In the SSL module, when f_send, f_recv or f_recv_timeout report
2229 HMAC functions with non-HMAC ciphersuites. Independently contributed
2232 FIPS 186-4. Contributed by Jethro Beekman. #1380
2240 = mbed TLS 2.8.0 branch released 2018-03-16
2247 prior versions of Mbed TLS. To restore the old behavior, enable
2270 uses PBKDF2-SHA2, such as OpenSSL 1.1. Submitted by Antonio Quartulli,
2281 * Fix test_suite_pk to work on 64-bit ILP32 systems. #849
2284 In the context of SSL, this resulted in handshake failure. Reported by
2307 * Fix a 1-byte heap buffer overflow (read-only) during private key parsing.
2321 = mbed TLS 2.7.0 branch released 2018-02-03
2329 both TLS and DTLS. CVE-2018-0488
2330 * Fix a buffer overflow in RSA-PSS verification when the hash was too large
2333 Qualcomm Technologies Inc. CVE-2018-0487
2334 * Fix buffer overflow in RSA-PSS verification when the unmasked data is all
2337 64 KiB to the address of the SSL buffer and causing a wrap around.
2344 was independently reported by Tim Nordell via e-mail and by Florin Petriuc
2355 * Make mbedtls_mpi_read_binary() constant-time with respect to the input
2361 * Fix a potential heap buffer over-read in ALPN extension parsing
2362 (server-side). Could result in application crash, but only if an ALPN
2365 to RFC 3526 containing parameters generated in a nothing-up-my-sleeve
2372 * New unit tests for timing. Improve the self-test to be more robust
2373 when run on a heavily-loaded machine.
2395 * Extend RSA interface by multiple functions allowing structure-
2408 mbedtls_<MODULE>_starts() -> mbedtls_<MODULE>_starts_ret()
2409 mbedtls_<MODULE>_update() -> mbedtls_<MODULE>_update_ret()
2410 mbedtls_<MODULE>_finish() -> mbedtls_<MODULE>_finish_ret()
2411 mbedtls_<MODULE>_process() -> mbedtls_internal_<MODULE>_process()
2414 * Deprecate usage of RSA primitives with non-matching key-type
2439 renegotiated handshakes would only accept signatures using SHA-1
2440 regardless of the peer's preferences, or fail if SHA-1 was disabled.
2444 * Fix some invalid RSA-PSS signatures with keys of size 8N+1 that were
2446 * Fix out-of-memory problem when parsing 4096-bit PKCS8-encrypted RSA keys.
2459 * Correct extraction of signature-type from PK instance in X.509 CRT and CSR
2463 non-v3 CRTs.
2468 MBEDTLS_SSL_RENEGOTIATION is disabled. Found by erja-gp.
2473 * Add size-checks for record and handshake message content, securing
2474 fragile yet non-exploitable code-paths.
2499 * Fix handshake status message in programs/ssl/dtls_client.c. Found
2510 * Only run AES-192 self-test if AES-192 is available. Fixes #963.
2521 * Add explicit warnings for the use of MD2, MD4, MD5, SHA-1, DES and ARC4
2524 = mbed TLS 2.6.0 branch released 2017-08-10
2527 * Fix authentication bypass in SSL/TLS: when authmode is set to optional,
2540 platform-specific setup and teardown operations. The macro
2552 * Certificate verification functions now set flags to -1 in case the full
2569 * Fix conditional preprocessor directives in bignum.h to enable 64-bit
2572 encoded X.509 CRLs. The overflow could enable maliciously constructed CRLs
2573 to bypass the version verification check. Found by Peng Li/Yueh-Hsun Lin,
2576 encoded X.509 CSRs. The overflow could enable maliciously constructed CSRs
2577 to bypass the version verification check. Found by Peng Li/Yueh-Hsun Lin,
2580 encoded X.509 certificates. The overflow could enable maliciously
2589 64-bit division. This is useful on embedded platforms where 64-bit division
2595 config-no-entropy.h to reduce the RAM footprint.
2600 = mbed TLS 2.5.1 released 2017-06-21
2603 * Fixed unlimited overread of heap-based buffer in mbedtls_ssl_read().
2604 The issue could only happen client-side with renegotiation enabled.
2608 * Removed SHA-1 and RIPEMD-160 from the default hash algorithms for
2609 certificate verification. SHA-1 can be turned back on with a compile-time
2614 potential Bleichenbacher/BERserk-style attack.
2619 and with GCC using the -Wpedantic compilation option.
2620 * Fix insufficient support for signature-hash-algorithm extension,
2647 by Jean-Philippe Aumasson.
2649 = mbed TLS 2.5.0 branch released 2017-05-17
2656 against side-channel attacks like the cache attack described in
2663 This involved exposing parts of the internal interface to enable
2666 * Add a new configuration option to 'mbedtls_ssl_config' to enable
2675 mbedtls_aes_decrypt() -> mbedtls_internal_aes_decrypt()
2676 mbedtls_aes_encrypt() -> mbedtls_internal_aes_encrypt()
2679 * Remove macros from compat-1.3.h that correspond to deleted items from most
2683 * Add checks in the PK module for the RSA functions on 64-bit systems.
2688 = mbed TLS 2.4.2 branch released 2017-03-08
2692 using RSA through the PK module in 64-bit systems. The issue was caused by
2695 mbedtls_pk_sign(). Found by Jean-Philippe Aumasson.
2709 team. #569 CVE-2017-2784
2718 mbedtls_ssl_set_bio_timeout in compat-1.3.h, by removing it.
2719 Found by omlib-lin. #673
2740 Li/Yueh-Hsun Lin, KNOX Security, Samsung Research America.
2756 = mbed TLS 2.4.1 branch released 2016-12-13
2759 * Update to CMAC test data, taken from - NIST Special Publication 800-38B -
2763 = mbed TLS 2.4.0 branch released 2016-10-17
2767 with RFC-5116 and could lead to session key recovery in very long TLS
2768 sessions. "Nonce-Disrespecting Adversaries Practical Forgery Attacks on GCM in
2769 TLS" - H. Bock, A. Zauner, S. Devlin, J. Somorovsky, P. Jovanovic.
2777 * Added support for CMAC for AES and 3DES and AES-CMAC-PRF-128, as defined by
2778 NIST SP 800-38B, RFC-4493 and RFC-4615.
2786 * Added a configuration file config-no-entropy.h that configures the subset of
2799 * Fix for key exchanges based on ECDH-RSA or ECDH-ECDSA which weren't
2801 * Fix for out-of-tree builds using CMake. Found by jwurzer, and fix based on
2814 subramanyam-c. #622
2821 Found by subramanyam-c. #626
2829 * Removed self-tests from the basic-built-test.sh script, and added all
2830 missing self-tests to the test suites, to ensure self-tests are only
2833 * Added support for a Yotta specific configuration file -
2844 = mbed TLS 2.3.0 branch released 2016-06-28
2854 SSL/TLS.
2862 arguments were the same (in-place doubling). Found and fixed by Janos
2881 * Fix test in ssl-opt.sh that does not run properly with valgrind
2885 * On ARM platforms, when compiling with -O0 with GCC, Clang or armcc5,
2887 the need to pass -fomit-frame-pointer to avoid a build error with -O0.
2891 * Fix non-compliant server extension handling. Extensions for SSLv3 are now
2894 = mbed TLS 2.2.1 released 2016-01-05
2899 remotely in SSL/TLS. Found by Rafał Przywara. #367
2906 * Fix over-restrictive length limit in GCM. Found by Andreas-N. #362
2918 = mbed TLS 2.2.0 released 2015-11-04
2936 * Experimental support for EC J-PAKE as defined in Thread 1.0.0.
2939 block. (Potential uses include EAP-TLS and Thread.)
2942 * Self-signed certificates were not excluded from pathlen counting,
2945 * Fix build error with configurations where ECDHE-PSK is the only key
2947 * Fix build error with configurations where RSA, RSA-PSK, ECDH-RSA or
2948 ECDH-ECDSA is the only key exchange. Multiple reports. #310
2949 * Fixed a bug causing some handshakes to fail due to some non-fatal alerts
2950 not being properly ignored. Found by mancha and Kasom Koht-arsa, #308
2953 minimum key size for end-entity certificates with RSA keys. Found by
2964 or -1.
2966 = mbed TLS 2.1.2 released 2015-10-06
2969 * Added fix for CVE-2015-5291 to prevent heap corruption due to buffer
2972 * Fix potential double-free if mbedtls_ssl_set_hs_psk() is called more than
2989 buffer is 512MB or larger on 32-bit platforms. Found by Guido Vranken,
2991 * Fix potential double-free if mbedtls_conf_psk() is called repeatedly on
3010 = mbed TLS 2.1.1 released 2015-09-17
3013 * Add countermeasure against Lenstra's RSA-CRT attack for PKCS#1 v1.5
3015 https://securityblog.redhat.com/2015/09/02/factoring-rsa-keys-with-tls-perfect-forward-secrecy/
3016 * Fix possible client-side NULL pointer dereference (read) when the client
3019 afl-fuzz.)
3023 * Fix off-by-one error in parsing Supported Point Format extension that
3034 MBEDTLS_ERR_SSL_CLIENT_RECONNECT - it is then possible to start a new
3037 = mbed TLS 2.1.0 released 2015-09-04
3045 * Fix build error with CMake and pre-4.5 versions of GCC (found by Hugo
3053 * Fix compile error with armcc 5 with --gnu option.
3058 * Fix missing -static-libgcc when building shared libraries for Windows
3067 * Fix -Wshadow warnings (found by hnrkp) (#240)
3069 SSL_MAX_CONTENT_LEN or higher - not triggerable remotely (found by
3077 * It is now possible to #include a user-provided configuration file at the
3081 trusted, no later cert is checked. (suggested by hannes-landeholm)
3088 = mbed TLS 2.0.0 released 2015-07-13
3095 * New server-side implementation of session tickets that rotate keys to
3099 * Expanded configurability of security parameters in the SSL module with
3101 * Introduced a concept of presets for SSL security-relevant configuration
3109 Migration helpers scripts/rename.pl and include/mbedtls/compat-1.3.h are
3110 provided. Full list of renamings in scripts/data_files/rename-1.3-2.0.txt
3112 mbedtls_cipher_info_t.key_length -> key_bitlen
3113 mbedtls_cipher_context_t.key_length -> key_bitlen
3114 mbedtls_ecp_curve_info.size -> bit_size
3119 mbedtls_ssl_init() -> mbedtls_ssl_setup()
3120 mbedtls_ccm_init() -> mbedtls_ccm_setkey()
3121 mbedtls_gcm_init() -> mbedtls_gcm_setkey()
3122 mbedtls_hmac_drbg_init() -> mbedtls_hmac_drbg_seed(_buf)()
3123 mbedtls_ctr_drbg_init() -> mbedtls_ctr_drbg_seed()
3129 (see rename.pl and compat-1.3.h above) and their first argument's type
3132 additional callback for read-with-timeout).
3143 place of mbedtls_ssl_conf_session_tickets() to enable session tickets.
3144 * The SSL debug callback gained two new arguments (file name, line number).
3151 mbedtls_x509_crt_verify() (flags, f_vrfy -> needs to be updated)
3152 mbedtls_ssl_conf_verify() (f_vrfy -> needs to be updated)
3153 * The following functions changed prototype to avoid an in-out length
3171 * Test certificates in certs.c are no longer guaranteed to be nul-terminated
3200 * Removed compat-1.2.h (helper for migrating from 1.2 to 1.3).
3204 been removed (compiler is required to support 32-bit operations).
3207 * Removed test program ssl_test, superseded by ssl-opt.sh.
3208 * Removed helper script active-config.pl
3214 Semi-API changes (technically public, morally private)
3227 * RC4 is now blacklisted by default in the SSL/TLS layer, and excluded from the
3231 * The default authmode for SSL/TLS clients is now REQUIRED.
3235 * Default DHM parameters server-side upgraded from 1024 to 2048 bits.
3239 * The following functions are now case-sensitive:
3258 * DTLS no longer hard-depends on TIMING_C, but uses a callback interface
3267 thread-safe if MBEDTLS_THREADING_C is enabled.
3268 * Reduced ROM footprint of SHA-256 and added an option to reduce it even
3277 * Add countermeasure against "Lucky 13 strikes back" cache-based attack,
3287 * Add support for id-at-uniqueIdentifier in X.509 names.
3293 cross-compilation easier (thanks to Alon Bar-Lev).
3294 * The benchmark program also prints heap usage for public-key primitives
3296 * New script ecc-heap.sh helps measuring the impact of ECC parameters on
3299 reduced configurations (PSK-CCM and NSA suite B).
3331 * Fix potential unintended sign extension in asn1_get_len() on 64-bit
3338 * Add missing dependency on SHA-256 in some x509 programs (reported by
3349 * compat-1.2.h and openssl.h are deprecated.
3352 (contributed by Alon Bar-Lev).
3355 * Move from SHA-1 to SHA-256 in example programs using signatures
3363 = mbed TLS 1.3.10 released 2015-02-09
3365 * NULL pointer dereference in the buffer-based allocator when the buffer is
3369 * Fix remotely-triggerable uninitialised pointer dereference caused by
3372 * Fix remotely-triggerable memory leak caused by crafted X.509 certificates
3379 Bleichenbacher-style attack in the RSA and RSA-PSK key exchanges
3383 * Add support for FALLBACK_SCSV (draft-ietf-tls-downgrade-scsv).
3384 * Add support for Extended Master Secret (draft-ietf-tls-session-hash).
3385 * Add support for Encrypt-then-MAC (RFC 7366).
3388 * Add compile-time option POLARSSL_X509_MAX_INTERMEDIATE_CA to limit the
3390 * Support for renegotiation can now be disabled at compile-time
3391 * Support for 1/n-1 record splitting, a countermeasure against BEAST.
3392 * Certificate selection based on signature hash, preferring SHA-1 over SHA-2
3393 for pre-1.2 clients when multiple certificates are available.
3403 add_len (found by Jean-Philippe Aumasson) (not triggerable remotely).
3419 issue with some servers when a zero-length extension was sent. (Reported
3421 * On a 0-length input, base64_encode() did not correctly set output length
3425 * Use deterministic nonces for AEAD ciphers in TLS by default (possible to
3428 * ssl_set_own_cert() now returns an error on key-certificate mismatch.
3434 * It is now possible to disable negotiation of truncated HMAC server-side
3436 * Example programs for SSL client and server now disable SSLv3 by default.
3437 * Example programs for SSL client and server now disable RC4 by default.
3440 = PolarSSL 1.3.9 released 2014-10-20
3444 * Remotely-triggerable memory leak when parsing some X.509 certificates
3447 * Remotely-triggerable memory leak when parsing crafted ClientHello
3454 * Fix net_accept() regarding non-blocking sockets (found by Luca Pesce).
3456 * Fix warnings from Clang's scan-build (contributed by Alfred Klomp).
3459 * Remove non-existent file from VS projects (found by Peter Vaskovic).
3460 * ssl_read() could return non-application data records on server while
3462 * Server-initiated renegotiation would fail with non-blocking I/O if the
3465 with non-blocking I/O.
3473 * Ciphersuites using SHA-256 or SHA-384 now require TLS 1.x (there is no
3474 standard defining how to use SHA-2 with SSL 3.0).
3475 * Ciphersuites using RSA-PSK key exchange now require TLS 1.x (the spec is
3476 ambiguous on how to encode some packets with SSL 3.0).
3487 = PolarSSL 1.3.8 released 2014-07-11
3496 * Support for parsing and verifying RSASSA-PSS signatures in the X.509
3503 * Add server-side enforcement of sent renegotiation requests
3522 * Remove less-than-zero checks on unsigned numbers
3523 * Stricter check on SSL ClientHello internal sizes compared to actual packet
3534 rejected with CBC-based ciphersuites and TLS >= 1.1
3536 to 32 bytes with CBC-based ciphersuites and TLS >= 1.1
3539 * Restore ability to locally trust a self-signed cert that is not a proper
3545 * Fix off-by-one error in parsing Supported Point Format extension that
3547 * Fix possible miscomputation of the premaster secret with DHE-PSK key
3556 = PolarSSL 1.3.7 released on 2014-05-02
3560 * version_check_feature() added to check for compile-time options at
3561 run-time
3568 * AES-NI now compiles with "old" assemblers too
3578 ciphersuites, for full SSL frames of data.
3584 big-endian platform when size was not an integer number of limbs
3591 = PolarSSL 1.3.6 released on 2014-04-11
3594 * Support for the ALPN SSL extension
3596 * Enable verification of the keyUsage extension for CA and leaf
3598 * Enable verification of the extendedKeyUsage extension
3612 This affects certificates in the user-supplied chain except the top
3613 certificate. If the user-supplied chain contains only one certificate,
3632 * dhm_parse_dhm() (hence dhm_parse_dhmfile()) did not set dhm->len.
3633 * Calling pk_debug() on an RSA-alt key would segfault.
3634 * pk_get_size() and pk_get_len() were off by a factor 8 for RSA-alt keys.
3640 = PolarSSL 1.3.5 released on 2014-03-26
3642 * HMAC-DRBG as a separate module
3646 * Ability to force the entropy module to use SHA-256 as its basis
3648 * Testing script ssl-opt.sh added for testing 'live' ssl option
3656 now thread-safe if POLARSSL_THREADING_C defined
3672 * Possible remotely-triggered out-of-bounds memory access fixed (found by
3679 * Fixed testing with out-of-source builds using cmake
3680 * Fixed version-major intolerance in server
3681 * Fixed CMake symlinking on out-of-source builds
3684 * Bignum's MIPS-32 assembly was used on MIPS-64, causing chaos. (Found by
3688 * Fixed bug with session tickets and non-blocking I/O in the unlikely case
3701 = PolarSSL 1.3.4 released on 2014-01-27
3704 * Support for RIPEMD-160
3720 = PolarSSL 1.3.3 released on 2013-12-31
3726 * Support for ECDH-RSA and ECDH-ECDSA key exchanges and ciphersuites
3728 * AES-NI support for AES, AES-GCM and AES key scheduling
3729 * SSL Pthread-based server example added (ssl_pthread_server)
3736 * More constant-time checks in the RSA module
3744 * Fixed X.509 hostname comparison (with non-regular characters)
3745 * SSL now gracefully handles missing RNG
3757 * Possible remotely-triggered out-of-bounds memory access fixed (found by
3760 = PolarSSL 1.3.2 released on 2013-11-04
3764 * Support for Camellia-GCM mode and ciphersuites
3767 * Padding checks in cipher layer are now constant-time
3768 * Value comparisons in SSL layer are now constant-time
3770 * SSL Renegotiation was refactored
3781 * Server-side initiated renegotiations send HelloRequest
3783 = PolarSSL 1.3.1 released on 2013-10-15
3786 * Support for ECDHE-PSK key-exchange and ciphersuites
3787 * Support for RSA-PSK key-exchange and ciphersuites
3793 * config.h is more script-friendly
3805 = PolarSSL 1.3.0 released on 2013-10-01
3809 * Ephemeral Elliptic Curve Diffie Hellman support for SSL/TLS
3810 (ECDHE-based ciphersuites)
3811 * Ephemeral Elliptic Curve Digital Signature Algorithm support for SSL/TLS
3812 (ECDSA-based ciphersuites)
3814 * PSK and DHE-PSK based ciphersuites added
3816 * Buffer-based memory allocator added (no malloc() / free() / HEAP usage)
3823 * Support for zeros-and-length (ANSI X.923) padding, one-and-zeros
3824 (ISO/IEC 7816-4) padding and zero padding in the cipher layer
3831 * Support for multiple active certificate / key pairs in SSL servers for
3835 * Ability to enable / disable SSL v3 / TLS 1.0 / TLS 1.1 / TLS 1.2
3837 * Introduced separate SSL Ciphersuites module that is based on
3839 * Internals for SSL module adapted to have separate IV pointer that is
3853 * Also compiles / runs without time-based functions (!POLARSSL_HAVE_TIME)
3865 (found by Cyril Arnaud and Pierre-Alain Fouque)
3868 = Version 1.2.14 released 2015-05-??
3876 * Add countermeasure against "Lucky 13 strikes back" cache-based attack,
3884 * Fix potential unintended sign extension in asn1_get_len() on 64-bit
3887 = Version 1.2.13 released 2015-02-16
3892 * Fix remotely-triggerable uninitialised pointer dereference caused by
3895 * Fix remotely-triggerable memory leak caused by crafted X.509 certificates
3908 add_len (found by Jean-Philippe Aumasson) (not triggerable remotely).
3918 issue with some servers when a zero-length extension was sent. (Reported
3920 * On a 0-length input, base64_encode() did not correctly set output length
3926 * Add compile-time option POLARSSL_X509_MAX_INTERMEDIATE_CA to limit the
3928 = Version 1.2.12 released 2014-10-24
3931 * Remotely-triggerable memory leak when parsing some X.509 certificates
3939 with non-blocking I/O.
3943 * Fix net_accept() regarding non-blocking sockets (found by Luca Pesce).
3944 * ssl_read() could return non-application data records on server while
3946 * Fix warnings from Clang's scan-build (contributed by Alfred Klomp).
3955 = Version 1.2.11 released 2014-07-11
3983 * Fixed X.509 hostname comparison (with non-regular characters)
3984 * SSL now gracefully handles missing RNG
3996 * Fixed testing with out-of-source builds using cmake
3997 * Fixed version-major intolerance in server
3998 * Fixed CMake symlinking on out-of-source builds
3999 * Bignum's MIPS-32 assembly was used on MIPS-64, causing chaos. (Found by
4014 big-endian platform when size was not an integer number of limbs
4016 * Stricter check on SSL ClientHello internal sizes compared to actual packet
4025 = Version 1.2.10 released 2013-10-07
4027 * Changed RSA blinding to a slower but thread-safe version
4034 = Version 1.2.9 released 2013-10-01
4047 (found by Cyril Arnaud and Pierre-Alain Fouque)
4049 = Version 1.2.8 released 2013-06-19
4053 * Centralized module option values in config.h to allow user-defined
4078 * Fixed values for 2-key Triple DES in cipher layer
4082 * A possible DoS during the SSL Handshake, due to faulty parsing of
4083 PEM-encoded certificates has been fixed (found by Jack Lloyd)
4085 = Version 1.2.7 released 2013-04-13
4090 * Default Blowfish keysize is now 128-bits
4097 = Version 1.2.6 released 2013-03-11
4100 * Corrected GCM counter incrementation to use only 32-bits instead of
4101 128-bits (found by Yawning Angel)
4102 * Fixes for 64-bit compilation with MS Visual Studio
4112 * Re-added handling for SSLv2 Client Hello when the define
4114 * The SSL session cache module (ssl_cache) now also retains peer_cert
4118 * Removed further timing differences during SSL message decryption in
4124 = Version 1.2.5 released 2013-02-02
4126 * Allow enabling of dummy error_strerror() to support some use-cases
4127 * Debug messages about padding errors during SSL message decryption are
4129 * Sending of security-relevant alert messages that do not break
4134 * Removed timing differences during SSL message decryption in
4137 = Version 1.2.4 released 2013-01-25
4139 * More advanced SSL ciphersuite representation and moved to more dynamic
4140 SSL core
4149 = Version 1.2.3 released 2012-11-26
4153 = Version 1.2.2 released 2012-11-24
4157 * During verify trust-CA is only checked for expiration and CRL presence
4161 * Fixed dependency on POLARSSL_SHA4_C in SSL modules
4163 = Version 1.2.1 released 2012-11-20
4166 bottom-up (Peer cert depth is 0)
4172 Pégourié-Gonnard)
4174 Pégourié-Gonnard)
4177 = Version 1.2.0 released 2012-10-31
4179 * Added support for NULL cipher (POLARSSL_CIPHER_NULL_CIPHER) and weak
4183 * Added support for multi-domain certificates through the X509 Subject
4193 * Added support for Hardware Acceleration hooking in SSL/TLS
4195 example application (programs/ssl/o_p_test) (requires OpenSSL)
4203 * Added simple SSL session cache implementation
4205 * Added option to add minimum accepted SSL/TLS protocol version
4210 * Fixed const-correctness mpi_get_bit()
4220 in SSL/TLS
4221 * Revamped x509_verify() and the SSL f_vrfy callback implementations
4245 = Version 1.1.8 released on 2013-10-01
4251 * Potential buffer-overflow for ssl_read_record() (independently found by
4256 = Version 1.1.7 released on 2013-06-19
4265 * Fixed values for 2-key Triple DES in cipher layer
4269 * A possible DoS during the SSL Handshake, due to faulty parsing of
4270 PEM-encoded certificates has been fixed (found by Jack Lloyd)
4272 = Version 1.1.6 released on 2013-03-11
4277 * Allow enabling of dummy error_strerror() to support some use-cases
4278 * Debug messages about padding errors during SSL message decryption are
4282 * Removed timing differences during SSL message decryption in
4288 = Version 1.1.5 released on 2013-01-16
4299 Pégourié-Gonnard)
4301 Pégourié-Gonnard)
4312 = Version 1.1.4 released on 2012-05-31
4314 * Correctly handle empty SSL/TLS packets (Found by James Yonan)
4318 = Version 1.1.3 released on 2012-04-29
4322 = Version 1.1.2 released on 2012-04-26
4329 Frama-C team at CEA LIST)
4333 = Version 1.1.1 released on 2012-01-23
4337 * Fixed issues with Intel compiler on 64-bit systems (Closes ticket #50)
4341 = Version 1.1.0 released on 2011-12-22
4343 * Added ssl_session_reset() to allow better multi-connection pools of
4344 SSL contexts without needing to set all non-connection-specific
4351 * Added CTR_DRBG based on AES-256-CTR (NIST SP 800-90) random generator
4360 * Increased maximum size of ASN1 length reads to 32-bits.
4365 * Changed the defined key-length of DES ciphers in cipher.h to include the
4370 trade-off
4379 encountering a parse-error. Beware that the meaning of return values has
4384 * Fixed faulty HMAC-MD2 implementation. Found by dibac. (Closes
4390 * Fixed incorrect behaviour in case of RSASSA-PSS with a salt length
4399 = Version 1.0.0 released on 2011-07-27
4412 = Version 0.99-pre5 released on 2011-05-26
4414 * Added additional Cipher Block Modes to symmetric ciphers
4416 enable and disable individual modes when needed
4445 = Version 0.99-pre4 released on 2011-04-01
4448 for the RSAES-OAEP and RSASSA-PSS operations.
4463 platform (32-bit / 64-bit) (Fixes ticket #19, found by Mads
4467 * Fixed proper handling of RSASSA-PSS verification with variable
4470 = Version 0.99-pre3 released on 2011-02-28
4471 This release replaces version 0.99-pre2 which had possible copyright issues.
4496 * Fixed a possible Man-in-the-Middle attack on the
4500 = Version 0.99-pre1 released on 2011-01-30
4502 Note: Most of these features have been donated by Fox-IT
4509 * Detection for DES weak keys and parity bits added
4519 libpkcs11-helper library
4524 * The ciphers member of ssl_context and the cipher member
4530 = Version 0.14.0 released on 2010-08-16
4534 * Added compile-time and run-time version information
4544 * Some SSL defines were renamed in order to avoid
4554 = Version 0.13.1 released on 2010-03-24
4559 = Version 0.13.0 released on 2010-03-21
4565 printing of X509 certificates from file or SSL
4575 * Added reset function for HMAC context as speed-up
4576 for specific use-cases
4587 = Version 0.12.1 released on 2009-10-04
4598 = Version 0.12.0 released on 2009-07-28
4602 Base64, MPI, SHA-family, MD-family, HMAC-SHA-family,
4603 Camellia, DES, 3-DES, RSA PKCS#1, XTEA, Diffie-Hellman
4619 * Fixed HMAC-MD2 by modifying md2_starts(), so that the
4640 * Fixed Camellia and XTEA for 64-bit Windows systems.
4642 = Version 0.11.1 released on 2009-05-17
4643 * Fixed missing functionality for SHA-224, SHA-256, SHA384,
4644 SHA-512 in rsa_pkcs1_sign()
4646 = Version 0.11.0 released on 2009-05-03
4650 * Added support for SHA-224, SHA-256, SHA-384 and SHA-512
4660 * Made definition of net_htons() endian-clean for big endian
4664 * Fixed an off-by-one buffer allocation in ssl_set_hostname()
4668 SSL/TLS code.
4669 * Fixed compatibility of XTEA and Camellia on a 64-bit system
4672 = Version 0.10.0 released on 2009-01-12
4684 = Version 0.9 released on 2008-03-16
4690 be sent twice in non-blocking mode when send returns EAGAIN
4693 * Added user-defined callback debug function (Krystian Kolodziej)
4699 output data is non-aligned by falling back to the software
4700 implementation, as VIA Nehemiah cannot handle non-aligned buffers
4702 Robson-Garth; some x509write.c fixes by Pascal Vizeli, thanks to
4710 * Added an option to enable/disable the BN assembly code
4711 * Updated rsa_check_privkey() to verify that (D*E) = 1 % (P-1)*(Q-1)
4713 selftest and benchmark to not test ciphers that have been disabled
4715 serial number, setup correct server port in the ssl client example
4716 * Fixed a critical denial-of-service with X.509 cert. verification:
4719 * Added test vectors for: AES-CBC, AES-CFB, DES-CBC and 3DES-CBC,
4720 HMAC-MD5, HMAC-SHA1, HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512
4721 * Fixed HMAC-SHA-384 and HMAC-SHA-512 (thanks to Josh Sinykin)
4724 as the Klima-Pokorny-Rosa extension of Bleichenbacher's attack
4725 * Updated rsa_gen_key() so that ctx->N is always nbits in size
4729 = Version 0.8 released on 2007-10-20
4737 * Added user-defined callbacks for handling I/O and sessions
4738 * Added lots of debugging output in the SSL/TLS functions
4741 * Added AES-CFB mode of operation, contributed by chmike
4742 * Added an SSL/TLS stress testing program (ssl_test.c)
4745 * Updated ssl_read() to skip 0-length records from OpenSSL
4747 * Fixed a bug in mpi_read_binary() on 64-bit platforms
4754 = Version 0.7 released on 2007-07-07
4756 * Added support for the MicroBlaze soft-core processor
4757 * Fixed a bug in ssl_tls.c which sometimes prevented SSL
4758 connections from being established with non-blocking I/O
4762 * Added the SHA-224, SHA-384 and SHA-512 hash functions
4767 * Rewrote README.txt in program/ssl/ca to better explain
4770 = Version 0.6 released on 2007-04-01
4772 * Ciphers used in SSL/TLS can now be disabled at compile
4776 * Added multiply assembly code for 64-bit PowerPCs,
4780 * Fixed "long long" compilation issues on IA-64 and PPC64
4781 * Fixed a bug introduced in xyssl-0.5/timing.c: hardclock
4784 = Version 0.5 released on 2007-03-01
4787 * Added (beta) support for non-blocking I/O operations
4790 (thanks to Benjamin Newman), HP-UX, FreeBSD and Solaris
4795 = Version 0.4 released on 2007-02-01
4797 * Added support for Ephemeral Diffie-Hellman key exchange
4808 = Version 0.3 released on 2007-01-01
4810 * Added server-side SSLv3 and TLSv1.0 support
4819 = Version 0.2 released on 2006-12-01
4830 the Miller-Rabin primality test
4834 who maintains the Debian package :-)
4836 = Version 0.1 released on 2006-11-01