Lines Matching refs:in
6 * Fix a buffer underrun in mbedtls_pk_write_key_der() when
9 Fix a related buffer underrun in mbedtls_pk_write_key_pem()
19 in C++. This resolves a build failure under C++ compilers that do not
30 in the protocol version negotiation.
39 psa_key_derivation_output_key_ext() are deprecated in favor of
42 data is passed in a separate parameter instead of a flexible array
45 in Mbed TLS 4.0:
53 in Mbed TLS 4.0:
63 from the public API in Mbed TLS 4.0:
77 in Mbed TLS 4.0:
86 of increased code size. This option is off by default, but enabled in
94 * Fix a stack buffer overflow in mbedtls_ecdsa_der_to_raw() and
97 all values of bits are affected. This never happens in internal library
102 in keyUsage or extKeyUsage extensions, then the return value of
119 passing in zero length additional data to multipart AEAD.
123 * Fix error handling when creating a key in a dynamic secure element
127 * Fix issue of redefinition warning messages for _GNU_SOURCE in
131 * Fix a compilation warning in pk.c when PSA is enabled and RSA is disabled.
132 * Fix the build when MBEDTLS_PSA_CRYPTO_CONFIG is enabled and the built-in
133 CMAC is enabled, but no built-in unauthenticated cipher is enabled.
139 * Fix interference between PSA volatile keys and built-in keys
145 but MBEDTLS_DHM_C is disabled. Reported by Michael Schuster in #9188.
147 MBEDTLS_SSL_CLI_C is disabled. Reported by M-Bab on GitHub in #9186.
149 some code was defining 0-size arrays, resulting in compilation errors.
150 Fixed by disabling the offending code in configurations without PSA
156 legacy_compression_methods in the ClientHello.
159 in an application that does not call psa_crypto_init().
161 * Fix TLS connection failure in applications using an Mbed TLS client in
169 * Fixed a regression introduced in 3.6.0 where the CA callback set with
173 * Fixed a regression introduced in 3.6.0 where clients that relied on
181 * Fixed a regression introduced in 3.6.0 where context-specific certificate
185 callback in TLS 1.3.
191 potentially resulting in buffer overflows.
195 in Mbed TLS 3.0, but was not announced in a changelog entry at the time.
200 * Remove `tls13_` in mbedtls_ssl_tls13_conf_early_data() and
202 feature may not be TLS 1.3 specific in the future. Fixes #6909.
205 * psa_import_key() now only accepts RSA keys in the PSA standard formats.
219 They are deprecated and will be removed in a future version of the
221 * mbedtls_ecp_write_key() is deprecated in favor of
238 * AES-NI is now supported in Windows builds with clang and clang-cl.
246 that use the decryption direction (ECB in PSA, CBC, XTS, KW) and with DES.
250 library without the corresponding built-in implementation. Generally
252 or they'll both be built in. However, for CCM and GCM the built-in
257 disabled. This requires PSA_WANT_ALG_ECB_NO_PADDING in addition to
260 size by disabling it in more circumstances. In particular, the CCM and
265 details and current limitations; in particular, NIST_KW and PKCS5/PKCS12
289 in bits, i.e. the key size for an RSA key.
298 ECDH in all ECDH configurations.
311 the MBEDTLS_X509_EXT_BASIC_CONSTRAINTS bit in the certificate's
316 used as random number generator function (f_rng) and context (p_rng) in
329 the mbedtls_ssl_conf_early_data() API (by default disabled in both cases).
339 ClientHello in a TLS 1.3 server supporting some PSK key exchange mode. A
342 * Passing buffers that are stored in untrusted memory as arguments
349 the function call (i.e. no buffer parameters are in shared memory),
357 TLS 1.3 connection potentially resulting in a Denial of Service or forced
363 client could put the TLS 1.3-only server in an infinite loop processing
364 a TLS 1.2 ClientHello, resulting in a denial of service. Reported by
374 * Fix compilation error in C++ programs when MBEDTLS_ASN1_PARSE_C is
376 * Fix possible NULL dereference issue in X509 cert_req program if an entry
377 in the san parameter is not separated by a colon.
378 * Fix possible NULL dereference issue in X509 cert_write program if an entry
379 in the san parameter is not separated by a colon.
383 * Fix build failure in conda-forge. Fixes #8422.
392 in TLS Suite B Profile. Fixes #8221.
404 entropy resource in gen_key example. Fixes #8809.
408 mbedtls_pk_encrypt() on non-opaque RSA keys to honor the padding mode in
413 * Fix missing bitflags in SSL session serialization headers. Their absence
414 allowed SSL sessions saved in one configuration to be loaded in a
420 * Fix NULL pointer dereference in mbedtls_pk_verify_ext() when called using
434 individually enabled in order to enable respective support; also the
435 corresponding MBEDTLS_PSA_ACCEL symbol should be defined in case
447 * RSA support in PSA no longer auto-enables the pkparse and pkwrite modules,
456 * The TLS 1.3 protocol is now enabled in the default configuration.
461 * Fix a timing side channel in private key RSA operations. This side channel
469 could result in an integer overflow, causing a zero-length buffer to be
480 * Fix accidental omission of MBEDTLS_TARGET_PREFIX in 3rdparty modules
481 in CMake.
486 * Mbed TLS 3.4 introduced support for omitting the built-in implementation
488 there was a flaw in the logic checking if the built-in implementation, in
491 accelerated and still have the built-in implementation compiled out.
494 considered not accelerated, and the built-in implementation of the curves
495 and any algorithm possible using them will be included in the build.
508 are now being deprecated in favor of PSA_WANT_KEY_TYPE_xxx_KEY_PAIR_yyy and
512 * MBEDTLS_CIPHER_BLKSIZE_MAX is deprecated in favor of
518 deprecated in favor of mbedtls_pkcs5_pbes2_ext() and
526 been called. Previously (in 3.3), this was restricted to a few modules,
527 and only in builds where MBEDTLS_MD_C was disabled; in particular the
529 provided - these limitations are lifted in this version. A new set of
532 they're provided by a built-in implementation, a driver or both. See
535 MBEDTLS_ECDH_C in the build in order to save code size. For TLS 1.2
537 MBEDTLS_USE_PSA_CRYPTO. Restartable/interruptible ECDHE operations in
538 TLS 1.2 (ECDHE-ECDSA key exchange) are not supported in those builds yet,
543 algorithms in PSA, with some limitations. See docs/driver-only-builds.txt
545 * Add parsing of directoryName subtype for subjectAltName extension in
553 public and private keys in RFC 8410 format using the existing PK APIs.
558 * Add support for the FFDH algorithm and DH key types in PSA, with
559 parameters from RFC 7919. This includes a built-in implementation based
564 IP address, OtherName, and DirectoryName, as defined in RFC 5280.
569 described in 7.4 of RFC5280, will result in a positive URI verification.
573 * Add support to restrict AES to 128-bit keys in order to save code size.
585 or DH) were introduced in order to have finer accuracy in defining the
591 (useful for testing purposes), but this might change in the future.
592 * Add support for FFDH key exchange in TLS 1.3.
607 * Support for "opaque" (PSA-held) ECC keys in the PK module has been
615 of subjectAltName extension in x509 certificates.
622 * Accept arbitrary AttributeType and AttributeValue in certificate
630 * Fix a case where potentially sensitive information held in memory would not
631 be completely zeroized during TLS 1.2 handshake, in both server and client
636 only used in relation with CMAC which does not support these ciphers.
644 * Improve padding calculations in CBC decryption, NIST key unwrapping and
650 conditional instructions, which can have an observable difference in
659 * Fix a buffer overread when parsing short TLS application data records in
661 * Fix a remotely exploitable heap buffer overflow in TLS handshake parsing.
672 than all built-in ones and RSA is disabled.
679 in the ecdsa.h header file. There was a build warning when the
684 * Fix missing PSA initialization in sample programs when
691 * Fix "unterminated '#pragma clang attribute push'" in sha256/sha512.c when
696 * Fix very high stack usage in SSL debug code. Reported by Maximilian
697 Gerhardt in #7804.
698 * Fix a compilation failure in the constant_time module when
700 Coutinho in #7787.
704 * Fix a bug in which mbedtls_x509_string_to_names() would return success
706 * Fix compilation warnings in aes.c, which prevented the
707 example TF-M configuration in configs/ from building cleanly:
710 * In TLS 1.3, fix handshake failure when a client in its ClientHello
714 * Fix CCM* with no tag being not supported in a build with CCM as the only
722 * Fix a potential corruption of the passed-in IV when mbedtls_aes_crypt_cbc()
724 * Fix compile failure due to empty enum in cipher_wrap.c, when building
727 signature can silently return an incorrect result in low memory conditions.
738 * Fix a build error in some configurations with MBEDTLS_PSA_CRYPTO_CONFIG
741 * Fix undefined symbols in some builds using TLS 1.3 with a custom
744 * Functions in the ssl_cache module now return a negative MBEDTLS_ERR_xxx
745 error code on failure. Before, they returned 1 to indicate failure in
747 * mbedtls_pk_parse_key() now rejects trailing garbage in encrypted keys.
788 * mbedtls_x509write_crt_set_serial() is now being deprecated in favor of
791 * PSA to mbedtls error translation is now unified in psa_util.h,
799 Syntax, as defined in RFC 2315. Currently, support is limited to the
804 - Certificates must be in X.509 format. A message must have either 0
817 * Add support for reading points in compressed format
823 This helps in saving code size when some of the above hashes are not
826 Subject Alternative Names) in x509 Certificate Sign Requests.
831 extension in x509 certificates.
835 extension in x509 certificates.
840 MBEDTLS_ECDSA_C in the build in order to save code size. For PK, X.509
842 Restartable/interruptible ECDSA operations in PK, X.509 and TLS are not
843 supported in those builds yet, as driver support for interruptible ECDSA
855 MBEDTLS_ECJPAKE_C in the build in order to save code size. For the
860 an mbedtls_rsa_context, as requested in #6917.
862 * AES-NI is now supported in 32-bit builds, or when MBEDTLS_HAVE_ASM
875 * Fix a potential heap buffer overread in TLS 1.3 client-side when
876 MBEDTLS_DEBUG_C is enabled. This may result in an application crash.
888 * Fix possible integer overflow in mbedtls_timing_hardclock(), which
889 could cause a crash in programs/test/benchmark.
891 * Fix a bug in the build where directory names containing spaces were
892 causing generate_errors.pl to error out resulting in a build failure.
896 ticket timestamps (typically timestamps in milliseconds) compared to the
897 Mbed TLS ticket timestamps (in seconds) to compute a ticket age smaller
902 * List PSA_WANT_ALG_CCM_STAR_NO_TAG in psa/crypto_config.h so that it can
911 * Fix potential undefined behavior in mbedtls_mpi_sub_abs(). Reported by
912 Pascal Cuoq using TrustInSoft Analyzer in #6701; observed independently by
915 arguments, access uninitialized memory in some cases. Fixes #6700 (which
924 * Fix bug in conversion from OID to string in
932 have the most-significant bit set in their last byte.
935 * Fix the handling of renegotiation attempts in TLS 1.3. They are now
937 * Fix an unused-variable warning in TLS 1.3-only builds if
939 * Fix undefined behavior in mbedtls_ssl_read() and mbedtls_ssl_write() if
942 instead of role in PAKE PSA Crypto API as described in the specification.
945 TLS12_PRF but not TLS12_PSK_TO_MS. Reported by joerchan in #7125.
947 least preferred. The selection error was introduced in Mbed TLS 3.3.0.
953 Extensions, where some compilers would emit EOR3 instructions in other
969 - now it accepts the serial number in 2 different formats: decimal and
971 - "serial" is used for the decimal format and it's limited in size to
980 As tested in issue 6790, the correlation between this define and
1008 from a release, the Python module jsonschema is now necessary, in
1010 maintained in scripts/basic.requirements.txt and may change again
1011 in the future.
1019 * Support rsa_pss_rsae_* signature algorithms in TLS 1.2.
1022 resulting in library names like "libmbedtls.so" rather than
1026 are supported in this implementation.
1028 built-in implementation present, but only in some configurations.
1033 See the documentation of the corresponding macros in mbedtls_config.h for
1037 all hashes only provided by drivers (no built-in hash) is to use
1040 properly negotiate/accept hashes based on their availability in PSA.
1041 As a consequence, they now work in configurations where the built-in
1046 for authentication in TLS 1.3.
1051 1024 messages. As such, it is not intended for use in TLS, but instead
1065 corresponding new public API call has been added in the library,
1067 * cert_write: support for writing certificate files in either PEM
1075 of memory in named data lists in X.509 structures.
1077 Additional PSA key slots will be allocated in the process of such key
1085 entry point. This entry point is specified in the proposed PSA driver
1088 calculation that can be used to derive the session secret in TLS 1.2,
1089 as described in draft-cragie-tls-ecjpake-01. This can be achieved by
1093 * Fix potential heap buffer overread and overwrite in DTLS if
1102 and Defenses of the Sliding Window Algorithm in TEEs" - Design, Automation
1103 and Test in Europe 2023.
1107 * Fix an issue with in-tree CMake builds in releases with GEN_FILES
1121 other certificate files. Contributed by Eduardo Silva in #2602.
1125 advertised support for PSS in both TLS 1.2 and 1.3, but only
1126 actually supported PSS in TLS 1.3.
1137 configurations with only one encryption type enabled in TLS 1.2.
1138 * Provide the missing definition of mbedtls_setbuf() in some configurations
1142 * Fix memory leak in ssl_parse_certificate_request() caused by
1143 mbedtls_x509_get_name() not freeing allocated objects in case of error.
1151 signature with an invalid public key, in some cases. Reported by
1152 Guido Vranken using Cryptofuzz in #4420.
1154 in TLS PRF code. Reported by Michael Madsen in #6516.
1157 in TLS 1.3 (where it is forbidden).
1158 * Fix a bug in which mbedtls_x509_crt_info() would produce non-printable
1161 serial numbers are now rendered in hex format. Fixes #6262.
1162 * Fix bug in error reporting in dh_genprime.c where upon failure,
1174 * Fix undefined behavior (typically harmless in practice) of
1177 * Fix undefined behavior (typically harmless in practice) when some bignum
1180 * Fix undefined behavior (typically harmless in practice) in PSA ECB
1214 mbedtls_ssl_conf_min_version() in favor of
1223 * Deprecate mbedtls_ssl_conf_sig_hashes() in favor of the more generic
1238 * Add a function to access the protocol version from an SSL context in a
1242 * Add ALPN support in TLS 1.3 clients.
1253 final delay field in an mbedtls_timing_delay_context, as requested in
1261 mbedtls_ssl_handshake_step(), requested in #4383.
1263 within mbedtls_ssl_context, as requested in #5184.
1274 feature requirements in the file named by the new macro
1279 field within mbedtls_x509_crt context, as requested in #5585.
1280 * Add HKDF-Expand and HKDF-Extract as separate algorithms in the PSA API.
1285 now capable of negotiating another shared secret if the one sent in its
1288 TLS 1.3 protocols are enabled in the build of Mbed TLS, the TLS client now
1299 affected only a limited subset of crypto operations in TLS, X.509 and PK,
1303 Opaque keys can now be used everywhere a private key is expected in the
1309 * cmake now detects if it is being built as a sub-project, and in that case
1314 by side in order to illustrate how the operation is performed in PSA.
1325 potentially left in memory after file operations. Reported by
1327 * Fix a potential heap buffer overread in TLS 1.2 server-side when
1330 is selected. This may result in an application crash or potentially an
1332 * Fix a buffer overread in DTLS ClientHello parsing in servers with
1334 or a man-in-the-middle could cause a DTLS server to read up to 255 bytes
1340 * Fix a buffer overread in TLS 1.3 Certificate parsing. An unauthenticated
1347 * Fix check of certificate key usage in TLS 1.3. The usage of the public key
1362 in reduced configurations when MBEDTLS_USE_PSA_CRYPTO is enabled.
1363 * Fix a bug in (D)TLS curve negotiation: when MBEDTLS_USE_PSA_CRYPTO was
1374 * Fix API violation in mbedtls_md_process() test by adding a call to
1378 * Fix a race condition in out-of-source builds with CMake when generated data
1382 * Fix bug in the alert sending function mbedtls_ssl_send_alert_message()
1383 potentially leading to corrupted alert messages being sent in case
1389 The fix was released, but not announced, in Mbed TLS 3.1.0.
1392 only, but in fact it does apply to the public key type of the end entity
1394 * Fix undefined behavior in mbedtls_asn1_find_named_data(), where val is
1396 * Fix compilation error with mingw32. Fixed by Cameron Cawley in #4211.
1398 Miroslav Mastny in #4015.
1401 * Fix a bug in the x25519 example program where the removal of
1408 * Add mbedtls_x509_dn_get_next function to return the next relative DN in
1413 * Silence a warning from GCC 12 in the selftest program. Fixes #5974.
1416 dependencies explicit in the documentation. Fixes #5610.
1420 * Fix resource leaks in mbedtls_pk_parse_public_key() in low
1425 connection identifier in encrypted record headers. Fix #5872.
1428 by 2, and mbedtls_mpi_write_string() in base 2).
1433 which have been broken, resulting in compilation errors, since Mbed TLS
1439 * Fix an error in make where the absence of a generated file caused
1442 in mbedtls_mpi_exp_mod(). Reported by Tautvydas Žilys in #5467.
1444 issues in CI/CD environments.
1455 temporary variable on the heap. Suggested by Sergey Kanatov in #5304.
1456 * Assume source files are in UTF-8 when using MSVC with CMake.
1458 DLLs are now installed in the bin directory instead of lib.
1464 in Microsoft Visual C++ compiler. Contributed by Microplankton.
1467 use of FetchContent, as requested in #5688.
1475 MBEDTLS_ERR_GCM_BUFFER_TOO_SMALL in case the buffer length is too small.
1488 * Deprecate mbedtls_ssl_conf_curves() in favor of the more generic
1497 Archana Madhavan in #4626. Fixes #3399 and #4249.
1508 is currently implemented in the AES, DES and md modules, and will be
1509 extended to other modules in the future.
1531 value when verifying a MAC or AEAD tag. This hardens the library in
1534 man-in-the-middle to inject fake ciphertext into a DTLS connection.
1537 if the output buffer is in memory that is shared with an untrusted
1541 oracle vulnerability if the output buffer is in memory that is shared with
1551 * The GNU makefiles invoke python3 in preference to python except on Windows.
1556 * Fix a parameter set but unused in psa_crypto_cipher.c. Fixes #4935.
1557 * Don't use the obsolete header path sys/fcntl.h in unit tests.
1558 These header files cause compilation errors in musl.
1570 MBEDTLS_AES_ALT or MBEDTLS_DES_ALT. Reported by Armelle Duboc in #1092.
1574 * Fix compile-time or run-time errors in PSA
1577 The requirement of minimum 15 bytes for output buffer in
1578 psa_aead_finish() and psa_aead_verify() does not apply to the built-in
1581 the built-in implementation of the GCM.
1583 input buffer size is valid only for the built-in implementation of GCM.
1597 * Fix issue in Makefile on Linux with SHARED=1, that caused shared libraries
1599 * Fix a bug in mbedtls_gcm_starts() when the bit length of the iv
1601 * Fix an uninitialized variable warning in test_suite_ssl.function with GCC
1605 * Fix a potential invalid pointer dereference and infinite loop bugs in
1622 were introduced in mbedTLS 3.0 release, however their implementation was
1636 * Indicate in the error returned if the nonce length used with
1641 from this module will be included in the build as required. Currently
1663 Transfer keys and certificates embedded in the library to the test
1665 users from using unsafe keys in production.
1667 Various helpers and definitions available for use in alt implementations
1674 were not meant to be used in application code have been moved out of
1684 * Update AEAD output size macros to bring them in line with the PSA Crypto
1686 key type used, as well as the key bit-size in the case of
1700 rather than array type. This removes spurious warnings in some compilers
1734 Support for more than one PSK may be added in 3.X.
1740 anything with the currently implemented AEADs, so in practice it was
1743 instead of computing tables at runtime. Thus, this option now increases
1744 code size, and it no longer increases RAM usage at runtime.
1771 in DHM and ECDH that compute the shared secret; the scalar multiplication
1772 functions in ECP.
1783 in TLS 1.3. Finally, the key export callback and
1785 * Signature functions in the RSA and PK modules now require the hash
1796 * Direct access to fields of structures declared in public headers is no
1807 Key Wrapping mode as defined in NIST SP 800-38F. Fixes #4036.
1810 by default. The default order in TLS now favors faster curves over larger
1817 bear this in mind and do not add them to backported code.
1823 in the development branch” in README.md for more information.
1834 * Removed deprecated things in psa/crypto_compat.h. Fixes #4284
1839 More details on PCKS#11 wrapper removal can be found in the mailing list
1921 test cases provided in the NIST's CAVP test suite. Contributed by Cédric
1922 Meuter in PR #3183.
1923 * Added support for built-in driver keys through the PSA opaque crypto
1932 * The new function mbedtls_mpi_random() generates a random value in a
1940 query the size of the modulus in a Diffie-Hellman context.
1946 * Implement psa_mac_compute() and psa_mac_verify() as defined in the
1950 * Fix a bias in the generation of finite-field Diffie-Hellman-Merkle (DHM)
1952 computations. Reported by FlorianF89 in #4245.
1953 * Fix a potential side channel vulnerability in ECDSA ephemeral key generation.
1957 large number of signature operations. This completes a partial fix in
1972 * Fix premature fopen() call in mbedtls_entropy_write_seed_file which may
1973 lead to seed file corruption if the path to the seed file is
1975 Krasnoshchok in #3616.
1978 to create is not valid, bringing them in line with version 1.0.0 of the
1984 in line with version 1.0.0 of the specification. Fix #4162.
1985 * Fix a bug in ECDSA that would cause it to fail when the hash is all-bits
1987 * Fix some cases in the bignum module where the library constructed an
2000 defined to specific values. If the code is used in a context
2001 where these are already defined, this can result in a compilation
2005 nonetheless, resulting in undefined reference errors when building a
2006 shared library. Reported by Guillermo Garcia M. in #4411.
2014 directive in a header and a missing initialization in the self-test.
2015 * Fix a missing initialization in the Camellia self-test, affecting
2021 * Fix a regression introduced in 2.24.0 which broke (D)TLS CBC ciphersuites
2022 (when the encrypt-then-MAC extension is not in use) with some ALT
2031 * Fix a resource leak in a test suite with an alternative AES
2033 * Fix a crash in mbedtls_mpi_debug_mpi on a bignum having 0 limbs. This
2036 in #4578. Fixes #4608.
2038 mbedtls_rsa_rsassa_pss_verify() and was causing failures in some _ALT
2046 mbedtls_mpi_read_xxx functions (including in particular TLS code) since
2057 in all the right places. Include it from crypto_platform.h, which is
2059 * Fix which alert is sent in some cases to conform to the
2067 * Fix the setting of the read timeout in the DTLS sample programs.
2069 * Fix memsan build false positive in x509_crt.c with clang 11
2090 may result in mbedtls_mpi_write_binary() or mbedtls_mpi_write_string()
2103 the config file in a way that's compatible with the config file format
2117 * Renamed the PSA Crypto API output buffer size macros to bring them in line
2120 in bits rather than bytes, with an additional flag to indicate if the
2122 * Renamed the PSA Crypto API AEAD tag length macros to bring them in line
2144 MBEDTLS_ECP_xxx_ALT accelerator hooks are in use can now be turned off
2147 tweaking the setting for the maximum amount of keys simultaneously in RAM.
2164 * Fix a security reduction in CTR_DRBG when the initial seeding obtained a
2172 Found by John Stroebel in #3819 and fixed in #3973.
2173 * Fix a buffer overflow in mbedtls_mpi_sub_abs() when calculating
2178 only called with |A| >= |B|. Reported by Guido Vranken in #4042.
2179 * Fix an erroneous estimation for an internal buffer in
2183 Found by Daniel Otte, reported in #4093 and fixed in #4094.
2186 beyond FD_SETSIZE. Reported by FigBug in #4169.
2191 * Fix use-after-scope error in programs/ssl/ssl_client2.c and ssl_server2.c
2195 * Fix a memory leak in an error case in psa_generate_derived_key_internal().
2196 * Fix a resource leak in CTR_DRBG and HMAC_DRBG when MBEDTLS_THREADING_C
2198 This was a regression introduced in the previous release. Reported in
2204 * Fix a resource leak in a bad-arguments case of mbedtls_rsa_gen_key()
2212 include this extension in all CA certificates that contain public keys
2214 extension as critical in such certificates." Previous to this change,
2248 mbedtls_cipher_auth_decrypt() are deprecated in favour of the new
2252 the tag in the ciphertext length.
2260 in combined key agreement and derivation operations, as long as the key
2261 agreement algorithm in use matches the algorithm the key was declared with.
2269 * Add support for DTLS-SRTP as defined in RFC 5764. Contributed by Johan
2276 compatibility, but will be deprecated and later removed in future
2279 PSA_CIPHER_IV_MAX_SIZE macros have been added as defined in version
2292 * A failure of the random generator was ignored in mbedtls_mpi_fill_random(),
2293 which is how most uses of randomization in asymmetric cryptography
2300 algorithm parameters (only the size) when comparing the signature in the
2304 valid. However, if the parameters do not match in *any* way then the
2308 and reported it in #3629.
2310 in mbedtls_pkcs5_pbkdf2_hmac(), mbedtls_internal_sha*_process(),
2318 * Fix build failure in configurations where MBEDTLS_USE_PSA_CRYPTO is
2320 * Include the psa_constant_names generated source code in the source tree
2324 addresses a regression but is rare in practice (approx. 1 in 2/sqrt(N)).
2331 sizes (instead of PSA_ERROR_BAD_STATE in some cases) to make the
2345 * Fix an off-by-one error in the additional data length check for
2351 defined. Fix contributed in #3571.
2352 * Fix conditions for including string.h in error.c. Fixes #3866.
2354 in a secure element.
2358 * Attempting to create or register a key with a key identifier in the vendor
2361 * Add missing arguments of debug message in mbedtls_ssl_decrypt_buf.
2362 * Fix a memory leak in mbedtls_mpi_sub_abs() when the result was negative
2364 * Fix a case in elliptic curve arithmetic where an out-of-memory condition
2365 could go undetected, resulting in an incorrect result.
2366 * In CTR_DRBG and HMAC_DRBG, don't reset the reseed interval in seed().
2371 until this property was inadvertently broken in Mbed TLS 2.19.0.
2380 Reported in #3591 and fix contributed in #3592 by Daniel Otte.
2386 * Remove the zeroization of a pointer variable in AES rounds. It was valid
2395 group families to psa_ecc_family_t and psa_dh_family_t, in line with the
2405 through PSA Crypto with a volatile lifetime. Reported in #3288 and
2406 contributed by Steven Cooreman in #3382.
2417 * Fix a vulnerability in the verification of X.509 certificates when
2421 name in that extension regardless of its type. This means that an
2426 reported by kFYatek in #3498.
2428 its revocationDate was in the past according to the local clock if
2434 revocationDate field, in accordance with RFC 5280. Reported by
2435 yuemonangong in #3340. Reported independently and fixed by
2436 Raoul Strackx and Jethro Beekman in #3433.
2447 * Fix side channel in RSA private key operations and static (finite-field)
2452 * Fix a 1-byte buffer overread in mbedtls_x509_crl_parse_der().
2455 * Zeroising of plaintext buffers in mbedtls_ssl_read() to erase unused
2456 application data from memory. Reported in #689 by
2462 * Use local labels in mbedtls_padlock_has_support() to fix an invalid symbol
2464 Reported in #3451 and fix contributed in #3452 by okhowang.
2467 Montgomery keys in little-endian as defined by RFC7748. Contributed by
2468 Steven Cooreman in #3425.
2470 curves. Raised by signpainter in #941 and by Taiki-San in #1412. This
2471 also fixes missing declarations reported by Steven Cooreman in #1147.
2475 instead of erroring out. Contributed by Steven Cooreman in #3492.
2477 lower bits. Fix contributed in #3540.
2478 * Fix a memory leak in mbedtls_md_setup() when using HMAC under low memory
2479 conditions. Reported and fix suggested by Guido Vranken in #3486.
2480 * Fix bug in redirection of unit test outputs on platforms where stdout is
2481 defined as a macro. First reported in #2311 and fix contributed in #3528.
2485 in #3478 and fix contributed in #3479 by okhowang.
2488 Contributed by Doru Gucea and Simon Leet in #3464.
2489 * Undefine the ASSERT macro before defining it locally, in case it is defined
2490 in a platform header. Contributed by Abdelatif Guettouche in #3557.
2493 years of publishing are no longer tracked in the source files. This also
2516 * New functions in the error module return constant strings for
2520 in #3176.
2526 Contributed by Nicola Di Lieto <nicola.dilieto@gmail.com> in #3243 as
2532 some BSD systems. Contributed by Nia Alarie in #3423.
2533 * Add support for Windows 2000 in net_sockets. Contributed by opatomic. #3239
2536 * Fix a side channel vulnerability in modular exponentiation that could
2537 reveal an RSA private key used in a secure enclave. Noticed by Sangho Lee,
2540 Strackx (Fortanix) in #3394.
2541 * Fix side channel in mbedtls_ecp_check_pub_priv() and
2549 * Fix issue in Lucky 13 counter-measure that could make it ineffective when
2551 macros). This would cause the original Lucky 13 attack to be possible in
2554 Reported and fix suggested by Luc Perneel in #3246.
2558 Completes a previous fix in Mbed TLS 2.19 that only fixed the build for
2559 the example programs. Reported in #1430 and fix contributed by irwir.
2560 * Fix undefined behavior in X.509 certificate parsing if the
2565 due to shadowed variable. Contributed by Sander Visser in #3310.
2567 NULL pointer argument. Contributed by Sander Visser in #3312.
2571 * Remove dead code in X.509 certificate parsing. Contributed by irwir in
2573 * Include asn1.h in error.c. Fixes #3328 reported by David Hu.
2574 * Fix potential memory leaks in ecp_randomize_jac() and ecp_randomize_mxz()
2575 when PRNG function fails. Contributed by Jonas Lejeune in #3318.
2576 * Remove unused macros from MSVC projects. Reported in #3297 and fix
2577 submitted in #3333 by irwir.
2578 * Add additional bounds checks in ssl_write_client_hello() preventing
2581 * Set _POSIX_C_SOURCE to at least 200112L in C99 code. Reported in #3420 and
2582 fix submitted in #3421 by Nia Alarie.
2584 NetBSD. Contributed by Nia Alarie in #3422.
2586 Contributed by Sander Visser in #3311.
2590 in ssl_parse_record_header().
2593 * Fix warnings about signedness issues in format strings. The build is now
2595 in #3153.
2596 * Fix minor performance issue in operations on Curve25519 caused by using a
2597 suboptimal modular reduction in one place. Found and fix contributed by
2598 Aurelien Jarno in #3209.
2599 * Combine identical cases in switch statements in md.c. Contributed
2600 by irwir in #3208.
2601 * Simplify a bounds check in ssl_write_certificate_request(). Contributed
2602 by irwir in #3150.
2605 behavior in bare metal environments.
2607 Contributed by Koh M. Nakagawa in #3326.
2613 * The unit tests now rely on header files in tests/include/test and source
2614 files in tests/src. When building with make or cmake, the files in
2623 * Remove superfluous assignment in mbedtls_ssl_parse_certificate(). Reported
2624 in #3182 and fix submitted by irwir. #3217
2625 * Fix typo in XTS tests. Reported and fix submitted by Kxuan. #3319
2630 * Deprecate MBEDTLS_SSL_HW_RECORD_ACCEL that enables function hooks in the
2632 * Deprecate mbedtls_ssl_get_max_frag_len() in favour of
2638 * Fix issue in DTLS handling of new associations with the same parameters
2641 legitimate clients, resulting in a Denial of Service. This could only
2642 happen when MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE was enabled in config.h
2644 * Fix side channel in ECC code that allowed an adversary with access to
2649 * Fix a potentially remotely exploitable buffer overread in a
2660 * Remove a spurious check in ssl_parse_client_psk_identity that triggered
2661 a warning with some compilers. Fix contributed by irwir in #2856.
2662 * Fix a function name in a debug message. Contributed by Ercan Ozturk in
2667 is back directly in the present repository.
2681 library which allows TLS authentication to use keys stored in a
2688 unless the RNG is broken, and could result in information disclosure or
2702 * Change the encoding of key types and curves in the PSA API. The new
2711 * Fix an unchecked call to mbedtls_md() in the x509write module.
2713 Jack Lloyd in #2859. Fix submitted by jiblime in #2963.
2714 * Fix some false-positive uninitialized variable warnings in X.509. Fix
2715 contributed by apple-ihack-geek in #2663.
2716 * Fix a possible error code mangling in psa_mac_verify_finish() when
2718 * Fix a bug in mbedtls_pk_parse_key() that would cause it to accept some
2721 * Fix a bug in mbedtls_pk_parse_key() that would cause it to
2740 * Zeroize local variables in mbedtls_internal_aes_encrypt() and
2748 * Fix side channel vulnerability in ECDSA. Our bignum implementation is not
2753 * Fix side channel vulnerability in ECDSA key generation. Obtaining precise
2754 timings on the comparison in the key generation enabled the attacker to
2757 * Catch failure of AES functions in mbedtls_ctr_drbg_random(). Uncaught
2763 * Key derivation inputs in the PSA API can now either come from a key object
2770 msopiha-linaro in ARMmbed/mbed-crypto#307.
2780 * Fix an incorrect size in a debugging message. Reported and fix
2786 * Fix a buffer overflow in the PSA HMAC code when using a long key with an
2789 to OSS-Fuzz for finding a bug in an intermediate version of the fix.
2798 structures, which was exposed only in an internal header.
2807 Alexander Krizhanovsky in ARMmbed/mbed-crypto#210.
2809 Lloyd and Fortanix Inc in ARMmbed/mbed-crypto#277.
2811 Alexander Krizhanovsky in ARMmbed/mbed-crypto#308.
2817 Contributed by Zachary J. Fields in PR #2949.
2822 * Make client_random and server_random const in
2827 * Fix some false-positive uninitialized variable warnings in crypto. Fix
2828 contributed by apple-ihack-geek in #2663.
2833 * Fix a missing error detection in ECJPAKE. This could have caused a
2837 value, as specified in RFC 5915. Previously, the value was written
2850 store it in non-volatile storage, and later using it for TLS session
2866 socket. Contributed by Robert Larsen in #2803.
2883 * Deprecate mbedtls_ecdsa_sign_det() in favor of a functions that can take an
2889 * Fix missing bounds checks in X.509 parsing functions that could
2896 * Fix typo in net_would_block(). Fixes #528 reported by github-monoculture.
2897 * Remove redundant include file in timing.c. Fixes #2640 reported by irwir.
2905 * Fix misuse of signed arithmetic in the HAVEGE module. #2598
2908 in mbedtls_x509write_crt_der() to 2Kb. Reported by soccerGB in #2631.
2909 * Fix partial zeroing in x509_get_other_name. Found and fixed by ekse, #2716.
2911 Bernhard M. Wiedemann in #2357.
2912 * Fix the build on ARMv5TE in ARM mode to not use assembly instructions
2913 that are only available in Thumb mode. Fix contributed by Aurelien Jarno
2914 in #2169.
2915 * Fix propagation of restart contexts in restartable EC operations.
2916 This could previously lead to segmentation faults in builds using an
2918 * Fix memory leak in mpi_miller_rabin(). Contributed by
2919 Jens Wiklander <jens.wiklander@linaro.org> in #2363
2920 * Improve code clarity in x509_crt module, removing false-positive
2923 * Fix bug in endianness conversion in bignum module. This led to
2928 * Replace multiple uses of MD2 by SHA-256 in X.509 test suite. Fixes #821.
2932 * Add a Dockerfile and helper scripts (all-in-docker.sh, basic-in-docker.sh,
2937 cyber) in #2681.
2953 Ashley Duncan in #2609.
2958 * Add the Any Policy certificate policy oid, as defined in
2969 * Add support for parsing otherName entries in the Subject Alternative Name
2971 as defined in RFC 4108 section 5.
2972 * Add support for parsing certificate policies extension, as defined in
2975 * List all SAN types in the subject_alt_names field of the certificate.
2978 in https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05.
2994 * Fix private key DER output in the key_app_writer example. File contents
2996 Christian Walther in #2239.
2997 * Fix potential memory leak in X.509 self test. Found and fixed by
3000 * Fix 1-byte buffer overflow in mbedtls_mpi_write_string() when
3001 used with negative inputs. Found by Guido Vranken in #2404. Credit to
3003 * Fix bugs in the AEAD test suite which would be exposed by ciphers which
3006 * Fix incorrect default port number in ssl_mail_client example's usage.
3010 * Add missing parentheses around parameters in the definition of the
3012 in case operators binding less strongly than subtraction were used
3014 * Add a check for MBEDTLS_X509_CRL_PARSE_C in ssl_server2, guarding the crl
3015 sni entry parameter. Reported by inestlerode in #560.
3021 * Server's RSA certificate in certs.c was SHA-1 signed. In the default
3023 This certificate is used in the demo server programs, which led the
3030 * Remove dead code from bignum.c in the default configuration.
3034 * Change wording in the `mbedtls_ssl_conf_max_frag_len()`'s documentation to
3045 named bitstring in DER as required by RFC 5280 Appendix B.
3053 * Allow to opt in to the removal the API mbedtls_ssl_get_peer_cert()
3073 Raised as a comment in #1996.
3077 in the header files, which missed the precompilation check. #971
3079 * Remove a duplicate #include in a sample program. Fixed by Masashi Honma #2326.
3083 in X.509 module. Fixes #2212.
3086 * Fix false failure in all.sh when backup files exist in include/mbedtls
3090 * Fix issue when writing the named bitstrings in KeyUsage and NsCertType
3091 extensions in CSRs and CRTs that caused these bitstrings to not be encoded
3092 correctly as trailing zeroes were not accounted for as unused bits in the
3098 * Include configuration file in all header files that use configuration,
3102 in RFC 7468. Found by Michael Ernst. Fixes #767.
3107 * Fix clobber list in MIPS assembly for large integer multiplication.
3109 produced by some optimizing compilers, showing up as failures in
3110 e.g. RSA or ECC signature operations. Reported in #1722, fix suggested
3114 * Fix configuration queries in ssl-opt.h. #2030
3115 * Ensure that ssl-opt.h can be run in OS X. #2029
3116 * Re-enable certain interoperability tests in ssl-opt.sh which had previously
3125 of parameters in the API. This allows detection of obvious misuses of the
3127 changed, but requirements on parameters have been made more explicit in
3130 disabled by default. See its API documentation in config.h for additional
3134 * The following functions in the random generator modules have been
3151 changed so that the same level of validation is present in all modules, and
3158 in favor of functions that can return an error code.
3164 * Fix runtime error in `mbedtls_platform_entropy_poll()` when run
3166 in #1212. Fixes #1212.
3168 This could lead to a buffer overflow, but only in case ticket authentication
3169 was broken. Reported and fix suggested by Guido Vranken in #659.
3199 * Fix timing variations and memory access variations in RSA PKCS#1 v1.5
3206 (University of Adelaide, Data61). The attack is described in more detail
3207 in the paper available here: http://cat.eyalro.net/cat.pdf CVE-2018-19608
3215 * Wipe sensitive buffers on the stack in the CTR_DRBG and HMAC_DRBG
3230 name and the CA's subject name differed in their string encoding (e.g.,
3231 one using PrintableString and the other UTF8String) or in the choice of
3232 upper and lower case. Reported by Henrik Andersson of Bosch GmbH in issue
3234 * Fix a flawed bounds check in server PSK hint parsing. In case the
3243 security of TLS, but can matter in other contexts with numbers chosen
3253 some configurable amount of operations. This is intended to be used in
3258 xxx_restartable functions in ECP, ECDSA, PK and X.509 (CRL not supported
3259 yet), and to existing functions in ECDH and SSL (currently only
3260 implemented client-side, for ECDHE-ECDSA ciphersuites in TLS 1.2,
3264 MPI multiplications used in ECC and RSA cryptography. Contributed by
3271 * Add support for 128-bit keys in CTR_DRBG. Note that using keys shorter
3288 * Deprecate the function mbedtls_mpi_is_prime() in favor of
3293 * Fix wrong order of freeing in programs/ssl/ssl_server2 example
3294 application leading to a memory leak in case both
3297 * Fix a bug in the update function for SSL ticket keys which previously
3299 * Fix failure in hmac_drbg in the benchmark sample application, when
3301 * Fix a bug in the record decryption routine ssl_decrypt_buf()
3303 padded records in case of CBC ciphersuites using Encrypt-then-MAC.
3304 * Fix memory leak and freeing without initialization in the example
3306 * Ignore IV in mbedtls_cipher_set_iv() when the cipher mode is
3311 of sensitive data in the example programs aescrypt2 and crypt_and_hash.
3314 wildcards and non-ASCII characters being unusable in some DN attributes.
3315 Reported by raprepo in #1860 and by kevinpt in #468. Fix contributed by
3324 * Add tests for session resumption in DTLS.
3325 * Close a test gap in (D)TLS between the client side and the server side:
3327 in the same way as on the server side.
3334 X.509 DNs. Previously, DN attributes were always written in their default
3336 created which used PrintableStrings in the issuer field even though the
3337 signing CA used UTF8Strings in its subject field; while X.509 compliant,
3338 such CRTs were rejected in some applications, e.g. some versions of
3339 Firefox, curl and GnuTLS. Reported in #1033 by Moschn. Fix contributed by
3344 use it to reduce error probability in RSA key generation to levels mandated
3364 * Fix an issue in the X.509 module which could lead to a buffer overread
3379 * Add support for buffering out-of-order handshake messages in DTLS.
3382 in mbedtls/config.h.
3389 * Fix a potential memory leak in mbedtls_ssl_setup() function. An allocation
3390 failure in the function could lead to other buffers being leaked.
3393 * Fix a memory leak in ecp_mul_comb() if ecp_precompute_comb() fails.
3397 interoperability issues with BouncyCastle. Raised by milenamil in #1157.
3398 * Replace printf with mbedtls_printf in the ARIA module. Found by
3399 TrinityTonic in #1908.
3400 * Fix potential use-after-free in mbedtls_ssl_get_max_frag_len()
3405 check in parsing the CertificateRequest message,
3406 introduced in Mbed TLS 2.12.0. Fixes #1954.
3407 * Fix a miscalculation of the maximum record expansion in
3408 mbedtls_ssl_get_record_expansion() in case of ChachaPoly ciphersuites,
3409 or CBC ciphersuites in (D)TLS versions 1.1 or higher. Fixes #1913, #1914.
3410 * Fix undefined shifts with negative values in certificates parsing
3412 * Fix memory leak and free without initialization in pk_encrypt
3431 * Fix a vulnerability in TLS ciphersuites based on CBC and using SHA-384,
3432 in (D)TLS 1.0 to 1.2, that allowed an active network attacker to
3435 this recovery by sending many messages in the same connection. With TLS
3441 caused by a miscalculation (for SHA-384) in a countermeasure to the
3444 * Fix a vulnerability in TLS ciphersuites based on CBC, in (D)TLS 1.0 to
3454 * Add a counter-measure against a vulnerability in TLS ciphersuites based
3455 on CBC, in (D)TLS 1.0 to 1.2, that allowed a local attacker, able to
3482 Found and fixed by Hirotaka Niisato in #1783.
3487 * Fix a memory leak in mbedtls_x509_csr_parse(), found by catenacyber,
3489 * Remove unused headers included in x509.c. Found by Chris Hanson and fixed
3492 MBEDTLS_CIPHER_NULL_CIPHER is enabled. Found by TrinityTonic in #1719.
3497 * Fix namespacing in header files. Remove the `mbedtls` namespacing in
3498 the `#include` in the header files. Resolves #857
3499 * Fix compiler warning of 'use before initialisation' in
3509 when the request_size argument is set to 0 as stated in the documentation.
3521 * Change the shebang line in Perl scripts to look up perl in the PATH.
3534 * Add support for the CCM* block cipher mode as defined in IEEE Std. 802.15.4.
3536 Contributed by Aorimn in pull request #414.
3547 Reported by rahmanih in #683
3548 * Fix braces in mbedtls_memory_buffer_alloc_status(). Found by sbranden, #552.
3552 * Changed the Clang parameters used in the CMake build files to work for
3560 (RFC 6209). Disabled by default, see MBEDTLS_ARIA_C in config.h
3574 * Fix an issue with MicroBlaze support in bn_mul.h which was causing the
3578 * Support TLS testing in out-of-source builds using cmake. Fixes #1193.
3585 * Fix an issue in the X.509 module which could lead to a buffer overread
3592 * Fix the buffer length assertion in the ssl_parse_certificate_request()
3598 * Fix a client-side bug in the validation of the server's ciphersuite choice
3607 Suggested and contributed by jkivilin in pull request #394.
3611 Nicholas Wilson in pull request #348.
3618 a check for whether more data is pending to be processed in the
3621 underlying transport in case event-driven IO is used.
3624 * Fix a spurious uninitialized variable warning in cmac.c. Fix independently
3626 * Add missing dependencies in test suites that led to build failures
3627 in configurations that omit certain hashes or public-key algorithms.
3629 * Fix C89 incompatibility in benchmark.c. Contributed by Brendan Shanks.
3632 MBEDTLS_VERSION_FEATURES in some test suites. Contributed by
3638 ECPrivateKey structure. Found by Jethro Beekman, fixed in #1379.
3640 stated in the mbedtls_cipher_update() documentation. Contributed by
3643 a file in pk_sign program. Found by kevlut in #1142.
3645 where data needs to be fetched from the underlying transport in order
3649 in the internal buffers; these cases led to deadlocks when event-driven
3650 I/O was used. Found and reported by Hubert Mis in #772.
3651 * Fix buffer length assertions in the ssl_parse_certificate_request()
3657 maintained 2.7 branch. The soversion was increased in Mbed TLS
3658 version 2.7.1 to reflect breaking changes in that release, but the
3659 increment was missed in 2.8.0 and later releases outside of the 2.7 branch.
3662 * Remove some redundant code in bignum.c. Contributed by Alexey Skalozub.
3665 * Improve testing in configurations that omit certain hashes or
3668 * Do not define global mutexes around readdir() and gmtime() in
3674 Found and fix submitted by junyeonLEE in #1220.
3678 * Add the order of the base point as N in the mbedtls_ecp_group structure
3684 Paul Sokolovsky in #1356.
3685 * Add an option in the Makefile to support ar utilities where the operation
3690 * Optimize unnecessary zeroing in mbedtls_mpi_copy. Based on a contribution
3691 by Alexey Skalozub in #405.
3694 Sam O'Connor in #1245.
3697 by Jiayuan Chen in #1377. Fixes #1437.
3700 * Declare functions in header files even when an alternative implementation
3705 * Add platform setup and teardown calls in test suites.
3715 the (deprecated) option MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT in
3726 * Fix a buffer overread in ssl_parse_server_key_exchange() that could cause
3728 * Fix a buffer overread in ssl_parse_server_psk_hint() that could cause a
3739 * Add support for public keys encoded in PKCS#1 format. #1122
3746 * Fix the name of a DHE parameter that was accidentally changed in 2.7.0.
3751 In the context of SSL, this resulted in handshake failure. Reported by
3752 daniel in the Mbed TLS forum. #1351
3763 * Fix memory allocation corner cases in memory_buffer_alloc.c module. Found
3765 * Log correct number of ciphersuites used in Client Hello message. #918
3768 * Fix a possible arithmetic overflow in ssl_parse_server_key_exchange()
3770 * Fix a possible arithmetic overflow in ssl_parse_server_psk_hint() that
3778 * Fix tag lengths and value ranges in the documentation of CCM encryption.
3780 * Fix typo in a comment ctr_drbg.c. Contributed by Paul Sokolovsky.
3782 * MD functions deprecated in 2.7.0 are no longer inline, to provide
3791 * Fix a heap corruption issue in the implementation of the truncated HMAC
3795 code execution. The issue could be triggered remotely from either side in
3797 * Fix a buffer overflow in RSA-PSS verification when the hash was too large
3801 * Fix buffer overflow in RSA-PSS verification when the unmasked data is all
3803 * Fix an unsafe bounds check in ssl_parse_client_psk_identity() when adding
3805 * Fix a potential heap buffer overflow in mbedtls_ssl_write(). When the (by
3806 default enabled) maximum fragment length extension is disabled in the
3812 and sjorsdewit on GitHub. Fix proposed by Florin Petriuc in #1022.
3817 Changes were introduced in multiple places in the library.
3828 * Fix a potential heap buffer over-read in ALPN extension parsing
3829 (server-side). Could result in application crash, but only if an ALPN
3832 to RFC 3526 containing parameters generated in a nothing-up-my-sleeve
3836 * Allow comments in test data files.
3847 MBEDTLS_ECDSDA_GENKEY_AT in config.h.
3853 MBEDTLS_ECDH_GEN_PUBLIC_ALT in config.h.
3870 implementations of the RSA interface declared in rsa.h.
3871 * The following functions in the message digest modules (MD2, MD4, MD5,
3888 any of MD2, MD4, MD5, SHA1, SHA256, SHA512) in favor of functions
3897 accepting DHM parameters in binary form, matching the new constants.
3901 as recommended in RFC 6347 Section 4.1.2.7.
3902 * Fix memory leak in mbedtls_ssl_set_hostname() when called multiple times.
3904 * Fix usage help in ssl_server2 example. Found and fixed by Bei Lin.
3908 * Fix leap year calculation in x509_date_is_valid() to ensure that invalid
3914 Found independently by Florian in the mbed TLS forum and by Mishamax.
3918 * Fix unchecked return codes from AES, DES and 3DES functions in
3924 * Include configuration file in md.h, to fix compilation warnings.
3925 Reported by aaronmdjones in #1001
3926 * Correct extraction of signature-type from PK instance in X.509 CRT and CSR
3928 RSA implementations. Raised by J.B. in the Mbed TLS forum. Fixes #1011.
3931 * Fix bugs in RSA test suite under MBEDTLS_NO_PLATFORM_ENTROPY. #1023 #1024
3934 * Fix handling of handshake messages in mbedtls_ssl_read() in case
3936 * Add a check for invalid private parameters in mbedtls_ecdsa_sign().
3938 * Fix word size check in pk.c to not depend on MBEDTLS_HAVE_INT64.
3939 * Fix incorrect unit in benchmark output. #850
3945 * Fix use of uninitialized memory in mbedtls_timing_get_timer() when reset=1.
3946 * Fix possible memory leaks in mbedtls_gcm_self_test().
3947 * Added missing return code checks in mbedtls_aes_self_test().
3948 * Fix issues in RSA key generation program programs/x509/rsa_genkey and the
3952 * Fix error message in programs/pkey/gen_key.c. Found and fixed by Chris Xue.
3955 * Fix an issue in the cipher decryption with the mode
3960 mbedtls_sha512_starts() in the mbedtls_entropy_init() function.
3966 * Fix handshake status message in programs/ssl/dtls_client.c. Found
3973 * Only check for necessary RSA structure fields in `mbedtls_rsa_private`. In
3983 everywhere except some locations in the ssl_tls.c module.
3994 * Fix authentication bypass in SSL/TLS: when authmode is set to optional,
4000 * Reliably wipe sensitive data after use in the AES example applications
4009 by the user in a platform_alt.h file. These new functions are required in
4014 * Reverted API/ABI breaking changes introduced in mbed TLS 2.5.1, to make the
4019 * Certificate verification functions now set flags to -1 in case the full
4020 chain was not verified due to an internal error (including in the verify
4024 a fatal error in the verify callback.
4027 * Add a check if iv_len is zero in GCM, and return an error if it is zero.
4032 * Fix a resource leak on Windows platforms in mbedtls_x509_crt_parse_path(),
4033 in the case of an error. Found by redplait. #590
4036 * Fix conditional preprocessor directives in bignum.h to enable 64-bit
4038 * Fix a potential integer overflow in the version verification for DER
4042 * Fix potential integer overflow in the version verification for DER
4046 * Fix a potential integer overflow in the version verification for DER
4059 accelerator code in the library leaves concurrency handling to the
4061 * Define the macro MBEDTLS_AES_ROM_TABLES in the configuration file
4070 * Fixed unlimited overread of heap-based buffer in mbedtls_ssl_read().
4072 Could result in DoS (application crash) or information leak
4078 * Fixed offset in FALLBACK_SCSV parsing that caused TLS server to fail to
4085 valid C and they prevented the test from compiling in Visual Studio 2015
4088 resulting in compatibility problems with Chrome. Found by hfloyrd. #823
4089 * Fix behaviour that hid the original cause of fatal alerts in some cases
4096 * Accept empty trusted CA chain in authentication mode
4099 fatal errors in authentication mode MBEDTLS_SSL_VERIFY_OPTIONAL and to
4103 * Fix incorrect sign computation in modular exponentiation when the base is
4106 * Fix a numerical underflow leading to stack overflow in mpi_read_file()
4110 * Send fatal alerts in more cases. The previous behaviour was to skip
4119 * Wipe stack buffers in RSA private key operations
4123 against side-channel attacks like the cache attack described in
4134 suppressing the CA list in Certificate Request messages. The default
4138 * The following functions in the AES module have been deprecated and replaced
4148 * Fixed issue in the Threading module that prevented mutexes from
4150 * Add checks in the PK module for the RSA functions on 64-bit systems.
4159 using RSA through the PK module in 64-bit systems. The issue was caused by
4160 some data loss when casting a size_t to an unsigned int value in the
4163 * Fixed potential livelock during the parsing of a CRL in PEM format in
4165 characters after the footer could result in the execution of an infinite
4185 mbedtls_ssl_set_bio_timeout in compat-1.3.h, by removing it.
4187 * Fix unused variable/function compilation warnings in pem.c, x509_crt.c and
4190 * Fix incorrect renegotiation condition in ssl_check_ctr_renegotiate() that
4192 in RFC 6347 Section 4.3.1. This could cause the execution of the
4195 * Fixed multiple buffer overreads in mbedtls_pem_read_buffer() when parsing
4196 the input string in PEM format to extract the different components. Found
4198 * Fixed potential arithmetic overflow in mbedtls_ctr_drbg_reseed() that could
4200 * Fixed potential arithmetic overflows in mbedtls_cipher_update() that could
4202 * Fixed potential arithmetic overflow in mbedtls_md2_update() that could
4204 * Fixed potential arithmetic overflow in mbedtls_base64_decode() that could
4206 * Fixed heap overreads in mbedtls_x509_get_time(). Found by Peng
4208 * Fix potential memory leak in mbedtls_x509_crl_parse(). The leak was caused
4209 by missing calls to mbedtls_pem_free() in cases when a
4214 generated in Visual Studio 2015. Reported by Steve Valliere. #742
4215 * Fix a resource leak in ssl_cookie, when using MBEDTLS_THREADING_C.
4216 Raised and fix suggested by Alan Gillingham in the mbed TLS forum. #771
4217 * Fix 1 byte buffer overflow in mbedtls_mpi_write_string() when the MPI
4218 number to write in hexadecimal is negative and requires an odd number of
4220 * Fix unlisted DES configuration dependency in some pkparse test cases. Found
4234 with RFC-5116 and could lead to session key recovery in very long TLS
4235 sessions. "Nonce-Disrespecting Adversaries Practical Forgery Attacks on GCM in
4238 * Fixed potential stack corruption in mbedtls_x509write_crt_der() and
4240 without checking whether there is enough space in the destination. The
4248 * Added a script to print build environment info for diagnostic use in test
4255 * Added the macro MBEDTLS_ENTROPY_MIN_HARDWARE in config.h. This allows users
4263 * Fix dependency issue in Makefile to allow parallel builds.
4264 * Fix incorrect handling of block lengths in crypt_and_hash.c sample program,
4272 * Fix conditional statement that would cause a 1 byte overread in
4279 * Fix mbedtls_x509_get_sig() to update the ASN1 type in the mbedtls_x509_buf
4285 * Fix potential byte overread when verifying malformed SERVER_HELLO in
4287 * Fix check for validity of date when parsing in mbedtls_x509_get_time().
4305 naming collision in projects which also have files with the common name
4314 * Fix missing padding length check in mbedtls_rsa_rsaes_pkcs1_v15_decrypt
4316 * Fix potential integer overflow to buffer overflow in
4318 (not triggerable remotely in (D)TLS).
4319 * Fix a potential integer underflow to buffer overread in
4320 mbedtls_rsa_rsaes_oaep_decrypt. It is not triggerable remotely in
4328 * Fix bug in mbedtls_mpi_add_mpi() that caused wrong results when the three
4329 arguments were the same (in-place doubling). Found and fixed by Janos
4332 in the previous patch release. Found by Robert Scheck. #390 #391
4333 * Fix issue in Makefile that prevented building using armar. #386
4335 ECDSA was disabled in config.h. The leak didn't occur by default.
4338 in the trusted certificate list.
4339 * Fix bug in mbedtls_x509_crt_parse that caused trailing extra data in the
4340 buffer after DER certificates to be included in the raw representation.
4342 * Fix bug in mbedtls_rsa_rsaes_pkcs1_v15_encrypt that made null pointer
4346 * Fix issue in ssl_fork_server which was preventing it from functioning. #429
4347 * Fix memory leaks in test framework
4348 * Fix test in ssl-opt.sh that does not run properly with valgrind
4355 * Disabled SSLv3 in the default configuration.
4366 remotely in SSL/TLS. Found by Rafał Przywara. #367
4367 * Disable MD5 handshake signatures in TLS 1.2 by default to prevent the
4373 * Fix over-restrictive length limit in GCM. Found by Andreas-N. #362
4374 * Fix bug in certificate validation that caused valid chains to be rejected
4376 Nicholas Wilson. Introduced in mbed TLS 2.2.0. #280
4377 * Removed potential leak in mbedtls_rsa_rsassa_pkcs1_v15_sign(), found by
4381 datagram if a single record in a datagram is unexpected, instead only
4382 drop the record and look at subsequent records (if any are present) in
4394 * Fix potential buffer overflow in some asn1_write_xxx() functions.
4403 * Experimental support for EC J-PAKE as defined in Thread 1.0.0.
4410 resulting in some valid X.509 being incorrectly rejected. Found and fix
4422 * Fix failures in MPI on Sparc(64) due to use of bad assembly code.
4424 * Fix typo in name of the extKeyUsage OID. Found by inestlerode, #314
4425 * Fix bug in ASN.1 encoding of booleans that caused generated CA
4440 once in the same handshake and mbedtls_ssl_conf_psk() was used.
4443 * Fix stack buffer overflow in pkcs12 decryption (used by
4446 * Fix potential buffer overflow in mbedtls_mpi_read_string().
4447 Found by Guido Vranken, Intelworks. Not exploitable remotely in the context
4448 of TLS, but might be in other uses. On 32 bit machines, requires reading a
4451 * Fix potential random memory allocation in mbedtls_pem_read_buffer()
4453 Intelworks. Not triggerable remotely in TLS. Triggerable remotely if you
4455 * Fix possible heap buffer overflow in base64_encoded() when the input
4457 Intelworks. Not triggerable remotely in TLS.
4461 * Fix potential heap buffer overflow in servers that perform client
4467 * Fix compile error in net.c with musl libc. Found and patch provided by
4472 * Added checking of hostname length in mbedtls_ssl_set_hostname() to ensure
4474 * Fixed paths for check_config.h in example config files. (Found by bachp)
4490 * Fix off-by-one error in parsing Supported Point Format extension that
4494 * Made X509 profile pointer const in mbedtls_ssl_conf_cert_profile() to allow
4498 (MBEDTLS_SSL_DTLS_HELLO_VERIFY defined in config.h, and usable cookie
4511 * Fix segfault in the benchmark program when benchmarking DHM.
4516 * Fix bug in CMake lists that caused libmbedcrypto.a not to be installed
4518 * Fix bug in Makefile that caused libmbedcrypto and libmbedx509 not to be
4521 * Fix bug in Makefile that caused programs not to be installed correctly
4523 * Fix bug in Makefile that prevented installing without building the
4529 * Fix bug in mbedtls_ssl_conf_default() that caused the default preset to
4531 * Fix bug in mbedtls_rsa_public() and mbedtls_rsa_private() that could
4540 * Fix memory corruption in pkey programs (found by yankuncheng) (#210)
4566 * Expanded configurability of security parameters in the SSL module with
4577 provided. Full list of renamings in scripts/data_files/rename-1.3-2.0.txt
4582 * Headers are now found in the 'mbedtls' directory (previously 'polarssl').
4600 * The following functions have been introduced and must be used in callback
4609 * On server, mbedtls_ssl_conf_session_tickets_cb() must now be used in
4620 * The following functions changed prototype to avoid an in-out length
4638 * Test certificates in certs.c are no longer guaranteed to be nul-terminated
4648 (support for renegotiation now needs explicit enabling in config.h).
4650 in config.h
4678 * md_init_ctx() is deprecated in favour of md_setup(), that adds a third
4682 * Renamed a few headers to include _internal in the name. Those headers are
4687 * Removed sig_oid2 and rename sig_oid1 to sig_oid in x509_crt and x509_crl.
4694 * RC4 is now blacklisted by default in the SSL/TLS layer, and excluded from the
4699 * Support for RSA_ALT contexts in the PK layer is now optional. Since it is
4700 enabled in the default configuration, this is only noticeable if using a
4753 * Add support for bit strings in X.509 names (request by Fredrik Axelsson).
4754 * Add support for id-at-uniqueIdentifier in X.509 names.
4755 * Add support for overriding snprintf() (except on Windows) and exit() in
4757 * Add an option to use macros instead of function pointers in the platform
4775 * Fix bug in entropy.c when THREADING_C is also enabled that caused
4779 * Fix bug in ssl_mail_client when password is longer than username (found
4781 * Fix undefined behaviour (memcmp( NULL, NULL, 0 );) in X.509 modules
4789 ssl_write() is called before the handshake is finished (introduced in
4791 * Fix bug in pk_parse_key() that caused some valid private EC keys to be
4793 * Fix bug in Via Padlock support (found by Nikos Mavrogiannopoulos).
4794 * Fix thread safety bug in RSA operations (found by Fredrik Axelsson).
4795 * Fix hardclock() (only used in the benchmarking program) with some
4797 * Fix warnings from mingw64 in timing.c (found by kxjklele).
4798 * Fix potential unintended sign extension in asn1_get_len() on 64-bit
4800 * Fix potential memory leak in ssl_set_psk() (found by Mansour Moufid).
4802 POLARSSL_SSL_SSESSION_TICKETS were both enabled in config.h (introduced
4803 in 1.3.10).
4804 * Add missing extern "C" guard in aesni.h (reported by amir zamani).
4805 * Add missing dependency on SHA-256 in some x509 programs (reported by
4811 * Remove bias in mpi_gen_prime (contributed by Pascal Junod).
4821 performance impact was bad for some users (this was introduced in 1.3.10).
4822 * Move from SHA-1 to SHA-256 in example programs using signatures
4826 * Change #include lines in test files to use double quotes instead of angle
4828 * Remove dependency on sscanf() in X.509 parsing modules.
4832 * NULL pointer dereference in the buffer-based allocator when the buffer is
4846 Bleichenbacher-style attack in the RSA and RSA-PSK key exchanges
4874 * User set CFLAGS were ignored by Cmake with gcc (introduced in 1.3.9, found
4876 * Fix potential undefined behaviour in Camellia.
4877 * Fix potential failure in ECDSA signatures when POLARSSL_ECP_MAX_BITS is a
4879 * Fix unchecked return code in x509_crt_parse_path() on Windows (found by
4892 * Use deterministic nonces for AEAD ciphers in TLS by default (possible to
4893 switch back to random with POLARSSL_SSL_AEAD_RANDOM_IV in config.h).
4896 * Forbid repeated extensions in X.509 certificates.
4897 * debug_print_buf() now prints a text view in addition to hexadecimal.
4898 * A specific error is now returned when there are ciphersuites in common
4905 * Use platform.h in all test suites and programs.
4909 * Lowest common hash was selected from signature_algorithms extension in
4910 TLS 1.2 (found by Darren Bane) (introduced in 1.3.8).
4919 * Support escaping of commas in x509_string_to_names()
4920 * Fix compile error in ssl_pthread_server (found by Julian Ospald).
4922 * Don't print uninitialised buffer in ssl_mail_client (found by Marc Abel).
4924 * Fix compile error in timing.c when POLARSSL_NET_C and POLARSSL_SELFTEST
4931 * ssl_close_notify() could send more than one message in some circumstances
4935 * Fix compile error with armcc in mpi_is_prime()
4936 * Fix potential bad read in parsing ServerHello (found by Adrien
4944 * Made buffer size in pk_write_(pub)key_pem() more dynamic, e.g. smaller if
4948 * POLARSSL_MPI_MAX_SIZE now defaults to 1024 in order to allow 8192 bits
4950 * Accept spaces at end of line or end of buffer in base64_decode().
4963 * Support for parsing and verifying RSASSA-PSS signatures in the X.509
4965 * Blowfish in the cipher layer now supports variable length keys.
4967 * Optimize for RAM usage in example config.h for NSA Suite B profile.
4976 * Add LINK_WITH_PTHREAD option in CMake for explicit linking that is
4981 * Selection of hash for signing ServerKeyExchange in TLS 1.2 now picks
4987 * Fix in debug_print_msg()
4988 * Enforce alignment in the buffer allocator even if buffer is not aligned
4997 * Very small records were incorrectly rejected when truncated HMAC was in
4998 use with some ciphersuites and versions (RC4 in all versions, CBC with
5005 been removed in 1.3.6.)
5007 CA for use as an end entity certificate. (This had been removed in
5012 * Fix off-by-one error in parsing Supported Point Format extension that
5018 * Fix base64_decode() to return and check length correctly (in case of
5032 checked and filled in the relevant module headers
5039 * Only iterate over actual certificates in ssl_write_certificate_request()
5041 * Typos in platform.c and pkcs11.c (found by Daniel Phillips and Steffan
5044 * Fix false reject in padding check in ssl_decrypt_buf() for CBC
5046 * Improve interoperability by not writing extension length in ClientHello /
5052 * Fix dependencies issues in X.509 test suite.
5054 * Fix detection of DragonflyBSD in net.c (found by Markus Pfeiffer)
5073 * Reject certificates with times not in UTC, per RFC 5280.
5076 * Avoid potential timing leak in ecdsa_sign() by blinding modular division.
5079 This affects certificates in the user-supplied chain except the top
5082 * Prevent potential NULL pointer dereference in ssl_read_record() (found by
5088 * Potential memory leak in mpi_exp_mod() when error occurs during
5090 * Fixed malloc/free default #define in platform.c (found by Gergely Budai).
5093 * Fix #include path in ecdsa.h which wasn't accepted by some compilers.
5102 * Potential buffer overwrite in pem_write_buffer() because of low length
5104 * EC curves constants, which should be only in ROM since 1.3.3, were also
5105 stored in RAM due to missing 'const's (found by Gergely Budai).
5117 * Support for reading EC keys that use SpecifiedECDomain in some cases.
5145 * Fixed bug in RSA PKCS#1 v1.5 "reversed" operations
5147 * Fixed version-major intolerance in server
5149 * Fixed dependency issues in test suite
5155 * Fixed bug with session tickets and non-blocking I/O in the unlikely case
5161 * ssl_init() was leaving a dirty pointer in ssl_context if malloc of
5163 * ssl_handshake_init() was leaving dirty pointers in subcontexts if malloc
5165 * Fix typo in rsa_copy() that impacted PKCS#1 v2 contexts
5176 * Potential memory leak in bignum_selftest()
5181 * Assembly format fixes in bn_mul.h
5189 * EC key generation support in gen_key app
5194 * Support for IPv6 in the NET module
5203 * More constant-time checks in the RSA module
5205 * Curves are now stored fully in ROM
5206 * Memory usage optimizations in ECP module
5210 * Fixed bug in mpi_set_bit() on platforms where t_uint is wider than int
5215 * Potential memory leak in ssl_ticket_keys_init()
5216 * Memory leak in benchmark application
5218 * Added missing MPI_CHK() around some statements in mpi_div_mpi() (found by
5220 * Fixed potential overflow in certificate size verification in
5234 * Padding checks in cipher layer are now constant-time
5235 * Value comparisons in SSL layer are now constant-time
5236 * Support for serialNumber, postalAddress and postalCode in X509 names
5240 * More stringent checks in cipher layer
5267 * Possible naming collision in dhm_context
5291 (ISO/IEC 7816-4) padding and zero padding in the cipher layer
5298 * Support for multiple active certificate / key pairs in SSL servers for
5325 * Fixed parse error in ssl_parse_certificate_request()
5327 * Support for AIX header locations in net.c module
5338 * Fix potential invalid memory read in the server, that allows a client to
5340 * Fix potential invalid memory read in certificate parsing, that allows a
5347 * Fix bug in Via Padlock support (found by Nikos Mavrogiannopoulos).
5348 * Fix hardclock() (only used in the benchmarking program) with some
5350 * Fix warnings from mingw64 in timing.c (found by kxjklele).
5351 * Fix potential unintended sign extension in asn1_get_len() on 64-bit
5356 this will be made in the 1.2 branch at this point.
5372 * Fix potential undefined behaviour in Camellia.
5373 * Fix memory leaks in PKCS#5 and PKCS#12.
5376 * Fix bug in MPI/bignum on s390/s390x (reported by Dan Horák) (introduced
5377 in 1.2.12).
5378 * Fix unchecked return code in x509_crt_parse_path() on Windows (found by
5392 * Forbid repeated extensions in X.509 certificates.
5403 * Fix potential bad read in parsing ServerHello (found by Adrien
5405 * ssl_close_notify() could send more than one message in some circumstances
5409 * Don't print uninitialised buffer in ssl_mail_client (found by Marc Abel).
5420 * Accept spaces at end of line or end of buffer in base64_decode().
5433 * Reject certificates with times not in UTC, per RFC 5280.
5443 * Prevent potential NULL pointer dereference in ssl_read_record() (found by
5454 * Added missing MPI_CHK() around some statements in mpi_div_mpi() (found by
5456 * Fixed potential overflow in certificate size verification in
5458 * Fix ASM format in bn_mul.h
5459 * Potential memory leak in bignum_selftest()
5462 * Fix bug in RSA PKCS#1 v1.5 "reversed" operations
5464 * Fixed version-major intolerance in server
5468 * ssl_init() was leaving a dirty pointer in ssl_context if malloc of
5470 * ssl_handshake_init() was leaving dirty pointers in subcontexts if malloc
5474 * Potential memory leak in mpi_exp_mod() when error occurs during
5476 * Improve interoperability by not writing extension length in ClientHello
5482 * Fix detection of DragonflyBSD in net.c (found by Markus Pfeiffer)
5489 * Fix base64_decode() to return and check length correctly (in case of
5497 * Fixed memory leak in RSA as a result of introduction of blinding
5512 * Fixed potential negative value misinterpretation in load_file()
5520 * Centralized module option values in config.h to allow user-defined
5529 symmetric cipher and hash algorithms (e.g. POLARSSL_AES_ALT in
5535 * Secure renegotiation extension should only be sent in case client
5537 * Fixed offset for cert_type list in ssl_parse_certificate_request()
5545 * Fixed values for 2-key Triple DES in cipher layer
5566 * Fixed memory leak in ssl_free() and ssl_reset() for active session
5585 * Removed further timing differences during SSL message decryption in
5601 * Removed timing differences during SSL message decryption in
5612 * Handle future version properly in ssl_write_certificate_request()
5613 * Correctly handle CertificateRequest message in client for <= TLS 1.1
5628 * Fixed dependency on POLARSSL_SHA4_C in SSL modules
5638 * Allow R and A to point to same mpi in mpi_div_mpi (found by Manuel
5640 * Fixed possible segfault in mpi_shift_r() (found by Manuel
5660 * Added support for Hardware Acceleration hooking in SSL/TLS
5687 in SSL/TLS
5693 * Fixed handling error in mpi_cmp_mpi() on longer B values (found by
5695 * Fixed potential heap corruption in x509_name allocation
5720 * Potential negative value misinterpretation in load_file()
5732 * Fixed values for 2-key Triple DES in cipher layer
5749 * Removed timing differences during SSL message decryption in
5765 * Fixed possible segfault in mpi_shift_r() (found by Manuel
5767 * Allow R and A to point to same mpi in mpi_div_mpi (found by Manuel
5782 * Fixed potential heap corruption in x509_name allocation
5791 * Fixed handling error in mpi_cmp_mpi() on longer B values (found by
5802 * Check for failed malloc() in ssl_set_hostname() and x509_get_entries()
5806 * Fixed bug in CTR_DRBG selftest
5824 * Documentation for AES and Camellia in modes CTR and CFB128 clarified.
5832 * Changed the defined key-length of DES ciphers in cipher.h to include the
5833 parity bits, to prevent mistakes in copying data. (Closes ticket #33)
5842 a consequence in library code and programs
5857 * Fixed incorrect behaviour in case of RSASSA-PSS with a salt length
5861 * Improved build support for s390x and sparc64 in bignum.h
5862 * Fixed MS Visual C++ name clash with int64 in sha4.h
5863 * Corrected removal of leading "00:" in printing serial numbers in
5876 * Undid faulty bug fix in ssl_write() when flushing old data (Ticket
5896 t_int and t_dbl to t_uint and t_udbl in the process
5925 does not zeroize memory in advance anymore. Use rsa_init()
5932 * Fixed bug in ssl_write() when flushing old data (Fixed ticket
5963 * Fixed a possible Man-in-the-Middle attack on the
5977 * Improvements to support integration in other
5989 * x509parse_time_expired() checks time in addition to
6007 * Removed dependency on rand() in rsa_pkcs1_encrypt().
6011 * Some SSL defines were renamed in order to avoid
6018 * Fixed deadlock in rsa_pkcs1_encrypt() on failing random
6023 * Fixed Makefile in library that was mistakenly merged
6030 * Added support for GeneralizedTime in X509 parsing
6038 in a function to allow easy future expansion
6046 * Fixed bug resulting in failure to send the last
6047 certificate in the chain in ssl_write_certificate() and
6051 * Fixed algorithmic bug in mpi_is_prime() (found by
6062 * Changed typo in #ifdef in x509parse.c (found
6077 * Fixed typo in name of POLARSSL_ERR_RSA_OUTPUT_TOO_LARGE.
6089 * Prevented use of long long in bignum if
6092 * Fixed incorrect handling of negative strings in
6094 * Fixed segfault on handling empty rsa_context in
6098 value in mpi_add_abs() (found by code coverage tests).
6100 value in mpi_sub_abs() (found by code coverage tests).
6102 value in mpi_mod_mpi() and mpi_mod_int(). Resulting
6111 SHA-512 in rsa_pkcs1_sign()
6114 * Fixed a bug in mpi_gcd() so that it also works when both
6122 * Fixed minor memory leak in x509parse_crt() and added better
6129 * Undefining POLARSSL_HAVE_ASM now also prevents asm in
6131 * Fixed an off-by-one buffer allocation in ssl_set_hostname()
6145 * Fixed dangerous bug that can cause a heap overflow in
6154 * Enabled support for large files by default in aescrypt2.c
6156 * Fixed a bug in ssl_write() that caused the same payload to
6157 be sent twice in non-blocking mode when send returns EAGAIN
6159 not be swapped in the SSLv2 ClientHello (found by Greg Robson)
6165 * Correctly handle the case in padlock_xcryptcbc() when input or
6168 * Fixed a memory leak in x509parse_crt() which was reported by Greg
6182 serial number, set up correct server port in the ssl client example
6192 * Updated rsa_gen_key() so that ctx->N is always nbits in size
6205 * Added lots of debugging output in the SSL/TLS functions
6214 * Fixed a bug in mpi_read_binary() on 64-bit platforms
6216 * Fixed a long standing memory leak in mpi_is_prime()
6217 * Replaced realloc with malloc in mpi_grow(), and set
6218 the sign of zero as positive in mpi_init() (reported
6224 * Fixed a bug in ssl_tls.c which sometimes prevented SSL
6226 * Fixed a couple of bugs in the VS6 and UNIX Makefiles
6227 * Fixed the "PIC register ebx clobbered in asm" bug
6234 * Rewrote README.txt in program/ssl/ca to better explain
6239 * Ciphers used in SSL/TLS can now be disabled at compile
6248 * Fixed a bug introduced in xyssl-0.5/timing.c: hardclock
6268 * Fixed a bug in ssl_encrypt_buf (incorrect padding was
6269 generated) and in ssl_parse_client_hello (max. client
6271 * Fixed another bug in ssl_parse_client_hello: clients with
6273 * Fixed a couple of memory leaks in x509_read.c
6280 * Fixed a bug in the CBC code, thanks to dowst; also,
6291 * Fixed a bug in sha2_hmac, thanks to newsoft/Wenfang Zhang
6292 * Fixed a bug reported by Adrian Rüegsegger in x509_read_key
6293 * Fixed a bug reported by Torsten Lauter in ssl_read_record
6294 * Fixed a bug in rsa_check_privkey that would wrongly cause
6296 * Fixed a bug in mpi_is_prime that caused some primes to fail