Lines Matching +full:linux +full:- +full:next

3 = Mbed TLS 3.6.4 branch released 2025-06-30
8 session, according to the TLS-Exporter specification in RFC 8446 and 5705.
15 CVE-2025-49601
19 CVE-2025-49600
30 CVE-2025-52496
31 * Fix possible use-after-free or double-free in code calling
36 they were free()d, resulting in high risk of use-after-free or double-free,
39 were affected (use-after-free if the san string contains more than one DN).
42 CVE-2025-47917
54 CVE-2025-48965
59 CVE-2025-52497
65 CVE-2025-49087
70 "union foo x = {0}" does not initialize non-default members of the
72 multipart operations, MAC-based key derivation operations, interruptible
74 when using third-party drivers. This also affected one-shot MAC
75 operations using the built-in implementation. Fixes #9814.
77 ("xxx_setup"), the operation object is supposed to be all-bits-zero.
80 non-default members of the union. The PSA core now ensures that this
84 * Silence spurious -Wunterminated-string-initialization warnings introduced
87 keys with a different LMS or LM-OTS types on some platforms. Specifically,
113 = Mbed TLS 3.6.3 branch released 2025-03-24
119 if certificate-based authentication of the server is attempted.
123 enable the new compile-time option
128 uses static storage for keys, enabling malloc-less use of key slots.
143 if they use certificate authentication (i.e. not pre-shared keys).
149 CVE-2025-27809
157 CVE-2025-27810
170 * Fix compilation on MS-DOS DJGPP. Fixes #9813.
171 * Fix missing constraints on the AES-NI inline assembly which is used on
172 GCC-like compilers when building AES for generic x86_64 targets. This
175 * Support re-assembly of fragmented handshake messages in TLS (both
196 = Mbed TLS 3.6.2 branch released 2024-10-14
204 and MBEDTLS_MPI_MAX_SIZE is smaller than needed for a 4096-bit RSA key.
205 CVE-2024-49195
207 = Mbed TLS 3.6.1 branch released 2024-08-30
217 * In a PSA-client-only build (i.e. MBEDTLS_PSA_CRYPTO_CLIENT &&
234 They have almost exactly the same interface, but the variable-length
239 - DES (including 3DES).
240 - PKCS#1v1.5 encryption/decryption (RSAES-PKCS1-v1_5).
242 - Finite-field Diffie-Hellman with custom groups.
244 - Elliptic curves of size 225 bits or less.
247 - TLS_RSA_* (including TLS_RSA_PSK_*), i.e. cipher suites using
250 - TLS_ECDH_*, i.e. cipher suites using static ECDH.
252 - TLS_DHE_*, i.e. cipher suites using finite-field Diffie-Hellman.
254 - TLS_*CBC*, i.e. all cipher suites using CBC.
255 * The following low-level application interfaces are planned to be removed
257 - Hashes: hkdf.h, md5.h, ripemd160.h, sha1.h, sha3.h, sha256.h, sha512.h;
258 - Random generation: ctr_drbg.h, hmac_drbg.h, entropy.h;
259 - Ciphers and modes: aes.h, aria.h, camellia.h, chacha20.h, chachapoly.h,
261 - Private key encryption mechanisms: pkcs5.h, pkcs12.h.
262 - Asymmetric cryptography: bignum.h, dhm.h, ecdh.h, ecdsa.h, ecjpake.h,
268 the PSA transition guide (docs/psa-transition.md).
271 - MBEDTLS_xxx_ALT replacement of cryptographic modules and functions.
273 - MBEDTLS_PK_RSA_ALT and MBEDTLS_PSA_CRYPTO_SE_C.
286 CVE-2024-45157
292 CVE-2024-45158
294 client, if the client-provided certificate does not have appropriate values
303 CVE-2024-45159
308 * Fix compilation error when memcpy() is a function-like macro. Fixes #8994.
314 non-existent key while concurrently creating a new key could potentially
322 building for linux platform.
325 * Fix the build when MBEDTLS_PSA_CRYPTO_CONFIG is enabled and the built-in
326 CMAC is enabled, but no built-in unauthenticated cipher is enabled.
332 * Fix interference between PSA volatile keys and built-in keys
340 MBEDTLS_SSL_CLI_C is disabled. Reported by M-Bab on GitHub in #9186.
342 some code was defining 0-size arrays, resulting in compilation errors.
374 * Fixed a regression introduced in 3.6.0 where context-specific certificate
377 upgraded to TLS 1.3. Fixed by adding support for context-specific verify
390 = Mbed TLS 3.6.0 branch released 2024-03-28
429 * Support Armv8-A Crypto Extension acceleration for SHA-256
430 when compiling for Thumb (T32) or 32-bit Arm (A32).
431 * AES-NI is now supported in Windows builds with clang and clang-cl.
437 This affects both the low-level modules and the high-level APIs
440 * Support use of Armv8-A Cryptographic Extensions for hardware accelerated
441 AES when compiling for Thumb (T32) or 32-bit Arm (A32).
443 library without the corresponding built-in implementation. Generally
445 or they'll both be built in. However, for CCM and GCM the built-in
448 docs/driver-only-builds.md for full details and current limitations.
456 unauthenticated (non-AEAD) ciphers are disabled, or if they're all
457 fully provided by drivers. See docs/driver-only-builds.md for full
464 * Improve performance of AES-GCM, AES-CTR and CTR-DRBG when
465 hardware accelerated AES is not present (around 13-23% on 64-bit Arm).
479 * Add support for using AES-CBC 128, 192, and 256 bit schemes
483 * Add pc files for pkg-config, e.g.:
484 pkg-config --cflags --libs (mbedtls|mbedcrypto|mbedx509)
492 * Add support for 8-bit GCM tables for Shoup's algorithm to speedup GCM
494 performance by around 30% on 64-bit Intel; 125% on Armv7-M.
514 * Add new accessors to expose the private session-id,
515 session-id length, and ciphersuite-id members of
517 Add new accessor to expose the ciphersuite-id of
520 docs/tls13-early-data.md). The support enablement is controlled at build
527 docs/architecture/psa-thread-safety/psa-thread-safety.md for more details.
534 Fixes CVE-2024-30166.
544 Note that setting this option will cause input-output buffer overlap to
546 Fixes CVE-2024-28960.
552 Fixes CVE-2024-28755.
555 - If the TLS 1.2 implementation was disabled at build time, a TLS 1.2
556 client could put the TLS 1.3-only server in an infinite loop processing
559 - If the TLS 1.2 implementation was disabled at runtime, a TLS 1.2 client
562 Fixes CVE-2024-28836.
565 * Fix the build with CMake when Everest or P256-m is enabled through
576 * Fix build failure in conda-forge. Fixes #8422.
589 * On Linux on ARMv8, fix a build error with SHA-256 and SHA-512
593 TLS12_PSK_TO_MS, PBKDF2-HMAC, PBKDF2-CMAC
601 mbedtls_pk_encrypt() on non-opaque RSA keys to honor the padding mode in
640 * RSA support in PSA no longer auto-enables the pkparse and pkwrite modules,
651 = Mbed TLS 3.5.2 branch released 2024-01-26
662 could result in an integer overflow, causing a zero-length buffer to be
666 = Mbed TLS 3.5.1 branch released 2023-11-06
669 * Mbed TLS is now released under a dual Apache-2.0 OR GPL-2.0-or-later
676 = Mbed TLS 3.5.0 branch released 2023-10-05
679 * Mbed TLS 3.4 introduced support for omitting the built-in implementation
680 of ECDSA and/or EC J-PAKE when those are provided by a driver. However,
681 there was a flaw in the logic checking if the built-in implementation, in
684 accelerated and still have the built-in implementation compiled out.
687 considered not accelerated, and the built-in implementation of the curves
722 provided - these limitations are lifted in this version. A new set of
725 they're provided by a built-in implementation, a driver or both. See
726 docs/driver-only-builds.md.
731 TLS 1.2 (ECDHE-ECDSA key exchange) are not supported in those builds yet,
733 * When all of ECDH, ECDSA and EC J-PAKE are either disabled or provided by
736 algorithms in PSA, with some limitations. See docs/driver-only-builds.txt
740 * Add support for server-side TLS version negotiation. If both TLS 1.2 and
752 parameters from RFC 7919. This includes a built-in implementation based
764 string to a DER-encoded mbedtls_asn1_buf.
765 * Add SHA-3 family hash functions.
766 * Add support to restrict AES to 128-bit keys in order to save code size.
771 Aarch64, gcc -Os and CCM, GCM and XTS benefit the most.
772 On Aarch64, uplift is typically around 20 - 110%.
773 When compiling with gcc -Os on Aarch64, AES-XTS improves
775 * Add support for PBKDF2-HMAC through the PSA API.
781 - DERIVE is only available for ECC keys, not for RSA or DH ones.
782 - implementations are free to enable more than what it was strictly
787 and the ephemeral or psk-ephemeral key exchange mode are enabled.
800 * Support for "opaque" (PSA-held) ECC keys in the PK module has been
809 * Add support for PBKDF2-CMAC through the PSA API.
811 using CPU-accelerated AES (e.g., Arm Crypto Extensions), this option
812 disables the plain C implementation and the run-time detection for the
839 (notably recent versions of Clang and IAR) could produce non-constant
842 * Updates to constant-time C code so that compilers are less likely to use
845 implementations for 32- and 64-bit Arm and for x86 and x86-64, which are
853 null-cipher cipher suites. Credit to OSS-Fuzz.
855 In TLS 1.3, all configurations are affected except PSK-only ones, and
860 Credit to OSS-Fuzz.
865 than all built-in ones and RSA is disabled.
879 * Fix the J-PAKE driver interface for user and peer to accept any values
882 M-class CPUs (Cortex-M0, Cortex-M0+, Cortex-M1, Cortex-M23,
900 example TF-M configuration in configs/ from building cleanly:
915 * Fix a potential corruption of the passed-in IV when mbedtls_aes_crypt_cbc()
925 mbedtls_x509_san_other_name struct. The type-id of the otherName was not
932 enabled, where some low-level modules required by requested PSA crypto
941 * Fix the build with CMake when Everest or P256-m is enabled through
946 compiling with gcc, clang or armclang and -O0.
964 = Mbed TLS 3.4.1 branch released 2023-08-04
970 * Update test data to avoid failures of unit tests after 2023-08-07.
972 = Mbed TLS 3.4.0 branch released 2023-03-28
987 optionally providing file-specific error pairs. Please see psa_util.h for
994 - Only the signed-data content type, version 1 is supported.
995 - Only DER encoding is supported.
996 - Only a single digest algorithm per message is supported.
997 - Certificates must be in X.509 format. A message must have either 0
999 - There is no support for certificate revocation lists.
1000 - The authenticated and unauthenticated attribute fields of SignerInfo
1003 contributing this feature, and to Demi-Marie Obenour for contributing
1007 * Improvements to use of unaligned and byte-swapped memory, reducing code
1018 * Add parsing of V3 extensions (key usage, Netscape cert-type,
1021 configuration-independent files. This allows them to be generated when
1038 * Add a driver dispatch layer for EC J-PAKE, enabling alternative
1039 implementations of EC J-PAKE through the driver entry points.
1043 * Add support for AES with the Armv8-A Cryptographic Extension on
1044 64-bit Arm. A new configuration option, MBEDTLS_AESCE_C, can
1045 be used to enable this feature. Run-time detection is supported
1046 under Linux only.
1047 * When a PSA driver for EC J-PAKE is present, it is now possible to disable
1052 to read non-public fields for padding mode and hash id from
1054 * AES-NI is now supported with Visual Studio.
1055 * AES-NI is now supported in 32-bit builds, or when MBEDTLS_HAVE_ASM
1058 gcc -m32 -msse2 -maes -mpclmul). (Generic x86 builds with GCC-like
1059 compilers still require MBEDTLS_HAVE_ASM and a 64-bit target.)
1060 * It is now possible to use a PSA-held (opaque) password with the TLS 1.2
1065 * Use platform-provided secure zeroization function where possible, such as
1068 * Fix a potential heap buffer overread in TLS 1.3 client-side when
1070 * Add support for AES with the Armv8-A Cryptographic Extension on 64-bit
1071 Arm, so that these systems are no longer vulnerable to timing side-channel
1075 builds that couldn't compile the GCC-style assembly implementation
1077 timing side-channel attacks. There is now an intrinsics-based AES-NI
1102 forbidden by the standard (RFC5280 - section 4.1.2.2) and now it's being
1120 * Reject OIDs with overlong-encoded subidentifiers when converting
1125 have the most-significant bit set in their last byte.
1126 * Silence warnings from clang -Wdocumentation about empty \retval
1130 * Fix an unused-variable warning in TLS 1.3-only builds if
1134 * Allow setting user and peer identifiers for EC J-PAKE operation
1141 * Fix TLS 1.3 session resumption when the established pre-shared key is
1142 384 bits long. That is the length of pre-shared keys created under a
1153 * Mixed-endian systems are explicitly not supported any more.
1162 - now it accepts the serial number in 2 different formats: decimal and
1164 - "serial" is used for the decimal format and it's limited in size to
1166 - "serial_hex" is used for the hex format; max length here is
1171 https://mbed-tls.readthedocs.io/en/latest/kb/how-to/rewrite-branch-for-coding-style/
1177 to best results when tested on Cortex-M4 and Intel i7.
1183 = Mbed TLS 3.3.0 branch released 2022-12-14
1189 RFC 9146, which is not interoperable with the draft-05 version.
1193 standard (non-draft) version.
1217 * Expose the EC J-PAKE functionality through the Draft PSA PAKE Crypto API.
1218 Only the ECC primitive with secp256r1 curve and SHA-256 hash algorithm
1221 built-in implementation present, but only in some configurations.
1222 - RSA OAEP and PSS (PKCS#1 v2.1), PKCS5, PKCS12 and EC J-PAKE now use
1224 - PEM parsing of encrypted files now uses MD-5 from PSA when (and only
1230 all hashes only provided by drivers (no built-in hash) is to use
1234 As a consequence, they now work in configurations where the built-in
1236 provided by PSA drivers. (See previous entry for limitation on RSA-PSS
1240 * Add the LMS post-quantum-safe stateful-hash asymmetric signature scheme.
1241 Signature verification is production-ready, but generation is for testing
1247 * Add the LM-OTS post-quantum-safe one-time signature scheme, which is
1250 * Mbed TLS now supports TLS 1.3 key establishment via pre-shared keys.
1251 The pre-shared keys can be provisioned externally or via the ticket
1269 * The TLS 1.2 EC J-PAKE key exchange can now use the PSA Crypto API.
1280 * Add an ad-hoc key derivation function handling EC J-PAKE to PMS
1282 as described in draft-cragie-tls-ecjpake-01. This can be achieved by
1292 victim performing a single private-key operation if the window size used
1294 Wenjian HE, Sharad Sinha, and Wei ZHANG. See "Cache Side-channel Attacks
1295 and Defenses of the Sliding Window Algorithm in TEEs" - Design, Automation
1299 * Refactor mbedtls_aes_context to support shallow-copying. Fixes #2147.
1300 * Fix an issue with in-tree CMake builds in releases with GEN_FILES
1303 * Fix a long-standing build failure when building x86 PIC code with old
1306 * Fix support for little-endian Microblaze when MBEDTLS_HAVE_ASM is defined.
1334 PSA drivers for AEAD (GCM, CCM, Chacha20-Poly1305).
1351 * Fix a bug in which mbedtls_x509_crt_info() would produce non-printable
1358 * In the bignum module, operations of the form (-A) - (+A) or (-A) - (-A)
1372 to OSS-Fuzz. Fixes #6597.
1375 * Move some SSL-specific code out of libmbedcrypto where it had been placed
1382 * Calling AEAD tag-specific functions for non-AEAD algorithms (which
1383 should not be done - they are documented for use only by AES-GCM and
1387 = Mbed TLS 3.2.1 branch released 2022-07-12
1390 * Re-add missing generated file library/psa_crypto_driver_wrappers.c
1392 = Mbed TLS 3.2.0 branch released 2022-07-11
1448 * Add mbedtls_pk_sign_ext() which allows generating RSA-PSS signatures when
1464 mixed-PSK. Add an optional input PSA_KEY_DERIVATION_INPUT_OTHER_SECRET
1473 * Add HKDF-Expand and HKDF-Extract as separate algorithms in the PSA API.
1474 * Add support for the ARMv8 SHA-2 acceleration instructions when building
1480 * Add support for client-side TLS version negotiation. If both TLS 1.2 and
1486 establishment only). See docs/architecture/tls13-support.md for a
1494 docs/use-psa-crypto.md for the list of exceptions.
1498 * Opaque pre-shared keys for TLS, provisioned with
1501 for the "mixed" PSK key exchanges as well: ECDHE-PSK, DHE-PSK, RSA-PSK.
1502 * cmake now detects if it is being built as a sub-project, and in that case
1511 * Zeroize dynamically-allocated buffers used by the PSA Crypto key storage
1520 * Fix a potential heap buffer overread in TLS 1.2 server-side when
1527 or a man-in-the-middle could cause a DTLS server to read up to 255 bytes
1557 enabled and an ECDHE-ECDSA or ECDHE-RSA key exchange was used, the
1571 * Fix a race condition in out-of-source builds with CMake when generated data
1577 the function needs to be re-called after initially returning
1601 * Add mbedtls_x509_dn_get_next function to return the next relative DN in
1623 non-compliant. This could not lead to a buffer overflow. In particular,
1643 see docs/proposed/psa-driver-wrappers-codegen-migration-guide.md
1644 * Return PSA_ERROR_INVALID_ARGUMENT if the algorithm passed to one-shot
1649 * Assume source files are in UTF-8 when using MSVC with CMake.
1662 = mbed TLS 3.1.0 branch released 2021-12-17
1674 POSIX/Unix-like platforms.
1677 * Sign-magnitude and one's complement representations for signed integers are
1696 supported on GCC-like compilers and on MSVC and can be configured through
1705 * Add support for CCM*-no-tag cipher to the PSA.
1706 Currently only 13-byte long IV's are supported.
1707 For decryption a minimum of 16-byte long input is expected.
1715 protocol. See docs/architecture/tls13-support.md for the definition of
1727 man-in-the-middle to inject fake ciphertext into a DTLS connection.
1736 * Fix a double-free that happened after mbedtls_ssl_set_session() or
1745 The check was accidentally not performed when cross-compiling for Windows
1746 on Linux. Fix this. Fixes #4774.
1757 * Fix mbedtls_cipher_crypt: AES-ECB when MBEDTLS_USE_PSA_CRYPTO is enabled.
1758 * Failures of alternative implementations of AES or DES single-block
1762 where this function cannot fail, or full-module replacements with
1767 * Fix compile-time or run-time errors in PSA
1771 psa_aead_finish() and psa_aead_verify() does not apply to the built-in
1774 the built-in implementation of the GCM.
1776 input buffer size is valid only for the built-in implementation of GCM.
1790 * Fix issue in Makefile on Linux with SHARED=1, that caused shared libraries
1810 oversight during the run-up to the release of Mbed TLS 3.0.
1812 * Implement multi-part CCM API.
1813 The multi-part functions: mbedtls_ccm_starts(), mbedtls_ccm_set_lengths(),
1823 * Improve the performance of base64 constant-flow code. The result is still
1824 slower than the original non-constant-flow implementation, but much faster
1825 than the previous constant-flow implementation. Fixes #4814.
1826 * Ignore plaintext/ciphertext lengths for CCM*-no-tag operations.
1830 ChaCha20-Poly1305 is invalid, and not just unsupported.
1837 * The generated configuration-independent files are now automatically
1838 generated by the CMake build system on Unix-like systems. This is not
1839 yet supported when cross-compiling.
1841 = Mbed TLS 3.0.0 branch released 2021-07-07
1850 https://mbed-tls.readthedocs.io/en/latest/kb/how-to/add-entropy-sources-to-entropy-pool/ for
1854 header compat-1.3.h and the script rename.pl.
1873 * Drop support for TLS record-level compression (MBEDTLS_ZLIB_SUPPORT).
1875 * Drop support for single-DES ciphersuites.
1879 key type used, as well as the key bit-size in the case of
1894 when outputting a SHA-384 or SHA-224 hash into a buffer of exactly
1903 by MBEDTLS_GCM_ALT may delay partial blocks to the next call to
1915 session-ID based session resumption) has changed to that of
1916 a key-value store with keys being session IDs and values
1930 * For multi-part AEAD operations with the cipher module, calling
1935 * The option MBEDTLS_ECP_FIXED_POINT_OPTIM use pre-computed comb tables
1977 context are now connection-specific.
1986 * Implement one-shot cipher functions, psa_cipher_encrypt and
1999 They are: ARIA block cipher, CMAC mode, elliptic curve J-PAKE library and
2000 Key Wrapping mode as defined in NIST SP 800-38F. Fixes #4036.
2012 release, some configuration-independent files are now generated at build
2023 compile-time option, which was off by default. Users should not trust
2024 certificates signed with SHA-1 due to the known attacks against SHA-1.
2025 If needed, SHA-1 certificates can still be verified by using a custom
2033 https://lists.trustedfirmware.org/pipermail/mbed-tls/2020-April/000024.html
2037 compile-time option. This option has been inactive for a long time.
2040 * Remove the following deprecated functions and constants of hex-encoded
2066 * The RSA module no longer supports private-key operations with the public
2106 using a CCM-8 ciphersuite than a CBC ciphersuite with truncated HMAC.
2108 * Remove the compile-time option
2116 * Added support for built-in driver keys through the PSA opaque crypto
2120 * The multi-part GCM interface (mbedtls_gcm_update() or
2123 * The multi-part GCM interface now supports chunked associated data through
2130 See docs/architecture/alternative-implementations.md for the remaining
2133 query the size of the modulus in a Diffie-Hellman context.
2135 Diffie-Hellman context.
2143 * Fix a bias in the generation of finite-field Diffie-Hellman-Merkle (DHM)
2155 victim performing a single private-key operation. Found and reported by
2158 information (typically, a co-located process) could recover a Curve25519
2160 observing the victim performing the corresponding private-key operation.
2178 * Fix a bug in ECDSA that would cause it to fail when the hash is all-bits
2183 mbedtls_mpi_read_string() was called on "-0", or when
2189 * In a TLS client, enforce the Diffie-Hellman minimum parameter size
2200 * The cipher suite TLS-RSA-WITH-CAMELLIA-256-GCM-SHA384 was not available
2201 when SHA-1 was disabled and was offered when SHA-1 was enabled but SHA-384
2203 * Do not offer SHA384 cipher suites when SHA-384 is disabled. Fixes #4499.
2205 Arm Cortex-M. Fixes #4530.
2207 directive in a header and a missing initialization in the self-test.
2208 * Fix a missing initialization in the Camellia self-test, affecting
2215 (when the encrypt-then-MAC extension is not in use) with some ALT
2216 implementations of the underlying hash (SHA-1, SHA-256, SHA-384), causing
2218 * Remove outdated check-config.h check that prevented implementing the
2230 * psa_verify_hash() was relying on implementation-specific behavior of
2241 Credit to OSS-Fuzz. Fixes #4641.
2246 read-only lifetime. The persistence level PSA_KEY_PERSISTENCE_READ_ONLY
2267 * Remove configs/config-psa-crypto.h, which no longer had any intended
2307 = mbed TLS 2.26.0 branch released 2021-03-08
2361 length, or when the entropy module uses SHA-256 and CTR_DRBG uses AES-256.
2367 |A| - |B| where |B| is larger than |A| and has more limbs (so the
2384 * Fix use-after-scope error in programs/ssl/ssl_client2.c and ssl_server2.c
2395 fail. Such a double-free was not safe when MBEDTLS_THREADING_C was
2397 * Fix a resource leak in a bad-arguments case of mbedtls_rsa_gen_key()
2408 the extension was always marked as non-critical. This was fixed by
2418 = mbed TLS 2.25.0 branch released 2020-12-11
2430 mbedtls_cipher_auth_decrypt_ext() instead. Credit to OSS-Fuzz and
2455 This is currently non-standard behaviour, but expected to make it into a
2462 * Add support for DTLS-SRTP as defined in RFC 5764. Contributed by Johan
2466 identical to psa_key_id_t instead of being platform-defined. This bridges
2484 generating Diffie-Hellman key pairs. Credit to OSS-Fuzz.
2488 are implemented. This could cause failures or the silent use of non-random
2520 * Use socklen_t on Android and other POSIX-compliant system
2521 * Fix the build when the macro _GNU_SOURCE is defined to a non-empty value.
2538 * Fix an off-by-one error in the additional data length check for
2539 CCM, which allowed encryption with a non-standard length field.
2548 * Attempting to create a volatile key with a non-zero key identifier now
2557 * Fix a case in elliptic curve arithmetic where an out-of-memory condition
2577 specification (docs/architecture/mbed-crypto-storage-specification.md).
2581 zeroize the pointed-to buffer. Reported by Antonio de la Piedra, CEA
2584 = mbed TLS 2.24.0 branch released 2020-09-01
2587 * In the PSA API, rename the types of elliptic curve and Diffie-Hellman
2605 -Wformat-signedness, and fix the code that causes signed-one-bit-field
2606 and sign-compare warnings. Contributed by makise-homura (Igor Molchanov)
2615 attacker could for example impersonate a 4-bytes or 16-byte domain by
2631 Encrypt-then-Mac extension, use constant code flow memory access patterns
2634 effective against network-based attackers, but less so against local
2636 if they have access to fine-grained measurements. In particular, this
2640 * Fix side channel in RSA private key operations and static (finite-field)
2641 Diffie-Hellman. An adversary with precise enough timing and memory access
2643 enclave) could bypass an existing counter-measure (base blinding) and
2645 * Fix a 1-byte buffer overread in mbedtls_x509_crl_parse_der().
2646 Credit to OSS-Fuzz for detecting the problem and to Philippe Antoine
2660 Montgomery keys in little-endian as defined by RFC7748. Contributed by
2663 curves. Raised by signpainter in #941 and by Taiki-San in #1412. This
2665 * Fix self-test failure when the only enabled short Weierstrass elliptic
2677 * Only pass -Wformat-signedness to versions of GCC that support it. Reported
2684 * Update copyright notices to use Linux Foundation guidance. As a result,
2692 these applications with password-protected key files. Analogously but for
2697 = mbed TLS 2.23.0 branch released 2020-07-01
2710 high- and low-level error codes, complementing mbedtls_strerror()
2714 * The new utility programs/ssl/ssl_context_info prints a human-readable
2731 Ming-Wei Shih, Prasun Gera, Taesoo Kim and Hyesoon Kim (Georgia Institute
2742 * Fix issue in Lucky 13 counter-measure that could make it ineffective when
2778 * Fix false positive uninitialised variable reported by cpp-check.
2787 clean of -Wformat-signedness warnings. Contributed by Kenneth Soerensen
2799 * Fix mbedtls_x509_dn_gets to escape non-ASCII characters as "?".
2811 `MBEDTLS_CTR_DRBG_C` or `MBEDTLS_HMAC_DRBG_C` for some side-channel
2820 = mbed TLS 2.22.0 branch released 2020-04-14
2841 Billy Brumley and Cesar Pereida Garcia. CVE-2020-10932
2867 = mbed TLS 2.21.0 branch released 2020-02-20
2873 * Deprecate for MBEDTLS_PKCS11_C, the wrapper around the pkcs11-helper
2880 probability (of the order of 2^-n where n is the bitsize of the curve)
2888 ARMmbed/mbed-crypto#352
2891 * The new build option MBEDTLS_SHA512_NO_SHA384 allows building SHA-512
2892 support without SHA-384.
2901 PSA_ECC_CURVE_SECP_R1 with 256 bits is P256R1). ARMmbed/mbed-crypto#330
2907 * Fix some false-positive uninitialized variable warnings in X.509. Fix
2908 contributed by apple-ihack-geek in #2663.
2910 a cryptographic accelerator fails. ARMmbed/mbed-crypto#345
2913 keys. Found by Catena cyber using oss-fuzz (issue 20467).
2917 = mbed TLS 2.20.0 branch released 2020-01-15
2960 to achieve the security strength defined by NIST SP 800-90A. You can
2963 msopiha-linaro in ARMmbed/mbed-crypto#307.
2966 * In the PSA API, forbid zero-length keys. To pass a zero-length input to a
2980 unsupported algorithm. Fixes ARMmbed/mbed-crypto#254.
2982 to OSS-Fuzz for finding a bug in an intermediate version of the fix.
2998 merely a robustness improvement. ARMmbed/mbed-crypto#323
3000 Alexander Krizhanovsky in ARMmbed/mbed-crypto#210.
3002 Lloyd and Fortanix Inc in ARMmbed/mbed-crypto#277.
3004 Alexander Krizhanovsky in ARMmbed/mbed-crypto#308.
3006 = mbed TLS 2.19.1 branch released 2019-09-16
3020 * Fix some false-positive uninitialized variable warnings in crypto. Fix
3021 contributed by apple-ihack-geek in #2663.
3023 = mbed TLS 2.19.0 branch released 2019-09-06
3034 * The deterministic ECDSA calculation reused the scheme's HMAC-DRBG to
3043 store it in non-volatile storage, and later using it for TLS session
3048 The feature is enabled at compile-time by MBEDTLS_SSL_RECORD_CHECKING
3051 (https://project-everest.github.io/). It can be enabled at compile time
3054 (32-bit and 64-bit) using GCC, Clang or Visual Studio. Contributed by
3062 * Add DER-encoded test CRTs to library/certs.c, allowing
3083 lead to successful parsing of ill-formed X.509 CRTs. Fixes #2437.
3084 * Fix multiple X.509 functions previously returning ASN.1 low-level error
3089 * Fix typo in net_would_block(). Fixes #528 reported by github-monoculture.
3110 address-sanitizer and enabling but not using MBEDTLS_ECP_RESTARTABLE.
3113 * Improve code clarity in x509_crt module, removing false-positive
3121 * Replace multiple uses of MD2 by SHA-256 in X.509 test suite. Fixes #821.
3125 * Add a Dockerfile and helper scripts (all-in-docker.sh, basic-in-docker.sh,
3126 docker-env.sh) to simplify running test suites on a Linux host. Contributed
3132 * Adds fuzz targets, especially for continuous fuzzing with OSS-Fuzz.
3138 = mbed TLS 2.18.1 branch released 2019-07-12
3148 = mbed TLS 2.18.0 branch released 2019-06-11
3155 * Add the Wi-SUN Field Area Network (FAN) device extended key usage.
3157 * It is now possible to perform RSA PKCS v1.5 signatures with RIPEMD-160 digest.
3160 and the used tls-prf.
3161 * Add public API for tls-prf function, according to requested enum.
3170 * Add support for draft-05 of the Connection ID extension, as specified
3171 in https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05.
3176 changed its IP or port. The feature is enabled at compile-time by setting
3177 MBEDTLS_SSL_DTLS_CONNECTION_ID (disabled by default), and at run-time
3183 and the used tls-prf.
3184 * Add public API for tls-prf function, according to requested enum.
3193 * Fix 1-byte buffer overflow in mbedtls_mpi_write_string() when
3195 OSS-Fuzz.
3209 * Set the next sequence of the subject_alt_name to NULL when deleting
3211 Credit to OSS-Fuzz.
3214 * Server's RSA certificate in certs.c was SHA-1 signed. In the default
3215 mbedTLS configuration only SHA-2 signed certificates are accepted.
3219 updated to one that is SHA-256 signed. Fix contributed by
3230 = mbed TLS 2.17.0 branch released 2019-03-19
3234 which allows copy-less parsing of DER encoded X.509 CRTs,
3247 for the benefit of saving RAM, by disabling the new compile-time
3275 * Fix signed-to-unsigned integer conversion warning
3307 * Fix configuration queries in ssl-opt.h. #2030
3308 * Ensure that ssl-opt.h can be run in OS X. #2029
3309 * Re-enable certain interoperability tests in ssl-opt.sh which had previously
3314 = mbed TLS 2.16.0 branch released 2018-12-21
3332 mbedtls_ctr_drbg_update() -> mbedtls_ctr_drbg_update_ret()
3333 mbedtls_hmac_drbg_update() -> mbedtls_hmac_drbg_update_ret()
3337 the more generic per-module error codes MBEDTLS_ERR_xxx_BAD_INPUT_DATA.
3339 modules - AES, ARIA, Blowfish, CAMELLIA, CCM, GCM, DHM, ECP, ECDSA, ECDH,
3371 = mbed TLS 2.15.1 branch released 2018-11-30
3376 = mbed TLS 2.15.0 branch released 2018-11-23
3386 * Add unit tests for AES-GCM when called through mbedtls_cipher_auth_xxx()
3389 = mbed TLS 2.14.1 branch released 2018-11-30
3393 decryption that could lead to a Bleichenbacher-style padding oracle
3400 in the paper available here: http://cat.eyalro.net/cat.pdf CVE-2018-19608
3418 = mbed TLS 2.14.0 branch released 2018-11-19
3429 space and a PSK-(EC)DHE ciphersuite was used, this allowed an attacker
3434 adversary to construct non-primes that would be erroneously accepted as
3439 pairs or Diffie-Hellman parameters, but was insufficient to validate
3440 Diffie-Hellman parameters properly.
3447 constrained, single-threaded systems where ECC is time consuming and can
3453 implemented client-side, for ECDHE-ECDSA ciphersuites in TLS 1.2,
3459 * Extend RSASSA-PSS signature to allow a smaller salt size. Previously, PSS
3463 that comply with FIPS 186-4, including SHA-512 with a 1024-bit key.
3464 * Add support for 128-bit keys in CTR_DRBG. Note that using keys shorter
3483 Miller-Rabin rounds.
3496 padded records in case of CBC ciphersuites using Encrypt-then-MAC.
3507 wildcards and non-ASCII characters being unusable in some DN attributes.
3509 Thomas-Dee.
3513 Reported by ole-de and ddhome2006. Fixes #882, #1642 and #1706.
3533 Thomas-Dee.
3535 Fixes #517 reported by github-monoculture.
3538 by FIPS-186-4.
3540 = mbed TLS 2.13.1 branch released 2018-09-06
3544 whose implementation should behave as a thread-safe version of gmtime().
3554 = mbed TLS 2.13.0 branch released 2018-08-31
3565 with the peer, as well as by a new per-connection MTU option, set using
3567 * Add support for auto-adjustment of MTU to a safe value during the
3572 * Add support for buffering out-of-order handshake messages in DTLS.
3574 compile-time constant MBEDTLS_SSL_DTLS_MAX_BUFFERING defined
3593 * Fix potential use-after-free in mbedtls_ssl_get_max_frag_len()
3604 (found by Catena cyber using oss-fuzz)
3616 * Add support for buffering of out-of-order handshake messages.
3621 = mbed TLS 2.12.0 branch released 2018-07-25
3624 * Fix a vulnerability in TLS ciphersuites based on CBC and using SHA-384,
3632 or CCM instead of CBC, using hash sizes other than SHA-384, or using
3633 Encrypt-then-Mac (RFC 7366) were not affected. The vulnerability was
3634 caused by a miscalculation (for SHA-384) in a countermeasure to the
3645 instead of CBC or using Encrypt-then-Mac (RFC 7366) were not affected.
3647 * Add a counter-measure against a vulnerability in TLS ciphersuites based
3653 Encrypt-then-Mac (RFC 7366) were not affected. Found by Kenny Paterson,
3657 * Add new crypto primitives from RFC 7539: stream cipher Chacha20, one-time
3658 authenticator Poly1305 and AEAD construct Chacha20-Poly1305. Contributed
3660 * Add support for CHACHA20-POLY1305 ciphersuites from RFC 7905.
3661 * Add platform support for the Haiku OS. (https://www.haiku-os.org).
3669 NIST SP 800-38F algorithms KW and KWP and by RFC 3394 and RFC 5649.
3696 CBC based ciphersuite is used together with Encrypt-then-MAC. Previously,
3701 * Fix ssl_client2 example to send application data with 0-length content
3706 * Fix build using -std=c99. Fixed by Nick Wilson.
3710 zero-length messages when using TLS 1.2. Contributed by Espressif Systems.
3712 when calling with a NULL salt and non-zero salt_len. Contributed by
3716 * Allow overriding the time on Windows via the platform-time abstraction.
3718 * Use gmtime_r/gmtime_s for thread-safety. Fixed by Nick Wilson.
3720 = mbed TLS 2.11.0 branch released 2018-06-18
3725 * Implement the HMAC-based extract-and-expand key derivation function
3728 * Add support for the XTS block cipher mode with AES (AES-XTS).
3732 non-blocking operation of the TLS server stack.
3749 = mbed TLS 2.10.0 branch released 2018-06-06
3768 build to fail. Found by zv-io. Fixes #1651.
3771 * Support TLS testing in out-of-source builds using cmake. Fixes #1193.
3775 = mbed TLS 2.9.0 branch released 2018-04-30
3782 would require a non DER-compliant certificate to be correctly signed by a
3783 trusted CA, or a trusted CA with a non DER-compliant certificate. Found by
3791 * Fix a client-side bug in the validation of the server's ciphersuite choice
3814 underlying transport in case event-driven IO is used.
3820 in configurations that omit certain hashes or public-key algorithms.
3842 in the internal buffers; these cases led to deadlocks when event-driven
3859 public-key algorithms. Includes contributions by Gert van Dijk.
3879 letter must not be prefixed by '-', such as LLVM. Found and fixed by
3889 HMAC functions with non-HMAC ciphersuites. Independently contributed
3892 FIPS 186-4. Contributed by Jethro Beekman. #1380
3900 = mbed TLS 2.8.0 branch released 2018-03-16
3930 uses PBKDF2-SHA2, such as OpenSSL 1.1. Submitted by Antonio Quartulli,
3941 * Fix test_suite_pk to work on 64-bit ILP32 systems. #849
3967 * Fix a 1-byte heap buffer overflow (read-only) during private key parsing.
3981 = mbed TLS 2.7.0 branch released 2018-02-03
3989 both TLS and DTLS. CVE-2018-0488
3990 * Fix a buffer overflow in RSA-PSS verification when the hash was too large
3993 Qualcomm Technologies Inc. CVE-2018-0487
3994 * Fix buffer overflow in RSA-PSS verification when the unmasked data is all
4004 was independently reported by Tim Nordell via e-mail and by Florin Petriuc
4015 * Make mbedtls_mpi_read_binary() constant-time with respect to the input
4021 * Fix a potential heap buffer over-read in ALPN extension parsing
4022 (server-side). Could result in application crash, but only if an ALPN
4025 to RFC 3526 containing parameters generated in a nothing-up-my-sleeve
4032 * New unit tests for timing. Improve the self-test to be more robust
4033 when run on a heavily-loaded machine.
4055 * Extend RSA interface by multiple functions allowing structure-
4068 mbedtls_<MODULE>_starts() -> mbedtls_<MODULE>_starts_ret()
4069 mbedtls_<MODULE>_update() -> mbedtls_<MODULE>_update_ret()
4070 mbedtls_<MODULE>_finish() -> mbedtls_<MODULE>_finish_ret()
4071 mbedtls_<MODULE>_process() -> mbedtls_internal_<MODULE>_process()
4074 * Deprecate usage of RSA primitives with non-matching key-type
4099 renegotiated handshakes would only accept signatures using SHA-1
4100 regardless of the peer's preferences, or fail if SHA-1 was disabled.
4104 * Fix some invalid RSA-PSS signatures with keys of size 8N+1 that were
4106 * Fix out-of-memory problem when parsing 4096-bit PKCS8-encrypted RSA keys.
4119 * Correct extraction of signature-type from PK instance in X.509 CRT and CSR
4123 non-v3 CRTs.
4128 MBEDTLS_SSL_RENEGOTIATION is disabled. Found by erja-gp.
4133 * Add size-checks for record and handshake message content, securing
4134 fragile yet non-exploitable code-paths.
4170 * Only run AES-192 self-test if AES-192 is available. Fixes #963.
4181 * Add explicit warnings for the use of MD2, MD4, MD5, SHA-1, DES and ARC4
4184 = mbed TLS 2.6.0 branch released 2017-08-10
4200 platform-specific setup and teardown operations. The macro
4212 * Certificate verification functions now set flags to -1 in case the full
4229 * Fix conditional preprocessor directives in bignum.h to enable 64-bit
4233 to bypass the version verification check. Found by Peng Li/Yueh-Hsun Lin,
4237 to bypass the version verification check. Found by Peng Li/Yueh-Hsun Lin,
4249 64-bit division. This is useful on embedded platforms where 64-bit division
4255 config-no-entropy.h to reduce the RAM footprint.
4260 = mbed TLS 2.5.1 released 2017-06-21
4263 * Fixed unlimited overread of heap-based buffer in mbedtls_ssl_read().
4264 The issue could only happen client-side with renegotiation enabled.
4268 * Removed SHA-1 and RIPEMD-160 from the default hash algorithms for
4269 certificate verification. SHA-1 can be turned back on with a compile-time
4274 potential Bleichenbacher/BERserk-style attack.
4279 and with GCC using the -Wpedantic compilation option.
4280 * Fix insufficient support for signature-hash-algorithm extension,
4307 by Jean-Philippe Aumasson.
4309 = mbed TLS 2.5.0 branch released 2017-05-17
4316 against side-channel attacks like the cache attack described in
4335 mbedtls_aes_decrypt() -> mbedtls_internal_aes_decrypt()
4336 mbedtls_aes_encrypt() -> mbedtls_internal_aes_encrypt()
4339 * Remove macros from compat-1.3.h that correspond to deleted items from most
4343 * Add checks in the PK module for the RSA functions on 64-bit systems.
4348 = mbed TLS 2.4.2 branch released 2017-03-08
4352 using RSA through the PK module in 64-bit systems. The issue was caused by
4355 mbedtls_pk_sign(). Found by Jean-Philippe Aumasson.
4369 team. #569 CVE-2017-2784
4378 mbedtls_ssl_set_bio_timeout in compat-1.3.h, by removing it.
4379 Found by omlib-lin. #673
4400 Li/Yueh-Hsun Lin, KNOX Security, Samsung Research America.
4416 = mbed TLS 2.4.1 branch released 2016-12-13
4419 * Update to CMAC test data, taken from - NIST Special Publication 800-38B -
4423 = mbed TLS 2.4.0 branch released 2016-10-17
4427 with RFC-5116 and could lead to session key recovery in very long TLS
4428 sessions. "Nonce-Disrespecting Adversaries: Practical Forgery Attacks on GCM in
4429 TLS" - H. Bock, A. Zauner, S. Devlin, J. Somorovsky, P. Jovanovic.
4437 * Added support for CMAC for AES and 3DES and AES-CMAC-PRF-128, as defined by
4438 NIST SP 800-38B, RFC-4493 and RFC-4615.
4446 * Added a configuration file config-no-entropy.h that configures the subset of
4459 * Fix for key exchanges based on ECDH-RSA or ECDH-ECDSA which weren't
4461 * Fix for out-of-tree builds using CMake. Found by jwurzer, and fix based on
4474 subramanyam-c. #622
4481 Found by subramanyam-c. #626
4489 * Removed self-tests from the basic-built-test.sh script, and added all
4490 missing self-tests to the test suites, to ensure self-tests are only
4493 * Added support for a Yotta specific configuration file -
4504 = mbed TLS 2.3.0 branch released 2016-06-28
4522 arguments were the same (in-place doubling). Found and fixed by Janos
4541 * Fix test in ssl-opt.sh that does not run properly with valgrind
4545 * On ARM platforms, when compiling with -O0 with GCC, Clang or armcc5,
4547 the need to pass -fomit-frame-pointer to avoid a build error with -O0.
4551 * Fix non-compliance server extension handling. Extensions for SSLv3 are now
4554 = mbed TLS 2.2.1 released 2016-01-05
4566 * Fix over-restrictive length limit in GCM. Found by Andreas-N. #362
4578 = mbed TLS 2.2.0 released 2015-11-04
4596 * Experimental support for EC J-PAKE as defined in Thread 1.0.0.
4599 block. (Potential uses include EAP-TLS and Thread.)
4602 * Self-signed certificates were not excluded from pathlen counting,
4605 * Fix build error with configurations where ECDHE-PSK is the only key
4607 * Fix build error with configurations where RSA, RSA-PSK, ECDH-RSA or
4608 ECDH-ECDSA is the only key exchange. Multiple reports. #310
4609 * Fixed a bug causing some handshakes to fail due to some non-fatal alerts
4610 not being properly ignored. Found by mancha and Kasom Koht-arsa, #308
4613 minimum key size for end-entity certificates with RSA keys. Found by
4624 or -1.
4626 = mbed TLS 2.1.2 released 2015-10-06
4629 * Added fix for CVE-2015-5291 to prevent heap corruption due to buffer
4632 * Fix potential double-free if mbedtls_ssl_set_hs_psk() is called more than
4649 buffer is 512MB or larger on 32-bit platforms. Found by Guido Vranken,
4651 * Fix potential double-free if mbedtls_conf_psk() is called repeatedly on
4670 = mbed TLS 2.1.1 released 2015-09-17
4673 * Add countermeasure against Lenstra's RSA-CRT attack for PKCS#1 v1.5
4675 https://securityblog.redhat.com/2015/09/02/factoring-rsa-keys-with-tls-perfect-forward-secrecy/
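The countermeasure in the bullet above is the standard one for Lenstra's attack: a single faulty RSA-CRT signature, combined with the correct message, reveals a prime factor of N through a gcd, so the signer must run the public operation on its own output and refuse to release a signature that does not verify. The Python below is an added example, not Mbed TLS code, using a constructed toy key (two 20-bit primes, no PKCS#1 v1.5 padding) so the arithmetic stays readable: it signs with the CRT, simulates a glitch in the mod-p half, recovers q from the bad signature, and then shows the verify-before-output check that blocks the leak. All names and constants are this example's own.

```python
from math import gcd

# Constructed toy RSA key for illustration only (assumption: 1000003 and
# 1000033 are prime, e = 65537 is coprime to phi). Real keys are 2048+ bits
# and the message would be the PKCS#1 v1.5 encoded hash, not a bare integer.
P, Q = 1000003, 1000033
N = P * Q
E = 65537
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)
DP, DQ = D % (P - 1), D % (Q - 1)      # CRT exponents
QINV = pow(Q, -1, P)                    # q^-1 mod p (Garner's recombination)


def rsa_crt_sign(m: int, fault: bool = False) -> int:
    """s = m^d mod N computed the CRT way; `fault` corrupts the mod-p half,
    modelling a glitch or a bit flip during that exponentiation."""
    sp = pow(m, DP, P)
    sq = pow(m, DQ, Q)
    if fault:
        sp = (sp + 1) % P
    h = (QINV * (sp - sq)) % P
    return sq + h * Q


def rsa_verify(m: int, s: int) -> bool:
    """Public operation: does s^e mod N give back m?"""
    return pow(s, E, N) == m


def recover_factor(m: int, bad_sig: int) -> int:
    """Lenstra: a signature correct mod q but wrong mod p satisfies
    s^e == m (mod q) and s^e != m (mod p), so gcd(s^e - m, N) = q."""
    return gcd(pow(bad_sig, E, N) - m, N)


def safe_sign(m: int, fault: bool = False) -> int:
    """The countermeasure: verify the freshly computed CRT signature with the
    public key and never emit one that fails, so no faulty value leaves
    the signer."""
    s = rsa_crt_sign(m, fault)
    if not rsa_verify(m, s):
        raise ValueError("RSA-CRT result failed verification; not releasing it")
    return s


if __name__ == "__main__":
    m = 123456789                       # arbitrary message < N
    good = rsa_crt_sign(m)
    bad = rsa_crt_sign(m, fault=True)
    print("good signature verifies:", rsa_verify(m, good))
    print("factor leaked by one faulty signature:", recover_factor(m, bad))
    try:
        safe_sign(m, fault=True)
    except ValueError as err:
        print("blocked:", err)
```

The verify step costs one public-exponent exponentiation, which is cheap next to the private one; the point is that the check has to run on every signature, since the attacker needs only one faulty output that escapes.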
4676 * Fix possible client-side NULL pointer dereference (read) when the client
4679 afl-fuzz.)
4683 * Fix off-by-one error in parsing Supported Point Format extension that
4694 MBEDTLS_ERR_SSL_CLIENT_RECONNECT - it is then possible to start a new
4697 = mbed TLS 2.1.0 released 2015-09-04
4705 * Fix build error with CMake and pre-4.5 versions of GCC (found by Hugo
4713 * Fix compile error with armcc 5 with --gnu option.
4718 * Fix missing -static-libgcc when building shared libraries for Windows
4727 * Fix -Wshadow warnings (found by hnrkp) (#240)
4729 SSL_MAX_CONTENT_LEN or higher - not triggerable remotely (found by
4737 * It is now possible to #include a user-provided configuration file at the
4741 trusted, no later cert is checked. (suggested by hannes-landeholm)
4748 = mbed TLS 2.0.0 released 2015-07-13
4755 * New server-side implementation of session tickets that rotate keys to
4761 * Introduced a concept of presets for SSL security-relevant configuration
4769 Migration helpers scripts/rename.pl and include/mbedtls/compat-1.3.h are
4770 provided. Full list of renamings in scripts/data_files/rename-1.3-2.0.txt
4772 mbedtls_cipher_info_t.key_length -> key_bitlen
4773 mbedtls_cipher_context_t.key_length -> key_bitlen
4774 mbedtls_ecp_curve_info.size -> bit_size
4779 mbedtls_ssl_init() -> mbedtls_ssl_setup()
4780 mbedtls_ccm_init() -> mbedtls_ccm_setkey()
4781 mbedtls_gcm_init() -> mbedtls_gcm_setkey()
4782 mbedtls_hmac_drbg_init() -> mbedtls_hmac_drbg_seed(_buf)()
4783 mbedtls_ctr_drbg_init() -> mbedtls_ctr_drbg_seed()
4789 (see rename.pl and compat-1.3.h above) and their first argument's type
4792 additional callback for read-with-timeout).
4811 mbedtls_x509_crt_verify() (flags, f_vrfy -> needs to be updated)
4812 mbedtls_ssl_conf_verify() (f_vrfy -> needs to be updated)
4813 * The following functions changed prototype to avoid an in-out length
4831 * Test certificates in certs.c are no longer guaranteed to be nul-terminated
4860 * Removed compat-1.2.h (helper for migrating from 1.2 to 1.3).
4864 been removed (compiler is required to support 32-bit operations).
4867 * Removed test program ssl_test, superseded by ssl-opt.sh.
4868 * Removed helper script active-config.pl
4874 Semi-API changes (technically public, morally private)
4895 * Default DHM parameters server-side upgraded from 1024 to 2048 bits.
4899 * The following functions are now case-sensitive:
4918 * DTLS no longer hard-depends on TIMING_C, but uses a callback interface
4927 thread-safe if MBEDTLS_THREADING_C is enabled.
4928 * Reduced ROM footprint of SHA-256 and added an option to reduce it even
4937 * Add countermeasure against "Lucky 13 strikes back" cache-based attack,
4947 * Add support for id-at-uniqueIdentifier in X.509 names.
4953 cross-compilation easier (thanks to Alon Bar-Lev).
4954 * The benchmark program also prints heap usage for public-key primitives
4956 * New script ecc-heap.sh helps measuring the impact of ECC parameters on
4959 reduced configurations (PSK-CCM and NSA suite B).
4978 * Fix detection of support for getrandom() on Linux (reported by syzzer) by
4991 * Fix potential unintended sign extension in asn1_get_len() on 64-bit
4998 * Add missing dependency on SHA-256 in some x509 programs (reported by
5009 * compat-1.2.h and openssl.h are deprecated.
5012 (contributed by Alon Bar-Lev).
5015 * Move from SHA-1 to SHA-256 in example programs using signatures
5023 = mbed TLS 1.3.10 released 2015-02-09
5025 * NULL pointer dereference in the buffer-based allocator when the buffer is
5029 * Fix remotely-triggerable uninitialised pointer dereference caused by
5032 * Fix remotely-triggerable memory leak caused by crafted X.509 certificates
5039 Bleichenbacher-style attack in the RSA and RSA-PSK key exchanges
5043 * Add support for FALLBACK_SCSV (draft-ietf-tls-downgrade-scsv).
5044 * Add support for Extended Master Secret (draft-ietf-tls-session-hash).
5045 * Add support for Encrypt-then-MAC (RFC 7366).
5048 * Add compile-time option POLARSSL_X509_MAX_INTERMEDIATE_CA to limit the
5050 * Support for renegotiation can now be disabled at compile-time
5051 * Support for 1/n-1 record splitting, a countermeasure against BEAST.
5052 * Certificate selection based on signature hash, preferring SHA-1 over SHA-2
5053 for pre-1.2 clients when multiple certificates are available.
5054 * Add support for getrandom() syscall on recent Linux kernels with Glibc or
5063 add_len (found by Jean-Philippe Aumasson) (not triggerable remotely).
5079 issue with some servers when a zero-length extension was sent. (Reported
5081 * On a 0-length input, base64_encode() did not correctly set output length
5088 * ssl_set_own_cert() now returns an error on key-certificate mismatch.
5094 * It is now possible to disable negotiation of truncated HMAC server-side
5100 = PolarSSL 1.3.9 released 2014-10-20
5104 * Remotely-triggerable memory leak when parsing some X.509 certificates
5107 * Remotely-triggerable memory leak when parsing crafted ClientHello
5114 * Fix net_accept() regarding non-blocking sockets (found by Luca Pesce).
5116 * Fix warnings from Clang's scan-build (contributed by Alfred Klomp).
5119 * Remove non-existent file from VS projects (found by Peter Vaskovic).
5120 * ssl_read() could return non-application data records on server while
5122 * Server-initiated renegotiation would fail with non-blocking I/O if the
5125 with non-blocking I/O.
5133 * Ciphersuites using SHA-256 or SHA-384 now require TLS 1.x (there is no
5134 standard defining how to use SHA-2 with SSL 3.0).
5135 * Ciphersuites using RSA-PSK key exchange now require TLS 1.x (the spec is
5147 = PolarSSL 1.3.8 released 2014-07-11
5156 * Support for parsing and verifying RSASSA-PSS signatures in the X.509
5163 * Add server-side enforcement of sent renegotiation requests
5182 * Remove less-than-zero checks on unsigned numbers
5194 rejected with CBC-based ciphersuites and TLS >= 1.1
5196 to 32 bytes with CBC-based ciphersuites and TLS >= 1.1
5199 * Restore ability to locally trust a self-signed cert that is not a proper
5205 * Fix off-by-one error in parsing Supported Point Format extension that
5207 * Fix possible miscomputation of the premaster secret with DHE-PSK key
5216 = PolarSSL 1.3.7 released on 2014-05-02
5220 * version_check_feature() added to check for compile-time options at
5221 run-time
5228 * AES-NI now compiles with "old" assemblers too
5244 big-endian platform when size was not an integer number of limbs
5251 = PolarSSL 1.3.6 released on 2014-04-11
5272 This affects certificates in the user-supplied chain except the top
5273 certificate. If the user-supplied chain contains only one certificate,
5292 * dhm_parse_dhm() (hence dhm_parse_dhmfile()) did not set dhm->len.
5293 * Calling pk_debug() on an RSA-alt key would segfault.
5294 * pk_get_size() and pk_get_len() were off by a factor 8 for RSA-alt keys.
5300 = PolarSSL 1.3.5 released on 2014-03-26
5302 * HMAC-DRBG as a separate module
5306 * Ability to force the entropy module to use SHA-256 as its basis
5308 * Testing script ssl-opt.sh added for testing 'live' ssl option
5316 now thread-safe if POLARSSL_THREADING_C defined
5332 * Possible remotely-triggered out-of-bounds memory access fixed (found by
5339 * Fixed testing with out-of-source builds using cmake
5340 * Fixed version-major intolerance in server
5341 * Fixed CMake symlinking on out-of-source builds
5344 * Bignum's MIPS-32 assembly was used on MIPS-64, causing chaos. (Found by
5348 * Fixed bug with session tickets and non-blocking I/O in the unlikely case
5361 = PolarSSL 1.3.4 released on 2014-01-27
5364 * Support for RIPEMD-160
5380 = PolarSSL 1.3.3 released on 2013-12-31
5386 * Support for ECDH-RSA and ECDH-ECDSA key exchanges and ciphersuites
5388 * AES-NI support for AES, AES-GCM and AES key scheduling
5389 * SSL Pthread-based server example added (ssl_pthread_server)
5396 * More constant-time checks in the RSA module
5404 * Fixed X.509 hostname comparison (with non-regular characters)
5417 * Possible remotely-triggered out-of-bounds memory access fixed (found by
5420 = PolarSSL 1.3.2 released on 2013-11-04
5424 * Support for Camellia-GCM mode and ciphersuites
5427 * Padding checks in cipher layer are now constant-time
5428 * Value comparisons in SSL layer are now constant-time
5441 * Server-side initiated renegotiations send HelloRequest
5443 = PolarSSL 1.3.1 released on 2013-10-15
5446 * Support for ECDHE-PSK key-exchange and ciphersuites
5447 * Support for RSA-PSK key-exchange and ciphersuites
5453 * config.h is more script-friendly
5465 = PolarSSL 1.3.0 released on 2013-10-01
5470 (ECDHE-based ciphersuites)
5472 (ECDSA-based ciphersuites)
5474 * PSK and DHE-PSK based ciphersuites added
5476 * Buffer-based memory allocator added (no malloc() / free() / HEAP usage)
5483 * Support for zeros-and-length (ANSI X.923) padding, one-and-zeros
5484 (ISO/IEC 7816-4) padding and zero padding in the cipher layer
5513 * Also compiles / runs without time-based functions (!POLARSSL_HAVE_TIME)
5525 (found by Cyril Arnaud and Pierre-Alain Fouque)
5528 = Version 1.2.14 released 2015-05-??
5536 * Add countermeasure against "Lucky 13 strikes back" cache-based attack,
5544 * Fix potential unintended sign extension in asn1_get_len() on 64-bit
5547 = Version 1.2.13 released 2015-02-16
5552 * Fix remotely-triggerable uninitialised pointer dereference caused by
5555 * Fix remotely-triggerable memory leak caused by crafted X.509 certificates
5568 add_len (found by Jean-Philippe Aumasson) (not triggerable remotely).
5578 issue with some servers when a zero-length extension was sent. (Reported
5580 * On a 0-length input, base64_encode() did not correctly set output length
5586 * Add compile-time option POLARSSL_X509_MAX_INTERMEDIATE_CA to limit the
5588 = Version 1.2.12 released 2014-10-24
5591 * Remotely-triggerable memory leak when parsing some X.509 certificates
5599 with non-blocking I/O.
5603 * Fix net_accept() regarding non-blocking sockets (found by Luca Pesce).
5604 * ssl_read() could return non-application data records on server while
5606 * Fix warnings from Clang's scan-build (contributed by Alfred Klomp).
5615 = Version 1.2.11 released 2014-07-11
5643 * Fixed X.509 hostname comparison (with non-regular characters)
5656 * Fixed testing with out-of-source builds using cmake
5657 * Fixed version-major intolerance in server
5658 * Fixed CMake symlinking on out-of-source builds
5659 * Bignum's MIPS-32 assembly was used on MIPS-64, causing chaos. (Found by
5674 big-endian platform when size was not an integer number of limbs
5685 = Version 1.2.10 released 2013-10-07
5687 * Changed RSA blinding to a slower but thread-safe version
5694 = Version 1.2.9 released 2013-10-01
5707 (found by Cyril Arnaud and Pierre-Alain Fouque)
5709 = Version 1.2.8 released 2013-06-19
5713 * Centralized module option values in config.h to allow user-defined
5738 * Fixed values for 2-key Triple DES in cipher layer
5743 PEM-encoded certificates has been fixed (found by Jack Lloyd)
5745 = Version 1.2.7 released 2013-04-13
5750 * Default Blowfish keysize is now 128-bits
5757 = Version 1.2.6 released 2013-03-11
5760 * Corrected GCM counter incrementation to use only 32-bits instead of
5761 128-bits (found by Yawning Angel)
5762 * Fixes for 64-bit compilation with MS Visual Studio
5772 * Re-added handling for SSLv2 Client Hello when the define
5784 = Version 1.2.5 released 2013-02-02
5786 * Allow enabling of dummy error_strerror() to support some use-cases
5789 * Sending of security-relevant alert messages that do not break
5797 = Version 1.2.4 released 2013-01-25
5809 = Version 1.2.3 released 2012-11-26
5813 = Version 1.2.2 released 2012-11-24
5817 * During verify trust-CA is only checked for expiration and CRL presence
5823 = Version 1.2.1 released 2012-11-20
5826 bottom-up (Peer cert depth is 0)
5832 Pégourié-Gonnard)
5834 Pégourié-Gonnard)
5837 = Version 1.2.0 released 2012-10-31
5843 * Added support for multi-domain certificates through the X509 Subject
5870 * Fixed const-correctness mpi_get_bit()
5905 = Version 1.1.8 released on 2013-10-01
5911 * Potential buffer-overflow for ssl_read_record() (independently found by
5916 = Version 1.1.7 released on 2013-06-19
5925 * Fixed values for 2-key Triple DES in cipher layer
5930 PEM-encoded certificates has been fixed (found by Jack Lloyd)
5932 = Version 1.1.6 released on 2013-03-11
5937 * Allow enabling of dummy error_strerror() to support some use-cases
5948 = Version 1.1.5 released on 2013-01-16
5959 Pégourié-Gonnard)
5961 Pégourié-Gonnard)
5972 = Version 1.1.4 released on 2012-05-31
5978 = Version 1.1.3 released on 2012-04-29
5982 = Version 1.1.2 released on 2012-04-26
5989 Frama-C team at CEA LIST)
5993 = Version 1.1.1 released on 2012-01-23
5997 * Fixed issues with Intel compiler on 64-bit systems (Closes ticket #50)
6001 = Version 1.1.0 released on 2011-12-22
6003 * Added ssl_session_reset() to allow better multi-connection pools of
6004 SSL contexts without needing to set all non-connection-specific
6011 * Added CTR_DRBG based on AES-256-CTR (NIST SP 800-90) random generator
6020 * Increased maximum size of ASN1 length reads to 32-bits.
6025 * Changed the defined key-length of DES ciphers in cipher.h to include the
6030 trade-off
6039 encountering a parse-error. Beware that the meaning of return values has
6044 * Fixed faulty HMAC-MD2 implementation. Found by dibac. (Closes
6050 * Fixed incorrect behaviour in case of RSASSA-PSS with a salt length
6059 = Version 1.0.0 released on 2011-07-27
6072 = Version 0.99-pre5 released on 2011-05-26
6105 = Version 0.99-pre4 released on 2011-04-01
6108 for the RSAES-OAEP and RSASSA-PSS operations.
6123 platform (32-bit / 64-bit) (Fixes ticket #19, found by Mads
6127 * Fixed proper handling of RSASSA-PSS verification with variable
6130 = Version 0.99-pre3 released on 2011-02-28
6131 This release replaces version 0.99-pre2 which had possible copyright issues.
6156 * Fixed a possible Man-in-the-Middle attack on the
6160 = Version 0.99-pre1 released on 2011-01-30
6162 Note: Most of these features have been donated by Fox-IT
6179 libpkcs11-helper library
6190 = Version 0.14.0 released on 2010-08-16
6194 * Added compile-time and run-time version information
6214 = Version 0.13.1 released on 2010-03-24
6219 = Version 0.13.0 released on 2010-03-21
6235 * Added reset function for HMAC context as speed-up
6236 for specific use-cases
6247 = Version 0.12.1 released on 2009-10-04
6258 = Version 0.12.0 released on 2009-07-28
6262 Base64, MPI, SHA-family, MD-family, HMAC-SHA-family,
6263 Camellia, DES, 3-DES, RSA PKCS#1, XTEA, Diffie-Hellman
6279 * Fixed HMAC-MD2 by modifying md2_starts(), so that the
6300 * Fixed Camellia and XTEA for 64-bit Windows systems.
6302 = Version 0.11.1 released on 2009-05-17
6303 * Fixed missing functionality for SHA-224, SHA-256, SHA-384,
6304 SHA-512 in rsa_pkcs1_sign()
6306 = Version 0.11.0 released on 2009-05-03
6310 * Added support for SHA-224, SHA-256, SHA-384 and SHA-512
6320 * Made definition of net_htons() endian-clean for big endian
6324 * Fixed an off-by-one buffer allocation in ssl_set_hostname()
6329 * Fixed compatibility of XTEA and Camellia on a 64-bit system
6332 = Version 0.10.0 released on 2009-01-12
6344 = Version 0.9 released on 2008-03-16
6350 be sent twice in non-blocking mode when send returns EAGAIN
6353 * Added user-defined callback debug function (Krystian Kolodziej)
6359 output data is non-aligned by falling back to the software
6360 implementation, as VIA Nehemiah cannot handle non-aligned buffers
6362 Robson-Garth; some x509write.c fixes by Pascal Vizeli, thanks to
6371 * Updated rsa_check_privkey() to verify that (D*E) = 1 % (P-1)*(Q-1)
6376 * Fixed a critical denial-of-service with X.509 cert. verification:
6379 * Added test vectors for: AES-CBC, AES-CFB, DES-CBC and 3DES-CBC,
6380 HMAC-MD5, HMAC-SHA1, HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512
6381 * Fixed HMAC-SHA-384 and HMAC-SHA-512 (thanks to Josh Sinykin)
6384 as the Klima-Pokorny-Rosa extension of Bleichenbacher's attack
6385 * Updated rsa_gen_key() so that ctx->N is always nbits in size
6389 = Version 0.8 released on 2007-10-20
6397 * Added user-defined callbacks for handling I/O and sessions
6401 * Added AES-CFB mode of operation, contributed by chmike
6405 * Updated ssl_read() to skip 0-length records from OpenSSL
6407 * Fixed a bug in mpi_read_binary() on 64-bit platforms
6414 = Version 0.7 released on 2007-07-07
6416 * Added support for the MicroBlaze soft-core processor
6418 connections from being established with non-blocking I/O
6422 * Added the SHA-224, SHA-384 and SHA-512 hash functions
6430 = Version 0.6 released on 2007-04-01
6436 * Added multiply assembly code for 64-bit PowerPCs,
6440 * Fixed "long long" compilation issues on IA-64 and PPC64
6441 * Fixed a bug introduced in xyssl-0.5/timing.c: hardclock
6444 = Version 0.5 released on 2007-03-01
6447 * Added (beta) support for non-blocking I/O operations
6450 (thanks to Benjamin Newman), HP-UX, FreeBSD and Solaris
6455 = Version 0.4 released on 2007-02-01
6457 * Added support for Ephemeral Diffie-Hellman key exchange
6468 = Version 0.3 released on 2007-01-01
6470 * Added server-side SSLv3 and TLSv1.0 support
6479 = Version 0.2 released on 2006-12-01
6490 the Miller-Rabin primality test
6492 I'd also like to thank Younès Hafri for the CRUX Linux port,
6494 who maintains the Debian package :-)
6496 = Version 0.1 released on 2006-11-01