Lines Matching full:for
21 compiled with support for both AESNI and software AES and AESNI is
24 AES to be used for some time when the program starts. This could allow
34 documentation did not suggest it did, making it likely for callers relying
128 uses static storage for keys, enabling malloc-less use of key slots.
163 * Fix invalid JSON schemas for driver descriptions used by
172 GCC-like compilers when building AES for generic x86_64 targets. This
180 mbedtls_ssl_handshake() for details.
204 and MBEDTLS_MPI_MAX_SIZE is smaller than needed for a 4096-bit RSA key.
267 For guidance on migrating application code to the PSA API, please consult
298 clear. As a result, an attacker that had a certificate valid for uses other
299 than TLS client authentication could be able to use it for TLS client
306 * Fix TLS 1.3 client build and runtime when support for session tickets is
320 * Fix issue of redefinition warning messages for _GNU_SOURCE in
322 building for linux platform.
357 mbedtls_ssl_conf_tls13_enable_signal_new_session_tickets() for more
364 upgraded to TLS 1.3. Fixed by adding support for the CA callback with TLS
370 support for optional/none with TLS 1.3 as well. Note that the TLS 1.3
377 upgraded to TLS 1.3. Fixed by adding support for context-specific verify
405 * Drop support for Visual Studio 2013 and 2015, and Arm Compiler 5.
411 * In the PSA API, domain parameters are no longer used for anything.
429 * Support Armv8-A Crypto Extension acceleration for SHA-256
430 when compiling for Thumb (T32) or 32-bit Arm (A32).
440 * Support use of Armv8-A Cryptographic Extensions for hardware accelerated
441 AES when compiling for Thumb (T32) or 32-bit Arm (A32).
445 or they'll both be built in. However, for CCM and GCM the built-in
448 docs/driver-only-builds.md for full details and current limitations.
457 fully provided by drivers. See docs/driver-only-builds.md for full
460 * Add support for record size limit extension as defined by RFC 8449
475 * Add partial platform support for z/OS.
476 * Improve performance for gcc (versions older than 9.3.0) and IAR.
479 * Add support for using AES-CBC 128, 192, and 256 bit schemes
482 in bits, i.e. the key size for an RSA key.
483 * Add pc files for pkg-config, e.g.:
490 * The benchmark program now reports times for both ephemeral and static
492 * Add support for 8-bit GCM tables for Shoup's algorithm to speedup GCM
523 * Add protection for multithreaded access to the PSA keystore and protection
524 for multithreaded access to the PSA global state, including
527 docs/architecture/psa-thread-safety/psa-thread-safety.md for more details.
541 PSA functions are owned exclusively by the PSA core for the duration of
578 * Switch to milliseconds as the unit for ticket creation and reception time
592 * Correct initial capacities for key derivation algorithms:TLS12_PRF,
594 * Fix mbedtls_pk_get_bitlen() for RSA keys whose size is not a
603 RSA context was configured for PKCS#1 v2.1 (PSS/OAEP), the sign/verify
623 This reduces stack usage significantly for writing a public/private
634 * Extended PSA Crypto configurations options for FFDH by making it possible
637 for each size you want to support. Also, if you have an FFDH accelerator,
639 support for these domain parameters.
655 could be sufficient for an attacker to recover the plaintext. A local
658 the attacker to send a large number of messages for decryption. For
679 * Mbed TLS 3.4 introduced support for omitting the built-in implementation
690 function, needed for TLS 1.3 ticket lifetimes. Alternative implementations
704 the capabilities of the PSA side for either key.
713 for overflow of the output buffer and reporting the actual length
724 to check for availability of hash algorithms, regardless of whether
727 * When a PSA driver for ECDH is present, it is now possible to disable
728 MBEDTLS_ECDH_C in the build in order to save code size. For TLS 1.2
732 as PSA does not have an API for restartable ECDH yet.
735 if not required by another module) and still get support for ECC keys and
737 for details.
738 * Add parsing of directoryName subtype for subjectAltName extension in
740 * Add support for server-side TLS version negotiation. If both TLS 1.2 and
745 * Add support for reading and writing X25519 and X448
749 * Don't include the PSA dispatch functions for PAKEs (psa_pake_setup() etc)
751 * Add support for the FFDH algorithm and DH key types in PSA, with
758 See mbedtls_x509write_crt_set_subject_alternative_name for
775 * Add support for PBKDF2-HMAC through the PSA API.
779 PSA capabilities for each key. These capabilities, named yyy above, can be
781 - DERIVE is only available for ECC keys, not for RSA or DH ones.
783 requested. For example BASIC internally enables IMPORT and EXPORT
784 (useful for testing purposes), but this might change in the future.
785 * Add support for FFDH key exchange in TLS 1.3.
800 * Support for "opaque" (PSA-held) ECC keys in the PK module has been
806 representation of A for some curves. Fixes #8045.
809 * Add support for PBKDF2-CMAC through the PSA API.
812 disables the plain C implementation and the run-time detection for the
820 option MBEDTLS_PSA_P256M_DRIVER_ENABLED for details.
835 which checks for overflow of the output buffer and reports the actual
845 implementations for 32- and 64-bit Arm and for x86 and x86-64, which are
863 * Fix proper sizing for PSA_EXPORT_[KEY_PAIR/PUBLIC_KEY]_MAX_SIZE and
869 was sufficient for a particular program to work, it would only print
879 * Fix the J-PAKE driver interface for user and peer to accept any values
892 building for arm64_32 (e.g., for watchos). Reported by Paulo
936 * Fix log level for the got supported group message. Fixes #6765
945 * Enable Arm / Thumb bignum assembly for most Arm platforms when
950 This reduces stack usage significantly for RSA signature
987 optionally providing file-specific error pairs. Please see psa_util.h for
991 * Added partial support for parsing the PKCS #7 Cryptographic Message
999 - There is no support for certificate revocation lists.
1002 Many thanks to Daniel Axtens, Nayna Jain, and Nick Child from IBM for
1003 contributing this feature, and to Demi-Marie Obenour for contributing
1010 * Add support for reading points in compressed format
1012 (and callers) for Short Weierstrass curves with prime p where p = 3 mod 4
1022 CC is set for cross compilation.
1023 * Add parsing of uniformResourceIdentifier subtype for subjectAltName
1026 backed by internal library support for ECDSA signing and verification.
1027 * Add parsing of rfc822Name subtype for subjectAltName
1030 MBEDTLS_PSA_CRYPTO_STRUCT_FILE specify alternative locations for
1032 * When a PSA driver for ECDSA is present, it is now possible to disable
1033 MBEDTLS_ECDSA_C in the build in order to save code size. For PK, X.509
1036 supported in those builds yet, as driver support for interruptible ECDSA
1038 * Add a driver dispatch layer for EC J-PAKE, enabling alternative
1040 * Add new API mbedtls_ssl_cache_remove for cache entry removal by
1043 * Add support for AES with the Armv8-A Cryptographic Extension on
1047 * When a PSA driver for EC J-PAKE is present, it is now possible to disable
1048 MBEDTLS_ECJPAKE_C in the build in order to save code size. For the
1052 to read non-public fields for padding mode and hash id from
1057 for a target CPU that supports the requisite instructions (for example
1070 * Add support for AES with the Armv8-A Cryptographic Extension on 64-bit
1078 implementation as a fallback for when the assembly one cannot be used.
1087 * In TLS 1.3, when using a ticket for session resumption, tweak its age
1134 * Allow setting user and peer identifiers for EC J-PAKE operation
1137 * Fix a compilation error when PSA Crypto is built with support for
1155 defined, mbedtls_pk_sign() now use deterministic ECDSA for ECDSA
1164 - "serial" is used for the decimal format and it's limited in size to
1166 - "serial_hex" is used for the hex format; max length here is
1168 * The C code follows a new coding style. This is transparent for users but
1169 affects contributors and maintainers of local patches. For more
1171 https://mbed-tls.readthedocs.io/en/latest/kb/how-to/rewrite-branch-for-coding-style/
1220 * Some modules can now use PSA drivers for hashes, including with no
1226 See the documentation of the corresponding macros in mbedtls_config.h for
1229 the entropy module. As a consequence, for now the only way to build with
1236 provided by PSA drivers. (See previous entry for limitation on RSA-PSS
1238 * Add support for opaque keys as the private keys associated to certificates
1239 for authentication in TLS 1.3.
1241 Signature verification is production-ready, but generation is for testing
1244 1024 messages. As such, it is not intended for use in TLS, but instead
1245 for verification of assets transmitted over an insecure channel,
1248 required for LMS. This can be used independently, but each key can only
1249 be used to sign one message so is impractical for most circumstances.
1256 control the support for the three possible TLS 1.3 key exchange modes.
1257 * cert_write: support for setting extended key usage attributes. A
1260 * cert_write: support for writing certificate files in either PEM
1271 exchange for builds that enable MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED and
1273 * Add support for DTLS Connection ID as defined by RFC 9146, controlled by
1276 * Add a driver dispatch layer for raw key agreement, enabling alternative
1293 for the exponentiation was 3 or smaller. Found and reported by Zili KOU,
1306 * Fix support for little-endian Microblaze when MBEDTLS_HAVE_ASM is defined.
1318 advertised support for PSS in both TLS 1.2 and 1.3, but only
1334 PSA drivers for AEAD (GCM, CCM, Chacha20-Poly1305).
1377 * Fix a build error when compiling the bignum module for some Arm platforms.
1382 * Calling AEAD tag-specific functions for non-AEAD algorithms (which
1383 should not be done - they are documented for use only by AES-GCM and
1396 for IV lengths other than 12. The library was silently overwriting this
1417 mbedtls_ssl_conf_sig_algs(). Signature algorithms for the TLS 1.2 and
1424 * Add mbedtls_ssl_ticket_rotate() for external ticket rotation.
1427 a piece of user data which is reserved for the application. The user
1439 mbedtls_ssl_set_hs_own_cert() with NULL value for own_cert param.
1443 * Add support for psa crypto key derivation for elliptic curve
1457 * Introduce mbedtls_ssl_hs_cb_t typedef for use with
1474 * Add support for the ARMv8 SHA-2 acceleration instructions when building
1475 for Aarch64.
1476 * Add support for authentication of TLS 1.3 clients by TLS 1.3 servers.
1477 * Add support for server HelloRetryRequest message. The TLS 1.3 client is
1480 * Add support for client-side TLS version negotiation. If both TLS 1.2 and
1486 establishment only). See docs/architecture/tls13-support.md for a
1489 * Add accessors to configure DN hints for certificate request:
1494 docs/use-psa-crypto.md for the list of exceptions.
1498 * Opaque pre-shared keys for TLS, provisioned with
1500 previously only worked for "pure" PSK key exchange, now can also be used
1501 for the "mixed" PSK key exchanges as well: ECDHE-PSK, DHE-PSK, RSA-PSK.
1541 provided by a client or server certificate for authentication was not
1549 pattern for PSA_WANT_xxx symbols. Previously you had to specify
1550 PSA_WANT_ALG_CCM for PSA_ALG_CCM_STAR_NO_TAG.
1558 client would fail to check that the curve selected by the server for
1615 * Fix server connection identifier setting for outgoing encrypted records
1642 driver descriptions. For the time being, to customize this file,
1654 variable. For backward compatibility, set CMAKE_INSTALL_LIBDIR if
1658 * In CMake builds, add aliases for libraries so that the normal MbedTLS::*
1665 * New error code for GCM: MBEDTLS_ERR_GCM_BUFFER_TOO_SMALL.
1669 * You can configure groups for a TLS key exchange with the new function
1677 * Sign-magnitude and one's complement representations for signed integers are
1685 * Remove the partial support for running unit tests via Greentea on Mbed OS,
1689 * Enable support for Curve448 via the PSA API. Contributed by
1698 (where supported) for critical functions where ignoring the return
1700 MBEDTLS_CHECK_RETURN_WARNING to get warnings for other functions. This
1705 * Add support for CCM*-no-tag cipher to the PSA.
1707 For decryption a minimum of 16-byte long input is expected.
1709 * Add new API mbedtls_ct_memcmp for constant time buffer comparison.
1712 * Add the internal implementation of and support for CCM to the PSA multipart
1715 protocol. See docs/architecture/tls13-support.md for the definition of
1720 * Add PSA API definition for ARIA.
1725 case the value leaks through a memory disclosure vulnerability. For
1745 The check was accidentally not performed when cross-compiling for Windows
1754 for bignum multiplication that broke some bignum operations with
1766 * Fix the error returned by psa_generate_key() for a public key. Fixes #4551.
1769 * Remove PSA'a AEAD finish/verify output buffer limitation for GCM.
1770 The requirement of minimum 15 bytes for output buffer in
1775 The requirement for output buffer size to be equal or greater then
1776 input buffer size is valid only for the built-in implementation of GCM.
1781 This algorithm now accepts only the same salt length for verification
1785 for algorithm values that fully encode the hashing step, as per the PSA
1817 Implemented functions support chunked data input for both CCM and CCM*
1826 * Ignore plaintext/ciphertext lengths for CCM*-no-tag operations.
1827 For CCM* encryption/decryption without authentication, input
1845 The design of HAVEGE makes it unsuitable for microcontrollers. Platforms
1850 https://mbed-tls.readthedocs.io/en/latest/kb/how-to/add-entropy-sources-to-entropy-pool/ for
1853 * Remove helpers for the transition from Mbed TLS 1.3 to Mbed TLS 2.0: the
1860 Various helpers and definitions available for use in alt implementations
1866 Header files that were only meant for the library's internal use and
1870 * Drop support for parsing SSLv2 ClientHello
1872 * Drop support for SSLv3 (MBEDTLS_SSL_PROTO_SSL3).
1873 * Drop support for TLS record-level compression (MBEDTLS_ZLIB_SUPPORT).
1874 * Drop support for RC4 TLS ciphersuites.
1875 * Drop support for single-DES ciphersuites.
1876 * Drop support for MBEDTLS_SSL_HW_RECORD_ACCEL.
1899 now takes extra output parameters for the last partial output block.
1900 mbedtls_gcm_update() now takes extra parameters for the output length.
1907 These changes are backward compatible for users of the cipher API.
1914 * The getter and setter API of the SSL session cache (used for
1927 Support for more than one PSK may be added in 3.X.
1930 * For multi-part AEAD operations with the cipher module, calling
1946 * mbedtls_rsa_init() now always selects the PKCS#1v1.5 encoding for an RSA
1956 function mbedtls_xxx_ret() which was identical except for returning int
1958 migration guide for more information. Fixes #4212.
1959 * For all functions that take a random number generator (RNG) as a
1975 paving the way for the larger number of secrets
1979 length parameter to be the size of the hash input. For RSA signatures
1985 indicating the size of the output buffer for the signature.
1990 longer supported except for fields that are documented public. Use accessor
1991 functions instead. For more information, see the migration guide entry
1994 mbedtls_ssl_{set,get}_session() may now only be called once for any given
2001 * Some default policies for X.509 certificate verification and TLS have
2015 C compiler for the host platform are required. See “Generated source files
2016 in the development branch” in README.md for more information.
2037 compile-time option. This option has been inactive for a long time.
2057 * Remove support for TLS 1.0, TLS 1.1 and DTLS 1.0, as well as support for
2083 * Remove MBEDTLS_ECDH_LEGACY_CONTEXT config option since this was purely for
2089 option. The mbedtls_x509_crt_parse_der_with_ext_cb() is the way to go for
2101 * Remove all support for MD2, MD4, RC4, Blowfish and XTEA. This removes the
2107 See issue #4341 for more details.
2116 * Added support for built-in driver keys through the PSA opaque crypto
2118 MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS for more information.
2130 See docs/architecture/alternative-implementations.md for the remaining
2137 point format for ECJPAKE instead of accessing the point_format field
2144 private keys and of blinding values for DHM and elliptic curves (ECP)
2148 learn partial information about the leading bits of the nonce used for the
2170 than PSA_ERROR_INVALID_HANDLE when the identifier specified for the key
2176 rather than PSA_ERROR_DOES_NOT_EXIST for an invalid handle, bringing them
2228 and using a Montgomery curve for the key exchange. Reported by lhuang04
2247 can now only be used as intended, for keys that cannot be modified through
2287 * Add CMake package config generation for CMake projects consuming Mbed TLS.
2320 as always 0. It is now reserved for internal purposes and may take
2340 tweaking the setting for the maximum amount of keys simultaneously in RAM.
2346 and see the documentation of mbedtls_psa_external_get_random() for details.
2347 * Applications using both mbedtls_xxx and psa_xxx functions (for example,
2350 mbedtls_psa_get_random() for details.
2351 * In the PSA API, the policy for a MAC or AEAD algorithm can specify a
2372 * Fix an erroneous estimation for an internal buffer in
2394 twice is safe. This happens for RSA when some Mbed TLS library functions
2400 * Fixes a bug where, if the library was configured to include support for
2451 * Add support for ECB to the PSA cipher API.
2462 * Add support for DTLS-SRTP as defined in RFC 5764. Contributed by Johan
2468 version 1.0.0. Opening persistent keys is still supported for backward
2490 obtain entropy, or due to an internal failure (which, for Mbed TLS's own
2502 * Zeroising of local buffers and variables which are used for calculations
2538 * Fix an off-by-one error in the additional data length check for
2541 * Correct the default IV size for mbedtls_cipher_info_t structures using
2545 * Fix conditions for including string.h in error.c. Fixes #3866.
2546 * psa_set_key_id() now also sets the lifetime to persistent for keys located
2563 the buffer back, which was the case for mbedtls_x509write_{crt,csr}_pem
2568 for MBEDTLS_CIPHER_MODE_XTS were excluded from the build and made it fail.
2615 attacker could for example impersonate a 4-bytes or 16-byte domain by
2616 getting a certificate for the corresponding IPv4 or IPv6 (this would
2624 MBEDTLS_HAVE_TIME_DATE, an attacker able to control the local clock (for
2646 Credit to OSS-Fuzz for detecting the problem and to Philippe Antoine
2647 for pinpointing the problematic code.
2687 eliminates the need for the lines declaring the files to be part of
2690 example applications which allows to provide a password for the key file
2692 these applications with password-protected key files. Analogously but for
2694 set a password for the key file provided through the existing key_file2
2709 * New functions in the error module return constant strings for
2711 which constructs a string for any error code, including compound
2716 * Add support for midipix, a POSIX layer for Microsoft Windows.
2724 * Added support to entropy_poll for the kern.arandom syscall supported on
2726 * Add support for Windows 2000 in net_sockets. Contributed by opatomic. #3239
2750 * Fix the Visual Studio Release x64 build configuration for mbedtls itself.
2751 Completes a previous fix in Mbed TLS 2.19 that only fixed the build for
2811 `MBEDTLS_CTR_DRBG_C` or `MBEDTLS_HMAC_DRBG_C` for some side-channel
2824 SSL module for hardware acceleration of individual records.
2865 is defined), regardless of what MFL was configured for it.
2872 * Deprecate MBEDTLS_SSL_PROTO_SSL3 that enables support for SSLv3.
2873 * Deprecate for MBEDTLS_PKCS11_C, the wrapper around the pkcs11-helper
2900 a curve family and the key size determines the exact curve (for example,
2921 entropy function to obtain entropy for a nonce if the entropy size is less
2930 entropy module formerly only grabbed 32 bytes, which is good enough for
2982 to OSS-Fuzz for finding a bug in an intermediate version of the fix.
3029 * When writing a private EC key, use a constant size for the private
3033 1 byte too large for the output buffer.
3035 implement blinding. Because of this for the same key and message the same
3042 mbedtls_ssl_session_load() to allow serializing a session, for example to
3043 store it in non-volatile storage, and later using it for TLS session
3067 list all curves for which at least one of ECDH or ECDSA is supported, not
3068 just curves for which both are supported. Call mbedtls_ecdsa_can_do() or
3072 mbedtls_ecdsa_sign_det() but allows passing an external RNG for the
3099 * Avoid use of statically sized stack buffers for certificate writing.
3132 * Adds fuzz targets, especially for continuous fuzzing with OSS-Fuzz.
3161 * Add public API for tls-prf function, according to requested enum.
3162 * Add support for parsing otherName entries in the Subject Alternative Name
3165 * Add support for parsing certificate policies extension, as defined in
3170 * Add support for draft-05 of the Connection ID extension, as specified
3184 * Add public API for tls-prf function, according to requested enum.
3206 for the parameter.
3207 * Add a check for MBEDTLS_X509_CRL_PARSE_C in ssl_server2, guarding the crl
3225 * Add test for minimal value of MBEDTLS_MPI_WINDOW_SIZE to all.sh.
3245 See the Features section for more information.
3247 for the benefit of saving RAM, by disabling the new compile-time
3248 option MBEDTLS_SSL_KEEP_PEER_CERTIFICATE (enabled by default for
3269 * Add `MBEDTLS_SELF_TEST` for the mbedtls_self_test functions
3285 correctly as trailing zeroes were not accounted for as unused bits in the
3293 Inserted as an enhancement for #1371
3294 * Add support for alternative CSR headers, as used by Microsoft and defined
3298 for platforms that don't provide it. Based on contributions by Joris Aerts
3300 * Fix clobber list in MIPS assembly for large integer multiplication.
3310 been disabled for lack of a sufficiently recent version of GnuTLS on the CI.
3321 the documentation. See the corresponding API documentation for each
3322 function to see for which parameter values it is defined. This feature is
3323 disabled by default. See its API documentation in config.h for additional
3330 using MBEDTLS_<MODULE>_ALT for the underlying AES or message digest
3335 * Deprecate error codes of the form MBEDTLS_ERR_xxx_INVALID_KEY_LENGTH for
3338 * Additional parameter validation checks have been added for the following
3354 * Fix for Clang, which was reporting a warning for the bignum.c inline
3355 assembly for AMD64 targets creating string literals greater than those
3369 of check for certificate/key matching. Reported by Attila Molnar, #507.
3386 * Add unit tests for AES-GCM when called through mbedtls_cipher_auth_xxx()
3403 a plaintext for RSA PKCS#1 v1.5 decryption but only observe the timing
3421 * Fix overly strict DN comparison when looking for CRLs belonging to a
3433 previous settings for the number of rounds made it practical for an
3438 For example, the number of rounds was enough to securely generate RSA key
3445 * Add support for temporarily suspending expensive ECC computations after
3453 implemented client-side, for ECDHE-ECDSA ciphersuites in TLS 1.2,
3455 * Add support for Arm CPU DSP extensions to accelerate asymmetric key
3464 * Add support for 128-bit keys in CTR_DRBG. Note that using keys shorter
3468 * Add a common error code of `MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED` for
3470 implementations implementing cryptographic primitives. This is useful for
3490 * Fix a bug in the update function for SSL ticket keys which previously
3501 * Zeroize memory used for buffering or reassembling handshake messages
3503 * Use `mbedtls_platform_zeroize()` instead of `memset()` for zeroization
3505 * Change the default string format used for various X.509 DN attributes to
3510 * Fix compilation failure for configurations which use compile time
3516 * Removed support for Yotta as a build tool.
3517 * Add tests for session resumption in DTLS.
3548 automatically select implementations for Windows and POSIX C libraries.
3563 * Add support for fragmentation of outgoing DTLS handshake messages. This
3567 * Add support for auto-adjustment of MTU to a safe value during the
3570 * Add support for packing multiple records within a single datagram,
3572 * Add support for buffering out-of-order handshake messages in DTLS.
3573 The maximum amount of RAM used for this can be controlled by the
3616 * Add support for buffering of out-of-order handshake messages.
3630 worked if the same secret (for example a HTTP Cookie) has been repeatedly
3634 caused by a miscalculation (for SHA-384) in a countermeasure to the
3643 the same secret (for example a HTTP Cookie) has been repeatedly sent over
3660 * Add support for CHACHA20-POLY1305 ciphersuites from RFC 7905.
3661 * Add platform support for the Haiku OS. (https://www.haiku-os.org).
3663 * Make the receive and transmit buffers independent sizes, for situations
3668 * Add support for key wrapping modes based on AES as defined by
3678 * Clarify documentation for mbedtls_ssl_write() to include 0 as a valid
3683 by Brendan Shanks. Part of a fix for #992.
3688 * Fix the inline assembly for the MPI multiply helper function for i386 and
3695 * Fix decryption for zero length messages (which contain all padding) when a
3704 * Correct the documentation for `mbedtls_ssl_get_session()`. This API has
3718 * Use gmtime_r/gmtime_s for thread-safety. Fixed by Nick Wilson.
3727 * Add support for the CCM* block cipher mode as defined in IEEE Std. 802.15.4.
3728 * Add support for the XTS block cipher mode with AES (AES-XTS).
3737 * Fix for redefinition of _WIN32_WINNT to avoid overriding a definition
3744 * Changed CMake defaults for IAR to treat all compiler warnings as errors.
3745 * Changed the Clang parameters used in the CMake build files to work for
3752 * Add support for ARIA cipher (RFC 5794) and associated TLS ciphersuites
3795 structures for some configurations.
3801 * Add initial support for Curve448 (RFC 7748). Only mbedtls_ecp_mul() and
3803 mbedtls_ecdh_compute_shared()) are supported for now. Contributed by
3808 applications to wait for a network context to become ready before reading
3811 a check for whether more data is pending to be processed in the
3824 * Add missing dependencies for MBEDTLS_HAVE_TIME_DATE and
3827 * Fix the Makefile build process for building shared libraries on Mac OS X.
3872 for Curve25519 (other curves had it already). Contributed by Nicholas
3927 * Extend PKCS#8 interface by introducing support for the entire SHA
3932 * Add support for public keys encoded in PKCS#1 format. #1122
3935 * Deprecate support for record compression (configuration option
3954 * In test_suite_pk, pass valid parameters when testing for hash length
3974 * Remove support for the library reference configuration for picocoin.
3976 a migration path for those depending on the library's ABI.
3991 for the key size, which could potentially lead to crash or remote code
4016 data. Previously, trailing zero bytes were detected and omitted for the
4032 * New unit tests for timing. Improve the self-test to be more robust
4034 * Add alternative implementation support for CCM and CMAC (MBEDTLS_CCM_ALT,
4036 * Add support for alternative implementations of GCM, selected by the
4038 * Add support for alternative implementations for ECDSA, controlled by new
4044 * Add support for alternative implementation of ECDH, controlled by the
4050 * Add support for alternative implementation of ECJPAKE, controlled by
4057 mbedtls_rsa_import() and mbedtls_rsa_complete() are introduced for setting
4060 contexts from keys consisting of N,D,E only, even if P,Q are needed for the
4088 * Deprecate mbedtls_ssl_conf_dh_param() for setting default DHE parameters
4122 * Don't print X.509 version tag for v1 CRT's, and omit extensions for
4129 * Add a check for invalid private parameters in mbedtls_ecdsa_sign().
4133 * Add size-checks for record and handshake message content, securing
4166 * Only check for necessary RSA structure fields in `mbedtls_rsa_private`. In
4178 * Add MBEDTLS_ERR_XXX_HW_ACCEL_FAILED error codes for all cryptography
4181 * Add explicit warnings for the use of MD2, MD4, MD5, SHA-1, DES and ARC4
4227 * Add MBEDTLS_MPI_CHK to check for error value of mbedtls_mpi_fill_random.
4231 * Fix a potential integer overflow in the version verification for DER
4235 * Fix potential integer overflow in the version verification for DER
4239 * Fix a potential integer overflow in the version verification for DER
4268 * Removed SHA-1 and RIPEMD-160 from the default hash algorithms for
4280 * Fix insufficient support for signature-hash-algorithm extension,
4322 * Add hardware acceleration support for the Elliptic Curve Point module.
4325 replacement support for enabling the extension of the interface.
4343 * Add checks in the PK module for the RSA functions on 64-bit systems.
4344 The PK and RSA modules use different types for passing hash length and
4351 * Add checks to prevent signature forgeries for very large messages while
4361 * Removed MD5 from the allowed hash algorithms for CertificateRequest and
4363 Introduced by interoperability fix for #513.
4366 triggered remotely for example with a maliciously constructed certificate
4405 * Fixed the templates used to generate project and solution files for Visual
4420 Recommendation for Block Cipher Modes of Operation: The CMAC Mode for
4437 * Added support for CMAC for AES and 3DES and AES-CMAC-PRF-128, as defined by
4441 * Added a script to print build environment info for diagnostic use in test
4449 to configure the minimum number of bytes for entropy sources using the
4453 * Fix for platform time abstraction to avoid dependency issues where a build
4459 * Fix for key exchanges based on ECDH-RSA or ECDH-ECDSA which weren't
4461 * Fix for out-of-tree builds using CMake. Found by jwurzer, and fix based on
4463 * Fixed cert_app.c sample program for debug output and for use when no root
4469 * Fixed the sample applications gen_key.c, cert_req.c and cert_write.c for
4475 * Fix documentation and implementation mismatch for function arguments of
4479 ssl_parse_hello_verify_request() for DTLS. Found by Guido Vranken.
4480 * Fix check for validity of date when parsing in mbedtls_x509_get_time().
4492 * Added support for 3 and 4 byte lengths to mbedtls_asn1_write_len().
4493 * Added support for a Yotta specific configuration file -
4495 * Added optimization for code space for X.509/OID based on configured
4499 net.c. For consistency, the corresponding header file, net.h, is marked as
4501 * Changed the strategy for X.509 certificate parsing and validation, to no
4517 * Support for platform abstraction of the standard C library time()
4546 don't use the optimized assembly for bignum multiplication. This removes
4549 * Optimized mbedtls_mpi_zeroize() for MPI integer size. (Fix by Alexey
4551 * Fix non-compliance server extension handling. Extensions for SSLv3 are now
4558 allocate memory. Only used for certificate generation, not triggerable
4596 * Experimental support for EC J-PAKE as defined in Thread 1.0.0.
4613 minimum key size for end-entity certificates with RSA keys. Found by
4629 * Added fix for CVE-2015-5291 to prevent heap corruption due to buffer
4656 unless you allow third parties to pick trust CAs for client auth.
4667 * Fixed paths for check_config.h in example config files. (Found by bachp)
4673 * Add countermeasure against Lenstra's RSA-CRT attack for PKCS#1 v1.5
4700 * Added support for yotta as a build system.
4718 * Fix missing -static-libgcc when building shared libraries for Windows
4720 * Fix link error when building shared libraries for Windows with make.
4751 * Support for DTLS 1.0 and 1.2 (RFC 6347).
4758 which algorithms and key sizes (curves for ECDSA) are acceptable.
4761 * Introduced a concept of presets for SSL security-relevant configuration
4766 You now need to link to all of them if you use TLS for example.
4784 Note that for mbedtls_ssl_setup(), you need to be done setting up the
4792 additional callback for read-with-timeout).
4819 * In the NET module, all "int" and "int *" arguments for file descriptors
4821 * net_accept() gained new arguments for the size of the client_ip buffer.
4835 length parameter to include the terminating null byte for PEM input.
4839 (Thanks to Mansour Moufid for helping with the replacement.)
4841 (support for renegotiation now needs explicit enabling in config.h).
4860 * Removed compat-1.2.h (helper for migrating from 1.2 to 1.3).
4889 * Support for receiving SSLv2 ClientHello is now disabled by default at
4891 * The default authmode for SSL/TLS clients is now REQUIRED.
4892 * Support for RSA_ALT contexts in the PK layer is now optional. Since it is
4944 * Add support for reading DH parameters with privateValueLength included
4946 * Add support for bit strings in X.509 names (request by Fredrik Axelsson).
4947 * Add support for id-at-uniqueIdentifier in X.509 names.
4948 * Add support for overriding snprintf() (except on Windows) and exit() in
4952 * Improved Makefiles for Windows targets by fixing library targets and making
4954 * The benchmark program also prints heap usage for public-key primitives
4957 speed and RAM (heap only for now) usage.
4978 * Fix detection of support for getrandom() on Linux (reported by syzzer) by
5014 performance impact was bad for some users (this was introduced in 1.3.10).
5020 brackets for uniformity with the rest of the code.
5030 crafted X.509 certificate (TLS server is not affected if it doesn't ask for a
5033 (TLS server is not affected if it doesn't ask for a client certificate)
5036 (TLS server is not affected if it doesn't ask for a client certificate)
5043 * Add support for FALLBACK_SCSV (draft-ietf-tls-downgrade-scsv).
5044 * Add support for Extended Master Secret (draft-ietf-tls-session-hash).
5045 * Add support for Encrypt-then-MAC (RFC 7366).
5050 * Support for renegotiation can now be disabled at compile-time
5051 * Support for 1/n-1 record splitting, a countermeasure against BEAST.
5053 for pre-1.2 clients when multiple certificates are available.
5054 * Add support for getrandom() syscall on recent Linux kernels with Glibc or
5074 * Fix assembly selection for MIPS64 (thanks to James Cowgill).
5085 * Use deterministic nonces for AEAD ciphers in TLS by default (possible to
5096 * Example programs for SSL client and server now disable SSLv3 by default.
5097 * Example programs for SSL client and server now disable RC4 by default.
5105 (server is not affected if it doesn't ask for a client certificate)
5149 * Fix length checking for AEAD ciphersuites (found by Codenomicon).
5155 * Support for CCM and CCM_8 ciphersuites
5156 * Support for parsing and verifying RSASSA-PSS signatures in the X.509
5159 * Add example config.h for PSK with CCM, optimized for low RAM usage.
5160 * Optimize for RAM usage in example config.h for NSA Suite B profile.
5169 * Add LINK_WITH_PTHREAD option in CMake for explicit linking that is
5174 * Selection of hash for signing ServerKeyExchange in TLS 1.2 now picks
5176 * All public contexts have _init() and _free() functions now for simpler
5187 * Fix symlink command for cross compiling with CMake (found by Andre
5200 CA for use as an end entity certificate. (This had been removed in
5202 * Fix preprocessor checks for bn_mul PPC asm (found by Barry K. Nathan).
5203 * Use \n\t rather than semicolons for bn_mul asm, since some assemblers
5213 * Fix mpi_write_string() to write "00" as hex output for empty MPI (found
5220 * version_check_feature() added to check for compile-time options at
5227 * Better support for the different Attribute Types from IETF PKIX (RFC 5280)
5237 * Fix false reject in padding check in ssl_decrypt_buf() for CBC
5238 ciphersuites, for full SSL frames of data.
5254 * Support for the ALPN SSL extension
5256 * Enable verification of the keyUsage extension for CA and leaf
5294 * pk_get_size() and pk_get_len() were off by a factor 8 for RSA-alt keys.
5304 * Single Platform compatibility layer (for memory / printf / fprintf)
5308 * Testing script ssl-opt.sh added for testing 'live' ssl option
5310 * Support for reading EC keys that use SpecifiedECDomain in some cases.
5320 * Revamped the compat.sh interoperability script to include support for
5363 * Support for the Koblitz curves: secp192k1, secp224k1, secp256k1
5364 * Support for RIPEMD-160
5365 * Support for AES CFB8 mode
5366 * Support for deterministic ECDSA (RFC 6979)
5383 * Support for adhering to client ciphersuite order preference
5385 * Support for Curve25519
5386 * Support for ECDH-RSA and ECDH-ECDSA key exchanges and ciphersuites
5387 * Support for IPv6 in the NET module
5388 * AES-NI support for AES, AES-GCM and AES key scheduling
5406 * Missing defines / cases for RSA_PSK key exchange
5423 * Added optional optimization for NIST MODP curves (POLARSSL_ECP_NIST_OPTIM)
5424 * Support for Camellia-GCM mode and ciphersuites
5429 * Support for serialNumber, postalAddress and postalCode in X509 names
5445 * Support for Brainpool curves and TLS ciphersuites (RFC 7027)
5446 * Support for ECDHE-PSK key-exchange and ciphersuites
5447 * Support for RSA-PSK key-exchange and ciphersuites
5450 * RSA blinding locks for a smaller amount of time
5452 * Introduced POLARSSL_HAVE_READDIR_R for systems without it
5461 * Better support for MSVC
5469 * Ephemeral Elliptic Curve Diffie Hellman support for SSL/TLS
5471 * Ephemeral Elliptic Curve Digital Signature Algorithm support for SSL/TLS
5481 * Support for max_fragment_length extension (RFC 6066)
5482 * Support for truncated_hmac extension (RFC 6066)
5483 * Support for zeros-and-length (ANSI X.923) padding, one-and-zeros
5485 * Support for session tickets (RFC 5077)
5490 * Optional blinding for RSA, DHM and EC
5491 * Support for multiple active certificate / key pairs in SSL servers for
5499 * Internals for SSL module adapted to have separate IV pointer that is
5500 dynamically set (Better support for hardware acceleration)
5502 prototypes for the RSA sign and verify functions changed as a result
5510 * All RSA operations require a random generator for blinding purposes
5512 * x509_crt_verify() now case insensitive for cn (RFC 6125 6.4)
5520 * Support for AIX header locations in net.c module
5554 for a client certificate) (found using Codenomicon Defensics).
5556 (TLS server is not affected if it doesn't ask for a client certificate)
5559 (TLS server is not affected if it doesn't ask for a client certificate)
5562 (TLS server is not affected if it doesn't ask for a client certificate).
5573 * Fix assembly selection for MIPS64 (thanks to James Cowgill).
5592 (server is not affected if it doesn't ask for a client certificate).
5620 * Introduced POLARSSL_HAVE_READDIR_R for systems without it
5638 * Fix length checking for AEAD ciphersuites (found by Codenomicon).
5678 * Fix preprocessor checks for bn_mul PPC asm (found by Barry K. Nathan).
5679 * Use \n\t rather than semicolons for bn_mul asm, since some assemblers
5696 * x509_verify() now case insensitive for cn (RFC 6125 6.4)
5719 and specific DER parser functions for the PKCS#1 and unencrypted
5721 * Added mechanism to provide alternative implementations for all
5730 * Fixed offset for cert_type list in ssl_parse_certificate_request()
5738 * Fixed values for 2-key Triple DES in cipher layer
5754 * Fix for MPI assembly for ARM
5759 * Fixed memory leak in ssl_free() and ssl_reset() for active session
5762 * Fixes for 64-bit compilation with MS Visual Studio
5763 * Fixed net_bind() for specified IP addresses on little endian systems
5764 * Fixed assembly code for ARM (Thumb and regular) for some compilers
5770 * Added support for custom labels when using rsa_rsaes_oaep_encrypt()
5772 * Re-added handling for SSLv2 Client Hello when the define
5781 rsa_rsaes_pkcs1_v15_decrypt() and rsa_pkcs1_decrypt() for PKCS#1 v1.5
5806 * Correctly handle CertificateRequest message in client for <= TLS 1.1
5815 * Added p_hw_data to ssl_context for context specific hardware acceleration
5817 * During verify trust-CA is only checked for expiration and CRL presence
5829 * Fixes for MSVC6
5835 * Added max length check for rsa_pkcs1_sign with PKCS#1 v2.1
5839 * Added support for NULL cipher (POLARSSL_CIPHER_NULL_CIPHER) and weak
5842 * Added support for wildcard certificates
5843 * Added support for multi-domain certificates through the X509 Subject
5849 * Added base Galois Counter Mode (GCM) for AES
5853 * Added support for Hardware Acceleration hooking in SSL/TLS
5869 * AES code only check for Padlock once
5871 * Documentation for mpi_lsb() and mpi_msb()
5877 * Removed handling for SSLv2 Client Hello (as per RFC 5246 recommendation)
5899 * Fixed MPI assembly for SPARC64 platform
5911 * Potential buffer-overflow for ssl_read_record() (independently found by
5925 * Fixed values for 2-key Triple DES in cipher layer
5934 * Fixed net_bind() for specified IP addresses on little endian systems
5945 rsa_rsaes_pkcs1_v15_decrypt() and rsa_pkcs1_decrypt() for PKCS#1 v1.5
5950 * Fixed MPI assembly for SPARC64 platform
5962 * Added max length check for rsa_pkcs1_sign with PKCS#1 v2.1
5966 * Fixes for MSVC6
5995 * Check for failed malloc() in ssl_set_hostname() and x509_get_entries()
5998 * Fixed multiple compiler warnings for VS6 and armcc
6012 * Added a generic entropy accumulator that provides support for adding
6017 * Documentation for AES and Camellia in modes CTR and CFB128 clarified.
6018 * Fixed rsa_encrypt and rsa_decrypt examples to use public key for
6019 encryption and private key for decryption. (Closes ticket #34)
6031 * Introduced POLARSSL_MPI_MAX_SIZE and POLARSSL_MPI_MAX_BITS for MPI size
6054 * Improved build support for s390x and sparc64 in bignum.h
6061 * Expanded cipher layer with support for CFB128 and CTR mode
6087 instead of int for buffer lengths and loop variables for
6107 * Added support for PKCS#1 v2.1 encoding and thus support
6108 for the RSAES-OAEP and RSASSA-PSS operations.
6111 * Added mpi_fill_random() for centralized filling of big numbers
6140 ticket #13). Also possible to remove PEM support for
6169 * Detection for DES weak keys and parity bits added
6178 * Added support for PKCS#11 through the use of the
6192 * Added support for SSL_EDH_RSA_AES_128_SHA and
6195 * Expanded ssl_client2 arguments for more flexibility
6196 * Added support for TLS v1.1
6208 * Fixed CMake out of source build for tests (found by
6221 * Added option parsing for host and port selection to
6223 * Added support for GeneralizedTime in X509 parsing
6229 * Added const correctness for main code base
6235 * Added reset function for HMAC context as speed-up
6236 for specific use-cases
6242 * Added small fixes for compiler warnings on a Mac
6261 * Added preliminary Code Coverage tests for AES, ARC4,
6268 this in mind when checking for errors.
6269 * RSA_RAW renamed to SIG_RSA_RAW for consistency.
6271 * Changed interface for AES and Camellia setkey functions
6298 * Corrected is_prime() results for 0, 1 and 2 (found by
6300 * Fixed Camellia and XTEA for 64-bit Windows systems.
6303 * Fixed missing functionality for SHA-224, SHA-256, SHA-384,
6310 * Added support for SHA-224, SHA-256, SHA-384 and SHA-512
6318 * Centralized file opening and reading for x509 files into
6320 * Made definition of net_htons() endian-clean for big endian
6325 responsible for crashes and unwanted behaviour.
6326 * Added support for Certificate Revocation List (CRL) parsing.
6327 * Added support for CRL revocation to x509parse_verify() and
6336 * Added support for ciphersuites: SSL_RSA_CAMELLIA_128_SHA,
6346 * Added support for ciphersuite: SSL_RSA_AES_128_SHA
6347 * Enabled support for large files by default in aescrypt2.c
6365 an INTEGER instead of a BOOLEAN for BasicConstraints::cA.
6366 * Added support on the client side for the TLS "hostname" extension
6378 for which the RSA signature check fails (bug reported by Benoit)
6379 * Added test vectors for: AES-CBC, AES-CFB, DES-CBC and 3DES-CBC,
6397 * Added user-defined callbacks for handling I/O and sessions
6400 * Added preliminary support for the VIA PadLock routines
6416 * Added support for the MicroBlaze soft-core processor
6434 * Added multiply assembly code for the TriCore and modified
6435 havege_struct for this processor, thanks to David Patiño
6436 * Added multiply assembly code for 64-bit PowerPCs,
6439 * Added support for autoconf, contributed by Arnaud Cornet
6446 * Added multiply assembly code for SPARC and Alpha
6447 * Added (beta) support for non-blocking I/O operations
6457 * Added support for Ephemeral Diffie-Hellman key exchange
6458 * Added multiply asm code for SSE2, ARM, PPC, MIPS and M68K
6476 * Updated timing.c for improved compatibility with i386
6492 I'd also like to thank Younès Hafri for the CRUX linux port,