Lines Matching full:in
8 function psa_can_do_cipher() in addition to psa_can_do_hash(). This
9 change was made in Mbed TLS 3.6.0 but was not announced then.
14 conditions in constant time.
17 * Fix a timing side channel in CBC-PKCS7 decryption that could
21 * Fix a local timing side-channel in modular inversion and GCD that was
22 exploitable in RSA key generation and other RSA operations (see the full
27 probably in other similar settings as well. Found and reported
43 documented, and inconsistent as all other inputs resulted in a non-negative
51 session, according to the TLS-Exporter specification in RFC 8446 and 5705.
52 This requires MBEDTLS_SSL_KEYING_MATERIAL_EXPORT to be defined in
56 * Fix a buffer overread in mbedtls_lms_import_public_key() when the input is
59 * Fix a vulnerability in LMS verification through which an adversary could
65 available in hardware, an adversary with fine control over which
66 threads make progress in a multithreaded program could force software
69 key. In particular, this attacker model may be possible against an SGX
74 * Fix possible use-after-free or double-free in code calling
79 they were free()d, resulting in high risk of use-after-free or double-free,
81 In particular, the two sample programs x509/cert_write and x509/cert_req
86 * Fix a bug in mbedtls_asn1_store_named_data() where it would sometimes leave
87 an item in the output list in an inconsistent state with val.p == NULL but
92 inside the same call to mbedtls_x509_string_to_names(), or in subsequent
103 * Fix a timing side channel in the implementation of PKCS#7 padding
118 operations using the built-in implementation. Fixes #9814.
124 guarantee is met in all cases. Fixes #9975.
129 * Fix a sloppy check in LMS public key import, which could lead to accepting
134 * Fix a race condition on x86/amd64 platforms in AESNI support detection
135 that could lead to using software AES in some threads at the very
142 function reported the correct size in *olen when it returned
146 arguments, undefined behaviour would be triggered, in the form of a call to
147 memcpy(..., NULL, 0). This was harmless in practice, but could trigger
153 this function (see the entry in the Security section) will be detected and
159 * In TLS clients, if mbedtls_ssl_set_hostname() has not been called,
174 largest PSA key enabled in the build.
187 Otherwise, in many scenarios, the server could be impersonated.
193 * Zeroize a temporary heap buffer used in psa_key_derivation_output_key()
195 * Zeroize temporary heap buffers used in PSA operations.
196 * Fix a vulnerability in the TLS 1.2 handshake. If memory allocation failed
205 problematic middlebox is in the way. Fixes #9551.
208 * Use 'mbedtls_net_close' instead of 'close' in 'mbedtls_net_bind'
211 * Fix undefined behavior in some cases when mbedtls_psa_raw_to_der() or
216 may have resulted in incorrect code with some compilers, depending on
218 * Support re-assembly of fragmented handshake messages in TLS (both
220 some servers, especially with TLS 1.3 in practice. There are a few
242 * Fix a buffer underrun in mbedtls_pk_write_key_der() when
245 Fix a related buffer underrun in mbedtls_pk_write_key_pem()
255 in C++. This resolves a build failure under C++ compilers that do not
260 * In a PSA-client-only build (i.e. MBEDTLS_PSA_CRYPTO_CLIENT &&
266 in the protocol version negotiation.
275 psa_key_derivation_output_key_ext() are deprecated in favor of
278 data is passed in a separate parameter instead of a flexible array
281 in Mbed TLS 4.0:
289 in Mbed TLS 4.0:
299 from the public API in Mbed TLS 4.0:
313 in Mbed TLS 4.0:
322 of increased code size. This option is off by default, but enabled in
330 * Fix a stack buffer overflow in mbedtls_ecdsa_der_to_raw() and
332 largest supported curve. In some configurations with PSA disabled,
333 all values of bits are affected. This never happens in internal library
338 in keyUsage or extKeyUsage extensions, then the return value of
355 passing in zero length additional data to multipart AEAD.
359 * Fix error handling when creating a key in a dynamic secure element
360 (feature enabled by MBEDTLS_PSA_CRYPTO_SE_C). In a low memory condition,
363 * Fix issue of redefinition warning messages for _GNU_SOURCE in
367 * Fix a compilation warning in pk.c when PSA is enabled and RSA is disabled.
368 * Fix the build when MBEDTLS_PSA_CRYPTO_CONFIG is enabled and the built-in
369 CMAC is enabled, but no built-in unauthenticated cipher is enabled.
375 * Fix interference between PSA volatile keys and built-in keys
381 but MBEDTLS_DHM_C is disabled. Reported by Michael Schuster in #9188.
383 MBEDTLS_SSL_CLI_C is disabled. Reported by M-Bab on GitHub in #9186.
385 some code was defining 0-size arrays, resulting in compilation errors.
386 Fixed by disabling the offending code in configurations without PSA
392 legacy_compression_methods in the ClientHello.
395 in an application that does not call psa_crypto_init().
397 * Fix TLS connection failure in applications using an Mbed TLS client in
405 * Fixed a regression introduced in 3.6.0 where the CA callback set with
409 * Fixed a regression introduced in 3.6.0 where clients that relied on
417 * Fixed a regression introduced in 3.6.0 where context-specific certificate
421 callback in TLS 1.3.
427 potentially resulting in buffer overflows.
431 in Mbed TLS 3.0, but was not announced in a changelog entry at the time.
436 * Remove `tls13_` in mbedtls_ssl_tls13_conf_early_data() and
438 feature may not be TLS 1.3 specific in the future. Fixes #6909.
441 * psa_import_key() now only accepts RSA keys in the PSA standard formats.
454 * In the PSA API, domain parameters are no longer used for anything.
455 They are deprecated and will be removed in a future version of the
457 * mbedtls_ecp_write_key() is deprecated in favor of
461 * In the PSA API, the experimental way to encode the public exponent of
474 * AES-NI is now supported in Windows builds with clang and clang-cl.
482 that use the decryption direction (ECB in PSA, CBC, XTS, KW) and with DES.
486 library without the corresponding built-in implementation. Generally
488 or they'll both be built in. However, for CCM and GCM the built-in
493 disabled. This requires PSA_WANT_ALG_ECB_NO_PADDING in addition to
496 size by disabling it in more circumstances. In particular, the CCM and
501 details and current limitations; in particular, NIST_KW and PKCS5/PKCS12
525 in bits, i.e. the key size for an RSA key.
534 ECDH in all ECDH configurations.
547 the MBEDTLS_X509_EXT_BASIC_CONSTRAINTS bit in the certificate's
552 used as random number generator function (f_rng) and context (p_rng) in
565 the mbedtls_ssl_conf_early_data() API (by default disabled in both cases).
575 ClientHello in a TLS 1.3 server supporting some PSK key exchange mode. A
578 * Passing buffers that are stored in untrusted memory as arguments
585 the function call (i.e. no buffer parameters are in shared memory),
593 TLS 1.3 connection potentially resulting in a Denial of Service or forced
599 client could put the TLS 1.3-only server in an infinite loop processing
600 a TLS 1.2 ClientHello, resulting in a denial of service. Reported by
610 * Fix compilation error in C++ programs when MBEDTLS_ASN1_PARSE_C is
612 * Fix possible NULL dereference issue in X509 cert_req program if an entry
613 in the san parameter is not separated by a colon.
614 * Fix possible NULL dereference issue in X509 cert_write program if an entry
615 in the san parameter is not separated by a colon.
619 * Fix build failure in conda-forge. Fixes #8422.
628 in TLS Suite B Profile. Fixes #8221.
640 entropy resource in gen_key example. Fixes #8809.
644 mbedtls_pk_encrypt() on non-opaque RSA keys to honor the padding mode in
649 * Fix missing bitflags in SSL session serialization headers. Their absence
650 allowed SSL sessions saved in one configuration to be loaded in a
652 * In TLS 1.3 clients, fix an interoperability problem due to the client
656 * Fix NULL pointer dereference in mbedtls_pk_verify_ext() when called using
670 individually enabled in order to enable respective support; also the
671 corresponding MBEDTLS_PSA_ACCEL symbol should be defined in case
683 * RSA support in PSA no longer auto-enables the pkparse and pkwrite modules,
692 * The TLS 1.3 protocol is now enabled in the default configuration.
697 * Fix a timing side channel in private key RSA operations. This side channel
705 could result in an integer overflow, causing a zero-length buffer to be
716 * Fix accidental omission of MBEDTLS_TARGET_PREFIX in 3rdparty modules
717 in CMake.
722 * Mbed TLS 3.4 introduced support for omitting the built-in implementation
724 there was a flaw in the logic checking if the built-in implementation, in
727 accelerated and still have the built-in implementation compiled out.
730 considered not accelerated, and the built-in implementation of the curves
731 and any algorithm possible using them will be included in the build.
744 are now being deprecated in favor of PSA_WANT_KEY_TYPE_xxx_KEY_PAIR_yyy and
748 * MBEDTLS_CIPHER_BLKSIZE_MAX is deprecated in favor of
754 deprecated in favor of mbedtls_pkcs5_pbes2_ext() and
762 been called. Previously (in 3.3), this was restricted to a few modules,
763 and only in builds where MBEDTLS_MD_C was disabled; in particular the
765 provided - these limitations are lifted in this version. A new set of
768 they're provided by a built-in implementation, a driver or both. See
771 MBEDTLS_ECDH_C in the build in order to save code size. For TLS 1.2
773 MBEDTLS_USE_PSA_CRYPTO. Restartable/interruptible ECDHE operations in
774 TLS 1.2 (ECDHE-ECDSA key exchange) are not supported in those builds yet,
779 algorithms in PSA, with some limitations. See docs/driver-only-builds.txt
781 * Add parsing of directoryName subtype for subjectAltName extension in
789 public and private keys in RFC 8410 format using the existing PK APIs.
794 * Add support for the FFDH algorithm and DH key types in PSA, with
795 parameters from RFC 7919. This includes a built-in implementation based
800 IP address, OtherName, and DirectoryName, as defined in RFC 5280.
805 described in 7.4 of RFC5280, will result in a positive URI verification.
809 * Add support to restrict AES to 128-bit keys in order to save code size.
821 or DH) were introduced in order to have finer accuracy in defining the
827 (useful for testing purposes), but this might change in the future.
828 * Add support for FFDH key exchange in TLS 1.3.
843 * Support for "opaque" (PSA-held) ECC keys in the PK module has been
851 of subjectAltName extension in x509 certificates.
858 * Accept arbitrary AttributeType and AttributeValue in certificate
866 * Fix a case where potentially sensitive information held in memory would not
867 be completely zeroized during TLS 1.2 handshake, in both server and client
869 * In configurations with ARIA or Camellia but not AES, the value of
872 only used in relation with CMAC which does not support these ciphers.
880 * Improve padding calculations in CBC decryption, NIST key unwrapping and
886 conditional instructions, which can have an observable difference in
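The timing side channel behind the CBC-PKCS7 and padding-check entries above comes from a padding check whose running time depends on how many trailing bytes happen to be well formed. The following is an added illustration, not Mbed TLS code: a naive PKCS#7 unpadding routine with a data-dependent early return beside a version that reads the same number of bytes on every call and folds the verdict into a mask. The 16-byte block size, the sample blocks and the function names are assumptions for this example.

```c
/*
 * Added example, not Mbed TLS code. Two PKCS#7 unpadding routines for a
 * 16-byte block cipher: the first returns as soon as it sees a bad padding
 * byte, so its running time depends on how much of the (secret) padding was
 * well formed; the second reads the same BLOCK_SIZE bytes on every call and
 * combines the verdict with masks, so no branch depends on the data.
 * Block size, buffer layout and function names are assumptions for this example.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define BLOCK_SIZE 16

/* Naive version: the early exit leaks how many trailing bytes matched.
 * Shown for contrast only; do not use. */
static int pkcs7_unpad_naive(const uint8_t *buf, size_t len, size_t *plain_len)
{
    if (len < BLOCK_SIZE || len % BLOCK_SIZE != 0) {
        return -1;
    }
    uint8_t pad = buf[len - 1];
    if (pad == 0 || pad > BLOCK_SIZE) {
        return -1;
    }
    for (size_t i = 1; i <= pad; i++) {
        if (buf[len - i] != pad) {
            return -1;                  /* returns sooner for worse padding */
        }
    }
    *plain_len = len - pad;
    return 0;
}

/* 0xFF if a == b, 0x00 otherwise, computed without a comparison branch. */
static uint8_t ct_mask_eq(uint8_t a, uint8_t b)
{
    uint32_t d = (uint32_t)(a ^ b);              /* zero iff a == b */
    d = (d | (0u - d)) >> 31;                    /* 1 iff d != 0 */
    return (uint8_t)(d - 1u);                    /* 0xFF iff d == 0 */
}

/* 0xFF if a <= b, 0x00 otherwise, computed without a comparison branch. */
static uint8_t ct_mask_le(uint8_t a, uint8_t b)
{
    uint32_t x = (uint32_t)a - (uint32_t)b - 1u; /* sign bit set iff a <= b */
    return (uint8_t)(0u - (x >> 31));
}

/* Constant-time version: always inspects the last BLOCK_SIZE bytes. */
static int pkcs7_unpad_ct(const uint8_t *buf, size_t len, size_t *plain_len)
{
    if (len < BLOCK_SIZE || len % BLOCK_SIZE != 0) {
        return -1;                  /* the length is public; branching is fine */
    }
    uint8_t pad = buf[len - 1];
    /* ok starts as 0xFF iff 1 <= pad <= BLOCK_SIZE */
    uint8_t ok = ct_mask_le(1, pad) & ct_mask_le(pad, BLOCK_SIZE);
    for (size_t i = 1; i <= BLOCK_SIZE; i++) {
        uint8_t in_pad = ct_mask_le((uint8_t)i, pad);   /* is byte i padding? */
        uint8_t match  = ct_mask_eq(buf[len - i], pad); /* does byte i equal pad? */
        /* a padding byte that does not match clears ok; non-padding bytes are ignored */
        ok &= (uint8_t)(match | (uint8_t)~in_pad);
    }
    /* select the plaintext length with a mask rather than a branch */
    *plain_len = len - (size_t)(pad & ok);
    return (int)(ok & 1u) - 1;     /* 0 when padding is valid, -1 otherwise */
}

/* Wrapper used by the checks below: plaintext length, or -1 if padding is bad. */
static int unpad_len(int (*fn)(const uint8_t *, size_t, size_t *),
                     const uint8_t *buf, size_t len)
{
    size_t n = 0;
    return fn(buf, len, &n) == 0 ? (int)n : -1;
}

/* Constructed sample blocks (not real ciphertext): "hello" plus 11 bytes of
 * 0x0B, the same block with one padding byte corrupted, a block whose final
 * byte claims more padding than the block holds, and a block that is all padding. */
static const uint8_t SAMPLE_GOOD[BLOCK_SIZE] =
    { 'h','e','l','l','o', 11,11,11,11,11,11,11,11,11,11,11 };
static const uint8_t SAMPLE_BAD[BLOCK_SIZE] =
    { 'h','e','l','l','o', 11,11,11,11,11, 0, 11,11,11,11,11 };
static const uint8_t SAMPLE_OVERSIZE[BLOCK_SIZE] =
    { 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0, 17 };
static const uint8_t SAMPLE_FULL[BLOCK_SIZE] =
    { 16,16,16,16,16,16,16,16,16,16,16,16,16,16,16,16 };

int main(void)
{
    printf("naive good=%d bad=%d oversize=%d full=%d\n",
           unpad_len(pkcs7_unpad_naive, SAMPLE_GOOD, BLOCK_SIZE),
           unpad_len(pkcs7_unpad_naive, SAMPLE_BAD, BLOCK_SIZE),
           unpad_len(pkcs7_unpad_naive, SAMPLE_OVERSIZE, BLOCK_SIZE),
           unpad_len(pkcs7_unpad_naive, SAMPLE_FULL, BLOCK_SIZE));
    printf("ct    good=%d bad=%d oversize=%d full=%d\n",
           unpad_len(pkcs7_unpad_ct, SAMPLE_GOOD, BLOCK_SIZE),
           unpad_len(pkcs7_unpad_ct, SAMPLE_BAD, BLOCK_SIZE),
           unpad_len(pkcs7_unpad_ct, SAMPLE_OVERSIZE, BLOCK_SIZE),
           unpad_len(pkcs7_unpad_ct, SAMPLE_FULL, BLOCK_SIZE));
    return 0;
}
```

Both routines return the same results; the difference is that the constant-time one performs the same loads and mask operations whether the padding is valid or not. In a real CBC decryption path this is only one piece: the MAC check that follows must also not branch on the padding verdict, and the compiler must not turn the mask arithmetic back into a conditional jump, which is the concern the changelog entry about conditional instructions refers to.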
895 * Fix a buffer overread when parsing short TLS application data records in
897 * Fix a remotely exploitable heap buffer overflow in TLS handshake parsing.
898 In TLS 1.3, all configurations are affected except PSK-only ones, and
900 In TLS 1.2, the affected configurations are those with
908 than all built-in ones and RSA is disabled.
915 in the ecdsa.h header file. There was a build warning when the
920 * Fix missing PSA initialization in sample programs when
927 * Fix "unterminated '#pragma clang attribute push'" in sha256/sha512.c when
932 * Fix very high stack usage in SSL debug code. Reported by Maximilian
933 Gerhardt in #7804.
934 * Fix a compilation failure in the constant_time module when
936 Coutinho in #7787.
940 * Fix a bug in which mbedtls_x509_string_to_names() would return success
942 * Fix compilation warnings in aes.c, which prevented the
943 example TF-M configuration in configs/ from building cleanly:
946 * In TLS 1.3, fix handshake failure when a client in its ClientHello
950 * Fix CCM* with no tag being not supported in a build with CCM as the only
958 * Fix a potential corruption of the passed-in IV when mbedtls_aes_crypt_cbc()
960 * Fix compile failure due to empty enum in cipher_wrap.c, when building
963 signature can silently return an incorrect result in low memory conditions.
974 * Fix a build error in some configurations with MBEDTLS_PSA_CRYPTO_CONFIG
977 * Fix undefined symbols in some builds using TLS 1.3 with a custom
980 * Functions in the ssl_cache module now return a negative MBEDTLS_ERR_xxx
981 error code on failure. Before, they returned 1 to indicate failure in
983 * mbedtls_pk_parse_key() now rejects trailing garbage in encrypted keys.
1024 * mbedtls_x509write_crt_set_serial() is now being deprecated in favor of
1027 * PSA to mbedtls error translation is now unified in psa_util.h,
1035 Syntax, as defined in RFC 2315. Currently, support is limited to the
1040 - Certificates must be in X.509 format. A message must have either 0
1053 * Add support for reading points in compressed format
1059 This helps in saving code size when some of the above hashes are not
1062 Subject Alternative Names) in x509 Certificate Sign Requests.
1067 extension in x509 certificates.
1071 extension in x509 certificates.
1076 MBEDTLS_ECDSA_C in the build in order to save code size. For PK, X.509
1078 Restartable/interruptible ECDSA operations in PK, X.509 and TLS are not
1079 supported in those builds yet, as driver support for interruptible ECDSA
1091 MBEDTLS_ECJPAKE_C in the build in order to save code size. For the
1096 an mbedtls_rsa_context, as requested in #6917.
1098 * AES-NI is now supported in 32-bit builds, or when MBEDTLS_HAVE_ASM
1111 * Fix a potential heap buffer overread in TLS 1.3 client-side when
1112 MBEDTLS_DEBUG_C is enabled. This may result in an application crash.
1124 * Fix possible integer overflow in mbedtls_timing_hardclock(), which
1125 could cause a crash in programs/test/benchmark.
1127 * Fix a bug in the build where directory names containing spaces were
1128 causing generate_errors.pl to error out resulting in a build failure.
1130 * In TLS 1.3, when using a ticket for session resumption, tweak its age
1132 ticket timestamps (typically timestamps in milliseconds) compared to the
1133 Mbed TLS ticket timestamps (in seconds) to compute a ticket age smaller
1138 * List PSA_WANT_ALG_CCM_STAR_NO_TAG in psa/crypto_config.h so that it can
1147 * Fix potential undefined behavior in mbedtls_mpi_sub_abs(). Reported by
1148 Pascal Cuoq using TrustInSoft Analyzer in #6701; observed independently by
1151 arguments, access uninitialized memory in some cases. Fixes #6700 (which
1160 * Fix bug in conversion from OID to string in
1168 have the most-significant bit set in their last byte.
1171 * Fix the handling of renegotiation attempts in TLS 1.3. They are now
1173 * Fix an unused-variable warning in TLS 1.3-only builds if
1175 * Fix undefined behavior in mbedtls_ssl_read() and mbedtls_ssl_write() if
1178 instead of role in PAKE PSA Crypto API as described in the specification.
1181 TLS12_PRF but not TLS12_PSK_TO_MS. Reported by joerchan in #7125.
1182 * In the TLS 1.3 server, select the preferred client cipher suite, not the
1183 least preferred. The selection error was introduced in Mbed TLS 3.3.0.
1189 Extensions, where some compilers would emit EOR3 instructions in other
1205 - now it accepts the serial number in 2 different formats: decimal and
1207 - "serial" is used for the decimal format and it's limited in size to
1216 As tested in issue 6790, the correlation between this define and
1244 from a release, the Python module jsonschema is now necessary, in
1246 maintained in scripts/basic.requirements.txt and may change again
1247 in the future.
1255 * Support rsa_pss_rsae_* signature algorithms in TLS 1.2.
1258 resulting in library names like "libmbedtls.so" rather than
1262 are supported in this implementation.
1264 built-in implementation present, but only in some configurations.
1269 See the documentation of the corresponding macros in mbedtls_config.h for
1273 all hashes only provided by drivers (no built-in hash) is to use
1276 properly negotiate/accept hashes based on their availability in PSA.
1277 As a consequence, they now work in configurations where the built-in
1282 for authentication in TLS 1.3.
1287 1024 messages. As such, it is not intended for use in TLS, but instead
1301 corresponding new public API call has been added in the library,
1303 * cert_write: support for writing certificate files in either PEM
1311 of memory in named data lists in X.509 structures.
1313 Additional PSA key slots will be allocated in the process of such key
1321 entry point. This entry point is specified in the proposed PSA driver
1324 calculation that can be used to derive the session secret in TLS 1.2,
1325 as described in draft-cragie-tls-ecjpake-01. This can be achieved by
1329 * Fix potential heap buffer overread and overwrite in DTLS if
1338 and Defenses of the Sliding Window Algorithm in TEEs" - Design, Automation
1339 and Test in Europe 2023.
1343 * Fix an issue with in-tree CMake builds in releases with GEN_FILES
1357 other certificate files. Contributed by Eduardo Silva in #2602.
1361 advertised support for PSS in both TLS 1.2 and 1.3, but only
1362 actually supported PSS in TLS 1.3.
1373 configurations with only one encryption type enabled in TLS 1.2.
1374 * Provide the missing definition of mbedtls_setbuf() in some configurations
1378 * Fix memory leak in ssl_parse_certificate_request() caused by
1379 mbedtls_x509_get_name() not freeing allocated objects in case of error.
1387 signature with an invalid public key, in some cases. Reported by
1388 Guido Vranken using Cryptofuzz in #4420.
1390 in TLS PRF code. Reported by Michael Madsen in #6516.
1393 in TLS 1.3 (where it is forbidden).
1394 * Fix a bug in which mbedtls_x509_crt_info() would produce non-printable
1397 serial numbers are now rendered in hex format. Fixes #6262.
1398 * Fix bug in error reporting in dh_genprime.c where upon failure,
1401 * In the bignum module, operations of the form (-A) - (+A) or (-A) - (-A)
1410 * Fix undefined behavior (typically harmless in practice) of
1413 * Fix undefined behavior (typically harmless in practice) when some bignum
1416 * Fix undefined behavior (typically harmless in practice) in PSA ECB
1450 mbedtls_ssl_conf_min_version() in favor of
1459 * Deprecate mbedtls_ssl_conf_sig_hashes() in favor of the more generic
1474 * Add a function to access the protocol version from an SSL context in a
1478 * Add ALPN support in TLS 1.3 clients.
1489 final delay field in an mbedtls_timing_delay_context, as requested in
1497 mbedtls_ssl_handshake_step(), requested in #4383.
1499 within mbedtls_ssl_context, as requested in #5184.
1510 feature requirements in the file named by the new macro
1515 field within mbedtls_x509_crt context, as requested in #5585.
1516 * Add HKDF-Expand and HKDF-Extract as separate algorithms in the PSA API.
1521 now capable of negotiating another shared secret if the one sent in its
1524 TLS 1.3 protocols are enabled in the build of Mbed TLS, the TLS client now
1535 affected only a limited subset of crypto operations in TLS, X.509 and PK,
1539 Opaque keys can now be used everywhere a private key is expected in the
1545 * cmake now detects if it is being built as a sub-project, and in that case
1550 by side in order to illustrate how the operation is performed in PSA.
1561 potentially left in memory after file operations. Reported by
1563 * Fix a potential heap buffer overread in TLS 1.2 server-side when
1566 is selected. This may result in an application crash or potentially an
1568 * Fix a buffer overread in DTLS ClientHello parsing in servers with
1570 or a man-in-the-middle could cause a DTLS server to read up to 255 bytes
1576 * Fix a buffer overread in TLS 1.3 Certificate parsing. An unauthenticated
1583 * Fix check of certificate key usage in TLS 1.3. The usage of the public key
1598 in reduced configurations when MBEDTLS_USE_PSA_CRYPTO is enabled.
1599 * Fix a bug in (D)TLS curve negotiation: when MBEDTLS_USE_PSA_CRYPTO was
1610 * Fix API violation in mbedtls_md_process() test by adding a call to
1614 * Fix a race condition in out-of-source builds with CMake when generated data
1618 * Fix bug in the alert sending function mbedtls_ssl_send_alert_message()
1619 potentially leading to corrupted alert messages being sent in case
1622 * In configurations with MBEDTLS_SSL_DTLS_CONNECTION_ID enabled but not
1625 The fix was released, but not announced, in Mbed TLS 3.1.0.
1628 only, but in fact it does apply to the public key type of the end entity
1630 * Fix undefined behavior in mbedtls_asn1_find_named_data(), where val is
1632 * Fix compilation error with mingw32. Fixed by Cameron Cawley in #4211.
1634 Miroslav Mastny in #4015.
1637 * Fix a bug in the x25519 example program where the removal of
1644 * Add mbedtls_x509_dn_get_next function to return the next relative DN in
1649 * Silence a warning from GCC 12 in the selftest program. Fixes #5974.
1652 dependencies explicit in the documentation. Fixes #5610.
1656 * Fix resource leaks in mbedtls_pk_parse_public_key() in low
1661 connection identifier in encrypted record headers. Fix #5872.
1664 by 2, and mbedtls_mpi_write_string() in base 2).
1666 non-compliant. This could not lead to a buffer overflow. In particular,
1669 which have been broken, resulting in compilation errors, since Mbed TLS
1675 * Fix an error in make where the absence of a generated file caused
1678 in mbedtls_mpi_exp_mod(). Reported by Tautvydas Žilys in #5467.
1680 issues in CI/CD environments.
1684 from a template. In the future, the generation will support
1690 * In mbedtls_pk_parse_key(), if no password is provided, don't allocate a
1691 temporary variable on the heap. Suggested by Sergey Kanatov in #5304.
1692 * Assume source files are in UTF-8 when using MSVC with CMake.
1694 DLLs are now installed in the bin directory instead of lib.
1700 in Microsoft Visual C++ compiler. Contributed by Microplankton.
1701 * In CMake builds, add aliases for libraries so that the normal MbedTLS::*
1703 use of FetchContent, as requested in #5688.
1711 MBEDTLS_ERR_GCM_BUFFER_TOO_SMALL in case the buffer length is too small.
1724 * Deprecate mbedtls_ssl_conf_curves() in favor of the more generic
1733 Archana Madhavan in #4626. Fixes #3399 and #4249.
1744 is currently implemented in the AES, DES and md modules, and will be
1745 extended to other modules in the future.
1767 value when verifying a MAC or AEAD tag. This hardens the library in
1770 man-in-the-middle to inject fake ciphertext into a DTLS connection.
1771 * In psa_aead_generate_nonce(), do not read back from the output buffer.
1773 if the output buffer is in memory that is shared with an untrusted
1775 * In psa_cipher_generate_iv() and psa_cipher_encrypt(), do not read back
1777 oracle vulnerability if the output buffer is in memory that is shared with
1787 * The GNU makefiles invoke python3 in preference to python except on Windows.
1792 * Fix a parameter set but unused in psa_crypto_cipher.c. Fixes #4935.
1793 * Don't use the obsolete header path sys/fcntl.h in unit tests.
1794 These header files cause compilation errors in musl.
1806 MBEDTLS_AES_ALT or MBEDTLS_DES_ALT. Reported by Armelle Duboc in #1092.
1810 * Fix compile-time or run-time errors in PSA
1813 The requirement of minimum 15 bytes for output buffer in
1814 psa_aead_finish() and psa_aead_verify() does not apply to the built-in
1817 the built-in implementation of the GCM.
1819 input buffer size is valid only for the built-in implementation of GCM.
1833 * Fix issue in Makefile on Linux with SHARED=1, that caused shared libraries
1835 * Fix a bug in mbedtls_gcm_starts() when the bit length of the iv
1837 * Fix an uninitialized variable warning in test_suite_ssl.function with GCC
1841 * Fix a potential invalid pointer dereference and infinite loop bugs in
1858 were introduced in the Mbed TLS 3.0 release, however their implementation was
1872 * Indicate in the error returned if the nonce length used with
1877 from this module will be included in the build as required. Currently
1899 Transfer keys and certificates embedded in the library to the test
1901 users from using unsafe keys in production.
1903 Various helpers and definitions available for use in alt implementations
1910 were not meant to be used in application code have been moved out of
1920 * Update AEAD output size macros to bring them in line with the PSA Crypto
1922 key type used, as well as the key bit-size in the case of
1936 rather than array type. This removes spurious warnings in some compilers
1966 In Mbed TLS 2.X, the API prescribes that later calls overwrite
1967 the effect of earlier calls. In Mbed TLS 3.0, calling
1970 Support for more than one PSK may be added in 3.X.
1976 anything with the currently implemented AEADs, so in practice it was
1979 instead of computing tables at runtime. Thus, this option now increases
1980 code size, and it does not increase RAM usage at runtime anymore.
1997 * In modules that implement cryptographic hash functions, many functions
2007 in DHM and ECDH that compute the shared secret; the scalar multiplication
2008 functions in ECP.
2019 in TLS 1.3. Finally, the key export callback and
2021 * Signature functions in the RSA and PK modules now require the hash
2032 * Direct access to fields of structures declared in public headers is no
2043 Key Wrapping mode as defined in NIST SP 800-38F. Fixes #4036.
2046 by default. The default order in TLS now favors faster curves over larger
2053 bear this in mind and do not add them to backported code.
2059 in the development branch” in README.md for more information.
2070 * Removed deprecated things in psa/crypto_compat.h. Fixes #4284
2075 More details on PKCS#11 wrapper removal can be found in the mailing list
2157 test cases provided in the NIST's CAVP test suite. Contributed by Cédric
2158 Meuter in PR #3183.
2159 * Added support for built-in driver keys through the PSA opaque crypto
2168 * The new function mbedtls_mpi_random() generates a random value in a
2176 query the size of the modulus in a Diffie-Hellman context.
2182 * Implement psa_mac_compute() and psa_mac_verify() as defined in the
2186 * Fix a bias in the generation of finite-field Diffie-Hellman-Merkle (DHM)
2188 computations. Reported by FlorianF89 in #4245.
2189 * Fix a potential side channel vulnerability in ECDSA ephemeral key generation.
2193 large number of signature operations. This completes a partial fix in
2208 * Fix premature fopen() call in mbedtls_entropy_write_seed_file which may
2209 lead to seed file corruption if the path to the seed file is
2211 Krasnoshchok in #3616.
2214 to create is not valid, bringing them in line with version 1.0.0 of the
2220 in line with version 1.0.0 of the specification. Fix #4162.
2221 * Fix a bug in ECDSA that would cause it to fail when the hash is all-bits
2223 * Fix some cases in the bignum module where the library constructed an
2232 * In a TLS client, enforce the Diffie-Hellman minimum parameter size
2235 * In library/net_sockets.c, _POSIX_C_SOURCE and _XOPEN_SOURCE are
2236 defined to specific values. If the code is used in a context
2237 where these are already defined, this can result in a compilation
2241 nonetheless, resulting in undefined reference errors when building a
2242 shared library. Reported by Guillermo Garcia M. in #4411.
2250 directive in a header and a missing initialization in the self-test.
2251 * Fix a missing initialization in the Camellia self-test, affecting
2257 * Fix a regression introduced in 2.24.0 which broke (D)TLS CBC ciphersuites
2258 (when the encrypt-then-MAC extension is not in use) with some ALT
2267 * Fix a resource leak in a test suite with an alternative AES
2269 * Fix a crash in mbedtls_mpi_debug_mpi on a bignum having 0 limbs. This
2272 in #4578. Fixes #4608.
2274 mbedtls_rsa_rsassa_pss_verify() and was causing failures in some _ALT
2282 mbedtls_mpi_read_xxx functions (including in particular TLS code) since
2293 in all the right places. Include it from crypto_platform.h, which is
2295 * Fix which alert is sent in some cases to conform to the
2303 * Fix the setting of the read timeout in the DTLS sample programs.
2305 * Fix memsan build false positive in x509_crt.c with clang 11
2326 may result in mbedtls_mpi_write_binary() or mbedtls_mpi_write_string()
2339 the config file in a way that's compatible with the config file format
2353 * Renamed the PSA Crypto API output buffer size macros to bring them in line
2356 in bits rather than bytes, with an additional flag to indicate if the
2358 * Renamed the PSA Crypto API AEAD tag length macros to bring them in line
2362 * In mbedtls_rsa_context objects, the ver field was formerly documented
2380 MBEDTLS_ECP_xxx_ALT accelerator hooks are in use can now be turned off
2383 tweaking the setting for the maximum amount of keys simultaneously in RAM.
2394 * In the PSA API, the policy for a MAC or AEAD algorithm can specify a
2400 * Fix a security reduction in CTR_DRBG when the initial seeding obtained a
2405 In such cases, a random nonce was necessary to achieve the advertised
2408 Found by John Stroebel in #3819 and fixed in #3973.
2409 * Fix a buffer overflow in mbedtls_mpi_sub_abs() when calculating
2414 only called with |A| >= |B|. Reported by Guido Vranken in #4042.
2415 * Fix an erroneous estimation for an internal buffer in
2419 Found by Daniel Otte, reported in #4093 and fixed in #4094.
2422 beyond FD_SETSIZE. Reported by FigBug in #4169.
2427 * Fix use-after-scope error in programs/ssl/ssl_client2.c and ssl_server2.c
2431 * Fix a memory leak in an error case in psa_generate_derived_key_internal().
2432 * Fix a resource leak in CTR_DRBG and HMAC_DRBG when MBEDTLS_THREADING_C
2434 This was a regression introduced in the previous release. Reported in
2440 * Fix a resource leak in a bad-arguments case of mbedtls_rsa_gen_key()
2448 include this extension in all CA certificates that contain public keys
2450 extension as critical in such certificates." Previous to this change,
2484 mbedtls_cipher_auth_decrypt() are deprecated in favour of the new
2488 the tag in the ciphertext length.
2495 * In PSA, allow using a key declared with a base key agreement algorithm
2496 in combined key agreement and derivation operations, as long as the key
2497 agreement algorithm in use matches the algorithm the key was declared with.
2505 * Add support for DTLS-SRTP as defined in RFC 5764. Contributed by Johan
2507 * In the PSA API, it is no longer necessary to open persistent keys:
2512 compatibility, but will be deprecated and later removed in future
2515 PSA_CIPHER_IV_MAX_SIZE macros have been added as defined in version
2528 * A failure of the random generator was ignored in mbedtls_mpi_fill_random(),
2529 which is how most uses of randomization in asymmetric cryptography
2536 algorithm parameters (only the size) when comparing the signature in the
2540 valid. However, if the parameters do not match in *any* way then the
2544 and reported it in #3629.
2546 in mbedtls_pkcs5_pbkdf2_hmac(), mbedtls_internal_sha*_process(),
2554 * Fix build failure in configurations where MBEDTLS_USE_PSA_CRYPTO is
2556 * Include the psa_constant_names generated source code in the source tree
2560 addresses a regression but is rare in practice (approx. 1 in 2/sqrt(N)).
2567 sizes (instead of PSA_ERROR_BAD_STATE in some cases) to make the
2581 * Fix an off-by-one error in the additional data length check for
2587 defined. Fix contributed in #3571.
2588 * Fix conditions for including string.h in error.c. Fixes #3866.
2590 in a secure element.
2594 * Attempting to create or register a key with a key identifier in the vendor
2597 * Add missing arguments of debug message in mbedtls_ssl_decrypt_buf.
2598 * Fix a memory leak in mbedtls_mpi_sub_abs() when the result was negative
2600 * Fix a case in elliptic curve arithmetic where an out-of-memory condition
2601 could go undetected, resulting in an incorrect result.
2602 * In CTR_DRBG and HMAC_DRBG, don't reset the reseed interval in seed().
2604 * In PEM writing functions, fill the trailing part of the buffer with null
2607 until this property was inadvertently broken in Mbed TLS 2.19.0.
2610 option on. In this configuration key management methods that are required
2616 Reported in #3591 and fix contributed in #3592 by Daniel Otte.
2622 * Remove the zeroization of a pointer variable in AES rounds. It was valid
2630 * In the PSA API, rename the types of elliptic curve and Diffie-Hellman
2631 group families to psa_ecc_family_t and psa_dh_family_t, in line with the
2641 through PSA Crypto with a volatile lifetime. Reported in #3288 and
2642 contributed by Steven Cooreman in #3382.
2653 * Fix a vulnerability in the verification of X.509 certificates when
2657 name in that extension regardless of its type. This means that an
2662 reported by kFYatek in #3498.
2664 its revocationDate was in the past according to the local clock if
2665 available. In particular, on builds without MBEDTLS_HAVE_TIME_DATE,
2670 revocationDate field, in accordance with RFC 5280. Reported by
2671 yuemonangong in #3340. Reported independently and fixed by
2672 Raoul Strackx and Jethro Beekman in #3433.
2673 * In (D)TLS record decryption, when using a CBC ciphersuites without the
2679 if they have access to fine-grained measurements. In particular, this
2683 * Fix side channel in RSA private key operations and static (finite-field)
2688 * Fix a 1-byte buffer overread in mbedtls_x509_crl_parse_der().
2691 * Zeroising of plaintext buffers in mbedtls_ssl_read() to erase unused
2692 application data from memory. Reported in #689 by
2698 * Use local labels in mbedtls_padlock_has_support() to fix an invalid symbol
2700 Reported in #3451 and fix contributed in #3452 by okhowang.
2703 Montgomery keys in little-endian as defined by RFC7748. Contributed by
2704 Steven Cooreman in #3425.
2706 curves. Raised by signpainter in #941 and by Taiki-San in #1412. This
2707 also fixes missing declarations reported by Steven Cooreman in #1147.
2711 instead of erroring out. Contributed by Steven Cooreman in #3492.
2713 lower bits. Fix contributed in #3540.
2714 * Fix a memory leak in mbedtls_md_setup() when using HMAC under low memory
2715 conditions. Reported and fix suggested by Guido Vranken in #3486.
2716 * Fix bug in redirection of unit test outputs on platforms where stdout is
2717 defined as a macro. First reported in #2311 and fix contributed in #3528.
2721 in #3478 and fix contributed in #3479 by okhowang.
2724 Contributed by Doru Gucea and Simon Leet in #3464.
2725 * Undefine the ASSERT macro before defining it locally, in case it is defined
2726 in a platform header. Contributed by Abdelatif Guettouche in #3557.
2729 years of publishing are no longer tracked in the source files. This also
2743 * In the experimental PSA secure element interface, change the encoding of
2752 * New functions in the error module return constant strings for
2756 in #3176.
2762 Contributed by Nicola Di Lieto <nicola.dilieto@gmail.com> in #3243 as
2768 some BSD systems. Contributed by Nia Alarie in #3423.
2769 * Add support for Windows 2000 in net_sockets. Contributed by opatomic. #3239
2772 * Fix a side channel vulnerability in modular exponentiation that could
2773 reveal an RSA private key used in a secure enclave. Noticed by Sangho Lee,
2776 Strackx (Fortanix) in #3394.
2777 * Fix side channel in mbedtls_ecp_check_pub_priv() and
2785 * Fix issue in Lucky 13 counter-measure that could make it ineffective when
2787 macros). This would cause the original Lucky 13 attack to be possible in
2790 Reported and fix suggested by Luc Perneel in #3246.
2794 Completes a previous fix in Mbed TLS 2.19 that only fixed the build for
2795 the example programs. Reported in #1430 and fix contributed by irwir.
2796 * Fix undefined behavior in X.509 certificate parsing if the
2801 due to shadowed variable. Contributed by Sander Visser in #3310.
2803 NULL pointer argument. Contributed by Sander Visser in #3312.
2807 * Remove dead code in X.509 certificate parsing. Contributed by irwir in
2809 * Include asn1.h in error.c. Fixes #3328 reported by David Hu.
2810 * Fix potential memory leaks in ecp_randomize_jac() and ecp_randomize_mxz()
2811 when PRNG function fails. Contributed by Jonas Lejeune in #3318.
2812 * Remove unused macros from MSVC projects. Reported in #3297 and fix
2813 submitted in #3333 by irwir.
2814 * Add additional bounds checks in ssl_write_client_hello() preventing
2817 * Set _POSIX_C_SOURCE to at least 200112L in C99 code. Reported in #3420 and
2818 fix submitted in #3421 by Nia Alarie.
2820 NetBSD. Contributed by Nia Alarie in #3422.
2822 Contributed by Sander Visser in #3311.
2826 in ssl_parse_record_header().
2829 * Fix warnings about signedness issues in format strings. The build is now
2831 in #3153.
2832 * Fix minor performance issue in operations on Curve25519 caused by using a
2833 suboptimal modular reduction in one place. Found and fix contributed by
2834 Aurelien Jarno in #3209.
2835 * Combine identical cases in switch statements in md.c. Contributed
2836 by irwir in #3208.
2837 * Simplify a bounds check in ssl_write_certificate_request(). Contributed
2838 by irwir in #3150.
2841 behavior in bare metal environments.
2843 Contributed by Koh M. Nakagawa in #3326.
2849 * The unit tests now rely on header files in framework/tests/include/test and source
2850 files in framework/tests/src. When building with make or cmake, the files in
2859 * Remove superfluous assignment in mbedtls_ssl_parse_certificate(). Reported
2860 in #3182 and fix submitted by irwir. #3217
2861 * Fix typo in XTS tests. Reported and fix submitted by Kxuan. #3319
2866 * Deprecate MBEDTLS_SSL_HW_RECORD_ACCEL that enables function hooks in the
2868 * Deprecate mbedtls_ssl_get_max_frag_len() in favour of
2874 * Fix issue in DTLS handling of new associations with the same parameters
2877 legitimate clients, resulting in a Denial of Service. This could only
2878 happen when MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE was enabled in config.h
2880 * Fix side channel in ECC code that allowed an adversary with access to
2885 * Fix a potentially remotely exploitable buffer overread in a
2896 * Remove a spurious check in ssl_parse_client_psk_identity that triggered
2897 a warning with some compilers. Fix contributed by irwir in #2856.
2898 * Fix a function name in a debug message. Contributed by Ercan Ozturk in
2903 is back directly in the present repository.
2917 library which allows TLS authentication to use keys stored in a
2924 unless the RNG is broken, and could result in information disclosure or
2938 * Change the encoding of key types and curves in the PSA API. The new
2947 * Fix an unchecked call to mbedtls_md() in the x509write module.
2949 Jack Lloyd in #2859. Fix submitted by jiblime in #2963.
2950 * Fix some false-positive uninitialized variable warnings in X.509. Fix
2951 contributed by apple-ihack-geek in #2663.
2952 * Fix a possible error code mangling in psa_mac_verify_finish() when
2954 * Fix a bug in mbedtls_pk_parse_key() that would cause it to accept some
2957 * Fix a bug in mbedtls_pk_parse_key() that would cause it to
2965 than 3/2 times the key size. In case you want to disable the extra call to
2971 MBEDTLS_ENTROPY_BLOCK_SIZE bytes or more from strong sources. In the
2976 * Zeroize local variables in mbedtls_internal_aes_encrypt() and
2984 * Fix side channel vulnerability in ECDSA. Our bignum implementation is not
2989 * Fix side channel vulnerability in ECDSA key generation. Obtaining precise
2990 timings on the comparison in the key generation enabled the attacker to
2993 * Catch failure of AES functions in mbedtls_ctr_drbg_random(). Uncaught
2999 * Key derivation inputs in the PSA API can now either come from a key object
3006 msopiha-linaro in ARMmbed/mbed-crypto#307.
3009 * In the PSA API, forbid zero-length keys. To pass a zero-length input to a
3016 * Fix an incorrect size in a debugging message. Reported and fix
3022 * Fix a buffer overflow in the PSA HMAC code when using a long key with an
3025 to OSS-Fuzz for finding a bug in an intermediate version of the fix.
3034 structures, which was exposed only in an internal header.
3043 Alexander Krizhanovsky in ARMmbed/mbed-crypto#210.
3045 Lloyd and Fortanix Inc in ARMmbed/mbed-crypto#277.
3047 Alexander Krizhanovsky in ARMmbed/mbed-crypto#308.
3053 Contributed by Zachary J. Fields in PR #2949.
3058 * Make client_random and server_random const in
3063 * Fix some false-positive uninitialized variable warnings in crypto. Fix
3064 contributed by apple-ihack-geek in #2663.
3069 * Fix a missing error detection in ECJPAKE. This could have caused a
3073 value, as specified in RFC 5915. Previously, the value was written
3086 store it in non-volatile storage, and later using it for TLS session
3102 socket. Contributed by Robert Larsen in #2803.
3119 * Deprecate mbedtls_ecdsa_sign_det() in favor of a functions that can take an
3125 * Fix missing bounds checks in X.509 parsing functions that could
3132 * Fix typo in net_would_block(). Fixes #528 reported by github-monoculture.
3133 * Remove redundant include file in timing.c. Fixes #2640 reported by irwir.
3141 * Fix misuse of signed arithmetic in the HAVEGE module. #2598
3144 in mbedtls_x509write_crt_der() to 2Kb. Reported by soccerGB in #2631.
3145 * Fix partial zeroing in x509_get_other_name. Found and fixed by ekse, #2716.
3147 Bernhard M. Wiedemann in #2357.
3148 * Fix the build on ARMv5TE in ARM mode to not use assembly instructions
3149 that are only available in Thumb mode. Fix contributed by Aurelien Jarno
3150 in #2169.
3151 * Fix propagation of restart contexts in restartable EC operations.
3152 This could previously lead to segmentation faults in builds using an
3154 * Fix memory leak in mpi_miller_rabin(). Contributed by
3155 Jens Wiklander <jens.wiklander@linaro.org> in #2363
3156 * Improve code clarity in x509_crt module, removing false-positive
3159 * Fix bug in endianness conversion in bignum module. This led to
3164 * Replace multiple uses of MD2 by SHA-256 in X.509 test suite. Fixes #821.
3168 * Add a Dockerfile and helper scripts (all-in-docker.sh, basic-in-docker.sh,
3173 cyber) in #2681.
3189 Ashley Duncan in #2609.
3194 * Add the Any Policy certificate policy oid, as defined in
3205 * Add support for parsing otherName entries in the Subject Alternative Name
3207 as defined in RFC 4108 section 5.
3208 * Add support for parsing certificate policies extension, as defined in
3211 * List all SAN types in the subject_alt_names field of the certificate.
3214 in https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05.
3230 * Fix private key DER output in the key_app_writer example. File contents
3232 Christian Walther in #2239.
3233 * Fix potential memory leak in X.509 self test. Found and fixed by
3236 * Fix 1-byte buffer overflow in mbedtls_mpi_write_string() when
3237 used with negative inputs. Found by Guido Vranken in #2404. Credit to
3239 * Fix bugs in the AEAD test suite which would be exposed by ciphers which
3242 * Fix incorrect default port number in ssl_mail_client example's usage.
3246 * Add missing parentheses around parameters in the definition of the
3248 in case operators binding less strongly than subtraction were used
3250 * Add a check for MBEDTLS_X509_CRL_PARSE_C in ssl_server2, guarding the crl
3251 sni entry parameter. Reported by inestlerode in #560.
3257 * Server's RSA certificate in certs.c was SHA-1 signed. In the default
3259 This certificate is used in the demo server programs, which lead the
3266 * Remove dead code from bignum.c in the default configuration.
3270 * Change wording in the `mbedtls_ssl_conf_max_frag_len()`'s documentation to
3281 named bitstring in DER as required by RFC 5280 Appendix B.
3289 * Allow to opt in to the removal the API mbedtls_ssl_get_peer_cert()
3302 an error or a meaningless output from mbedtls_ecdh_get_params. In the
3309 Raised as a comment in #1996.
3313 in the header files, which missed the precompilation check. #971
3315 * Remove a duplicate #include in a sample program. Fixed by Masashi Honma #2326.
3319 in X.509 module. Fixes #2212.
3322 * Fix false failure in all.sh when backup files exist in include/mbedtls
3326 * Fix issue when writing the named bitstrings in KeyUsage and NsCertType
3327 extensions in CSRs and CRTs that caused these bitstrings to not be encoded
3328 correctly as trailing zeroes were not accounted for as unused bits in the
3334 * Include configuration file in all header files that use configuration,
3338 in RFC 7468. Found by Michael Ernst. Fixes #767.
3343 * Fix clobber list in MIPS assembly for large integer multiplication.
3345 produced by some optimizing compilers, showing up as failures in
3346 e.g. RSA or ECC signature operations. Reported in #1722, fix suggested
3350 * Fix configuration queries in ssl-opt.h. #2030
3351 * Ensure that ssl-opt.h can be run in OS X. #2029
3352 * Re-enable certain interoperability tests in ssl-opt.sh which had previously
3361 of parameters in the API. This allows detection of obvious misuses of the
3363 changed, but requirements on parameters have been made more explicit in
3366 disabled by default. See its API documentation in config.h for additional
3370 * The following functions in the random generator modules have been
3387 changed so that the same level of validation is present in all modules, and
3394 in favor of functions that can return an error code.
3400 * Fix runtime error in `mbedtls_platform_entropy_poll()` when run
3402 in #1212. Fixes #1212.
3404 This could lead to a buffer overflow, but only in case ticket authentication
3405 was broken. Reported and fix suggested by Guido Vranken in #659.
3435 * Fix timing variations and memory access variations in RSA PKCS#1 v1.5
3437 attack. In TLS, this affects servers that accept ciphersuites based on
3442 (University of Adelaide, Data61). The attack is described in more detail
3443 in the paper available here: http://cat.eyalro.net/cat.pdf CVE-2018-19608
3444 * In mbedtls_mpi_write_binary(), don't leak the exact size of the number
3451 * Wipe sensitive buffers on the stack in the CTR_DRBG and HMAC_DRBG
3466 name and the CA's subject name differed in their string encoding (e.g.,
3467 one using PrintableString and the other UTF8String) or in the choice of
3468 upper and lower case. Reported by Henrik Andersson of Bosch GmbH in issue
3470 * Fix a flawed bounds check in server PSK hint parsing. In case the
3479 security of TLS, but can matter in other contexts with numbers chosen
3489 some configurable amount of operations. This is intended to be used in
3494 xxx_restartable functions in ECP, ECDSA, PK and X.509 (CRL not supported
3495 yet), and to existing functions in ECDH and SSL (currently only
3496 implemented client-side, for ECDHE-ECDSA ciphersuites in TLS 1.2,
3500 MPI multiplications used in ECC and RSA cryptography. Contributed by
3507 * Add support for 128-bit keys in CTR_DRBG. Note that using keys shorter
3524 * Deprecate the function mbedtls_mpi_is_prime() in favor of
3529 * Fix wrong order of freeing in programs/ssl/ssl_server2 example
3530 application leading to a memory leak in case both
3533 * Fix a bug in the update function for SSL ticket keys which previously
3535 * Fix failure in hmac_drbg in the benchmark sample application, when
3537 * Fix a bug in the record decryption routine ssl_decrypt_buf()
3539 padded records in case of CBC ciphersuites using Encrypt-then-MAC.
3540 * Fix memory leak and freeing without initialization in the example
3542 * Ignore IV in mbedtls_cipher_set_iv() when the cipher mode is
3547 of sensitive data in the example programs aescrypt2 and crypt_and_hash.
3550 wildcards and non-ASCII characters being unusable in some DN attributes.
3551 Reported by raprepo in #1860 and by kevinpt in #468. Fix contributed by
3560 * Add tests for session resumption in DTLS.
3561 * Close a test gap in (D)TLS between the client side and the server side:
3563 in the same way as on the server side.
3570 X.509 DNs. Previously, DN attributes were always written in their default
3572 created which used PrintableStrings in the issuer field even though the
3573 signing CA used UTF8Strings in its subject field; while X.509 compliant,
3574 such CRTs were rejected in some applications, e.g. some versions of
3575 Firefox, curl and GnuTLS. Reported in #1033 by Moschn. Fix contributed by
3580 use it to reduce error probability in RSA key generation to levels mandated
3600 * Fix an issue in the X.509 module which could lead to a buffer overread
3601 during certificate extensions parsing. In case of receiving malformed
3615 * Add support for buffering out-of-order handshake messages in DTLS.
3618 in mbedtls/config.h.
3625 * Fix a potential memory leak in mbedtls_ssl_setup() function. An allocation
3626 failure in the function could lead to other buffers being leaked.
3629 * Fix a memory leak in ecp_mul_comb() if ecp_precompute_comb() fails.
3633 interoperability issues with BouncyCastle. Raised by milenamil in #1157.
3634 * Replace printf with mbedtls_printf in the ARIA module. Found by
3635 TrinityTonic in #1908.
3636 * Fix potential use-after-free in mbedtls_ssl_get_max_frag_len()
3641 check in parsing the CertificateRequest message,
3642 introduced in Mbed TLS 2.12.0. Fixes #1954.
3643 * Fix a miscalculation of the maximum record expansion in
3644 mbedtls_ssl_get_record_expansion() in case of ChachaPoly ciphersuites,
3645 or CBC ciphersuites in (D)TLS versions 1.1 or higher. Fixes #1913, #1914.
3646 * Fix undefined shifts with negative values in certificates parsing
3648 * Fix memory leak and free without initialization in pk_encrypt
3667 * Fix a vulnerability in TLS ciphersuites based on CBC and using SHA-384,
3668 in (D)TLS 1.0 to 1.2, that allowed an active network attacker to
3671 this recovery by sending many messages in the same connection. With TLS
3677 caused by a miscalculation (for SHA-384) in a countermeasure to the
3680 * Fix a vulnerability in TLS ciphersuites based on CBC, in (D)TLS 1.0 to
3690 * Add a counter-measure against a vulnerability in TLS ciphersuites based
3691 on CBC, in (D)TLS 1.0 to 1.2, that allowed a local attacker, able to
3718 Found and fixed by Hirotaka Niisato in #1783.
3723 * Fix a memory leak in mbedtls_x509_csr_parse(), found by catenacyber,
3725 * Remove unused headers included in x509.c. Found by Chris Hanson and fixed
3728 MBEDTLS_CIPHER_NULL_CIPHER is enabled. Found by TrinityTonic in #1719.
3733 * Fix namespacing in header files. Remove the `mbedtls` namespacing in
3734 the `#include` in the header files. Resolves #857
3735 * Fix compiler warning of 'use before initialisation' in
3745 when the request_size argument is set to 0 as stated in the documentation.
3757 * Change the shebang line in Perl scripts to look up perl in the PATH.
3770 * Add support for the CCM* block cipher mode as defined in IEEE Std. 802.15.4.
3772 Contributed by Aorimn in pull request #414.
3773 * In TLS servers, support offloading private key operations to an external
3783 Reported by rahmanih in #683
3784 * Fix braces in mbedtls_memory_buffer_alloc_status(). Found by sbranden, #552.
3788 * Changed the Clang parameters used in the CMake build files to work for
3796 (RFC 6209). Disabled by default, see MBEDTLS_ARIA_C in config.h
3810 * Fix an issue with MicroBlaze support in bn_mul.h which was causing the
3814 * Support TLS testing in out-of-source builds using cmake. Fixes #1193.
3821 * Fix an issue in the X.509 module which could lead to a buffer overread
3828 * Fix the buffer length assertion in the ssl_parse_certificate_request()
3832 algorithms section is too short. In builds with debug output, the overread
3834 * Fix a client-side bug in the validation of the server's ciphersuite choice
3843 Suggested and contributed by jkivilin in pull request #394.
3847 Nicholas Wilson in pull request #348.
3854 a check for whether more data is pending to be processed in the
3857 underlying transport in case event-driven IO is used.
3860 * Fix a spurious uninitialized variable warning in cmac.c. Fix independently
3862 * Add missing dependencies in test suites that led to build failures
3863 in configurations that omit certain hashes or public-key algorithms.
3865 * Fix C89 incompatibility in benchmark.c. Contributed by Brendan Shanks.
3868 MBEDTLS_VERSION_FEATURES in some test suites. Contributed by
3874 ECPrivateKey structure. Found by Jethro Beekman, fixed in #1379.
3876 stated in the mbedtls_cipher_update() documentation. Contributed by
3879 a file in pk_sign program. Found by kevlut in #1142.
3881 where data needs to be fetched from the underlying transport in order
3885 in the internal buffers; these cases led to deadlocks when event-driven
3886 I/O was used. Found and reported by Hubert Mis in #772.
3887 * Fix buffer length assertions in the ssl_parse_certificate_request()
3893 maintained 2.7 branch. The soversion was increased in Mbed TLS
3894 version 2.7.1 to reflect breaking changes in that release, but the
3895 increment was missed in 2.8.0 and later releases outside of the 2.7 branch.
3898 * Remove some redundant code in bignum.c. Contributed by Alexey Skalozub.
3901 * Improve testing in configurations that omit certain hashes or
3904 * Do not define global mutexes around readdir() and gmtime() in
3910 Found and fix submitted by junyeonLEE in #1220.
3914 * Add the order of the base point as N in the mbedtls_ecp_group structure
3920 Paul Sokolovsky in #1356.
3921 * Add an option in the Makefile to support ar utilities where the operation
3926 * Optimize unnecessary zeroing in mbedtls_mpi_copy. Based on a contribution
3927 by Alexey Skalozub in #405.
3928 * In the SSL module, when f_send, f_recv or f_recv_timeout report
3930 Sam O'Connor in #1245.
3933 by Jiayuan Chen in #1377. Fixes #1437.
3936 * Declare functions in header files even when an alternative implementation
3941 * Add platform setup and teardown calls in test suites.
3951 the (deprecated) option MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT in
3962 * Fix a buffer overread in ssl_parse_server_key_exchange() that could cause
3964 * Fix a buffer overread in ssl_parse_server_psk_hint() that could cause a
3975 * Add support for public keys encoded in PKCS#1 format. #1122
3982 * Fix the name of a DHE parameter that was accidentally changed in 2.7.0.
3987 In the context of SSL, this resulted in handshake failure. Reported by
3988 daniel in the Mbed TLS forum. #1351
3997 * In test_suite_pk, pass valid parameters when testing for hash length
3999 * Fix memory allocation corner cases in memory_buffer_alloc.c module. Found
4001 * Log correct number of ciphersuites used in Client Hello message. #918
4004 * Fix a possible arithmetic overflow in ssl_parse_server_key_exchange()
4006 * Fix a possible arithmetic overflow in ssl_parse_server_psk_hint() that
4014 * Fix tag lengths and value ranges in the documentation of CCM encryption.
4016 * Fix typo in a comment ctr_drbg.c. Contributed by Paul Sokolovsky.
4018 * MD functions deprecated in 2.7.0 are no longer inline, to provide
4027 * Fix a heap corruption issue in the implementation of the truncated HMAC
4031 code execution. The issue could be triggered remotely from either side in
4033 * Fix a buffer overflow in RSA-PSS verification when the hash was too large
4037 * Fix buffer overflow in RSA-PSS verification when the unmasked data is all
4039 * Fix an unsafe bounds check in ssl_parse_client_psk_identity() when adding
4041 * Fix a potential heap buffer overflow in mbedtls_ssl_write(). When the (by
4042 default enabled) maximum fragment length extension is disabled in the
4048 and sjorsdewit on GitHub. Fix proposed by Florin Petriuc in #1022.
4053 Changes were introduced in multiple places in the library.
4064 * Fix a potential heap buffer over-read in ALPN extension parsing
4065 (server-side). Could result in application crash, but only if an ALPN
4068 to RFC 3526 containing parameters generated in a nothing-up-my-sleeve
4072 * Allow comments in test data files.
4083 MBEDTLS_ECDSDA_GENKEY_AT in config.h.
4089 MBEDTLS_ECDH_GEN_PUBLIC_ALT in config.h.
4106 implementations of the RSA interface declared in rsa.h.
4107 * The following functions in the message digest modules (MD2, MD4, MD5,
4124 any of MD2, MD4, MD5, SHA1, SHA256, SHA512) in favor of functions
4133 accepting DHM parameters in binary form, matching the new constants.
4137 as recommended in RFC 6347 Section 4.1.2.7.
4138 * Fix memory leak in mbedtls_ssl_set_hostname() when called multiple times.
4140 * Fix usage help in ssl_server2 example. Found and fixed by Bei Lin.
4144 * Fix leap year calculation in x509_date_is_valid() to ensure that invalid
4150 Found independently by Florian in the mbed TLS forum and by Mishamax.
4154 * Fix unchecked return codes from AES, DES and 3DES functions in
4160 * Include configuration file in md.h, to fix compilation warnings.
4161 Reported by aaronmdjones in #1001
4162 * Correct extraction of signature-type from PK instance in X.509 CRT and CSR
4164 RSA implementations. Raised by J.B. in the Mbed TLS forum. Fixes #1011.
4167 * Fix bugs in RSA test suite under MBEDTLS_NO_PLATFORM_ENTROPY. #1023 #1024
4170 * Fix handling of handshake messages in mbedtls_ssl_read() in case
4172 * Add a check for invalid private parameters in mbedtls_ecdsa_sign().
4174 * Fix word size check in pk.c to not depend on MBEDTLS_HAVE_INT64.
4175 * Fix incorrect unit in benchmark output. #850
4181 * Fix use of uninitialized memory in mbedtls_timing_get_timer() when reset=1.
4182 * Fix possible memory leaks in mbedtls_gcm_self_test().
4183 * Added missing return code checks in mbedtls_aes_self_test().
4184 * Fix issues in RSA key generation program programs/x509/rsa_genkey and the
4188 * Fix error message in programs/pkey/gen_key.c. Found and fixed by Chris Xue.
4191 * Fix an issue in the cipher decryption with the mode
4196 mbedtls_sha512_starts() in the mbedtls_entropy_init() function.
4201 * In mbedtls_entropy_free(), properly free the message digest context.
4202 * Fix handshake status message in programs/ssl/dtls_client.c. Found
4209 * Only check for necessary RSA structure fields in `mbedtls_rsa_private`. In
4217 new ones with return codes. In particular, this modifies the
4219 everywhere except some locations in the ssl_tls.c module.
4230 * Fix authentication bypass in SSL/TLS: when authmode is set to optional,
4236 * Reliably wipe sensitive data after use in the AES example applications
4245 by the user in a platform_alt.h file. These new functions are required in
4250 * Reverted API/ABI breaking changes introduced in mbed TLS 2.5.1, to make the
4255 * Certificate verification functions now set flags to -1 in case the full
4256 chain was not verified due to an internal error (including in the verify
4260 a fatal error in the verify callback.
4263 * Add a check if iv_len is zero in GCM, and return an error if it is zero.
4268 * Fix a resource leak on Windows platforms in mbedtls_x509_crt_parse_path(),
4269 in the case of an error. Found by redplait. #590
4272 * Fix conditional preprocessor directives in bignum.h to enable 64-bit
4274 * Fix a potential integer overflow in the version verification for DER
4278 * Fix potential integer overflow in the version verification for DER
4282 * Fix a potential integer overflow in the version verification for DER
4295 accelerator code in the library leaves concurrency handling to the
4297 * Define the macro MBEDTLS_AES_ROM_TABLES in the configuration file
4306 * Fixed unlimited overread of heap-based buffer in mbedtls_ssl_read().
4308 Could result in DoS (application crash) or information leak
4314 * Fixed offset in FALLBACK_SCSV parsing that caused TLS server to fail to
4321 valid C and they prevented the test from compiling in Visual Studio 2015
4324 resulting in compatibility problems with Chrome. Found by hfloyrd. #823
4325 * Fix behaviour that hid the original cause of fatal alerts in some cases
4332 * Accept empty trusted CA chain in authentication mode
4335 fatal errors in authentication mode MBEDTLS_SSL_VERIFY_OPTIONAL and to
4339 * Fix incorrect sign computation in modular exponentiation when the base is
4342 * Fix a numerical underflow leading to stack overflow in mpi_read_file()
4346 * Send fatal alerts in more cases. The previous behaviour was to skip
4355 * Wipe stack buffers in RSA private key operations
4359 against side-channel attacks like the cache attack described in
4370 suppressing the CA list in Certificate Request messages. The default
4374 * The following functions in the AES module have been deprecated and replaced
4384 * Fixed issue in the Threading module that prevented mutexes from
4386 * Add checks in the PK module for the RSA functions on 64-bit systems.
4395 using RSA through the PK module in 64-bit systems. The issue was caused by
4396 some data loss when casting a size_t to an unsigned int value in the
4399 * Fixed potential livelock during the parsing of a CRL in PEM format in
4401 characters after the footer could result in the execution of an infinite
4421 mbedtls_ssl_set_bio_timeout in compat-1.3.h, by removing it.
4423 * Fix unused variable/function compilation warnings in pem.c, x509_crt.c and
4426 * Fix incorrect renegotiation condition in ssl_check_ctr_renegotiate() that
4428 in RFC 6347 Section 4.3.1. This could cause the execution of the
4431 * Fixed multiple buffer overreads in mbedtls_pem_read_buffer() when parsing
4432 the input string in PEM format to extract the different components. Found
4434 * Fixed potential arithmetic overflow in mbedtls_ctr_drbg_reseed() that could
4436 * Fixed potential arithmetic overflows in mbedtls_cipher_update() that could
4438 * Fixed potential arithmetic overflow in mbedtls_md2_update() that could
4440 * Fixed potential arithmetic overflow in mbedtls_base64_decode() that could
4442 * Fixed heap overreads in mbedtls_x509_get_time(). Found by Peng
4444 * Fix potential memory leak in mbedtls_x509_crl_parse(). The leak was caused
4445 by missing calls to mbedtls_pem_free() in cases when a
4450 generated in Visual Studio 2015. Reported by Steve Valliere. #742
4451 * Fix a resource leak in ssl_cookie, when using MBEDTLS_THREADING_C.
4452 Raised and fix suggested by Alan Gillingham in the mbed TLS forum. #771
4453 * Fix 1 byte buffer overflow in mbedtls_mpi_write_string() when the MPI
4454 number to write in hexadecimal is negative and requires an odd number of
4456 * Fix unlisted DES configuration dependency in some pkparse test cases. Found
4470 with RFC-5116 and could lead to session key recovery in very long TLS
4471 sessions. "Nonce-Disrespecting Adversaries Practical Forgery Attacks on GCM in
4474 * Fixed potential stack corruption in mbedtls_x509write_crt_der() and
4476 without checking whether there is enough space in the destination. The
4484 * Added a script to print build environment info for diagnostic use in test
4491 * Added the macro MBEDTLS_ENTROPY_MIN_HARDWARE in config.h. This allows users
4499 * Fix dependency issue in Makefile to allow parallel builds.
4500 * Fix incorrect handling of block lengths in crypt_and_hash.c sample program,
4508 * Fix conditional statement that would cause a 1 byte overread in
4515 * Fix mbedtls_x509_get_sig() to update the ASN1 type in the mbedtls_x509_buf
4521 * Fix potential byte overread when verifying malformed SERVER_HELLO in
4523 * Fix check for validity of date when parsing in mbedtls_x509_get_time().
4541 naming collision in projects which also have files with the common name
4550 * Fix missing padding length check in mbedtls_rsa_rsaes_pkcs1_v15_decrypt
4552 * Fix potential integer overflow to buffer overflow in
4554 (not triggerable remotely in (D)TLS).
4555 * Fix a potential integer underflow to buffer overread in
4556 mbedtls_rsa_rsaes_oaep_decrypt. It is not triggerable remotely in
4564 * Fix bug in mbedtls_mpi_add_mpi() that caused wrong results when the three
4565 arguments were the same (in-place doubling). Found and fixed by Janos
4568 in the previous patch release. Found by Robert Scheck. #390 #391
4569 * Fix issue in Makefile that prevented building using armar. #386
4571 ECDSA was disabled in config.h . The leak didn't occur by default.
4574 in the trusted certificate list.
4575 * Fix bug in mbedtls_x509_crt_parse that caused trailing extra data in the
4576 buffer after DER certificates to be included in the raw representation.
4578 * Fix bug in mbedtls_rsa_rsaes_pkcs1_v15_encrypt that made null pointer
4582 * Fix issue in ssl_fork_server which was preventing it from functioning. #429
4583 * Fix memory leaks in test framework
4584 * Fix test in ssl-opt.sh that does not run properly with valgrind
4591 * Disabled SSLv3 in the default configuration.
4602 remotely in SSL/TLS. Found by Rafał Przywara. #367
4603 * Disable MD5 handshake signatures in TLS 1.2 by default to prevent the
4609 * Fix over-restrictive length limit in GCM. Found by Andreas-N. #362
4610 * Fix bug in certificate validation that caused valid chains to be rejected
4612 Nicholas Wilson. Introduced in mbed TLS 2.2.0. #280
4613 * Removed potential leak in mbedtls_rsa_rsassa_pkcs1_v15_sign(), found by
4617 datagram if a single record in a datagram is unexpected, instead only
4618 drop the record and look at subsequent records (if any are present) in
4630 * Fix potential buffer overflow in some asn1_write_xxx() functions.
4639 * Experimental support for EC J-PAKE as defined in Thread 1.0.0.
4646 resulting in some valid X.509 being incorrectly rejected. Found and fix
4658 * Fix failures in MPI on Sparc(64) due to use of bad assembly code.
4660 * Fix typo in name of the extKeyUsage OID. Found by inestlerode, #314
4661 * Fix bug in ASN.1 encoding of booleans that caused generated CA
4676 once in the same handshake and mbedtls_ssl_conf_psk() was used.
4679 * Fix stack buffer overflow in pkcs12 decryption (used by
4682 * Fix potential buffer overflow in mbedtls_mpi_read_string().
4683 Found by Guido Vranken, Intelworks. Not exploitable remotely in the context
4684 of TLS, but might be in other uses. On 32 bit machines, requires reading a
4687 * Fix potential random memory allocation in mbedtls_pem_read_buffer()
4689 Intelworks. Not triggerable remotely in TLS. Triggerable remotely if you
4691 * Fix possible heap buffer overflow in base64_encoded() when the input
4693 Intelworks. Not triggerable remotely in TLS.
4697 * Fix potential heap buffer overflow in servers that perform client
4703 * Fix compile error in net.c with musl libc. Found and patch provided by
4708 * Added checking of hostname length in mbedtls_ssl_set_hostname() to ensure
4710 * Fixed paths for check_config.h in example config files. (Found by bachp)
4726 * Fix off-by-one error in parsing Supported Point Format extension that
4730 * Made X509 profile pointer const in mbedtls_ssl_conf_cert_profile() to allow
4734 (MBEDTLS_SSL_DTLS_HELLO_VERIFY defined in config.h, and usable cookie
4747 * Fix segfault in the benchmark program when benchmarking DHM.
4752 * Fix bug in CMake lists that caused libmbedcrypto.a not to be installed
4754 * Fix bug in Makefile that caused libmbedcrypto and libmbedx509 not to be
4757 * Fix bug in Makefile that caused programs not to be installed correctly
4759 * Fix bug in Makefile that prevented from installing without building the
4765 * Fix bug in mbedtls_ssl_conf_default() that caused the default preset to
4767 * Fix bug in mbedtls_rsa_public() and mbedtls_rsa_private() that could
4776 * Fix memory corruption in pkey programs (found by yankuncheng) (#210)
4802 * Expanded configurability of security parameters in the SSL module with
4813 provided. Full list of renamings in scripts/data_files/rename-1.3-2.0.txt
4818 * Headers are now found in the 'mbedtls' directory (previously 'polarssl').
4836 * The following functions have been introduced and must be used in callback
4845 * On server, mbedtls_ssl_conf_session_tickets_cb() must now be used in
4856 * The following functions changed prototype to avoid an in-out length
4862 * In the NET module, all "int" and "int *" arguments for file descriptors
4865 * In the threading layer, mbedtls_mutex_init() and mbedtls_mutex_free() now
4874 * Test certificates in certs.c are no longer guaranteed to be nul-terminated
4884 (support for renegotiation now needs explicit enabling in config.h).
4886 in config.h
4914 * md_init_ctx() is deprecated in favour of md_setup(), that adds a third
4918 * Renamed a few headers to include _internal in the name. Those headers are
4923 * Removed sig_oid2 and rename sig_oid1 to sig_oid in x509_crt and x509_crl.
4930 * RC4 is now blacklisted by default in the SSL/TLS layer, and excluded from the
4935 * Support for RSA_ALT contexts in the PK layer is now optional. Since it is
4936 enabled in the default configuration, this is only noticeable if using a
4989 * Add support for bit strings in X.509 names (request by Fredrik Axelsson).
4990 * Add support for id-at-uniqueIdentifier in X.509 names.
4991 * Add support for overriding snprintf() (except on Windows) and exit() in
4993 * Add an option to use macros instead of function pointers in the platform
5011 * Fix bug in entropy.c when THREADING_C is also enabled that caused
5015 * Fix bug in ssl_mail_client when password is longer than username (found
5017 * Fix undefined behaviour (memcmp( NULL, NULL, 0 );) in X.509 modules
5025 ssl_write() is called before the handshake is finished (introduced in
5027 * Fix bug in pk_parse_key() that caused some valid private EC keys to be
5029 * Fix bug in Via Padlock support (found by Nikos Mavrogiannopoulos).
5030 * Fix thread safety bug in RSA operations (found by Fredrik Axelsson).
5031 * Fix hardclock() (only used in the benchmarking program) with some
5033 * Fix warnings from mingw64 in timing.c (found by kxjklele).
5034 * Fix potential unintended sign extension in asn1_get_len() on 64-bit
5036 * Fix potential memory leak in ssl_set_psk() (found by Mansour Moufid).
5038 POLARSSL_SSL_SSESSION_TICKETS were both enabled in config.h (introduced
5039 in 1.3.10).
5040 * Add missing extern "C" guard in aesni.h (reported by amir zamani).
5041 * Add missing dependency on SHA-256 in some x509 programs (reported by
5047 * Remove bias in mpi_gen_prime (contributed by Pascal Junod).
5057 performance impact was bad for some users (this was introduced in 1.3.10).
5058 * Move from SHA-1 to SHA-256 in example programs using signatures
5062 * Change #include lines in test files to use double quotes instead of angle
5064 * Remove dependency on sscanf() in X.509 parsing modules.
5068 * NULL pointer dereference in the buffer-based allocator when the buffer is
5082 Bleichenbacher-style attack in the RSA and RSA-PSK key exchanges
5110 * User set CFLAGS were ignored by Cmake with gcc (introduced in 1.3.9, found
5112 * Fix potential undefined behaviour in Camellia.
5113 * Fix potential failure in ECDSA signatures when POLARSSL_ECP_MAX_BITS is a
5115 * Fix unchecked return code in x509_crt_parse_path() on Windows (found by
5128 * Use deterministic nonces for AEAD ciphers in TLS by default (possible to
5129 switch back to random with POLARSSL_SSL_AEAD_RANDOM_IV in config.h).
5132 * Forbid repeated extensions in X.509 certificates.
5133 * debug_print_buf() now prints a text view in addition to hexadecimal.
5134 * A specific error is now returned when there are ciphersuites in common
5141 * Use platform.h in all test suites and programs.
5145 * Lowest common hash was selected from signature_algorithms extension in
5146 TLS 1.2 (found by Darren Bane) (introduced in 1.3.8).
5155 * Support escaping of commas in x509_string_to_names()
5156 * Fix compile error in ssl_pthread_server (found by Julian Ospald).
5158 * Don't print uninitialised buffer in ssl_mail_client (found by Marc Abel).
5160 * Fix compile error in timing.c when POLARSSL_NET_C and POLARSSL_SELFTEST
5167 * ssl_close_notify() could send more than one message in some circumstances
5171 * Fix compile error with armcc in mpi_is_prime()
5172 * Fix potential bad read in parsing ServerHello (found by Adrien
5180 * Made buffer size in pk_write_(pub)key_pem() more dynamic, eg smaller if
5184 * POLARSSL_MPI_MAX_SIZE now defaults to 1024 in order to allow 8192 bits
5186 * Accept spaces at end of line or end of buffer in base64_decode().
5199 * Support for parsing and verifying RSASSA-PSS signatures in the X.509
5201 * Blowfish in the cipher layer now supports variable length keys.
5203 * Optimize for RAM usage in example config.h for NSA Suite B profile.
5212 * Add LINK_WITH_PTHREAD option in CMake for explicit linking that is
5217 * Selection of hash for signing ServerKeyExchange in TLS 1.2 now picks
5223 * Fix in debug_print_msg()
5224 * Enforce alignment in the buffer allocator even if buffer is not aligned
5233 * Very small records were incorrectly rejected when truncated HMAC was in
5234 use with some ciphersuites and versions (RC4 in all versions, CBC with
5241 been removed in 1.3.6.)
5243 CA for use as an end entity certificate. (This had been removed in
5248 * Fix off-by-one error in parsing Supported Point Format extension that
5254 * Fix base64_decode() to return and check length correctly (in case of
5268 checked and filled in the relevant module headers
5275 * Only iterate over actual certificates in ssl_write_certificate_request()
5277 * Typos in platform.c and pkcs11.c (found by Daniel Phillips and Steffan
5280 * Fix false reject in padding check in ssl_decrypt_buf() for CBC
5282 * Improve interoperability by not writing extension length in ClientHello /
5288 * Fix dependencies issues in X.509 test suite.
5290 * Fix detection of DragonflyBSD in net.c (found by Markus Pfeiffer)
5309 * Reject certificates with times not in UTC, per RFC 5280.
5312 * Avoid potential timing leak in ecdsa_sign() by blinding modular division.
5315 This affects certificates in the user-supplied chain except the top
5318 * Prevent potential NULL pointer dereference in ssl_read_record() (found by
5324 * Potential memory leak in mpi_exp_mod() when error occurs during
5326 * Fixed malloc/free default #define in platform.c (found by Gergely Budai).
5329 * Fix #include path in ecdsa.h which wasn't accepted by some compilers.
5338 * Potential buffer overwrite in pem_write_buffer() because of low length
5340 * EC curves constants, which should be only in ROM since 1.3.3, were also
5341 stored in RAM due to missing 'const's (found by Gergely Budai).
5353 * Support for reading EC keys that use SpecifiedECDomain in some cases.
5381 * Fixed bug in RSA PKCS#1 v1.5 "reversed" operations
5383 * Fixed version-major intolerance in server
5385 * Fixed dependency issues in test suite
5391 * Fixed bug with session tickets and non-blocking I/O in the unlikely case
5397 * ssl_init() was leaving a dirty pointer in ssl_context if malloc of
5399 * ssl_handshake_init() was leaving dirty pointers in subcontexts if malloc
5401 * Fix typo in rsa_copy() that impacted PKCS#1 v2 contexts
5412 * Potential memory leak in bignum_selftest()
5417 * Assembly format fixes in bn_mul.h
5425 * EC key generation support in gen_key app
5430 * Support for IPv6 in the NET module
5439 * More constant-time checks in the RSA module
5441 * Curves are now stored fully in ROM
5442 * Memory usage optimizations in ECP module
5446 * Fixed bug in mpi_set_bit() on platforms where t_uint is wider than int
5451 * Potential memory leak in ssl_ticket_keys_init()
5452 * Memory leak in benchmark application
5454 * Added missing MPI_CHK() around some statements in mpi_div_mpi() (found by
5456 * Fixed potential overflow in certificate size verification in
5470 * Padding checks in cipher layer are now constant-time
5471 * Value comparisons in SSL layer are now constant-time
5472 * Support for serialNumber, postalAddress and postalCode in X509 names
5476 * More stringent checks in cipher layer
5503 * Possible naming collision in dhm_context
5527 (ISO/IEC 7816-4) padding and zero padding in the cipher layer
5534 * Support for multiple active certificate / key pairs in SSL servers for
5561 * Fixed parse error in ssl_parse_certificate_request()
5563 * Support for AIX header locations in net.c module
5574 * Fix potential invalid memory read in the server, that allows a client to
5576 * Fix potential invalid memory read in certificate parsing, that allows a
5583 * Fix bug in Via Padlock support (found by Nikos Mavrogiannopoulos).
5584 * Fix hardclock() (only used in the benchmarking program) with some
5586 * Fix warnings from mingw64 in timing.c (found by kxjklele).
5587 * Fix potential unintended sign extension in asn1_get_len() on 64-bit
5592 this will be made in the 1.2 branch at this point.
5608 * Fix potential undefined behaviour in Camellia.
5609 * Fix memory leaks in PKCS#5 and PKCS#12.
5612 * Fix bug in MPI/bignum on s390/s390x (reported by Dan Horák) (introduced
5613 in 1.2.12).
5614 * Fix unchecked return code in x509_crt_parse_path() on Windows (found by
5628 * Forbid repeated extensions in X.509 certificates.
5639 * Fix potential bad read in parsing ServerHello (found by Adrien
5641 * ssl_close_notify() could send more than one message in some circumstances
5645 * Don't print uninitialised buffer in ssl_mail_client (found by Marc Abel).
5656 * Accept spaces at end of line or end of buffer in base64_decode().
5669 * Reject certificates with times not in UTC, per RFC 5280.
5679 * Prevent potential NULL pointer dereference in ssl_read_record() (found by
5690 * Added missing MPI_CHK() around some statements in mpi_div_mpi() (found by
5692 * Fixed potential overflow in certificate size verification in
5694 * Fix ASM format in bn_mul.h
5695 * Potential memory leak in bignum_selftest()
5698 * Fix bug in RSA PKCS#1 v1.5 "reversed" operations
5700 * Fixed version-major intolerance in server
5704 * ssl_init() was leaving a dirty pointer in ssl_context if malloc of
5706 * ssl_handshake_init() was leaving dirty pointers in subcontexts if malloc
5710 * Potential memory leak in mpi_exp_mod() when error occurs during
5712 * Improve interoperability by not writing extension length in ClientHello
5718 * Fix detection of DragonflyBSD in net.c (found by Markus Pfeiffer)
5725 * Fix base64_decode() to return and check length correctly (in case of
5733 * Fixed memory leak in RSA as a result of introduction of blinding
5748 * Fixed potential negative value misinterpretation in load_file()
5756 * Centralized module option values in config.h to allow user-defined
5765 symmetric cipher and hash algorithms (e.g. POLARSSL_AES_ALT in
5771 * Secure renegotiation extension should only be sent in case client
5773 * Fixed offset for cert_type list in ssl_parse_certificate_request()
5781 * Fixed values for 2-key Triple DES in cipher layer
5802 * Fixed memory leak in ssl_free() and ssl_reset() for active session
5821 * Removed further timing differences during SSL message decryption in
5837 * Removed timing differences during SSL message decryption in
5848 * Handle future version properly in ssl_write_certificate_request()
5849 * Correctly handle CertificateRequest message in client for <= TLS 1.1
5864 * Fixed dependency on POLARSSL_SHA4_C in SSL modules
5874 * Allow R and A to point to same mpi in mpi_div_mpi (found by Manuel
5876 * Fixed possible segfault in mpi_shift_r() (found by Manuel
5896 * Added support for Hardware Acceleration hooking in SSL/TLS
5923 in SSL/TLS
5929 * Fixed handling error in mpi_cmp_mpi() on longer B values (found by
5931 * Fixed potential heap corruption in x509_name allocation
5956 * Potential negative value misinterpretation in load_file()
5968 * Fixed values for 2-key Triple DES in cipher layer
5985 * Removed timing differences during SSL message decryption in
6001 * Fixed possible segfault in mpi_shift_r() (found by Manuel
6003 * Allow R and A to point to same mpi in mpi_div_mpi (found by Manuel
6018 * Fixed potential heap corruption in x509_name allocation
6027 * Fixed handling error in mpi_cmp_mpi() on longer B values (found by
6038 * Check for failed malloc() in ssl_set_hostname() and x509_get_entries()
6042 * Fixed bug in CTR_CRBG selftest
6060 * Documentation for AES and Camellia in modes CTR and CFB128 clarified.
6068 * Changed the defined key-length of DES ciphers in cipher.h to include the
6069 parity bits, to prevent mistakes in copying data. (Closes ticket #33)
6078 a consequence in library code and programs
6093 * Fixed incorrect behaviour in case of RSASSA-PSS with a salt length
6097 * Improved build support for s390x and sparc64 in bignum.h
6098 * Fixed MS Visual C++ name clash with int64 in sha4.h
6099 * Corrected removal of leading "00:" in printing serial numbers in
6112 * Undid faulty bug fix in ssl_write() when flushing old data (Ticket
6132 t_int and t_dbl to t_uint and t_udbl in the process
6161 does not zeroize memory in advance anymore. Use rsa_init()
6168 * Fixed bug in ssl_write() when flushing old data (Fixed ticket
6199 * Fixed a possible Man-in-the-Middle attack on the
6213 * Improvements to support integration in other
6225 * x509parse_time_expired() checks time in addition to
6243 * Removed dependency on rand() in rsa_pkcs1_encrypt().
6247 * Some SSL defines were renamed in order to avoid
6254 * Fixed deadlock in rsa_pkcs1_encrypt() on failing random
6259 * Fixed Makefile in library that was mistakenly merged
6266 * Added support for GeneralizedTime in X509 parsing
6274 in a function to allow easy future expansion
6282 * Fixed bug resulting in failure to send the last
6283 certificate in the chain in ssl_write_certificate() and
6287 * Fixed algorithmic bug in mpi_is_prime() (found by
6298 * Changed typo in #ifdef in x509parse.c (found
6313 * Fixed typo in name of POLARSSL_ERR_RSA_OUTPUT_TOO_LARGE.
6325 * Prevented use of long long in bignum if
6328 * Fixed incorrect handling of negative strings in
6330 * Fixed segfault on handling empty rsa_context in
6334 value in mpi_add_abs() (found by code coverage tests).
6336 value in mpi_sub_abs() (found by code coverage tests).
6338 value in mpi_mod_mpi() and mpi_mod_int(). Resulting
6347 SHA-512 in rsa_pkcs1_sign()
6350 * Fixed a bug in mpi_gcd() so that it also works when both
6358 * Fixed minor memory leak in x509parse_crt() and added better
6365 * Undefining POLARSSL_HAVE_ASM now also prevents asm in
6367 * Fixed an off-by-one buffer allocation in ssl_set_hostname()
6381 * Fixed dangerous bug that can cause a heap overflow in
6390 * Enabled support for large files by default in aescrypt2.c
6392 * Fixed a bug in ssl_write() that caused the same payload to
6393 be sent twice in non-blocking mode when send returns EAGAIN
6395 not be swapped in the SSLv2 ClientHello (found by Greg Robson)
6401 * Correctly handle the case in padlock_xcryptcbc() when input or
6404 * Fixed a memory leak in x509parse_crt() which was reported by Greg
6418 serial number, setup correct server port in the ssl client example
6428 * Updated rsa_gen_key() so that ctx->N is always nbits in size
6441 * Added lots of debugging output in the SSL/TLS functions
6450 * Fixed a bug in mpi_read_binary() on 64-bit platforms
6452 * Fixed a long standing memory leak in mpi_is_prime()
6453 * Replaced realloc with malloc in mpi_grow(), and set
6454 the sign of zero as positive in mpi_init() (reported
6460 * Fixed a bug in ssl_tls.c which sometimes prevented SSL
6462 * Fixed a couple bugs in the VS6 and UNIX Makefiles
6463 * Fixed the "PIC register ebx clobbered in asm" bug
6470 * Rewrote README.txt in program/ssl/ca to better explain
6475 * Ciphers used in SSL/TLS can now be disabled at compile
6484 * Fixed a bug introduced in xyssl-0.5/timing.c: hardclock
6504 * Fixed a bug in ssl_encrypt_buf (incorrect padding was
6505 generated) and in ssl_parse_client_hello (max. client
6507 * Fixed another bug in ssl_parse_client_hello: clients with
6509 * Fixed a couple of memory leaks in x509_read.c
6516 * Fixed a bug in the CBC code, thanks to dowst; also,
6527 * Fixed a bug in sha2_hmac, thanks to newsoft/Wenfang Zhang
6528 * Fixed a bug reported by Adrian Rüegsegger in x509_read_key
6529 * Fixed a bug reported by Torsten Lauter in ssl_read_record
6530 * Fixed a bug in rsa_check_privkey that would wrongly cause
6532 * Fixed a bug in mpi_is_prime that caused some primes to fail