Lines Matching +full:runs +full:- +full:on
3 = Mbed TLS 3.6.5 branch released 2025-10-15
13 mbedtls_cipher_finish(), but makes it easier to process invalid-padding
17 * Fix a timing side channel in CBC-PKCS7 decryption that could
19 some plaintexts through a timing-based padding oracle attack.
20 Credits to Beat Heeb from Oberon microsystems AG. CVE-2025-59438
21 * Fix a local timing side-channel in modular inversion and GCD that was
24 private key. This can be exploited on some Arm-v9 CPUs by an unprivileged
25 attacker running code on the same core (SSBleed), or when Trustzone-M is
26 used, by the non-secure side abusing timer interrupts (M-Step), and
29 Carlson (National University of Singapore); M-Step: Cristiano Rodrigues
31 (University of Minho), Jo Van Bulck (DistriNet, KU Leuven). CVE-2025-54764
37 lifetime on platforms where mbedtls_time_t
41 * The function mbedtls_mpi_gcd() now always gives a non-negative output.
43 documented, and inconsistent as all other inputs resulted in a non-negative
46 = Mbed TLS 3.6.4 branch released 2025-06-30
51 session, according to the TLS-Exporter specification in RFC 8446 and 5705.
58 CVE-2025-49601
62 CVE-2025-49600
63 * On x86/amd64 platforms, with some compilers, when the library is
73 CVE-2025-52496
74 * Fix possible use-after-free or double-free in code calling
76 mbedtls_asn1_free_named_data_list() on its head argument, while the
78 on the documented behaviour to still hold pointers to memory blocks after
79 they were free()d, resulting in high risk of use-after-free or double-free,
82 were affected (use-after-free if the san string contains more than one DN).
85 CVE-2025-47917
97 CVE-2025-48965
102 CVE-2025-52497
108 CVE-2025-49087
113 "union foo x = {0}" does not initialize non-default members of the
115 multipart operations, MAC-based key derivation operations, interruptible
117 when using third-party drivers. This also affected one-shot MAC
118 operations using the built-in implementation. Fixes #9814.
119 * On entry to PSA driver entry points that set up a multipart operation
120 ("xxx_setup"), the operation object is supposed to be all-bits-zero.
123 non-default members of the union. The PSA core now ensures that this
127 * Silence spurious -Wunterminated-string-initialization warnings introduced
130 keys with a different LMS or LM-OTS types on some platforms. Specifically,
131 this could happen on platforms where enum types are smaller than 32 bits
134 * Fix a race condition on x86/amd64 platforms in AESNI support detection
138 * Fix mbedtls_base64_decode() on inputs that did not have the correct
141 rejected. Furthermore, before, on inputs with too few equal signs, the
152 to point to NULL on entry. This makes it likely that existing risky uses of
156 = Mbed TLS 3.6.3 branch released 2025-03-24
162 if certificate-based authentication of the server is attempted.
166 enable the new compile-time option
171 uses static storage for keys, enabling malloc-less use of key slots.
180 * implements `psa_can_do_hash()` on the client interface
186 if they use certificate authentication (i.e. not pre-shared keys).
192 CVE-2025-27809
200 CVE-2025-27810
213 * Fix compilation on MS-DOS DJGPP. Fixes #9813.
214 * Fix missing constraints on the AES-NI inline assembly which is used on
215 GCC-like compilers when building AES for generic x86_64 targets. This
216 may have resulted in incorrect code with some compilers, depending on
218 * Support re-assembly of fragmented handshake messages in TLS (both
225 occurred whenever SSL debugging was enabled on a copy of Mbed TLS built
230 implementations if placed on the include path, e.g. when building Mbed TLS
239 = Mbed TLS 3.6.2 branch released 2024-10-14
243 called on an opaque key, MBEDTLS_USE_PSA_CRYPTO is enabled,
246 when called on an opaque RSA key, MBEDTLS_USE_PSA_CRYPTO is enabled
247 and MBEDTLS_MPI_MAX_SIZE is smaller than needed for a 4096-bit RSA key.
248 CVE-2024-49195
250 = Mbed TLS 3.6.1 branch released 2024-08-30
260 * In a PSA-client-only build (i.e. MBEDTLS_PSA_CRYPTO_CLIENT &&
277 They have almost exactly the same interface, but the variable-length
282 - DES (including 3DES).
283 - PKCS#1v1.5 encryption/decryption (RSAES-PKCS1-v1_5).
285 - Finite-field Diffie-Hellman with custom groups.
287 - Elliptic curves of size 225 bits or less.
290 - TLS_RSA_* (including TLS_RSA_PSK_*), i.e. cipher suites using
293 - TLS_ECDH_*, i.e. cipher suites using static ECDH.
295 - TLS_DHE_*, i.e. cipher suites using finite-field Diffie-Hellman.
297 - TLS_*CBC*, i.e. all cipher suites using CBC.
298 * The following low-level application interfaces are planned to be removed
300 - Hashes: hkdf.h, md5.h, ripemd160.h, sha1.h, sha3.h, sha256.h, sha512.h;
301 - Random generation: ctr_drbg.h, hmac_drbg.h, entropy.h;
302 - Ciphers and modes: aes.h, aria.h, camellia.h, chacha20.h, chachapoly.h,
304 - Private key encryption mechanisms: pkcs5.h, pkcs12.h.
305 - Asymmetric cryptography: bignum.h, dhm.h, ecdh.h, ecdsa.h, ecjpake.h,
310 For guidance on migrating application code to the PSA API, please consult
311 the PSA transition guide (docs/psa-transition.md).
314 - MBEDTLS_xxx_ALT replacement of cryptographic modules and functions.
316 - MBEDTLS_PK_RSA_ALT and MBEDTLS_PSA_CRYPTO_SE_C.
329 CVE-2024-45157
335 CVE-2024-45158
337 client, if the client-provided certificate does not have appropriate values
346 CVE-2024-45159
351 * Fix compilation error when memcpy() is a function-like macro. Fixes #8994.
356 * Fix rare concurrent access bug where attempting to operate on a
357 non-existent key while concurrently creating a new key could potentially
368 * Fix the build when MBEDTLS_PSA_CRYPTO_CONFIG is enabled and the built-in
369 CMAC is enabled, but no built-in unauthenticated cipher is enabled.
375 * Fix interference between PSA volatile keys and built-in keys
383 MBEDTLS_SSL_CLI_C is disabled. Reported by M-Bab on GitHub in #9186.
385 some code was defining 0-size arrays, resulting in compilation errors.
409 * Fixed a regression introduced in 3.6.0 where clients that relied on
417 * Fixed a regression introduced in 3.6.0 where context-specific certificate
420 upgraded to TLS 1.3. Fixed by adding support for context-specific verify
433 = Mbed TLS 3.6.0 branch released 2024-03-28
472 * Support Armv8-A Crypto Extension acceleration for SHA-256
473 when compiling for Thumb (T32) or 32-bit Arm (A32).
474 * AES-NI is now supported in Windows builds with clang and clang-cl.
480 This affects both the low-level modules and the high-level APIs
483 * Support use of Armv8-A Cryptographic Extensions for hardware accelerated
484 AES when compiling for Thumb (T32) or 32-bit Arm (A32).
486 library without the corresponding built-in implementation. Generally
488 or they'll both be built in. However, for CCM and GCM the built-in
491 docs/driver-only-builds.md for full details and current limitations.
495 * Fewer modules depend on MBEDTLS_CIPHER_C, making it possible to save code
497 GCM modules no longer depend on MBEDTLS_CIPHER_C. Also,
499 unauthenticated (non-AEAD) ciphers are disabled, or if they're all
500 fully provided by drivers. See docs/driver-only-builds.md for full
502 decryption still unconditionally depend on MBEDTLS_CIPHER_C.
507 * Improve performance of AES-GCM, AES-CTR and CTR-DRBG when
508 hardware accelerated AES is not present (around 13-23% on 64-bit Arm).
522 * Add support for using AES-CBC 128, 192, and 256 bit schemes
526 * Add pc files for pkg-config, e.g.:
527 pkg-config --cflags --libs (mbedtls|mbedcrypto|mbedx509)
535 * Add support for 8-bit GCM tables for Shoup's algorithm to speedup GCM
537 performance by around 30% on 64-bit Intel; 125% on Armv7-M.
557 * Add new accessors to expose the private session-id,
558 session-id length, and ciphersuite-id members of
560 Add new accessor to expose the ciphersuite-id of
563 docs/tls13-early-data.md). The support enablement is controlled at build
570 docs/architecture/psa-thread-safety/psa-thread-safety.md for more details.
577 Fixes CVE-2024-30166.
587 Note that setting this option will cause input-output buffer overlap to
589 Fixes CVE-2024-28960.
595 Fixes CVE-2024-28755.
596 * When negotiating TLS version on server side, do not fall back to the
598 - If the TLS 1.2 implementation was disabled at build time, a TLS 1.2
599 client could put the TLS 1.3-only server in an infinite loop processing
602 - If the TLS 1.2 implementation was disabled at runtime, a TLS 1.2 client
604 Reported by alluettiv on GitHub.
605 Fixes CVE-2024-28836.
608 * Fix the build with CMake when Everest or P256-m is enabled through
619 * Fix build failure in conda-forge. Fixes #8422.
632 * On Linux on ARMv8, fix a build error with SHA-256 and SHA-512
636 TLS12_PSK_TO_MS, PBKDF2-HMAC, PBKDF2-CMAC
641 * mbedtls_pem_read_buffer() now performs a check on the padding data of
644 mbedtls_pk_encrypt() on non-opaque RSA keys to honor the padding mode in
683 * RSA support in PSA no longer auto-enables the pkparse and pkwrite modules,
694 = Mbed TLS 3.5.2 branch released 2024-01-26
699 attacker or a remote attacker who is close to the victim on the network
705 could result in an integer overflow, causing a zero-length buffer to be
709 = Mbed TLS 3.5.1 branch released 2023-11-06
712 * Mbed TLS is now released under a dual Apache-2.0 OR GPL-2.0-or-later
719 = Mbed TLS 3.5.0 branch released 2023-10-05
722 * Mbed TLS 3.4 introduced support for omitting the built-in implementation
723 of ECDSA and/or EC J-PAKE when those are provided by a driver. However,
724 there was a flaw in the logic checking if the built-in implementation, in
727 accelerated and still have the built-in implementation compiled out.
730 considered not accelerated, and the built-in implementation of the curves
765 provided - these limitations are lifted in this version. A new set of
768 they're provided by a built-in implementation, a driver or both. See
769 docs/driver-only-builds.md.
772 key exchanges based on ECDH(E) to work, this requires
774 TLS 1.2 (ECDHE-ECDSA key exchange) are not supported in those builds yet,
776 * When all of ECDH, ECDSA and EC J-PAKE are either disabled or provided by
779 algorithms in PSA, with some limitations. See docs/driver-only-builds.txt
783 * Add support for server-side TLS version negotiation. If both TLS 1.2 and
785 TLS 1.3 depending on the capabilities and preferences of TLS clients.
795 parameters from RFC 7919. This includes a built-in implementation based
796 on MBEDTLS_BIGNUM_C, and a driver dispatch layer enabling alternative
807 string to a DER-encoded mbedtls_asn1_buf.
808 * Add SHA-3 family hash functions.
809 * Add support to restrict AES to 128-bit keys in order to save code size.
814 Aarch64, gcc -Os and CCM, GCM and XTS benefit the most.
815 On Aarch64, uplift is typically around 20 - 110%.
816 When compiling with gcc -Os on Aarch64, AES-XTS improves
818 * Add support for PBKDF2-HMAC through the PSA API.
824 - DERIVE is only available for ECC keys, not for RSA or DH ones.
825 - implementations are free to enable more than what it was strictly
830 and the ephemeral or psk-ephemeral key exchange mode are enabled.
843 * Support for "opaque" (PSA-held) ECC keys in the PK module has been
852 * Add support for PBKDF2-CMAC through the PSA API.
854 using CPU-accelerated AES (e.g., Arm Crypto Extensions), this option
855 disables the plain C implementation and the run-time detection for the
882 (notably recent versions of Clang and IAR) could produce non-constant
885 * Updates to constant-time C code so that compilers are less likely to use
888 implementations for 32- and 64-bit Arm and for x86 and x86-64, which are
896 null-cipher cipher suites. Credit to OSS-Fuzz.
898 In TLS 1.3, all configurations are affected except PSK-only ones, and
903 Credit to OSS-Fuzz.
908 than all built-in ones and RSA is disabled.
922 * Fix the J-PAKE driver interface for user and peer to accept any values
925 M-class CPUs (Cortex-M0, Cortex-M0+, Cortex-M1, Cortex-M23,
943 example TF-M configuration in configs/ from building cleanly:
947 proposes a handshake based on PSK-only key exchange mode or at least
953 * Fix a compilation error on some platforms when including mbedtls/ssl.h
958 * Fix a potential corruption of the passed-in IV when mbedtls_aes_crypt_cbc()
968 mbedtls_x509_san_other_name struct. The type-id of the otherName was not
975 enabled, where some low-level modules required by requested PSA crypto
981 error code on failure. Before, they returned 1 to indicate failure in
984 * Fix the build with CMake when Everest or P256-m is enabled through
989 compiling with gcc, clang or armclang and -O0.
1007 = Mbed TLS 3.4.1 branch released 2023-08-04
1010 * Fix builds on Windows with clang
1013 * Update test data to avoid failures of unit tests after 2023-08-07.
1015 = Mbed TLS 3.4.0 branch released 2023-03-28
1026 direct dependency of X509 on BIGNUM_C.
1030 optionally providing file-specific error pairs. Please see psa_util.h for
1037 - Only the signed-data content type, version 1 is supported.
1038 - Only DER encoding is supported.
1039 - Only a single digest algorithm per message is supported.
1040 - Certificates must be in X.509 format. A message must have either 0
1042 - There is no support for certificate revocation lists.
1043 - The authenticated and unauthenticated attribute fields of SignerInfo
1046 contributing this feature, and to Demi-Marie Obenour for contributing
1050 * Improvements to use of unaligned and byte-swapped memory, reducing code
1051 size and improving performance (depending on compiler and target
1061 * Add parsing of V3 extensions (key usage, Netscape cert-type,
1064 configuration-independent files. This allows them to be generated when
1081 * Add a driver dispatch layer for EC J-PAKE, enabling alternative
1082 implementations of EC J-PAKE through the driver entry points.
1086 * Add support for AES with the Armv8-A Cryptographic Extension on
1087 64-bit Arm. A new configuration option, MBEDTLS_AESCE_C, can
1088 be used to enable this feature. Run-time detection is supported
1090 * When a PSA driver for EC J-PAKE is present, it is now possible to disable
1095 to read non-public fields for padding mode and hash id from
1097 * AES-NI is now supported with Visual Studio.
1098 * AES-NI is now supported in 32-bit builds, or when MBEDTLS_HAVE_ASM
1101 gcc -m32 -msse2 -maes -mpclmul). (Generic x86 builds with GCC-like
1102 compilers still require MBEDTLS_HAVE_ASM and a 64-bit target.)
1103 * It is now possible to use a PSA-held (opaque) password with the TLS 1.2
1108 * Use platform-provided secure zeroization function where possible, such as
1111 * Fix a potential heap buffer overread in TLS 1.3 client-side when
1113 * Add support for AES with the Armv8-A Cryptographic Extension on 64-bit
1114 Arm, so that these systems are no longer vulnerable to timing side-channel
1115 attacks. This is configured by MBEDTLS_AESCE_C, which is on by default.
1117 * MBEDTLS_AESNI_C, which is enabled by default, was silently ignored on
1118 builds that couldn't compile the GCC-style assembly implementation
1120 timing side-channel attacks. There is now an intrinsics-based AES-NI
1131 calculation on the client side. It prevents a server with more accurate
1141 used on a shared secret from a key agreement since its input must be
1145 forbidden by the standard (RFC5280 - section 4.1.2.2) and now it's being
1155 certificate parsing, but only on subsequent calls to
1163 * Reject OIDs with overlong-encoded subidentifiers when converting
1168 have the most-significant bit set in their last byte.
1169 * Silence warnings from clang -Wdocumentation about empty \retval
1173 * Fix an unused-variable warning in TLS 1.3-only builds if
1177 * Allow setting user and peer identifiers for EC J-PAKE operation
1184 * Fix TLS 1.3 session resumption when the established pre-shared key is
1185 384 bits long. That is the length of pre-shared keys created under a
1190 modules, which would then fail if run on a CPU without the SHA3
1196 * Mixed-endian systems are explicitly not supported any more.
1205 - now it accepts the serial number in 2 different formats: decimal and
1207 - "serial" is used for the decimal format and it's limited in size to
1209 - "serial_hex" is used for the hex format; max length here is
1214 https://mbed-tls.readthedocs.io/en/latest/kb/how-to/rewrite-branch-for-coding-style/
1220 to best results when tested on Cortex-M4 and Intel i7.
1223 compiler target flags on the command line; the library now sets target
1226 = Mbed TLS 3.3.0 branch released 2022-12-14
1232 RFC 9146, which is not interoperable with the draft-05 version.
1236 standard (non-draft) version.
1238 same build of Mbed TLS, please let us know about your situation on the
1260 * Expose the EC J-PAKE functionality through the Draft PSA PAKE Crypto API.
1261 Only the ECC primitive with secp256r1 curve and SHA-256 hash algorithm
1264 built-in implementation present, but only in some configurations.
1265 - RSA OAEP and PSS (PKCS#1 v2.1), PKCS5, PKCS12 and EC J-PAKE now use
1267 - PEM parsing of encrypted files now uses MD-5 from PSA when (and only
1273 all hashes only provided by drivers (no built-in hash) is to use
1276 properly negotiate/accept hashes based on their availability in PSA.
1277 As a consequence, they now work in configurations where the built-in
1279 provided by PSA drivers. (See previous entry for limitation on RSA-PSS
1283 * Add the LMS post-quantum-safe stateful-hash asymmetric signature scheme.
1284 Signature verification is production-ready, but generation is for testing
1290 * Add the LM-OTS post-quantum-safe one-time signature scheme, which is
1293 * Mbed TLS now supports TLS 1.3 key establishment via pre-shared keys.
1294 The pre-shared keys can be provisioned externally or via the ticket
1312 * The TLS 1.2 EC J-PAKE key exchange can now use the PSA Crypto API.
1323 * Add an ad-hoc key derivation function handling EC J-PAKE to PMS
1325 as described in draft-cragie-tls-ecjpake-01. This can be achieved by
1335 victim performing a single private-key operation if the window size used
1337 Wenjian HE, Sharad Sinha, and Wei ZHANG. See "Cache Side-channel Attacks
1338 and Defenses of the Sliding Window Algorithm in TEEs" - Design, Automation
1342 * Refactor mbedtls_aes_context to support shallow-copying. Fixes #2147.
1343 * Fix an issue with in-tree CMake builds in releases with GEN_FILES
1346 * Fix a long-standing build failure when building x86 PIC code with old
1349 * Fix support for little-endian Microblaze when MBEDTLS_HAVE_ASM is defined.
1367 * Fix mbedtls_ctr_drbg_free() on an initialized but unseeded context. When
1368 MBEDTLS_AES_ALT is enabled, it could call mbedtls_aes_free() on an
1370 * Fix a build issue on Windows using CMake where the source and build
1371 directories could not be on different drives. Fixes #5751.
1377 PSA drivers for AEAD (GCM, CCM, Chacha20-Poly1305).
1380 Change mbedtls_x509_get_name() to clean up allocated objects on error.
1394 * Fix a bug in which mbedtls_x509_crt_info() would produce non-printable
1401 * In the bignum module, operations of the form (-A) - (+A) or (-A) - (-A)
1404 consequence on cryptography code, but might affect applications that call
1415 to OSS-Fuzz. Fixes #6597.
1418 * Move some SSL-specific code out of libmbedcrypto where it had been placed
1425 * Calling AEAD tag-specific functions for non-AEAD algorithms (which
1426 should not be done - they are documented for use only by AES-GCM and
1430 = Mbed TLS 3.2.1 branch released 2022-07-12
1433 * Re-add missing generated file library/psa_crypto_driver_wrappers.c
1435 = Mbed TLS 3.2.0 branch released 2022-07-11
1443 * The library will no longer compile out of the box on a platform without
1491 * Add mbedtls_pk_sign_ext() which allows generating RSA-PSS signatures when
1507 mixed-PSK. Add an optional input PSA_KEY_DERIVATION_INPUT_OTHER_SECRET
1516 * Add HKDF-Expand and HKDF-Extract as separate algorithms in the PSA API.
1517 * Add support for the ARMv8 SHA-2 acceleration instructions when building
1523 * Add support for client-side TLS version negotiation. If both TLS 1.2 and
1529 establishment only). See docs/architecture/tls13-support.md for a
1537 docs/use-psa-crypto.md for the list of exceptions.
1541 * Opaque pre-shared keys for TLS, provisioned with
1544 for the "mixed" PSK key exchanges as well: ECDHE-PSK, DHE-PSK, RSA-PSK.
1545 * cmake now detects if it is being built as a sub-project, and in that case
1554 * Zeroize dynamically-allocated buffers used by the PSA Crypto key storage
1560 disabled on stdio files, to stop secrets loaded from said files being
1563 * Fix a potential heap buffer overread in TLS 1.2 server-side when
1570 or a man-in-the-middle could cause a DTLS server to read up to 255 bytes
1572 when MBEDTLS_SSL_IN_CONTENT_LEN is less than a threshold that depends on
1600 enabled and an ECDHE-ECDSA or ECDHE-RSA key exchange was used, the
1607 * Fix unit tests that used 0 as the file UID. This failed on some
1614 * Fix a race condition in out-of-source builds with CMake when generated data
1617 on Windows.
1620 the function needs to be re-called after initially returning
1633 * Fix compilation error when using C++ Builder on Windows. Reported by
1655 Finished message on the network cannot be satisfied. Fixes #5499.
1659 on DTLS 1.2 session resumption. After DTLS 1.2 session resumption with
1662 * Fix a null pointer dereference when performing some operations on zero
1666 non-compliant. This could not lead to a buffer overflow. In particular,
1676 make to break on a clean checkout. Fixes #5340.
1686 see docs/proposed/psa-driver-wrappers-codegen-migration-guide.md
1687 * Return PSA_ERROR_INVALID_ARGUMENT if the algorithm passed to one-shot
1691 temporary variable on the heap. Suggested by Sergey Kanatov in #5304.
1692 * Assume source files are in UTF-8 when using MSVC with CMake.
1705 = mbed TLS 3.1.0 branch released 2021-12-17
1716 X.509 parsing, and finally the field fd of mbedtls_net_context on
1717 POSIX/Unix-like platforms.
1720 * Sign-magnitude and one's complement representations for signed integers are
1728 * Remove the partial support for running unit tests via Greentea on Mbed OS,
1739 supported on GCC-like compilers and on MSVC and can be configured through
1748 * Add support for CCM*-no-tag cipher to the PSA.
1749 Currently only 13-byte long IV's are supported.
1750 For decryption a minimum of 16-byte long input is expected.
1758 protocol. See docs/architecture/tls13-support.md for the definition of
1770 man-in-the-middle to inject fake ciphertext into a DTLS connection.
1779 * Fix a double-free that happened after mbedtls_ssl_set_session() or
1787 * The GNU makefiles invoke python3 in preference to python except on Windows.
1788 The check was accidentally not performed when cross-compiling for Windows
1789 on Linux. Fix this. Fixes #4774.
1796 * Fix missing constraints on x86_64 and aarch64 assembly code
1800 * Fix mbedtls_cipher_crypt: AES-ECB when MBEDTLS_USE_PSA_CRYPTO is enabled.
1801 * Failures of alternative implementations of AES or DES single-block
1805 where this function cannot fail, or full-module replacements with
1810 * Fix compile-time or run-time errors in PSA
1814 psa_aead_finish() and psa_aead_verify() does not apply to the built-in
1817 the built-in implementation of the GCM.
1819 input buffer size is valid only for the built-in implementation of GCM.
1833 * Fix issue in Makefile on Linux with SHARED=1, that caused shared libraries
1853 oversight during the run-up to the release of Mbed TLS 3.0.
1855 * Implement multi-part CCM API.
1856 The multi-part functions: mbedtls_ccm_starts(), mbedtls_ccm_set_lengths(),
1862 * Remove MBEDTLS_SSL_EXPORT_KEYS, making it always on and increasing the
1863 code size by about 80B on an M0 build. This option only gated an ability
1866 * Improve the performance of base64 constant-flow code. The result is still
1867 slower than the original non-constant-flow implementation, but much faster
1868 than the previous constant-flow implementation. Fixes #4814.
1869 * Ignore plaintext/ciphertext lengths for CCM*-no-tag operations.
1873 ChaCha20-Poly1305 is invalid, and not just unsupported.
1880 * The generated configuration-independent files are now automatically
1881 generated by the CMake build system on Unix-like systems. This is not
1882 yet supported when cross-compiling.
1884 = Mbed TLS 3.0.0 branch released 2021-07-07
1893 https://mbed-tls.readthedocs.io/en/latest/kb/how-to/add-entropy-sources-to-entropy-pool/ for
1897 header compat-1.3.h and the script rename.pl.
1916 * Drop support for TLS record-level compression (MBEDTLS_ZLIB_SUPPORT).
1918 * Drop support for single-DES ciphersuites.
1921 API version 1.0 spec. This version of the spec parameterizes them on the
1922 key type used, as well as the key bit-size in the case of
1937 when outputting a SHA-384 or SHA-224 hash into a buffer of exactly
1940 * The interface of the GCM module has changed to remove restrictions on
1958 session-ID based session resumption) has changed to that of
1959 a key-value store with keys being session IDs and values
1973 * For multi-part AEAD operations with the cipher module, calling
1975 was unclear on this point, and this function happened to never do
1978 * The option MBEDTLS_ECP_FIXED_POINT_OPTIM use pre-computed comb tables
2020 context are now connection-specific.
2029 * Implement one-shot cipher functions, psa_cipher_encrypt and
2042 They are: ARIA block cipher, CMAC mode, elliptic curve J-PAKE library and
2043 Key Wrapping mode as defined in NIST SP 800-38F. Fixes #4036.
2055 release, some configuration-independent files are now generated at build
2066 compile-time option, which was off by default. Users should not trust
2067 certificates signed with SHA-1 due to the known attacks against SHA-1.
2068 If needed, SHA-1 certificates can still be verified by using a custom
2075 More details on PCKS#11 wrapper removal can be found in the mailing list
2076 https://lists.trustedfirmware.org/pipermail/mbed-tls/2020-April/000024.html
2080 compile-time option. This option has been inactive for a long time.
2083 * Remove the following deprecated functions and constants of hex-encoded
2084 primes based on RFC 5114 and RFC 3526 from library code and tests:
2109 * The RSA module no longer supports private-key operations with the public
2138 now determined automatically based on supported curves.
2149 using a CCM-8 ciphersuite than a CBC ciphersuite with truncated HMAC.
2151 * Remove the compile-time option
2159 * Added support for built-in driver keys through the PSA opaque crypto
2163 * The multi-part GCM interface (mbedtls_gcm_update() or
2166 * The multi-part GCM interface now supports chunked associated data through
2171 modules had undocumented constraints on their context types. These
2173 See docs/architecture/alternative-implementations.md for the remaining
2176 query the size of the modulus in a Diffie-Hellman context.
2178 Diffie-Hellman context.
2186 * Fix a bias in the generation of finite-field Diffie-Hellman-Merkle (DHM)
2198 victim performing a single private-key operation. Found and reported by
2201 information (typically, a co-located process) could recover a Curve25519
2203 observing the victim performing the corresponding private-key operation.
2221 * Fix a bug in ECDSA that would cause it to fail when the hash is all-bits
2226 mbedtls_mpi_read_string() was called on "-0", or when
2232 * In a TLS client, enforce the Diffie-Hellman minimum parameter size
2243 * The cipher suite TLS-RSA-WITH-CAMELLIA-256-GCM-SHA384 was not available
2244 when SHA-1 was disabled and was offered when SHA-1 was enabled but SHA-384
2246 * Do not offer SHA384 cipher suites when SHA-384 is disabled. Fixes #4499.
2247 * Fix test suite code on platforms where int32_t is not int, such as
2248 Arm Cortex-M. Fixes #4530.
2250 directive in a header and a missing initialization in the self-test.
2251 * Fix a missing initialization in the Camellia self-test, affecting
2258 (when the encrypt-then-MAC extension is not in use) with some ALT
2259 implementations of the underlying hash (SHA-1, SHA-256, SHA-384), causing
2261 * Remove outdated check-config.h check that prevented implementing the
2262 timing module on Mbed OS. Fixes #4633.
2266 MBEDTLS_ERR_NET_POLL_FAILED on Windows. Fixes #4465.
2269 * Fix a crash in mbedtls_mpi_debug_mpi on a bignum having 0 limbs. This
2273 * psa_verify_hash() was relying on implementation-specific behavior of
2284 Credit to OSS-Fuzz. Fixes #4641.
2286 effect on Mbed TLS's internal use of mbedtls_mpi_gcd(), but may affect
2289 read-only lifetime. The persistence level PSA_KEY_PERSISTENCE_READ_ONLY
2296 applicable RFC: on an invalid Finished message value, an
2310 * Remove configs/config-psa-crypto.h, which no longer had any intended
2314 * fix build failure on MinGW toolchain when __USE_MING_ANSI_STDIO is on.
2315 When that flag is on, standard GNU C printf format specifiers
2350 = mbed TLS 2.26.0 branch released 2021-03-08
2404 length, or when the entropy module uses SHA-256 and CTR_DRBG uses AES-256.
2410 |A| - |B| where |B| is larger than |A| and has more limbs (so the
2427 * Fix use-after-scope error in programs/ssl/ssl_client2.c and ssl_server2.c
2428 * Fix memory leak that occurred when calling psa_close_key() on a
2433 is enabled, on platforms where initializing a mutex allocates resources.
2438 fail. Such a double-free was not safe when MBEDTLS_THREADING_C was
2439 enabled on platforms where freeing a mutex twice is not safe.
2440 * Fix a resource leak in a bad-arguments case of mbedtls_rsa_gen_key()
2441 when MBEDTLS_THREADING_C is enabled on platforms where initializing
2449 used to validate digital signatures on certificates and MUST mark the
2451 the extension was always marked as non-critical. This was fixed by
2458 * On recent enough versions of FreeBSD and DragonFlyBSD, the entropy module
2461 = mbed TLS 2.25.0 branch released 2020-12-11
2473 mbedtls_cipher_auth_decrypt_ext() instead. Credit to OSS-Fuzz and
2478 warning on CMake 3.19.0. #3801
2498 This is currently non-standard behaviour, but expected to make it into a
2505 * Add support for DTLS-SRTP as defined in RFC 5764. Contributed by Johan
2509 identical to psa_key_id_t instead of being platform-defined. This bridges
2524 execution depending on the location of the output buffer.
2527 generating Diffie-Hellman key pairs. Credit to OSS-Fuzz.
2531 are implemented. This could cause failures or the silent use of non-random
2535 * Fix a compliance issue whereby we were not checking the tag on the
2563 * Use socklen_t on Android and other POSIX-compliant system
2564 * Fix the build when the macro _GNU_SOURCE is defined to a non-empty value.
2566 * Consistently return PSA_ERROR_INVALID_ARGUMENT on invalid cipher input
2574 an ECC key pair on Curve25519 or secp244k1.
2578 * Fix handling of EOF against 0xff bytes and on platforms with unsigned
2579 chars. Fixes a build failure on platforms where char is unsigned. Fixes
2581 * Fix an off-by-one error in the additional data length check for
2582 CCM, which allowed encryption with a non-standard length field.
2586 * Make arc4random_buf available on NetBSD and OpenBSD when _POSIX_C_SOURCE is
2591 * Attempting to create a volatile key with a non-zero key identifier now
2596 * Fix build failures on GCC 11. Fixes #3782.
2600 * Fix a case in elliptic curve arithmetic where an out-of-memory condition
2610 option on. In this configuration key management methods that are required
2619 must be erased, or manually upgraded based on the key storage format
2620 specification (docs/architecture/mbed-crypto-storage-specification.md).
2624 zeroize the pointed-to buffer. Reported by Antonio de la Piedra, CEA
2627 = mbed TLS 2.24.0 branch released 2020-09-01
2630 * In the PSA API, rename the types of elliptic curve and Diffie-Hellman
2647 * Support building on e2k (Elbrus) architecture: correctly enable
2648 -Wformat-signedness, and fix the code that causes signed-one-bit-field
2649 and sign-compare warnings. Contributed by makise-homura (Igor Molchanov)
2658 attacker could for example impersonate a 4-byte or 16-byte domain by
2665 available. In particular, on builds without MBEDTLS_HAVE_TIME_DATE,
2666 certificates were never considered as revoked. On builds with
2674 Encrypt-then-Mac extension, use constant code flow memory access patterns
2677 effective against network-based attackers, but less so against local
2679 if they have access to fine-grained measurements. In particular, this
2683 * Fix side channel in RSA private key operations and static (finite-field)
2684 Diffie-Hellman. An adversary with precise enough timing and memory access
2686 enclave) could bypass an existing counter-measure (base blinding) and
2688 * Fix a 1-byte buffer overread in mbedtls_x509_crl_parse_der().
2689 Credit to OSS-Fuzz for detecting the problem and to Philippe Antoine
2703 Montgomery keys in little-endian as defined by RFC7748. Contributed by
2706 curves. Raised by signpainter in #941 and by Taiki-San in #1412. This
2708 * Fix self-test failure when the only enabled short Weierstrass elliptic
2712 * Use arc4random_buf on NetBSD instead of rand implementation with cyclical
2716 * Fix bug in redirection of unit test outputs on platforms where stdout is
2720 * Only pass -Wformat-signedness to versions of GCC that support it. Reported
2723 previously could lead to stack overflow on constrained devices.
2735 these applications with password-protected key files. Analogously but for
2740 = mbed TLS 2.23.0 branch released 2020-07-01
2747 instead of the keys' lifetime. If the library is upgraded on an existing
2753 high- and low-level error codes, complementing mbedtls_strerror()
2757 * The new utility programs/ssl/ssl_context_info prints a human-readable
2767 * Added support to entropy_poll for the kern.arandom syscall supported on
2774 Ming-Wei Shih, Prasun Gera, Taesoo Kim and Hyesoon Kim (Georgia Institute
2785 * Fix issue in Lucky 13 counter-measure that could make it ineffective when
2804 * Fix potential linker errors on dual world platforms by inlining
2819 * Fix building library/net_sockets.c and the ssl_mail_client program on
2821 * Fix false positive uninitialised variable reported by cpp-check.
2830 clean of -Wformat-signedness warnings. Contributed by Kenneth Soerensen
2832 * Fix minor performance issue in operations on Curve25519 caused by using a
2842 * Fix mbedtls_x509_dn_gets to escape non-ASCII characters as "?".
2849 * The unit tests now rely on header files in framework/tests/include/test and source
2853 * The ECP module, enabled by `MBEDTLS_ECP_C`, now depends on
2854 `MBEDTLS_CTR_DRBG_C` or `MBEDTLS_HMAC_DRBG_C` for some side-channel
2863 = mbed TLS 2.22.0 branch released 2020-04-14
2884 Billy Brumley and Cesar Pereida Garcia. CVE-2020-10932
2910 = mbed TLS 2.21.0 branch released 2020-02-20
2916 * Deprecate for MBEDTLS_PKCS11_C, the wrapper around the pkcs11-helper
2923 probability (of the order of 2^-n where n is the bitsize of the curve)
2931 ARMmbed/mbed-crypto#352
2934 * The new build option MBEDTLS_SHA512_NO_SHA384 allows building SHA-512
2935 support without SHA-384.
2944 PSA_ECC_CURVE_SECP_R1 with 256 bits is P256R1). ARMmbed/mbed-crypto#330
2950 * Fix some false-positive uninitialized variable warnings in X.509. Fix
2951 contributed by apple-ihack-geek in #2663.
2953 a cryptographic accelerator fails. ARMmbed/mbed-crypto#345
2956 keys. Found by Catena cyber using oss-fuzz (issue 20467).
2960 = mbed TLS 2.20.0 branch released 2020-01-15
2972 default configuration, on a platform with a single entropy source, the
2990 timings on the comparison in the key generation enabled the attacker to
3002 initial seeding. The default nonce length is chosen based on the key size
3003 to achieve the security strength defined by NIST SP 800-90A. You can
3006 msopiha-linaro in ARMmbed/mbed-crypto#307.
3009 * In the PSA API, forbid zero-length keys. To pass a zero-length input to a
3023 unsupported algorithm. Fixes ARMmbed/mbed-crypto#254.
3025 to OSS-Fuzz for finding a bug in an intermediate version of the fix.
3041 merely a robustness improvement. ARMmbed/mbed-crypto#323
3043 Alexander Krizhanovsky in ARMmbed/mbed-crypto#210.
3045 Lloyd and Fortanix Inc in ARMmbed/mbed-crypto#277.
3047 Alexander Krizhanovsky in ARMmbed/mbed-crypto#308.
3049 = mbed TLS 2.19.1 branch released 2019-09-16
3063 * Fix some false-positive uninitialized variable warnings in crypto. Fix
3064 contributed by apple-ihack-geek in #2663.
3066 = mbed TLS 2.19.0 branch released 2019-09-06
3075 about 1 bit of information on average and could cause the value to be
3077 * The deterministic ECDSA calculation reused the scheme's HMAC-DRBG to
3086 store it in non-volatile storage, and later using it for TLS session
3091 The feature is enabled at compile-time by MBEDTLS_SSL_RECORD_CHECKING
3094 (https://project-everest.github.io/). It can be enabled at compile time
3096 verified and significantly faster, but is only supported on x86 platforms
3097 (32-bit and 64-bit) using GCC, Clang or Visual Studio. Contributed by
3105 * Add DER-encoded test CRTs to library/certs.c, allowing
3112 mbedtls_ecdh_can_do() on each result to check whether each algorithm is
3126 lead to successful parsing of ill-formed X.509 CRTs. Fixes #2437.
3127 * Fix multiple X.509 functions previously returning ASN.1 low-level error
3132 * Fix typo in net_would_block(). Fixes #528 reported by github-monoculture.
3134 * Fix build failure when building with mingw on Windows by including
3148 * Fix the build on ARMv5TE in ARM mode to not use assembly instructions
3153 address-sanitizer and enabling but not using MBEDTLS_ECP_RESTARTABLE.
3156 * Improve code clarity in x509_crt module, removing false-positive
3157 uninitialized variable warnings on some recent toolchains (GCC8, etc).
3160 functionally incorrect code on bigendian systems which don't have
3164 * Replace multiple uses of MD2 by SHA-256 in X.509 test suite. Fixes #821.
3168 * Add a Dockerfile and helper scripts (all-in-docker.sh, basic-in-docker.sh,
3169 docker-env.sh) to simplify running test suites on a Linux host. Contributed
3172 test runs without variability. Contributed by Philippe Antoine (Catena
3175 * Adds fuzz targets, especially for continuous fuzzing with OSS-Fuzz.
3181 = mbed TLS 2.18.1 branch released 2019-07-12
3184 * Fix build failure when building with mingw on Windows by including
3191 = mbed TLS 2.18.0 branch released 2019-06-11
3198 * Add the Wi-SUN Field Area Network (FAN) device extended key usage.
3200 * It is now possible to perform RSA PKCS v1.5 signatures with RIPEMD-160 digest.
3203 and the used tls-prf.
3204 * Add public API for tls-prf function, according to requested enum.
3213 * Add support for draft-05 of the Connection ID extension, as specified
3214 in https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05.
3219 changed its IP or port. The feature is enabled at compile-time by setting
3220 MBEDTLS_SSL_DTLS_CONNECTION_ID (disabled by default), and at run-time
3226 and the used tls-prf.
3227 * Add public API for tls-prf function, according to requested enum.
3236 * Fix 1-byte buffer overflow in mbedtls_mpi_write_string() when
3238 OSS-Fuzz.
3253 sequence on failure. Found and fix suggested by Philippe Antoine.
3254 Credit to OSS-Fuzz.
3257 * Server's RSA certificate in certs.c was SHA-1 signed. In the default
3258 mbedTLS configuration only SHA-2 signed certificates are accepted.
3262 updated to one that is SHA-256 signed. Fix contributed by
3273 = mbed TLS 2.17.0 branch released 2019-03-19
3277 which allows copy-less parsing of DER encoded X.509 CRTs,
3278 at the cost of additional lifetime constraints on the input
3290 for the benefit of saving RAM, by disabling the new compile-time
3311 previously lead to a stack overflow on constrained targets.
3318 * Fix signed-to-unsigned integer conversion warning
3335 instead of relying on other header files that they include.
3341 for platforms that don't provide it. Based on contributions by Joris Aerts
3350 * Fix configuration queries in ssl-opt.sh. #2030
3351 * Ensure that ssl-opt.sh can be run in OS X. #2029
3352 * Re-enable certain interoperability tests in ssl-opt.sh which had previously
3353 been disabled for lack of a sufficiently recent version of GnuTLS on the CI.
3354 * Ciphersuites based on 3DES now have the lowest priority by default when
3357 = mbed TLS 2.16.0 branch released 2018-12-21
3363 changed, but requirements on parameters have been made more explicit in
3375 mbedtls_ctr_drbg_update() -> mbedtls_ctr_drbg_update_ret()
3376 mbedtls_hmac_drbg_update() -> mbedtls_hmac_drbg_update_ret()
3380 the more generic per-module error codes MBEDTLS_ERR_xxx_BAD_INPUT_DATA.
3382 modules - AES, ARIA, Blowfish, CAMELLIA, CCM, GCM, DHM, ECP, ECDSA, ECDH,
3408 on some toolchains. Reported by phoenixmcallister. Fixes #2170.
3414 = mbed TLS 2.15.1 branch released 2018-11-30
3419 = mbed TLS 2.15.0 branch released 2018-11-23
3429 * Add unit tests for AES-GCM when called through mbedtls_cipher_auth_xxx()
3432 = mbed TLS 2.14.1 branch released 2018-11-30
3436 decryption that could lead to a Bleichenbacher-style padding oracle
3437 attack. In TLS, this affects servers that accept ciphersuites based on
3443 in the paper available here: http://cat.eyalro.net/cat.pdf CVE-2018-19608
3451 * Wipe sensitive buffers on the stack in the CTR_DRBG and HMAC_DRBG
3461 = mbed TLS 2.14.0 branch released 2018-11-19
3472 space and a PSK-(EC)DHE ciphersuite was used, this allowed an attacker
3477 adversary to construct non-primes that would be erroneously accepted as
3478 primes with high probability. This does not have an impact on the
3482 pairs or Diffie-Hellman parameters, but was insufficient to validate
3483 Diffie-Hellman parameters properly.
3490 constrained, single-threaded systems where ECC is time consuming and can
3496 implemented client-side, for ECDHE-ECDSA ciphersuites in TLS 1.2,
3499 operations. On CPUs where the extensions are available, they can accelerate
3502 * Extend RSASSA-PSS signature to allow a smaller salt size. Previously, PSS
3506 that comply with FIPS 186-4, including SHA-512 with a 1024-bit key.
3507 * Add support for 128-bit keys in CTR_DRBG. Note that using keys shorter
3526 Miller-Rabin rounds.
3539 padded records in case of CBC ciphersuites using Encrypt-then-MAC.
3550 wildcards and non-ASCII characters being unusable in some DN attributes.
3552 Thomas-Dee.
3556 Reported by ole-de and ddhome2006. Fixes #882, #1642 and #1706.
3562 test the handling of large packets and small packets on the client side
3563 in the same way as on the server side.
3576 Thomas-Dee.
3578 Fixes #517 reported by github-monoculture.
3581 by FIPS-186-4.
3583 = mbed TLS 2.13.1 branch released 2018-09-06
3587 whose implementation should behave as a thread-safe version of gmtime().
3594 * Fix build failures on platforms where only gmtime() is available but
3597 = mbed TLS 2.13.0 branch released 2018-08-31
3608 with the peer, as well as by a new per-connection MTU option, set using
3610 * Add support for auto-adjustment of MTU to a safe value during the
3615 * Add support for buffering out-of-order handshake messages in DTLS.
3617 compile-time constant MBEDTLS_SSL_DTLS_MAX_BUFFERING defined
3636 * Fix potential use-after-free in mbedtls_ssl_get_max_frag_len()
3647 (found by Catena cyber using oss-fuzz)
3659 * Add support for buffering of out-of-order handshake messages.
3664 = mbed TLS 2.12.0 branch released 2018-07-25
3667 * Fix a vulnerability in TLS ciphersuites based on CBC and using SHA-384,
3675 or CCM instead of CBC, using hash sizes other than SHA-384, or using
3676 Encrypt-then-Mac (RFC 7366) were not affected. The vulnerability was
3677 caused by a miscalculation (for SHA-384) in a countermeasure to the
3680 * Fix a vulnerability in TLS ciphersuites based on CBC, in (D)TLS 1.0 to
3681 1.2, that allowed a local attacker, able to execute code on the local
3688 instead of CBC or using Encrypt-then-Mac (RFC 7366) were not affected.
3690 * Add a counter-measure against a vulnerability in TLS ciphersuites based
3691 on CBC, in (D)TLS 1.0 to 1.2, that allowed a local attacker, able to
3692 execute code on the local machine as well as manipulate network packets,
3696 Encrypt-then-Mac (RFC 7366) were not affected. Found by Kenny Paterson,
3700 * Add new crypto primitives from RFC 7539: stream cipher Chacha20, one-time
3701 authenticator Poly1305 and AEAD construct Chacha20-Poly1305. Contributed
3703 * Add support for CHACHA20-POLY1305 ciphersuites from RFC 7905.
3704 * Add platform support for the Haiku OS. (https://www.haiku-os.org).
3711 * Add support for key wrapping modes based on AES as defined by
3712 NIST SP 800-38F algorithms KW and KWP and by RFC 3394 and RFC 5649.
3717 * Fix compilation error on C++, because of a variable named new.
3719 * Fix "no symbols" warning issued by ranlib when building on Mac OS X. Fix
3739 CBC based ciphersuite is used together with Encrypt-then-MAC. Previously,
3742 TLS 1.0. Reported by @kFYatek and by Conor Murphy on the forum. Fix
3744 * Fix ssl_client2 example to send application data with 0-length content
3749 * Fix build using -std=c99. Fixed by Nick Wilson.
3753 zero-length messages when using TLS 1.2. Contributed by Espressif Systems.
3755 when calling with a NULL salt and non-zero salt_len. Contributed by
3759 * Allow overriding the time on Windows via the platform-time abstraction.
3761 * Use gmtime_r/gmtime_s for thread-safety. Fixed by Nick Wilson.
3763 = mbed TLS 2.11.0 branch released 2018-06-18
3768 * Implement the HMAC-based extract-and-expand key derivation function
3771 * Add support for the XTS block cipher mode with AES (AES-XTS).
3775 non-blocking operation of the TLS server stack.
3782 * Fix compilation warnings with IAR toolchain, on 32 bit platform.
3792 = mbed TLS 2.10.0 branch released 2018-06-06
3811 build to fail. Found by zv-io. Fixes #1651.
3814 * Support TLS testing in out-of-source builds using cmake. Fixes #1193.
3818 = mbed TLS 2.9.0 branch released 2018-04-30
3825 would require a non DER-compliant certificate to be correctly signed by a
3826 trusted CA, or a trusted CA with a non DER-compliant certificate. Found by
3834 * Fix a client-side bug in the validation of the server's ciphersuite choice
3856 This function is necessary to determine when it is safe to idle on the
3857 underlying transport in case event-driven IO is used.
3863 in configurations that omit certain hashes or public-key algorithms.
3870 * Fix the Makefile build process for building shared libraries on Mac OS X.
3875 * Return the plaintext data more quickly on unpadded CBC decryption, as
3885 in the internal buffers; these cases led to deadlocks when event-driven
3902 public-key algorithms. Includes contributions by Gert van Dijk.
3922 letter must not be prefixed by '-', such as LLVM. Found and fixed by
3926 * Optimize unnecessary zeroing in mbedtls_mpi_copy. Based on a contribution
3932 HMAC functions with non-HMAC ciphersuites. Independently contributed
3935 FIPS 186-4. Contributed by Jethro Beekman. #1380
3943 = mbed TLS 2.8.0 branch released 2018-03-16
3957 implementation allowed an offline 2^80 brute force attack on the
3963 a crash on invalid input.
3965 crash on invalid input.
3973 uses PBKDF2-SHA2, such as OpenSSL 1.1. Submitted by Antonio Quartulli,
3984 * Fix test_suite_pk to work on 64-bit ILP32 systems. #849
3994 * Fix compilation error on Mingw32 when _TRUNCATE is defined. Use _TRUNCATE
3996 Nick Wilson on issue #355
4005 that could cause a key exchange to fail on valid data.
4007 could cause a key exchange to fail on valid data.
4010 * Fix a 1-byte heap buffer overflow (read-only) during private key parsing.
4019 a migration path for those depending on the library's ABI.
4024 = mbed TLS 2.7.0 branch released 2018-02-03
4030 6 bytes on the peer's heap, which could potentially lead to crash or remote
4032 both TLS and DTLS. CVE-2018-0488
4033 * Fix a buffer overflow in RSA-PSS verification when the hash was too large
4036 Qualcomm Technologies Inc. CVE-2018-0487
4037 * Fix buffer overflow in RSA-PSS verification when the unmasked data is all
4045 latter overflows. The exploitability of this issue depends on whether the
4047 was independently reported by Tim Nordell via e-mail and by Florin Petriuc
4048 and sjorsdewit on GitHub. Fix proposed by Florin Petriuc in #1022.
4058 * Make mbedtls_mpi_read_binary() constant-time with respect to the input
4064 * Fix a potential heap buffer over-read in ALPN extension parsing
4065 (server-side). Could result in application crash, but only if an ALPN
4066 name larger than 16 bytes had been configured on the server.
4068 to RFC 3526 containing parameters generated in a nothing-up-my-sleeve
4073 * The selftest program can execute a subset of the tests based on command
4075 * New unit tests for timing. Improve the self-test to be more robust
4076 when run on a heavily-loaded machine.
4098 * Extend RSA interface by multiple functions allowing structure-
4111 mbedtls_<MODULE>_starts() -> mbedtls_<MODULE>_starts_ret()
4112 mbedtls_<MODULE>_update() -> mbedtls_<MODULE>_update_ret()
4113 mbedtls_<MODULE>_finish() -> mbedtls_<MODULE>_finish_ret()
4114 mbedtls_<MODULE>_process() -> mbedtls_internal_<MODULE>_process()
4117 * Deprecate usage of RSA primitives with non-matching key-type
4142 renegotiated handshakes would only accept signatures using SHA-1
4143 regardless of the peer's preferences, or fail if SHA-1 was disabled.
4145 dates on leap years with 100 and 400 intervals are handled correctly. Found
4147 * Fix some invalid RSA-PSS signatures with keys of size 8N+1 that were
4149 * Fix out-of-memory problem when parsing 4096-bit PKCS8-encrypted RSA keys.
4162 * Correct extraction of signature-type from PK instance in X.509 CRT and CSR
4166 non-v3 CRT's.
4171 MBEDTLS_SSL_RENEGOTIATION is disabled. Found by erja-gp.
4174 * Fix word size check in pk.c to not depend on MBEDTLS_HAVE_INT64.
4176 * Add size-checks for record and handshake message content, securing
4177 fragile yet non-exploitable code-paths.
4180 * Fix mbedtls_timing_alarm(0) on Unix and MinGW.
4198 mbedtls_sha512_init() is called before operating on the relevant context
4200 reset it. Found independently by ccli8 on Github.
4212 on GitHub.
4213 * Only run AES-192 self-test if AES-192 is available. Fixes #963.
4215 undeclared dependency of the RSA module on the ASN.1 module.
4224 * Add explicit warnings for the use of MD2, MD4, MD5, SHA-1, DES and ARC4
4227 = mbed TLS 2.6.0 branch released 2017-08-10
4243 platform-specific setup and teardown operations. The macro
4255 * Certificate verification functions now set flags to -1 in case the full
4268 * Fix a resource leak on Windows platforms in mbedtls_x509_crt_parse_path(),
4272 * Fix conditional preprocessor directives in bignum.h to enable 64-bit
4276 to bypass the version verification check. Found by Peng Li/Yueh-Hsun Lin,
4280 to bypass the version verification check. Found by Peng Li/Yueh-Hsun Lin,
4292 64-bit division. This is useful on embedded platforms where 64-bit division
4293 created a dependency on external libraries. #708
4298 config-no-entropy.h to reduce the RAM footprint.
4303 = mbed TLS 2.5.1 released 2017-06-21
4306 * Fixed unlimited overread of heap-based buffer in mbedtls_ssl_read().
4307 The issue could only happen client-side with renegotiation enabled.
4311 * Removed SHA-1 and RIPEMD-160 from the default hash algorithms for
4312 certificate verification. SHA-1 can be turned back on with a compile-time
4317 potential Bleichenbacher/BERserk-style attack.
4322 and with GCC using the -Wpedantic compilation option.
4323 * Fix insufficient support for signature-hash-algorithm extension,
4350 by Jean-Philippe Aumasson.
4352 = mbed TLS 2.5.0 branch released 2017-05-17
4359 against side-channel attacks like the cache attack described in
4378 mbedtls_aes_decrypt() -> mbedtls_internal_aes_decrypt()
4379 mbedtls_aes_encrypt() -> mbedtls_internal_aes_encrypt()
4382 * Remove macros from compat-1.3.h that correspond to deleted items from most
4386 * Add checks in the PK module for the RSA functions on 64-bit systems.
4391 = mbed TLS 2.4.2 branch released 2017-03-08
4395 using RSA through the PK module in 64-bit systems. The issue was caused by
4398 mbedtls_pk_sign(). Found by Jean-Philippe Aumasson.
4407 * Fixed a bug that caused freeing a buffer that was allocated on the stack,
4408 when verifying the validity of a key on secp224k1. This could be
4410 and potentially could lead to remote code execution on some platforms.
4412 team. #569 CVE-2017-2784
4421 mbedtls_ssl_set_bio_timeout in compat-1.3.h, by removing it.
4422 Found by omlib-lin. #673
4443 Li/Yueh-Hsun Lin, KNOX Security, Samsung Research America.
4459 = mbed TLS 2.4.1 branch released 2016-12-13
4462 * Update to CMAC test data, taken from - NIST Special Publication 800-38B -
4466 = mbed TLS 2.4.0 branch released 2016-10-17
4470 with RFC-5116 and could lead to session key recovery in very long TLS
4471 sessions. "Nonce-Disrespecting Adversaries Practical Forgery Attacks on GCM in
4472 TLS" - H. Bock, A. Zauner, S. Devlin, J. Somorovsky, P. Jovanovic.
4480 * Added support for CMAC for AES and 3DES and AES-CMAC-PRF-128, as defined by
4481 NIST SP 800-38B, RFC-4493 and RFC-4615.
4489 * Added a configuration file config-no-entropy.h that configures the subset of
4502 * Fix for key exchanges based on ECDH-RSA or ECDH-ECDSA which weren't
4504 * Fix for out-of-tree builds using CMake. Found by jwurzer, and fix based on
4517 subramanyam-c. #622
4524 Found by subramanyam-c. #626
4532 * Removed self-tests from the basic-built-test.sh script, and added all
4533 missing self-tests to the test suites, to ensure self-tests are only
4536 * Added support for a Yotta specific configuration file -
4538 * Added optimization for code space for X.509/OID based on configured
4547 = mbed TLS 2.3.0 branch released 2016-06-28
4565 arguments were the same (in-place doubling). Found and fixed by Janos
4584 * Fix test in ssl-opt.sh that does not run properly with valgrind
4588 * On ARM platforms, when compiling with -O0 with GCC, Clang or armcc5,
4590 the need to pass -fomit-frame-pointer to avoid a build error with -O0.
4594 * Fix non-compliance server extension handling. Extensions for SSLv3 are now
4597 = mbed TLS 2.2.1 released 2016-01-05
4604 SLOTH attack on TLS 1.2 server authentication (other attacks from the
4609 * Fix over-restrictive length limit in GCM. Found by Andreas-N. #362
4621 = mbed TLS 2.2.0 released 2015-11-04
4627 * Fix potential heap corruption on Windows when
4632 on untrusted input or write keys of untrusted origin. Found by Guido
4634 * The X509 max_pathlen constraint was not enforced on intermediate
4639 * Experimental support for EC J-PAKE as defined in Thread 1.0.0.
4642 block. (Potential uses include EAP-TLS and Thread.)
4645 * Self-signed certificates were not excluded from pathlen counting,
4648 * Fix build error with configurations where ECDHE-PSK is the only key
4650 * Fix build error with configurations where RSA, RSA-PSK, ECDH-RSA or
4651 ECDH-ECDSA is the only key exchange. Multiple reports. #310
4652 * Fixed a bug causing some handshakes to fail due to some non-fatal alerts
4653 not being properly ignored. Found by mancha and Kasom Koht-arsa, #308
4656 minimum key size for end-entity certificates with RSA keys. Found by
4658 * Fix failures in MPI on Sparc(64) due to use of bad assembly code.
4667 or -1.
4669 = mbed TLS 2.1.2 released 2015-10-06
4672 * Added fix for CVE-2015-5291 to prevent heap corruption due to buffer
4675 * Fix potential double-free if mbedtls_ssl_set_hs_psk() is called more than
4684 of TLS, but might be in other uses. On 32 bit machines, requires reading a
4685 string of close to or larger than 1GB to exploit; on 64 bit machines, would
4688 on crafted PEM input data. Found and fix provided by Guido Vranken,
4692 buffer is 512MB or larger on 32-bit platforms. Found by Guido Vranken,
4694 * Fix potential double-free if mbedtls_conf_psk() is called repeatedly on
4713 = mbed TLS 2.1.1 released 2015-09-17
4716 * Add countermeasure against Lenstra's RSA-CRT attack for PKCS#1 v1.5
4718 https://securityblog.redhat.com/2015/09/02/factoring-rsa-keys-with-tls-perfect-forward-secrecy/
4719 * Fix possible client-side NULL pointer dereference (read) when the client
4722 afl-fuzz.)
4726 * Fix off-by-one error in parsing Supported Point Format extension that
4737 MBEDTLS_ERR_SSL_CLIENT_RECONNECT - it is then possible to start a new
4740 = mbed TLS 2.1.0 released 2015-09-04
4748 * Fix build error with CMake and pre-4.5 versions of GCC (found by Hugo
4756 * Fix compile error with armcc 5 with --gnu option.
4761 * Fix missing -static-libgcc when building shared libraries for Windows
4768 result trying to unlock an unlocked mutex on invalid input (found by
4770 * Fix -Wshadow warnings (found by hnrkp) (#240)
4771 * Fix memory corruption on client with overlong PSK identity, around
4772 SSL_MAX_CONTENT_LEN or higher - not triggerable remotely (found by
4780 * It is now possible to #include a user-provided configuration file at the
4781 end of the default config.h by defining MBEDTLS_USER_CONFIG_FILE on the
4784 trusted, no later cert is checked. (suggested by hannes-landeholm)
4791 = mbed TLS 2.0.0 released 2015-07-13
4798 * New server-side implementation of session tickets that rotate keys to
4804 * Introduced a concept of presets for SSL security-relevant configuration
4812 Migration helpers scripts/rename.pl and include/mbedtls/compat-1.3.h are
4813 provided. Full list of renamings in scripts/data_files/rename-1.3-2.0.txt
4815 mbedtls_cipher_info_t.key_length -> key_bitlen
4816 mbedtls_cipher_context_t.key_length -> key_bitlen
4817 mbedtls_ecp_curve_info.size -> bit_size
4821 should generally be the first function called on this context after init:
4822 mbedtls_ssl_init() -> mbedtls_ssl_setup()
4823 mbedtls_ccm_init() -> mbedtls_ccm_setkey()
4824 mbedtls_gcm_init() -> mbedtls_gcm_setkey()
4825 mbedtls_hmac_drbg_init() -> mbedtls_hmac_drbg_seed(_buf)()
4826 mbedtls_ctr_drbg_init() -> mbedtls_ctr_drbg_seed()
4832 (see rename.pl and compat-1.3.h above) and their first argument's type
4835 additional callback for read-with-timeout).
4845 * On server, mbedtls_ssl_conf_session_tickets_cb() must now be used in
4854 mbedtls_x509_crt_verify() (flags, f_vrfy -> needs to be updated)
4855 mbedtls_ssl_conf_verify() (f_vrfy -> needs to be updated)
4856 * The following functions changed prototype to avoid an in-out length
4874 * Test certificates in certs.c are no longer guaranteed to be nul-terminated
4903 * Removed compat-1.2.h (helper for migrating from 1.2 to 1.3).
4905 * Configuration options POLARSSL_HAVE_LONGLONG was removed (now always on).
4907 been removed (compiler is required to support 32-bit operations).
4910 * Removed test program ssl_test, superseded by ssl-opt.sh.
4911 * Removed helper script active-config.pl
4917 Semi-API changes (technically public, morally private)
4938 * Default DHM parameters server-side upgraded from 1024 to 2048 bits.
4941 * Negotiation of truncated HMAC is now disabled by default on server too.
4942 * The following functions are now case-sensitive:
4951 * The NET layer now unconditionally relies on getaddrinfo() and select().
4961 * DTLS no longer hard-depends on TIMING_C, but uses a callback interface
4970 thread-safe if MBEDTLS_THREADING_C is enabled.
4971 * Reduced ROM footprint of SHA-256 and added an option to reduce it even
4978 extendedKeyUsage on the leaf certificate was lost (results not accessible
4980 * Add countermeasure against "Lucky 13 strikes back" cache-based attack,
4990 * Add support for id-at-uniqueIdentifier in X.509 names.
4991 * Add support for overriding snprintf() (except on Windows) and exit() in
4996 cross-compilation easier (thanks to Alon Bar-Lev).
4997 * The benchmark program also prints heap usage for public-key primitives
4999 * New script ecc-heap.sh helps measuring the impact of ECC parameters on
5002 reduced configurations (PSK-CCM and NSA suite B).
5004 warnings on use of deprecated functions (with GCC and Clang only).
5006 errors on use of deprecated functions.
5014 once on the same context.
5019 * mpi_size() and mpi_msb() would segfault when called on an mpi that is
5021 * Fix detection of support for getrandom() on Linux (reported by syzzer) by
5034 * Fix potential unintended sign extension in asn1_get_len() on 64-bit
5041 * Add missing dependency on SHA-256 in some x509 programs (reported by
5052 * compat-1.2.h and openssl.h are deprecated.
5055 (contributed by Alon Bar-Lev).
5058 * Move from SHA-1 to SHA-256 in example programs using signatures
5064 * Remove dependency on sscanf() in X.509 parsing modules.
5066 = mbed TLS 1.3.10 released 2015-02-09
5068 * NULL pointer dereference in the buffer-based allocator when the buffer is
5072 * Fix remotely-triggerable uninitialised pointer dereference caused by
5075 * Fix remotely-triggerable memory leak caused by crafted X.509 certificates
5082 Bleichenbacher-style attack in the RSA and RSA-PSK key exchanges
5086 * Add support for FALLBACK_SCSV (draft-ietf-tls-downgrade-scsv).
5087 * Add support for Extended Master Secret (draft-ietf-tls-session-hash).
5088 * Add support for Encrypt-then-MAC (RFC 7366).
5091 * Add compile-time option POLARSSL_X509_MAX_INTERMEDIATE_CA to limit the
5093 * Support for renegotiation can now be disabled at compile-time
5094 * Support for 1/n-1 record splitting, a countermeasure against BEAST.
5095 * Certificate selection based on signature hash, preferring SHA-1 over SHA-2
5096 for pre-1.2 clients when multiple certificates are available.
5097 * Add support for getrandom() syscall on recent Linux kernels with Glibc or
5106 add_len (found by Jean-Philippe Aumasson) (not triggerable remotely).
5115 * Fix unchecked return code in x509_crt_parse_path() on Windows (found by
5122 issue with some servers when a zero-length extension was sent. (Reported
5124 * On a 0-length input, base64_encode() did not correctly set output length
5131 * ssl_set_own_cert() now returns an error on key-certificate mismatch.
5137 * It is now possible to disable negotiation of truncated HMAC server-side
5143 = PolarSSL 1.3.9 released 2014-10-20
5147 * Remotely-triggerable memory leak when parsing some X.509 certificates
5150 * Remotely-triggerable memory leak when parsing crafted ClientHello
5157 * Fix net_accept() regarding non-blocking sockets (found by Luca Pesce).
5159 * Fix warnings from Clang's scan-build (contributed by Alfred Klomp).
5162 * Remove non-existent file from VS projects (found by Peter Vaskovic).
5163 * ssl_read() could return non-application data records on server while
5164 renegotiation was pending, and on client when a HelloRequest was received.
5165 * Server-initiated renegotiation would fail with non-blocking I/O if the
5168 with non-blocking I/O.
5169 * Fix compiler warnings on iOS (found by Sander Niemeijer).
5170 * x509_crt_parse() did not increase total_failed on PEM error
5176 * Ciphersuites using SHA-256 or SHA-384 now require TLS 1.x (there is no
5177 standard defining how to use SHA-2 with SSL 3.0).
5178 * Ciphersuites using RSA-PSK key exchange now require TLS 1.x (the spec is
5179 ambiguous on how to encode some packets with SSL 3.0).
5183 POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE on harmless alerts.
5190 = PolarSSL 1.3.8 released 2014-07-11
5199 * Support for parsing and verifying RSASSA-PSS signatures in the X.509
5206 * Add server-side enforcement of sent renegotiation requests
5213 required on some platforms (e.g. OpenBSD)
5225 * Remove less-than-zero checks on unsigned numbers
5226 * Stricter check on SSL ClientHello internal sizes compared to actual packet
5237 rejected with CBC-based ciphersuites and TLS >= 1.1
5239 to 32 bytes with CBC-based ciphersuites and TLS >= 1.1
5242 * Restore ability to locally trust a self-signed cert that is not a proper
5248 * Fix off-by-one error in parsing Supported Point Format extension that
5250 * Fix possible miscomputation of the premaster secret with DHE-PSK key
5259 = PolarSSL 1.3.7 released on 2014-05-02
5263 * version_check_feature() added to check for compile-time options at
5264 run-time
5271 * AES-NI now compiles with "old" assemblers too
5272 * Ciphersuites based on RC4 now have the lowest priority by default
5285 * On OpenBSD, use arc4random_buf() instead of rand() to prevent warnings
5286 * mpi_fill_random() was creating numbers larger than requested on
5287 big-endian platform when size was not an integer number of limbs
5291 * Fix detection of Clang on some Apple platforms with CMake
5294 = PolarSSL 1.3.6 released on 2014-04-11
5315 This affects certificates in the user-supplied chain except the top
5316 certificate. If the user-supplied chain contains only one certificate,
5335 * dhm_parse_dhm() (hence dhm_parse_dhmfile()) did not set dhm->len.
5336 * Calling pk_debug() on an RSA-alt key would segfault.
5337 * pk_get_size() and pk_get_len() were off by a factor 8 for RSA-alt keys.
5343 = PolarSSL 1.3.5 released on 2014-03-26
5345 * HMAC-DRBG as a separate module
5349 * Ability to force the entropy module to use SHA-256 as its basis
5351 * Testing script ssl-opt.sh added for testing 'live' ssl option
5359 now thread-safe if POLARSSL_THREADING_C defined
5375 * Possible remotely-triggered out-of-bounds memory access fixed (found by
5382 * Fixed testing with out-of-source builds using cmake
5383 * Fixed version-major intolerance in server
5384 * Fixed CMake symlinking on out-of-source builds
5387 * Bignum's MIPS-32 assembly was used on MIPS-64, causing chaos. (Found by
5390 * m_sleep() was sleeping twice too long on most Unix platforms.
5391 * Fixed bug with session tickets and non-blocking I/O in the unlikely case
5404 = PolarSSL 1.3.4 released on 2014-01-27
5407 * Support for RIPEMD-160
5415 * net module handles timeouts on blocking sockets better (found by Tilman
5423 = PolarSSL 1.3.3 released on 2013-12-31
5429 * Support for ECDH-RSA and ECDH-ECDSA key exchanges and ciphersuites
5431 * AES-NI support for AES, AES-GCM and AES key scheduling
5432 * SSL Pthread-based server example added (ssl_pthread_server)
5439 * More constant-time checks in the RSA module
5446 * Fixed bug in mpi_set_bit() on platforms where t_uint is wider than int
5447 * Fixed X.509 hostname comparison (with non-regular characters)
5453 * Fixed x509_crt_parse_path() bug on Windows platforms
5460 * Possible remotely-triggered out-of-bounds memory access fixed (found by
5463 = PolarSSL 1.3.2 released on 2013-11-04
5467 * Support for Camellia-GCM mode and ciphersuites
5470 * Padding checks in cipher layer are now constant-time
5471 * Value comparisons in SSL layer are now constant-time
5478 * Prevent possible alignment warnings on casting from char * to 'aligned *'
5484 * Server-side initiated renegotiations send HelloRequest
5486 = PolarSSL 1.3.1 released on 2013-10-15
5489 * Support for ECDHE-PSK key-exchange and ciphersuites
5490 * Support for RSA-PSK key-exchange and ciphersuites
5496 * config.h is more script-friendly
5508 = PolarSSL 1.3.0 released on 2013-10-01
5513 (ECDHE-based ciphersuites)
5515 (ECDSA-based ciphersuites)
5516 * Ability to specify allowed ciphersuites based on the protocol version.
5517 * PSK and DHE-PSK based ciphersuites added
5519 * Buffer-based memory allocator added (no malloc() / free() / HEAP usage)
5526 * Support for zeros-and-length (ANSI X.923) padding, one-and-zeros
5527 (ISO/IEC 7816-4) padding and zero padding in the cipher layer
5540 * Introduced separate SSL Ciphersuites module that is based on
5547 * Client and server now filter sent and accepted ciphersuites on minimum
5556 * Also compiles / runs without time-based functions (!POLARSSL_HAVE_TIME)
5562 * zlib compression/decompression skipped on empty blocks
5567 * RSA blinding on CRT operations to counter timing attacks
5568 (found by Cyril Arnaud and Pierre-Alain Fouque)
5571 = Version 1.2.14 released 2015-05-??
5579 * Add countermeasure against "Lucky 13 strikes back" cache-based attack,
5587 * Fix potential unintended sign extension in asn1_get_len() on 64-bit
5590 = Version 1.2.13 released 2015-02-16
5595 * Fix remotely-triggerable uninitialised pointer dereference caused by
5598 * Fix remotely-triggerable memory leak caused by crafted X.509 certificates
5611 add_len (found by Jean-Philippe Aumasson) (not triggerable remotely).
5612 * Fix bug in MPI/bignum on s390/s390x (reported by Dan Horák) (introduced
5614 * Fix unchecked return code in x509_crt_parse_path() on Windows (found by
5621 issue with some servers when a zero-length extension was sent. (Reported
5623 * On a 0-length input, base64_encode() did not correctly set output length
5629 * Add compile-time option POLARSSL_X509_MAX_INTERMEDIATE_CA to limit the
5631 = Version 1.2.12 released 2014-10-24
5634 * Remotely-triggerable memory leak when parsing some X.509 certificates
5642 with non-blocking I/O.
5643 * x509_crt_parse() did not increase total_failed on PEM error
5644 * Fix compiler warnings on iOS (found by Sander Niemeijer).
5646 * Fix net_accept() regarding non-blocking sockets (found by Luca Pesce).
5647 * ssl_read() could return non-application data records on server while
5648 renegotiation was pending, and on client when a HelloRequest was received.
5649 * Fix warnings from Clang's scan-build (contributed by Alfred Klomp).
5655 POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE on harmless alerts.
5658 = Version 1.2.11 released 2014-07-11
5686 * Fixed X.509 hostname comparison (with non-regular characters)
5689 * Fixed x509_crt_parse_path() bug on Windows platforms
5699 * Fixed testing with out-of-source builds using cmake
5700 * Fixed version-major intolerance in server
5701 * Fixed CMake symlinking on out-of-source builds
5702 * Bignum's MIPS-32 assembly was used on MIPS-64, causing chaos. (Found by
5715 * On OpenBSD, use arc4random_buf() instead of rand() to prevent warnings
5716 * mpi_fill_random() was creating numbers larger than requested on
5717 big-endian platform when size was not an integer number of limbs
5719 * Stricter check on SSL ClientHello internal sizes compared to actual packet
5728 = Version 1.2.10 released 2013-10-07
5730 * Changed RSA blinding to a slower but thread-safe version
5737 = Version 1.2.9 released 2013-10-01
5747 * Fixed potential heap buffer overflow on large hostname setting
5749 * RSA blinding on CRT operations to counter timing attacks
5750 (found by Cyril Arnaud and Pierre-Alain Fouque)
5752 = Version 1.2.8 released 2013-06-19
5756 * Centralized module option values in config.h to allow user-defined
5774 * Fixed const correctness issues that have no impact on the ABI
5781 * Fixed values for 2-key Triple DES in cipher layer
5786 PEM-encoded certificates has been fixed (found by Jack Lloyd)
5788 = Version 1.2.7 released 2013-04-13
5790 * Ability to specify allowed ciphersuites based on the protocol version.
5793 * Default Blowfish keysize is now 128-bits
5800 = Version 1.2.6 released 2013-03-11
5803 * Corrected GCM counter incrementation to use only 32-bits instead of
5804 128-bits (found by Yawning Angel)
5805 * Fixes for 64-bit compilation with MS Visual Studio
5806 * Fixed net_bind() for specified IP addresses on little endian systems
5815 * Re-added handling for SSLv2 Client Hello when the define
5827 = Version 1.2.5 released 2013-02-02
5829 * Allow enabling of dummy error_strerror() to support some use-cases
5832 * Sending of security-relevant alert messages that do not break
5833 interoperability can be switched on/off with the flag
5840 = Version 1.2.4 released 2013-01-25
5852 = Version 1.2.3 released 2012-11-26
5856 = Version 1.2.2 released 2012-11-24
5860 * During verify trust-CA is only checked for expiration and CRL presence
5864 * Fixed dependency on POLARSSL_SHA4_C in SSL modules
5866 = Version 1.2.1 released 2012-11-20
5869 bottom-up (Peer cert depth is 0)
5875 Pégourié-Gonnard)
5877 Pégourié-Gonnard)
5880 = Version 1.2.0 released 2012-10-31
5886 * Added support for multi-domain certificates through the X509 Subject
5913 * Fixed const-correctness of mpi_get_bit()
5929 * Fixed handling error in mpi_cmp_mpi() on longer B values (found by
5932 * Fixed single RSA test that failed on Big Endian systems (Closes ticket #54)
5938 * Prevent reading over buffer boundaries on X509 certificate parsing
5945 * Fixed potential memory zeroization on miscrafted RSA key (found by Eloi
5948 = Version 1.1.8 released on 2013-10-01
5954 * Potential buffer-overflow for ssl_read_record() (independently found by
5957 * Potential heap buffer overflow on large hostname setting
5959 = Version 1.1.7 released on 2013-06-19
5968 * Fixed values for 2-key Triple DES in cipher layer
5973 PEM-encoded certificates has been fixed (found by Jack Lloyd)
5975 = Version 1.1.6 released on 2013-03-11
5977 * Fixed net_bind() for specified IP addresses on little endian systems
5980 * Allow enabling of dummy error_strerror() to support some use-cases
5991 = Version 1.1.5 released on 2013-01-16
5998 * Prevent reading over buffer boundaries on X509 certificate parsing
6002 Pégourié-Gonnard)
6004 Pégourié-Gonnard)
6012 * Fixed potential memory zeroization on miscrafted RSA key (found by Eloi
6015 = Version 1.1.4 released on 2012-05-31
6019 * Fixed single RSA test that failed on Big Endian systems (Closes ticket #54)
6021 = Version 1.1.3 released on 2012-04-29
6025 = Version 1.1.2 released on 2012-04-26
6027 * Fixed handling error in mpi_cmp_mpi() on longer B values (found by
6031 * Fixed potential memory corruption on miscrafted client messages (found by
6032 Frama-C team at CEA LIST)
6036 = Version 1.1.1 released on 2012-01-23
6040 * Fixed issues with Intel compiler on 64-bit systems (Closes ticket #50)
6044 = Version 1.1.0 released on 2011-12-22
6046 * Added ssl_session_reset() to allow better multi-connection pools of
6047 SSL contexts without needing to set all non-connection-specific
6054 * Added CTR_DRBG based on AES-256-CTR (NIST SP 800-90) random generator
6063 * Increased maximum size of ASN1 length reads to 32-bits.
6068 * Changed the defined key-length of DES ciphers in cipher.h to include the
6073 trade-off
6081 x509parse_crtfile(). With permissive parsing the parsing does not stop on
6082 encountering a parse-error. Beware that the meaning of return values has
6084 * All error codes are now negative. Even on memory failures and IO errors.
6087 * Fixed faulty HMAC-MD2 implementation. Found by dibac. (Closes
6093 * Fixed incorrect behaviour in case of RSASSA-PSS with a salt length
6102 = Version 1.0.0 released on 2011-07-27
6115 = Version 0.99-pre5 released on 2011-05-26
6139 net_recv() now returns 0 on EOF instead of
6141 POLARSSL_ERR_SSL_CONN_EOF on an EOF from its f_recv() function.
6148 = Version 0.99-pre4 released on 2011-04-01
6151 for the RSAES-OAEP and RSASSA-PSS operations.
6166 platform (32-bit / 64-bit) (Fixes ticket #19, found by Mads
6170 * Fixed proper handling of RSASSA-PSS verification with variable
6173 = Version 0.99-pre3 released on 2011-02-28
6174 This release replaces version 0.99-pre2 which had possible copyright issues.
6199 * Fixed a possible Man-in-the-Middle attack on the
6203 = Version 0.99-pre1 released on 2011-01-30
6205 Note: Most of these features have been donated by Fox-IT
6218 + Added verification callback on certificate chain
6222 libpkcs11-helper library
6233 = Version 0.14.0 released on 2010-08-16
6237 * Added compile-time and run-time version information
6243 * Removed dependency on rand() in rsa_pkcs1_encrypt().
6254 * Fixed deadlock in rsa_pkcs1_encrypt() on failing random
6257 = Version 0.13.1 released on 2010-03-24
6262 = Version 0.13.0 released on 2010-03-21
6278 * Added reset function for HMAC context as speed-up
6279 for specific use-cases
6285 * Added small fixes for compiler warnings on a Mac
6290 = Version 0.12.1 released on 2009-10-04
6301 = Version 0.12.0 released on 2009-07-28
6305 Base64, MPI, SHA-family, MD-family, HMAC-SHA-family,
6306 Camellia, DES, 3-DES, RSA PKCS#1, XTEA, Diffie-Hellman
6318 * Fixed include location of endian.h on FreeBSD (found by
6320 * Fixed include location of endian.h and name clash on
6322 * Fixed HMAC-MD2 by modifying md2_starts(), so that the
6330 * Fixed segfault on handling empty rsa_context in
6343 * Fixed Camellia and XTEA for 64-bit Windows systems.
6345 = Version 0.11.1 released on 2009-05-17
6346 * Fixed missing functionality for SHA-224, SHA-256, SHA384,
6347 SHA-512 in rsa_pkcs1_sign()
6349 = Version 0.11.0 released on 2009-05-03
6353 * Added support for SHA-224, SHA-256, SHA-384 and SHA-512
6363 * Made definition of net_htons() endian-clean for big endian
6367 * Fixed an off-by-one buffer allocation in ssl_set_hostname()
6372 * Fixed compatibility of XTEA and Camellia on a 64-bit system
6375 = Version 0.10.0 released on 2009-01-12
6387 = Version 0.9 released on 2008-03-16
6393 be sent twice in non-blocking mode when send returns EAGAIN
6396 * Added user-defined callback debug function (Krystian Kolodziej)
6399 not swapped on PadLock; also fixed compilation on older versions
6402 output data is non-aligned by falling back to the software
6403 implementation, as VIA Nehemiah cannot handle non-aligned buffers
6405 Robson-Garth; some x509write.c fixes by Pascal Vizeli, thanks to
6409 * Added support on the client side for the TLS "hostname" extension
6414 * Updated rsa_check_privkey() to verify that (D*E) = 1 % (P-1)*(Q-1)
6419 * Fixed a critical denial-of-service with X.509 cert. verification:
6422 * Added test vectors for: AES-CBC, AES-CFB, DES-CBC and 3DES-CBC,
6423 HMAC-MD5, HMAC-SHA1, HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512
6424 * Fixed HMAC-SHA-384 and HMAC-SHA-512 (thanks to Josh Sinykin)
6426 Daniel Bleichenbacher attack on PKCS#1 v1.5 padding, as well
6427 as the Klima-Pokorny-Rosa extension of Bleichenbacher's attack
6428 * Updated rsa_gen_key() so that ctx->N is always nbits in size
6429 * Fixed assembly PPC compilation errors on Mac OS X, thanks to
6432 = Version 0.8 released on 2007-10-20
6440 * Added user-defined callbacks for handling I/O and sessions
6444 * Added AES-CFB mode of operation, contributed by chmike
6448 * Updated ssl_read() to skip 0-length records from OpenSSL
6450 * Fixed a bug in mpi_read_binary() on 64-bit platforms
6457 = Version 0.7 released on 2007-07-07
6459 * Added support for the MicroBlaze soft-core processor
6461 connections from being established with non-blocking I/O
6465 * Added the SHA-224, SHA-384 and SHA-512 hash functions
6473 = Version 0.6 released on 2007-04-01
6476 time, to reduce the memory footprint on embedded systems
6479 * Added multiply assembly code for 64-bit PowerPCs,
6483 * Fixed "long long" compilation issues on IA-64 and PPC64
6484 * Fixed a bug introduced in xyssl-0.5/timing.c: hardclock
6485 was not being correctly defined on ARM and MIPS
6487 = Version 0.5 released on 2007-03-01
6490 * Added (beta) support for non-blocking I/O operations
6492 * Fixed some portability issues on WinCE, MINIX 3, Plan9
6493 (thanks to Benjamin Newman), HP-UX, FreeBSD and Solaris
6498 = Version 0.4 released on 2007-02-01
6500 * Added support for Ephemeral Diffie-Hellman key exchange
6511 = Version 0.3 released on 2007-01-01
6513 * Added server-side SSLv3 and TLSv1.0 support
6517 the bignum code is no longer dependent on long long
6522 = Version 0.2 released on 2006-12-01
6525 * Updated the MPI code to support 8086 on MSVC 1.5
6533 the Miller-Rabin primality test
6537 who maintains the Debian package :-)
6539 = Version 0.1 released on 2006-11-01