Lines Matching full:for
23 advisory for details), allowing a local attacker to fully recover the
64 compiled with support for both AESNI and software AES and AESNI is
67 AES to be used for some time when the program starts. This could allow
77 documentation did not suggest it did, making it likely for callers relying
171 uses static storage for keys, enabling malloc-less use of key slots.
206 * Fix invalid JSON schemas for driver descriptions used by
215 GCC-like compilers when building AES for generic x86_64 targets. This
223 mbedtls_ssl_handshake() for details.
247 and MBEDTLS_MPI_MAX_SIZE is smaller than needed for a 4096-bit RSA key.
310 For guidance on migrating application code to the PSA API, please consult
341 clear. As a result, an attacker that had a certificate valid for uses other
342 than TLS client authentication could be able to use it for TLS client
349 * Fix TLS 1.3 client build and runtime when support for session tickets is
363 * Fix issue of redefinition warning messages for _GNU_SOURCE in
365 building for linux platform.
400 mbedtls_ssl_conf_tls13_enable_signal_new_session_tickets() for more
407 upgraded to TLS 1.3. Fixed by adding support for the CA callback with TLS
413 support for optional/none with TLS 1.3 as well. Note that the TLS 1.3
420 upgraded to TLS 1.3. Fixed by adding support for context-specific verify
448 * Drop support for Visual Studio 2013 and 2015, and Arm Compiler 5.
454 * In the PSA API, domain parameters are no longer used for anything.
472 * Support Armv8-A Crypto Extension acceleration for SHA-256
473 when compiling for Thumb (T32) or 32-bit Arm (A32).
483 * Support use of Armv8-A Cryptographic Extensions for hardware accelerated
484 AES when compiling for Thumb (T32) or 32-bit Arm (A32).
488 or they'll both be built in. However, for CCM and GCM the built-in
491 docs/driver-only-builds.md for full details and current limitations.
500 fully provided by drivers. See docs/driver-only-builds.md for full
503 * Add support for record size limit extension as defined by RFC 8449
518 * Add partial platform support for z/OS.
519 * Improve performance for gcc (versions older than 9.3.0) and IAR.
522 * Add support for using AES-CBC 128, 192, and 256 bit schemes
525 in bits, i.e. the key size for an RSA key.
526 * Add pc files for pkg-config, e.g.:
533 * The benchmark program now reports times for both ephemeral and static
535 * Add support for 8-bit GCM tables for Shoup's algorithm to speedup GCM
566 * Add protection for multithreaded access to the PSA keystore and protection
567 for multithreaded access to the PSA global state, including
570 docs/architecture/psa-thread-safety/psa-thread-safety.md for more details.
584 PSA functions are owned exclusively by the PSA core for the duration of
621 * Switch to milliseconds as the unit for ticket creation and reception time
635 * Correct initial capacities for key derivation algorithms: TLS12_PRF,
637 * Fix mbedtls_pk_get_bitlen() for RSA keys whose size is not a
646 RSA context was configured for PKCS#1 v2.1 (PSS/OAEP), the sign/verify
666 This reduces stack usage significantly for writing a public/private
677 * Extended PSA Crypto configurations options for FFDH by making it possible
680 for each size you want to support. Also, if you have an FFDH accelerator,
682 support for these domain parameters.
698 could be sufficient for an attacker to recover the plaintext. A local
701 the attacker to send a large number of messages for decryption. For
722 * Mbed TLS 3.4 introduced support for omitting the built-in implementation
733 function, needed for TLS 1.3 ticket lifetimes. Alternative implementations
747 the capabilities of the PSA side for either key.
756 for overflow of the output buffer and reporting the actual length
767 to check for availability of hash algorithms, regardless of whether
770 * When a PSA driver for ECDH is present, it is now possible to disable
771 MBEDTLS_ECDH_C in the build in order to save code size. For TLS 1.2
775 as PSA does not have an API for restartable ECDH yet.
778 if not required by another module) and still get support for ECC keys and
780 for details.
781 * Add parsing of directoryName subtype for subjectAltName extension in
783 * Add support for server-side TLS version negotiation. If both TLS 1.2 and
788 * Add support for reading and writing X25519 and X448
792 * Don't include the PSA dispatch functions for PAKEs (psa_pake_setup() etc)
794 * Add support for the FFDH algorithm and DH key types in PSA, with
801 See mbedtls_x509write_crt_set_subject_alternative_name for
818 * Add support for PBKDF2-HMAC through the PSA API.
822 PSA capabilities for each key. These capabilities, named yyy above, can be
824 - DERIVE is only available for ECC keys, not for RSA or DH ones.
826 requested. For example BASIC internally enables IMPORT and EXPORT
827 (useful for testing purposes), but this might change in the future.
828 * Add support for FFDH key exchange in TLS 1.3.
843 * Support for "opaque" (PSA-held) ECC keys in the PK module has been
849 representation of A for some curves. Fixes #8045.
852 * Add support for PBKDF2-CMAC through the PSA API.
855 disables the plain C implementation and the run-time detection for the
863 option MBEDTLS_PSA_P256M_DRIVER_ENABLED for details.
878 which checks for overflow of the output buffer and reports the actual
888 implementations for 32- and 64-bit Arm and for x86 and x86-64, which are
906 * Fix proper sizing for PSA_EXPORT_[KEY_PAIR/PUBLIC_KEY]_MAX_SIZE and
912 was sufficient for a particular program to work, it would only print
922 * Fix the J-PAKE driver interface for user and peer to accept any values
935 building for arm64_32 (e.g., for watchos). Reported by Paulo
979 * Fix log level for the got supported group message. Fixes #6765
988 * Enable Arm / Thumb bignum assembly for most Arm platforms when
993 This reduces stack usage significantly for RSA signature
1030 optionally providing file-specific error pairs. Please see psa_util.h for
1034 * Added partial support for parsing the PKCS #7 Cryptographic Message
1042 - There is no support for certificate revocation lists.
1045 Many thanks to Daniel Axtens, Nayna Jain, and Nick Child from IBM for
1046 contributing this feature, and to Demi-Marie Obenour for contributing
1053 * Add support for reading points in compressed format
1055 (and callers) for Short Weierstrass curves with prime p where p = 3 mod 4
1065 CC is set for cross compilation.
1066 * Add parsing of uniformResourceIdentifier subtype for subjectAltName
1069 backed by internal library support for ECDSA signing and verification.
1070 * Add parsing of rfc822Name subtype for subjectAltName
1073 MBEDTLS_PSA_CRYPTO_STRUCT_FILE specify alternative locations for
1075 * When a PSA driver for ECDSA is present, it is now possible to disable
1076 MBEDTLS_ECDSA_C in the build in order to save code size. For PK, X.509
1079 supported in those builds yet, as driver support for interruptible ECDSA
1081 * Add a driver dispatch layer for EC J-PAKE, enabling alternative
1083 * Add new API mbedtls_ssl_cache_remove for cache entry removal by
1086 * Add support for AES with the Armv8-A Cryptographic Extension on
1090 * When a PSA driver for EC J-PAKE is present, it is now possible to disable
1091 MBEDTLS_ECJPAKE_C in the build in order to save code size. For the
1095 to read non-public fields for padding mode and hash id from
1100 for a target CPU that supports the requisite instructions (for example
1113 * Add support for AES with the Armv8-A Cryptographic Extension on 64-bit
1121 implementation as a fallback for when the assembly one cannot be used.
1130 * In TLS 1.3, when using a ticket for session resumption, tweak its age
1177 * Allow setting user and peer identifiers for EC J-PAKE operation
1180 * Fix a compilation error when PSA Crypto is built with support for
1198 defined, mbedtls_pk_sign() now use deterministic ECDSA for ECDSA
1207 - "serial" is used for the decimal format and it's limited in size to
1209 - "serial_hex" is used for the hex format; max length here is
1211 * The C code follows a new coding style. This is transparent for users but
1212 affects contributors and maintainers of local patches. For more
1214 https://mbed-tls.readthedocs.io/en/latest/kb/how-to/rewrite-branch-for-coding-style/
1263 * Some modules can now use PSA drivers for hashes, including with no
1269 See the documentation of the corresponding macros in mbedtls_config.h for
1272 the entropy module. As a consequence, for now the only way to build with
1279 provided by PSA drivers. (See previous entry for limitation on RSA-PSS
1281 * Add support for opaque keys as the private keys associated to certificates
1282 for authentication in TLS 1.3.
1284 Signature verification is production-ready, but generation is for testing
1287 1024 messages. As such, it is not intended for use in TLS, but instead
1288 for verification of assets transmitted over an insecure channel,
1291 required for LMS. This can be used independently, but each key can only
1292 be used to sign one message so is impractical for most circumstances.
1299 control the support for the three possible TLS 1.3 key exchange modes.
1300 * cert_write: support for setting extended key usage attributes. A
1303 * cert_write: support for writing certificate files in either PEM
1314 exchange for builds that enable MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED and
1316 * Add support for DTLS Connection ID as defined by RFC 9146, controlled by
1319 * Add a driver dispatch layer for raw key agreement, enabling alternative
1336 for the exponentiation was 3 or smaller. Found and reported by Zili KOU,
1349 * Fix support for little-endian Microblaze when MBEDTLS_HAVE_ASM is defined.
1361 advertised support for PSS in both TLS 1.2 and 1.3, but only
1377 PSA drivers for AEAD (GCM, CCM, Chacha20-Poly1305).
1420 * Fix a build error when compiling the bignum module for some Arm platforms.
1425 * Calling AEAD tag-specific functions for non-AEAD algorithms (which
1426 should not be done - they are documented for use only by AES-GCM and
1439 for IV lengths other than 12. The library was silently overwriting this
1460 mbedtls_ssl_conf_sig_algs(). Signature algorithms for the TLS 1.2 and
1467 * Add mbedtls_ssl_ticket_rotate() for external ticket rotation.
1470 a piece of user data which is reserved for the application. The user
1482 mbedtls_ssl_set_hs_own_cert() with NULL value for own_cert param.
1486 * Add support for psa crypto key derivation for elliptic curve
1500 * Introduce mbedtls_ssl_hs_cb_t typedef for use with
1517 * Add support for the ARMv8 SHA-2 acceleration instructions when building
1518 for Aarch64.
1519 * Add support for authentication of TLS 1.3 clients by TLS 1.3 servers.
1520 * Add support for server HelloRetryRequest message. The TLS 1.3 client is
1523 * Add support for client-side TLS version negotiation. If both TLS 1.2 and
1529 establishment only). See docs/architecture/tls13-support.md for a
1532 * Add accessors to configure DN hints for certificate request:
1537 docs/use-psa-crypto.md for the list of exceptions.
1541 * Opaque pre-shared keys for TLS, provisioned with
1543 previously only worked for "pure" PSK key exchange, now can also be used
1544 for the "mixed" PSK key exchanges as well: ECDHE-PSK, DHE-PSK, RSA-PSK.
1584 provided by a client or server certificate for authentication was not
1592 pattern for PSA_WANT_xxx symbols. Previously you had to specify
1593 PSA_WANT_ALG_CCM for PSA_ALG_CCM_STAR_NO_TAG.
1601 client would fail to check that the curve selected by the server for
1658 * Fix server connection identifier setting for outgoing encrypted records
1685 driver descriptions. For the time being, to customize this file,
1697 variable. For backward compatibility, set CMAKE_INSTALL_LIBDIR if
1701 * In CMake builds, add aliases for libraries so that the normal MbedTLS::*
1708 * New error code for GCM: MBEDTLS_ERR_GCM_BUFFER_TOO_SMALL.
1712 * You can configure groups for a TLS key exchange with the new function
1720 * Sign-magnitude and one's complement representations for signed integers are
1728 * Remove the partial support for running unit tests via Greentea on Mbed OS,
1732 * Enable support for Curve448 via the PSA API. Contributed by
1741 (where supported) for critical functions where ignoring the return
1743 MBEDTLS_CHECK_RETURN_WARNING to get warnings for other functions. This
1748 * Add support for CCM*-no-tag cipher to the PSA.
1750 For decryption a minimum of 16-byte long input is expected.
1752 * Add new API mbedtls_ct_memcmp for constant time buffer comparison.
1755 * Add the internal implementation of and support for CCM to the PSA multipart
1758 protocol. See docs/architecture/tls13-support.md for the definition of
1763 * Add PSA API definition for ARIA.
1768 case the value leaks through a memory disclosure vulnerability. For
1788 The check was accidentally not performed when cross-compiling for Windows
1797 for bignum multiplication that broke some bignum operations with
1809 * Fix the error returned by psa_generate_key() for a public key. Fixes #4551.
1812 * Remove PSA'a AEAD finish/verify output buffer limitation for GCM.
1813 The requirement of minimum 15 bytes for output buffer in
1818 The requirement for output buffer size to be equal or greater then
1819 input buffer size is valid only for the built-in implementation of GCM.
1824 This algorithm now accepts only the same salt length for verification
1828 for algorithm values that fully encode the hashing step, as per the PSA
1860 Implemented functions support chunked data input for both CCM and CCM*
1869 * Ignore plaintext/ciphertext lengths for CCM*-no-tag operations.
1870 For CCM* encryption/decryption without authentication, input
1888 The design of HAVEGE makes it unsuitable for microcontrollers. Platforms
1893 https://mbed-tls.readthedocs.io/en/latest/kb/how-to/add-entropy-sources-to-entropy-pool/ for
1896 * Remove helpers for the transition from Mbed TLS 1.3 to Mbed TLS 2.0: the
1903 Various helpers and definitions available for use in alt implementations
1909 Header files that were only meant for the library's internal use and
1913 * Drop support for parsing SSLv2 ClientHello
1915 * Drop support for SSLv3 (MBEDTLS_SSL_PROTO_SSL3).
1916 * Drop support for TLS record-level compression (MBEDTLS_ZLIB_SUPPORT).
1917 * Drop support for RC4 TLS ciphersuites.
1918 * Drop support for single-DES ciphersuites.
1919 * Drop support for MBEDTLS_SSL_HW_RECORD_ACCEL.
1942 now takes extra output parameters for the last partial output block.
1943 mbedtls_gcm_update() now takes extra parameters for the output length.
1950 These changes are backward compatible for users of the cipher API.
1957 * The getter and setter API of the SSL session cache (used for
1970 Support for more than one PSK may be added in 3.X.
1973 * For multi-part AEAD operations with the cipher module, calling
1989 * mbedtls_rsa_init() now always selects the PKCS#1v1.5 encoding for an RSA
1999 function mbedtls_xxx_ret() which was identical except for returning int
2001 migration guide for more information. Fixes #4212.
2002 * For all functions that take a random number generator (RNG) as a
2018 paving the way for the larger number of secrets
2022 length parameter to be the size of the hash input. For RSA signatures
2028 indicating the size of the output buffer for the signature.
2033 longer supported except for fields that are documented public. Use accessor
2034 functions instead. For more information, see the migration guide entry
2037 mbedtls_ssl_{set,get}_session() may now only be called once for any given
2044 * Some default policies for X.509 certificate verification and TLS have
2058 C compiler for the host platform are required. See “Generated source files
2059 in the development branch” in README.md for more information.
2080 compile-time option. This option has been inactive for a long time.
2100 * Remove support for TLS 1.0, TLS 1.1 and DTLS 1.0, as well as support for
2126 * Remove MBEDTLS_ECDH_LEGACY_CONTEXT config option since this was purely for
2132 option. The mbedtls_x509_crt_parse_der_with_ext_cb() is the way to go for
2144 * Remove all support for MD2, MD4, RC4, Blowfish and XTEA. This removes the
2150 See issue #4341 for more details.
2159 * Added support for built-in driver keys through the PSA opaque crypto
2161 MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS for more information.
2173 See docs/architecture/alternative-implementations.md for the remaining
2180 point format for ECJPAKE instead of accessing the point_format field
2187 private keys and of blinding values for DHM and elliptic curves (ECP)
2191 learn partial information about the leading bits of the nonce used for the
2213 than PSA_ERROR_INVALID_HANDLE when the identifier specified for the key
2219 rather than PSA_ERROR_DOES_NOT_EXIST for an invalid handle, bringing them
2271 and using a Montgomery curve for the key exchange. Reported by lhuang04
2290 can now only be used as intended, for keys that cannot be modified through
2330 * Add CMake package config generation for CMake projects consuming Mbed TLS.
2363 as always 0. It is now reserved for internal purposes and may take
2383 tweaking the setting for the maximum amount of keys simultaneously in RAM.
2389 and see the documentation of mbedtls_psa_external_get_random() for details.
2390 * Applications using both mbedtls_xxx and psa_xxx functions (for example,
2393 mbedtls_psa_get_random() for details.
2394 * In the PSA API, the policy for a MAC or AEAD algorithm can specify a
2415 * Fix an erroneous estimation for an internal buffer in
2437 twice is safe. This happens for RSA when some Mbed TLS library functions
2443 * Fixes a bug where, if the library was configured to include support for
2494 * Add support for ECB to the PSA cipher API.
2505 * Add support for DTLS-SRTP as defined in RFC 5764. Contributed by Johan
2511 version 1.0.0. Opening persistent keys is still supported for backward
2533 obtain entropy, or due to an internal failure (which, for Mbed TLS's own
2545 * Zeroising of local buffers and variables which are used for calculations
2581 * Fix an off-by-one error in the additional data length check for
2584 * Correct the default IV size for mbedtls_cipher_info_t structures using
2588 * Fix conditions for including string.h in error.c. Fixes #3866.
2589 * psa_set_key_id() now also sets the lifetime to persistent for keys located
2606 the buffer back, which was the case for mbedtls_x509write_{crt,csr}_pem
2611 for MBEDTLS_CIPHER_MODE_XTS were excluded from the build and made it fail.
2658 attacker could for example impersonate a 4-bytes or 16-byte domain by
2659 getting a certificate for the corresponding IPv4 or IPv6 (this would
2667 MBEDTLS_HAVE_TIME_DATE, an attacker able to control the local clock (for
2689 Credit to OSS-Fuzz for detecting the problem and to Philippe Antoine
2690 for pinpointing the problematic code.
2730 eliminates the need for the lines declaring the files to be part of
2733 example applications which allows to provide a password for the key file
2735 these applications with password-protected key files. Analogously but for
2737 set a password for the key file provided through the existing key_file2
2752 * New functions in the error module return constant strings for
2754 which constructs a string for any error code, including compound
2759 * Add support for midipix, a POSIX layer for Microsoft Windows.
2767 * Added support to entropy_poll for the kern.arandom syscall supported on
2769 * Add support for Windows 2000 in net_sockets. Contributed by opatomic. #3239
2793 * Fix the Visual Studio Release x64 build configuration for mbedtls itself.
2794 Completes a previous fix in Mbed TLS 2.19 that only fixed the build for
2854 `MBEDTLS_CTR_DRBG_C` or `MBEDTLS_HMAC_DRBG_C` for some side-channel
2867 SSL module for hardware acceleration of individual records.
2908 is defined), regardless of what MFL was configured for it.
2915 * Deprecate MBEDTLS_SSL_PROTO_SSL3 that enables support for SSLv3.
2916 * Deprecate for MBEDTLS_PKCS11_C, the wrapper around the pkcs11-helper
2943 a curve family and the key size determines the exact curve (for example,
2964 entropy function to obtain entropy for a nonce if the entropy size is less
2973 entropy module formerly only grabbed 32 bytes, which is good enough for
3025 to OSS-Fuzz for finding a bug in an intermediate version of the fix.
3072 * When writing a private EC key, use a constant size for the private
3076 1 byte too large for the output buffer.
3078 implement blinding. Because of this for the same key and message the same
3085 mbedtls_ssl_session_load() to allow serializing a session, for example to
3086 store it in non-volatile storage, and later using it for TLS session
3110 list all curves for which at least one of ECDH or ECDSA is supported, not
3111 just curves for which both are supported. Call mbedtls_ecdsa_can_do() or
3115 mbedtls_ecdsa_sign_det() but allows passing an external RNG for the
3142 * Avoid use of statically sized stack buffers for certificate writing.
3175 * Adds fuzz targets, especially for continuous fuzzing with OSS-Fuzz.
3204 * Add public API for tls-prf function, according to requested enum.
3205 * Add support for parsing otherName entries in the Subject Alternative Name
3208 * Add support for parsing certificate policies extension, as defined in
3213 * Add support for draft-05 of the Connection ID extension, as specified
3227 * Add public API for tls-prf function, according to requested enum.
3249 for the parameter.
3250 * Add a check for MBEDTLS_X509_CRL_PARSE_C in ssl_server2, guarding the crl
3268 * Add test for minimal value of MBEDTLS_MPI_WINDOW_SIZE to all.sh.
3288 See the Features section for more information.
3290 for the benefit of saving RAM, by disabling the new compile-time
3291 option MBEDTLS_SSL_KEEP_PEER_CERTIFICATE (enabled by default for
3312 * Add `MBEDTLS_SELF_TEST` for the mbedtls_self_test functions
3328 correctly as trailing zeroes were not accounted for as unused bits in the
3336 Inserted as an enhancement for #1371
3337 * Add support for alternative CSR headers, as used by Microsoft and defined
3341 for platforms that don't provide it. Based on contributions by Joris Aerts
3343 * Fix clobber list in MIPS assembly for large integer multiplication.
3353 been disabled for lack of a sufficiently recent version of GnuTLS on the CI.
3364 the documentation. See the corresponding API documentation for each
3365 function to see for which parameter values it is defined. This feature is
3366 disabled by default. See its API documentation in config.h for additional
3373 using MBEDTLS_<MODULE>_ALT for the underlying AES or message digest
3378 * Deprecate error codes of the form MBEDTLS_ERR_xxx_INVALID_KEY_LENGTH for
3381 * Additional parameter validation checks have been added for the following
3397 * Fix for Clang, which was reporting a warning for the bignum.c inline
3398 assembly for AMD64 targets creating string literals greater than those
3412 of check for certificate/key matching. Reported by Attila Molnar, #507.
3429 * Add unit tests for AES-GCM when called through mbedtls_cipher_auth_xxx()
3446 a plaintext for RSA PKCS#1 v1.5 decryption but only observe the timing
3464 * Fix overly strict DN comparison when looking for CRLs belonging to a
3476 previous settings for the number of rounds made it practical for an
3481 For example, the number of rounds was enough to securely generate RSA key
3488 * Add support for temporarily suspending expensive ECC computations after
3496 implemented client-side, for ECDHE-ECDSA ciphersuites in TLS 1.2,
3498 * Add support for Arm CPU DSP extensions to accelerate asymmetric key
3507 * Add support for 128-bit keys in CTR_DRBG. Note that using keys shorter
3511 * Add a common error code of `MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED` for
3513 implementations implementing cryptographic primitives. This is useful for
3533 * Fix a bug in the update function for SSL ticket keys which previously
3544 * Zeroize memory used for buffering or reassembling handshake messages
3546 * Use `mbedtls_platform_zeroize()` instead of `memset()` for zeroization
3548 * Change the default string format used for various X.509 DN attributes to
3553 * Fix compilation failure for configurations which use compile time
3559 * Removed support for Yotta as a build tool.
3560 * Add tests for session resumption in DTLS.
3591 automatically select implementations for Windows and POSIX C libraries.
3606 * Add support for fragmentation of outgoing DTLS handshake messages. This
3610 * Add support for auto-adjustment of MTU to a safe value during the
3613 * Add support for packing multiple records within a single datagram,
3615 * Add support for buffering out-of-order handshake messages in DTLS.
3616 The maximum amount of RAM used for this can be controlled by the
3659 * Add support for buffering of out-of-order handshake messages.
3673 worked if the same secret (for example a HTTP Cookie) has been repeatedly
3677 caused by a miscalculation (for SHA-384) in a countermeasure to the
3686 the same secret (for example a HTTP Cookie) has been repeatedly sent over
3703 * Add support for CHACHA20-POLY1305 ciphersuites from RFC 7905.
3704 * Add platform support for the Haiku OS. (https://www.haiku-os.org).
3706 * Make the receive and transmit buffers independent sizes, for situations
3711 * Add support for key wrapping modes based on AES as defined by
3721 * Clarify documentation for mbedtls_ssl_write() to include 0 as a valid
3726 by Brendan Shanks. Part of a fix for #992.
3731 * Fix the inline assembly for the MPI multiply helper function for i386 and
3738 * Fix decryption for zero length messages (which contain all padding) when a
3747 * Correct the documentation for `mbedtls_ssl_get_session()`. This API has
3761 * Use gmtime_r/gmtime_s for thread-safety. Fixed by Nick Wilson.
3770 * Add support for the CCM* block cipher mode as defined in IEEE Std. 802.15.4.
3771 * Add support for the XTS block cipher mode with AES (AES-XTS).
3780 * Fix for redefinition of _WIN32_WINNT to avoid overriding a definition
3787 * Changed CMake defaults for IAR to treat all compiler warnings as errors.
3788 * Changed the Clang parameters used in the CMake build files to work for
3795 * Add support for ARIA cipher (RFC 5794) and associated TLS ciphersuites
3838 structures for some configurations.
3844 * Add initial support for Curve448 (RFC 7748). Only mbedtls_ecp_mul() and
3846 mbedtls_ecdh_compute_shared()) are supported for now. Contributed by
3851 applications to wait for a network context to become ready before reading
3854 a check for whether more data is pending to be processed in the
3867 * Add missing dependencies for MBEDTLS_HAVE_TIME_DATE and
3870 * Fix the Makefile build process for building shared libraries on Mac OS X.
3915 for Curve25519 (other curves had it already). Contributed by Nicholas
3970 * Extend PKCS#8 interface by introducing support for the entire SHA
3975 * Add support for public keys encoded in PKCS#1 format. #1122
3978 * Deprecate support for record compression (configuration option
3997 * In test_suite_pk, pass valid parameters when testing for hash length
4017 * Remove support for the library reference configuration for picocoin.
4019 a migration path for those depending on the library's ABI.
4034 for the key size, which could potentially lead to crash or remote code
4059 data. Previously, trailing zero bytes were detected and omitted for the
4075 * New unit tests for timing. Improve the self-test to be more robust
4077 * Add alternative implementation support for CCM and CMAC (MBEDTLS_CCM_ALT,
4079 * Add support for alternative implementations of GCM, selected by the
4081 * Add support for alternative implementations for ECDSA, controlled by new
4087 * Add support for alternative implementation of ECDH, controlled by the
4093 * Add support for alternative implementation of ECJPAKE, controlled by
4100 mbedtls_rsa_import() and mbedtls_rsa_complete() are introduced for setting
4103 contexts from keys consisting of N,D,E only, even if P,Q are needed for the
4131 * Deprecate mbedtls_ssl_conf_dh_param() for setting default DHE parameters
4165 * Don't print X.509 version tag for v1 CRT's, and omit extensions for
4172 * Add a check for invalid private parameters in mbedtls_ecdsa_sign().
4176 * Add size-checks for record and handshake message content, securing
4209 * Only check for necessary RSA structure fields in `mbedtls_rsa_private`. In
4221 * Add MBEDTLS_ERR_XXX_HW_ACCEL_FAILED error codes for all cryptography
4224 * Add explicit warnings for the use of MD2, MD4, MD5, SHA-1, DES and ARC4
4270 * Add MBEDTLS_MPI_CHK to check for error value of mbedtls_mpi_fill_random.
4274 * Fix a potential integer overflow in the version verification for DER
4278 * Fix potential integer overflow in the version verification for DER
4282 * Fix a potential integer overflow in the version verification for DER
4311 * Removed SHA-1 and RIPEMD-160 from the default hash algorithms for
4323 * Fix insufficient support for signature-hash-algorithm extension,
4365 * Add hardware acceleration support for the Elliptic Curve Point module.
4368 replacement support for enabling the extension of the interface.
4386 * Add checks in the PK module for the RSA functions on 64-bit systems.
4387 The PK and RSA modules use different types for passing hash length and
4394 * Add checks to prevent signature forgeries for very large messages while
4404 * Removed MD5 from the allowed hash algorithms for CertificateRequest and
4406 Introduced by interoperability fix for #513.
4409 triggered remotely for example with a maliciously constructed certificate
4448 * Fixed the templates used to generate project and solution files for Visual
4463 Recommendation for Block Cipher Modes of Operation: The CMAC Mode for
4480 * Added support for CMAC for AES and 3DES and AES-CMAC-PRF-128, as defined by
4484 * Added a script to print build environment info for diagnostic use in test
4492 to configure the minimum number of bytes for entropy sources using the
4496 * Fix for platform time abstraction to avoid dependency issues where a build
4502 * Fix for key exchanges based on ECDH-RSA or ECDH-ECDSA which weren't
4504 * Fix for out-of-tree builds using CMake. Found by jwurzer, and fix based on
4506 * Fixed cert_app.c sample program for debug output and for use when no root
4512 * Fixed the sample applications gen_key.c, cert_req.c and cert_write.c for
4518 * Fix documentation and implementation mismatch for function arguments of
4522 ssl_parse_hello_verify_request() for DTLS. Found by Guido Vranken.
4523 * Fix check for validity of date when parsing in mbedtls_x509_get_time().
4535 * Added support for 3 and 4 byte lengths to mbedtls_asn1_write_len().
4536 * Added support for a Yotta specific configuration file -
4538 * Added optimization for code space for X.509/OID based on configured
4542 net.c. For consistency, the corresponding header file, net.h, is marked as
4544 * Changed the strategy for X.509 certificate parsing and validation, to no
4560 * Support for platform abstraction of the standard C library time()
4589 don't use the optimized assembly for bignum multiplication. This removes
4592 * Optimized mbedtls_mpi_zeroize() for MPI integer size. (Fix by Alexey
4594 * Fix non-compliance server extension handling. Extensions for SSLv3 are now
4601 allocate memory. Only used for certificate generation, not triggerable
4639 * Experimental support for EC J-PAKE as defined in Thread 1.0.0.
4656 minimum key size for end-entity certificates with RSA keys. Found by
4672 * Added fix for CVE-2015-5291 to prevent heap corruption due to buffer
4699 unless you allow third parties to pick trust CAs for client auth.
4710 * Fixed paths for check_config.h in example config files. (Found by bachp)
4716 * Add countermeasure against Lenstra's RSA-CRT attack for PKCS#1 v1.5
4743 * Added support for yotta as a build system.
4761 * Fix missing -static-libgcc when building shared libraries for Windows
4763 * Fix link error when building shared libraries for Windows with make.
4794 * Support for DTLS 1.0 and 1.2 (RFC 6347).
4801 which algorithms and key sizes (curves for ECDSA) are acceptable.
4804 * Introduced a concept of presets for SSL security-relevant configuration
4809 You now need to link to all of them if you use TLS for example.
4827 Note that for mbedtls_ssl_setup(), you need to be done setting up the
4835 additional callback for read-with-timeout).
4862 * In the NET module, all "int" and "int *" arguments for file descriptors
4864 * net_accept() gained new arguments for the size of the client_ip buffer.
4878 length parameter to include the terminating null byte for PEM input.
4882 (Thanks to Mansour Moufid for helping with the replacement.)
4884 (support for renegotiation now needs explicit enabling in config.h).
4903 * Removed compat-1.2.h (helper for migrating from 1.2 to 1.3).
4932 * Support for receiving SSLv2 ClientHello is now disabled by default at
4934 * The default authmode for SSL/TLS clients is now REQUIRED.
4935 * Support for RSA_ALT contexts in the PK layer is now optional. Since it is
4987 * Add support for reading DH parameters with privateValueLength included
4989 * Add support for bit strings in X.509 names (request by Fredrik Axelsson).
4990 * Add support for id-at-uniqueIdentifier in X.509 names.
4991 * Add support for overriding snprintf() (except on Windows) and exit() in
4995 * Improved Makefiles for Windows targets by fixing library targets and making
4997 * The benchmark program also prints heap usage for public-key primitives
5000 speed and RAM (heap only for now) usage.
5021 * Fix detection of support for getrandom() on Linux (reported by syzzer) by
5057 performance impact was bad for some users (this was introduced in 1.3.10).
5063 brackets for uniformity with the rest of the code.
5073 crafted X.509 certificate (TLS server is not affected if it doesn't ask for a
5076 (TLS server is not affected if it doesn't ask for a client certificate)
5079 (TLS server is not affected if it doesn't ask for a client certificate)
5086 * Add support for FALLBACK_SCSV (draft-ietf-tls-downgrade-scsv).
5087 * Add support for Extended Master Secret (draft-ietf-tls-session-hash).
5088 * Add support for Encrypt-then-MAC (RFC 7366).
5093 * Support for renegotiation can now be disabled at compile-time
5094 * Support for 1/n-1 record splitting, a countermeasure against BEAST.
5096 for pre-1.2 clients when multiple certificates are available.
5097 * Add support for getrandom() syscall on recent Linux kernels with Glibc or
5117 * Fix assembly selection for MIPS64 (thanks to James Cowgill).
5128 * Use deterministic nonces for AEAD ciphers in TLS by default (possible to
5139 * Example programs for SSL client and server now disable SSLv3 by default.
5140 * Example programs for SSL client and server now disable RC4 by default.
5148 (server is not affected if it doesn't ask for a client certificate)
5192 * Fix length checking for AEAD ciphersuites (found by Codenomicon).
5198 * Support for CCM and CCM_8 ciphersuites
5199 * Support for parsing and verifying RSASSA-PSS signatures in the X.509
5202 * Add example config.h for PSK with CCM, optimized for low RAM usage.
5203 * Optimize for RAM usage in example config.h for NSA Suite B profile.
5212 * Add LINK_WITH_PTHREAD option in CMake for explicit linking that is
5217 * Selection of hash for signing ServerKeyExchange in TLS 1.2 now picks
5219 * All public contexts have _init() and _free() functions now for simpler
5230 * Fix symlink command for cross compiling with CMake (found by Andre
5243 CA for use as an end entity certificate. (This had been removed in
5245 * Fix preprocessor checks for bn_mul PPC asm (found by Barry K. Nathan).
5246 * Use \n\t rather than semicolons for bn_mul asm, since some assemblers
5256 * Fix mpi_write_string() to write "00" as hex output for empty MPI (found
5263 * version_check_feature() added to check for compile-time options at
5270 * Better support for the different Attribute Types from IETF PKIX (RFC 5280)
5280 * Fix false reject in padding check in ssl_decrypt_buf() for CBC
5281 ciphersuites, for full SSL frames of data.
5297 * Support for the ALPN SSL extension
5299 * Enable verification of the keyUsage extension for CA and leaf
5337 * pk_get_size() and pk_get_len() were off by a factor 8 for RSA-alt keys.
5347 * Single Platform compatibility layer (for memory / printf / fprintf)
5351 * Testing script ssl-opt.sh added for testing 'live' ssl option
5353 * Support for reading EC keys that use SpecifiedECDomain in some cases.
5363 * Revamped the compat.sh interoperability script to include support for
5406 * Support for the Koblitz curves: secp192k1, secp224k1, secp256k1
5407 * Support for RIPEMD-160
5408 * Support for AES CFB8 mode
5409 * Support for deterministic ECDSA (RFC 6979)
5426 * Support for adhering to client ciphersuite order preference
5428 * Support for Curve25519
5429 * Support for ECDH-RSA and ECDH-ECDSA key exchanges and ciphersuites
5430 * Support for IPv6 in the NET module
5431 * AES-NI support for AES, AES-GCM and AES key scheduling
5449 * Missing defines / cases for RSA_PSK key exchange
5466 * Added optional optimization for NIST MODP curves (POLARSSL_ECP_NIST_OPTIM)
5467 * Support for Camellia-GCM mode and ciphersuites
5472 * Support for serialNumber, postalAddress and postalCode in X509 names
5488 * Support for Brainpool curves and TLS ciphersuites (RFC 7027)
5489 * Support for ECDHE-PSK key-exchange and ciphersuites
5490 * Support for RSA-PSK key-exchange and ciphersuites
5493 * RSA blinding locks for a smaller amount of time
5495 * Introduced POLARSSL_HAVE_READDIR_R for systems without it
5504 * Better support for MSVC
5512 * Ephemeral Elliptic Curve Diffie Hellman support for SSL/TLS
5514 * Ephemeral Elliptic Curve Digital Signature Algorithm support for SSL/TLS
5524 * Support for max_fragment_length extension (RFC 6066)
5525 * Support for truncated_hmac extension (RFC 6066)
5526 * Support for zeros-and-length (ANSI X.923) padding, one-and-zeros
5528 * Support for session tickets (RFC 5077)
5533 * Optional blinding for RSA, DHM and EC
5534 * Support for multiple active certificate / key pairs in SSL servers for
5542 * Internals for SSL module adapted to have separate IV pointer that is
5543 dynamically set (Better support for hardware acceleration)
5545 prototypes for the RSA sign and verify functions changed as a result
5553 * All RSA operations require a random generator for blinding purposes
5555 * x509_crt_verify() now case insensitive for cn (RFC 6125 6.4)
5563 * Support for AIX header locations in net.c module
5597 for a client certificate) (found using Codenomicon Defensics).
5599 (TLS server is not affected if it doesn't ask for a client certificate)
5602 (TLS server is not affected if it doesn't ask for a client certificate)
5605 (TLS server is not affected if it doesn't ask for a client certificate).
5616 * Fix assembly selection for MIPS64 (thanks to James Cowgill).
5635 (server is not affected if it doesn't ask for a client certificate).
5663 * Introduced POLARSSL_HAVE_READDIR_R for systems without it
5681 * Fix length checking for AEAD ciphersuites (found by Codenomicon).
5721 * Fix preprocessor checks for bn_mul PPC asm (found by Barry K. Nathan).
5722 * Use \n\t rather than semicolons for bn_mul asm, since some assemblers
5739 * x509_verify() now case insensitive for cn (RFC 6125 6.4)
5762 and specific DER parser functions for the PKCS#1 and unencrypted
5764 * Added mechanism to provide alternative implementations for all
5773 * Fixed offset for cert_type list in ssl_parse_certificate_request()
5781 * Fixed values for 2-key Triple DES in cipher layer
5797 * Fix for MPI assembly for ARM
5802 * Fixed memory leak in ssl_free() and ssl_reset() for active session
5805 * Fixes for 64-bit compilation with MS Visual Studio
5806 * Fixed net_bind() for specified IP addresses on little endian systems
5807 * Fixed assembly code for ARM (Thumb and regular) for some compilers
5813 * Added support for custom labels when using rsa_rsaes_oaep_encrypt()
5815 * Re-added handling for SSLv2 Client Hello when the define
5824 rsa_rsaes_pkcs1_v15_decrypt() and rsa_pkcs1_decrypt() for PKCS#1 v1.5
5849 * Correctly handle CertificateRequest message in client for <= TLS 1.1
5858 * Added p_hw_data to ssl_context for context specific hardware acceleration
5860 * During verification the trust CA is only checked for expiration and CRL presence
5872 * Fixes for MSVC6
5878 * Added max length check for rsa_pkcs1_sign with PKCS#1 v2.1
5882 * Added support for NULL cipher (POLARSSL_CIPHER_NULL_CIPHER) and weak
5885 * Added support for wildcard certificates
5886 * Added support for multi-domain certificates through the X509 Subject
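The wildcard and multi-domain entries above, together with the earlier x509_crt_verify() / x509_verify() entries making the CN comparison case-insensitive per RFC 6125 section 6.4, all describe the same hostname-matching step. The following is an added example in Python, not Mbed TLS code, of that matching as RFC 6125 specifies it: names compare case-insensitively, a wildcard is only accepted as the entire left-most label and only matches a single label, dNSName entries from the Subject Alternative Name extension take precedence over the CN when present, and an IP-literal reference is never matched against a name. The function names are this example's own.

```python
"""RFC 6125 section 6.4 hostname matching against certificate names.

Added example, not Mbed TLS code.
"""
from typing import List, Optional


def _match_single_name(presented: str, reference: str) -> bool:
    """Match one presented identifier (dNSName or CN) against the reference host."""
    presented = presented.lower().rstrip(".")
    reference = reference.lower().rstrip(".")
    if not presented or not reference:
        return False
    if "*" not in presented:
        return presented == reference
    p_labels = presented.split(".")
    r_labels = reference.split(".")
    # Wildcard must be the whole left-most label, nowhere else, and must
    # leave at least two labels after it (no "*.com").
    if p_labels[0] != "*" or "*" in presented[1:] or len(p_labels) < 3:
        return False
    if len(p_labels) != len(r_labels):        # "*" matches exactly one label
        return False
    if any(not lbl for lbl in r_labels):      # empty label: malformed reference
        return False
    return p_labels[1:] == r_labels[1:]


def _looks_like_ipv4(name: str) -> bool:
    parts = name.split(".")
    return len(parts) == 4 and all(p.isdigit() and int(p) <= 255 for p in parts)


def hostname_matches(reference: str, san_dns_names: List[str], cn: Optional[str]) -> bool:
    """True if the certificate's names cover the reference hostname."""
    if _looks_like_ipv4(reference):
        return False   # IP literals are matched against iPAddress SANs, not names
    names = san_dns_names if san_dns_names else ([cn] if cn else [])
    return any(_match_single_name(n, reference) for n in names)
```

The SAN-precedence rule is what makes "multi-domain" certificates work: once a certificate carries dNSName entries, the CN is ignored for matching, so a CN that happens to equal the reference host does not rescue a certificate whose SAN list omits it.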
5892 * Added base Galois Counter Mode (GCM) for AES
5896 * Added support for Hardware Acceleration hooking in SSL/TLS
5912 * AES code only checks for Padlock once
5914 * Documentation for mpi_lsb() and mpi_msb()
5920 * Removed handling for SSLv2 Client Hello (as per RFC 5246 recommendation)
5942 * Fixed MPI assembly for SPARC64 platform
5954 * Potential buffer-overflow for ssl_read_record() (independently found by
5968 * Fixed values for 2-key Triple DES in cipher layer
5977 * Fixed net_bind() for specified IP addresses on little endian systems
5988 rsa_rsaes_pkcs1_v15_decrypt() and rsa_pkcs1_decrypt() for PKCS#1 v1.5
5993 * Fixed MPI assembly for SPARC64 platform
6005 * Added max length check for rsa_pkcs1_sign with PKCS#1 v2.1
6009 * Fixes for MSVC6
6038 * Check for failed malloc() in ssl_set_hostname() and x509_get_entries()
6041 * Fixed multiple compiler warnings for VS6 and armcc
6055 * Added a generic entropy accumulator that provides support for adding
6060 * Documentation for AES and Camellia in modes CTR and CFB128 clarified.
6061 * Fixed rsa_encrypt and rsa_decrypt examples to use public key for
6062 encryption and private key for decryption. (Closes ticket #34)
6074 * Introduced POLARSSL_MPI_MAX_SIZE and POLARSSL_MPI_MAX_BITS for MPI size
6097 * Improved build support for s390x and sparc64 in bignum.h
6104 * Expanded cipher layer with support for CFB128 and CTR mode
6130 instead of int for buffer lengths and loop variables for
6150 * Added support for PKCS#1 v2.1 encoding and thus support
6151 for the RSAES-OAEP and RSASSA-PSS operations.
6154 * Added mpi_fill_random() for centralized filling of big numbers
6183 ticket #13). Also possible to remove PEM support for
6212 * Detection for DES weak keys and parity bits added
6221 * Added support for PKCS#11 through the use of the
6235 * Added support for SSL_EDH_RSA_AES_128_SHA and
6238 * Expanded ssl_client2 arguments for more flexibility
6239 * Added support for TLS v1.1
6251 * Fixed CMake out of source build for tests (found by
6264 * Added option parsing for host and port selection to
6266 * Added support for GeneralizedTime in X509 parsing
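This entry and the later mbedtls_x509_get_time() date-validity fix listed above both concern the same parsing step. The following is an added example in Python, not Mbed TLS code, that parses both time forms RFC 5280 allows in certificates, UTCTime (tag 0x17, YYMMDDHHMMSSZ with the two-digit year pivoting at 50) and GeneralizedTime (tag 0x18, YYYYMMDDHHMMSSZ), and rejects what RFC 5280 forbids there (missing trailing Z, fractional seconds, UTC offsets) as well as calendar-impossible dates such as 30 February. The tag constants and the result type are this example's own.

```python
"""Strict parsing of X.509 validity times (RFC 5280 section 4.1.2.5).

Added example, not Mbed TLS code.
"""
from typing import NamedTuple

TAG_UTC_TIME = 0x17
TAG_GENERALIZED_TIME = 0x18


class X509Time(NamedTuple):
    year: int
    month: int
    day: int
    hour: int
    minute: int
    second: int


def _days_in_month(year: int, month: int) -> int:
    if month == 2:
        leap = year % 4 == 0 and (year % 100 != 0 or year % 400 == 0)
        return 29 if leap else 28
    return 30 if month in (4, 6, 9, 11) else 31


def parse_x509_time(tag: int, value: bytes) -> X509Time:
    """Parse the content octets of a UTCTime or GeneralizedTime element."""
    if tag == TAG_UTC_TIME:
        year_len = 2
    elif tag == TAG_GENERALIZED_TIME:
        year_len = 4
    else:
        raise ValueError("unexpected time tag 0x%02x" % tag)
    # Certificates must use exactly YY[YY]MMDDHHMMSS followed by 'Z':
    # no fractional seconds, no "+hhmm" offsets, seconds always present.
    if len(value) != year_len + 10 + 1 or value[-1:] != b"Z":
        raise ValueError("time must be YY[YY]MMDDHHMMSSZ in certificates")
    digits = value[:-1]
    if not digits.isdigit():
        raise ValueError("non-digit character in time")
    fields = []
    pos = 0
    for width in (year_len, 2, 2, 2, 2, 2):
        fields.append(int(digits[pos : pos + width]))
        pos += width
    year, month, day, hour, minute, second = fields
    if tag == TAG_UTC_TIME:
        year += 2000 if year < 50 else 1900     # RFC 5280 two-digit year rule
    if not 1 <= month <= 12:
        raise ValueError("month out of range")
    if not 1 <= day <= _days_in_month(year, month):
        raise ValueError("day out of range for that month")
    if hour > 23 or minute > 59 or second > 59:
        raise ValueError("time of day out of range")
    return X509Time(year, month, day, hour, minute, second)
```

Range-checking the fields before converting to a calendar value is the point of the fix: a parser that only checks digit count will happily accept notBefore of 30 February and then hand an impossible date to comparison code, which in C typically normalises it silently rather than failing closed.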
6272 * Added const correctness for main code base
6278 * Added reset function for HMAC context as speed-up
6279 for specific use-cases
6285 * Added small fixes for compiler warnings on a Mac
6304 * Added preliminary Code Coverage tests for AES, ARC4,
6311 this in mind when checking for errors.
6312 * RSA_RAW renamed to SIG_RSA_RAW for consistency.
6314 * Changed interface for AES and Camellia setkey functions
6341 * Corrected is_prime() results for 0, 1 and 2 (found by
6343 * Fixed Camellia and XTEA for 64-bit Windows systems.
6346 * Fixed missing functionality for SHA-224, SHA-256, SHA384,
6353 * Added support for SHA-224, SHA-256, SHA-384 and SHA-512
6361 * Centralized file opening and reading for x509 files into
6363 * Made definition of net_htons() endian-clean for big endian
6368 responsible for crashes and unwanted behaviour.
6369 * Added support for Certificate Revocation List (CRL) parsing.
6370 * Added support for CRL revocation to x509parse_verify() and
6379 * Added support for ciphersuites: SSL_RSA_CAMELLIA_128_SHA,
6389 * Added support for ciphersuite: SSL_RSA_AES_128_SHA
6390 * Enabled support for large files by default in aescrypt2.c
6408 an INTEGER instead of a BOOLEAN for BasicConstraints::cA.
6409 * Added support on the client side for the TLS "hostname" extension
6421 for which the RSA signature check fails (bug reported by Benoit)
6422 * Added test vectors for: AES-CBC, AES-CFB, DES-CBC and 3DES-CBC,
6440 * Added user-defined callbacks for handling I/O and sessions
6443 * Added preliminary support for the VIA PadLock routines
6459 * Added support for the MicroBlaze soft-core processor
6477 * Added multiply assembly code for the TriCore and modified
6478 havege_struct for this processor, thanks to David Patiño
6479 * Added multiply assembly code for 64-bit PowerPCs,
6482 * Added support for autoconf, contributed by Arnaud Cornet
6489 * Added multiply assembly code for SPARC and Alpha
6490 * Added (beta) support for non-blocking I/O operations
6500 * Added support for Ephemeral Diffie-Hellman key exchange
6501 * Added multiply asm code for SSE2, ARM, PPC, MIPS and M68K
6519 * Updated timing.c for improved compatibility with i386
6535 I'd also like to thank Younès Hafri for the CRUX linux port,