Lines Matching +full:runs +full:- +full:on

3 = Mbed TLS 3.6.4 branch released 2025-06-30
8 session, according to the TLS-Exporter specification in RFC 8446 and 5705.
15 CVE-2025-49601
19 CVE-2025-49600
20 * On x86/amd64 platforms, with some compilers, when the library is
30 CVE-2025-52496
31 * Fix possible use-after-free or double-free in code calling
33 mbedtls_asn1_free_named_data_list() on its head argument, while the
35 on the documented behaviour to still hold pointers to memory blocks after
36 they were free()d, resulting in high risk of use-after-free or double-free,
39 were affected (use-after-free if the san string contains more than one DN).
42 CVE-2025-47917
54 CVE-2025-48965
59 CVE-2025-52497
65 CVE-2025-49087
70 "union foo x = {0}" does not initialize non-default members of the
72 multipart operations, MAC-based key derivation operations, interruptible
74 when using third-party drivers. This also affected one-shot MAC
75 operations using the built-in implementation. Fixes #9814.
76 * On entry to PSA driver entry points that set up a multipart operation
77 ("xxx_setup"), the operation object is supposed to be all-bits-zero.
80 non-default members of the union. The PSA core now ensures that this
84 * Silence spurious -Wunterminated-string-initialization warnings introduced
87 keys with a different LMS or LM-OTS types on some platforms. Specifically,
88 this could happen on platforms where enum types are smaller than 32 bits
91 * Fix a race condition on x86/amd64 platforms in AESNI support detection
95 * Fix mbedtls_base64_decode() on inputs that did not have the correct
98 rejected. Furthermore, before, on inputs with too few equal signs, the
109 to point to NULL on entry. This makes it likely that existing risky uses of
113 = Mbed TLS 3.6.3 branch released 2025-03-24
119 if certificate-based authentication of the server is attempted.
123 enable the new compile-time option
128 uses static storage for keys, enabling malloc-less use of key slots.
137 * implements `psa_can_do_hash()` on the client interface
143 if they use certificate authentication (i.e. not pre-shared keys).
149 CVE-2025-27809
157 CVE-2025-27810
170 * Fix compilation on MS-DOS DJGPP. Fixes #9813.
171 * Fix missing constraints on the AES-NI inline assembly which is used on
172 GCC-like compilers when building AES for generic x86_64 targets. This
173 may have resulted in incorrect code with some compilers, depending on
175 * Support re-assembly of fragmented handshake messages in TLS (both
182 occurred whenever SSL debugging was enabled on a copy of Mbed TLS built
187 implementations if placed on the include path, e.g. when building Mbed TLS
196 = Mbed TLS 3.6.2 branch released 2024-10-14
200 called on an opaque key, MBEDTLS_USE_PSA_CRYPTO is enabled,
203 when called on an opaque RSA key, MBEDTLS_USE_PSA_CRYPTO is enabled
204 and MBEDTLS_MPI_MAX_SIZE is smaller than needed for a 4096-bit RSA key.
205 CVE-2024-49195
207 = Mbed TLS 3.6.1 branch released 2024-08-30
217 * In a PSA-client-only build (i.e. MBEDTLS_PSA_CRYPTO_CLIENT &&
234 They have almost exactly the same interface, but the variable-length
239 - DES (including 3DES).
240 - PKCS#1v1.5 encryption/decryption (RSAES-PKCS1-v1_5).
242 - Finite-field Diffie-Hellman with custom groups.
244 - Elliptic curves of size 225 bits or less.
247 - TLS_RSA_* (including TLS_RSA_PSK_*), i.e. cipher suites using
250 - TLS_ECDH_*, i.e. cipher suites using static ECDH.
252 - TLS_DHE_*, i.e. cipher suites using finite-field Diffie-Hellman.
254 - TLS_*CBC*, i.e. all cipher suites using CBC.
255 * The following low-level application interfaces are planned to be removed
257 - Hashes: hkdf.h, md5.h, ripemd160.h, sha1.h, sha3.h, sha256.h, sha512.h;
258 - Random generation: ctr_drbg.h, hmac_drbg.h, entropy.h;
259 - Ciphers and modes: aes.h, aria.h, camellia.h, chacha20.h, chachapoly.h,
261 - Private key encryption mechanisms: pkcs5.h, pkcs12.h.
262 - Asymmetric cryptography: bignum.h, dhm.h, ecdh.h, ecdsa.h, ecjpake.h,
267 For guidance on migrating application code to the PSA API, please consult
268 the PSA transition guide (docs/psa-transition.md).
271 - MBEDTLS_xxx_ALT replacement of cryptographic modules and functions.
273 - MBEDTLS_PK_RSA_ALT and MBEDTLS_PSA_CRYPTO_SE_C.
286 CVE-2024-45157
292 CVE-2024-45158
294 client, if the client-provided certificate does not have appropriate values
303 CVE-2024-45159
308 * Fix compilation error when memcpy() is a function-like macro. Fixes #8994.
313 * Fix rare concurrent access bug where attempting to operate on a
314 non-existent key while concurrently creating a new key could potentially
325 * Fix the build when MBEDTLS_PSA_CRYPTO_CONFIG is enabled and the built-in
326 CMAC is enabled, but no built-in unauthenticated cipher is enabled.
332 * Fix interference between PSA volatile keys and built-in keys
340 MBEDTLS_SSL_CLI_C is disabled. Reported by M-Bab on GitHub in #9186.
342 some code was defining 0-size arrays, resulting in compilation errors.
366 * Fixed a regression introduced in 3.6.0 where clients that relied on
374 * Fixed a regression introduced in 3.6.0 where context-specific certificate
377 upgraded to TLS 1.3. Fixed by adding support for context-specific verify
390 = Mbed TLS 3.6.0 branch released 2024-03-28
429 * Support Armv8-A Crypto Extension acceleration for SHA-256
430 when compiling for Thumb (T32) or 32-bit Arm (A32).
431 * AES-NI is now supported in Windows builds with clang and clang-cl.
437 This affects both the low-level modules and the high-level APIs
440 * Support use of Armv8-A Cryptographic Extensions for hardware accelerated
441 AES when compiling for Thumb (T32) or 32-bit Arm (A32).
443 library without the corresponding built-in implementation. Generally
445 or they'll both be built in. However, for CCM and GCM the built-in
448 docs/driver-only-builds.md for full details and current limitations.
452 * Fewer modules depend on MBEDTLS_CIPHER_C, making it possible to save code
454 GCM modules no longer depend on MBEDTLS_CIPHER_C. Also,
456 unauthenticated (non-AEAD) ciphers are disabled, or if they're all
457 fully provided by drivers. See docs/driver-only-builds.md for full
459 decryption still unconditionally depend on MBEDTLS_CIPHER_C.
464 * Improve performance of AES-GCM, AES-CTR and CTR-DRBG when
465 hardware accelerated AES is not present (around 13-23% on 64-bit Arm).
479 * Add support for using AES-CBC 128, 192, and 256 bit schemes
483 * Add pc files for pkg-config, e.g.:
484 pkg-config --cflags --libs (mbedtls|mbedcrypto|mbedx509)
492 * Add support for 8-bit GCM tables for Shoup's algorithm to speedup GCM
494 performance by around 30% on 64-bit Intel; 125% on Armv7-M.
514 * Add new accessors to expose the private session-id,
515 session-id length, and ciphersuite-id members of
517 Add new accessor to expose the ciphersuite-id of
520 docs/tls13-early-data.md). The support enablement is controlled at build
527 docs/architecture/psa-thread-safety/psa-thread-safety.md for more details.
534 Fixes CVE-2024-30166.
544 Note that setting this option will cause input-output buffer overlap to
546 Fixes CVE-2024-28960.
552 Fixes CVE-2024-28755.
553 * When negotiating TLS version on server side, do not fall back to the
555 - If the TLS 1.2 implementation was disabled at build time, a TLS 1.2
556 client could put the TLS 1.3-only server in an infinite loop processing
559 - If the TLS 1.2 implementation was disabled at runtime, a TLS 1.2 client
561 Reported by alluettiv on GitHub.
562 Fixes CVE-2024-28836.
565 * Fix the build with CMake when Everest or P256-m is enabled through
576 * Fix build failure in conda-forge. Fixes #8422.
589 * On Linux on ARMv8, fix a build error with SHA-256 and SHA-512
593 TLS12_PSK_TO_MS, PBKDF2-HMAC, PBKDF2-CMAC
598 * mbedtls_pem_read_buffer() now performs a check on the padding data of
601 mbedtls_pk_encrypt() on non-opaque RSA keys to honor the padding mode in
640 * RSA support in PSA no longer auto-enables the pkparse and pkwrite modules,
651 = Mbed TLS 3.5.2 branch released 2024-01-26
656 attacker or a remote attacker who is close to the victim on the network
662 could result in an integer overflow, causing a zero-length buffer to be
666 = Mbed TLS 3.5.1 branch released 2023-11-06
669 * Mbed TLS is now released under a dual Apache-2.0 OR GPL-2.0-or-later
676 = Mbed TLS 3.5.0 branch released 2023-10-05
679 * Mbed TLS 3.4 introduced support for omitting the built-in implementation
680 of ECDSA and/or EC J-PAKE when those are provided by a driver. However,
681 there was a flaw in the logic checking if the built-in implementation, in
684 accelerated and still have the built-in implementation compiled out.
687 considered not accelerated, and the built-in implementation of the curves
722 provided - these limitations are lifted in this version. A new set of
725 they're provided by a built-in implementation, a driver or both. See
726 docs/driver-only-builds.md.
729 key exchanges based on ECDH(E) to work, this requires
731 TLS 1.2 (ECDHE-ECDSA key exchange) are not supported in those builds yet,
733 * When all of ECDH, ECDSA and EC J-PAKE are either disabled or provided by
736 algorithms in PSA, with some limitations. See docs/driver-only-builds.txt
740 * Add support for server-side TLS version negotiation. If both TLS 1.2 and
742 TLS 1.3 depending on the capabilities and preferences of TLS clients.
752 parameters from RFC 7919. This includes a built-in implementation based
753 on MBEDTLS_BIGNUM_C, and a driver dispatch layer enabling alternative
764 string to a DER-encoded mbedtls_asn1_buf.
765 * Add SHA-3 family hash functions.
766 * Add support to restrict AES to 128-bit keys in order to save code size.
771 Aarch64, gcc -Os and CCM, GCM and XTS benefit the most.
772 On Aarch64, uplift is typically around 20 - 110%.
773 When compiling with gcc -Os on Aarch64, AES-XTS improves
775 * Add support for PBKDF2-HMAC through the PSA API.
781 - DERIVE is only available for ECC keys, not for RSA or DH ones.
782 - implementations are free to enable more than what it was strictly
787 and the ephemeral or psk-ephemeral key exchange mode are enabled.
800 * Support for "opaque" (PSA-held) ECC keys in the PK module has been
809 * Add support for PBKDF2-CMAC through the PSA API.
811 using CPU-accelerated AES (e.g., Arm Crypto Extensions), this option
812 disables the plain C implementation and the run-time detection for the
839 (notably recent versions of Clang and IAR) could produce non-constant
842 * Updates to constant-time C code so that compilers are less likely to use
845 implementations for 32- and 64-bit Arm and for x86 and x86-64, which are
853 null-cipher cipher suites. Credit to OSS-Fuzz.
855 In TLS 1.3, all configurations are affected except PSK-only ones, and
860 Credit to OSS-Fuzz.
865 than all built-in ones and RSA is disabled.
879 * Fix the J-PAKE driver interface for user and peer to accept any values
882 M-class CPUs (Cortex-M0, Cortex-M0+, Cortex-M1, Cortex-M23,
900 example TF-M configuration in configs/ from building cleanly:
904 proposes a handshake based on PSK only key exchange mode or at least
910 * Fix a compilation error on some platforms when including mbedtls/ssl.h
915 * Fix a potential corruption of the passed-in IV when mbedtls_aes_crypt_cbc()
925 mbedtls_x509_san_other_name struct. The type-id of the otherName was not
932 enabled, where some low-level modules required by requested PSA crypto
938 error code on failure. Before, they returned 1 to indicate failure in
941 * Fix the build with CMake when Everest or P256-m is enabled through
946 compiling with gcc, clang or armclang and -O0.
964 = Mbed TLS 3.4.1 branch released 2023-08-04
967 * Fix builds on Windows with clang
970 * Update test data to avoid failures of unit tests after 2023-08-07.
972 = Mbed TLS 3.4.0 branch released 2023-03-28
983 direct dependency of X509 on BIGNUM_C.
987 optionally providing file-specific error pairs. Please see psa_util.h for
994 - Only the signed-data content type, version 1 is supported.
995 - Only DER encoding is supported.
996 - Only a single digest algorithm per message is supported.
997 - Certificates must be in X.509 format. A message must have either 0
999 - There is no support for certificate revocation lists.
1000 - The authenticated and unauthenticated attribute fields of SignerInfo
1003 contributing this feature, and to Demi-Marie Obenour for contributing
1007 * Improvements to use of unaligned and byte-swapped memory, reducing code
1008 size and improving performance (depending on compiler and target
1018 * Add parsing of V3 extensions (key usage, Netscape cert-type,
1021 configuration-independent files. This allows them to be generated when
1038 * Add a driver dispatch layer for EC J-PAKE, enabling alternative
1039 implementations of EC J-PAKE through the driver entry points.
1043 * Add support for AES with the Armv8-A Cryptographic Extension on
1044 64-bit Arm. A new configuration option, MBEDTLS_AESCE_C, can
1045 be used to enable this feature. Run-time detection is supported
1047 * When a PSA driver for EC J-PAKE is present, it is now possible to disable
1052 to read non-public fields for padding mode and hash id from
1054 * AES-NI is now supported with Visual Studio.
1055 * AES-NI is now supported in 32-bit builds, or when MBEDTLS_HAVE_ASM
1058 gcc -m32 -msse2 -maes -mpclmul). (Generic x86 builds with GCC-like
1059 compilers still require MBEDTLS_HAVE_ASM and a 64-bit target.)
1060 * It is now possible to use a PSA-held (opaque) password with the TLS 1.2
1065 * Use platform-provided secure zeroization function where possible, such as
1068 * Fix a potential heap buffer overread in TLS 1.3 client-side when
1070 * Add support for AES with the Armv8-A Cryptographic Extension on 64-bit
1071 Arm, so that these systems are no longer vulnerable to timing side-channel
1072 attacks. This is configured by MBEDTLS_AESCE_C, which is on by default.
1074 * MBEDTLS_AESNI_C, which is enabled by default, was silently ignored on
1075 builds that couldn't compile the GCC-style assembly implementation
1077 timing side-channel attacks. There is now an intrinsics-based AES-NI
1088 calculation on the client side. It prevents a server with more accurate
1098 used on a shared secret from a key agreement since its input must be
1102 forbidden by the standard (RFC5280 - section 4.1.2.2) and now it's being
1112 certificate parsing, but only on subsequent calls to
1120 * Reject OIDs with overlong-encoded subidentifiers when converting
1125 have the most-significant bit set in their last byte.
1126 * Silence warnings from clang -Wdocumentation about empty \retval
1130 * Fix an unused-variable warning in TLS 1.3-only builds if
1134 * Allow setting user and peer identifiers for EC J-PAKE operation
1141 * Fix TLS 1.3 session resumption when the established pre-shared key is
1142 384 bits long. That is the length of pre-shared keys created under a
1147 modules, which would then fail if run on a CPU without the SHA3
1153 * Mixed-endian systems are explicitly not supported any more.
1162 - now it accepts the serial number in 2 different formats: decimal and
1164 - "serial" is used for the decimal format and it's limited in size to
1166 - "serial_hex" is used for the hex format; max length here is
1171 https://mbed-tls.readthedocs.io/en/latest/kb/how-to/rewrite-branch-for-coding-style/
1177 to best results when tested on Cortex-M4 and Intel i7.
1180 compiler target flags on the command line; the library now sets target
1183 = Mbed TLS 3.3.0 branch released 2022-12-14
1189 RFC 9146, which is not interoperable with the draft-05 version.
1193 standard (non-draft) version.
1195 same build of Mbed TLS, please let us know about your situation on the
1217 * Expose the EC J-PAKE functionality through the Draft PSA PAKE Crypto API.
1218 Only the ECC primitive with secp256r1 curve and SHA-256 hash algorithm
1221 built-in implementation present, but only in some configurations.
1222 - RSA OAEP and PSS (PKCS#1 v2.1), PKCS5, PKCS12 and EC J-PAKE now use
1224 - PEM parsing of encrypted files now uses MD-5 from PSA when (and only
1230 all hashes only provided by drivers (no built-in hash) is to use
1233 properly negotiate/accept hashes based on their availability in PSA.
1234 As a consequence, they now work in configurations where the built-in
1236 provided by PSA drivers. (See previous entry for limitation on RSA-PSS
1240 * Add the LMS post-quantum-safe stateful-hash asymmetric signature scheme.
1241 Signature verification is production-ready, but generation is for testing
1247 * Add the LM-OTS post-quantum-safe one-time signature scheme, which is
1250 * Mbed TLS now supports TLS 1.3 key establishment via pre-shared keys.
1251 The pre-shared keys can be provisioned externally or via the ticket
1269 * The TLS 1.2 EC J-PAKE key exchange can now use the PSA Crypto API.
1280 * Add an ad-hoc key derivation function handling EC J-PAKE to PMS
1282 as described in draft-cragie-tls-ecjpake-01. This can be achieved by
1292 victim performing a single private-key operation if the window size used
1294 Wenjian HE, Sharad Sinha, and Wei ZHANG. See "Cache Side-channel Attacks
1295 and Defenses of the Sliding Window Algorithm in TEEs" - Design, Automation
1299 * Refactor mbedtls_aes_context to support shallow-copying. Fixes #2147.
1300 * Fix an issue with in-tree CMake builds in releases with GEN_FILES
1303 * Fix a long-standing build failure when building x86 PIC code with old
1306 * Fix support for little-endian Microblaze when MBEDTLS_HAVE_ASM is defined.
1324 * Fix mbedtls_ctr_drbg_free() on an initialized but unseeded context. When
1325 MBEDTLS_AES_ALT is enabled, it could call mbedtls_aes_free() on an
1327 * Fix a build issue on Windows using CMake where the source and build
1328 directories could not be on different drives. Fixes #5751.
1334 PSA drivers for AEAD (GCM, CCM, Chacha20-Poly1305).
1337 Change mbedtls_x509_get_name() to clean up allocated objects on error.
1351 * Fix a bug in which mbedtls_x509_crt_info() would produce non-printable
1358 * In the bignum module, operations of the form (-A) - (+A) or (-A) - (-A)
1361 consequence on cryptography code, but might affect applications that call
1372 to OSS-Fuzz. Fixes #6597.
1375 * Move some SSL-specific code out of libmbedcrypto where it had been placed
1382 * Calling AEAD tag-specific functions for non-AEAD algorithms (which
1383 should not be done - they are documented for use only by AES-GCM and
1387 = Mbed TLS 3.2.1 branch released 2022-07-12
1390 * Re-add missing generated file library/psa_crypto_driver_wrappers.c
1392 = Mbed TLS 3.2.0 branch released 2022-07-11
1400 * The library will no longer compile out of the box on a platform without
1448 * Add mbedtls_pk_sign_ext() which allows generating RSA-PSS signatures when
1464 mixed-PSK. Add an optional input PSA_KEY_DERIVATION_INPUT_OTHER_SECRET
1473 * Add HKDF-Expand and HKDF-Extract as separate algorithms in the PSA API.
1474 * Add support for the ARMv8 SHA-2 acceleration instructions when building
1480 * Add support for client-side TLS version negotiation. If both TLS 1.2 and
1486 establishment only). See docs/architecture/tls13-support.md for a
1494 docs/use-psa-crypto.md for the list of exceptions.
1498 * Opaque pre-shared keys for TLS, provisioned with
1501 for the "mixed" PSK key exchanges as well: ECDHE-PSK, DHE-PSK, RSA-PSK.
1502 * cmake now detects if it is being built as a sub-project, and in that case
1511 * Zeroize dynamically-allocated buffers used by the PSA Crypto key storage
1517 disabled on stdio files, to stop secrets loaded from said files being
1520 * Fix a potential heap buffer overread in TLS 1.2 server-side when
1527 or a man-in-the-middle could cause a DTLS server to read up to 255 bytes
1529 when MBEDTLS_SSL_IN_CONTENT_LEN is less than a threshold that depends on
1557 enabled and an ECDHE-ECDSA or ECDHE-RSA key exchange was used, the
1564 * Fix unit tests that used 0 as the file UID. This failed on some
1571 * Fix a race condition in out-of-source builds with CMake when generated data
1574 on Windows.
1577 the function needs to be re-called after initially returning
1590 * Fix compilation error when using C++ Builder on Windows. Reported by
1612 Finished message on the network cannot be satisfied. Fixes #5499.
1616 on DTLS 1.2 session resumption. After DTLS 1.2 session resumption with
1619 * Fix a null pointer dereference when performing some operations on zero
1623 non-compliant. This could not lead to a buffer overflow. In particular,
1633 make to break on a clean checkout. Fixes #5340.
1643 see docs/proposed/psa-driver-wrappers-codegen-migration-guide.md
1644 * Return PSA_ERROR_INVALID_ARGUMENT if the algorithm passed to one-shot
1648 temporary variable on the heap. Suggested by Sergey Kanatov in #5304.
1649 * Assume source files are in UTF-8 when using MSVC with CMake.
1662 = mbed TLS 3.1.0 branch released 2021-12-17
1673 X.509 parsing, and finally the field fd of mbedtls_net_context on
1674 POSIX/Unix-like platforms.
1677 * Sign-magnitude and one's complement representations for signed integers are
1685 * Remove the partial support for running unit tests via Greentea on Mbed OS,
1696 supported on GCC-like compilers and on MSVC and can be configured through
1705 * Add support for CCM*-no-tag cipher to the PSA.
1706 Currently only 13-byte long IVs are supported.
1707 For decryption a minimum of 16-byte long input is expected.
1715 protocol. See docs/architecture/tls13-support.md for the definition of
1727 man-in-the-middle to inject fake ciphertext into a DTLS connection.
1736 * Fix a double-free that happened after mbedtls_ssl_set_session() or
1744 * The GNU makefiles invoke python3 in preference to python except on Windows.
1745 The check was accidentally not performed when cross-compiling for Windows
1746 on Linux. Fix this. Fixes #4774.
1753 * Fix missing constraints on x86_64 and aarch64 assembly code
1757 * Fix mbedtls_cipher_crypt: AES-ECB when MBEDTLS_USE_PSA_CRYPTO is enabled.
1758 * Failures of alternative implementations of AES or DES single-block
1762 where this function cannot fail, or full-module replacements with
1767 * Fix compile-time or run-time errors in PSA
1771 psa_aead_finish() and psa_aead_verify() does not apply to the built-in
1774 the built-in implementation of the GCM.
1776 input buffer size is valid only for the built-in implementation of GCM.
1790 * Fix issue in Makefile on Linux with SHARED=1, that caused shared libraries
1810 oversight during the run-up to the release of Mbed TLS 3.0.
1812 * Implement multi-part CCM API.
1813 The multi-part functions: mbedtls_ccm_starts(), mbedtls_ccm_set_lengths(),
1819 * Remove MBEDTLS_SSL_EXPORT_KEYS, making it always on and increasing the
1820 code size by about 80B on an M0 build. This option only gated an ability
1823 * Improve the performance of base64 constant-flow code. The result is still
1824 slower than the original non-constant-flow implementation, but much faster
1825 than the previous constant-flow implementation. Fixes #4814.
1826 * Ignore plaintext/ciphertext lengths for CCM*-no-tag operations.
1830 ChaCha20-Poly1305 is invalid, and not just unsupported.
1837 * The generated configuration-independent files are now automatically
1838 generated by the CMake build system on Unix-like systems. This is not
1839 yet supported when cross-compiling.
1841 = Mbed TLS 3.0.0 branch released 2021-07-07
1850 https://mbed-tls.readthedocs.io/en/latest/kb/how-to/add-entropy-sources-to-entropy-pool/ for
1854 header compat-1.3.h and the script rename.pl.
1873 * Drop support for TLS record-level compression (MBEDTLS_ZLIB_SUPPORT).
1875 * Drop support for single-DES ciphersuites.
1878 API version 1.0 spec. This version of the spec parameterizes them on the
1879 key type used, as well as the key bit-size in the case of
1894 when outputting a SHA-384 or SHA-224 hash into a buffer of exactly
1897 * The interface of the GCM module has changed to remove restrictions on
1915 session-ID based session resumption) has changed to that of
1916 a key-value store with keys being session IDs and values
1930 * For multi-part AEAD operations with the cipher module, calling
1932 was unclear on this point, and this function happened to never do
1935 * The option MBEDTLS_ECP_FIXED_POINT_OPTIM use pre-computed comb tables
1977 context are now connection-specific.
1986 * Implement one-shot cipher functions, psa_cipher_encrypt and
1999 They are: ARIA block cipher, CMAC mode, elliptic curve J-PAKE library and
2000 Key Wrapping mode as defined in NIST SP 800-38F. Fixes #4036.
2012 release, some configuration-independent files are now generated at build
2023 compile-time option, which was off by default. Users should not trust
2024 certificates signed with SHA-1 due to the known attacks against SHA-1.
2025 If needed, SHA-1 certificates can still be verified by using a custom
2032 More details on PKCS#11 wrapper removal can be found in the mailing list
2033 https://lists.trustedfirmware.org/pipermail/mbed-tls/2020-April/000024.html
2037 compile-time option. This option has been inactive for a long time.
2040 * Remove the following deprecated functions and constants of hex-encoded
2041 primes based on RFC 5114 and RFC 3526 from library code and tests:
2066 * The RSA module no longer supports private-key operations with the public
2095 now determined automatically based on supported curves.
2106 using a CCM-8 ciphersuite than a CBC ciphersuite with truncated HMAC.
2108 * Remove the compile-time option
2116 * Added support for built-in driver keys through the PSA opaque crypto
2120 * The multi-part GCM interface (mbedtls_gcm_update() or
2123 * The multi-part GCM interface now supports chunked associated data through
2128 modules had undocumented constraints on their context types. These
2130 See docs/architecture/alternative-implementations.md for the remaining
2133 query the size of the modulus in a Diffie-Hellman context.
2135 Diffie-Hellman context.
2143 * Fix a bias in the generation of finite-field Diffie-Hellman-Merkle (DHM)
2155 victim performing a single private-key operation. Found and reported by
2158 information (typically, a co-located process) could recover a Curve25519
2160 observing the victim performing the corresponding private-key operation.
2178 * Fix a bug in ECDSA that would cause it to fail when the hash is all-bits
2183 mbedtls_mpi_read_string() was called on "-0", or when
2189 * In a TLS client, enforce the Diffie-Hellman minimum parameter size
2200 * The cipher suite TLS-RSA-WITH-CAMELLIA-256-GCM-SHA384 was not available
2201 when SHA-1 was disabled and was offered when SHA-1 was enabled but SHA-384
2203 * Do not offer SHA384 cipher suites when SHA-384 is disabled. Fixes #4499.
2204 * Fix test suite code on platforms where int32_t is not int, such as
2205 Arm Cortex-M. Fixes #4530.
2207 directive in a header and a missing initialization in the self-test.
2208 * Fix a missing initialization in the Camellia self-test, affecting
2215 (when the encrypt-then-MAC extension is not in use) with some ALT
2216 implementations of the underlying hash (SHA-1, SHA-256, SHA-384), causing
2218 * Remove outdated check-config.h check that prevented implementing the
2219 timing module on Mbed OS. Fixes #4633.
2223 MBEDTLS_ERR_NET_POLL_FAILED on Windows. Fixes #4465.
2226 * Fix a crash in mbedtls_mpi_debug_mpi on a bignum having 0 limbs. This
2230 * psa_verify_hash() was relying on implementation-specific behavior of
2241 Credit to OSS-Fuzz. Fixes #4641.
2243 effect on Mbed TLS's internal use of mbedtls_mpi_gcd(), but may affect
2246 read-only lifetime. The persistence level PSA_KEY_PERSISTENCE_READ_ONLY
2253 applicable RFC: on an invalid Finished message value, an
2267 * Remove configs/config-psa-crypto.h, which no longer had any intended
2271 * Fix build failure on MinGW toolchain when __USE_MINGW_ANSI_STDIO is on.
2272 When that flag is on, standard GNU C printf format specifiers
2307 = mbed TLS 2.26.0 branch released 2021-03-08
2361 length, or when the entropy module uses SHA-256 and CTR_DRBG uses AES-256.
2367 |A| - |B| where |B| is larger than |A| and has more limbs (so the
2384 * Fix use-after-scope error in programs/ssl/ssl_client2.c and ssl_server2.c
2385 * Fix memory leak that occurred when calling psa_close_key() on a
2390 is enabled, on platforms where initializing a mutex allocates resources.
2395 fail. Such a double-free was not safe when MBEDTLS_THREADING_C was
2396 enabled on platforms where freeing a mutex twice is not safe.
2397 * Fix a resource leak in a bad-arguments case of mbedtls_rsa_gen_key()
2398 when MBEDTLS_THREADING_C is enabled on platforms where initializing
2406 used to validate digital signatures on certificates and MUST mark the
2408 the extension was always marked as non-critical. This was fixed by
2415 * On recent enough versions of FreeBSD and DragonFlyBSD, the entropy module
2418 = mbed TLS 2.25.0 branch released 2020-12-11
2430 mbedtls_cipher_auth_decrypt_ext() instead. Credit to OSS-Fuzz and
2435 warning on CMake 3.19.0. #3801
2455 This is currently non-standard behaviour, but expected to make it into a
2462 * Add support for DTLS-SRTP as defined in RFC 5764. Contributed by Johan
2466 identical to psa_key_id_t instead of being platform-defined. This bridges
2481 execution depending on the location of the output buffer.
2484 generating Diffie-Hellman key pairs. Credit to OSS-Fuzz.
2488 are implemented. This could cause failures or the silent use of non-random
2492 * Fix a compliance issue whereby we were not checking the tag on the
2520 * Use socklen_t on Android and other POSIX-compliant system
2521 * Fix the build when the macro _GNU_SOURCE is defined to a non-empty value.
2523 * Consistently return PSA_ERROR_INVALID_ARGUMENT on invalid cipher input
2531 an ECC key pair on Curve25519 or secp244k1.
2535 * Fix handling of EOF against 0xff bytes and on platforms with unsigned
2536 chars. Fixes a build failure on platforms where char is unsigned. Fixes
2538 * Fix an off-by-one error in the additional data length check for
2539 CCM, which allowed encryption with a non-standard length field.
2543 * Make arc4random_buf available on NetBSD and OpenBSD when _POSIX_C_SOURCE is
2548 * Attempting to create a volatile key with a non-zero key identifier now
2553 * Fix build failures on GCC 11. Fixes #3782.
2557 * Fix a case in elliptic curve arithmetic where an out-of-memory condition
2567 option on. In this configuration key management methods that are required
2576 must be erased, or manually upgraded based on the key storage format
2577 specification (docs/architecture/mbed-crypto-storage-specification.md).
2581 zeroize the pointed-to buffer. Reported by Antonio de la Piedra, CEA
2584 = mbed TLS 2.24.0 branch released 2020-09-01
2587 * In the PSA API, rename the types of elliptic curve and Diffie-Hellman
2604 * Support building on e2k (Elbrus) architecture: correctly enable
2605 -Wformat-signedness, and fix the code that causes signed-one-bit-field
2606 and sign-compare warnings. Contributed by makise-homura (Igor Molchanov)
2615 attacker could for example impersonate a 4-byte or 16-byte domain by
2622 available. In particular, on builds without MBEDTLS_HAVE_TIME_DATE,
2623 certificates were never considered as revoked. On builds with
2631 Encrypt-then-Mac extension, use constant code flow memory access patterns
2634 effective against network-based attackers, but less so against local
2636 if they have access to fine-grained measurements. In particular, this
2640 * Fix side channel in RSA private key operations and static (finite-field)
2641 Diffie-Hellman. An adversary with precise enough timing and memory access
2643 enclave) could bypass an existing counter-measure (base blinding) and
2645 * Fix a 1-byte buffer overread in mbedtls_x509_crl_parse_der().
2646 Credit to OSS-Fuzz for detecting the problem and to Philippe Antoine
2660 Montgomery keys in little-endian as defined by RFC7748. Contributed by
2663 curves. Raised by signpainter in #941 and by Taiki-San in #1412. This
2665 * Fix self-test failure when the only enabled short Weierstrass elliptic
2669 * Use arc4random_buf on NetBSD instead of rand implementation with cyclical
2673 * Fix bug in redirection of unit test outputs on platforms where stdout is
2677 * Only pass -Wformat-signedness to versions of GCC that support it. Reported
2680 previously could lead to stack overflow on constrained devices.
2692 these applications with password-protected key files. Analogously but for
2697 = mbed TLS 2.23.0 branch released 2020-07-01
2704 instead of the keys' lifetime. If the library is upgraded on an existing
2710 high- and low-level error codes, complementing mbedtls_strerror()
2714 * The new utility programs/ssl/ssl_context_info prints a human-readable
2724 * Added support to entropy_poll for the kern.arandom syscall supported on
2731 Ming-Wei Shih, Prasun Gera, Taesoo Kim and Hyesoon Kim (Georgia Institute
2742 * Fix issue in Lucky 13 counter-measure that could make it ineffective when
2761 * Fix potential linker errors on dual world platforms by inlining
2776 * Fix building library/net_sockets.c and the ssl_mail_client program on
2778 * Fix false positive uninitialised variable reported by cpp-check.
2787 clean of -Wformat-signedness warnings. Contributed by Kenneth Soerensen
2789 * Fix minor performance issue in operations on Curve25519 caused by using a
2799 * Fix mbedtls_x509_dn_gets to escape non-ASCII characters as "?".
2806 * The unit tests now rely on header files in framework/tests/include/test and source
2810 * The ECP module, enabled by `MBEDTLS_ECP_C`, now depends on
2811 `MBEDTLS_CTR_DRBG_C` or `MBEDTLS_HMAC_DRBG_C` for some side-channel
2820 = mbed TLS 2.22.0 branch released 2020-04-14
2841 Billy Brumley and Cesar Pereida Garcia. CVE-2020-10932
2867 = mbed TLS 2.21.0 branch released 2020-02-20
2873 * Deprecate for MBEDTLS_PKCS11_C, the wrapper around the pkcs11-helper
2880 probability (of the order of 2^-n where n is the bitsize of the curve)
2888 ARMmbed/mbed-crypto#352
2891 * The new build option MBEDTLS_SHA512_NO_SHA384 allows building SHA-512
2892 support without SHA-384.
2901 PSA_ECC_CURVE_SECP_R1 with 256 bits is P256R1). ARMmbed/mbed-crypto#330
2907 * Fix some false-positive uninitialized variable warnings in X.509. Fix
2908 contributed by apple-ihack-geek in #2663.
2910 a cryptographic accelerator fails. ARMmbed/mbed-crypto#345
2913 keys. Found by Catena cyber using oss-fuzz (issue 20467).
2917 = mbed TLS 2.20.0 branch released 2020-01-15
2929 default configuration, on a platform with a single entropy source, the
2947 timings on the comparison in the key generation enabled the attacker to
2959 initial seeding. The default nonce length is chosen based on the key size
2960 to achieve the security strength defined by NIST SP 800-90A. You can
2963 msopiha-linaro in ARMmbed/mbed-crypto#307.
2966 * In the PSA API, forbid zero-length keys. To pass a zero-length input to a
2980 unsupported algorithm. Fixes ARMmbed/mbed-crypto#254.
2982 to OSS-Fuzz for finding a bug in an intermediate version of the fix.
2998 merely a robustness improvement. ARMmbed/mbed-crypto#323
3000 Alexander Krizhanovsky in ARMmbed/mbed-crypto#210.
3002 Lloyd and Fortanix Inc in ARMmbed/mbed-crypto#277.
3004 Alexander Krizhanovsky in ARMmbed/mbed-crypto#308.
3006 = mbed TLS 2.19.1 branch released 2019-09-16
3020 * Fix some false-positive uninitialized variable warnings in crypto. Fix
3021 contributed by apple-ihack-geek in #2663.
3023 = mbed TLS 2.19.0 branch released 2019-09-06
3032 about 1 bit of information on average and could cause the value to be
3034 * The deterministic ECDSA calculation reused the scheme's HMAC-DRBG to
3043 store it in non-volatile storage, and later using it for TLS session
3048 The feature is enabled at compile-time by MBEDTLS_SSL_RECORD_CHECKING
3051 (https://project-everest.github.io/). It can be enabled at compile time
3053 verified and significantly faster, but is only supported on x86 platforms
3054 (32-bit and 64-bit) using GCC, Clang or Visual Studio. Contributed by
3062 * Add DER-encoded test CRTs to library/certs.c, allowing
3069 mbedtls_ecdh_can_do() on each result to check whether each algorithm is
3083 lead to successful parsing of ill-formed X.509 CRTs. Fixes #2437.
3084 * Fix multiple X.509 functions previously returning ASN.1 low-level error
3089 * Fix typo in net_would_block(). Fixes #528 reported by github-monoculture.
3091 * Fix build failure when building with mingw on Windows by including
3105 * Fix the build on ARMv5TE in ARM mode to not use assembly instructions
3110 address-sanitizer and enabling but not using MBEDTLS_ECP_RESTARTABLE.
3113 * Improve code clarity in x509_crt module, removing false-positive
3114 uninitialized variable warnings on some recent toolchains (GCC8, etc).
3117 functionally incorrect code on bigendian systems which don't have
3121 * Replace multiple uses of MD2 by SHA-256 in X.509 test suite. Fixes #821.
3125 * Add a Dockerfile and helper scripts (all-in-docker.sh, basic-in-docker.sh,
3126 docker-env.sh) to simplify running test suites on a Linux host. Contributed
3129 test runs without variability. Contributed by Philippe Antoine (Catena
3132 * Adds fuzz targets, especially for continuous fuzzing with OSS-Fuzz.
3138 = mbed TLS 2.18.1 branch released 2019-07-12
3141 * Fix build failure when building with mingw on Windows by including
3148 = mbed TLS 2.18.0 branch released 2019-06-11
3155 * Add the Wi-SUN Field Area Network (FAN) device extended key usage.
3157 * It is now possible to perform RSA PKCS v1.5 signatures with RIPEMD-160 digest.
3160 and the used tls-prf.
3161 * Add public API for tls-prf function, according to requested enum.
3170 * Add support for draft-05 of the Connection ID extension, as specified
3171 in https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05.
3176 changed its IP or port. The feature is enabled at compile-time by setting
3177 MBEDTLS_SSL_DTLS_CONNECTION_ID (disabled by default), and at run-time
3183 and the used tls-prf.
3184 * Add public API for tls-prf function, according to requested enum.
3193 * Fix 1-byte buffer overflow in mbedtls_mpi_write_string() when
3195 OSS-Fuzz.
3210 sequence on failure. Found and fix suggested by Philippe Antoine.
3211 Credit to OSS-Fuzz.
3214 * Server's RSA certificate in certs.c was SHA-1 signed. In the default
3215 mbedTLS configuration only SHA-2 signed certificates are accepted.
3219 updated to one that is SHA-256 signed. Fix contributed by
3230 = mbed TLS 2.17.0 branch released 2019-03-19
3234 which allows copy-less parsing of DER encoded X.509 CRTs,
3235 at the cost of additional lifetime constraints on the input
3247 for the benefit of saving RAM, by disabling the new compile-time
3268 previously lead to a stack overflow on constrained targets.
3275 * Fix signed-to-unsigned integer conversion warning
3292 instead of relying on other header files that they include.
3298 for platforms that don't provide it. Based on contributions by Joris Aerts
3307 * Fix configuration queries in ssl-opt.sh. #2030
3308 * Ensure that ssl-opt.sh can be run in OS X. #2029
3309 * Re-enable certain interoperability tests in ssl-opt.sh which had previously
3310 been disabled for lack of a sufficiently recent version of GnuTLS on the CI.
3311 * Ciphersuites based on 3DES now have the lowest priority by default when
3314 = mbed TLS 2.16.0 branch released 2018-12-21
3320 changed, but requirements on parameters have been made more explicit in
3332 mbedtls_ctr_drbg_update() -> mbedtls_ctr_drbg_update_ret()
3333 mbedtls_hmac_drbg_update() -> mbedtls_hmac_drbg_update_ret()
3337 the more generic per-module error codes MBEDTLS_ERR_xxx_BAD_INPUT_DATA.
3339 modules - AES, ARIA, Blowfish, CAMELLIA, CCM, GCM, DHM, ECP, ECDSA, ECDH,
3365 on some toolchains. Reported by phoenixmcallister. Fixes #2170.
3371 = mbed TLS 2.15.1 branch released 2018-11-30
3376 = mbed TLS 2.15.0 branch released 2018-11-23
3386 * Add unit tests for AES-GCM when called through mbedtls_cipher_auth_xxx()
3389 = mbed TLS 2.14.1 branch released 2018-11-30
3393 decryption that could lead to a Bleichenbacher-style padding oracle
3394 attack. In TLS, this affects servers that accept ciphersuites based on
3400 in the paper available here: http://cat.eyalro.net/cat.pdf CVE-2018-19608
3408 * Wipe sensitive buffers on the stack in the CTR_DRBG and HMAC_DRBG
3418 = mbed TLS 2.14.0 branch released 2018-11-19
3429 space and a PSK-(EC)DHE ciphersuite was used, this allowed an attacker
3434 adversary to construct non-primes that would be erroneously accepted as
3435 primes with high probability. This does not have an impact on the
3439 pairs or Diffie-Hellman parameters, but was insufficient to validate
3440 Diffie-Hellman parameters properly.
3447 constrained, single-threaded systems where ECC is time consuming and can
3453 implemented client-side, for ECDHE-ECDSA ciphersuites in TLS 1.2,
3456 operations. On CPUs where the extensions are available, they can accelerate
3459 * Extend RSASSA-PSS signature to allow a smaller salt size. Previously, PSS
3463 that comply with FIPS 186-4, including SHA-512 with a 1024-bit key.
3464 * Add support for 128-bit keys in CTR_DRBG. Note that using keys shorter
3483 Miller-Rabin rounds.
3496 padded records in case of CBC ciphersuites using Encrypt-then-MAC.
3507 wildcards and non-ASCII characters being unusable in some DN attributes.
3509 Thomas-Dee.
3513 Reported by ole-de and ddhome2006. Fixes #882, #1642 and #1706.
3519 test the handling of large packets and small packets on the client side
3520 in the same way as on the server side.
3533 Thomas-Dee.
3535 Fixes #517 reported by github-monoculture.
3538 by FIPS-186-4.
3540 = mbed TLS 2.13.1 branch released 2018-09-06
3544 whose implementation should behave as a thread-safe version of gmtime().
3551 * Fix build failures on platforms where only gmtime() is available but
3554 = mbed TLS 2.13.0 branch released 2018-08-31
3565 with the peer, as well as by a new per-connection MTU option, set using
3567 * Add support for auto-adjustment of MTU to a safe value during the
3572 * Add support for buffering out-of-order handshake messages in DTLS.
3574 compile-time constant MBEDTLS_SSL_DTLS_MAX_BUFFERING defined
3593 * Fix potential use-after-free in mbedtls_ssl_get_max_frag_len()
3604 (found by Catena cyber using oss-fuzz)
3616 * Add support for buffering of out-of-order handshake messages.
3621 = mbed TLS 2.12.0 branch released 2018-07-25
3624 * Fix a vulnerability in TLS ciphersuites based on CBC and using SHA-384,
3632 or CCM instead of CBC, using hash sizes other than SHA-384, or using
3633 Encrypt-then-Mac (RFC 7366) were not affected. The vulnerability was
3634 caused by a miscalculation (for SHA-384) in a countermeasure to the
3637 * Fix a vulnerability in TLS ciphersuites based on CBC, in (D)TLS 1.0 to
3638 1.2, that allowed a local attacker, able to execute code on the local
3645 instead of CBC or using Encrypt-then-Mac (RFC 7366) were not affected.
3647 * Add a counter-measure against a vulnerability in TLS ciphersuites based
3648 on CBC, in (D)TLS 1.0 to 1.2, that allowed a local attacker, able to
3649 execute code on the local machine as well as manipulate network packets,
3653 Encrypt-then-Mac (RFC 7366) were not affected. Found by Kenny Paterson,
3657 * Add new crypto primitives from RFC 7539: stream cipher Chacha20, one-time
3658 authenticator Poly1305 and AEAD construct Chacha20-Poly1305. Contributed
3660 * Add support for CHACHA20-POLY1305 ciphersuites from RFC 7905.
3661 * Add platform support for the Haiku OS. (https://www.haiku-os.org).
3668 * Add support for key wrapping modes based on AES as defined by
3669 NIST SP 800-38F algorithms KW and KWP and by RFC 3394 and RFC 5649.
3674 * Fix compilation error on C++, because of a variable named new.
3676 * Fix "no symbols" warning issued by ranlib when building on Mac OS X. Fix
3696 CBC based ciphersuite is used together with Encrypt-then-MAC. Previously,
3699 TLS 1.0. Reported by @kFYatek and by Conor Murphy on the forum. Fix
3701 * Fix ssl_client2 example to send application data with 0-length content
3706 * Fix build using -std=c99. Fixed by Nick Wilson.
3710 zero-length messages when using TLS 1.2. Contributed by Espressif Systems.
3712 when calling with a NULL salt and non-zero salt_len. Contributed by
3716 * Allow overriding the time on Windows via the platform-time abstraction.
3718 * Use gmtime_r/gmtime_s for thread-safety. Fixed by Nick Wilson.
3720 = mbed TLS 2.11.0 branch released 2018-06-18
3725 * Implement the HMAC-based extract-and-expand key derivation function
3728 * Add support for the XTS block cipher mode with AES (AES-XTS).
3732 non-blocking operation of the TLS server stack.
3739 * Fix compilation warnings with IAR toolchain, on 32 bit platform.
3749 = mbed TLS 2.10.0 branch released 2018-06-06
3768 build to fail. Found by zv-io. Fixes #1651.
3771 * Support TLS testing in out-of-source builds using cmake. Fixes #1193.
3775 = mbed TLS 2.9.0 branch released 2018-04-30
3782 would require a non DER-compliant certificate to be correctly signed by a
3783 trusted CA, or a trusted CA with a non DER-compliant certificate. Found by
3791 * Fix a client-side bug in the validation of the server's ciphersuite choice
3813 This function is necessary to determine when it is safe to idle on the
3814 underlying transport in case event-driven IO is used.
3820 in configurations that omit certain hashes or public-key algorithms.
3827 * Fix the Makefile build process for building shared libraries on Mac OS X.
3832 * Return the plaintext data more quickly on unpadded CBC decryption, as
3842 in the internal buffers; these cases led to deadlocks when event-driven
3859 public-key algorithms. Includes contributions by Gert van Dijk.
3879 letter must not be prefixed by '-', such as LLVM. Found and fixed by
3883 * Optimize unnecessary zeroing in mbedtls_mpi_copy. Based on a contribution
3889 HMAC functions with non-HMAC ciphersuites. Independently contributed
3892 FIPS 186-4. Contributed by Jethro Beekman. #1380
3900 = mbed TLS 2.8.0 branch released 2018-03-16
3914 implementation allowed an offline 2^80 brute force attack on the
3920 a crash on invalid input.
3922 crash on invalid input.
3930 uses PBKDF2-SHA2, such as OpenSSL 1.1. Submitted by Antonio Quartulli,
3941 * Fix test_suite_pk to work on 64-bit ILP32 systems. #849
3951 * Fix compilation error on Mingw32 when _TRUNCATE is defined. Use _TRUNCATE
3953 Nick Wilson on issue #355
3962 that could cause a key exchange to fail on valid data.
3964 could cause a key exchange to fail on valid data.
3967 * Fix a 1-byte heap buffer overflow (read-only) during private key parsing.
3976 a migration path for those depending on the library's ABI.
3981 = mbed TLS 2.7.0 branch released 2018-02-03
3987 6 bytes on the peer's heap, which could potentially lead to crash or remote
3989 both TLS and DTLS. CVE-2018-0488
3990 * Fix a buffer overflow in RSA-PSS verification when the hash was too large
3993 Qualcomm Technologies Inc. CVE-2018-0487
3994 * Fix buffer overflow in RSA-PSS verification when the unmasked data is all
4002 latter overflows. The exploitability of this issue depends on whether the
4004 was independently reported by Tim Nordell via e-mail and by Florin Petriuc
4005 and sjorsdewit on GitHub. Fix proposed by Florin Petriuc in #1022.
4015 * Make mbedtls_mpi_read_binary() constant-time with respect to the input
4021 * Fix a potential heap buffer over-read in ALPN extension parsing
4022 (server-side). Could result in application crash, but only if an ALPN
4023 name larger than 16 bytes had been configured on the server.
4025 to RFC 3526 containing parameters generated in a nothing-up-my-sleeve
4030 * The selftest program can execute a subset of the tests based on command
4032 * New unit tests for timing. Improve the self-test to be more robust
4033 when run on a heavily-loaded machine.
4055 * Extend RSA interface by multiple functions allowing structure-
4068 mbedtls_<MODULE>_starts() -> mbedtls_<MODULE>_starts_ret()
4069 mbedtls_<MODULE>_update() -> mbedtls_<MODULE>_update_ret()
4070 mbedtls_<MODULE>_finish() -> mbedtls_<MODULE>_finish_ret()
4071 mbedtls_<MODULE>_process() -> mbedtls_internal_<MODULE>_process()
4074 * Deprecate usage of RSA primitives with non-matching key-type
4099 renegotiated handshakes would only accept signatures using SHA-1
4100 regardless of the peer's preferences, or fail if SHA-1 was disabled.
4102 dates on leap years with 100 and 400 intervals are handled correctly. Found
4104 * Fix some invalid RSA-PSS signatures with keys of size 8N+1 that were
4106 * Fix out-of-memory problem when parsing 4096-bit PKCS8-encrypted RSA keys.
4119 * Correct extraction of signature-type from PK instance in X.509 CRT and CSR
4123 non-v3 CRT's.
4128 MBEDTLS_SSL_RENEGOTIATION is disabled. Found by erja-gp.
4131 * Fix word size check in pk.c to not depend on MBEDTLS_HAVE_INT64.
4133 * Add size-checks for record and handshake message content, securing
4134 fragile yet non-exploitable code-paths.
4137 * Fix mbedtls_timing_alarm(0) on Unix and MinGW.
4155 mbedtls_sha512_init() is called before operating on the relevant context
4157 reset it. Found independently by ccli8 on Github.
4169 on GitHub.
4170 * Only run AES-192 self-test if AES-192 is available. Fixes #963.
4172 undeclared dependency of the RSA module on the ASN.1 module.
4181 * Add explicit warnings for the use of MD2, MD4, MD5, SHA-1, DES and ARC4
4184 = mbed TLS 2.6.0 branch released 2017-08-10
4200 platform-specific setup and teardown operations. The macro
4212 * Certificate verification functions now set flags to -1 in case the full
4225 * Fix a resource leak on Windows platforms in mbedtls_x509_crt_parse_path(),
4229 * Fix conditional preprocessor directives in bignum.h to enable 64-bit
4233 to bypass the version verification check. Found by Peng Li/Yueh-Hsun Lin,
4237 to bypass the version verification check. Found by Peng Li/Yueh-Hsun Lin,
4249 64-bit division. This is useful on embedded platforms where 64-bit division
4250 created a dependency on external libraries. #708
4255 config-no-entropy.h to reduce the RAM footprint.
4260 = mbed TLS 2.5.1 released 2017-06-21
4263 * Fixed unlimited overread of heap-based buffer in mbedtls_ssl_read().
4264 The issue could only happen client-side with renegotiation enabled.
4268 * Removed SHA-1 and RIPEMD-160 from the default hash algorithms for
4269 certificate verification. SHA-1 can be turned back on with a compile-time
4274 potential Bleichenbacher/BERserk-style attack.
4279 and with GCC using the -Wpedantic compilation option.
4280 * Fix insufficient support for signature-hash-algorithm extension,
4307 by Jean-Philippe Aumasson.
4309 = mbed TLS 2.5.0 branch released 2017-05-17
4316 against side-channel attacks like the cache attack described in
4335 mbedtls_aes_decrypt() -> mbedtls_internal_aes_decrypt()
4336 mbedtls_aes_encrypt() -> mbedtls_internal_aes_encrypt()
4339 * Remove macros from compat-1.3.h that correspond to deleted items from most
4343 * Add checks in the PK module for the RSA functions on 64-bit systems.
4348 = mbed TLS 2.4.2 branch released 2017-03-08
4352 using RSA through the PK module in 64-bit systems. The issue was caused by
4355 mbedtls_pk_sign(). Found by Jean-Philippe Aumasson.
4364 * Fixed a bug that caused freeing a buffer that was allocated on the stack,
4365 when verifying the validity of a key on secp224k1. This could be
4367 and potentially could lead to remote code execution on some platforms.
4369 team. #569 CVE-2017-2784
4378 mbedtls_ssl_set_bio_timeout in compat-1.3.h, by removing it.
4379 Found by omlib-lin. #673
4400 Li/Yueh-Hsun Lin, KNOX Security, Samsung Research America.
4416 = mbed TLS 2.4.1 branch released 2016-12-13
4419 * Update to CMAC test data, taken from - NIST Special Publication 800-38B -
4423 = mbed TLS 2.4.0 branch released 2016-10-17
4427 with RFC-5116 and could lead to session key recovery in very long TLS
4428 sessions. "Nonce-Disrespecting Adversaries Practical Forgery Attacks on GCM in
4429 TLS" - H. Bock, A. Zauner, S. Devlin, J. Somorovsky, P. Jovanovic.
4437 * Added support for CMAC for AES and 3DES and AES-CMAC-PRF-128, as defined by
4438 NIST SP 800-38B, RFC-4493 and RFC-4615.
4446 * Added a configuration file config-no-entropy.h that configures the subset of
4459 * Fix for key exchanges based on ECDH-RSA or ECDH-ECDSA which weren't
4461 * Fix for out-of-tree builds using CMake. Found by jwurzer, and fix based on
4474 subramanyam-c. #622
4481 Found by subramanyam-c. #626
4489 * Removed self-tests from the basic-built-test.sh script, and added all
4490 missing self-tests to the test suites, to ensure self-tests are only
4493 * Added support for a Yotta specific configuration file -
4495 * Added optimization for code space for X.509/OID based on configured
4504 = mbed TLS 2.3.0 branch released 2016-06-28
4522 arguments where the same (in-place doubling). Found and fixed by Janos
4541 * Fix test in ssl-opt.sh that does not run properly with valgrind
4545 * On ARM platforms, when compiling with -O0 with GCC, Clang or armcc5,
4547 the need to pass -fomit-frame-pointer to avoid a build error with -O0.
4551 * Fix non-compliance server extension handling. Extensions for SSLv3 are now
4554 = mbed TLS 2.2.1 released 2016-01-05
4561 SLOTH attack on TLS 1.2 server authentication (other attacks from the
4566 * Fix over-restrictive length limit in GCM. Found by Andreas-N. #362
4578 = mbed TLS 2.2.0 released 2015-11-04
4584 * Fix potential heap corruption on Windows when
4589 on untrusted input or write keys of untrusted origin. Found by Guido
4591 * The X509 max_pathlen constraint was not enforced on intermediate
4596 * Experimental support for EC J-PAKE as defined in Thread 1.0.0.
4599 block. (Potential uses include EAP-TLS and Thread.)
4602 * Self-signed certificates were not excluded from pathlen counting,
4605 * Fix build error with configurations where ECDHE-PSK is the only key
4607 * Fix build error with configurations where RSA, RSA-PSK, ECDH-RSA or
4608 ECDH-ECDSA is the only key exchange. Multiple reports. #310
4609 * Fixed a bug causing some handshakes to fail due to some non-fatal alerts
4610 not being properly ignored. Found by mancha and Kasom Koht-arsa, #308
4613 minimum key size for end-entity certificates with RSA keys. Found by
4615 * Fix failures in MPI on Sparc(64) due to use of bad assembly code.
4624 or -1.
4626 = mbed TLS 2.1.2 released 2015-10-06
4629 * Added fix for CVE-2015-5291 to prevent heap corruption due to buffer
4632 * Fix potential double-free if mbedtls_ssl_set_hs_psk() is called more than
4641 of TLS, but might be in other uses. On 32 bit machines, requires reading a
4642 string of close to or larger than 1GB to exploit; on 64 bit machines, would
4645 on crafted PEM input data. Found and fix provided by Guido Vranken,
4649 buffer is 512MB or larger on 32-bit platforms. Found by Guido Vranken,
4651 * Fix potential double-free if mbedtls_conf_psk() is called repeatedly on
4670 = mbed TLS 2.1.1 released 2015-09-17
4673 * Add countermeasure against Lenstra's RSA-CRT attack for PKCS#1 v1.5
4675 https://securityblog.redhat.com/2015/09/02/factoring-rsa-keys-with-tls-perfect-forward-secrecy/
4676 * Fix possible client-side NULL pointer dereference (read) when the client
4679 afl-fuzz.)
4683 * Fix off-by-one error in parsing Supported Point Format extension that
4694 MBEDTLS_ERR_SSL_CLIENT_RECONNECT - it is then possible to start a new
4697 = mbed TLS 2.1.0 released 2015-09-04
4705 * Fix build error with CMake and pre-4.5 versions of GCC (found by Hugo
4713 * Fix compile error with armcc 5 with --gnu option.
4718 * Fix missing -static-libgcc when building shared libraries for Windows
4725 result trying to unlock an unlocked mutex on invalid input (found by
4727 * Fix -Wshadow warnings (found by hnrkp) (#240)
4728 * Fix memory corruption on client with overlong PSK identity, around
4729 SSL_MAX_CONTENT_LEN or higher - not triggerable remotely (found by
4737 * It is now possible to #include a user-provided configuration file at the
4738 end of the default config.h by defining MBEDTLS_USER_CONFIG_FILE on the
4741 trusted, no later cert is checked. (suggested by hannes-landeholm)
4748 = mbed TLS 2.0.0 released 2015-07-13
4755 * New server-side implementation of session tickets that rotate keys to
4761 * Introduced a concept of presets for SSL security-relevant configuration
4769 Migration helpers scripts/rename.pl and include/mbedtls/compat-1.3.h are
4770 provided. Full list of renamings in scripts/data_files/rename-1.3-2.0.txt
4772 mbedtls_cipher_info_t.key_length -> key_bitlen
4773 mbedtls_cipher_context_t.key_length -> key_bitlen
4774 mbedtls_ecp_curve_info.size -> bit_size
4778 should generally be the first function called on this context after init:
4779 mbedtls_ssl_init() -> mbedtls_ssl_setup()
4780 mbedtls_ccm_init() -> mbedtls_ccm_setkey()
4781 mbedtls_gcm_init() -> mbedtls_gcm_setkey()
4782 mbedtls_hmac_drbg_init() -> mbedtls_hmac_drbg_seed(_buf)()
4783 mbedtls_ctr_drbg_init() -> mbedtls_ctr_drbg_seed()
4789 (see rename.pl and compat-1.3.h above) and their first argument's type
4792 additional callback for read-with-timeout).
4802 * On server, mbedtls_ssl_conf_session_tickets_cb() must now be used in
4811 mbedtls_x509_crt_verify() (flags, f_vrfy -> needs to be updated)
4812 mbedtls_ssl_conf_verify() (f_vrfy -> needs to be updated)
4813 * The following functions changed prototype to avoid an in-out length
4831 * Test certificates in certs.c are no longer guaranteed to be nul-terminated
4860 * Removed compat-1.2.h (helper for migrating from 1.2 to 1.3).
4862 * Configuration options POLARSSL_HAVE_LONGLONG was removed (now always on).
4864 been removed (compiler is required to support 32-bit operations).
4867 * Removed test program ssl_test, superseded by ssl-opt.sh.
4868 * Removed helper script active-config.pl
4874 Semi-API changes (technically public, morally private)
4895 * Default DHM parameters server-side upgraded from 1024 to 2048 bits.
4898 * Negotiation of truncated HMAC is now disabled by default on server too.
4899 * The following functions are now case-sensitive:
4908 * The NET layer now unconditionally relies on getaddrinfo() and select().
4918 * DTLS no longer hard-depends on TIMING_C, but uses a callback interface
4927 thread-safe if MBEDTLS_THREADING_C is enabled.
4928 * Reduced ROM footprint of SHA-256 and added an option to reduce it even
4935 extendedKeyUsage on the leaf certificate was lost (results not accessible
4937 * Add countermeasure against "Lucky 13 strikes back" cache-based attack,
4947 * Add support for id-at-uniqueIdentifier in X.509 names.
4948 * Add support for overriding snprintf() (except on Windows) and exit() in
4953 cross-compilation easier (thanks to Alon Bar-Lev).
4954 * The benchmark program also prints heap usage for public-key primitives
4956 * New script ecc-heap.sh helps measuring the impact of ECC parameters on
4959 reduced configurations (PSK-CCM and NSA suite B).
4961 warnings on use of deprecated functions (with GCC and Clang only).
4963 errors on use of deprecated functions.
4971 once on the same context.
4976 * mpi_size() and mpi_msb() would segfault when called on an mpi that is
4978 * Fix detection of support for getrandom() on Linux (reported by syzzer) by
4991 * Fix potential unintended sign extension in asn1_get_len() on 64-bit
4998 * Add missing dependency on SHA-256 in some x509 programs (reported by
5009 * compat-1.2.h and openssl.h are deprecated.
5012 (contributed by Alon Bar-Lev).
5015 * Move from SHA-1 to SHA-256 in example programs using signatures
5021 * Remove dependency on sscanf() in X.509 parsing modules.
5023 = mbed TLS 1.3.10 released 2015-02-09
5025 * NULL pointer dereference in the buffer-based allocator when the buffer is
5029 * Fix remotely-triggerable uninitialised pointer dereference caused by
5032 * Fix remotely-triggerable memory leak caused by crafted X.509 certificates
5039 Bleichenbacher-style attack in the RSA and RSA-PSK key exchanges
5043 * Add support for FALLBACK_SCSV (draft-ietf-tls-downgrade-scsv).
5044 * Add support for Extended Master Secret (draft-ietf-tls-session-hash).
5045 * Add support for Encrypt-then-MAC (RFC 7366).
5048 * Add compile-time option POLARSSL_X509_MAX_INTERMEDIATE_CA to limit the
5050 * Support for renegotiation can now be disabled at compile-time
5051 * Support for 1/n-1 record splitting, a countermeasure against BEAST.
5052 * Certificate selection based on signature hash, preferring SHA-1 over SHA-2
5053 for pre-1.2 clients when multiple certificates are available.
5054 * Add support for getrandom() syscall on recent Linux kernels with Glibc or
5063 add_len (found by Jean-Philippe Aumasson) (not triggerable remotely).
5072 * Fix unchecked return code in x509_crt_parse_path() on Windows (found by
5079 issue with some servers when a zero-length extension was sent. (Reported
5081 * On a 0-length input, base64_encode() did not correctly set output length
5088 * ssl_set_own_cert() now returns an error on key-certificate mismatch.
5094 * It is now possible to disable negotiation of truncated HMAC server-side
5100 = PolarSSL 1.3.9 released 2014-10-20
5104 * Remotely-triggerable memory leak when parsing some X.509 certificates
5107 * Remotely-triggerable memory leak when parsing crafted ClientHello
5114 * Fix net_accept() regarding non-blocking sockets (found by Luca Pesce).
5116 * Fix warnings from Clang's scan-build (contributed by Alfred Klomp).
5119 * Remove non-existent file from VS projects (found by Peter Vaskovic).
5120 * ssl_read() could return non-application data records on server while
5121 renegotiation was pending, and on client when a HelloRequest was received.
5122 * Server-initiated renegotiation would fail with non-blocking I/O if the
5125 with non-blocking I/O.
5126 * Fix compiler warnings on iOS (found by Sander Niemeijer).
5127 * x509_crt_parse() did not increase total_failed on PEM error
5133 * Ciphersuites using SHA-256 or SHA-384 now require TLS 1.x (there is no
5134 standard defining how to use SHA-2 with SSL 3.0).
5135 * Ciphersuites using RSA-PSK key exchange now require TLS 1.x (the spec is
5136 ambiguous on how to encode some packets with SSL 3.0).
5140 POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE on harmless alerts.
5147 = PolarSSL 1.3.8 released 2014-07-11
5156 * Support for parsing and verifying RSASSA-PSS signatures in the X.509
5163 * Add server-side enforcement of sent renegotiation requests
5170 required on some platforms (e.g. OpenBSD)
5182 * Remove less-than-zero checks on unsigned numbers
5183 * Stricter check on SSL ClientHello internal sizes compared to actual packet
5194 rejected with CBC-based ciphersuites and TLS >= 1.1
5196 to 32 bytes with CBC-based ciphersuites and TLS >= 1.1
5199 * Restore ability to locally trust a self-signed cert that is not a proper
5205 * Fix off-by-one error in parsing Supported Point Format extension that
5207 * Fix possible miscomputation of the premaster secret with DHE-PSK key
5216 = PolarSSL 1.3.7 released on 2014-05-02
5220 * version_check_feature() added to check for compile-time options at
5221 run-time
5228 * AES-NI now compiles with "old" assemblers too
5229 * Ciphersuites based on RC4 now have the lowest priority by default
5242 * On OpenBSD, use arc4random_buf() instead of rand() to prevent warnings
5243 * mpi_fill_random() was creating numbers larger than requested on
5244 big-endian platform when size was not an integer number of limbs
5248 * Fix detection of Clang on some Apple platforms with CMake
5251 = PolarSSL 1.3.6 released on 2014-04-11
5272 This affects certificates in the user-supplied chain except the top
5273 certificate. If the user-supplied chain contains only one certificate,
5292 * dhm_parse_dhm() (hence dhm_parse_dhmfile()) did not set dhm->len.
5293 * Calling pk_debug() on an RSA-alt key would segfault.
5294 * pk_get_size() and pk_get_len() were off by a factor 8 for RSA-alt keys.
5300 = PolarSSL 1.3.5 released on 2014-03-26
5302 * HMAC-DRBG as a separate module
5306 * Ability to force the entropy module to use SHA-256 as its basis
5308 * Testing script ssl-opt.sh added for testing 'live' ssl option
5316 now thread-safe if POLARSSL_THREADING_C defined
5332 * Possible remotely-triggered out-of-bounds memory access fixed (found by
5339 * Fixed testing with out-of-source builds using cmake
5340 * Fixed version-major intolerance in server
5341 * Fixed CMake symlinking on out-of-source builds
5344 * Bignum's MIPS-32 assembly was used on MIPS-64, causing chaos. (Found by
5347 * m_sleep() was sleeping twice too long on most Unix platforms.
5348 * Fixed bug with session tickets and non-blocking I/O in the unlikely case
5361 = PolarSSL 1.3.4 released on 2014-01-27
5364 * Support for RIPEMD-160
5372 * net module handles timeouts on blocking sockets better (found by Tilman
5380 = PolarSSL 1.3.3 released on 2013-12-31
5386 * Support for ECDH-RSA and ECDH-ECDSA key exchanges and ciphersuites
5388 * AES-NI support for AES, AES-GCM and AES key scheduling
5389 * SSL Pthread-based server example added (ssl_pthread_server)
5396 * More constant-time checks in the RSA module
5403 * Fixed bug in mpi_set_bit() on platforms where t_uint is wider than int
5404 * Fixed X.509 hostname comparison (with non-regular characters)
5410 * Fixed x509_crt_parse_path() bug on Windows platforms
5417 * Possible remotely-triggered out-of-bounds memory access fixed (found by
5420 = PolarSSL 1.3.2 released on 2013-11-04
5424 * Support for Camellia-GCM mode and ciphersuites
5427 * Padding checks in cipher layer are now constant-time
5428 * Value comparisons in SSL layer are now constant-time
5435 * Prevent possible alignment warnings on casting from char * to 'aligned *'
5441 * Server-side initiated renegotiations send HelloRequest
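The two 1.3.2 entries about constant-time padding checks and value comparisons describe a class of fix rather than a single function. The following is an added example written for this page, not PolarSSL or Mbed TLS code: a constant-time byte comparison and a constant-time PKCS#7 unpadding routine of the kind the cipher layer needs, where the work done and the branches taken depend only on the public lengths, never on the padding bytes themselves. The helper names (`ct_lt`, `ct_ge`, `ct_memcmp`, `ct_pkcs7_unpad`, `pkcs7_data_len_or_max`) are this example's own, and the sample inputs in the comments are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* All-ones when a < b, else 0. Valid for a, b < 2^63: the borrow out of
 * a - b lands in the top bit, so no branch is needed. */
static uint64_t ct_lt(uint64_t a, uint64_t b)
{
    return 0 - ((a - b) >> 63);
}

/* All-ones when a >= b, else 0. */
static uint64_t ct_ge(uint64_t a, uint64_t b)
{
    return ~ct_lt(a, b);
}

/* 0 when the two buffers are equal, nonzero otherwise. Unlike memcmp() it
 * never exits early, so timing reveals only len, not the position of the
 * first mismatch. This is the shape of the "value comparisons" fix. */
int ct_memcmp(const void *a, const void *b, size_t len)
{
    const unsigned char *pa = a, *pb = b;
    unsigned char diff = 0;
    for (size_t i = 0; i < len; i++)
        diff |= pa[i] ^ pb[i];
    return diff;
}

/* Constant-time PKCS#7 unpadding: the last byte p must be in 1..block_size
 * and the last p bytes must all equal p. Returns 0 and sets *data_len when
 * valid, -1 otherwise. Every byte of the last block is inspected whatever p
 * is, and the only early returns are on the public lengths, so a padding
 * oracle cannot learn where the first bad byte was. */
int ct_pkcs7_unpad(const unsigned char *input, size_t input_len,
                   size_t block_size, size_t *data_len)
{
    if (block_size == 0 || block_size > 255 ||
        input_len == 0 || input_len % block_size != 0)
        return -1;                               /* public lengths only */

    uint64_t pad = input[input_len - 1];
    /* bad: pad == 0 or pad > block_size */
    uint64_t bad = ct_lt(pad, 1) | ct_lt(block_size, pad);

    uint64_t diff = 0;
    for (size_t i = 1; i <= block_size; i++) {
        uint64_t in_pad = ct_ge(pad, i);         /* byte i from the end is padding */
        uint64_t byte   = input[input_len - i];
        diff |= in_pad & (byte ^ pad);           /* mismatch inside the padding */
    }
    bad |= ct_lt(0, diff);                       /* diff != 0 */

    *data_len = (size_t) ((input_len - pad) & ~bad);
    return bad ? -1 : 0;
}

/* Convenience wrapper: data length on valid padding, SIZE_MAX otherwise. */
size_t pkcs7_data_len_or_max(const unsigned char *input, size_t input_len,
                             size_t block_size)
{
    size_t n;
    if (ct_pkcs7_unpad(input, input_len, block_size, &n) != 0)
        return SIZE_MAX;
    return n;
}
```

The important property is that a valid block and a block with one wrong padding byte take the same path through `ct_pkcs7_unpad`; the caller must then also keep the MAC check and the error reporting independent of which of the two failed, otherwise the timing leak simply moves one layer up.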
5443 = PolarSSL 1.3.1 released on 2013-10-15
5446 * Support for ECDHE-PSK key-exchange and ciphersuites
5447 * Support for RSA-PSK key-exchange and ciphersuites
5453 * config.h is more script-friendly
5465 = PolarSSL 1.3.0 released on 2013-10-01
5470 (ECDHE-based ciphersuites)
5472 (ECDSA-based ciphersuites)
5473 * Ability to specify allowed ciphersuites based on the protocol version.
5474 * PSK and DHE-PSK based ciphersuites added
5476 * Buffer-based memory allocator added (no malloc() / free() / HEAP usage)
5483 * Support for zeros-and-length (ANSI X.923) padding, one-and-zeros
5484 (ISO/IEC 7816-4) padding and zero padding in the cipher layer
5497 * Introduced separate SSL Ciphersuites module that is based on
5504 * Client and server now filter sent and accepted ciphersuites on minimum
5513 * Also compiles / runs without time-based functions (!POLARSSL_HAVE_TIME)
5519 * zlib compression/decompression skipped on empty blocks
5524 * RSA blinding on CRT operations to counter timing attacks
5525 (found by Cyril Arnaud and Pierre-Alain Fouque)
5528 = Version 1.2.14 released 2015-05-??
5536 * Add countermeasure against "Lucky 13 strikes back" cache-based attack,
5544 * Fix potential unintended sign extension in asn1_get_len() on 64-bit
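The asn1_get_len() entry names a bug class worth seeing concretely. The following is an added example for this page, not the library's parser: a long-form DER length with four length bytes assembled once with each byte widened to `size_t` before shifting, and once through a 32-bit signed intermediate that is then widened, which on a 64-bit platform turns any length with the top bit set into a huge value. The function names (`der_len4_fixed`, `der_len4_sign_extending`, `der_len4_checked`, `parse_len4`) and the input bytes are this example's own; the buggy variant illustrates the class of mistake, not the exact original code.

```c
#include <stddef.h>
#include <stdint.h>

/* Long-form DER length 0x84 b0 b1 b2 b3 (four length bytes). Each byte is
 * widened to size_t before it is shifted, so no signed intermediate exists.
 * Returns 0 on success, -1 on malformed input. */
int der_len4_fixed(const unsigned char *p, size_t avail, size_t *len)
{
    if (avail < 5 || p[0] != 0x84)
        return -1;
    *len = ((size_t) p[1] << 24) | ((size_t) p[2] << 16) |
           ((size_t) p[3] << 8)  |  (size_t) p[4];
    return 0;
}

/* The bug class: the value is assembled in a 32-bit signed intermediate and
 * only then widened to size_t. For b0 >= 0x80 the intermediate is negative
 * and sign-extends, e.g. 0x80000000 becomes 0xFFFFFFFF80000000 on a 64-bit
 * size_t. (The uint32 -> int32 conversion is implementation-defined in C;
 * it is modular on gcc, clang and MSVC, which is what is illustrated.) */
int der_len4_sign_extending(const unsigned char *p, size_t avail, size_t *len)
{
    if (avail < 5 || p[0] != 0x84)
        return -1;
    uint32_t u = ((uint32_t) p[1] << 24) | ((uint32_t) p[2] << 16) |
                 ((uint32_t) p[3] << 8)  |  (uint32_t) p[4];
    int32_t s = (int32_t) u;            /* negative when the top bit is set */
    *len = (size_t) s;                  /* sign-extended on 64-bit size_t */
    return 0;
}

/* Even a correctly decoded length may exceed the input, so the bounds check
 * against the remaining bytes is what actually protects the caller. */
int der_len4_checked(const unsigned char *p, size_t avail, size_t *len)
{
    if (der_len4_fixed(p, avail, len) != 0)
        return -1;
    if (*len > avail - 5)               /* encoded length overruns the input */
        return -1;
    return 0;
}

/* Wrapper for comparison: decoded length, or SIZE_MAX on error. */
size_t parse_len4(int (*parser)(const unsigned char *, size_t, size_t *),
                  const unsigned char *p, size_t avail)
{
    size_t len;
    if (parser(p, avail, &len) != 0)
        return SIZE_MAX;
    return len;
}
```

A sign-extended length is dangerous in both directions: compared against the buffer it is an obviously oversized value, but arithmetic such as `p + len` wraps around and can land back inside the buffer, so a check of the form `p + len > end` is not a substitute for comparing `len` against `end - p`.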
5547 = Version 1.2.13 released 2015-02-16
5552 * Fix remotely-triggerable uninitialised pointer dereference caused by
5555 * Fix remotely-triggerable memory leak caused by crafted X.509 certificates
5568 add_len (found by Jean-Philippe Aumasson) (not triggerable remotely).
5569 * Fix bug in MPI/bignum on s390/s390x (reported by Dan Horák) (introduced
5571 * Fix unchecked return code in x509_crt_parse_path() on Windows (found by
5578 issue with some servers when a zero-length extension was sent. (Reported
5580 * On a 0-length input, base64_encode() did not correctly set output length
5586 * Add compile-time option POLARSSL_X509_MAX_INTERMEDIATE_CA to limit the
5588 = Version 1.2.12 released 2014-10-24
5591 * Remotely-triggerable memory leak when parsing some X.509 certificates
5599 with non-blocking I/O.
5600 * x509_crt_parse() did not increase total_failed on PEM error
5601 * Fix compiler warnings on iOS (found by Sander Niemeijer).
5603 * Fix net_accept() regarding non-blocking sockets (found by Luca Pesce).
5604 * ssl_read() could return non-application data records on server while
5605 renegotiation was pending, and on client when a HelloRequest was received.
5606 * Fix warnings from Clang's scan-build (contributed by Alfred Klomp).
5612 POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE on harmless alerts.
5615 = Version 1.2.11 released 2014-07-11
5643 * Fixed X.509 hostname comparison (with non-regular characters)
5646 * Fixed x509_crt_parse_path() bug on Windows platforms
5656 * Fixed testing with out-of-source builds using cmake
5657 * Fixed version-major intolerance in server
5658 * Fixed CMake symlinking on out-of-source builds
5659 * Bignum's MIPS-32 assembly was used on MIPS-64, causing chaos. (Found by
5672 * On OpenBSD, use arc4random_buf() instead of rand() to prevent warnings
5673 * mpi_fill_random() was creating numbers larger than requested on
5674 big-endian platform when size was not an integer number of limbs
5676 * Stricter check on SSL ClientHello internal sizes compared to actual packet
5685 = Version 1.2.10 released 2013-10-07
5687 * Changed RSA blinding to a slower but thread-safe version
5694 = Version 1.2.9 released 2013-10-01
5704 * Fixed potential heap buffer overflow on large hostname setting
5706 * RSA blinding on CRT operations to counter timing attacks
5707 (found by Cyril Arnaud and Pierre-Alain Fouque)
5709 = Version 1.2.8 released 2013-06-19
5713 * Centralized module option values in config.h to allow user-defined
5731 * Fixed const correctness issues that have no impact on the ABI
5738 * Fixed values for 2-key Triple DES in cipher layer
5743 PEM-encoded certificates has been fixed (found by Jack Lloyd)
5745 = Version 1.2.7 released 2013-04-13
5747 * Ability to specify allowed ciphersuites based on the protocol version.
5750 * Default Blowfish keysize is now 128-bits
5757 = Version 1.2.6 released 2013-03-11
5760 * Corrected GCM counter incrementation to use only 32-bits instead of
5761 128-bits (found by Yawning Angel)
5762 * Fixes for 64-bit compilation with MS Visual Studio
5763 * Fixed net_bind() for specified IP addresses on little endian systems
5772 * Re-added handling for SSLv2 Client Hello when the define
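The GCM counter entry above is about a detail of NIST SP 800-38D that interoperability depends on: the counter block is only ever advanced with inc32, which increments the rightmost 32 bits modulo 2^32 and leaves the leftmost 96 bits (the IV part of J0 for a 96-bit IV) untouched. The following is an added example for this page, not library code: the correct increment next to the whole-block increment the 1.2.6 fix replaced, plus a small check of whether the IV part survives. The function names (`gcm_inc32`, `inc128_wrong`, `iv_survives`, `low_word_after`) and the IV bytes are this example's own.

```c
#include <stdint.h>
#include <string.h>

/* inc32 from SP 800-38D: add one to the rightmost 32 bits, modulo 2^32.
 * A carry out of byte 12 is dropped; bytes 0..11 are never touched. */
void gcm_inc32(unsigned char ctr[16])
{
    for (int i = 15; i >= 12; i--)
        if (++ctr[i] != 0)
            break;
}

/* The behaviour the 1.2.6 entry corrected, shown for contrast: treating the
 * whole block as a 128-bit big-endian integer lets a carry out of the low
 * word modify the IV part, producing keystream no conforming peer can
 * reproduce. */
void inc128_wrong(unsigned char ctr[16])
{
    for (int i = 15; i >= 0; i--)
        if (++ctr[i] != 0)
            break;
}

/* Constructed 96-bit IV used for the checks below. */
static const unsigned char example_iv[12] = {
    0xca, 0xfe, 0xba, 0xbe, 0xfa, 0xce, 0xdb, 0xad, 0xde, 0xca, 0xf8, 0x88
};

/* Builds the counter block IV || low, applies inc n times and returns 1 if
 * the IV part is unchanged afterwards. */
int iv_survives(void (*inc)(unsigned char *), uint32_t low, unsigned n)
{
    unsigned char ctr[16];
    memcpy(ctr, example_iv, 12);
    ctr[12] = (unsigned char) (low >> 24);
    ctr[13] = (unsigned char) (low >> 16);
    ctr[14] = (unsigned char) (low >> 8);
    ctr[15] = (unsigned char) low;
    for (unsigned i = 0; i < n; i++)
        inc(ctr);
    return memcmp(ctr, example_iv, 12) == 0;
}

/* Same setup, but returns the low 32-bit word after n increments. */
uint32_t low_word_after(void (*inc)(unsigned char *), uint32_t low, unsigned n)
{
    unsigned char ctr[16];
    memcpy(ctr, example_iv, 12);
    ctr[12] = (unsigned char) (low >> 24);
    ctr[13] = (unsigned char) (low >> 16);
    ctr[14] = (unsigned char) (low >> 8);
    ctr[15] = (unsigned char) low;
    for (unsigned i = 0; i < n; i++)
        inc(ctr);
    return ((uint32_t) ctr[12] << 24) | ((uint32_t) ctr[13] << 16) |
           ((uint32_t) ctr[14] << 8)  |  (uint32_t) ctr[15];
}
```

With a 96-bit IV the low word starts at 1, so the two increments only diverge after about 2^32 blocks (64 GiB of data), which is why such a bug can survive ordinary testing; with any other IV length J0 is a GHASH output and the low word is effectively random, so the divergence can occur within the first few blocks of a message.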
5784 = Version 1.2.5 released 2013-02-02
5786 * Allow enabling of dummy error_strerror() to support some use-cases
5789 * Sending of security-relevant alert messages that do not break
5790 interoperability can be switched on/off with the flag
5797 = Version 1.2.4 released 2013-01-25
5809 = Version 1.2.3 released 2012-11-26
5813 = Version 1.2.2 released 2012-11-24
5817 * During verify trust-CA is only checked for expiration and CRL presence
5821 * Fixed dependency on POLARSSL_SHA4_C in SSL modules
5823 = Version 1.2.1 released 2012-11-20
5826 bottom-up (Peer cert depth is 0)
5832 Pégourié-Gonnard)
5834 Pégourié-Gonnard)
5837 = Version 1.2.0 released 2012-10-31
5843 * Added support for multi-domain certificates through the X509 Subject
5870 * Fixed const-correctness mpi_get_bit()
5886 * Fixed handling error in mpi_cmp_mpi() on longer B values (found by
5889 * Fixed single RSA test that failed on Big Endian systems (Closes ticket #54)
5895 * Prevent reading over buffer boundaries on X509 certificate parsing
5902 * Fixed potential memory zeroization on miscrafted RSA key (found by Eloi
5905 = Version 1.1.8 released on 2013-10-01
5911 * Potential buffer-overflow for ssl_read_record() (independently found by
5914 * Potential heap buffer overflow on large hostname setting
5916 = Version 1.1.7 released on 2013-06-19
5925 * Fixed values for 2-key Triple DES in cipher layer
5930 PEM-encoded certificates has been fixed (found by Jack Lloyd)
5932 = Version 1.1.6 released on 2013-03-11
5934 * Fixed net_bind() for specified IP addresses on little endian systems
5937 * Allow enabling of dummy error_strerror() to support some use-cases
5948 = Version 1.1.5 released on 2013-01-16
5955 * Prevent reading over buffer boundaries on X509 certificate parsing
5959 Pégourié-Gonnard)
5961 Pégourié-Gonnard)
5969 * Fixed potential memory zeroization on miscrafted RSA key (found by Eloi
5972 = Version 1.1.4 released on 2012-05-31
5976 * Fixed single RSA test that failed on Big Endian systems (Closes ticket #54)
5978 = Version 1.1.3 released on 2012-04-29
5982 = Version 1.1.2 released on 2012-04-26
5984 * Fixed handling error in mpi_cmp_mpi() on longer B values (found by
5988 * Fixed potential memory corruption on miscrafted client messages (found by
5989 Frama-C team at CEA LIST)
5993 = Version 1.1.1 released on 2012-01-23
5997 * Fixed issues with Intel compiler on 64-bit systems (Closes ticket #50)
6001 = Version 1.1.0 released on 2011-12-22
6003 * Added ssl_session_reset() to allow better multi-connection pools of
6004 SSL contexts without needing to set all non-connection-specific
6011 * Added CTR_DRBG based on AES-256-CTR (NIST SP 800-90) random generator
6020 * Increased maximum size of ASN1 length reads to 32-bits.
6025 * Changed the defined key-length of DES ciphers in cipher.h to include the
6030 trade-off
6038 x509parse_crtfile(). With permissive parsing the parsing does not stop on
6039 encountering a parse-error. Beware that the meaning of return values has
6041 * All error codes are now negative. Even on memory failures and IO errors.
6044 * Fixed faulty HMAC-MD2 implementation. Found by dibac. (Closes
6050 * Fixed incorrect behaviour in case of RSASSA-PSS with a salt length
6059 = Version 1.0.0 released on 2011-07-27
6072 = Version 0.99-pre5 released on 2011-05-26
6096 net_recv() now returns 0 on EOF instead of
6098 POLARSSL_ERR_SSL_CONN_EOF on an EOF from its f_recv() function.
6105 = Version 0.99-pre4 released on 2011-04-01
6108 for the RSAES-OAEP and RSASSA-PSS operations.
6123 platform (32-bit / 64-bit) (Fixes ticket #19, found by Mads
6127 * Fixed proper handling of RSASSA-PSS verification with variable
6130 = Version 0.99-pre3 released on 2011-02-28
6131 This release replaces version 0.99-pre2 which had possible copyright issues.
6156 * Fixed a possible Man-in-the-Middle attack on the
6160 = Version 0.99-pre1 released on 2011-01-30
6162 Note: Most of these features have been donated by Fox-IT
6175 + Added verification callback on certificate chain
6179 libpkcs11-helper library
6190 = Version 0.14.0 released on 2010-08-16
6194 * Added compile-time and run-time version information
6200 * Removed dependency on rand() in rsa_pkcs1_encrypt().
6211 * Fixed deadlock in rsa_pkcs1_encrypt() on failing random
6214 = Version 0.13.1 released on 2010-03-24
6219 = Version 0.13.0 released on 2010-03-21
6235 * Added reset function for HMAC context as speed-up
6236 for specific use-cases
6242 * Added small fixes for compiler warnings on a Mac
6247 = Version 0.12.1 released on 2009-10-04
6258 = Version 0.12.0 released on 2009-07-28
6262 Base64, MPI, SHA-family, MD-family, HMAC-SHA-family,
6263 Camellia, DES, 3-DES, RSA PKCS#1, XTEA, Diffie-Hellman
6275 * Fixed include location of endian.h on FreeBSD (found by
6277 * Fixed include location of endian.h and name clash on
6279 * Fixed HMAC-MD2 by modifying md2_starts(), so that the
6287 * Fixed segfault on handling empty rsa_context in
6300 * Fixed Camellia and XTEA for 64-bit Windows systems.
6302 = Version 0.11.1 released on 2009-05-17
6303 * Fixed missing functionality for SHA-224, SHA-256, SHA-384,
6304 SHA-512 in rsa_pkcs1_sign()
6306 = Version 0.11.0 released on 2009-05-03
6310 * Added support for SHA-224, SHA-256, SHA-384 and SHA-512
6320 * Made definition of net_htons() endian-clean for big endian
6324 * Fixed an off-by-one buffer allocation in ssl_set_hostname()
6329 * Fixed compatibility of XTEA and Camellia on a 64-bit system
6332 = Version 0.10.0 released on 2009-01-12
6344 = Version 0.9 released on 2008-03-16
6350 be sent twice in non-blocking mode when send returns EAGAIN
6353 * Added user-defined callback debug function (Krystian Kolodziej)
6356 not swapped on PadLock; also fixed compilation on older versions
6359 output data is non-aligned by falling back to the software
6360 implementation, as VIA Nehemiah cannot handle non-aligned buffers
6362 Robson-Garth; some x509write.c fixes by Pascal Vizeli, thanks to
6366 * Added support on the client side for the TLS "hostname" extension
6371 * Updated rsa_check_privkey() to verify that D*E mod ((P-1)*(Q-1)) = 1
6376 * Fixed a critical denial-of-service with X.509 cert. verification:
6379 * Added test vectors for: AES-CBC, AES-CFB, DES-CBC and 3DES-CBC,
6380 HMAC-MD5, HMAC-SHA1, HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512
6381 * Fixed HMAC-SHA-384 and HMAC-SHA-512 (thanks to Josh Sinykin)
6383 Daniel Bleichenbacher attack on PKCS#1 v1.5 padding, as well
6384 as the Klima-Pokorny-Rosa extension of Bleichenbacher's attack
6385 * Updated rsa_gen_key() so that ctx->N is always nbits in size
6386 * Fixed assembly PPC compilation errors on Mac OS X, thanks to
6389 = Version 0.8 released on 2007-10-20
6397 * Added user-defined callbacks for handling I/O and sessions
6401 * Added AES-CFB mode of operation, contributed by chmike
6405 * Updated ssl_read() to skip 0-length records from OpenSSL
6407 * Fixed a bug in mpi_read_binary() on 64-bit platforms
6414 = Version 0.7 released on 2007-07-07
6416 * Added support for the MicroBlaze soft-core processor
6418 connections from being established with non-blocking I/O
6422 * Added the SHA-224, SHA-384 and SHA-512 hash functions
6430 = Version 0.6 released on 2007-04-01
6433 time, to reduce the memory footprint on embedded systems
6436 * Added multiply assembly code for 64-bit PowerPCs,
6440 * Fixed "long long" compilation issues on IA-64 and PPC64
6441 * Fixed a bug introduced in xyssl-0.5/timing.c: hardclock
6442 was not being correctly defined on ARM and MIPS
6444 = Version 0.5 released on 2007-03-01
6447 * Added (beta) support for non-blocking I/O operations
6449 * Fixed some portability issues on WinCE, MINIX 3, Plan9
6450 (thanks to Benjamin Newman), HP-UX, FreeBSD and Solaris
6455 = Version 0.4 released on 2007-02-01
6457 * Added support for Ephemeral Diffie-Hellman key exchange
6468 = Version 0.3 released on 2007-01-01
6470 * Added server-side SSLv3 and TLSv1.0 support
6474 the bignum code is no longer dependent on long long
6479 = Version 0.2 released on 2006-12-01
6482 * Updated the MPI code to support 8086 on MSVC 1.5
6490 the Miller-Rabin primality test
6494 who maintains the Debian package :-)
6496 = Version 0.1 released on 2006-11-01