Lines Matching full:in
8 session, according to the TLS-Exporter specification in RFC 8446 and 5705.
9 This requires MBEDTLS_SSL_KEYING_MATERIAL_EXPORT to be defined in
13 * Fix a buffer overread in mbedtls_lms_import_public_key() when the input is
16 * Fix a vulnerability in LMS verification through which an adversary could
22 available in hardware, an adversary with fine control over which
23 threads make progress in a multithreaded program could force software
26 key. In particular, this attacker model may be possible against an SGX
31 * Fix possible use-after-free or double-free in code calling
36 they were free()d, resulting in high risk of use-after-free or double-free,
38 In particular, the two sample programs x509/cert_write and x509/cert_req
43 * Fix a bug in mbedtls_asn1_store_named_data() where it would sometimes leave
44 an item in the output list in an inconsistent state with val.p == NULL but
49 inside the same call to mbedtls_x509_string_to_names(), or in subsequent
60 * Fix a timing side channel in the implementation of PKCS#7 padding
75 operations using the built-in implementation. Fixes #9814.
81 guarantee is met in all cases. Fixes #9975.
86 * Fix a sloppy check in LMS public key import, which could lead to accepting
91 * Fix a race condition on x86/amd64 platforms in AESNI support detection
92 that could lead to using software AES in some threads at the very
99 function reported the correct size in *olen when it returned
103 arguments, undefined behaviour would be triggered, in the form of a call to
104 memcpy(..., NULL, 0). This was harmless in practice, but could trigger
110 this function (see the entry in the Security section) will be detected and
116 * In TLS clients, if mbedtls_ssl_set_hostname() has not been called,
131 largest PSA key enabled in the build.
144 Otherwise, in many scenarios, the server could be impersonated.
150 * Zeroize a temporary heap buffer used in psa_key_derivation_output_key()
152 * Zeroize temporary heap buffers used in PSA operations.
153 * Fix a vulnerability in the TLS 1.2 handshake. If memory allocation failed
162 problematic middlebox is in the way. Fixes #9551.
165 * Use 'mbedtls_net_close' instead of 'close' in 'mbedtls_net_bind'
168 * Fix undefined behavior in some cases when mbedtls_psa_raw_to_der() or
173 may have resulted in incorrect code with some compilers, depending on
175 * Support re-assembly of fragmented handshake messages in TLS (both
177 some servers, especially with TLS 1.3 in practice. There are a few
199 * Fix a buffer underrun in mbedtls_pk_write_key_der() when
202 Fix a related buffer underrun in mbedtls_pk_write_key_pem()
212 in C++. This resolves a build failure under C++ compilers that do not
217 * In a PSA-client-only build (i.e. MBEDTLS_PSA_CRYPTO_CLIENT &&
223 in the protocol version negotiation.
232 psa_key_derivation_output_key_ext() are deprecated in favor of
235 data is passed in a separate parameter instead of a flexible array
238 in Mbed TLS 4.0:
246 in Mbed TLS 4.0:
256 from the public API in Mbed TLS 4.0:
270 in Mbed TLS 4.0:
279 of increased code size. This option is off by default, but enabled in
287 * Fix a stack buffer overflow in mbedtls_ecdsa_der_to_raw() and
289 largest supported curve. In some configurations with PSA disabled,
290 all values of bits are affected. This never happens in internal library
295 in keyUsage or extKeyUsage extensions, then the return value of
312 passing in zero length additional data to multipart AEAD.
316 * Fix error handling when creating a key in a dynamic secure element
317 (feature enabled by MBEDTLS_PSA_CRYPTO_SE_C). In a low memory condition,
320 * Fix issue of redefinition warning messages for _GNU_SOURCE in
324 * Fix a compilation warning in pk.c when PSA is enabled and RSA is disabled.
325 * Fix the build when MBEDTLS_PSA_CRYPTO_CONFIG is enabled and the built-in
326 CMAC is enabled, but no built-in unauthenticated cipher is enabled.
332 * Fix interference between PSA volatile keys and built-in keys
338 but MBEDTLS_DHM_C is disabled. Reported by Michael Schuster in #9188.
340 MBEDTLS_SSL_CLI_C is disabled. Reported by M-Bab on GitHub in #9186.
342 some code was defining 0-size arrays, resulting in compilation errors.
343 Fixed by disabling the offending code in configurations without PSA
349 legacy_compression_methods in the ClientHello.
352 in an application that does not call psa_crypto_init().
354 * Fix TLS connection failure in applications using an Mbed TLS client in
362 * Fixed a regression introduced in 3.6.0 where the CA callback set with
366 * Fixed a regression introduced in 3.6.0 where clients that relied on
374 * Fixed a regression introduced in 3.6.0 where context-specific certificate
378 callback in TLS 1.3.
384 potentially resulting in buffer overflows.
388 in Mbed TLS 3.0, but was not announced in a changelog entry at the time.
393 * Remove `tls13_` in mbedtls_ssl_tls13_conf_early_data() and
395 feature may not be TLS 1.3 specific in the future. Fixes #6909.
398 * psa_import_key() now only accepts RSA keys in the PSA standard formats.
411 * In the PSA API, domain parameters are no longer used for anything.
412 They are deprecated and will be removed in a future version of the
414 * mbedtls_ecp_write_key() is deprecated in favor of
418 * In the PSA API, the experimental way to encode the public exponent of
431 * AES-NI is now supported in Windows builds with clang and clang-cl.
439 that use the decryption direction (ECB in PSA, CBC, XTS, KW) and with DES.
443 library without the corresponding built-in implementation. Generally
445 or they'll both be built in. However, for CCM and GCM the built-in
450 disabled. This requires PSA_WANT_ALG_ECB_NO_PADDING in addition to
453 size by disabling it in more circumstances. In particular, the CCM and
458 details and current limitations; in particular, NIST_KW and PKCS5/PKCS12
482 in bits, i.e. the key size for an RSA key.
491 ECDH in all ECDH configurations.
504 the MBEDTLS_X509_EXT_BASIC_CONSTRAINTS bit in the certificate's
509 used as random number generator function (f_rng) and context (p_rng) in
522 the mbedtls_ssl_conf_early_data() API (by default disabled in both cases).
532 ClientHello in a TLS 1.3 server supporting some PSK key exchange mode. A
535 * Passing buffers that are stored in untrusted memory as arguments
542 the function call (i.e. no buffer parameters are in shared memory),
550 TLS 1.3 connection potentially resulting in a Denial of Service or forced
556 client could put the TLS 1.3-only server in an infinite loop processing
557 a TLS 1.2 ClientHello, resulting in a denial of service. Reported by
567 * Fix compilation error in C++ programs when MBEDTLS_ASN1_PARSE_C is
569 * Fix possible NULL dereference issue in X509 cert_req program if an entry
570 in the san parameter is not separated by a colon.
571 * Fix possible NULL dereference issue in X509 cert_write program if an entry
572 in the san parameter is not separated by a colon.
576 * Fix build failure in conda-forge. Fixes #8422.
585 in TLS Suite B Profile. Fixes #8221.
597 entropy resource in gen_key example. Fixes #8809.
601 mbedtls_pk_encrypt() on non-opaque RSA keys to honor the padding mode in
606 * Fix missing bitflags in SSL session serialization headers. Their absence
607 allowed SSL sessions saved in one configuration to be loaded in a
609 * In TLS 1.3 clients, fix an interoperability problem due to the client
613 * Fix NULL pointer dereference in mbedtls_pk_verify_ext() when called using
627 individually enabled in order to enable respective support; also the
628 corresponding MBEDTLS_PSA_ACCEL symbol should be defined in case
640 * RSA support in PSA no longer auto-enables the pkparse and pkwrite modules,
649 * The TLS 1.3 protocol is now enabled in the default configuration.
654 * Fix a timing side channel in private key RSA operations. This side channel
662 could result in an integer overflow, causing a zero-length buffer to be
673 * Fix accidental omission of MBEDTLS_TARGET_PREFIX in 3rdparty modules
674 in CMake.
679 * Mbed TLS 3.4 introduced support for omitting the built-in implementation
681 there was a flaw in the logic checking if the built-in implementation, in
684 accelerated and still have the built-in implementation compiled out.
687 considered not accelerated, and the built-in implementation of the curves
688 and any algorithm possible using them will be included in the build.
701 are now being deprecated in favor of PSA_WANT_KEY_TYPE_xxx_KEY_PAIR_yyy and
705 * MBEDTLS_CIPHER_BLKSIZE_MAX is deprecated in favor of
711 deprecated in favor of mbedtls_pkcs5_pbes2_ext() and
719 been called. Previously (in 3.3), this was restricted to a few modules,
720 and only in builds where MBEDTLS_MD_C was disabled; in particular the
722 provided - these limitations are lifted in this version. A new set of
725 they're provided by a built-in implementation, a driver or both. See
728 MBEDTLS_ECDH_C in the build in order to save code size. For TLS 1.2
730 MBEDTLS_USE_PSA_CRYPTO. Restartable/interruptible ECDHE operations in
731 TLS 1.2 (ECDHE-ECDSA key exchange) are not supported in those builds yet,
736 algorithms in PSA, with some limitations. See docs/driver-only-builds.txt
738 * Add parsing of directoryName subtype for subjectAltName extension in
746 public and private keys in RFC 8410 format using the existing PK APIs.
751 * Add support for the FFDH algorithm and DH key types in PSA, with
752 parameters from RFC 7919. This includes a built-in implementation based
757 IP address, OtherName, and DirectoryName, as defined in RFC 5280.
762 described in 7.4 of RFC5280, will result in a positive URI verification.
766 * Add support to restrict AES to 128-bit keys in order to save code size.
778 or DH) were introduced in order to have finer accuracy in defining the
784 (useful for testing purposes), but this might change in the future.
785 * Add support for FFDH key exchange in TLS 1.3.
800 * Support for "opaque" (PSA-held) ECC keys in the PK module has been
808 of subjectAltName extension in x509 certificates.
815 * Accept arbitrary AttributeType and AttributeValue in certificate
823 * Fix a case where potentially sensitive information held in memory would not
824 be completely zeroized during TLS 1.2 handshake, in both server and client
826 * In configurations with ARIA or Camellia but not AES, the value of
829 only used in relation with CMAC which does not support these ciphers.
837 * Improve padding calculations in CBC decryption, NIST key unwrapping and
843 conditional instructions, which can have an observable difference in
852 * Fix a buffer overread when parsing short TLS application data records in
854 * Fix a remotely exploitable heap buffer overflow in TLS handshake parsing.
855 In TLS 1.3, all configurations are affected except PSK-only ones, and
857 In TLS 1.2, the affected configurations are those with
865 than all built-in ones and RSA is disabled.
872 in the ecdsa.h header file. There was a build warning when the
877 * Fix missing PSA initialization in sample programs when
884 * Fix "unterminated '#pragma clang attribute push'" in sha256/sha512.c when
889 * Fix very high stack usage in SSL debug code. Reported by Maximilian
890 Gerhardt in #7804.
891 * Fix a compilation failure in the constant_time module when
893 Coutinho in #7787.
897 * Fix a bug in which mbedtls_x509_string_to_names() would return success
899 * Fix compilation warnings in aes.c, which prevented the
900 example TF-M configuration in configs/ from building cleanly:
903 * In TLS 1.3, fix handshake failure when a client in its ClientHello
907 * Fix CCM* with no tag being not supported in a build with CCM as the only
915 * Fix a potential corruption of the passed-in IV when mbedtls_aes_crypt_cbc()
917 * Fix compile failure due to empty enum in cipher_wrap.c, when building
920 signature can silently return an incorrect result in low memory conditions.
931 * Fix a build error in some configurations with MBEDTLS_PSA_CRYPTO_CONFIG
934 * Fix undefined symbols in some builds using TLS 1.3 with a custom
937 * Functions in the ssl_cache module now return a negative MBEDTLS_ERR_xxx
938 error code on failure. Before, they returned 1 to indicate failure in
940 * mbedtls_pk_parse_key() now rejects trailing garbage in encrypted keys.
981 * mbedtls_x509write_crt_set_serial() is now being deprecated in favor of
984 * PSA to mbedtls error translation is now unified in psa_util.h,
992 Syntax, as defined in RFC 2315. Currently, support is limited to the
997 - Certificates must be in X.509 format. A message must have either 0
1010 * Add support for reading points in compressed format
1016 This helps in saving code size when some of the above hashes are not
1019 Subject Alternative Names) in x509 Certificate Sign Requests.
1024 extension in x509 certificates.
1028 extension in x509 certificates.
1033 MBEDTLS_ECDSA_C in the build in order to save code size. For PK, X.509
1035 Restartable/interruptible ECDSA operations in PK, X.509 and TLS are not
1036 supported in those builds yet, as driver support for interruptible ECDSA
1048 MBEDTLS_ECJPAKE_C in the build in order to save code size. For the
1053 an mbedtls_rsa_context, as requested in #6917.
1055 * AES-NI is now supported in 32-bit builds, or when MBEDTLS_HAVE_ASM
1068 * Fix a potential heap buffer overread in TLS 1.3 client-side when
1069 MBEDTLS_DEBUG_C is enabled. This may result in an application crash.
1081 * Fix possible integer overflow in mbedtls_timing_hardclock(), which
1082 could cause a crash in programs/test/benchmark.
1084 * Fix a bug in the build where directory names containing spaces were
1085 causing generate_errors.pl to error out resulting in a build failure.
1087 * In TLS 1.3, when using a ticket for session resumption, tweak its age
1089 ticket timestamps (typically timestamps in milliseconds) compared to the
1090 Mbed TLS ticket timestamps (in seconds) to compute a ticket age smaller
1095 * List PSA_WANT_ALG_CCM_STAR_NO_TAG in psa/crypto_config.h so that it can
1104 * Fix potential undefined behavior in mbedtls_mpi_sub_abs(). Reported by
1105 Pascal Cuoq using TrustInSoft Analyzer in #6701; observed independently by
1108 arguments, access uninitialized memory in some cases. Fixes #6700 (which
1117 * Fix bug in conversion from OID to string in
1125 have the most-significant bit set in their last byte.
1128 * Fix the handling of renegotiation attempts in TLS 1.3. They are now
1130 * Fix an unused-variable warning in TLS 1.3-only builds if
1132 * Fix undefined behavior in mbedtls_ssl_read() and mbedtls_ssl_write() if
1135 instead of role in PAKE PSA Crypto API as described in the specification.
1138 TLS12_PRF but not TLS12_PSK_TO_MS. Reported by joerchan in #7125.
1139 * In the TLS 1.3 server, select the preferred client cipher suite, not the
1140 least preferred. The selection error was introduced in Mbed TLS 3.3.0.
1146 Extensions, where some compilers would emit EOR3 instructions in other
1162 - now it accepts the serial number in 2 different formats: decimal and
1164 - "serial" is used for the decimal format and it's limited in size to
1173 As tested in issue 6790, the correlation between this define and
1201 from a release, the Python module jsonschema is now necessary, in
1203 maintained in scripts/basic.requirements.txt and may change again
1204 in the future.
1212 * Support rsa_pss_rsae_* signature algorithms in TLS 1.2.
1215 resulting in library names like "libmbedtls.so" rather than
1219 are supported in this implementation.
1221 built-in implementation present, but only in some configurations.
1226 See the documentation of the corresponding macros in mbedtls_config.h for
1230 all hashes only provided by drivers (no built-in hash) is to use
1233 properly negotiate/accept hashes based on their availability in PSA.
1234 As a consequence, they now work in configurations where the built-in
1239 for authentication in TLS 1.3.
1244 1024 messages. As such, it is not intended for use in TLS, but instead
1258 corresponding new public API call has been added in the library,
1260 * cert_write: support for writing certificate files in either PEM
1268 of memory in named data lists in X.509 structures.
1270 Additional PSA key slots will be allocated in the process of such key
1278 entry point. This entry point is specified in the proposed PSA driver
1281 calculation that can be used to derive the session secret in TLS 1.2,
1282 as described in draft-cragie-tls-ecjpake-01. This can be achieved by
1286 * Fix potential heap buffer overread and overwrite in DTLS if
1295 and Defenses of the Sliding Window Algorithm in TEEs" - Design, Automation
1296 and Test in Europe 2023.
1300 * Fix an issue with in-tree CMake builds in releases with GEN_FILES
1314 other certificate files. Contributed by Eduardo Silva in #2602.
1318 advertised support for PSS in both TLS 1.2 and 1.3, but only
1319 actually supported PSS in TLS 1.3.
1330 configurations with only one encryption type enabled in TLS 1.2.
1331 * Provide the missing definition of mbedtls_setbuf() in some configurations
1335 * Fix memory leak in ssl_parse_certificate_request() caused by
1336 mbedtls_x509_get_name() not freeing allocated objects in case of error.
1344 signature with an invalid public key, in some cases. Reported by
1345 Guido Vranken using Cryptofuzz in #4420.
1347 in TLS PRF code. Reported by Michael Madsen in #6516.
1350 in TLS 1.3 (where it is forbidden).
1351 * Fix a bug in which mbedtls_x509_crt_info() would produce non-printable
1354 serial numbers are now rendered in hex format. Fixes #6262.
1355 * Fix bug in error reporting in dh_genprime.c where upon failure,
1358 * In the bignum module, operations of the form (-A) - (+A) or (-A) - (-A)
1367 * Fix undefined behavior (typically harmless in practice) of
1370 * Fix undefined behavior (typically harmless in practice) when some bignum
1373 * Fix undefined behavior (typically harmless in practice) in PSA ECB
1407 mbedtls_ssl_conf_min_version() in favor of
1416 * Deprecate mbedtls_ssl_conf_sig_hashes() in favor of the more generic
1431 * Add a function to access the protocol version from an SSL context in a
1435 * Add ALPN support in TLS 1.3 clients.
1446 final delay field in an mbedtls_timing_delay_context, as requested in
1454 mbedtls_ssl_handshake_step(), requested in #4383.
1456 within mbedtls_ssl_context, as requested in #5184.
1467 feature requirements in the file named by the new macro
1472 field within mbedtls_x509_crt context, as requested in #5585.
1473 * Add HKDF-Expand and HKDF-Extract as separate algorithms in the PSA API.
1478 now capable of negotiating another shared secret if the one sent in its
1481 TLS 1.3 protocols are enabled in the build of Mbed TLS, the TLS client now
1492 affected only a limited subset of crypto operations in TLS, X.509 and PK,
1496 Opaque keys can now be used everywhere a private key is expected in the
1502 * cmake now detects if it is being built as a sub-project, and in that case
1507 by side in order to illustrate how the operation is performed in PSA.
1518 potentially left in memory after file operations. Reported by
1520 * Fix a potential heap buffer overread in TLS 1.2 server-side when
1523 is selected. This may result in an application crash or potentially an
1525 * Fix a buffer overread in DTLS ClientHello parsing in servers with
1527 or a man-in-the-middle could cause a DTLS server to read up to 255 bytes
1533 * Fix a buffer overread in TLS 1.3 Certificate parsing. An unauthenticated
1540 * Fix check of certificate key usage in TLS 1.3. The usage of the public key
1555 in reduced configurations when MBEDTLS_USE_PSA_CRYPTO is enabled.
1556 * Fix a bug in (D)TLS curve negotiation: when MBEDTLS_USE_PSA_CRYPTO was
1567 * Fix API violation in mbedtls_md_process() test by adding a call to
1571 * Fix a race condition in out-of-source builds with CMake when generated data
1575 * Fix bug in the alert sending function mbedtls_ssl_send_alert_message()
1576 potentially leading to corrupted alert messages being sent in case
1579 * In configurations with MBEDTLS_SSL_DTLS_CONNECTION_ID enabled but not
1582 The fix was released, but not announced, in Mbed TLS 3.1.0.
1585 only, but in fact it does apply to the public key type of the end entity
1587 * Fix undefined behavior in mbedtls_asn1_find_named_data(), where val is
1589 * Fix compilation error with mingw32. Fixed by Cameron Cawley in #4211.
1591 Miroslav Mastny in #4015.
1594 * Fix a bug in the x25519 example program where the removal of
1601 * Add mbedtls_x509_dn_get_next function to return the next relative DN in
1606 * Silence a warning from GCC 12 in the selftest program. Fixes #5974.
1609 dependencies explicit in the documentation. Fixes #5610.
1613 * Fix resource leaks in mbedtls_pk_parse_public_key() in low
1618 connection identifier in encrypted record headers. Fix #5872.
1621 by 2, and mbedtls_mpi_write_string() in base 2).
1623 non-compliant. This could not lead to a buffer overflow. In particular,
1626 which have been broken, resulting in compilation errors, since Mbed TLS
1632 * Fix an error in make where the absence of a generated file caused
1635 in mbedtls_mpi_exp_mod(). Reported by Tautvydas Žilys in #5467.
1637 issues in CI/CD environments.
1641 from a template. In the future, the generation will support
1647 * In mbedtls_pk_parse_key(), if no password is provided, don't allocate a
1648 temporary variable on the heap. Suggested by Sergey Kanatov in #5304.
1649 * Assume source files are in UTF-8 when using MSVC with CMake.
1651 DLLs are now installed in the bin directory instead of lib.
1657 in Microsoft Visual C++ compiler. Contributed by Microplankton.
1658 * In CMake builds, add aliases for libraries so that the normal MbedTLS::*
1660 use of FetchContent, as requested in #5688.
1668 MBEDTLS_ERR_GCM_BUFFER_TOO_SMALL in case the buffer length is too small.
1681 * Deprecate mbedtls_ssl_conf_curves() in favor of the more generic
1690 Archana Madhavan in #4626. Fixes #3399 and #4249.
1701 is currently implemented in the AES, DES and md modules, and will be
1702 extended to other modules in the future.
1724 value when verifying a MAC or AEAD tag. This hardens the library in
1727 man-in-the-middle to inject fake ciphertext into a DTLS connection.
1728 * In psa_aead_generate_nonce(), do not read back from the output buffer.
1730 if the output buffer is in memory that is shared with an untrusted
1732 * In psa_cipher_generate_iv() and psa_cipher_encrypt(), do not read back
1734 oracle vulnerability if the output buffer is in memory that is shared with
1744 * The GNU makefiles invoke python3 in preference to python except on Windows.
1749 * Fix a parameter set but unused in psa_crypto_cipher.c. Fixes #4935.
1750 * Don't use the obsolete header path sys/fcntl.h in unit tests.
1751 These header files cause compilation errors in musl.
1763 MBEDTLS_AES_ALT or MBEDTLS_DES_ALT. Reported by Armelle Duboc in #1092.
1767 * Fix compile-time or run-time errors in PSA
1770 The requirement of minimum 15 bytes for output buffer in
1771 psa_aead_finish() and psa_aead_verify() does not apply to the built-in
1774 the built-in implementation of the GCM.
1776 input buffer size is valid only for the built-in implementation of GCM.
1790 * Fix issue in Makefile on Linux with SHARED=1, that caused shared libraries
1792 * Fix a bug in mbedtls_gcm_starts() when the bit length of the iv
1794 * Fix an uninitialized variable warning in test_suite_ssl.function with GCC
1798 * Fix a potential invalid pointer dereference and infinite loop bugs in
1815 were introduced in mbedTLS 3.0 release, however their implementation was
1829 * Indicate in the error returned if the nonce length used with
1834 from this module will be included in the build as required. Currently
1856 Transfer keys and certificates embedded in the library to the test
1858 users from using unsafe keys in production.
1860 Various helpers and definitions available for use in alt implementations
1867 were not meant to be used in application code have been moved out of
1877 * Update AEAD output size macros to bring them in line with the PSA Crypto
1879 key type used, as well as the key bit-size in the case of
1893 rather than array type. This removes spurious warnings in some compilers
1923 In Mbed TLS 2.X, the API prescribes that later calls overwrite
1924 the effect of earlier calls. In Mbed TLS 3.0, calling
1927 Support for more than one PSK may be added in 3.X.
1933 anything with the currently implemented AEADs, so in practice it was
1936 instead of computing tables at runtime. Thus, this option now increases
1937 code size, and it does not increase RAM usage at runtime anymore.
1954 * In modules that implement cryptographic hash functions, many functions
1964 in DHM and ECDH that compute the shared secret; the scalar multiplication
1965 functions in ECP.
1976 in TLS 1.3. Finally, the key export callback and
1978 * Signature functions in the RSA and PK modules now require the hash
1989 * Direct access to fields of structures declared in public headers is no
2000 Key Wrapping mode as defined in NIST SP 800-38F. Fixes #4036.
2003 by default. The default order in TLS now favors faster curves over larger
2010 bear this in mind and do not add them to backported code.
2016 in the development branch” in README.md for more information.
2027 * Removed deprecated things in psa/crypto_compat.h. Fixes #4284
2032 More details on PCKS#11 wrapper removal can be found in the mailing list
2114 test cases provided in the NIST's CAVP test suite. Contributed by Cédric
2115 Meuter in PR #3183.
2116 * Added support for built-in driver keys through the PSA opaque crypto
2125 * The new function mbedtls_mpi_random() generates a random value in a
2133 query the size of the modulus in a Diffie-Hellman context.
2139 * Implement psa_mac_compute() and psa_mac_verify() as defined in the
2143 * Fix a bias in the generation of finite-field Diffie-Hellman-Merkle (DHM)
2145 computations. Reported by FlorianF89 in #4245.
2146 * Fix a potential side channel vulnerability in ECDSA ephemeral key generation.
2150 large number of signature operations. This completes a partial fix in
2165 * Fix premature fopen() call in mbedtls_entropy_write_seed_file which may
2166 lead to seed file corruption if the path to the seed file is
2168 Krasnoshchok in #3616.
2171 to create is not valid, bringing them in line with version 1.0.0 of the
2177 in line with version 1.0.0 of the specification. Fix #4162.
2178 * Fix a bug in ECDSA that would cause it to fail when the hash is all-bits
2180 * Fix some cases in the bignum module where the library constructed an
2189 * In a TLS client, enforce the Diffie-Hellman minimum parameter size
2192 * In library/net_sockets.c, _POSIX_C_SOURCE and _XOPEN_SOURCE are
2193 defined to specific values. If the code is used in a context
2194 where these are already defined, this can result in a compilation
2198 nonetheless, resulting in undefined reference errors when building a
2199 shared library. Reported by Guillermo Garcia M. in #4411.
2207 directive in a header and a missing initialization in the self-test.
2208 * Fix a missing initialization in the Camellia self-test, affecting
2214 * Fix a regression introduced in 2.24.0 which broke (D)TLS CBC ciphersuites
2215 (when the encrypt-then-MAC extension is not in use) with some ALT
2224 * Fix a resource leak in a test suite with an alternative AES
2226 * Fix a crash in mbedtls_mpi_debug_mpi on a bignum having 0 limbs. This
2229 in #4578. Fixes #4608.
2231 mbedtls_rsa_rsassa_pss_verify() and was causing failures in some _ALT
2239 mbedtls_mpi_read_xxx functions (including in particular TLS code) since
2250 in all the right places. Include it from crypto_platform.h, which is
2252 * Fix which alert is sent in some cases to conform to the
2260 * Fix the setting of the read timeout in the DTLS sample programs.
2262 * Fix memsan build false positive in x509_crt.c with clang 11
2283 may result in mbedtls_mpi_write_binary() or mbedtls_mpi_write_string()
2296 the config file in a way that's compatible with the config file format
2310 * Renamed the PSA Crypto API output buffer size macros to bring them in line
2313 in bits rather than bytes, with an additional flag to indicate if the
2315 * Renamed the PSA Crypto API AEAD tag length macros to bring them in line
2319 * In mbedtls_rsa_context objects, the ver field was formerly documented
2337 MBEDTLS_ECP_xxx_ALT accelerator hooks are in use can now be turned off
2340 tweaking the setting for the maximum amount of keys simultaneously in RAM.
2351 * In the PSA API, the policy for a MAC or AEAD algorithm can specify a
2357 * Fix a security reduction in CTR_DRBG when the initial seeding obtained a
2362 In such cases, a random nonce was necessary to achieve the advertised
2365 Found by John Stroebel in #3819 and fixed in #3973.
2366 * Fix a buffer overflow in mbedtls_mpi_sub_abs() when calculating
2371 only called with |A| >= |B|. Reported by Guido Vranken in #4042.
2372 * Fix an erroneous estimation for an internal buffer in
2376 Found by Daniel Otte, reported in #4093 and fixed in #4094.
2379 beyond FD_SETSIZE. Reported by FigBug in #4169.
2384 * Fix use-after-scope error in programs/ssl/ssl_client2.c and ssl_server2.c
2388 * Fix a memory leak in an error case in psa_generate_derived_key_internal().
2389 * Fix a resource leak in CTR_DRBG and HMAC_DRBG when MBEDTLS_THREADING_C
2391 This was a regression introduced in the previous release. Reported in
2397 * Fix a resource leak in a bad-arguments case of mbedtls_rsa_gen_key()
2405 include this extension in all CA certificates that contain public keys
2407 extension as critical in such certificates." Previous to this change,
2441 mbedtls_cipher_auth_decrypt() are deprecated in favour of the new
2445 the tag in the ciphertext length.
2452 * In PSA, allow using a key declared with a base key agreement algorithm
2453 in combined key agreement and derivation operations, as long as the key
2454 agreement algorithm in use matches the algorithm the key was declared with.
2462 * Add support for DTLS-SRTP as defined in RFC 5764. Contributed by Johan
2464 * In the PSA API, it is no longer necessary to open persistent keys:
2469 compatibility, but will be deprecated and later removed in future
2472 PSA_CIPHER_IV_MAX_SIZE macros have been added as defined in version
2485 * A failure of the random generator was ignored in mbedtls_mpi_fill_random(),
2486 which is how most uses of randomization in asymmetric cryptography
2493 algorithm parameters (only the size) when comparing the signature in the
2497 valid. However, if the parameters do not match in *any* way then the
2501 and reported it in #3629.
2503 in mbedtls_pkcs5_pbkdf2_hmac(), mbedtls_internal_sha*_process(),
2511 * Fix build failure in configurations where MBEDTLS_USE_PSA_CRYPTO is
2513 * Include the psa_constant_names generated source code in the source tree
2517 addresses a regression but is rare in practice (approx. 1 in 2/sqrt(N)).
2524 sizes (instead of PSA_ERROR_BAD_STATE in some cases) to make the
2538 * Fix an off-by-one error in the additional data length check for
2544 defined. Fix contributed in #3571.
2545 * Fix conditions for including string.h in error.c. Fixes #3866.
2547 in a secure element.
2551 * Attempting to create or register a key with a key identifier in the vendor
2554 * Add missing arguments of debug message in mbedtls_ssl_decrypt_buf.
2555 * Fix a memory leak in mbedtls_mpi_sub_abs() when the result was negative
2557 * Fix a case in elliptic curve arithmetic where an out-of-memory condition
2558 could go undetected, resulting in an incorrect result.
2559 * In CTR_DRBG and HMAC_DRBG, don't reset the reseed interval in seed().
2561 * In PEM writing functions, fill the trailing part of the buffer with null
2564 until this property was inadvertently broken in Mbed TLS 2.19.0.
2567 option on. In this configuration key management methods that are required
2573 Reported in #3591 and fix contributed in #3592 by Daniel Otte.
2579 * Remove the zeroization of a pointer variable in AES rounds. It was valid
2587 * In the PSA API, rename the types of elliptic curve and Diffie-Hellman
2588 group families to psa_ecc_family_t and psa_dh_family_t, in line with the
2598 through PSA Crypto with a volatile lifetime. Reported in #3288 and
2599 contributed by Steven Cooreman in #3382.
2610 * Fix a vulnerability in the verification of X.509 certificates when
2614 name in that extension regardless of its type. This means that an
2619 reported by kFYatek in #3498.
2621 its revocationDate was in the past according to the local clock if
2622 available. In particular, on builds without MBEDTLS_HAVE_TIME_DATE,
2627 revocationDate field, in accordance with RFC 5280. Reported by
2628 yuemonangong in #3340. Reported independently and fixed by
2629 Raoul Strackx and Jethro Beekman in #3433.
2630 * In (D)TLS record decryption, when using a CBC ciphersuites without the
2636 if they have access to fine-grained measurements. In particular, this
2640 * Fix side channel in RSA private key operations and static (finite-field)
2645 * Fix a 1-byte buffer overread in mbedtls_x509_crl_parse_der().
2648 * Zeroising of plaintext buffers in mbedtls_ssl_read() to erase unused
2649 application data from memory. Reported in #689 by
2655 * Use local labels in mbedtls_padlock_has_support() to fix an invalid symbol
2657 Reported in #3451 and fix contributed in #3452 by okhowang.
2660 Montgomery keys in little-endian as defined by RFC7748. Contributed by
2661 Steven Cooreman in #3425.
2663 curves. Raised by signpainter in #941 and by Taiki-San in #1412. This
2664 also fixes missing declarations reported by Steven Cooreman in #1147.
2668 instead of erroring out. Contributed by Steven Cooreman in #3492.
2670 lower bits. Fix contributed in #3540.
2671 * Fix a memory leak in mbedtls_md_setup() when using HMAC under low memory
2672 conditions. Reported and fix suggested by Guido Vranken in #3486.
2673 * Fix bug in redirection of unit test outputs on platforms where stdout is
2674 defined as a macro. First reported in #2311 and fix contributed in #3528.
2678 in #3478 and fix contributed in #3479 by okhowang.
2681 Contributed by Doru Gucea and Simon Leet in #3464.
2682 * Undefine the ASSERT macro before defining it locally, in case it is defined
2683 in a platform header. Contributed by Abdelatif Guettouche in #3557.
2686 years of publishing are no longer tracked in the source files. This also
2700 * In the experimental PSA secure element interface, change the encoding of
2709 * New functions in the error module return constant strings for
2713 in #3176.
2719 Contributed by Nicola Di Lieto <nicola.dilieto@gmail.com> in #3243 as
2725 some BSD systems. Contributed by Nia Alarie in #3423.
2726 * Add support for Windows 2000 in net_sockets. Contributed by opatomic. #3239
2729 * Fix a side channel vulnerability in modular exponentiation that could
2730 reveal an RSA private key used in a secure enclave. Noticed by Sangho Lee,
2733 Strackx (Fortanix) in #3394.
2734 * Fix side channel in mbedtls_ecp_check_pub_priv() and
2742 * Fix issue in Lucky 13 counter-measure that could make it ineffective when
2744 macros). This would cause the original Lucky 13 attack to be possible in
2747 Reported and fix suggested by Luc Perneel in #3246.
2751 Completes a previous fix in Mbed TLS 2.19 that only fixed the build for
2752 the example programs. Reported in #1430 and fix contributed by irwir.
2753 * Fix undefined behavior in X.509 certificate parsing if the
2758 due to shadowed variable. Contributed by Sander Visser in #3310.
2760 NULL pointer argument. Contributed by Sander Visser in #3312.
2764 * Remove dead code in X.509 certificate parsing. Contributed by irwir in
2766 * Include asn1.h in error.c. Fixes #3328 reported by David Hu.
2767 * Fix potential memory leaks in ecp_randomize_jac() and ecp_randomize_mxz()
2768 when PRNG function fails. Contributed by Jonas Lejeune in #3318.
2769 * Remove unused macros from MSVC projects. Reported in #3297 and fix
2770 submitted in #3333 by irwir.
2771 * Add additional bounds checks in ssl_write_client_hello() preventing
2774 * Set _POSIX_C_SOURCE to at least 200112L in C99 code. Reported in #3420 and
2775 fix submitted in #3421 by Nia Alarie.
2777 NetBSD. Contributed by Nia Alarie in #3422.
2779 Contributed by Sander Visser in #3311.
2783 in ssl_parse_record_header().
2786 * Fix warnings about signedness issues in format strings. The build is now
2788 in #3153.
2789 * Fix minor performance issue in operations on Curve25519 caused by using a
2790 suboptimal modular reduction in one place. Found and fix contributed by
2791 Aurelien Jarno in #3209.
2792 * Combine identical cases in switch statements in md.c. Contributed
2793 by irwir in #3208.
2794 * Simplify a bounds check in ssl_write_certificate_request(). Contributed
2795 by irwir in #3150.
2798 behavior in bare metal environments.
2800 Contributed by Koh M. Nakagawa in #3326.
2806 * The unit tests now rely on header files in framework/tests/include/test and source
2807 files in framework/tests/src. When building with make or cmake, the files in
2816 * Remove superfluous assignment in mbedtls_ssl_parse_certificate(). Reported
2817 in #3182 and fix submitted by irwir. #3217
2818 * Fix typo in XTS tests. Reported and fix submitted by Kxuan. #3319
2823 * Deprecate MBEDTLS_SSL_HW_RECORD_ACCEL that enables function hooks in the
2825 * Deprecate mbedtls_ssl_get_max_frag_len() in favour of
2831 * Fix issue in DTLS handling of new associations with the same parameters
2834 legitimate clients, resulting in a Denial of Service. This could only
2835 happen when MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE was enabled in config.h
2837 * Fix side channel in ECC code that allowed an adversary with access to
2842 * Fix a potentially remotely exploitable buffer overread in a
2853 * Remove a spurious check in ssl_parse_client_psk_identity that triggered
2854 a warning with some compilers. Fix contributed by irwir in #2856.
2855 * Fix a function name in a debug message. Contributed by Ercan Ozturk in
2860 is back directly in the present repository.
2874 library which allows TLS authentication to use keys stored in a
2881 unless the RNG is broken, and could result in information disclosure or
2895 * Change the encoding of key types and curves in the PSA API. The new
2904 * Fix an unchecked call to mbedtls_md() in the x509write module.
2906 Jack Lloyd in #2859. Fix submitted by jiblime in #2963.
2907 * Fix some false-positive uninitialized variable warnings in X.509. Fix
2908 contributed by apple-ihack-geek in #2663.
2909 * Fix a possible error code mangling in psa_mac_verify_finish() when
2911 * Fix a bug in mbedtls_pk_parse_key() that would cause it to accept some
2914 * Fix a bug in mbedtls_pk_parse_key() that would cause it to
2922 than 3/2 times the key size. In case you want to disable the extra call to
2928 MBEDTLS_ENTROPY_BLOCK_SIZE bytes or more from strong sources. In the
2933 * Zeroize local variables in mbedtls_internal_aes_encrypt() and
2941 * Fix side channel vulnerability in ECDSA. Our bignum implementation is not
2946 * Fix side channel vulnerability in ECDSA key generation. Obtaining precise
2947 timings on the comparison in the key generation enabled the attacker to
2950 * Catch failure of AES functions in mbedtls_ctr_drbg_random(). Uncaught
2956 * Key derivation inputs in the PSA API can now either come from a key object
2963 msopiha-linaro in ARMmbed/mbed-crypto#307.
2966 * In the PSA API, forbid zero-length keys. To pass a zero-length input to a
2973 * Fix an incorrect size in a debugging message. Reported and fix
2979 * Fix a buffer overflow in the PSA HMAC code when using a long key with an
2982 to OSS-Fuzz for finding a bug in an intermediate version of the fix.
2991 structures, which was exposed only in an internal header.
3000 Alexander Krizhanovsky in ARMmbed/mbed-crypto#210.
3002 Lloyd and Fortanix Inc in ARMmbed/mbed-crypto#277.
3004 Alexander Krizhanovsky in ARMmbed/mbed-crypto#308.
3010 Contributed by Zachary J. Fields in PR #2949.
3015 * Make client_random and server_random const in
3020 * Fix some false-positive uninitialized variable warnings in crypto. Fix
3021 contributed by apple-ihack-geek in #2663.
3026 * Fix a missing error detection in ECJPAKE. This could have caused a
3030 value, as specified in RFC 5915. Previously, the value was written
3043 store it in non-volatile storage, and later using it for TLS session
3059 socket. Contributed by Robert Larsen in #2803.
3076 * Deprecate mbedtls_ecdsa_sign_det() in favor of functions that can take an
3082 * Fix missing bounds checks in X.509 parsing functions that could
3089 * Fix typo in net_would_block(). Fixes #528 reported by github-monoculture.
3090 * Remove redundant include file in timing.c. Fixes #2640 reported by irwir.
3098 * Fix misuse of signed arithmetic in the HAVEGE module. #2598
3101 in mbedtls_x509write_crt_der() to 2Kb. Reported by soccerGB in #2631.
3102 * Fix partial zeroing in x509_get_other_name. Found and fixed by ekse, #2716.
3104 Bernhard M. Wiedemann in #2357.
3105 * Fix the build on ARMv5TE in ARM mode to not use assembly instructions
3106 that are only available in Thumb mode. Fix contributed by Aurelien Jarno
3107 in #2169.
3108 * Fix propagation of restart contexts in restartable EC operations.
3109 This could previously lead to segmentation faults in builds using an
3111 * Fix memory leak in mpi_miller_rabin(). Contributed by
3112 Jens Wiklander <jens.wiklander@linaro.org> in #2363
3113 * Improve code clarity in x509_crt module, removing false-positive
3116 * Fix bug in endianness conversion in bignum module. This led to
3121 * Replace multiple uses of MD2 by SHA-256 in X.509 test suite. Fixes #821.
3125 * Add a Dockerfile and helper scripts (all-in-docker.sh, basic-in-docker.sh,
3130 cyber) in #2681.
3146 Ashley Duncan in #2609.
3151 * Add the Any Policy certificate policy oid, as defined in
3162 * Add support for parsing otherName entries in the Subject Alternative Name
3164 as defined in RFC 4108 section 5.
3165 * Add support for parsing certificate policies extension, as defined in
3168 * List all SAN types in the subject_alt_names field of the certificate.
3171 in https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05.
3187 * Fix private key DER output in the key_app_writer example. File contents
3189 Christian Walther in #2239.
3190 * Fix potential memory leak in X.509 self test. Found and fixed by
3193 * Fix 1-byte buffer overflow in mbedtls_mpi_write_string() when
3194 used with negative inputs. Found by Guido Vranken in #2404. Credit to
3196 * Fix bugs in the AEAD test suite which would be exposed by ciphers which
3199 * Fix incorrect default port number in ssl_mail_client example's usage.
3203 * Add missing parentheses around parameters in the definition of the
3205 in case operators binding less strongly than subtraction were used
3207 * Add a check for MBEDTLS_X509_CRL_PARSE_C in ssl_server2, guarding the crl
3208 sni entry parameter. Reported by inestlerode in #560.
3214 * Server's RSA certificate in certs.c was SHA-1 signed. In the default
3216 This certificate is used in the demo server programs, which led the
3223 * Remove dead code from bignum.c in the default configuration.
3227 * Change wording in the `mbedtls_ssl_conf_max_frag_len()`'s documentation to
3238 named bitstring in DER as required by RFC 5280 Appendix B.
3246 * Allow opting in to the removal of the API mbedtls_ssl_get_peer_cert()
3259 an error or a meaningless output from mbedtls_ecdh_get_params. In the
3266 Raised as a comment in #1996.
3270 in the header files, which missed the precompilation check. #971
3272 * Remove a duplicate #include in a sample program. Fixed by Masashi Honma #2326.
3276 in X.509 module. Fixes #2212.
3279 * Fix false failure in all.sh when backup files exist in include/mbedtls
3283 * Fix issue when writing the named bitstrings in KeyUsage and NsCertType
3284 extensions in CSRs and CRTs that caused these bitstrings to not be encoded
3285 correctly as trailing zeroes were not accounted for as unused bits in the
3291 * Include configuration file in all header files that use configuration,
3295 in RFC 7468. Found by Michael Ernst. Fixes #767.
3300 * Fix clobber list in MIPS assembly for large integer multiplication.
3302 produced by some optimizing compilers, showing up as failures in
3303 e.g. RSA or ECC signature operations. Reported in #1722, fix suggested
3307 * Fix configuration queries in ssl-opt.h. #2030
3308 * Ensure that ssl-opt.h can be run in OS X. #2029
3309 * Re-enable certain interoperability tests in ssl-opt.sh which had previously
3318 of parameters in the API. This allows detection of obvious misuses of the
3320 changed, but requirements on parameters have been made more explicit in
3323 disabled by default. See its API documentation in config.h for additional
3327 * The following functions in the random generator modules have been
3344 changed so that the same level of validation is present in all modules, and
3351 in favor of functions that can return an error code.
3357 * Fix runtime error in `mbedtls_platform_entropy_poll()` when run
3359 in #1212. Fixes #1212.
3361 This could lead to a buffer overflow, but only in case ticket authentication
3362 was broken. Reported and fix suggested by Guido Vranken in #659.
3392 * Fix timing variations and memory access variations in RSA PKCS#1 v1.5
3394 attack. In TLS, this affects servers that accept ciphersuites based on
3399 (University of Adelaide, Data61). The attack is described in more detail
3400 in the paper available here: http://cat.eyalro.net/cat.pdf CVE-2018-19608
3401 * In mbedtls_mpi_write_binary(), don't leak the exact size of the number
3408 * Wipe sensitive buffers on the stack in the CTR_DRBG and HMAC_DRBG
3423 name and the CA's subject name differed in their string encoding (e.g.,
3424 one using PrintableString and the other UTF8String) or in the choice of
3425 upper and lower case. Reported by Henrik Andersson of Bosch GmbH in issue
3427 * Fix a flawed bounds check in server PSK hint parsing. In case the
3436 security of TLS, but can matter in other contexts with numbers chosen
3446 some configurable amount of operations. This is intended to be used in
3451 xxx_restartable functions in ECP, ECDSA, PK and X.509 (CRL not supported
3452 yet), and to existing functions in ECDH and SSL (currently only
3453 implemented client-side, for ECDHE-ECDSA ciphersuites in TLS 1.2,
3457 MPI multiplications used in ECC and RSA cryptography. Contributed by
3464 * Add support for 128-bit keys in CTR_DRBG. Note that using keys shorter
3481 * Deprecate the function mbedtls_mpi_is_prime() in favor of
3486 * Fix wrong order of freeing in programs/ssl/ssl_server2 example
3487 application leading to a memory leak in case both
3490 * Fix a bug in the update function for SSL ticket keys which previously
3492 * Fix failure in hmac_drbg in the benchmark sample application, when
3494 * Fix a bug in the record decryption routine ssl_decrypt_buf()
3496 padded records in case of CBC ciphersuites using Encrypt-then-MAC.
3497 * Fix memory leak and freeing without initialization in the example
3499 * Ignore IV in mbedtls_cipher_set_iv() when the cipher mode is
3504 of sensitive data in the example programs aescrypt2 and crypt_and_hash.
3507 wildcards and non-ASCII characters being unusable in some DN attributes.
3508 Reported by raprepo in #1860 and by kevinpt in #468. Fix contributed by
3517 * Add tests for session resumption in DTLS.
3518 * Close a test gap in (D)TLS between the client side and the server side:
3520 in the same way as on the server side.
3527 X.509 DNs. Previously, DN attributes were always written in their default
3529 created which used PrintableStrings in the issuer field even though the
3530 signing CA used UTF8Strings in its subject field; while X.509 compliant,
3531 such CRTs were rejected in some applications, e.g. some versions of
3532 Firefox, curl and GnuTLS. Reported in #1033 by Moschn. Fix contributed by
3537 use it to reduce error probability in RSA key generation to levels mandated
3557 * Fix an issue in the X.509 module which could lead to a buffer overread
3558 during certificate extensions parsing. In case of receiving malformed
3572 * Add support for buffering out-of-order handshake messages in DTLS.
3575 in mbedtls/config.h.
3582 * Fix a potential memory leak in mbedtls_ssl_setup() function. An allocation
3583 failure in the function could lead to other buffers being leaked.
3586 * Fix a memory leak in ecp_mul_comb() if ecp_precompute_comb() fails.
3590 interoperability issues with BouncyCastle. Raised by milenamil in #1157.
3591 * Replace printf with mbedtls_printf in the ARIA module. Found by
3592 TrinityTonic in #1908.
3593 * Fix potential use-after-free in mbedtls_ssl_get_max_frag_len()
3598 check in parsing the CertificateRequest message,
3599 introduced in Mbed TLS 2.12.0. Fixes #1954.
3600 * Fix a miscalculation of the maximum record expansion in
3601 mbedtls_ssl_get_record_expansion() in case of ChachaPoly ciphersuites,
3602 or CBC ciphersuites in (D)TLS versions 1.1 or higher. Fixes #1913, #1914.
3603 * Fix undefined shifts with negative values in certificates parsing
3605 * Fix memory leak and free without initialization in pk_encrypt
3624 * Fix a vulnerability in TLS ciphersuites based on CBC and using SHA-384,
3625 in (D)TLS 1.0 to 1.2, that allowed an active network attacker to
3628 this recovery by sending many messages in the same connection. With TLS
3634 caused by a miscalculation (for SHA-384) in a countermeasure to the
3637 * Fix a vulnerability in TLS ciphersuites based on CBC, in (D)TLS 1.0 to
3647 * Add a counter-measure against a vulnerability in TLS ciphersuites based
3648 on CBC, in (D)TLS 1.0 to 1.2, that allowed a local attacker, able to
3675 Found and fixed by Hirotaka Niisato in #1783.
3680 * Fix a memory leak in mbedtls_x509_csr_parse(), found by catenacyber,
3682 * Remove unused headers included in x509.c. Found by Chris Hanson and fixed
3685 MBEDTLS_CIPHER_NULL_CIPHER is enabled. Found by TrinityTonic in #1719.
3690 * Fix namespacing in header files. Remove the `mbedtls` namespacing in
3691 the `#include` in the header files. Resolves #857
3692 * Fix compiler warning of 'use before initialisation' in
3702 when the request_size argument is set to 0 as stated in the documentation.
3714 * Change the shebang line in Perl scripts to look up perl in the PATH.
3727 * Add support for the CCM* block cipher mode as defined in IEEE Std. 802.15.4.
3729 Contributed by Aorimn in pull request #414.
3730 * In TLS servers, support offloading private key operations to an external
3740 Reported by rahmanih in #683
3741 * Fix braces in mbedtls_memory_buffer_alloc_status(). Found by sbranden, #552.
3745 * Changed the Clang parameters used in the CMake build files to work for
3753 (RFC 6209). Disabled by default, see MBEDTLS_ARIA_C in config.h
3767 * Fix an issue with MicroBlaze support in bn_mul.h which was causing the
3771 * Support TLS testing in out-of-source builds using cmake. Fixes #1193.
3778 * Fix an issue in the X.509 module which could lead to a buffer overread
3785 * Fix the buffer length assertion in the ssl_parse_certificate_request()
3789 algorithms section is too short. In builds with debug output, the overread
3791 * Fix a client-side bug in the validation of the server's ciphersuite choice
3800 Suggested and contributed by jkivilin in pull request #394.
3804 Nicholas Wilson in pull request #348.
3811 a check for whether more data is pending to be processed in the
3814 underlying transport in case event-driven IO is used.
3817 * Fix a spurious uninitialized variable warning in cmac.c. Fix independently
3819 * Add missing dependencies in test suites that led to build failures
3820 in configurations that omit certain hashes or public-key algorithms.
3822 * Fix C89 incompatibility in benchmark.c. Contributed by Brendan Shanks.
3825 MBEDTLS_VERSION_FEATURES in some test suites. Contributed by
3831 ECPrivateKey structure. Found by Jethro Beekman, fixed in #1379.
3833 stated in the mbedtls_cipher_update() documentation. Contributed by
3836 a file in pk_sign program. Found by kevlut in #1142.
3838 where data needs to be fetched from the underlying transport in order
3842 in the internal buffers; these cases led to deadlocks when event-driven
3843 I/O was used. Found and reported by Hubert Mis in #772.
3844 * Fix buffer length assertions in the ssl_parse_certificate_request()
3850 maintained 2.7 branch. The soversion was increased in Mbed TLS
3851 version 2.7.1 to reflect breaking changes in that release, but the
3852 increment was missed in 2.8.0 and later releases outside of the 2.7 branch.
3855 * Remove some redundant code in bignum.c. Contributed by Alexey Skalozub.
3858 * Improve testing in configurations that omit certain hashes or
3861 * Do not define global mutexes around readdir() and gmtime() in
3867 Found and fix submitted by junyeonLEE in #1220.
3871 * Add the order of the base point as N in the mbedtls_ecp_group structure
3877 Paul Sokolovsky in #1356.
3878 * Add an option in the Makefile to support ar utilities where the operation
3883 * Optimize unnecessary zeroing in mbedtls_mpi_copy. Based on a contribution
3884 by Alexey Skalozub in #405.
3885 * In the SSL module, when f_send, f_recv or f_recv_timeout report
3887 Sam O'Connor in #1245.
3890 by Jiayuan Chen in #1377. Fixes #1437.
3893 * Declare functions in header files even when an alternative implementation
3898 * Add platform setup and teardown calls in test suites.
3908 the (deprecated) option MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT in
3919 * Fix a buffer overread in ssl_parse_server_key_exchange() that could cause
3921 * Fix a buffer overread in ssl_parse_server_psk_hint() that could cause a
3932 * Add support for public keys encoded in PKCS#1 format. #1122
3939 * Fix the name of a DHE parameter that was accidentally changed in 2.7.0.
3944 In the context of SSL, this resulted in handshake failure. Reported by
3945 daniel in the Mbed TLS forum. #1351
3954 * In test_suite_pk, pass valid parameters when testing for hash length
3956 * Fix memory allocation corner cases in memory_buffer_alloc.c module. Found
3958 * Log correct number of ciphersuites used in Client Hello message. #918
3961 * Fix a possible arithmetic overflow in ssl_parse_server_key_exchange()
3963 * Fix a possible arithmetic overflow in ssl_parse_server_psk_hint() that
3971 * Fix tag lengths and value ranges in the documentation of CCM encryption.
3973 * Fix typo in a comment ctr_drbg.c. Contributed by Paul Sokolovsky.
3975 * MD functions deprecated in 2.7.0 are no longer inline, to provide
3984 * Fix a heap corruption issue in the implementation of the truncated HMAC
3988 code execution. The issue could be triggered remotely from either side in
3990 * Fix a buffer overflow in RSA-PSS verification when the hash was too large
3994 * Fix buffer overflow in RSA-PSS verification when the unmasked data is all
3996 * Fix an unsafe bounds check in ssl_parse_client_psk_identity() when adding
3998 * Fix a potential heap buffer overflow in mbedtls_ssl_write(). When the (by
3999 default enabled) maximum fragment length extension is disabled in the
4005 and sjorsdewit on GitHub. Fix proposed by Florin Petriuc in #1022.
4010 Changes were introduced in multiple places in the library.
4021 * Fix a potential heap buffer over-read in ALPN extension parsing
4022 (server-side). Could result in application crash, but only if an ALPN
4025 to RFC 3526 containing parameters generated in a nothing-up-my-sleeve
4029 * Allow comments in test data files.
4040 MBEDTLS_ECDSDA_GENKEY_AT in config.h.
4046 MBEDTLS_ECDH_GEN_PUBLIC_ALT in config.h.
4063 implementations of the RSA interface declared in rsa.h.
4064 * The following functions in the message digest modules (MD2, MD4, MD5,
4081 any of MD2, MD4, MD5, SHA1, SHA256, SHA512) in favor of functions
4090 accepting DHM parameters in binary form, matching the new constants.
4094 as recommended in RFC 6347 Section 4.1.2.7.
4095 * Fix memory leak in mbedtls_ssl_set_hostname() when called multiple times.
4097 * Fix usage help in ssl_server2 example. Found and fixed by Bei Lin.
4101 * Fix leap year calculation in x509_date_is_valid() to ensure that invalid
4107 Found independently by Florian in the mbed TLS forum and by Mishamax.
4111 * Fix unchecked return codes from AES, DES and 3DES functions in
4117 * Include configuration file in md.h, to fix compilation warnings.
4118 Reported by aaronmdjones in #1001
4119 * Correct extraction of signature-type from PK instance in X.509 CRT and CSR
4121 RSA implementations. Raised by J.B. in the Mbed TLS forum. Fixes #1011.
4124 * Fix bugs in RSA test suite under MBEDTLS_NO_PLATFORM_ENTROPY. #1023 #1024
4127 * Fix handling of handshake messages in mbedtls_ssl_read() in case
4129 * Add a check for invalid private parameters in mbedtls_ecdsa_sign().
4131 * Fix word size check in pk.c to not depend on MBEDTLS_HAVE_INT64.
4132 * Fix incorrect unit in benchmark output. #850
4138 * Fix use of uninitialized memory in mbedtls_timing_get_timer() when reset=1.
4139 * Fix possible memory leaks in mbedtls_gcm_self_test().
4140 * Added missing return code checks in mbedtls_aes_self_test().
4141 * Fix issues in RSA key generation program programs/x509/rsa_genkey and the
4145 * Fix error message in programs/pkey/gen_key.c. Found and fixed by Chris Xue.
4148 * Fix an issue in the cipher decryption with the mode
4153 mbedtls_sha512_starts() in the mbedtls_entropy_init() function.
4158 * In mbedtls_entropy_free(), properly free the message digest context.
4159 * Fix handshake status message in programs/ssl/dtls_client.c. Found
4166 * Only check for necessary RSA structure fields in `mbedtls_rsa_private`. In
4174 new ones with return codes. In particular, this modifies the
4176 everywhere except some locations in the ssl_tls.c module.
4187 * Fix authentication bypass in SSL/TLS: when authmode is set to optional,
4193 * Reliably wipe sensitive data after use in the AES example applications
4202 by the user in a platform_alt.h file. These new functions are required in
4207 * Reverted API/ABI breaking changes introduced in mbed TLS 2.5.1, to make the
4212 * Certificate verification functions now set flags to -1 in case the full
4213 chain was not verified due to an internal error (including in the verify
4217 a fatal error in the verify callback.
4220 * Add a check if iv_len is zero in GCM, and return an error if it is zero.
4225 * Fix a resource leak on Windows platforms in mbedtls_x509_crt_parse_path(),
4226 in the case of an error. Found by redplait. #590
4229 * Fix conditional preprocessor directives in bignum.h to enable 64-bit
4231 * Fix a potential integer overflow in the version verification for DER
4235 * Fix potential integer overflow in the version verification for DER
4239 * Fix a potential integer overflow in the version verification for DER
4252 accelerator code in the library leaves concurrency handling to the
4254 * Define the macro MBEDTLS_AES_ROM_TABLES in the configuration file
4263 * Fixed unlimited overread of heap-based buffer in mbedtls_ssl_read().
4265 Could result in DoS (application crash) or information leak
4271 * Fixed offset in FALLBACK_SCSV parsing that caused TLS server to fail to
4278 valid C and they prevented the test from compiling in Visual Studio 2015
4281 resulting in compatibility problems with Chrome. Found by hfloyrd. #823
4282 * Fix behaviour that hid the original cause of fatal alerts in some cases
4289 * Accept empty trusted CA chain in authentication mode
4292 fatal errors in authentication mode MBEDTLS_SSL_VERIFY_OPTIONAL and to
4296 * Fix incorrect sign computation in modular exponentiation when the base is
4299 * Fix a numerical underflow leading to stack overflow in mpi_read_file()
4303 * Send fatal alerts in more cases. The previous behaviour was to skip
4312 * Wipe stack buffers in RSA private key operations
4316 against side-channel attacks like the cache attack described in
4327 suppressing the CA list in Certificate Request messages. The default
4331 * The following functions in the AES module have been deprecated and replaced
4341 * Fixed issue in the Threading module that prevented mutexes from
4343 * Add checks in the PK module for the RSA functions on 64-bit systems.
4352 using RSA through the PK module in 64-bit systems. The issue was caused by
4353 some data loss when casting a size_t to an unsigned int value in the
4356 * Fixed potential livelock during the parsing of a CRL in PEM format in
4358 characters after the footer could result in the execution of an infinite
4378 mbedtls_ssl_set_bio_timeout in compat-1.3.h, by removing it.
4380 * Fix unused variable/function compilation warnings in pem.c, x509_crt.c and
4383 * Fix incorrect renegotiation condition in ssl_check_ctr_renegotiate() that
4385 in RFC 6347 Section 4.3.1. This could cause the execution of the
4388 * Fixed multiple buffer overreads in mbedtls_pem_read_buffer() when parsing
4389 the input string in PEM format to extract the different components. Found
4391 * Fixed potential arithmetic overflow in mbedtls_ctr_drbg_reseed() that could
4393 * Fixed potential arithmetic overflows in mbedtls_cipher_update() that could
4395 * Fixed potential arithmetic overflow in mbedtls_md2_update() that could
4397 * Fixed potential arithmetic overflow in mbedtls_base64_decode() that could
4399 * Fixed heap overreads in mbedtls_x509_get_time(). Found by Peng
4401 * Fix potential memory leak in mbedtls_x509_crl_parse(). The leak was caused
4402 by missing calls to mbedtls_pem_free() in cases when a
4407 generated in Visual Studio 2015. Reported by Steve Valliere. #742
4408 * Fix a resource leak in ssl_cookie, when using MBEDTLS_THREADING_C.
4409 Raised and fix suggested by Alan Gillingham in the mbed TLS forum. #771
4410 * Fix 1 byte buffer overflow in mbedtls_mpi_write_string() when the MPI
4411 number to write in hexadecimal is negative and requires an odd number of
4413 * Fix unlisted DES configuration dependency in some pkparse test cases. Found
4427 with RFC-5116 and could lead to session key recovery in very long TLS
4428 sessions. "Nonce-Disrespecting Adversaries Practical Forgery Attacks on GCM in
4431 * Fixed potential stack corruption in mbedtls_x509write_crt_der() and
4433 without checking whether there is enough space in the destination. The
4441 * Added a script to print build environment info for diagnostic use in test
4448 * Added the macro MBEDTLS_ENTROPY_MIN_HARDWARE in config.h. This allows users
4456 * Fix dependency issue in Makefile to allow parallel builds.
4457 * Fix incorrect handling of block lengths in crypt_and_hash.c sample program,
4465 * Fix conditional statement that would cause a 1 byte overread in
4472 * Fix mbedtls_x509_get_sig() to update the ASN1 type in the mbedtls_x509_buf
4478 * Fix potential byte overread when verifying malformed SERVER_HELLO in
4480 * Fix check for validity of date when parsing in mbedtls_x509_get_time().
4498 naming collision in projects which also have files with the common name
4507 * Fix missing padding length check in mbedtls_rsa_rsaes_pkcs1_v15_decrypt
4509 * Fix potential integer overflow to buffer overflow in
4511 (not triggerable remotely in (D)TLS).
4512 * Fix a potential integer underflow to buffer overread in
4513 mbedtls_rsa_rsaes_oaep_decrypt. It is not triggerable remotely in
4521 * Fix bug in mbedtls_mpi_add_mpi() that caused wrong results when the three
4522 arguments were the same (in-place doubling). Found and fixed by Janos
4525 in the previous patch release. Found by Robert Scheck. #390 #391
4526 * Fix issue in Makefile that prevented building using armar. #386
4528 ECDSA was disabled in config.h. The leak didn't occur by default.
4531 in the trusted certificate list.
4532 * Fix bug in mbedtls_x509_crt_parse that caused trailing extra data in the
4533 buffer after DER certificates to be included in the raw representation.
4535 * Fix bug in mbedtls_rsa_rsaes_pkcs1_v15_encrypt that made null pointer
4539 * Fix issue in ssl_fork_server which was preventing it from functioning. #429
4540 * Fix memory leaks in test framework
4541 * Fix test in ssl-opt.sh that does not run properly with valgrind
4548 * Disabled SSLv3 in the default configuration.
4559 remotely in SSL/TLS. Found by Rafał Przywara. #367
4560 * Disable MD5 handshake signatures in TLS 1.2 by default to prevent the
4566 * Fix over-restrictive length limit in GCM. Found by Andreas-N. #362
4567 * Fix bug in certificate validation that caused valid chains to be rejected
4569 Nicholas Wilson. Introduced in mbed TLS 2.2.0. #280
4570 * Removed potential leak in mbedtls_rsa_rsassa_pkcs1_v15_sign(), found by
4574 datagram if a single record in a datagram is unexpected, instead only
4575 drop the record and look at subsequent records (if any are present) in
4587 * Fix potential buffer overflow in some asn1_write_xxx() functions.
4596 * Experimental support for EC J-PAKE as defined in Thread 1.0.0.
4603 resulting in some valid X.509 being incorrectly rejected. Found and fix
4615 * Fix failures in MPI on Sparc(64) due to use of bad assembly code.
4617 * Fix typo in name of the extKeyUsage OID. Found by inestlerode, #314
4618 * Fix bug in ASN.1 encoding of booleans that caused generated CA
4633 once in the same handshake and mbedtls_ssl_conf_psk() was used.
4636 * Fix stack buffer overflow in pkcs12 decryption (used by
4639 * Fix potential buffer overflow in mbedtls_mpi_read_string().
4640 Found by Guido Vranken, Intelworks. Not exploitable remotely in the context
4641 of TLS, but might be in other uses. On 32-bit machines, requires reading a
4644 * Fix potential random memory allocation in mbedtls_pem_read_buffer()
4646 Intelworks. Not triggerable remotely in TLS. Triggerable remotely if you
4648 * Fix possible heap buffer overflow in base64_encoded() when the input
4650 Intelworks. Not triggerable remotely in TLS.
4654 * Fix potential heap buffer overflow in servers that perform client
4660 * Fix compile error in net.c with musl libc. Found and patch provided by
4665 * Added checking of hostname length in mbedtls_ssl_set_hostname() to ensure
4667 * Fixed paths for check_config.h in example config files. (Found by bachp)
4683 * Fix off-by-one error in parsing Supported Point Format extension that
4687 * Made X509 profile pointer const in mbedtls_ssl_conf_cert_profile() to allow
4691 (MBEDTLS_SSL_DTLS_HELLO_VERIFY defined in config.h, and usable cookie
4704 * Fix segfault in the benchmark program when benchmarking DHM.
4709 * Fix bug in CMake lists that caused libmbedcrypto.a not to be installed
4711 * Fix bug in Makefile that caused libmbedcrypto and libmbedx509 not to be
4714 * Fix bug in Makefile that caused programs not to be installed correctly
4716 * Fix bug in Makefile that prevented from installing without building the
4722 * Fix bug in mbedtls_ssl_conf_default() that caused the default preset to
4724 * Fix bug in mbedtls_rsa_public() and mbedtls_rsa_private() that could
4733 * Fix memory corruption in pkey programs (found by yankuncheng) (#210)
4759 * Expanded configurability of security parameters in the SSL module with
4770 provided. Full list of renamings in scripts/data_files/rename-1.3-2.0.txt
4775 * Headers are now found in the 'mbedtls' directory (previously 'polarssl').
4793 * The following functions have been introduced and must be used in callback
4802 * On server, mbedtls_ssl_conf_session_tickets_cb() must now be used in
4813 * The following functions changed prototype to avoid an in-out length
4819 * In the NET module, all "int" and "int *" arguments for file descriptors
4822 * In the threading layer, mbedtls_mutex_init() and mbedtls_mutex_free() now
4831 * Test certificates in certs.c are no longer guaranteed to be nul-terminated
4841 (support for renegotiation now needs explicit enabling in config.h).
4843 in config.h
4871 * md_init_ctx() is deprecated in favour of md_setup(), that adds a third
4875 * Renamed a few headers to include _internal in the name. Those headers are
4880 * Removed sig_oid2 and rename sig_oid1 to sig_oid in x509_crt and x509_crl.
4887 * RC4 is now blacklisted by default in the SSL/TLS layer, and excluded from the
4892 * Support for RSA_ALT contexts in the PK layer is now optional. Since it is
4893 enabled in the default configuration, this is only noticeable if using a
4946 * Add support for bit strings in X.509 names (request by Fredrik Axelsson).
4947 * Add support for id-at-uniqueIdentifier in X.509 names.
4948 * Add support for overriding snprintf() (except on Windows) and exit() in
4950 * Add an option to use macros instead of function pointers in the platform
4968 * Fix bug in entropy.c when THREADING_C is also enabled that caused
4972 * Fix bug in ssl_mail_client when password is longer than username (found
4974 * Fix undefined behaviour (memcmp( NULL, NULL, 0 );) in X.509 modules
4982 ssl_write() is called before the handshake is finished (introduced in
4984 * Fix bug in pk_parse_key() that caused some valid private EC keys to be
4986 * Fix bug in Via Padlock support (found by Nikos Mavrogiannopoulos).
4987 * Fix thread safety bug in RSA operations (found by Fredrik Axelsson).
4988 * Fix hardclock() (only used in the benchmarking program) with some
4990 * Fix warnings from mingw64 in timing.c (found by kxjklele).
4991 * Fix potential unintended sign extension in asn1_get_len() on 64-bit
4993 * Fix potential memory leak in ssl_set_psk() (found by Mansour Moufid).
4995 POLARSSL_SSL_SSESSION_TICKETS were both enabled in config.h (introduced
4996 in 1.3.10).
4997 * Add missing extern "C" guard in aesni.h (reported by amir zamani).
4998 * Add missing dependency on SHA-256 in some x509 programs (reported by
5004 * Remove bias in mpi_gen_prime (contributed by Pascal Junod).
5014 performance impact was bad for some users (this was introduced in 1.3.10).
5015 * Move from SHA-1 to SHA-256 in example programs using signatures
5019 * Change #include lines in test files to use double quotes instead of angle
5021 * Remove dependency on sscanf() in X.509 parsing modules.
5025 * NULL pointer dereference in the buffer-based allocator when the buffer is
5039 Bleichenbacher-style attack in the RSA and RSA-PSK key exchanges
5067 * User set CFLAGS were ignored by Cmake with gcc (introduced in 1.3.9, found
5069 * Fix potential undefined behaviour in Camellia.
5070 * Fix potential failure in ECDSA signatures when POLARSSL_ECP_MAX_BITS is a
5072 * Fix unchecked return code in x509_crt_parse_path() on Windows (found by
5085 * Use deterministic nonces for AEAD ciphers in TLS by default (possible to
5086 switch back to random with POLARSSL_SSL_AEAD_RANDOM_IV in config.h).
5089 * Forbid repeated extensions in X.509 certificates.
5090 * debug_print_buf() now prints a text view in addition to hexadecimal.
5091 * A specific error is now returned when there are ciphersuites in common
5098 * Use platform.h in all test suites and programs.
5102 * Lowest common hash was selected from signature_algorithms extension in
5103 TLS 1.2 (found by Darren Bane) (introduced in 1.3.8).
5112 * Support escaping of commas in x509_string_to_names()
5113 * Fix compile error in ssl_pthread_server (found by Julian Ospald).
5115 * Don't print uninitialised buffer in ssl_mail_client (found by Marc Abel).
5117 * Fix compile error in timing.c when POLARSSL_NET_C and POLARSSL_SELFTEST
5124 * ssl_close_notify() could send more than one message in some circumstances
5128 * Fix compile error with armcc in mpi_is_prime()
5129 * Fix potential bad read in parsing ServerHello (found by Adrien
5137 * Made buffer size in pk_write_(pub)key_pem() more dynamic, e.g. smaller if
5141 * POLARSSL_MPI_MAX_SIZE now defaults to 1024 in order to allow 8192 bits
5143 * Accept spaces at end of line or end of buffer in base64_decode().
5156 * Support for parsing and verifying RSASSA-PSS signatures in the X.509
5158 * Blowfish in the cipher layer now supports variable length keys.
5160 * Optimize for RAM usage in example config.h for NSA Suite B profile.
5169 * Add LINK_WITH_PTHREAD option in CMake for explicit linking that is
5174 * Selection of hash for signing ServerKeyExchange in TLS 1.2 now picks
5180 * Fix in debug_print_msg()
5181 * Enforce alignment in the buffer allocator even if buffer is not aligned
5190 * Very small records were incorrectly rejected when truncated HMAC was in
5191 use with some ciphersuites and versions (RC4 in all versions, CBC with
5198 been removed in 1.3.6.)
5200 CA for use as an end entity certificate. (This had been removed in
5205 * Fix off-by-one error in parsing Supported Point Format extension that
5211 * Fix base64_decode() to return and check length correctly (in case of
5225 checked and filled in the relevant module headers
5232 * Only iterate over actual certificates in ssl_write_certificate_request()
5234 * Typos in platform.c and pkcs11.c (found by Daniel Phillips and Steffan
5237 * Fix false reject in padding check in ssl_decrypt_buf() for CBC
5239 * Improve interoperability by not writing extension length in ClientHello /
5245 * Fix dependencies issues in X.509 test suite.
5247 * Fix detection of DragonflyBSD in net.c (found by Markus Pfeiffer)
5266 * Reject certificates with times not in UTC, per RFC 5280.
5269 * Avoid potential timing leak in ecdsa_sign() by blinding modular division.
5272 This affects certificates in the user-supplied chain except the top
5275 * Prevent potential NULL pointer dereference in ssl_read_record() (found by
5281 * Potential memory leak in mpi_exp_mod() when error occurs during
5283 * Fixed malloc/free default #define in platform.c (found by Gergely Budai).
5286 * Fix #include path in ecdsa.h which wasn't accepted by some compilers.
5295 * Potential buffer overwrite in pem_write_buffer() because of low length
5297 * EC curves constants, which should be only in ROM since 1.3.3, were also
5298 stored in RAM due to missing 'const's (found by Gergely Budai).
5310 * Support for reading EC keys that use SpecifiedECDomain in some cases.
5338 * Fixed bug in RSA PKCS#1 v1.5 "reversed" operations
5340 * Fixed version-major intolerance in server
5342 * Fixed dependency issues in test suite
5348 * Fixed bug with session tickets and non-blocking I/O in the unlikely case
5354 * ssl_init() was leaving a dirty pointer in ssl_context if malloc of
5356 * ssl_handshake_init() was leaving dirty pointers in subcontexts if malloc
5358 * Fix typo in rsa_copy() that impacted PKCS#1 v2 contexts
5369 * Potential memory leak in bignum_selftest()
5374 * Assembly format fixes in bn_mul.h
5382 * EC key generation support in gen_key app
5387 * Support for IPv6 in the NET module
5396 * More constant-time checks in the RSA module
5398 * Curves are now stored fully in ROM
5399 * Memory usage optimizations in ECP module
5403 * Fixed bug in mpi_set_bit() on platforms where t_uint is wider than int
5408 * Potential memory leak in ssl_ticket_keys_init()
5409 * Memory leak in benchmark application
5411 * Added missing MPI_CHK() around some statements in mpi_div_mpi() (found by
5413 * Fixed potential overflow in certificate size verification in
5427 * Padding checks in cipher layer are now constant-time
5428 * Value comparisons in SSL layer are now constant-time
5429 * Support for serialNumber, postalAddress and postalCode in X509 names
5433 * More stringent checks in cipher layer
5460 * Possible naming collision in dhm_context
5484 (ISO/IEC 7816-4) padding and zero padding in the cipher layer
5491 * Support for multiple active certificate / key pairs in SSL servers for
5518 * Fixed parse error in ssl_parse_certificate_request()
5520 * Support for AIX header locations in net.c module
5531 * Fix potential invalid memory read in the server, that allows a client to
5533 * Fix potential invalid memory read in certificate parsing, that allows a
5540 * Fix bug in Via Padlock support (found by Nikos Mavrogiannopoulos).
5541 * Fix hardclock() (only used in the benchmarking program) with some
5543 * Fix warnings from mingw64 in timing.c (found by kxjklele).
5544 * Fix potential unintended sign extension in asn1_get_len() on 64-bit
5549 this will be made in the 1.2 branch at this point.
5565 * Fix potential undefined behaviour in Camellia.
5566 * Fix memory leaks in PKCS#5 and PKCS#12.
5569 * Fix bug in MPI/bignum on s390/s390x (reported by Dan Horák) (introduced
5570 in 1.2.12).
5571 * Fix unchecked return code in x509_crt_parse_path() on Windows (found by
5585 * Forbid repeated extensions in X.509 certificates.
5596 * Fix potential bad read in parsing ServerHello (found by Adrien
5598 * ssl_close_notify() could send more than one message in some circumstances
5602 * Don't print uninitialised buffer in ssl_mail_client (found by Marc Abel).
5613 * Accept spaces at end of line or end of buffer in base64_decode().
5626 * Reject certificates with times not in UTC, per RFC 5280.
5636 * Prevent potential NULL pointer dereference in ssl_read_record() (found by
5647 * Added missing MPI_CHK() around some statements in mpi_div_mpi() (found by
5649 * Fixed potential overflow in certificate size verification in
5651 * Fix ASM format in bn_mul.h
5652 * Potential memory leak in bignum_selftest()
5655 * Fix bug in RSA PKCS#1 v1.5 "reversed" operations
5657 * Fixed version-major intolerance in server
5661 * ssl_init() was leaving a dirty pointer in ssl_context if malloc of
5663 * ssl_handshake_init() was leaving dirty pointers in subcontexts if malloc
5667 * Potential memory leak in mpi_exp_mod() when error occurs during
5669 * Improve interoperability by not writing extension length in ClientHello
5675 * Fix detection of DragonflyBSD in net.c (found by Markus Pfeiffer)
5682 * Fix base64_decode() to return and check length correctly (in case of
5690 * Fixed memory leak in RSA as a result of introduction of blinding
5705 * Fixed potential negative value misinterpretation in load_file()
5713 * Centralized module option values in config.h to allow user-defined
5722 symmetric cipher and hash algorithms (e.g. POLARSSL_AES_ALT in
5728 * Secure renegotiation extension should only be sent in case client
5730 * Fixed offset for cert_type list in ssl_parse_certificate_request()
5738 * Fixed values for 2-key Triple DES in cipher layer
5759 * Fixed memory leak in ssl_free() and ssl_reset() for active session
5778 * Removed further timing differences during SSL message decryption in
5794 * Removed timing differences during SSL message decryption in
5805 * Handle future version properly in ssl_write_certificate_request()
5806 * Correctly handle CertificateRequest message in client for <= TLS 1.1
5821 * Fixed dependency on POLARSSL_SHA4_C in SSL modules
5831 * Allow R and A to point to same mpi in mpi_div_mpi (found by Manuel
5833 * Fixed possible segfault in mpi_shift_r() (found by Manuel
5853 * Added support for Hardware Acceleration hooking in SSL/TLS
5880 in SSL/TLS
5886 * Fixed handling error in mpi_cmp_mpi() on longer B values (found by
5888 * Fixed potential heap corruption in x509_name allocation
5913 * Potential negative value misinterpretation in load_file()
5925 * Fixed values for 2-key Triple DES in cipher layer
5942 * Removed timing differences during SSL message decryption in
5958 * Fixed possible segfault in mpi_shift_r() (found by Manuel
5960 * Allow R and A to point to same mpi in mpi_div_mpi (found by Manuel
5975 * Fixed potential heap corruption in x509_name allocation
5984 * Fixed handling error in mpi_cmp_mpi() on longer B values (found by
5995 * Check for failed malloc() in ssl_set_hostname() and x509_get_entries()
5999 * Fixed bug in CTR_DRBG selftest
6017 * Documentation for AES and Camellia in modes CTR and CFB128 clarified.
6025 * Changed the defined key-length of DES ciphers in cipher.h to include the
6026 parity bits, to prevent mistakes in copying data. (Closes ticket #33)
6035 a consequence in library code and programs
6050 * Fixed incorrect behaviour in case of RSASSA-PSS with a salt length
6054 * Improved build support for s390x and sparc64 in bignum.h
6055 * Fixed MS Visual C++ name clash with int64 in sha4.h
6056 * Corrected removal of leading "00:" in printing serial numbers in
6069 * Undid faulty bug fix in ssl_write() when flushing old data (Ticket
6089 t_int and t_dbl to t_uint and t_udbl in the process
6118 does not zeroize memory in advance anymore. Use rsa_init()
6125 * Fixed bug in ssl_write() when flushing old data (Fixed ticket
6156 * Fixed a possible Man-in-the-Middle attack on the
6170 * Improvements to support integration in other
6182 * x509parse_time_expired() checks time in addition to
6200 * Removed dependency on rand() in rsa_pkcs1_encrypt().
6204 * Some SSL defines were renamed in order to avoid
6211 * Fixed deadlock in rsa_pkcs1_encrypt() on failing random
6216 * Fixed Makefile in library that was mistakenly merged
6223 * Added support for GeneralizedTime in X509 parsing
6231 in a function to allow easy future expansion
6239 * Fixed bug resulting in failure to send the last
6240 certificate in the chain in ssl_write_certificate() and
6244 * Fixed algorithmic bug in mpi_is_prime() (found by
6255 * Changed typo in #ifdef in x509parse.c (found
6270 * Fixed typo in name of POLARSSL_ERR_RSA_OUTPUT_TOO_LARGE.
6282 * Prevented use of long long in bignum if
6285 * Fixed incorrect handling of negative strings in
6287 * Fixed segfault on handling empty rsa_context in
6291 value in mpi_add_abs() (found by code coverage tests).
6293 value in mpi_sub_abs() (found by code coverage tests).
6295 value in mpi_mod_mpi() and mpi_mod_int(). Resulting
6304 SHA-512 in rsa_pkcs1_sign()
6307 * Fixed a bug in mpi_gcd() so that it also works when both
6315 * Fixed minor memory leak in x509parse_crt() and added better
6322 * Undefining POLARSSL_HAVE_ASM now also prevents asm in
6324 * Fixed an off-by-one buffer allocation in ssl_set_hostname()
6338 * Fixed dangerous bug that can cause a heap overflow in
6347 * Enabled support for large files by default in aescrypt2.c
6349 * Fixed a bug in ssl_write() that caused the same payload to
6350 be sent twice in non-blocking mode when send returns EAGAIN
6352 not be swapped in the SSLv2 ClientHello (found by Greg Robson)
6358 * Correctly handle the case in padlock_xcryptcbc() when input or
6361 * Fixed a memory leak in x509parse_crt() which was reported by Greg
6375 serial number, setup correct server port in the ssl client example
6385 * Updated rsa_gen_key() so that ctx->N is always nbits in size
6398 * Added lots of debugging output in the SSL/TLS functions
6407 * Fixed a bug in mpi_read_binary() on 64-bit platforms
6409 * Fixed a long standing memory leak in mpi_is_prime()
6410 * Replaced realloc with malloc in mpi_grow(), and set
6411 the sign of zero as positive in mpi_init() (reported
6417 * Fixed a bug in ssl_tls.c which sometimes prevented SSL
6419 * Fixed a couple of bugs in the VS6 and UNIX Makefiles
6420 * Fixed the "PIC register ebx clobbered in asm" bug
6427 * Rewrote README.txt in program/ssl/ca to better explain
6432 * Ciphers used in SSL/TLS can now be disabled at compile
6441 * Fixed a bug introduced in xyssl-0.5/timing.c: hardclock
6461 * Fixed a bug in ssl_encrypt_buf (incorrect padding was
6462 generated) and in ssl_parse_client_hello (max. client
6464 * Fixed another bug in ssl_parse_client_hello: clients with
6466 * Fixed a couple of memory leaks in x509_read.c
6473 * Fixed a bug in the CBC code, thanks to dowst; also,
6484 * Fixed a bug in sha2_hmac, thanks to newsoft/Wenfang Zhang
6485 * Fixed a bug reported by Adrian Rüegsegger in x509_read_key
6486 * Fixed a bug reported by Torsten Lauter in ssl_read_record
6487 * Fixed a bug in rsa_check_privkey that would wrongly cause
6489 * Fixed a bug in mpi_is_prime that caused some primes to fail