Lines Matching +full:check +full:- +full:size

3 = Mbed TLS 3.6.0 branch released 2024-03-28
42 * Support Armv8-A Crypto Extension acceleration for SHA-256
43 when compiling for Thumb (T32) or 32-bit Arm (A32).
44 * AES-NI is now supported in Windows builds with clang and clang-cl.
50 This affects both the low-level modules and the high-level APIs
53 * Support use of Armv8-A Cryptographic Extensions for hardware accelerated
54 AES when compiling for Thumb (T32) or 32-bit Arm (A32).
56 library without the corresponding built-in implementation. Generally
58 or they'll both be built in. However, for CCM and GCM the built-in
61 docs/driver-only-builds.md for full details and current limitations.
66 size by disabling it in more circumstances. In particular, the CCM and
69 unauthenticated (non-AEAD) ciphers are disabled, or if they're all
70 fully provided by drivers. See docs/driver-only-builds.md for full
73 * Add support for record size limit extension as defined by RFC 8449
76 Record size limits negotiated during handshake.
77 * Improve performance of AES-GCM, AES-CTR and CTR-DRBG when
78 hardware accelerated AES is not present (around 13-23% on 64-bit Arm).
92 * Add support for using AES-CBC 128, 192, and 256 bit schemes
95 in bits, i.e. the key size for an RSA key.
96 * Add pc files for pkg-config, e.g.:
97 pkg-config --cflags --libs (mbedtls|mbedcrypto|mbedx509)
105 * Add support for 8-bit GCM tables for Shoup's algorithm to speedup GCM
107 performance by around 30% on 64-bit Intel; 125% on Armv7-M.
127 * Add new accessors to expose the private session-id,
128 session-id length, and ciphersuite-id members of
130 Add new accessor to expose the ciphersuite-id of
133 docs/tls13-early-data.md). The support enablement is controlled at build
140 docs/architecture/psa-thread-safety/psa-thread-safety.md for more details.
152 This feature increases code size and memory usage. If buffers passed to
156 Note that setting this option will cause input-output buffer overlap to
158 Fixes CVE-2024-28960.
164 Fixes CVE-2024-28755.
167 - If the TLS 1.2 implementation was disabled at build time, a TLS 1.2
168 client could put the TLS 1.3-only server in an infinite loop processing
171 - If the TLS 1.2 implementation was disabled at runtime, a TLS 1.2 client
174 Fixes CVE-2024-28836.
177 * Fix the build with CMake when Everest or P256-m is enabled through
188 * Fix build failure in conda-forge. Fixes #8422.
201 * On Linux on ARMv8, fix a build error with SHA-256 and SHA-512
205 TLS12_PSK_TO_MS, PBKDF2-HMAC, PBKDF2-CMAC
206 * Fix mbedtls_pk_get_bitlen() for RSA keys whose size is not a
210 * mbedtls_pem_read_buffer() now performs a check on the padding data of
213 mbedtls_pk_encrypt() on non-opaque RSA keys to honor the padding mode in
249 for each size you want to support. Also, if you have an FFDH accelerator,
252 * RSA support in PSA no longer auto-enables the pkparse and pkwrite modules,
253 saving code size when those are not otherwise enabled.
263 = Mbed TLS 3.5.2 branch released 2024-01-26
274 could result in an integer overflow, causing a zero-length buffer to be
278 = Mbed TLS 3.5.1 branch released 2023-11-06
281 * Mbed TLS is now released under a dual Apache-2.0 OR GPL-2.0-or-later
288 = Mbed TLS 3.5.0 branch released 2023-10-05
291 * Mbed TLS 3.4 introduced support for omitting the built-in implementation
292 of ECDSA and/or EC J-PAKE when those are provided by a driver. However,
293 there was a flaw in the logic checking if the built-in implementation, in
294 that it failed to check if all the relevant curves were supported by the
296 accelerated and still have the built-in implementation compiled out.
299 considered not accelerated, and the built-in implementation of the curves
319 maximum size of any supported block cipher) or the new name
321 maximum size of a block cipher supported by the CMAC module).
334 provided - these limitations are lifted in this version. A new set of
336 to check for availability of hash algorithms, regardless of whether
337 they're provided by a built-in implementation, a driver or both. See
338 docs/driver-only-builds.md.
340 MBEDTLS_ECDH_C in the build in order to save code size. For TLS 1.2
343 TLS 1.2 (ECDHE-ECDSA key exchange) are not supported in those builds yet,
345 * When all of ECDH, ECDSA and EC J-PAKE are either disabled or provided by
348 algorithms in PSA, with some limitations. See docs/driver-only-builds.txt
352 * Add support for server-side TLS version negotiation. If both TLS 1.2 and
364 parameters from RFC 7919. This includes a built-in implementation based
376 string to a DER-encoded mbedtls_asn1_buf.
377 * Add SHA-3 family hash functions.
378 * Add support to restrict AES to 128-bit keys in order to save code size.
383 Aarch64, gcc -Os and CCM, GCM and XTS benefit the most.
384 On Aarch64, uplift is typically around 20 - 110%.
385 When compiling with gcc -Os on Aarch64, AES-XTS improves
387 * Add support for PBKDF2-HMAC through the PSA API.
393 - DERIVE is only available for ECC keys, not for RSA or DH ones.
394 - implementations are free to enable more than what it was strictly
399 and the ephemeral or psk-ephemeral key exchange mode are enabled.
412 * Support for "opaque" (PSA-held) ECC keys in the PK module has been
421 * Add support for PBKDF2-CMAC through the PSA API.
423 using CPU-accelerated AES (e.g., Arm Crypto Extensions), this option
424 disables the plain C implementation and the run-time detection for the
425 CPU feature, which reduces code size and avoids the vulnerability of the
444 review the size of the output buffer passed to this function, and note
451 (notably recent versions of Clang and IAR) could produce non-constant
454 * Updates to constant-time C code so that compilers are less likely to use
457 implementations for 32- and 64-bit Arm and for x86 and x86-64, which are
465 null-cipher cipher suites. Credit to OSS-Fuzz.
467 In TLS 1.3, all configurations are affected except PSK-only ones, and
472 Credit to OSS-Fuzz.
477 than all built-in ones and RSA is disabled.
491 * Fix the J-PAKE driver interface for user and peer to accept any values
494 M-class CPUs (Cortex-M0, Cortex-M0+, Cortex-M1, Cortex-M23,
507 mode of operation due to the input not being multiple of block size.
512 example TF-M configuration in configs/ from building cleanly:
527 * Fix a potential corruption of the passed-in IV when mbedtls_aes_crypt_cbc()
537 mbedtls_x509_san_other_name struct. The type-id of the otherName was not
541 detected by comparing the wrong field and the check was erroneously
544 enabled, where some low-level modules required by requested PSA crypto
553 * Fix the build with CMake when Everest or P256-m is enabled through
558 compiling with gcc, clang or armclang and -O0.
559 * Enforce minimum RSA key size when generating a key
576 = Mbed TLS 3.4.1 branch released 2023-08-04
582 * Update test data to avoid failures of unit tests after 2023-08-07.
584 = Mbed TLS 3.4.0 branch released 2023-03-28
599 optionally providing file-specific error pairs. Please see psa_util.h for
606 - Only the signed-data content type, version 1 is supported.
607 - Only DER encoding is supported.
608 - Only a single digest algorithm per message is supported.
609 - Certificates must be in X.509 format. A message must have either 0
611 - There is no support for certificate revocation lists.
612 - The authenticated and unauthenticated attribute fields of SignerInfo
615 contributing this feature, and to Demi-Marie Obenour for contributing
619 * Improvements to use of unaligned and byte-swapped memory, reducing code
620 size and improving performance (depending on compiler and target
628 This helps in saving code size when some of the above hashes are not
630 * Add parsing of V3 extensions (key usage, Netscape cert-type,
633 configuration-independent files. This allows them to be generated when
645 MBEDTLS_ECDSA_C in the build in order to save code size. For PK, X.509
650 * Add a driver dispatch layer for EC J-PAKE, enabling alternative
651 implementations of EC J-PAKE through the driver entry points.
655 * Add support for AES with the Armv8-A Cryptographic Extension on
656 64-bit Arm. A new configuration option, MBEDTLS_AESCE_C, can
657 be used to enable this feature. Run-time detection is supported
659 * When a PSA driver for EC J-PAKE is present, it is now possible to disable
660 MBEDTLS_ECJPAKE_C in the build in order to save code size. For the
664 to read non-public fields for padding mode and hash id from
666 * AES-NI is now supported with Visual Studio.
667 * AES-NI is now supported in 32-bit builds, or when MBEDTLS_HAVE_ASM
670 gcc -m32 -msse2 -maes -mpclmul). (Generic x86 builds with GCC-like
671 compilers still require MBEDTLS_HAVE_ASM and a 64-bit target.)
672 * It is now possible to use a PSA-held (opaque) password with the TLS 1.2
677 * Use platform-provided secure zeroization function where possible, such as
680 * Fix a potential heap buffer overread in TLS 1.3 client-side when
682 * Add support for AES with the Armv8-A Cryptographic Extension on 64-bit
683 Arm, so that these systems are no longer vulnerable to timing side-channel
687 builds that couldn't compile the GCC-style assembly implementation
689 timing side-channel attacks. There is now an intrinsics-based AES-NI
714 forbidden by the standard (RFC5280 - section 4.1.2.2) and now it's being
732 * Reject OIDs with overlong-encoded subidentifiers when converting
737 have the most-significant bit set in their last byte.
738 * Silence warnings from clang -Wdocumentation about empty \retval
742 * Fix an unused-variable warning in TLS 1.3-only builds if
746 * Allow setting user and peer identifiers for EC J-PAKE operation
753 * Fix TLS 1.3 session resumption when the established pre-shared key is
754 384 bits long. That is the length of pre-shared keys created under a
765 * Mixed-endian systems are explicitly not supported any more.
774 - now it accepts the serial number in 2 different formats: decimal and
776 - "serial" is used for the decimal format and it's limited in size to
778 - "serial_hex" is used for the hex format; max length here is
783 https://mbed-tls.readthedocs.io/en/latest/kb/how-to/rewrite-branch-for-coding-style/
789 to best results when tested on Cortex-M4 and Intel i7.
795 = Mbed TLS 3.3.0 branch released 2022-12-14
801 RFC 9146, which is not interoperable with the draft-05 version.
805 standard (non-draft) version.
829 * Expose the EC J-PAKE functionality through the Draft PSA PAKE Crypto API.
830 Only the ECC primitive with secp256r1 curve and SHA-256 hash algorithm
833 built-in implementation present, but only in some configurations.
834 - RSA OAEP and PSS (PKCS#1 v2.1), PKCS5, PKCS12 and EC J-PAKE now use
836 - PEM parsing of encrypted files now uses MD-5 from PSA when (and only
842 all hashes only provided by drivers (no built-in hash) is to use
846 As a consequence, they now work in configurations where the built-in
848 provided by PSA drivers. (See previous entry for limitation on RSA-PSS
852 * Add the LMS post-quantum-safe stateful-hash asymmetric signature scheme.
853 Signature verification is production-ready, but generation is for testing
859 * Add the LM-OTS post-quantum-safe one-time signature scheme, which is
862 * Mbed TLS now supports TLS 1.3 key establishment via pre-shared keys.
863 The pre-shared keys can be provisioned externally or via the ticket
881 * The TLS 1.2 EC J-PAKE key exchange can now use the PSA Crypto API.
892 * Add an ad-hoc key derivation function handling EC J-PAKE to PMS
894 as described in draft-cragie-tls-ecjpake-01. This can be achieved by
904 victim performing a single private-key operation if the window size used
906 Wenjian HE, Sharad Sinha, and Wei ZHANG. See "Cache Side-channel Attacks
907 and Defenses of the Sliding Window Algorithm in TEEs" - Design, Automation
911 * Refactor mbedtls_aes_context to support shallow-copying. Fixes #2147.
912 * Fix an issue with in-tree CMake builds in releases with GEN_FILES
915 * Fix a long-standing build failure when building x86 PIC code with old
918 * Fix support for little-endian Microblaze when MBEDTLS_HAVE_ASM is defined.
946 PSA drivers for AEAD (GCM, CCM, Chacha20-Poly1305).
961 * Add a configuration check to exclude optional client authentication
963 * Fix a bug in which mbedtls_x509_crt_info() would produce non-printable
970 * In the bignum module, operations of the form (-A) - (+A) or (-A) - (-A)
984 to OSS-Fuzz. Fixes #6597.
987 * Move some SSL-specific code out of libmbedcrypto where it had been placed
994 * Calling AEAD tag-specific functions for non-AEAD algorithms (which
995 should not be done - they are documented for use only by AES-GCM and
999 = Mbed TLS 3.2.1 branch released 2022-07-12
1002 * Re-add missing generated file library/psa_crypto_driver_wrappers.c
1004 = Mbed TLS 3.2.0 branch released 2022-07-11
1060 * Add mbedtls_pk_sign_ext() which allows generating RSA-PSS signatures when
1076 mixed-PSK. Add an optional input PSA_KEY_DERIVATION_INPUT_OTHER_SECRET
1085 * Add HKDF-Expand and HKDF-Extract as separate algorithms in the PSA API.
1086 * Add support for the ARMv8 SHA-2 acceleration instructions when building
1092 * Add support for client-side TLS version negotiation. If both TLS 1.2 and
1098 establishment only). See docs/architecture/tls13-support.md for a
1106 docs/use-psa-crypto.md for the list of exceptions.
1110 * Opaque pre-shared keys for TLS, provisioned with
1113 for the "mixed" PSK key exchanges as well: ECDHE-PSK, DHE-PSK, RSA-PSK.
1114 * cmake now detects if it is being built as a sub-project, and in that case
1123 * Zeroize dynamically-allocated buffers used by the PSA Crypto key storage
1132 * Fix a potential heap buffer overread in TLS 1.2 server-side when
1139 or a man-in-the-middle could cause a DTLS server to read up to 255 bytes
1143 and possibly up to 571 bytes with a custom cookie check function.
1148 amount minus the size of the input buffer. As overread data undergoes
1150 buffer is rather small but increases as its size
1152 * Fix check of certificate key usage in TLS 1.3. The usage of the public key
1169 enabled and an ECDHE-ECDSA or ECDHE-RSA key exchange was used, the
1170 client would fail to check that the curve selected by the server for
1183 * Fix a race condition in out-of-source builds with CMake when generated data
1189 the function needs to be re-called after initially returning
1219 * Fix check_config.h to check that we have MBEDTLS_SSL_KEEP_PEER_CERTIFICATE
1235 non-compliant. This could not lead to a buffer overflow. In particular,
1236 application data size was already checked correctly.
1255 see docs/proposed/psa-driver-wrappers-codegen-migration-guide.md
1256 * Return PSA_ERROR_INVALID_ARGUMENT if the algorithm passed to one-shot
1261 * Assume source files are in UTF-8 when using MSVC with CMake.
1274 = mbed TLS 3.1.0 branch released 2021-12-17
1286 POSIX/Unix-like platforms.
1289 * Sign-magnitude and one's complement representations for signed integers are
1308 supported on GCC-like compilers and on MSVC and can be configured through
1317 * Add support for CCM*-no-tag cipher to the PSA.
1318 Currently only 13-byte long IV's are supported.
1319 For decryption a minimum of 16-byte long input is expected.
1322 * Add functions to get the IV and block size from cipher_info structs.
1323 * Add functions to check if a cipher supports variable IV or key size.
1327 protocol. See docs/architecture/tls13-support.md for the definition of
1339 man-in-the-middle to inject fake ciphertext into a DTLS connection.
1348 * Fix a double-free that happened after mbedtls_ssl_set_session() or
1357 The check was accidentally not performed when cross-compiling for Windows
1369 * Fix mbedtls_cipher_crypt: AES-ECB when MBEDTLS_USE_PSA_CRYPTO is enabled.
1370 * Failures of alternative implementations of AES or DES single-block
1374 where this function cannot fail, or full-module replacements with
1379 * Fix compile-time or run-time errors in PSA
1383 psa_aead_finish() and psa_aead_verify() does not apply to the built-in
1386 the built-in implementation of the GCM.
1387 The requirement for output buffer size to be equal or greater than
1388 input buffer size is valid only for the built-in implementation of GCM.
1422 oversight during the run-up to the release of Mbed TLS 3.0.
1424 * Implement multi-part CCM API.
1425 The multi-part functions: mbedtls_ccm_starts(), mbedtls_ccm_set_lengths(),
1432 code size by about 80B on an M0 build. This option only gated an ability
1435 * Improve the performance of base64 constant-flow code. The result is still
1436 slower than the original non-constant-flow implementation, but much faster
1437 than the previous constant-flow implementation. Fixes #4814.
1438 * Ignore plaintext/ciphertext lengths for CCM*-no-tag operations.
1442 ChaCha20-Poly1305 is invalid, and not just unsupported.
1449 * The generated configuration-independent files are now automatically
1450 generated by the CMake build system on Unix-like systems. This is not
1451 yet supported when cross-compiling.
1453 = Mbed TLS 3.0.0 branch released 2021-07-07
1462 https://mbed-tls.readthedocs.io/en/latest/kb/how-to/add-entropy-sources-to-entropy-pool/ for
1466 header compat-1.3.h and the script rename.pl.
1485 * Drop support for TLS record-level compression (MBEDTLS_ZLIB_SUPPORT).
1487 * Drop support for single-DES ciphersuites.
1489 * Update AEAD output size macros to bring them in line with the PSA Crypto
1491 key type used, as well as the key bit-size in the case of
1506 when outputting a SHA-384 or SHA-224 hash into a buffer of exactly
1507 the hash size.
1527 session-ID based session resumption) has changed to that of
1528 a key-value store with keys being session IDs and values
1542 * For multi-part AEAD operations with the cipher module, calling
1547 * The option MBEDTLS_ECP_FIXED_POINT_OPTIM use pre-computed comb tables
1549 code size, and it does not increase RAM usage in runtime anymore.
1589 context are now connection-specific.
1591 length parameter to be the size of the hash input. For RSA signatures
1592 other than raw PKCS#1 v1.5, this must match the output size of the
1597 indicating the size of the output buffer for the signature.
1598 * Implement one-shot cipher functions, psa_cipher_encrypt and
1611 They are: ARIA block cipher, CMAC mode, elliptic curve J-PAKE library and
1612 Key Wrapping mode as defined in NIST SP 800-38F. Fixes #4036.
1624 release, some configuration-independent files are now generated at build
1635 compile-time option, which was off by default. Users should not trust
1636 certificates signed with SHA-1 due to the known attacks against SHA-1.
1637 If needed, SHA-1 certificates can still be verified by using a custom
1645 https://lists.trustedfirmware.org/pipermail/mbed-tls/2020-April/000024.html
1649 compile-time option. This option has been inactive for a long time.
1652 * Remove the following deprecated functions and constants of hex-encoded
1678 * The RSA module no longer supports private-key operations with the public
1718 using a CCM-8 ciphersuite than a CBC ciphersuite with truncated HMAC.
1720 * Remove the compile-time option
1728 * Added support for built-in driver keys through the PSA opaque crypto
1732 * The multi-part GCM interface (mbedtls_gcm_update() or
1733 mbedtls_cipher_update()) no longer requires the size of partial inputs to
1735 * The multi-part GCM interface now supports chunked associated data through
1742 See docs/architecture/alternative-implementations.md for the remaining
1745 query the size of the modulus in a Diffie-Hellman context.
1747 Diffie-Hellman context.
1755 * Fix a bias in the generation of finite-field Diffie-Hellman-Merkle (DHM)
1767 victim performing a single private-key operation. Found and reported by
1770 information (typically, a co-located process) could recover a Curve25519
1772 observing the victim performing the corresponding private-key operation.
1790 * Fix a bug in ECDSA that would cause it to fail when the hash is all-bits
1795 mbedtls_mpi_read_string() was called on "-0", or when
1801 * In a TLS client, enforce the Diffie-Hellman minimum parameter size
1803 minimum size was rounded down to the nearest multiple of 8.
1812 * The cipher suite TLS-RSA-WITH-CAMELLIA-256-GCM-SHA384 was not available
1813 when SHA-1 was disabled and was offered when SHA-1 was enabled but SHA-384
1815 * Do not offer SHA384 cipher suites when SHA-384 is disabled. Fixes #4499.
1817 Arm Cortex-M. Fixes #4530.
1819 directive in a header and a missing initialization in the self-test.
1820 * Fix a missing initialization in the Camellia self-test, affecting
1827 (when the encrypt-then-MAC extension is not in use) with some ALT
1828 implementations of the underlying hash (SHA-1, SHA-256, SHA-384), causing
1830 * Remove outdated check-config.h check that prevented implementing the
1842 * psa_verify_hash() was relying on implementation-specific behavior of
1853 Credit to OSS-Fuzz. Fixes #4641.
1858 read-only lifetime. The persistence level PSA_KEY_PERSISTENCE_READ_ONLY
1879 * Remove configs/config-psa-crypto.h, which no longer had any intended
1919 = mbed TLS 2.26.0 branch released 2021-03-08
1922 * Renamed the PSA Crypto API output buffer size macros to bring them in line
1924 * The API glue function mbedtls_ecc_group_of_psa() now takes the curve size
1926 size may have been rounded up to a whole number of bytes.
1972 mbedtls_ctr_drbg_set_entropy_len() with a size that was 3/2 times the key
1973 length, or when the entropy module uses SHA-256 and CTR_DRBG uses AES-256.
1979 |A| - |B| where |B| is larger than |A| and has more limbs (so the
1987 supported size.
1996 * Fix use-after-scope error in programs/ssl/ssl_client2.c and ssl_server2.c
2007 fail. Such a double-free was not safe when MBEDTLS_THREADING_C was
2009 * Fix a resource leak in a bad-arguments case of mbedtls_rsa_gen_key()
2020 the extension was always marked as non-critical. This was fixed by
2030 = mbed TLS 2.25.0 branch released 2020-12-11
2040 as they have no way to check if the output buffer is large enough.
2042 mbedtls_cipher_auth_decrypt_ext() instead. Credit to OSS-Fuzz and
2067 This is currently non-standard behaviour, but expected to make it into a
2074 * Add support for DTLS-SRTP as defined in RFC 5764. Contributed by Johan
2078 identical to psa_key_id_t instead of being platform-defined. This bridges
2090 size of the output buffer when used with NIST_KW. As a result, code using
2094 * Limit the size of calculations performed by mbedtls_mpi_exp_mod to
2096 generating Diffie-Hellman key pairs. Credit to OSS-Fuzz.
2100 are implemented. This could cause failures or the silent use of non-random
2105 algorithm parameters (only the size) when comparing the signature in the
2108 (size zero) to the library and thus the certificate would be considered
2132 * Use socklen_t on Android and other POSIX-compliant systems
2133 * Fix the build when the macro _GNU_SOURCE is defined to a non-empty value.
2150 * Fix an off-by-one error in the additional data length check for
2151 CCM, which allowed encryption with a non-standard length field.
2153 * Correct the default IV size for mbedtls_cipher_info_t structures using
2160 * Attempting to create a volatile key with a non-zero key identifier now
2169 * Fix a case in elliptic curve arithmetic where an out-of-memory condition
2189 specification (docs/architecture/mbed-crypto-storage-specification.md).
2193 zeroize the pointed-to buffer. Reported by Antonio de la Piedra, CEA
2196 = mbed TLS 2.24.0 branch released 2020-09-01
2199 * In the PSA API, rename the types of elliptic curve and Diffie-Hellman
2217 -Wformat-signedness, and fix the code that causes signed-one-bit-field
2218 and sign-compare warnings. Contributed by makise-homura (Igor Molchanov)
2227 attacker could for example impersonate a 4-byte or 16-byte domain by
2243 Encrypt-then-Mac extension, use constant code flow memory access patterns
2244 to extract and check the MAC. This is an improvement to the existing
2246 effective against network-based attackers, but less so against local
2248 if they have access to fine-grained measurements. In particular, this
2252 * Fix side channel in RSA private key operations and static (finite-field)
2253 Diffie-Hellman. An adversary with precise enough timing and memory access
2255 enclave) could bypass an existing counter-measure (base blinding) and
2257 * Fix a 1-byte buffer overread in mbedtls_x509_crl_parse_der().
2258 Credit to OSS-Fuzz for detecting the problem and to Philippe Antoine
2272 Montgomery keys in little-endian as defined by RFC7748. Contributed by
2275 curves. Raised by signpainter in #941 and by Taiki-San in #1412. This
2277 * Fix self-test failure when the only enabled short Weierstrass elliptic
2289 * Only pass -Wformat-signedness to versions of GCC that support it. Reported
2304 these applications with password-protected key files. Analogously but for
2309 = mbed TLS 2.23.0 branch released 2020-07-01
2322 high- and low-level error codes, complementing mbedtls_strerror()
2326 * The new utility programs/ssl/ssl_context_info prints a human-readable
2343 Ming-Wei Shih, Prasun Gera, Taesoo Kim and Hyesoon Kim (Georgia Institute
2354 * Fix issue in Lucky 13 counter-measure that could make it ineffective when
2390 * Fix false positive uninitialised variable reported by cpp-check.
2399 clean of -Wformat-signedness warnings. Contributed by Kenneth Soerensen
2406 * Simplify a bounds check in ssl_write_certificate_request(). Contributed
2411 * Fix mbedtls_x509_dn_gets to escape non-ASCII characters as "?".
2423 `MBEDTLS_CTR_DRBG_C` or `MBEDTLS_HMAC_DRBG_C` for some side-channel
2432 = mbed TLS 2.22.0 branch released 2020-04-14
2453 Billy Brumley and Cesar Pereida Garcia. CVE-2020-10932
2465 * Remove a spurious check in ssl_parse_client_psk_identity that triggered
2479 = mbed TLS 2.21.0 branch released 2020-02-20
2485 * Deprecate for MBEDTLS_PKCS11_C, the wrapper around the pkcs11-helper
2492 probability (of the order of 2^-n where n is the bitsize of the curve)
2500 ARMmbed/mbed-crypto#352
2503 * The new build option MBEDTLS_SHA512_NO_SHA384 allows building SHA-512
2504 support without SHA-384.
2512 a curve family and the key size determines the exact curve (for example,
2513 PSA_ECC_CURVE_SECP_R1 with 256 bits is P256R1). ARMmbed/mbed-crypto#330
2519 * Fix some false-positive uninitialized variable warnings in X.509. Fix
2520 contributed by apple-ihack-geek in #2663.
2522 a cryptographic accelerator fails. ARMmbed/mbed-crypto#345
2525 keys. Found by Catena cyber using oss-fuzz (issue 20467).
2529 = mbed TLS 2.20.0 branch released 2020-01-15
2533 entropy function to obtain entropy for a nonce if the entropy size is less
2534 than 3/2 times the key size. In case you want to disable the extra call to
2544 bytes (size of the entropy accumulator).
2571 initial seeding. The default nonce length is chosen based on the key size
2572 to achieve the security strength defined by NIST SP 800-90A. You can
2575 msopiha-linaro in ARMmbed/mbed-crypto#307.
2578 * In the PSA API, forbid zero-length keys. To pass a zero-length input to a
2585 * Fix an incorrect size in a debugging message. Reported and fix
2592 unsupported algorithm. Fixes ARMmbed/mbed-crypto#254.
2594 to OSS-Fuzz for finding a bug in an intermediate version of the fix.
2610 merely a robustness improvement. ARMmbed/mbed-crypto#323
2612 Alexander Krizhanovsky in ARMmbed/mbed-crypto#210.
2614 Lloyd and Fortanix Inc in ARMmbed/mbed-crypto#277.
2616 Alexander Krizhanovsky in ARMmbed/mbed-crypto#308.
2618 = mbed TLS 2.19.1 branch released 2019-09-16
2632 * Fix some false-positive uninitialized variable warnings in crypto. Fix
2633 contributed by apple-ihack-geek in #2663.
2635 = mbed TLS 2.19.0 branch released 2019-09-06
2641 * When writing a private EC key, use a constant size for the private
2643 as an ASN.1 INTEGER, which caused the size of the key to leak
2646 * The deterministic ECDSA calculation reused the scheme's HMAC-DRBG to
2655 store it in non-volatile storage, and later using it for TLS session
2660 The feature is enabled at compile-time by MBEDTLS_SSL_RECORD_CHECKING
2663 (https://project-everest.github.io/). It can be enabled at compile time
2666 (32-bit and 64-bit) using GCC, Clang or Visual Studio. Contributed by
2674 * Add DER-encoded test CRTs to library/certs.c, allowing
2681 mbedtls_ecdh_can_do() on each result to check whether each algorithm is
2695 lead to successful parsing of ill-formed X.509 CRTs. Fixes #2437.
2696 * Fix multiple X.509 functions previously returning ASN.1 low-level error
2701 * Fix typo in net_would_block(). Fixes #528 reported by github-monoculture.
2712 This previously limited the maximum size of DER encoded certificates
2722 address-sanitizer and enabling but not using MBEDTLS_ECP_RESTARTABLE.
2725 * Improve code clarity in x509_crt module, removing false-positive
2733 * Replace multiple uses of MD2 by SHA-256 in X.509 test suite. Fixes #821.
2737 * Add a Dockerfile and helper scripts (all-in-docker.sh, basic-in-docker.sh,
2738 docker-env.sh) to simplify running test suites on a Linux host. Contributed
2744 * Add fuzz targets, especially for continuous fuzzing with OSS-Fuzz.
2750 = mbed TLS 2.18.1 branch released 2019-07-12
2760 = mbed TLS 2.18.0 branch released 2019-06-11
2767 * Add the Wi-SUN Field Area Network (FAN) device extended key usage.
2769 * It is now possible to perform RSA PKCS v1.5 signatures with RIPEMD-160 digest.
2772 and the used tls-prf.
2773 * Add public API for tls-prf function, according to requested enum.
2782 * Add support for draft-05 of the Connection ID extension, as specified
2783 in https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05.
2788 changed its IP or port. The feature is enabled at compile-time by setting
2789 MBEDTLS_SSL_DTLS_CONNECTION_ID (disabled by default), and at run-time
2795 and the used tls-prf.
2796 * Add public API for tls-prf function, according to requested enum.
2805 * Fix 1-byte buffer overflow in mbedtls_mpi_write_string() when
2807 OSS-Fuzz.
2819 * Add a check for MBEDTLS_X509_CRL_PARSE_C in ssl_server2, guarding the crl
2823 Credit to OSS-Fuzz.
2826 * Server's RSA certificate in certs.c was SHA-1 signed. In the default
2827 mbedTLS configuration only SHA-2 signed certificates are accepted.
2831 updated to one that is SHA-256 signed. Fix contributed by
2842 = mbed TLS 2.17.0 branch released 2019-03-19
2846 which allows copy-less parsing of DER encoded X.509 CRTs,
2859 for the benefit of saving RAM, by disabling the new compile-time
2882 in the header files, which missed the precompilation check. #971
2887 * Fix signed-to-unsigned integer conversion warning
2919 * Fix configuration queries in ssl-opt.h. #2030
2920 * Ensure that ssl-opt.h can be run in OS X. #2029
2921 * Re-enable certain interoperability tests in ssl-opt.sh which had previously
2926 = mbed TLS 2.16.0 branch released 2018-12-21
2944 mbedtls_ctr_drbg_update() -> mbedtls_ctr_drbg_update_ret()
2945 mbedtls_hmac_drbg_update() -> mbedtls_hmac_drbg_update_ret()
2949 the more generic per-module error codes MBEDTLS_ERR_xxx_BAD_INPUT_DATA.
2951 modules - AES, ARIA, Blowfish, CAMELLIA, CCM, GCM, DHM, ECP, ECDSA, ECDH,
2972 * Fix an unsafe bounds check when restoring an SSL session from a ticket.
2981 of check for certificate/key matching. Reported by Attila Molnar, #507.
2983 = mbed TLS 2.15.1 branch released 2018-11-30
2988 = mbed TLS 2.15.0 branch released 2018-11-23
2998 * Add unit tests for AES-GCM when called through mbedtls_cipher_auth_xxx()
3001 = mbed TLS 2.14.1 branch released 2018-11-30
3005 decryption that could lead to a Bleichenbacher-style padding oracle
3012 in the paper available here: http://cat.eyalro.net/cat.pdf CVE-2018-19608
3013 * In mbedtls_mpi_write_binary(), don't leak the exact size of the number
3030 = mbed TLS 2.14.0 branch released 2018-11-19
3039 * Fix a flawed bounds check in server PSK hint parsing. In case the
3041 space and a PSK-(EC)DHE ciphersuite was used, this allowed an attacker
3046 adversary to construct non-primes that would be erroneously accepted as
3051 pairs or Diffie-Hellman parameters, but was insufficient to validate
3052 Diffie-Hellman parameters properly.
3059 constrained, single-threaded systems where ECC is time consuming and can
3065 implemented client-side, for ECDHE-ECDSA ciphersuites in TLS 1.2,
3071 * Extend RSASSA-PSS signature to allow a smaller salt size. Previously, PSS
3073 an error if this was not possible. Now the salt size may be up to two bytes
3075 that comply with FIPS 186-4, including SHA-512 with a 1024-bit key.
3076 * Add support for 128-bit keys in CTR_DRBG. Note that using keys shorter
3095 Miller-Rabin rounds.
3108 padded records in case of CBC ciphersuites using Encrypt-then-MAC.
3119 wildcards and non-ASCII characters being unusable in some DN attributes.
3121 Thomas-Dee.
3125 Reported by ole-de and ddhome2006. Fixes #882, #1642 and #1706.
3145 Thomas-Dee.
3147 Fixes #517 reported by github-monoculture.
3150 by FIPS-186-4.
3152 = mbed TLS 2.13.1 branch released 2018-09-06
3156 whose implementation should behave as a thread-safe version of gmtime().
3166 = mbed TLS 2.13.0 branch released 2018-08-31
3177 with the peer, as well as by a new per-connection MTU option, set using
3179 * Add support for auto-adjustment of MTU to a safe value during the
3184 * Add support for buffering out-of-order handshake messages in DTLS.
3186 compile-time constant MBEDTLS_SSL_DTLS_MAX_BUFFERING defined
3205 * Fix potential use-after-free in mbedtls_ssl_get_max_frag_len()
3210 check in parsing the CertificateRequest message,
3216 (found by Catena cyber using oss-fuzz)
3228 * Add support for buffering of out-of-order handshake messages.
3233 = mbed TLS 2.12.0 branch released 2018-07-25
3236 * Fix a vulnerability in TLS ciphersuites based on CBC and using SHA-384,
3244 or CCM instead of CBC, using hash sizes other than SHA-384, or using
3245 Encrypt-then-Mac (RFC 7366) were not affected. The vulnerability was
3246 caused by a miscalculation (for SHA-384) in a countermeasure to the
3257 instead of CBC or using Encrypt-then-Mac (RFC 7366) were not affected.
3259 * Add a counter-measure against a vulnerability in TLS ciphersuites based
3265 Encrypt-then-Mac (RFC 7366) were not affected. Found by Kenny Paterson,
3269 * Add new crypto primitives from RFC 7539: stream cipher Chacha20, one-time
3270 authenticator Poly1305 and AEAD construct Chacha20-Poly1305. Contributed
3272 * Add support for CHACHA20-POLY1305 ciphersuites from RFC 7905.
3273 * Add platform support for the Haiku OS. (https://www.haiku-os.org).
3276 where the outgoing buffer can be fixed at a smaller size than the incoming
3281 NIST SP 800-38F algorithms KW and KWP and by RFC 3394 and RFC 5649.
3308 CBC based ciphersuite is used together with Encrypt-then-MAC. Previously,
3313 * Fix ssl_client2 example to send application data with 0-length content
3318 * Fix build using -std=c99. Fixed by Nick Wilson.
3322 zero-length messages when using TLS 1.2. Contributed by Espressif Systems.
3324 when calling with a NULL salt and non-zero salt_len. Contributed by
3328 * Allow overriding the time on Windows via the platform-time abstraction.
3330 * Use gmtime_r/gmtime_s for thread-safety. Fixed by Nick Wilson.
3332 = mbed TLS 2.11.0 branch released 2018-06-18
3337 * Implement the HMAC-based extract-and-expand key derivation function
3340 * Add support for the XTS block cipher mode with AES (AES-XTS).
3344 non-blocking operation of the TLS server stack.
3361 = mbed TLS 2.10.0 branch released 2018-06-06
3380 build to fail. Found by zv-io. Fixes #1651.
3383 * Support TLS testing in out-of-source builds using cmake. Fixes #1193.
3387 = mbed TLS 2.9.0 branch released 2018-04-30
3394 would require a non DER-compliant certificate to be correctly signed by a
3395 trusted CA, or a trusted CA with a non DER-compliant certificate. Found by
3403 * Fix a client-side bug in the validation of the server's ciphersuite choice
3423 a check for whether more data is pending to be processed in the
3426 underlying transport in case event-driven IO is used.
3432 in configurations that omit certain hashes or public-key algorithms.
3454 in the internal buffers; these cases led to deadlocks when event-driven
3471 public-key algorithms. Includes contributions by Gert van Dijk.
3491 letter must not be prefixed by '-', such as LLVM. Found and fixed by
3501 HMAC functions with non-HMAC ciphersuites. Independently contributed
3504 FIPS 186-4. Contributed by Jethro Beekman. #1380
3512 = mbed TLS 2.8.0 branch released 2018-03-16
3542 uses PBKDF2-SHA2, such as OpenSSL 1.1. Submitted by Antonio Quartulli,
3553 * Fix test_suite_pk to work on 64-bit ILP32 systems. #849
3579 * Fix a 1-byte heap buffer overflow (read-only) during private key parsing.
3593 = mbed TLS 2.7.0 branch released 2018-02-03
3601 both TLS and DTLS. CVE-2018-0488
3602 * Fix a buffer overflow in RSA-PSS verification when the hash was too large
3603 for the key size, which could potentially lead to crash or remote code
3605 Qualcomm Technologies Inc. CVE-2018-0487
3606 * Fix buffer overflow in RSA-PSS verification when the unmasked data is all
3608 * Fix an unsafe bounds check in ssl_parse_client_psk_identity() when adding
3616 was independently reported by Tim Nordell via e-mail and by Florin Petriuc
3627 * Make mbedtls_mpi_read_binary() constant-time with respect to the input
3633 * Fix a potential heap buffer over-read in ALPN extension parsing
3634 (server-side). Could result in application crash, but only if an ALPN
3637 to RFC 3526 containing parameters generated in a nothing-up-my-sleeve
3644 * New unit tests for timing. Improve the self-test to be more robust
3645 when run on a heavily-loaded machine.
3667 * Extend RSA interface by multiple functions allowing structure-
3680 mbedtls_<MODULE>_starts() -> mbedtls_<MODULE>_starts_ret()
3681 mbedtls_<MODULE>_update() -> mbedtls_<MODULE>_update_ret()
3682 mbedtls_<MODULE>_finish() -> mbedtls_<MODULE>_finish_ret()
3683 mbedtls_<MODULE>_process() -> mbedtls_internal_<MODULE>_process()
3686 * Deprecate usage of RSA primitives with non-matching key-type
3711 renegotiated handshakes would only accept signatures using SHA-1
3712 regardless of the peer's preferences, or fail if SHA-1 was disabled.
3716 * Fix some invalid RSA-PSS signatures with keys of size 8N+1 that were
3718 * Fix out-of-memory problem when parsing 4096-bit PKCS8-encrypted RSA keys.
3731 * Correct extraction of signature-type from PK instance in X.509 CRT and CSR
3735 non-v3 CRT's.
3740 MBEDTLS_SSL_RENEGOTIATION is disabled. Found by erja-gp.
3741 * Add a check for invalid private parameters in mbedtls_ecdsa_sign().
3743 * Fix word size check in pk.c to not depend on MBEDTLS_HAVE_INT64.
3745 * Add size-checks for record and handshake message content, securing
3746 fragile yet non-exploitable code-paths.
3778 * Only check for necessary RSA structure fields in `mbedtls_rsa_private`. In
3782 * Only run AES-192 self-test if AES-192 is available. Fixes #963.
3793 * Add explicit warnings for the use of MD2, MD4, MD5, SHA-1, DES and ARC4
3796 = mbed TLS 2.6.0 branch released 2017-08-10
3812 platform-specific setup and teardown operations. The macro
3824 * Certificate verification functions now set flags to -1 in case the full
3832 * Add a check if iv_len is zero in GCM, and return an error if it is zero.
3839 * Add MBEDTLS_MPI_CHK to check for error value of mbedtls_mpi_fill_random.
3841 * Fix conditional preprocessor directives in bignum.h to enable 64-bit
3845 to bypass the version verification check. Found by Peng Li/Yueh-Hsun Lin,
3849 to bypass the version verification check. Found by Peng Li/Yueh-Hsun Lin,
3853 constructed certificates to bypass the certificate verification check.
3861 64-bit division. This is useful on embedded platforms where 64-bit division
3867 config-no-entropy.h to reduce the RAM footprint.
3872 = mbed TLS 2.5.1 released 2017-06-21
3875 * Fixed unlimited overread of heap-based buffer in mbedtls_ssl_read().
3876 The issue could only happen client-side with renegotiation enabled.
3880 * Removed SHA-1 and RIPEMD-160 from the default hash algorithms for
3881 certificate verification. SHA-1 can be turned back on with a compile-time
3886 potential Bleichenbacher/BERserk-style attack.
3889 * Remove size zero arrays from ECJPAKE test suite. Size zero arrays are not
3891 and with GCC using the -Wpedantic compilation option.
3892 * Fix insufficient support for signature-hash-algorithm extension,
3919 by Jean-Philippe Aumasson.
3921 = mbed TLS 2.5.0 branch released 2017-05-17
3928 against side-channel attacks like the cache attack described in
3947 mbedtls_aes_decrypt() -> mbedtls_internal_aes_decrypt()
3948 mbedtls_aes_encrypt() -> mbedtls_internal_aes_encrypt()
3951 * Remove macros from compat-1.3.h that correspond to deleted items from most
3955 * Add checks in the PK module for the RSA functions on 64-bit systems.
3960 = mbed TLS 2.4.2 branch released 2017-03-08
3964 using RSA through the PK module in 64-bit systems. The issue was caused by
3967 mbedtls_pk_sign(). Found by Jean-Philippe Aumasson.
3981 team. #569 CVE-2017-2784
3990 mbedtls_ssl_set_bio_timeout in compat-1.3.h, by removing it.
3991 Found by omlib-lin. #673
4012 Li/Yueh-Hsun Lin, KNOX Security, Samsung Research America.
4028 = mbed TLS 2.4.1 branch released 2016-12-13
4031 * Update to CMAC test data, taken from - NIST Special Publication 800-38B -
4035 = mbed TLS 2.4.0 branch released 2016-10-17
4039 with RFC-5116 and could lead to session key recovery in very long TLS
4040 sessions. "Nonce-Disrespecting Adversaries Practical Forgery Attacks on GCM in
4041 TLS" - H. Bock, A. Zauner, S. Devlin, J. Somorovsky, P. Jovanovic.
4049 * Added support for CMAC for AES and 3DES and AES-CMAC-PRF-128, as defined by
4050 NIST SP 800-38B, RFC-4493 and RFC-4615.
4058 * Added a configuration file config-no-entropy.h that configures the subset of
4071 * Fix for key exchanges based on ECDH-RSA or ECDH-ECDSA which weren't
4073 * Fix for out-of-tree builds using CMake. Found by jwurzer, and fix based on
4086 subramanyam-c. #622
4092 * Fix check for validity of date when parsing in mbedtls_x509_get_time().
4093 Found by subramanyam-c. #626
4101 * Removed self-tests from the basic-built-test.sh script, and added all
4102 missing self-tests to the test suites, to ensure self-tests are only
4105 * Added support for a Yotta specific configuration file -
4116 = mbed TLS 2.3.0 branch released 2016-06-28
4119 * Fix missing padding length check in mbedtls_rsa_rsaes_pkcs1_v15_decrypt
4134 arguments were the same (in-place doubling). Found and fixed by Janos
4153 * Fix test in ssl-opt.sh that does not run properly with valgrind
4157 * On ARM platforms, when compiling with -O0 with GCC, Clang or armcc5,
4159 the need to pass -fomit-frame-pointer to avoid a build error with -O0.
4161 * Optimized mbedtls_mpi_zeroize() for MPI integer size. (Fix by Alexey
4163 * Fix non-compliant server extension handling. Extensions for SSLv3 are now
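The padding-length check added in this release, and the Bleichenbacher-style padding oracle fixed later in 2.14.1 (CVE-2018-19608, above), concern the same routine: RSAES-PKCS1-v1_5 decoding. The following is an added illustration, not Mbed TLS code, of what the decoder has to check and how it has to check it. `unpad_pkcs1_v15_naive()` shows the shape of the problem (early returns, and a padding string PS of any length accepted); `unpad_pkcs1_v15_checked()` visits every byte of a fixed-size buffer, folds every failure into one flag and enforces the minimum PS length of 8 octets from RFC 8017 section 7.2.2. Python gives no constant-time guarantee, so the point is the structure that the C code has to reproduce with masks, not the timing of this script:

```python
MIN_PS_LEN = 8  # RFC 8017 7.2.2 step 3: the padding string PS is at least 8 octets


def unpad_pkcs1_v15_naive(em: bytes) -> bytes:
    """Problem shape: early exits and no minimum padding length.

    Each failure returns at a different point, and a 0x00 right after the
    0x00 0x02 header is accepted as an empty (zero-length) padding string.
    """
    if em[0] != 0x00 or em[1] != 0x02:
        raise ValueError("bad block type")
    sep = em.index(0x00, 2)          # raises ValueError when no separator exists
    return em[sep + 1:]


def unpad_pkcs1_v15_checked(em: bytes, k: int) -> tuple:
    """Decode EM = 0x00 || 0x02 || PS || 0x00 || M with a single error flag.

    k is the modulus length in bytes. Returns (bad, message); the caller must
    treat message as garbage whenever bad is 1 and must not report which
    check failed, or a padding oracle is handed to the attacker.
    """
    bad = int(len(em) != k)
    buf = (em + bytes(k))[:k]        # always scan exactly k bytes, even on a length mismatch
    bad |= int(buf[0] != 0x00)
    bad |= int(buf[1] != 0x02)
    found = 0
    sep = 0
    for i in range(2, k):            # no break: every position is visited
        is_zero = int(buf[i] == 0x00)
        sep |= i * (is_zero & (1 - found))   # keep only the first zero
        found |= is_zero
    bad |= 1 - found                 # no separator at all
    bad |= int(sep - 2 < MIN_PS_LEN) # PS shorter than 8 bytes (also covers sep == 0)
    msg = buf[sep + 1:]              # computed unconditionally; meaningless when bad == 1
    return bad, msg
```

A real decryptor goes one step further than this function: on `bad == 1` it still performs work of the same shape and returns the same error code for every failure, so the rejection path is indistinguishable from the outside.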
4166 = mbed TLS 2.2.1 released 2016-01-05
4178 * Fix over-restrictive length limit in GCM. Found by Andreas-N. #362
4190 = mbed TLS 2.2.0 released 2015-11-04
4208 * Experimental support for EC J-PAKE as defined in Thread 1.0.0.
4211 block. (Potential uses include EAP-TLS and Thread.)
4214 * Self-signed certificates were not excluded from pathlen counting,
4217 * Fix build error with configurations where ECDHE-PSK is the only key
4219 * Fix build error with configurations where RSA, RSA-PSK, ECDH-RSA or
4220 ECDH-ECDSA is the only key exchange. Multiple reports. #310
4221 * Fixed a bug causing some handshakes to fail due to some non-fatal alerts
4222 not being properly ignored. Found by mancha and Kasom Koht-arsa, #308
4224 size/curve against the profile. Before that, there was no way to set a
4225 minimum key size for end-entity certificates with RSA keys. Found by
4236 or -1.
4238 = mbed TLS 2.1.2 released 2015-10-06
4241 * Added fix for CVE-2015-5291 to prevent heap corruption due to buffer
4244 * Fix potential double-free if mbedtls_ssl_set_hs_psk() is called more than
4261 buffer is 512MB or larger on 32-bit platforms. Found by Guido Vranken,
4263 * Fix potential double-free if mbedtls_conf_psk() is called repeatedly on
4282 = mbed TLS 2.1.1 released 2015-09-17
4285 * Add countermeasure against Lenstra's RSA-CRT attack for PKCS#1 v1.5
4287 https://securityblog.redhat.com/2015/09/02/factoring-rsa-keys-with-tls-perfect-forward-secrecy/
4288 * Fix possible client-side NULL pointer dereference (read) when the client
4291 afl-fuzz.)
4295 * Fix off-by-one error in parsing Supported Point Format extension that
4306 MBEDTLS_ERR_SSL_CLIENT_RECONNECT - it is then possible to start a new
4309 = mbed TLS 2.1.0 released 2015-09-04
4317 * Fix build error with CMake and pre-4.5 versions of GCC (found by Hugo
4325 * Fix compile error with armcc 5 with --gnu option.
4330 * Fix missing -static-libgcc when building shared libraries for Windows
4339 * Fix -Wshadow warnings (found by hnrkp) (#240)
4341 SSL_MAX_CONTENT_LEN or higher - not triggerable remotely (found by
4349 * It is now possible to #include a user-provided configuration file at the
4353 trusted, no later cert is checked. (suggested by hannes-landeholm)
4360 = mbed TLS 2.0.0 released 2015-07-13
4367 * New server-side implementation of session tickets that rotate keys to
4373 * Introduced a concept of presets for SSL security-relevant configuration
4381 Migration helpers scripts/rename.pl and include/mbedtls/compat-1.3.h are
4382 provided. Full list of renamings in scripts/data_files/rename-1.3-2.0.txt
4384 mbedtls_cipher_info_t.key_length -> key_bitlen
4385 mbedtls_cipher_context_t.key_length -> key_bitlen
4386 mbedtls_ecp_curve_info.size -> bit_size
4391 mbedtls_ssl_init() -> mbedtls_ssl_setup()
4392 mbedtls_ccm_init() -> mbedtls_ccm_setkey()
4393 mbedtls_gcm_init() -> mbedtls_gcm_setkey()
4394 mbedtls_hmac_drbg_init() -> mbedtls_hmac_drbg_seed(_buf)()
4395 mbedtls_ctr_drbg_init() -> mbedtls_ctr_drbg_seed()
4401 (see rename.pl and compat-1.3.h above) and their first argument's type
4404 additional callback for read-with-timeout).
4423 mbedtls_x509_crt_verify() (flags, f_vrfy -> needs to be updated)
4424 mbedtls_ssl_conf_verify() (f_vrfy -> needs to be updated)
4425 * The following functions changed prototype to avoid an in-out length
4433 * net_accept() gained new arguments for the size of the client_ip buffer.
4443 * Test certificates in certs.c are no longer guaranteed to be nul-terminated
4472 * Removed compat-1.2.h (helper for migrating from 1.2 to 1.3).
4476 been removed (compiler is required to support 32-bit operations).
4479 * Removed test program ssl_test, superseded by ssl-opt.sh.
4480 * Removed helper script active-config.pl
4486 Semi-API changes (technically public, morally private)
4507 * Default DHM parameters server-side upgraded from 1024 to 2048 bits.
4508 * A minimum RSA key size of 2048 bits is now enforced during certificate
4511 * The following functions are now case-sensitive:
4530 * DTLS no longer hard-depends on TIMING_C, but uses a callback interface
4539 thread-safe if MBEDTLS_THREADING_C is enabled.
4540 * Reduced ROM footprint of SHA-256 and added an option to reduce it even
4549 * Add countermeasure against "Lucky 13 strikes back" cache-based attack,
4559 * Add support for id-at-uniqueIdentifier in X.509 names.
4565 cross-compilation easier (thanks to Alon Bar-Lev).
4566 * The benchmark program also prints heap usage for public-key primitives
4568 * New script ecc-heap.sh helps measuring the impact of ECC parameters on
4571 reduced configurations (PSK-CCM and NSA suite B).
4603 * Fix potential unintended sign extension in asn1_get_len() on 64-bit
4610 * Add missing dependency on SHA-256 in some x509 programs (reported by
4612 * Fix bug related to ssl_set_curves(): the client didn't check that the
4621 * compat-1.2.h and openssl.h are deprecated.
4624 (contributed by Alon Bar-Lev).
4627 * Move from SHA-1 to SHA-256 in example programs using signatures
4635 = mbed TLS 1.3.10 released 2015-02-09
4637 * NULL pointer dereference in the buffer-based allocator when the buffer is
4641 * Fix remotely-triggerable uninitialised pointer dereference caused by
4644 * Fix remotely-triggerable memory leak caused by crafted X.509 certificates
4651 Bleichenbacher-style attack in the RSA and RSA-PSK key exchanges
4655 * Add support for FALLBACK_SCSV (draft-ietf-tls-downgrade-scsv).
4656 * Add support for Extended Master Secret (draft-ietf-tls-session-hash).
4657 * Add support for Encrypt-then-MAC (RFC 7366).
4660 * Add compile-time option POLARSSL_X509_MAX_INTERMEDIATE_CA to limit the
4662 * Support for renegotiation can now be disabled at compile-time
4663 * Support for 1/n-1 record splitting, a countermeasure against BEAST.
4664 * Certificate selection based on signature hash, preferring SHA-1 over SHA-2
4665 for pre-1.2 clients when multiple certificates are available.
4675 add_len (found by Jean-Philippe Aumasson) (not triggerable remotely).
4691 issue with some servers when a zero-length extension was sent. (Reported
4693 * On a 0-length input, base64_encode() did not correctly set output length
4700 * ssl_set_own_cert() now returns an error on key-certificate mismatch.
4706 * It is now possible to disable negotiation of truncated HMAC server-side
4712 = PolarSSL 1.3.9 released 2014-10-20
4716 * Remotely-triggerable memory leak when parsing some X.509 certificates
4719 * Remotely-triggerable memory leak when parsing crafted ClientHello
4726 * Fix net_accept() regarding non-blocking sockets (found by Luca Pesce).
4728 * Fix warnings from Clang's scan-build (contributed by Alfred Klomp).
4731 * Remove non-existent file from VS projects (found by Peter Vaskovic).
4732 * ssl_read() could return non-application data records on server while
4734 * Server-initiated renegotiation would fail with non-blocking I/O if the
4737 with non-blocking I/O.
4745 * Ciphersuites using SHA-256 or SHA-384 now require TLS 1.x (there is no
4746 standard defining how to use SHA-2 with SSL 3.0).
4747 * Ciphersuites using RSA-PSK key exchange now require TLS 1.x (the spec is
4749 * Made buffer size in pk_write_(pub)key_pem() more dynamic, eg smaller if
4759 = PolarSSL 1.3.8 released 2014-07-11
4768 * Support for parsing and verifying RSASSA-PSS signatures in the X.509
4775 * Add server-side enforcement of sent renegotiation requests
4794 * Remove less-than-zero checks on unsigned numbers
4795 * Stricter check on SSL ClientHello internal sizes compared to actual packet
4796 size (found by TrustInSoft)
4797 * Fix WSAStartup() return value check (found by Peter Vaskovic)
4806 rejected with CBC-based ciphersuites and TLS >= 1.1
4808 to 32 bytes with CBC-based ciphersuites and TLS >= 1.1
4811 * Restore ability to locally trust a self-signed cert that is not a proper
4817 * Fix off-by-one error in parsing Supported Point Format extension that
4819 * Fix possible miscomputation of the premaster secret with DHE-PSK key
4823 * Fix base64_decode() to return and check length correctly (in case of
4828 = PolarSSL 1.3.7 released on 2014-05-02
4832 * version_check_feature() added to check for compile-time options at
4833 run-time
4840 * AES-NI now compiles with "old" assemblers too
4849 * Fix false reject in padding check in ssl_decrypt_buf() for CBC
4856 big-endian platform when size was not an integer number of limbs
4863 = PolarSSL 1.3.6 released on 2014-04-11
4877 * Use UTC time to check certificate validity.
4884 This affects certificates in the user-supplied chain except the top
4885 certificate. If the user-supplied chain contains only one certificate,
4904 * dhm_parse_dhm() (hence dhm_parse_dhmfile()) did not set dhm->len.
4905 * Calling pk_debug() on an RSA-alt key would segfault.
4906 * pk_get_size() and pk_get_len() were off by a factor 8 for RSA-alt keys.
4912 = PolarSSL 1.3.5 released on 2014-03-26
4914 * HMAC-DRBG as a separate module
4918 * Ability to force the entropy module to use SHA-256 as its basis
4920 * Testing script ssl-opt.sh added for testing 'live' ssl option
4928 now thread-safe if POLARSSL_THREADING_C defined
4941 * Check notBefore timestamp of certificates and CRLs from the future.
4944 * Possible remotely-triggered out-of-bounds memory access fixed (found by
4951 * Fixed testing with out-of-source builds using cmake
4952 * Fixed version-major intolerance in server
4953 * Fixed CMake symlinking on out-of-source builds
4956 * Bignum's MIPS-32 assembly was used on MIPS-64, causing chaos. (Found by
4960 * Fixed bug with session tickets and non-blocking I/O in the unlikely case
4973 = PolarSSL 1.3.4 released on 2014-01-27
4976 * Support for RIPEMD-160
4992 = PolarSSL 1.3.3 released on 2013-12-31
4998 * Support for ECDH-RSA and ECDH-ECDSA key exchanges and ciphersuites
5000 * AES-NI support for AES, AES-GCM and AES key scheduling
5001 * SSL Pthread-based server example added (ssl_pthread_server)
5008 * More constant-time checks in the RSA module
5016 * Fixed X.509 hostname comparison (with non-regular characters)
5025 * Fixed potential overflow in certificate size verification in
5029 * Possible remotely-triggered out-of-bounds memory access fixed (found by
5032 = PolarSSL 1.3.2 released on 2013-11-04
5036 * Support for Camellia-GCM mode and ciphersuites
5039 * Padding checks in cipher layer are now constant-time
5040 * Value comparisons in SSL layer are now constant-time
5053 * Server-side initiated renegotiations send HelloRequest
5055 = PolarSSL 1.3.1 released on 2013-10-15
5058 * Support for ECDHE-PSK key-exchange and ciphersuites
5059 * Support for RSA-PSK key-exchange and ciphersuites
5065 * config.h is more script-friendly
5077 = PolarSSL 1.3.0 released on 2013-10-01
5082 (ECDHE-based ciphersuites)
5084 (ECDSA-based ciphersuites)
5086 * PSK and DHE-PSK based ciphersuites added
5088 * Buffer-based memory allocator added (no malloc() / free() / HEAP usage)
5095 * Support for zeros-and-length (ANSI X.923) padding, one-and-zeros
5096 (ISO/IEC 7816-4) padding and zero padding in the cipher layer
5125 * Also compiles / runs without time-based functions (!POLARSSL_HAVE_TIME)
5137 (found by Cyril Arnaud and Pierre-Alain Fouque)
5140 = Version 1.2.14 released 2015-05-??
5148 * Add countermeasure against "Lucky 13 strikes back" cache-based attack,
5156 * Fix potential unintended sign extension in asn1_get_len() on 64-bit
5159 = Version 1.2.13 released 2015-02-16
5164 * Fix remotely-triggerable uninitialised pointer dereference caused by
5167 * Fix remotely-triggerable memory leak caused by crafted X.509 certificates
5173 * Fix buffer overread of size 1 when parsing crafted X.509 certificates
5180 add_len (found by Jean-Philippe Aumasson) (not triggerable remotely).
5190 issue with some servers when a zero-length extension was sent. (Reported
5192 * On a 0-length input, base64_encode() did not correctly set output length
5198 * Add compile-time option POLARSSL_X509_MAX_INTERMEDIATE_CA to limit the
5200 = Version 1.2.12 released 2014-10-24
5203 * Remotely-triggerable memory leak when parsing some X.509 certificates
5211 with non-blocking I/O.
5215 * Fix net_accept() regarding non-blocking sockets (found by Luca Pesce).
5216 * ssl_read() could return non-application data records on server while
5218 * Fix warnings from Clang's scan-build (contributed by Alfred Klomp).
5227 = Version 1.2.11 released 2014-07-11
5237 * Use UTC time to check certificate validity.
5246 * Check notBefore timestamp of certificates and CRLs from the future.
5255 * Fixed X.509 hostname comparison (with non-regular characters)
5261 * Fixed potential overflow in certificate size verification in
5268 * Fixed testing with out-of-source builds using cmake
5269 * Fixed version-major intolerance in server
5270 * Fixed CMake symlinking on out-of-source builds
5271 * Bignum's MIPS-32 assembly was used on MIPS-64, causing chaos. (Found by
5286 big-endian platform when size was not an integer number of limbs
5288 * Stricter check on SSL ClientHello internal sizes compared to actual packet
5289 size (found by TrustInSoft)
5294 * Fix base64_decode() to return and check length correctly (in case of
5297 = Version 1.2.10 released 2013-10-07
5299 * Changed RSA blinding to a slower but thread-safe version
5306 = Version 1.2.9 released 2013-10-01
5319 (found by Cyril Arnaud and Pierre-Alain Fouque)
5321 = Version 1.2.8 released 2013-06-19
5325 * Centralized module option values in config.h to allow user-defined
5350 * Fixed values for 2-key Triple DES in cipher layer
5355 PEM-encoded certificates has been fixed (found by Jack Lloyd)
5357 = Version 1.2.7 released 2013-04-13
5362 * Default Blowfish keysize is now 128 bits
5369 = Version 1.2.6 released 2013-03-11
5372 * Corrected GCM counter incrementation to use only 32 bits instead of
5373 128 bits (found by Yawning Angel)
5374 * Fixes for 64-bit compilation with MS Visual Studio
5384 * Re-added handling for SSLv2 Client Hello when the define
5396 = Version 1.2.5 released 2013-02-02
5398 * Allow enabling of dummy error_strerror() to support some use-cases
5401 * Sending of security-relevant alert messages that do not break
5409 = Version 1.2.4 released 2013-01-25
5421 = Version 1.2.3 released 2012-11-26
5425 = Version 1.2.2 released 2012-11-24
5429 * During verify trust-CA is only checked for expiration and CRL presence
5435 = Version 1.2.1 released 2012-11-20
5438 bottom-up (Peer cert depth is 0)
5444 Pégourié-Gonnard)
5446 Pégourié-Gonnard)
5447 * Added max length check for rsa_pkcs1_sign with PKCS#1 v2.1
5449 = Version 1.2.0 released 2012-10-31
5455 * Added support for multi-domain certificates through the X509 Subject
5481 * AES code only checks for Padlock once
5482 * Fixed const-correctness mpi_get_bit()
5488 POLARSSL_MODE_CFB, to also handle different block size CFB modes.
5517 = Version 1.1.8 released on 2013-10-01
5523 * Potential buffer-overflow for ssl_read_record() (independently found by
5528 = Version 1.1.7 released on 2013-06-19
5537 * Fixed values for 2-key Triple DES in cipher layer
5542 PEM-encoded certificates has been fixed (found by Jack Lloyd)
5544 = Version 1.1.6 released on 2013-03-11
5549 * Allow enabling of dummy error_strerror() to support some use-cases
5560 = Version 1.1.5 released on 2013-01-16
5571 Pégourié-Gonnard)
5573 Pégourié-Gonnard)
5574 * Added max length check for rsa_pkcs1_sign with PKCS#1 v2.1
5584 = Version 1.1.4 released on 2012-05-31
5590 = Version 1.1.3 released on 2012-04-29
5592 * Fixed random MPI generation to not generate more size than requested.
5594 = Version 1.1.2 released on 2012-04-26
5601 Frama-C team at CEA LIST)
5605 = Version 1.1.1 released on 2012-01-23
5607 * Check for failed malloc() in ssl_set_hostname() and x509_get_entries()
5609 * Fixed issues with Intel compiler on 64-bit systems (Closes ticket #50)
5613 = Version 1.1.0 released on 2011-12-22
5615 * Added ssl_session_reset() to allow better multi-connection pools of
5616 SSL contexts without needing to set all non-connection-specific
5623 * Added CTR_DRBG based on AES-256-CTR (NIST SP 800-90) random generator
5632 * Increased maximum size of ASN1 length reads to 32 bits.
5637 * Changed the defined key-length of DES ciphers in cipher.h to include the
5642 trade-off
5643 * Introduced POLARSSL_MPI_MAX_SIZE and POLARSSL_MPI_MAX_BITS for MPI size
5651 encountering a parse-error. Beware that the meaning of return values has
5656 * Fixed faulty HMAC-MD2 implementation. Found by dibac. (Closes
5662 * Fixed incorrect behaviour in case of RSASSA-PSS with a salt length
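The ASN.1 length entry in this release, and the later fix for unintended sign extension in asn1_get_len() on 64-bit platforms (2.0.0 and 1.2.14, above), both concern the same small parser. The following is an added illustration, not Mbed TLS code, of a DER length parser with the checks a practitioner wants: short form, long form with at most four length bytes (the 32-bit limit referred to above), rejection of the indefinite form and of non-minimal encodings, and a check that the declared length fits in the remaining input. The sign-extension point is a C concern (shifting a byte promoted to `int` left by 24 and storing it in a `size_t`), which Python's unbounded integers do not have; the comment marks where it would bite:

```python
def asn1_get_len(buf: bytes, pos: int) -> tuple:
    """Parse a DER length field at buf[pos]; return (length, position of the content).

    Accepts the short form (one byte below 0x80) and the long form with 1 to 4
    length bytes. Rejects the indefinite form (0x80), more than 4 length bytes,
    non-minimal encodings, and lengths that run past the end of the buffer.
    """
    if pos >= len(buf):
        raise ValueError("out of data")
    first = buf[pos]
    pos += 1
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0:
            raise ValueError("indefinite length is not DER")
        if n > 4:
            raise ValueError("length field longer than 4 bytes")
        if pos + n > len(buf):
            raise ValueError("out of data in length field")
        # Assemble from unsigned bytes. In C, `buf[i] << 24` promotes the byte to
        # int, and a top byte >= 0x80 then sign-extends when stored in a size_t;
        # widen each byte to size_t before shifting.
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
        if (n == 1 and length < 0x80) or (n > 1 and length < (1 << (8 * (n - 1)))):
            raise ValueError("non-minimal length encoding is not DER")
    if length > len(buf) - pos:
        raise ValueError("length exceeds remaining data")
    return length, pos


def asn1_get_tlv(buf: bytes, pos: int) -> tuple:
    """Parse one TLV with a single-byte tag; return (tag, value, position after it)."""
    if pos >= len(buf):
        raise ValueError("out of data")
    tag = buf[pos]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags are out of scope here")
    length, start = asn1_get_len(buf, pos + 1)
    return tag, buf[start:start + length], start + length


if __name__ == "__main__":
    # Constructed SEQUENCE { INTEGER 5 }.
    der = bytes.fromhex("3003020105")
    tag, value, end = asn1_get_tlv(der, 0)
    print(hex(tag), value.hex(), end)
    print(asn1_get_tlv(value, 0))
```

The "length exceeds remaining data" check is the one that matters most in practice: a length such as 0x84 0x80 0x00 0x00 0x00 is well formed and minimal, but the only safe thing to do with it is compare it against the bytes actually available before touching any of them.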
5671 = Version 1.0.0 released on 2011-07-27
5684 = Version 0.99-pre5 released on 2011-05-26
5717 = Version 0.99-pre4 released on 2011-04-01
5720 for the RSAES-OAEP and RSASSA-PSS operations.
5728 displays actual bit size of the value.
5735 platform (32-bit / 64-bit) (Fixes ticket #19, found by Mads
5739 * Fixed proper handling of RSASSA-PSS verification with variable
5742 = Version 0.99-pre3 released on 2011-02-28
5743 This release replaces version 0.99-pre2 which had possible copyright issues.
5768 * Fixed a possible Man-in-the-Middle attack on the
5772 = Version 0.99-pre1 released on 2011-01-30
5774 Note: Most of these features have been donated by Fox-IT
5791 libpkcs11-helper library
5795 the existing date check
5802 = Version 0.14.0 released on 2010-08-16
5806 * Added compile-time and run-time version information
5826 = Version 0.13.1 released on 2010-03-24
5831 = Version 0.13.0 released on 2010-03-21
5847 * Added reset function for HMAC context as speed-up
5848 for specific use-cases
5859 = Version 0.12.1 released on 2009-10-04
5870 = Version 0.12.0 released on 2009-07-28
5874 Base64, MPI, SHA-family, MD-family, HMAC-SHA-family,
5875 Camellia, DES, 3-DES, RSA PKCS#1, XTEA, Diffie-Hellman
5891 * Fixed HMAC-MD2 by modifying md2_starts(), so that the
5912 * Fixed Camellia and XTEA for 64-bit Windows systems.
5914 = Version 0.11.1 released on 2009-05-17
5915 * Fixed missing functionality for SHA-224, SHA-256, SHA384,
5916 SHA-512 in rsa_pkcs1_sign()
5918 = Version 0.11.0 released on 2009-05-03
5920 input numbers are even and added testcases to check
5922 * Added support for SHA-224, SHA-256, SHA-384 and SHA-512
5932 * Made definition of net_htons() endian-clean for big endian
5936 * Fixed an off-by-one buffer allocation in ssl_set_hostname()
5941 * Fixed compatibility of XTEA and Camellia on a 64-bit system
5944 = Version 0.10.0 released on 2009-01-12
5956 = Version 0.9 released on 2008-03-16
5962 be sent twice in non-blocking mode when send returns EAGAIN
5965 * Added user-defined callback debug function (Krystian Kolodziej)
5971 output data is non-aligned by falling back to the software
5972 implementation, as VIA Nehemiah cannot handle non-aligned buffers
5974 Robson-Garth; some x509write.c fixes by Pascal Vizeli, thanks to
5983 * Updated rsa_check_privkey() to verify that (D*E) = 1 % (P-1)*(Q-1)
5988 * Fixed a critical denial-of-service with X.509 cert. verification:
5990 for which the RSA signature check fails (bug reported by Benoit)
5991 * Added test vectors for: AES-CBC, AES-CFB, DES-CBC and 3DES-CBC,
5992 HMAC-MD5, HMAC-SHA1, HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512
5993 * Fixed HMAC-SHA-384 and HMAC-SHA-512 (thanks to Josh Sinykin)
5996 as the Klima-Pokorny-Rosa extension of Bleichenbacher's attack
5997 * Updated rsa_gen_key() so that ctx->N is always nbits in size
6001 = Version 0.8 released on 2007-10-20
6009 * Added user-defined callbacks for handling I/O and sessions
6013 * Added AES-CFB mode of operation, contributed by chmike
6017 * Updated ssl_read() to skip 0-length records from OpenSSL
6019 * Fixed a bug in mpi_read_binary() on 64-bit platforms
6026 = Version 0.7 released on 2007-07-07
6028 * Added support for the MicroBlaze soft-core processor
6030 connections from being established with non-blocking I/O
6034 * Added the SHA-224, SHA-384 and SHA-512 hash functions
6042 = Version 0.6 released on 2007-04-01
6048 * Added multiply assembly code for 64-bit PowerPCs,
6052 * Fixed "long long" compilation issues on IA-64 and PPC64
6053 * Fixed a bug introduced in xyssl-0.5/timing.c: hardclock
6056 = Version 0.5 released on 2007-03-01
6059 * Added (beta) support for non-blocking I/O operations
6062 (thanks to Benjamin Newman), HP-UX, FreeBSD and Solaris
6065 size of 16384 bytes to be rejected
6067 = Version 0.4 released on 2007-02-01
6069 * Added support for Ephemeral Diffie-Hellman key exchange
6080 = Version 0.3 released on 2007-01-01
6082 * Added server-side SSLv3 and TLSv1.0 support
6091 = Version 0.2 released on 2006-12-01
6102 the Miller-Rabin primality test
6106 who maintains the Debian package :-)
6108 = Version 0.1 released on 2006-11-01