Lines Matching +full:restore +full:- +full:keys

3 = Mbed TLS 3.6.4 branch released 2025-06-30
7 client and server to extract additional shared symmetric keys from an SSL
8 session, according to the TLS-Exporter specification in RFC 8446 and 5705.
15 CVE-2025-49601
19 CVE-2025-49600
30 CVE-2025-52496
31 * Fix possible use-after-free or double-free in code calling
36 they were free()d, resulting in high risk of use-after-free or double-free,
39 were affected (use-after-free if the san string contains more than one DN).
42 CVE-2025-47917
54 CVE-2025-48965
56 keys, which could be used by an attacker capable of feeding encrypted
57 PEM keys to a user. This could cause a crash or information disclosure.
59 CVE-2025-52497
65 CVE-2025-49087
70 "union foo x = {0}" does not initialize non-default members of the
72 multipart operations, MAC-based key derivation operations, interruptible
74 when using third-party drivers. This also affected one-shot MAC
75 operations using the built-in implementation. Fixes #9814.
77 ("xxx_setup"), the operation object is supposed to be all-bits-zero.
80 non-default members of the union. The PSA core now ensures that this
84 * Silence spurious -Wunterminated-string-initialization warnings introduced
87 keys with a different LMS or LM-OTS types on some platforms. Specifically,
113 = Mbed TLS 3.6.3 branch released 2025-03-24
119 if certificate-based authentication of the server is attempted.
121 to expect is usually insecure. To restore the old behavior, either
123 enable the new compile-time option
128 uses static storage for keys, enabling malloc-less use of key slots.
143 if they use certificate authentication (i.e. not pre-shared keys).
149 CVE-2025-27809
157 CVE-2025-27810
170 * Fix compilation on MS-DOS DJGPP. Fixes #9813.
171 * Fix missing constraints on the AES-NI inline assembly which is used on
172 GCC-like compilers when building AES for generic x86_64 targets. This
175 * Support re-assembly of fragmented handshake messages in TLS (both
193 * Improve performance of PSA key generation with ECC keys: it no longer
196 = Mbed TLS 3.6.2 branch released 2024-10-14
204 and MBEDTLS_MPI_MAX_SIZE is smaller than needed for a 4096-bit RSA key.
205 CVE-2024-49195
207 = Mbed TLS 3.6.1 branch released 2024-08-30
217 * In a PSA-client-only build (i.e. MBEDTLS_PSA_CRYPTO_CLIENT &&
234 They have almost exactly the same interface, but the variable-length
239 - DES (including 3DES).
240 - PKCS#1v1.5 encryption/decryption (RSAES-PKCS1-v1_5).
242 - Finite-field Diffie-Hellman with custom groups.
244 - Elliptic curves of size 225 bits or less.
247 - TLS_RSA_* (including TLS_RSA_PSK_*), i.e. cipher suites using
250 - TLS_ECDH_*, i.e. cipher suites using static ECDH.
252 - TLS_DHE_*, i.e. cipher suites using finite-field Diffie-Hellman.
254 - TLS_*CBC*, i.e. all cipher suites using CBC.
255 * The following low-level application interfaces are planned to be removed
257 - Hashes: hkdf.h, md5.h, ripemd160.h, sha1.h, sha3.h, sha256.h, sha512.h;
258 - Random generation: ctr_drbg.h, hmac_drbg.h, entropy.h;
259 - Ciphers and modes: aes.h, aria.h, camellia.h, chacha20.h, chachapoly.h,
261 - Private key encryption mechanisms: pkcs5.h, pkcs12.h.
262 - Asymmetric cryptography: bignum.h, dhm.h, ecdh.h, ecdsa.h, ecjpake.h,
268 the PSA transition guide (docs/psa-transition.md).
271 - MBEDTLS_xxx_ALT replacement of cryptographic modules and functions.
273 - MBEDTLS_PK_RSA_ALT and MBEDTLS_PSA_CRYPTO_SE_C.
278 the number of volatile PSA keys is virtually unlimited, at the expense
286 CVE-2024-45157
292 CVE-2024-45158
294 client, if the client-provided certificate does not have appropriate values
303 CVE-2024-45159
308 * Fix compilation error when memcpy() is a function-like macro. Fixes #8994.
314 non-existent key while concurrently creating a new key could potentially
325 * Fix the build when MBEDTLS_PSA_CRYPTO_CONFIG is enabled and the built-in
326 CMAC is enabled, but no built-in unauthenticated cipher is enabled.
332 * Fix interference between PSA volatile keys and built-in keys
336 to persistent keys. Resolves #9253.
340 MBEDTLS_SSL_CLI_C is disabled. Reported by M-Bab on GitHub in #9186.
342 some code was defining 0-size arrays, resulting in compilation errors.
345 * Fix unintended performance regression when using short RSA public keys.
374 * Fixed a regression introduced in 3.6.0 where context-specific certificate
377 upgraded to TLS 1.3. Fixed by adding support for context-specific verify
390 = Mbed TLS 3.6.0 branch released 2024-03-28
398 * psa_import_key() now only accepts RSA keys in the PSA standard formats.
429 * Support Armv8-A Crypto Extension acceleration for SHA-256
430 when compiling for Thumb (T32) or 32-bit Arm (A32).
431 * AES-NI is now supported in Windows builds with clang and clang-cl.
437 This affects both the low-level modules and the high-level APIs
440 * Support use of Armv8-A Cryptographic Extensions for hardware accelerated
441 AES when compiling for Thumb (T32) or 32-bit Arm (A32).
443 library without the corresponding built-in implementation. Generally
445 or they'll both be built in. However, for CCM and GCM the built-in
448 docs/driver-only-builds.md for full details and current limitations.
456 unauthenticated (non-AEAD) ciphers are disabled, or if they're all
457 fully provided by drivers. See docs/driver-only-builds.md for full
464 * Improve performance of AES-GCM, AES-CTR and CTR-DRBG when
465 hardware accelerated AES is not present (around 13-23% on 64-bit Arm).
479 * Add support for using AES-CBC 128, 192, and 256 bit schemes
480 with PKCS#5 PBES2. Keys encrypted this way can now be parsed by PK parse.
483 * Add pc files for pkg-config, e.g.:
484 pkg-config --cflags --libs (mbedtls|mbedcrypto|mbedx509)
492 * Add support for 8-bit GCM tables for Shoup's algorithm to speedup GCM
494 performance by around 30% on 64-bit Intel; 125% on Armv7-M.
514 * Add new accessors to expose the private session-id,
515 session-id length, and ciphersuite-id members of
517 Add new accessor to expose the ciphersuite-id of
520 docs/tls13-early-data.md). The support enablement is controlled at build
527 docs/architecture/psa-thread-safety/psa-thread-safety.md for more details.
534 Fixes CVE-2024-30166.
544 Note that setting this option will cause input-output buffer overlap to
546 Fixes CVE-2024-28960.
547 * Restore the maximum TLS version to be negotiated to the configured one
552 Fixes CVE-2024-28755.
555 - If the TLS 1.2 implementation was disabled at build time, a TLS 1.2
556 client could put the TLS 1.3-only server in an infinite loop processing
559 - If the TLS 1.2 implementation was disabled at runtime, a TLS 1.2 client
562 Fixes CVE-2024-28836.
565 * Fix the build with CMake when Everest or P256-m is enabled through
576 * Fix build failure in conda-forge. Fixes #8422.
587 (psa_asymmetric_[en|de]crypt) with opaque keys.
589 * On Linux on ARMv8, fix a build error with SHA-256 and SHA-512
593 TLS12_PSK_TO_MS, PBKDF2-HMAC, PBKDF2-CMAC
594 * Fix mbedtls_pk_get_bitlen() for RSA keys whose size is not a
599 decrypted keys and it rejects invalid ones.
601 mbedtls_pk_encrypt() on non-opaque RSA keys to honor the padding mode in
615 * Fix RSA opaque keys always using PKCS1 v1.5 algorithms instead of the
640 * RSA support in PSA no longer auto-enables the pkparse and pkwrite modules,
651 = Mbed TLS 3.5.2 branch released 2024-01-26
662 could result in an integer overflow, causing a zero-length buffer to be
666 = Mbed TLS 3.5.1 branch released 2023-11-06
669 * Mbed TLS is now released under a dual Apache-2.0 OR GPL-2.0-or-later
676 = Mbed TLS 3.5.0 branch released 2023-10-05
679 * Mbed TLS 3.4 introduced support for omitting the built-in implementation
680 of ECDSA and/or EC J-PAKE when those are provided by a driver. However,
681 there was a flaw in the logic checking if the built-in implementation, in
684 accelerated and still have the built-in implementation compiled out.
687 considered not accelerated, and the built-in implementation of the curves
722 provided - these limitations are lifted in this version. A new set of
725 they're provided by a built-in implementation, a driver or both. See
726 docs/driver-only-builds.md.
731 TLS 1.2 (ECDHE-ECDSA key exchange) are not supported in those builds yet,
733 * When all of ECDH, ECDSA and EC J-PAKE are either disabled or provided by
735 if not required by another module) and still get support for ECC keys and
736 algorithms in PSA, with some limitations. See docs/driver-only-builds.txt
740 * Add support for server-side TLS version negotiation. If both TLS 1.2 and
746 public and private keys in RFC 8410 format using the existing PK APIs.
752 parameters from RFC 7919. This includes a built-in implementation based
764 string to a DER-encoded mbedtls_asn1_buf.
765 * Add SHA-3 family hash functions.
766 * Add support to restrict AES to 128-bit keys in order to save code size.
771 Aarch64, gcc -Os and CCM, GCM and XTS benefit the most.
772 On Aarch64, uplift is typically around 20 - 110%.
773 When compiling with gcc -Os on Aarch64, AES-XTS improves
775 * Add support for PBKDF2-HMAC through the PSA API.
781 - DERIVE is only available for ECC keys, not for RSA or DH ones.
782 - implementations are free to enable more than what it was strictly
787 and the ephemeral or psk-ephemeral key exchange mode are enabled.
800 * Support for "opaque" (PSA-held) ECC keys in the PK module has been
803 mbedtls_pk_verify() with opaque ECC keys (provided the PSA attributes
809 * Add support for PBKDF2-CMAC through the PSA API.
811 using CPU-accelerated AES (e.g., Arm Crypto Extensions), this option
812 disables the plain C implementation and the run-time detection for the
839 (notably recent versions of Clang and IAR) could produce non-constant
842 * Updates to constant-time C code so that compilers are less likely to use
845 implementations for 32- and 64-bit Arm and for x86 and x86-64, which are
853 null-cipher cipher suites. Credit to OSS-Fuzz.
855 In TLS 1.3, all configurations are affected except PSK-only ones, and
860 Credit to OSS-Fuzz.
865 than all built-in ones and RSA is disabled.
879 * Fix the J-PAKE driver interface for user and peer to accept any values
882 M-class CPUs (Cortex-M0, Cortex-M0+, Cortex-M1, Cortex-M23,
900 example TF-M configuration in configs/ from building cleanly:
905 one of the key exchange modes using ephemeral keys to a server that
915 * Fix a potential corruption of the passed-in IV when mbedtls_aes_crypt_cbc()
925 mbedtls_x509_san_other_name struct. The type-id of the otherName was not
932 enabled, where some low-level modules required by requested PSA crypto
940 * mbedtls_pk_parse_key() now rejects trailing garbage in encrypted keys.
941 * Fix the build with CMake when Everest or P256-m is enabled through
946 compiling with gcc, clang or armclang and -O0.
964 = Mbed TLS 3.4.1 branch released 2023-08-04
970 * Update test data to avoid failures of unit tests after 2023-08-07.
972 = Mbed TLS 3.4.0 branch released 2023-03-28
987 optionally providing file-specific error pairs. Please see psa_util.h for
994 - Only the signed-data content type, version 1 is supported.
995 - Only DER encoding is supported.
996 - Only a single digest algorithm per message is supported.
997 - Certificates must be in X.509 format. A message must have either 0
999 - There is no support for certificate revocation lists.
1000 - The authenticated and unauthenticated attribute fields of SignerInfo
1003 contributing this feature, and to Demi-Marie Obenour for contributing
1007 * Improvements to use of unaligned and byte-swapped memory, reducing code
1018 * Add parsing of V3 extensions (key usage, Netscape cert-type,
1021 configuration-independent files. This allows them to be generated when
1038 * Add a driver dispatch layer for EC J-PAKE, enabling alternative
1039 implementations of EC J-PAKE through the driver entry points.
1043 * Add support for AES with the Armv8-A Cryptographic Extension on
1044 64-bit Arm. A new configuration option, MBEDTLS_AESCE_C, can
1045 be used to enable this feature. Run-time detection is supported
1047 * When a PSA driver for EC J-PAKE is present, it is now possible to disable
1052 to read non-public fields for padding mode and hash id from
1054 * AES-NI is now supported with Visual Studio.
1055 * AES-NI is now supported in 32-bit builds, or when MBEDTLS_HAVE_ASM
1058 gcc -m32 -msse2 -maes -mpclmul). (Generic x86 builds with GCC-like
1059 compilers still require MBEDTLS_HAVE_ASM and a 64-bit target.)
1060 * It is now possible to use a PSA-held (opaque) password with the TLS 1.2
1065 * Use platform-provided secure zeroization function where possible, such as
1068 * Fix a potential heap buffer overread in TLS 1.3 client-side when
1070 * Add support for AES with the Armv8-A Cryptographic Extension on 64-bit
1071 Arm, so that these systems are no longer vulnerable to timing side-channel
1075 builds that couldn't compile the GCC-style assembly implementation
1077 timing side-channel attacks. There is now an intrinsics-based AES-NI
1102 forbidden by the standard (RFC5280 - section 4.1.2.2) and now it's being
1120 * Reject OIDs with overlong-encoded subidentifiers when converting
1125 have the most-significant bit set in their last byte.
1126 * Silence warnings from clang -Wdocumentation about empty \retval
1130 * Fix an unused-variable warning in TLS 1.3-only builds if
1134 * Allow setting user and peer identifiers for EC J-PAKE operation
1141 * Fix TLS 1.3 session resumption when the established pre-shared key is
1142 384 bits long. That is the length of pre-shared keys created under a
1153 * Mixed-endian systems are explicitly not supported any more.
1162 - now it accepts the serial number in 2 different formats: decimal and
1164 - "serial" is used for the decimal format and it's limited in size to
1166 - "serial_hex" is used for the hex format; max length here is
1171 https://mbed-tls.readthedocs.io/en/latest/kb/how-to/rewrite-branch-for-coding-style/
1177 to best results when tested on Cortex-M4 and Intel i7.
1183 = Mbed TLS 3.3.0 branch released 2022-12-14
1189 RFC 9146, which is not interoperable with the draft-05 version.
1193 standard (non-draft) version.
1217 * Expose the EC J-PAKE functionality through the Draft PSA PAKE Crypto API.
1218 Only the ECC primitive with secp256r1 curve and SHA-256 hash algorithm
1221 built-in implementation present, but only in some configurations.
1222 - RSA OAEP and PSS (PKCS#1 v2.1), PKCS5, PKCS12 and EC J-PAKE now use
1224 - PEM parsing of encrypted files now uses MD-5 from PSA when (and only
1230 all hashes only provided by drivers (no built-in hash) is to use
1234 As a consequence, they now work in configurations where the built-in
1236 provided by PSA drivers. (See previous entry for limitation on RSA-PSS
1238 * Add support for opaque keys as the private keys associated to certificates
1240 * Add the LMS post-quantum-safe stateful-hash asymmetric signature scheme.
1241 Signature verification is production-ready, but generation is for testing
1247 * Add the LM-OTS post-quantum-safe one-time signature scheme, which is
1250 * Mbed TLS now supports TLS 1.3 key establishment via pre-shared keys.
1251 The pre-shared keys can be provisioned externally or via the ticket
1269 * The TLS 1.2 EC J-PAKE key exchange can now use the PSA Crypto API.
1280 * Add an ad-hoc key derivation function handling EC J-PAKE to PMS
1282 as described in draft-cragie-tls-ecjpake-01. This can be achieved by
1292 victim performing a single private-key operation if the window size used
1294 Wenjian HE, Sharad Sinha, and Wei ZHANG. See "Cache Side-channel Attacks
1295 and Defenses of the Sliding Window Algorithm in TEEs" - Design, Automation
1299 * Refactor mbedtls_aes_context to support shallow-copying. Fixes #2147.
1300 * Fix an issue with in-tree CMake builds in releases with GEN_FILES
1303 * Fix a long-standing build failure when building x86 PIC code with old
1306 * Fix support for little-endian Microblaze when MBEDTLS_HAVE_ASM is defined.
1334 PSA drivers for AEAD (GCM, CCM, Chacha20-Poly1305).
1351 * Fix a bug in which mbedtls_x509_crt_info() would produce non-printable
1358 * In the bignum module, operations of the form (-A) - (+A) or (-A) - (-A)
1372 to OSS-Fuzz. Fixes #6597.
1375 * Move some SSL-specific code out of libmbedcrypto where it had been placed
1382 * Calling AEAD tag-specific functions for non-AEAD algorithms (which
1383 should not be done - they are documented for use only by AES-GCM and
1387 = Mbed TLS 3.2.1 branch released 2022-07-12
1390 * Re-add missing generated file library/psa_crypto_driver_wrappers.c
1392 = Mbed TLS 3.2.0 branch released 2022-07-11
1444 keys. Fixes #3260.
1448 * Add mbedtls_pk_sign_ext() which allows generating RSA-PSS signatures when
1464 mixed-PSK. Add an optional input PSA_KEY_DERIVATION_INPUT_OTHER_SECRET
1473 * Add HKDF-Expand and HKDF-Extract as separate algorithms in the PSA API.
1474 * Add support for the ARMv8 SHA-2 acceleration instructions when building
1480 * Add support for client-side TLS version negotiation. If both TLS 1.2 and
1486 establishment only). See docs/architecture/tls13-support.md for a
1494 docs/use-psa-crypto.md for the list of exceptions.
1496 Opaque keys can now be used everywhere a private key is expected in the
1498 * Opaque pre-shared keys for TLS, provisioned with
1501 for the "mixed" PSK key exchanges as well: ECDHE-PSK, DHE-PSK, RSA-PSK.
1502 * cmake now detects if it is being built as a sub-project, and in that case
1511 * Zeroize dynamically-allocated buffers used by the PSA Crypto key storage
1520 * Fix a potential heap buffer overread in TLS 1.2 server-side when
1527 or a man-in-the-middle could cause a DTLS server to read up to 255 bytes
1557 enabled and an ECDHE-ECDSA or ECDHE-RSA key exchange was used, the
1571 * Fix a race condition in out-of-source builds with CMake when generated data
1577 the function needs to be re-called after initially returning
1623 non-compliant. This could not lead to a buffer overflow. In particular,
1643 see docs/proposed/psa-driver-wrappers-codegen-migration-guide.md
1644 * Return PSA_ERROR_INVALID_ARGUMENT if the algorithm passed to one-shot
1649 * Assume source files are in UTF-8 when using MSVC with CMake.
1662 = mbed TLS 3.1.0 branch released 2021-12-17
1674 POSIX/Unix-like platforms.
1677 * Sign-magnitude and one's complement representations for signed integers are
1696 supported on GCC-like compilers and on MSVC and can be configured through
1705 * Add support for CCM*-no-tag cipher to the PSA.
1706 Currently only 13-byte long IVs are supported.
1707 For decryption a minimum of 16-byte long input is expected.
1715 protocol. See docs/architecture/tls13-support.md for the definition of
1727 man-in-the-middle to inject fake ciphertext into a DTLS connection.
1736 * Fix a double-free that happened after mbedtls_ssl_set_session() or
1745 The check was accidentally not performed when cross-compiling for Windows
1757 * Fix mbedtls_cipher_crypt: AES-ECB when MBEDTLS_USE_PSA_CRYPTO is enabled.
1758 * Failures of alternative implementations of AES or DES single-block
1762 where this function cannot fail, or full-module replacements with
1767 * Fix compile-time or run-time errors in PSA
1771 psa_aead_finish() and psa_aead_verify() does not apply to the built-in
1774 the built-in implementation of the GCM.
1776 input buffer size is valid only for the built-in implementation of GCM.
1810 oversight during the run-up to the release of Mbed TLS 3.0.
1812 * Implement multi-part CCM API.
1813 The multi-part functions: mbedtls_ccm_starts(), mbedtls_ccm_set_lengths(),
1823 * Improve the performance of base64 constant-flow code. The result is still
1824 slower than the original non-constant-flow implementation, but much faster
1825 than the previous constant-flow implementation. Fixes #4814.
1826 * Ignore plaintext/ciphertext lengths for CCM*-no-tag operations.
1830 ChaCha20-Poly1305 is invalid, and not just unsupported.
1837 * The generated configuration-independent files are now automatically
1838 generated by the CMake build system on Unix-like systems. This is not
1839 yet supported when cross-compiling.
1841 = Mbed TLS 3.0.0 branch released 2021-07-07
1850 https://mbed-tls.readthedocs.io/en/latest/kb/how-to/add-entropy-sources-to-entropy-pool/ for
1854 header compat-1.3.h and the script rename.pl.
1856 Transfer keys and certificates embedded in the library to the test
1858 users from using unsafe keys in production.
1873 * Drop support for TLS record-level compression (MBEDTLS_ZLIB_SUPPORT).
1875 * Drop support for single-DES ciphersuites.
1879 key type used, as well as the key bit-size in the case of
1894 when outputting a SHA-384 or SHA-224 hash into a buffer of exactly
1915 session-ID based session resumption) has changed to that of
1916 a key-value store with keys being session IDs and values
1930 * For multi-part AEAD operations with the cipher module, calling
1935 * The option MBEDTLS_ECP_FIXED_POINT_OPTIM use pre-computed comb tables
1972 Raw keys and IVs are no longer passed to the callback.
1977 context are now connection-specific.
1986 * Implement one-shot cipher functions, psa_cipher_encrypt and
1999 They are: ARIA block cipher, CMAC mode, elliptic curve J-PAKE library and
2000 Key Wrapping mode as defined in NIST SP 800-38F. Fixes #4036.
2012 release, some configuration-independent files are now generated at build
2023 compile-time option, which was off by default. Users should not trust
2024 certificates signed with SHA-1 due to the known attacks against SHA-1.
2025 If needed, SHA-1 certificates can still be verified by using a custom
2033 https://lists.trustedfirmware.org/pipermail/mbed-tls/2020-April/000024.html
2037 compile-time option. This option has been inactive for a long time.
2040 * Remove the following deprecated functions and constants of hex-encoded
2066 * The RSA module no longer supports private-key operations with the public
2106 using a CCM-8 ciphersuite than a CBC ciphersuite with truncated HMAC.
2108 * Remove the compile-time option
2116 * Added support for built-in driver keys through the PSA opaque crypto
2120 * The multi-part GCM interface (mbedtls_gcm_update() or
2123 * The multi-part GCM interface now supports chunked associated data through
2130 See docs/architecture/alternative-implementations.md for the remaining
2133 query the size of the modulus in a Diffie-Hellman context.
2135 Diffie-Hellman context.
2143 * Fix a bias in the generation of finite-field Diffie-Hellman-Merkle (DHM)
2144 private keys and of blinding values for DHM and elliptic curves (ECP)
2155 victim performing a single private-key operation. Found and reported by
2158 information (typically, a co-located process) could recover a Curve25519
2160 observing the victim performing the corresponding private-key operation.
2178 * Fix a bug in ECDSA that would cause it to fail when the hash is all-bits
2183 mbedtls_mpi_read_string() was called on "-0", or when
2189 * In a TLS client, enforce the Diffie-Hellman minimum parameter size
2200 * The cipher suite TLS-RSA-WITH-CAMELLIA-256-GCM-SHA384 was not available
2201 when SHA-1 was disabled and was offered when SHA-1 was enabled but SHA-384
2203 * Do not offer SHA384 cipher suites when SHA-384 is disabled. Fixes #4499.
2205 Arm Cortex-M. Fixes #4530.
2207 directive in a header and a missing initialization in the self-test.
2208 * Fix a missing initialization in the Camellia self-test, affecting
2210 * Restore the ability to configure PSA via Mbed TLS options to support RSA
2215 (when the encrypt-then-MAC extension is not in use) with some ALT
2216 implementations of the underlying hash (SHA-1, SHA-256, SHA-384), causing
2218 * Remove outdated check-config.h check that prevented implementing the
2230 * psa_verify_hash() was relying on implementation-specific behavior of
2241 Credit to OSS-Fuzz. Fixes #4641.
2245 * The PSA API no longer allows the creation or destruction of keys with a
2246 read-only lifetime. The persistence level PSA_KEY_PERSISTENCE_READ_ONLY
2247 can now only be used as intended, for keys that cannot be modified through
2267 * Remove configs/config-psa-crypto.h, which no longer had any intended
2307 = mbed TLS 2.26.0 branch released 2021-03-08
2340 tweaking the setting for the maximum amount of keys simultaneously in RAM.
2341 MBEDTLS_PSA_KEY_SLOT_COUNT sets the maximum number of volatile keys that
2361 length, or when the entropy module uses SHA-256 and CTR_DRBG uses AES-256.
2367 |A| - |B| where |B| is larger than |A| and has more limbs (so the
2374 value the function might fail to write a private RSA key of the largest
2384 * Fix use-after-scope error in programs/ssl/ssl_client2.c and ssl_server2.c
2395 fail. Such a double-free was not safe when MBEDTLS_THREADING_C was
2397 * Fix a resource leak in a bad-arguments case of mbedtls_rsa_gen_key()
2401 both the old SE interface and the new PSA driver interface, external keys were
2405 include this extension in all CA certificates that contain public keys
2408 the extension was always marked as non-critical. This was fixed by
2418 = mbed TLS 2.25.0 branch released 2020-12-11
2430 mbedtls_cipher_auth_decrypt_ext() instead. Credit to OSS-Fuzz and
2455 This is currently non-standard behaviour, but expected to make it into a
2462 * Add support for DTLS-SRTP as defined in RFC 5764. Contributed by Johan
2464 * In the PSA API, it is no longer necessary to open persistent keys:
2466 identical to psa_key_id_t instead of being platform-defined. This bridges
2468 version 1.0.0. Opening persistent keys is still supported for backward
2484 generating Diffie-Hellman key pairs. Credit to OSS-Fuzz.
2488 are implemented. This could cause failures or the silent use of non-random
2520 * Use socklen_t on Android and other POSIX-compliant system
2521 * Fix the build when the macro _GNU_SOURCE is defined to a non-empty value.
2538 * Fix an off-by-one error in the additional data length check for
2539 CCM, which allowed encryption with a non-standard length field.
2546 * psa_set_key_id() now also sets the lifetime to persistent for keys located
2548 * Attempting to create a volatile key with a non-zero key identifier now
2557 * Fix a case in elliptic curve arithmetic where an out-of-memory condition
2575 attribute. No automatic upgrade path is provided. Previously stored keys
2577 specification (docs/architecture/mbed-crypto-storage-specification.md).
2581 zeroize the pointed-to buffer. Reported by Antonio de la Piedra, CEA
2584 = mbed TLS 2.24.0 branch released 2020-09-01
2587 * In the PSA API, rename the types of elliptic curve and Diffie-Hellman
2597 * Stop storing persistent information about externally stored keys created
2602 * The new function mbedtls_ecp_write_key() exports private ECC keys back to
2605 -Wformat-signedness, and fix the code that causes signed-one-bit-field
2606 and sign-compare warnings. Contributed by makise-homura (Igor Molchanov)
2615 attacker could for example impersonate a 4-bytes or 16-byte domain by
2631 Encrypt-then-Mac extension, use constant code flow memory access patterns
2634 effective against network-based attackers, but less so against local
2636 if they have access to fine-grained measurements. In particular, this
2640 * Fix side channel in RSA private key operations and static (finite-field)
2641 Diffie-Hellman. An adversary with precise enough timing and memory access
2643 enclave) could bypass an existing counter-measure (base blinding) and
2645 * Fix a 1-byte buffer overread in mbedtls_x509_crl_parse_der().
2646 Credit to OSS-Fuzz for detecting the problem and to Philippe Antoine
2658 * Fix the endianness of Curve25519 keys imported/exported through the PSA
2660 Montgomery keys in little-endian as defined by RFC7748. Contributed by
2663 curves. Raised by signpainter in #941 and by Taiki-San in #1412. This
2665 * Fix self-test failure when the only enabled short Weierstrass elliptic
2677 * Only pass -Wformat-signedness to versions of GCC that support it. Reported
2692 these applications with password-protected key files. Analogously but for
2697 = mbed TLS 2.23.0 branch released 2020-07-01
2704 instead of the keys' lifetime. If the library is upgraded on an existing
2705 device, keys created with the old lifetime value will not be readable or
2710 high- and low-level error codes, complementing mbedtls_strerror()
2714 * The new utility programs/ssl/ssl_context_info prints a human-readable
2731 Ming-Wei Shih, Prasun Gera, Taesoo Kim and Hyesoon Kim (Georgia Institute
2742 * Fix issue in Lucky 13 counter-measure that could make it ineffective when
2778 * Fix false positive uninitialised variable reported by cpp-check.
2787 clean of -Wformat-signedness warnings. Contributed by Kenneth Soerensen
2799 * Fix mbedtls_x509_dn_gets to escape non-ASCII characters as "?".
2811 `MBEDTLS_CTR_DRBG_C` or `MBEDTLS_HMAC_DRBG_C` for some side-channel
2820 = mbed TLS 2.22.0 branch released 2020-04-14
2841 Billy Brumley and Cesar Pereida Garcia. CVE-2020-10932
2867 = mbed TLS 2.21.0 branch released 2020-02-20
2873 * Deprecate for MBEDTLS_PKCS11_C, the wrapper around the pkcs11-helper
2874 library which allows TLS authentication to use keys stored in a
2880 probability (of the order of 2^-n where n is the bitsize of the curve)
2888 ARMmbed/mbed-crypto#352
2891 * The new build option MBEDTLS_SHA512_NO_SHA384 allows building SHA-512
2892 support without SHA-384.
2901 PSA_ECC_CURVE_SECP_R1 with 256 bits is P256R1). ARMmbed/mbed-crypto#330
2907 * Fix some false-positive uninitialized variable warnings in X.509. Fix
2908 contributed by apple-ihack-geek in #2663.
2910 a cryptographic accelerator fails. ARMmbed/mbed-crypto#345
2912 RSA keys that would later be rejected by functions expecting private
2913 keys. Found by Catena cyber using oss-fuzz (issue 20467).
2915 accept some RSA keys with invalid values by silently fixing those values.
2917 = mbed TLS 2.20.0 branch released 2020-01-15
2943 blinded value, factor it (as it is smaller than RSA keys and not guaranteed
2960 to achieve the security strength defined by NIST SP 800-90A. You can
2963 msopiha-linaro in ARMmbed/mbed-crypto#307.
2966 * In the PSA API, forbid zero-length keys. To pass a zero-length input to a
2980 unsupported algorithm. Fixes ARMmbed/mbed-crypto#254.
2982 to OSS-Fuzz for finding a bug in an intermediate version of the fix.
2998 merely a robustness improvement. ARMmbed/mbed-crypto#323
3000 Alexander Krizhanovsky in ARMmbed/mbed-crypto#210.
3002 Lloyd and Fortanix Inc in ARMmbed/mbed-crypto#277.
3004 Alexander Krizhanovsky in ARMmbed/mbed-crypto#308.
3006 = mbed TLS 2.19.1 branch released 2019-09-16
3020 * Fix some false-positive uninitialized variable warnings in crypto. Fix
3021 contributed by apple-ihack-geek in #2663.
3023 = mbed TLS 2.19.0 branch released 2019-09-06
3034 * The deterministic ECDSA calculation reused the scheme's HMAC-DRBG to
3043 store it in non-volatile storage, and later using it for TLS session
3048 The feature is enabled at compile-time by MBEDTLS_SSL_RECORD_CHECKING
3051 (https://project-everest.github.io/). It can be enabled at compile time
3054 (32-bit and 64-bit) using GCC, Clang or Visual Studio. Contributed by
3062 * Add DER-encoded test CRTs to library/certs.c, allowing
3083 lead to successful parsing of ill-formed X.509 CRTs. Fixes #2437.
3084 * Fix multiple X.509 functions previously returning ASN.1 low-level error
3089 * Fix typo in net_would_block(). Fixes #528 reported by github-monoculture.
3110 address-sanitizer and enabling but not using MBEDTLS_ECP_RESTARTABLE.
3113 * Improve code clarity in x509_crt module, removing false-positive
3121 * Replace multiple uses of MD2 by SHA-256 in X.509 test suite. Fixes #821.
3125 * Add a Dockerfile and helper scripts (all-in-docker.sh, basic-in-docker.sh,
3126 docker-env.sh) to simplify running test suites on a Linux host. Contributed
3132 * Adds fuzz targets, especially for continuous fuzzing with OSS-Fuzz.
3138 = mbed TLS 2.18.1 branch released 2019-07-12
3148 = mbed TLS 2.18.0 branch released 2019-06-11
3155 * Add the Wi-SUN Field Area Network (FAN) device extended key usage.
3157 * It is now possible to perform RSA PKCS v1.5 signatures with RIPEMD-160 digest.
3160 and the used tls-prf.
3161 * Add public API for tls-prf function, according to requested enum.
3170 * Add support for draft-05 of the Connection ID extension, as specified
3171 in https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05.
3176 changed its IP or port. The feature is enabled at compile-time by setting
3177 MBEDTLS_SSL_DTLS_CONNECTION_ID (disabled by default), and at run-time
3183 and the used tls-prf.
3184 * Add public API for tls-prf function, according to requested enum.
3193 * Fix 1-byte buffer overflow in mbedtls_mpi_write_string() when
3195 OSS-Fuzz.
3211 Credit to OSS-Fuzz.
3214 * Server's RSA certificate in certs.c was SHA-1 signed. In the default
3215 mbedTLS configuration only SHA-2 signed certificates are accepted.
3219 updated to one that is SHA-256 signed. Fix contributed by
3230 = mbed TLS 2.17.0 branch released 2019-03-19
3234 which allows copy-less parsing of DER encoded X.509 CRTs,
3247 for the benefit of saving RAM, by disabling the new compile-time
3257 passed keys that belonged to different group, the first key's data was
3275 * Fix signed-to-unsigned integer conversion warning
3307 * Fix configuration queries in ssl-opt.sh. #2030
3308 * Ensure that ssl-opt.sh can be run in OS X. #2029
3309 * Re-enable certain interoperability tests in ssl-opt.sh which had previously
3314 = mbed TLS 2.16.0 branch released 2018-12-21
3332 mbedtls_ctr_drbg_update() -> mbedtls_ctr_drbg_update_ret()
3333 mbedtls_hmac_drbg_update() -> mbedtls_hmac_drbg_update_ret()
3337 the more generic per-module error codes MBEDTLS_ERR_xxx_BAD_INPUT_DATA.
3339 modules - AES, ARIA, Blowfish, CAMELLIA, CCM, GCM, DHM, ECP, ECDSA, ECDH,
3371 = mbed TLS 2.15.1 branch released 2018-11-30
3376 = mbed TLS 2.15.0 branch released 2018-11-23
3386 * Add unit tests for AES-GCM when called through mbedtls_cipher_auth_xxx()
3389 = mbed TLS 2.14.1 branch released 2018-11-30
3393 decryption that could lead to a Bleichenbacher-style padding oracle
3400 in the paper available here: http://cat.eyalro.net/cat.pdf CVE-2018-19608
3418 = mbed TLS 2.14.0 branch released 2018-11-19
3429 space and a PSK-(EC)DHE ciphersuite was used, this allowed an attacker
3434 adversary to construct non-primes that would be erroneously accepted as
3439 pairs or Diffie-Hellman parameters, but was insufficient to validate
3440 Diffie-Hellman parameters properly.
3447 constrained, single-threaded systems where ECC is time consuming and can
3453 implemented client-side, for ECDHE-ECDSA ciphersuites in TLS 1.2,
3459 * Extend RSASSA-PSS signature to allow a smaller salt size. Previously, PSS
3463 that comply with FIPS 186-4, including SHA-512 with a 1024-bit key.
3464 * Add support for 128-bit keys in CTR_DRBG. Note that using keys shorter
3483 Miller-Rabin rounds.
3490 * Fix a bug in the update function for SSL ticket keys which previously
3491 invalidated keys of a lifetime of less than a 1s. Fixes #1968.
3496 padded records in case of CBC ciphersuites using Encrypt-then-MAC.
3507 wildcards and non-ASCII characters being unusable in some DN attributes.
3509 Thomas-Dee.
3513 Reported by ole-de and ddhome2006. Fixes #882, #1642 and #1706.
3533 Thomas-Dee.
3535 Fixes #517 reported by github-monoculture.
3538 by FIPS-186-4.
3540 = mbed TLS 2.13.1 branch released 2018-09-06
3544 whose implementation should behave as a thread-safe version of gmtime().
3554 = mbed TLS 2.13.0 branch released 2018-08-31
3565 with the peer, as well as by a new per-connection MTU option, set using
3567 * Add support for auto-adjustment of MTU to a safe value during the
3572 * Add support for buffering out-of-order handshake messages in DTLS.
3574 compile-time constant MBEDTLS_SSL_DTLS_MAX_BUFFERING defined
3593 * Fix potential use-after-free in mbedtls_ssl_get_max_frag_len()
3604 (found by Catena cyber using oss-fuzz)
3616 * Add support for buffering of out-of-order handshake messages.
3621 = mbed TLS 2.12.0 branch released 2018-07-25
3624 * Fix a vulnerability in TLS ciphersuites based on CBC and using SHA-384,
3632 or CCM instead of CBC, using hash sizes other than SHA-384, or using
3633 Encrypt-then-Mac (RFC 7366) were not affected. The vulnerability was
3634 caused by a miscalculation (for SHA-384) in a countermeasure to the
3645 instead of CBC or using Encrypt-then-Mac (RFC 7366) were not affected.
3647 * Add a counter-measure against a vulnerability in TLS ciphersuites based
3653 Encrypt-then-Mac (RFC 7366) were not affected. Found by Kenny Paterson,
3657 * Add new crypto primitives from RFC 7539: stream cipher Chacha20, one-time
3658 authenticator Poly1305 and AEAD construct Chacha20-Poly1305. Contributed
3660 * Add support for CHACHA20-POLY1305 ciphersuites from RFC 7905.
3661 * Add platform support for the Haiku OS. (https://www.haiku-os.org).
3669 NIST SP 800-38F algorithms KW and KWP and by RFC 3394 and RFC 5649.
3696 CBC based ciphersuite is used together with Encrypt-then-MAC. Previously,
3701 * Fix ssl_client2 example to send application data with 0-length content
3706 * Fix build using -std=c99. Fixed by Nick Wilson.
3710 zero-length messages when using TLS 1.2. Contributed by Espressif Systems.
3712 when calling with a NULL salt and non-zero salt_len. Contributed by
3716 * Allow overriding the time on Windows via the platform-time abstraction.
3718 * Use gmtime_r/gmtime_s for thread-safety. Fixed by Nick Wilson.
3720 = mbed TLS 2.11.0 branch released 2018-06-18
3725 * Implement the HMAC-based extract-and-expand key derivation function
3728 * Add support for the XTS block cipher mode with AES (AES-XTS).
3732 non-blocking operation of the TLS server stack.
3749 = mbed TLS 2.10.0 branch released 2018-06-06
3768 build to fail. Found by zv-io. Fixes #1651.
3771 * Support TLS testing in out-of-source builds using cmake. Fixes #1193.
3775 = mbed TLS 2.9.0 branch released 2018-04-30
3782 would require a non DER-compliant certificate to be correctly signed by a
3783 trusted CA, or a trusted CA with a non DER-compliant certificate. Found by
3791 * Fix a client-side bug in the validation of the server's ciphersuite choice
3814 underlying transport in case event-driven IO is used.
3820 in configurations that omit certain hashes or public-key algorithms.
3829 * Fix parsing of PKCS#8 encoded Elliptic Curve keys. Previously Mbed TLS was
3830 unable to parse keys which had only the optional parameters field of the
3842 in the internal buffers; these cases led to deadlocks when event-driven
3859 public-key algorithms. Includes contributions by Gert van Dijk.
3879 letter must not be prefixed by '-', such as LLVM. Found and fixed by
3889 HMAC functions with non-HMAC ciphersuites. Independently contributed
3892 FIPS 186-4. Contributed by Jethro Beekman. #1380
3900 = mbed TLS 2.8.0 branch released 2018-03-16
3907 prior versions of Mbed TLS. To restore the old behavior, enable
3928 algorithms family when encrypting private keys using PKCS#5 v2.0.
3930 uses PBKDF2-SHA2, such as OpenSSL 1.1. Submitted by Antonio Quartulli,
3932 * Add support for public keys encoded in PKCS#1 format. #1122
3941 * Fix test_suite_pk to work on 64-bit ILP32 systems. #849
3967 * Fix a 1-byte heap buffer overflow (read-only) during private key parsing.
3981 = mbed TLS 2.7.0 branch released 2018-02-03
3989 both TLS and DTLS. CVE-2018-0488
3990 * Fix a buffer overflow in RSA-PSS verification when the hash was too large
3993 Qualcomm Technologies Inc. CVE-2018-0487
3994 * Fix buffer overflow in RSA-PSS verification when the unmasked data is all
4004 was independently reported by Tim Nordell via e-mail and by Florin Petriuc
4011 * Set PEM buffer to zero before freeing it, to avoid decoded private keys
4015 * Make mbedtls_mpi_read_binary() constant-time with respect to the input
4021 * Fix a potential heap buffer over-read in ALPN extension parsing
4022 (server-side). Could result in application crash, but only if an ALPN
4025 to RFC 3526 containing parameters generated in a nothing-up-my-sleeve
4032 * New unit tests for timing. Improve the self-test to be more robust
4033 when run on a heavily-loaded machine.
4055 * Extend RSA interface by multiple functions allowing structure-
4060 contexts from keys consisting of N,D,E only, even if P,Q are needed for the
4068 mbedtls_<MODULE>_starts() -> mbedtls_<MODULE>_starts_ret()
4069 mbedtls_<MODULE>_update() -> mbedtls_<MODULE>_update_ret()
4070 mbedtls_<MODULE>_finish() -> mbedtls_<MODULE>_finish_ret()
4071 mbedtls_<MODULE>_process() -> mbedtls_internal_<MODULE>_process()
4074 * Deprecate usage of RSA primitives with non-matching key-type
4099 renegotiated handshakes would only accept signatures using SHA-1
4100 regardless of the peer's preferences, or fail if SHA-1 was disabled.
4104 * Fix some invalid RSA-PSS signatures with keys of size 8N+1 that were
4106 * Fix out-of-memory problem when parsing 4096-bit PKCS8-encrypted RSA keys.
4119 * Correct extraction of signature-type from PK instance in X.509 CRT and CSR
4123 non-v3 CRT's.
4128 MBEDTLS_SSL_RENEGOTIATION is disabled. Found by erja-gp.
4133 * Add size-checks for record and handshake message content, securing
4134 fragile yet non-exploitable code-paths.
4170 * Only run AES-192 self-test if AES-192 is available. Fixes #963.
4181 * Add explicit warnings for the use of MD2, MD4, MD5, SHA-1, DES and ARC4
4184 = mbed TLS 2.6.0 branch released 2017-08-10
4200 platform-specific setup and teardown operations. The macro
4212 * Certificate verification functions now set flags to -1 in case the full
4229 * Fix conditional preprocessor directives in bignum.h to enable 64-bit
4233 to bypass the version verification check. Found by Peng Li/Yueh-Hsun Lin,
4237 to bypass the version verification check. Found by Peng Li/Yueh-Hsun Lin,
4249 64-bit division. This is useful on embedded platforms where 64-bit division
4255 config-no-entropy.h to reduce the RAM footprint.
4260 = mbed TLS 2.5.1 released 2017-06-21
4263 * Fixed unlimited overread of heap-based buffer in mbedtls_ssl_read().
4264 The issue could only happen client-side with renegotiation enabled.
4268 * Removed SHA-1 and RIPEMD-160 from the default hash algorithms for
4269 certificate verification. SHA-1 can be turned back on with a compile-time
4274 potential Bleichenbacher/BERserk-style attack.
4279 and with GCC using the -Wpedantic compilation option.
4280 * Fix insufficient support for signature-hash-algorithm extension,
4307 by Jean-Philippe Aumasson.
4309 = mbed TLS 2.5.0 branch released 2017-05-17
4316 against side-channel attacks like the cache attack described in
4335 mbedtls_aes_decrypt() -> mbedtls_internal_aes_decrypt()
4336 mbedtls_aes_encrypt() -> mbedtls_internal_aes_encrypt()
4339 * Remove macros from compat-1.3.h that correspond to deleted items from most
4343 * Add checks in the PK module for the RSA functions on 64-bit systems.
4348 = mbed TLS 2.4.2 branch released 2017-03-08
4352 using RSA through the PK module in 64-bit systems. The issue was caused by
4355 mbedtls_pk_sign(). Found by Jean-Philippe Aumasson.
4369 team. #569 CVE-2017-2784
4378 mbedtls_ssl_set_bio_timeout in compat-1.3.h, by removing it.
4379 Found by omlib-lin. #673
4400 Li/Yueh-Hsun Lin, KNOX Security, Samsung Research America.
4416 = mbed TLS 2.4.1 branch released 2016-12-13
4419 * Update to CMAC test data, taken from - NIST Special Publication 800-38B -
4423 = mbed TLS 2.4.0 branch released 2016-10-17
4427 with RFC-5116 and could lead to session key recovery in very long TLS
4428 sessions. "Nonce-Disrespecting Adversaries Practical Forgery Attacks on GCM in
4429 TLS" - H. Bock, A. Zauner, S. Devlin, J. Somorovsky, P. Jovanovic.
4437 * Added support for CMAC for AES and 3DES and AES-CMAC-PRF-128, as defined by
4438 NIST SP 800-38B, RFC-4493 and RFC-4615.
4446 * Added a configuration file config-no-entropy.h that configures the subset of
4459 * Fix for key exchanges based on ECDH-RSA or ECDH-ECDSA which weren't
4461 * Fix for out-of-tree builds using CMake. Found by jwurzer, and fix based on
4474 subramanyam-c. #622
4481 Found by subramanyam-c. #626
4489 * Removed self-tests from the basic-built-test.sh script, and added all
4490 missing self-tests to the test suites, to ensure self-tests are only
4493 * Added support for a Yotta specific configuration file -
4504 = mbed TLS 2.3.0 branch released 2016-06-28
4522 arguments were the same (in-place doubling). Found and fixed by Janos
4534 * Fix issue that caused a hang when generating RSA keys of odd bitlength
4541 * Fix test in ssl-opt.sh that does not run properly with valgrind
4545 * On ARM platforms, when compiling with -O0 with GCC, Clang or armcc5,
4547 the need to pass -fomit-frame-pointer to avoid a build error with -O0.
4551 * Fix non-compliance server extension handling. Extensions for SSLv3 are now
4554 = mbed TLS 2.2.1 released 2016-01-05
4566 * Fix over-restrictive length limit in GCM. Found by Andreas-N. #362
4578 = mbed TLS 2.2.0 released 2015-11-04
4589 on untrusted input or write keys of untrusted origin. Found by Guido
4596 * Experimental support for EC J-PAKE as defined in Thread 1.0.0.
4599 block. (Potential uses include EAP-TLS and Thread.)
4602 * Self-signed certificates were not excluded from pathlen counting,
4605 * Fix build error with configurations where ECDHE-PSK is the only key
4607 * Fix build error with configurations where RSA, RSA-PSK, ECDH-RSA or
4608 ECDH-ECDSA is the only key exchange. Multiple reports. #310
4609 * Fixed a bug causing some handshakes to fail due to some non-fatal alerts
4610 not being properly ignored. Found by mancha and Kasom Koht-arsa, #308
4613 minimum key size for end-entity certificates with RSA keys. Found by
4624 or -1.
4626 = mbed TLS 2.1.2 released 2015-10-06
4629 * Added fix for CVE-2015-5291 to prevent heap corruption due to buffer
4632 * Fix potential double-free if mbedtls_ssl_set_hs_psk() is called more than
4649 buffer is 512MB or larger on 32-bit platforms. Found by Guido Vranken,
4651 * Fix potential double-free if mbedtls_conf_psk() is called repeatedly on
4670 = mbed TLS 2.1.1 released 2015-09-17
4673 * Add countermeasure against Lenstra's RSA-CRT attack for PKCS#1 v1.5
4675 https://securityblog.redhat.com/2015/09/02/factoring-rsa-keys-with-tls-perfect-forward-secrecy/
4676 * Fix possible client-side NULL pointer dereference (read) when the client
4679 afl-fuzz.)
4683 * Fix off-by-one error in parsing Supported Point Format extension that
4694 MBEDTLS_ERR_SSL_CLIENT_RECONNECT - it is then possible to start a new
4697 = mbed TLS 2.1.0 released 2015-09-04
4705 * Fix build error with CMake and pre-4.5 versions of GCC (found by Hugo
4713 * Fix compile error with armcc 5 with --gnu option.
4718 * Fix missing -static-libgcc when building shared libraries for Windows
4727 * Fix -Wshadow warnings (found by hnrkp) (#240)
4729 SSL_MAX_CONTENT_LEN or higher - not triggerable remotely (found by
4737 * It is now possible to #include a user-provided configuration file at the
4741 trusted, no later cert is checked. (suggested by hannes-landeholm)
4748 = mbed TLS 2.0.0 released 2015-07-13
4755 * New server-side implementation of session tickets that rotate keys to
4761 * Introduced a concept of presets for SSL security-relevant configuration
4769 Migration helpers scripts/rename.pl and include/mbedtls/compat-1.3.h are
4770 provided. Full list of renamings in scripts/data_files/rename-1.3-2.0.txt
4772 mbedtls_cipher_info_t.key_length -> key_bitlen
4773 mbedtls_cipher_context_t.key_length -> key_bitlen
4774 mbedtls_ecp_curve_info.size -> bit_size
4779 mbedtls_ssl_init() -> mbedtls_ssl_setup()
4780 mbedtls_ccm_init() -> mbedtls_ccm_setkey()
4781 mbedtls_gcm_init() -> mbedtls_gcm_setkey()
4782 mbedtls_hmac_drbg_init() -> mbedtls_hmac_drbg_seed(_buf)()
4783 mbedtls_ctr_drbg_init() -> mbedtls_ctr_drbg_seed()
4789 (see rename.pl and compat-1.3.h above) and their first argument's type
4792 additional callback for read-with-timeout).
4811 mbedtls_x509_crt_verify() (flags, f_vrfy -> needs to be updated)
4812 mbedtls_ssl_conf_verify() (f_vrfy -> needs to be updated)
4813 * The following functions changed prototype to avoid an in-out length
4831 * Test certificates in certs.c are no longer guaranteed to be nul-terminated
4860 * Removed compat-1.2.h (helper for migrating from 1.2 to 1.3).
4864 been removed (compiler is required to support 32-bit operations).
4867 * Removed test program ssl_test, superseded by ssl-opt.sh.
4868 * Removed helper script active-config.pl
4874 Semi-API changes (technically public, morally private)
4895 * Default DHM parameters server-side upgraded from 1024 to 2048 bits.
4899 * The following functions are now case-sensitive:
4918 * DTLS no longer hard-depends on TIMING_C, but uses a callback interface
4927 thread-safe if MBEDTLS_THREADING_C is enabled.
4928 * Reduced ROM footprint of SHA-256 and added an option to reduce it even
4937 * Add countermeasure against "Lucky 13 strikes back" cache-based attack,
4947 * Add support for id-at-uniqueIdentifier in X.509 names.
4953 cross-compilation easier (thanks to Alon Bar-Lev).
4954 * The benchmark program also prints heap usage for public-key primitives
4956 * New script ecc-heap.sh helps measuring the impact of ECC parameters on
4959 reduced configurations (PSK-CCM and NSA suite B).
4984 * Fix bug in pk_parse_key() that caused some valid private EC keys to be
4991 * Fix potential unintended sign extension in asn1_get_len() on 64-bit
4998 * Add missing dependency on SHA-256 in some x509 programs (reported by
5009 * compat-1.2.h and openssl.h are deprecated.
5012 (contributed by Alon Bar-Lev).
5015 * Move from SHA-1 to SHA-256 in example programs using signatures
5023 = mbed TLS 1.3.10 released 2015-02-09
5025 * NULL pointer dereference in the buffer-based allocator when the buffer is
5029 * Fix remotely-triggerable uninitialised pointer dereference caused by
5032 * Fix remotely-triggerable memory leak caused by crafted X.509 certificates
5039 Bleichenbacher-style attack in the RSA and RSA-PSK key exchanges
5043 * Add support for FALLBACK_SCSV (draft-ietf-tls-downgrade-scsv).
5044 * Add support for Extended Master Secret (draft-ietf-tls-session-hash).
5045 * Add support for Encrypt-then-MAC (RFC 7366).
5046 * Add function pk_check_pair() to test if public and private keys match.
5048 * Add compile-time option POLARSSL_X509_MAX_INTERMEDIATE_CA to limit the
5050 * Support for renegotiation can now be disabled at compile-time
5051 * Support for 1/n-1 record splitting, a countermeasure against BEAST.
5052 * Certificate selection based on signature hash, preferring SHA-1 over SHA-2
5053 for pre-1.2 clients when multiple certificates are available.
5063 add_len (found by Jean-Philippe Aumasson) (not triggerable remotely).
5079 issue with some servers when a zero-length extension was sent. (Reported
5081 * On a 0-length input, base64_encode() did not correctly set output length
5088 * ssl_set_own_cert() now returns an error on key-certificate mismatch.
5094 * It is now possible to disable negotiation of truncated HMAC server-side
5100 = PolarSSL 1.3.9 released 2014-10-20
5104 * Remotely-triggerable memory leak when parsing some X.509 certificates
5107 * Remotely-triggerable memory leak when parsing crafted ClientHello
5114 * Fix net_accept() regarding non-blocking sockets (found by Luca Pesce).
5116 * Fix warnings from Clang's scan-build (contributed by Alfred Klomp).
5119 * Remove non-existent file from VS projects (found by Peter Vaskovic).
5120 * ssl_read() could return non-application data records on server while
5122 * Server-initiated renegotiation would fail with non-blocking I/O if the
5125 with non-blocking I/O.
5133 * Ciphersuites using SHA-256 or SHA-384 now require TLS 1.x (there is no
5134 standard defining how to use SHA-2 with SSL 3.0).
5135 * Ciphersuites using RSA-PSK key exchange now require TLS 1.x (the spec is
5142 RSA keys.
5147 = PolarSSL 1.3.8 released 2014-07-11
5156 * Support for parsing and verifying RSASSA-PSS signatures in the X.509
5158 * Blowfish in the cipher layer now supports variable length keys.
5163 * Add server-side enforcement of sent renegotiation requests
5182 * Remove less-than-zero checks on unsigned numbers
5194 rejected with CBC-based ciphersuites and TLS >= 1.1
5196 to 32 bytes with CBC-based ciphersuites and TLS >= 1.1
5197 * Restore ability to use a v1 cert as a CA if trusted locally. (This had
5199 * Restore ability to locally trust a self-signed cert that is not a proper
5205 * Fix off-by-one error in parsing Supported Point Format extension that
5207 * Fix possible miscomputation of the premaster secret with DHE-PSK key
5216 = PolarSSL 1.3.7 released on 2014-05-02
5220 * version_check_feature() added to check for compile-time options at
5221 run-time
5228 * AES-NI now compiles with "old" assemblers too
5244 big-endian platform when size was not an integer number of limbs
5251 = PolarSSL 1.3.6 released on 2014-04-11
5272 This affects certificates in the user-supplied chain except the top
5273 certificate. If the user-supplied chain contains only one certificate,
5292 * dhm_parse_dhm() (hence dhm_parse_dhmfile()) did not set dhm->len.
5293 * Calling pk_debug() on an RSA-alt key would segfault.
5294 * pk_get_size() and pk_get_len() were off by a factor 8 for RSA-alt keys.
5300 = PolarSSL 1.3.5 released on 2014-03-26
5302 * HMAC-DRBG as a separate module
5306 * Ability to force the entropy module to use SHA-256 as its basis
5308 * Testing script ssl-opt.sh added for testing 'live' ssl option
5310 * Support for reading EC keys that use SpecifiedECDomain in some cases.
5316 now thread-safe if POLARSSL_THREADING_C defined
5332 * Possible remotely-triggered out-of-bounds memory access fixed (found by
5339 * Fixed testing with out-of-source builds using cmake
5340 * Fixed version-major intolerance in server
5341 * Fixed CMake symlinking on out-of-source builds
5344 * Bignum's MIPS-32 assembly was used on MIPS-64, causing chaos. (Found by
5348 * Fixed bug with session tickets and non-blocking I/O in the unlikely case
5361 = PolarSSL 1.3.4 released on 2014-01-27
5364 * Support for RIPEMD-160
5380 = PolarSSL 1.3.3 released on 2013-12-31
5386 * Support for ECDH-RSA and ECDH-ECDSA key exchanges and ciphersuites
5388 * AES-NI support for AES, AES-GCM and AES key scheduling
5389 * SSL Pthread-based server example added (ssl_pthread_server)
5396 * More constant-time checks in the RSA module
5404 * Fixed X.509 hostname comparison (with non-regular characters)
5417 * Possible remotely-triggered out-of-bounds memory access fixed (found by
5420 = PolarSSL 1.3.2 released on 2013-11-04
5424 * Support for Camellia-GCM mode and ciphersuites
5427 * Padding checks in cipher layer are now constant-time
5428 * Value comparisons in SSL layer are now constant-time
5441 * Server-side initiated renegotiations send HelloRequest
5443 = PolarSSL 1.3.1 released on 2013-10-15
5446 * Support for ECDHE-PSK key-exchange and ciphersuites
5447 * Support for RSA-PSK key-exchange and ciphersuites
5453 * config.h is more script-friendly
5465 = PolarSSL 1.3.0 released on 2013-10-01
5470 (ECDHE-based ciphersuites)
5472 (ECDSA-based ciphersuites)
5474 * PSK and DHE-PSK based ciphersuites added
5476 * Buffer-based memory allocator added (no malloc() / free() / HEAP usage)
5479 * Parsing Elliptic Curve keys
5483 * Support for zeros-and-length (ANSI X.923) padding, one-and-zeros
5484 (ISO/IEC 7816-4) padding and zero padding in the cipher layer
5513 * Also compiles / runs without time-based functions (!POLARSSL_HAVE_TIME)
5525 (found by Cyril Arnaud and Pierre-Alain Fouque)
5528 = Version 1.2.14 released 2015-05-??
5536 * Add countermeasure against "Lucky 13 strikes back" cache-based attack,
5544 * Fix potential unintended sign extension in asn1_get_len() on 64-bit
5547 = Version 1.2.13 released 2015-02-16
5552 * Fix remotely-triggerable uninitialised pointer dereference caused by
5555 * Fix remotely-triggerable memory leak caused by crafted X.509 certificates
5568 add_len (found by Jean-Philippe Aumasson) (not triggerable remotely).
5578 issue with some servers when a zero-length extension was sent. (Reported
5580 * On a 0-length input, base64_encode() did not correctly set output length
5586 * Add compile-time option POLARSSL_X509_MAX_INTERMEDIATE_CA to limit the
5588 = Version 1.2.12 released 2014-10-24
5591 * Remotely-triggerable memory leak when parsing some X.509 certificates
5599 with non-blocking I/O.
5603 * Fix net_accept() regarding non-blocking sockets (found by Luca Pesce).
5604 * ssl_read() could return non-application data records on server while
5606 * Fix warnings from Clang's scan-build (contributed by Alfred Klomp).
5615 = Version 1.2.11 released 2014-07-11
5643 * Fixed X.509 hostname comparison (with non-regular characters)
5656 * Fixed testing with out-of-source builds using cmake
5657 * Fixed version-major intolerance in server
5658 * Fixed CMake symlinking on out-of-source builds
5659 * Bignum's MIPS-32 assembly was used on MIPS-64, causing chaos. (Found by
5674 big-endian platform when size was not an integer number of limbs
5685 = Version 1.2.10 released 2013-10-07
5687 * Changed RSA blinding to a slower but thread-safe version
5694 = Version 1.2.9 released 2013-10-01
5707 (found by Cyril Arnaud and Pierre-Alain Fouque)
5709 = Version 1.2.8 released 2013-06-19
5713 * Centralized module option values in config.h to allow user-defined
5738 * Fixed values for 2-key Triple DES in cipher layer
5743 PEM-encoded certificates has been fixed (found by Jack Lloyd)
5745 = Version 1.2.7 released 2013-04-13
5750 * Default Blowfish keysize is now 128-bits
5757 = Version 1.2.6 released 2013-03-11
5760 * Corrected GCM counter incrementation to use only 32-bits instead of
5761 128-bits (found by Yawning Angel)
5762 * Fixes for 64-bit compilation with MS Visual Studio
5772 * Re-added handling for SSLv2 Client Hello when the define
5784 = Version 1.2.5 released 2013-02-02
5786 * Allow enabling of dummy error_strerror() to support some use-cases
5789 * Sending of security-relevant alert messages that do not break
5797 = Version 1.2.4 released 2013-01-25
5809 = Version 1.2.3 released 2012-11-26
5813 = Version 1.2.2 released 2012-11-24
5817 * During verify trust-CA is only checked for expiration and CRL presence
5823 = Version 1.2.1 released 2012-11-20
5826 bottom-up (Peer cert depth is 0)
5832 Pégourié-Gonnard)
5834 Pégourié-Gonnard)
5837 = Version 1.2.0 released 2012-10-31
5843 * Added support for multi-domain certificates through the X509 Subject
5870 * Fixed const-correctness mpi_get_bit()
5905 = Version 1.1.8 released on 2013-10-01
5911 * Potential buffer-overflow for ssl_read_record() (independently found by
5916 = Version 1.1.7 released on 2013-06-19
5925 * Fixed values for 2-key Triple DES in cipher layer
5930 PEM-encoded certificates has been fixed (found by Jack Lloyd)
5932 = Version 1.1.6 released on 2013-03-11
5937 * Allow enabling of dummy error_strerror() to support some use-cases
5948 = Version 1.1.5 released on 2013-01-16
5959 Pégourié-Gonnard)
5961 Pégourié-Gonnard)
5972 = Version 1.1.4 released on 2012-05-31
5978 = Version 1.1.3 released on 2012-04-29
5982 = Version 1.1.2 released on 2012-04-26
5989 Frama-C team at CEA LIST)
5993 = Version 1.1.1 released on 2012-01-23
5997 * Fixed issues with Intel compiler on 64-bit systems (Closes ticket #50)
6001 = Version 1.1.0 released on 2011-12-22
6003 * Added ssl_session_reset() to allow better multi-connection pools of
6004 SSL contexts without needing to set all non-connection-specific
6011 * Added CTR_DRBG based on AES-256-CTR (NIST SP 800-90) random generator
6020 * Increased maximum size of ASN1 length reads to 32-bits.
6025 * Changed the defined key-length of DES ciphers in cipher.h to include the
6030 trade-off
6039 encountering a parse-error. Beware that the meaning of return values has
6044 * Fixed faulty HMAC-MD2 implementation. Found by dibac. (Closes
6050 * Fixed incorrect behaviour in case of RSASSA-PSS with a salt length
6059 = Version 1.0.0 released on 2011-07-27
6072 = Version 0.99-pre5 released on 2011-05-26
6105 = Version 0.99-pre4 released on 2011-04-01
6108 for the RSAES-OAEP and RSASSA-PSS operations.
6123 platform (32-bit / 64-bit) (Fixes ticket #19, found by Mads
6127 * Fixed proper handling of RSASSA-PSS verification with variable
6130 = Version 0.99-pre3 released on 2011-02-28
6131 This release replaces version 0.99-pre2 which had possible copyright issues.
6133 * Parsing PEM private keys encrypted with DES and AES
6156 * Fixed a possible Man-in-the-Middle attack on the
6160 = Version 0.99-pre1 released on 2011-01-30
6162 Note: Most of these features have been donated by Fox-IT
6169 * Detection for DES weak keys and parity bits added
6179 libpkcs11-helper library
6190 = Version 0.14.0 released on 2010-08-16
6194 * Added compile-time and run-time version information
6210 * rsa_check_private() now supports PKCS1v2 keys as well
6214 = Version 0.13.1 released on 2010-03-24
6219 = Version 0.13.0 released on 2010-03-21
6235 * Added reset function for HMAC context as speed-up
6236 for specific use-cases
6247 = Version 0.12.1 released on 2009-10-04
6258 = Version 0.12.0 released on 2009-07-28
6262 Base64, MPI, SHA-family, MD-family, HMAC-SHA-family,
6263 Camellia, DES, 3-DES, RSA PKCS#1, XTEA, Diffie-Hellman
6279 * Fixed HMAC-MD2 by modifying md2_starts(), so that the
6300 * Fixed Camellia and XTEA for 64-bit Windows systems.
6302 = Version 0.11.1 released on 2009-05-17
6303 * Fixed missing functionality for SHA-224, SHA-256, SHA384,
6304 SHA-512 in rsa_pkcs1_sign()
6306 = Version 0.11.0 released on 2009-05-03
6310 * Added support for SHA-224, SHA-256, SHA-384 and SHA-512
6320 * Made definition of net_htons() endian-clean for big endian
6324 * Fixed an off-by-one buffer allocation in ssl_set_hostname()
6329 * Fixed compatibility of XTEA and Camellia on a 64-bit system
6332 = Version 0.10.0 released on 2009-01-12
6344 = Version 0.9 released on 2008-03-16
6350 be sent twice in non-blocking mode when send returns EAGAIN
6353 * Added user-defined callback debug function (Krystian Kolodziej)
6359 output data is non-aligned by falling back to the software
6360 implementation, as VIA Nehemiah cannot handle non-aligned buffers
6362 Robson-Garth; some x509write.c fixes by Pascal Vizeli, thanks to
6371 * Updated rsa_check_privkey() to verify that (D*E) = 1 % (P-1)*(Q-1)
6376 * Fixed a critical denial-of-service with X.509 cert. verification:
6379 * Added test vectors for: AES-CBC, AES-CFB, DES-CBC and 3DES-CBC,
6380 HMAC-MD5, HMAC-SHA1, HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512
6381 * Fixed HMAC-SHA-384 and HMAC-SHA-512 (thanks to Josh Sinykin)
6384 as the Klima-Pokorny-Rosa extension of Bleichenbacher's attack
6385 * Updated rsa_gen_key() so that ctx->N is always nbits in size
6389 = Version 0.8 released on 2007-10-20
6391 * Modified the HMAC functions to handle keys larger
6397 * Added user-defined callbacks for handling I/O and sessions
6401 * Added AES-CFB mode of operation, contributed by chmike
6405 * Updated ssl_read() to skip 0-length records from OpenSSL
6407 * Fixed a bug in mpi_read_binary() on 64-bit platforms
6414 = Version 0.7 released on 2007-07-07
6416 * Added support for the MicroBlaze soft-core processor
6418 connections from being established with non-blocking I/O
6422 * Added the SHA-224, SHA-384 and SHA-512 hash functions
6430 = Version 0.6 released on 2007-04-01
6436 * Added multiply assembly code for 64-bit PowerPCs,
6440 * Fixed "long long" compilation issues on IA-64 and PPC64
6441 * Fixed a bug introduced in xyssl-0.5/timing.c: hardclock
6444 = Version 0.5 released on 2007-03-01
6447 * Added (beta) support for non-blocking I/O operations
6450 (thanks to Benjamin Newman), HP-UX, FreeBSD and Solaris
6455 = Version 0.4 released on 2007-02-01
6457 * Added support for Ephemeral Diffie-Hellman key exchange
6468 = Version 0.3 released on 2007-01-01
6470 * Added server-side SSLv3 and TLSv1.0 support
6479 = Version 0.2 released on 2006-12-01
6488 valid RSA keys to be dismissed (thanks to oldwolf)
6490 the Miller-Rabin primality test
6494 who maintains the Debian package :-)
6496 = Version 0.1 released on 2006-11-01