Lines Matching refs:is

12    * The new function mbedtls_cipher_finish_padded() is similar to
25 attacker running code on the same core (SSBleed), or when Trustzone-M is
38 is not time_t. Fixes #10236.
56 * Fix a buffer overread in mbedtls_lms_import_public_key() when the input is
63 * On x86/amd64 platforms, with some compilers, when the library is
64 compiled with support for both AESNI and software AES and AESNI is
83 Code that does not call mbedtls_string_to_names() directly is not affected.
112 library or the application is built with a compiler where
120 ("xxx_setup"), the operation object is supposed to be all-bits-zero.
121 This was sometimes not the case when an operation object is reused,
124 guarantee is met in all cases. Fixes #9975.
132 and compiler optimization is enabled. Found and reported by Linh Le and
162 if certificate-based authentication of the server is attempted.
163 This is because authenticating a server without knowing what name
164 to expect is usually insecure. To restore the old behavior, either
172 The size of each buffer is given by the option
177 configuration is not officially supported. This requires that a
181 is linked against Mbed TLS and that `psa_crypto_init()` is called before
203 * When MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE is disabled, work with
205 problematic middlebox is in the way. Fixes #9551.
212 mbedtls_psa_der_to_raw() is called with bits=0.
214 * Fix missing constraints on the AES-NI inline assembly which is used on
221 limitations, notably a fragmented ClientHello is only supported when
222 TLS 1.3 support is enabled. See the documentation of
232 * Fix issue where psa_key_derivation_input_integer() is not detecting
243 called on an opaque key, MBEDTLS_USE_PSA_CRYPTO is enabled,
244 and the output buffer is smaller than the actual output.
246 when called on an opaque RSA key, MBEDTLS_USE_PSA_CRYPTO is enabled
247 and MBEDTLS_MPI_MAX_SIZE is smaller than needed for a 4096-bit RSA key.
262 corresponding PSA mechanism is enabled, since the server provides the
264 * A TLS handshake may now call psa_crypto_init() if TLS 1.3 is enabled.
265 This can happen even if TLS 1.3 is offered but eventually not selected
267 * By default, the handling of TLS 1.3 tickets by the Mbed TLS client is now
278 data is passed in a separate parameter instead of a flexible array
294 (Ephemeral ECDH, i.e. TLS_ECDHE_*, is staying.)
296 (Ephemeral ECDH, i.e. TLS_ECDHE_*, is staying.)
320 * When the new compilation option MBEDTLS_PSA_KEY_STORE_DYNAMIC is enabled,
321 the number of volatile PSA keys is virtually unlimited, at the expense
322 of increased code size. This option is off by default, but enabled in
331 mbedtls_ecdsa_raw_to_der() when the bits parameter is larger than the
349 * Fix TLS 1.3 client build and runtime when support for session tickets is
351 * Fix compilation error when memcpy() is a function-like macro. Fixes #8994.
353 as soon as MBEDTLS_RSA_C is enabled. Fixes #9041.
367 * Fix a compilation warning in pk.c when PSA is enabled and RSA is disabled.
368 * Fix the build when MBEDTLS_PSA_CRYPTO_CONFIG is enabled and the built-in
369 CMAC is enabled, but no built-in unauthenticated cipher is enabled.
376 when MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS is enabled and
377 MBEDTLS_PSA_KEY_SLOT_COUNT is more than 4096.
380 * Fix Clang compilation error when MBEDTLS_USE_PSA_CRYPTO is enabled
381 but MBEDTLS_DHM_C is disabled. Reported by Michael Schuster in #9188.
382 * Fix server mode only build when MBEDTLS_SSL_SRV_C is enabled but
383 MBEDTLS_SSL_CLI_C is disabled. Reported by M-Bab on GitHub in #9186.
424 * Warn if mbedtls/check_config.h is included manually, as this can
425 lead to spurious errors. Error if a *adjust*.h header is included
457 * mbedtls_ecp_write_key() is deprecated in favor of
462 an RSA key as a domain parameter is no longer supported. Use
464 * Temporary function mbedtls_pk_wrap_as_opaque() is removed. To mimic the
474 * AES-NI is now supported in Windows builds with clang and clang-cl.
481 (the cipher and PSA interfaces). This option is incompatible with modes
489 implementation is able to take advantage of a driver that only
490 accelerates the key type (that is, the block cipher primitive). See
492 * The CTR_DRBG module will now use AES from a PSA driver if MBEDTLS_AES_C is
508 hardware accelerated AES is not present (around 13-23% on 64-bit Arm).
536 operations when hardware accelerated AES is not present. Improves
540 * The new function mbedtls_ecp_write_key_ext() is similar to
549 * mbedtls_psa_get_random() is always available as soon as
550 MBEDTLS_PSA_CRYPTO_CLIENT is enabled at build time and psa_crypto_init() is
563 docs/tls13-early-data.md). The support enablement is controlled at build
579 to PSA functions is now secure by default.
581 of intermediate outputs during operations. This is currently implemented
591 when an SSL context is reset with the mbedtls_ssl_session_reset() API.
597 TLS 1.2 implementation of the protocol if it is disabled.
608 * Fix the build with CMake when Everest or P256-m is enabled through
610 * Fix compilation error in C++ programs when MBEDTLS_ASN1_PARSE_C is
613 in the san parameter is not separated by a colon.
615 in the san parameter is not separated by a colon.
626 is disabled at runtime. Fixes #8593.
637 * Fix mbedtls_pk_get_bitlen() for RSA keys whose size is not a
661 functions. Note that overlap is still only partially supported when
662 MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS is set (#3266).
672 acceleration is required.
675 * mbedtls_pk_sign_ext() is now always available, not just when
676 PSA (MBEDTLS_PSA_CRYPTO_C) is enabled.
692 * The TLS 1.3 protocol is now enabled in the default configuration.
699 attacker or a remote attacker who is close to the victim on the network
712 * Mbed TLS is now released under a dual Apache-2.0 OR GPL-2.0-or-later
728 Starting with this release, it is necessary to declare which curves are
738 * Minimum required Windows version is now Windows Vista, or
743 MBEDTLS_PSA_ACCEL_KEY_TYPE_xxx_KEY_PAIR, where xxx is either ECC or RSA,
746 IMPORT, EXPORT, GENERATE, DERIVE. The goal is to have a finer detail about
748 * MBEDTLS_CIPHER_BLKSIZE_MAX is deprecated in favor of
761 drivers when MBEDTLS_PSA_CRYPTO_C is enabled and psa_crypto_init() has
770 * When a PSA driver for ECDH is present, it is now possible to disable
777 a driver, it is possible to disable MBEDTLS_ECP_C (and MBEDTLS_BIGNUM_C
798 * It is now possible to generate certificates with SubjectAltNames.
815 On Aarch64, uplift is typically around 20 - 110%.
820 MBEDTLS_PSA_ACCEL_KEY_TYPE_xxx_KEY_PAIR_yyy (where xxx is either ECC, RSA
824 - DERIVE is only available for ECC keys, not for RSA or DH ones.
829 This is automatically enabled as soon as PSA_WANT_ALG_FFDH
844 extended: it is now possible to use mbedtls_pk_write_key_der(),
907 PSA_SIGNATURE_MAX_SIZE buffers when at least one accelerated EC is bigger
908 than all built-in ones and RSA is disabled.
913 a message that one of the required defines is missing.
918 * Fix an error when MBEDTLS_ECDSA_SIGN_ALT is defined but not
921 MBEDTLS_USE_PSA_CRYPTO is enabled.
929 way to detect the crypto extensions required. A warning is still issued.
959 is called with zero length and padlock is not enabled.
965 MBEDTLS_PSA_CRYPTO_CONFIG is disabled.
984 * Fix the build with CMake when Everest or P256-m is enabled through
994 operations when MBEDTLS_PSA_CRYPTO_C is defined.
1003 mbedtls_cipher_set_padding_mode() is now enforced. Previously, omitting
1020 ssl_ciphersuites.c). The preferred cipher suite is now
1024 * mbedtls_x509write_crt_set_serial() is now being deprecated in favor of
1025 mbedtls_x509write_crt_set_serial_raw(). The goal here is to remove any
1027 * PSA to mbedtls error translation is now unified in psa_util.h,
1035 Syntax, as defined in RFC 2315. Currently, support is limited to the
1037 - Only the signed-data content type, version 1 is supported.
1038 - Only DER encoding is supported.
1039 - Only a single digest algorithm per message is supported.
1042 - There is no support for certificate revocation lists.
1063 * Use HOSTCC (if it is set) when compiling C code during generation of the
1065 CC is set for cross compilation.
1075 * When a PSA driver for ECDSA is present, it is now possible to disable
1080 operations is not present yet.
1088 be used to enable this feature. Run-time detection is supported
1090 * When a PSA driver for EC J-PAKE is present, it is now possible to disable
1097 * AES-NI is now supported with Visual Studio.
1098 * AES-NI is now supported in 32-bit builds, or when MBEDTLS_HAVE_ASM
1099 is disabled, when compiling with GCC or Clang or a compatible compiler
1103 * It is now possible to use a PSA-held (opaque) password with the TLS 1.2
1112 MBEDTLS_DEBUG_C is enabled. This may result in an application crash.
1115 attacks. This is configured by MBEDTLS_AESCE_C, which is on by default.
1117 * MBEDTLS_AESNI_C, which is enabled by default, was silently ignored on
1120 timing side-channel attacks. There is now an intrinsics-based AES-NI
1137 defined, but MBEDTLS_PK_RSA_ALT_SUPPORT is not defined. Fixes #3174.
1144 whose binary representation is longer than 20 bytes. This was already
1176 len argument is 0 and buffer is NULL.
1179 This is a partial fix that allows only "client" and "server" identifiers.
1180 * Fix a compilation error when PSA Crypto is built with support for
1184 * Fix TLS 1.3 session resumption when the established pre-shared key is
1185 384 bits long. That is the length of pre-shared keys created under a
1186 session where the cipher suite is TLS_AES_256_GCM_SHA384.
1207 - "serial" is used for the decimal format and it's limited in size to
1209 - "serial_hex" is used for the hex format; max length here is
1211 * The C code follows a new coding style. This is transparent for users but
1222 MBEDTLS_SHA512_USE_A64_CRYPTO_*, it is no longer necessary to specify
1231 It is now no longer experimental, and implements the final version from
1232 RFC 9146, which is not interoperable with the draft-05 version.
1244 from a release, the Python module jsonschema is now necessary, in
1245 addition to jinja2. The official list of required Python modules is
1266 hashes from PSA when (and only when) MBEDTLS_MD_C is disabled.
1268 when) MBEDTLS_MD5_C is disabled.
1273 all hashes only provided by drivers (no built-in hash) is to use
1275 * When MBEDTLS_USE_PSA_CRYPTO is enabled, X.509, TLS 1.2 and TLS 1.3 now
1280 though: that module only uses hashes from PSA when MBEDTLS_MD_C is off).
1284 Signature verification is production-ready, but generation is for testing
1287 1024 messages. As such, it is not intended for use in TLS, but instead
1290 * Add the LM-OTS post-quantum-safe one-time signature scheme, which is
1292 be used to sign one message so is impractical for most circumstances.
1296 The ticket mechanism is supported when the configuration option
1297 MBEDTLS_SSL_SESSION_TICKETS is enabled.
1321 entry point. This entry point is specified in the proposed PSA driver
1330 MBEDTLS_SSL_DTLS_CONNECTION_ID is enabled and
1349 * Fix support for little-endian Microblaze when MBEDTLS_HAVE_ASM is defined.
1356 broken link is encountered, skip the broken link and continue parsing
1366 MBEDTLS_DEPRECATED_REMOVED is enabled.
1368 MBEDTLS_AES_ALT is enabled, it could call mbedtls_aes_free() on an
1393 in TLS 1.3 (where it is forbidden).
1399 the error code returned by mbedtls_mpi_write_file() is overwritten
1412 when both operands are 0 and the left operand is represented with 0 limbs.
1470 a piece of user data which is reserved for the application. The user
1492 PSA Crypto is enabled.
1509 * When MBEDTLS_PSA_CRYPTO_CONFIG is enabled, you may list the PSA crypto
1520 * Add support for server HelloRetryRequest message. The TLS 1.3 client is
1539 Opaque keys can now be used everywhere a private key is expected in the
1545 * cmake now detects if it is being built as a sub-project, and in that case
1550 by side in order to illustrate how the operation is performed in PSA.
1564 MBEDTLS_USE_PSA_CRYPTO is enabled, an opaque key (created with
1565 mbedtls_pk_setup_opaque()) is provisioned, and a static ECDH ciphersuite
1566 is selected. This may result in an application crash or potentially an
1572 when MBEDTLS_SSL_IN_CONTENT_LEN is less than a threshold that depends on
1581 buffer is rather small but increases as its size
1594 * Fix a memory leak if mbedtls_ssl_config_defaults() is called twice.
1598 in reduced configurations when MBEDTLS_USE_PSA_CRYPTO is enabled.
1605 * The TLS 1.3 implementation is now compatible with the
1612 * Fix compile errors when MBEDTLS_HAVE_TIME is not defined. Add tests
1630 * Fix undefined behavior in mbedtls_asn1_find_named_data(), where val is
1631 not NULL and val_len is zero.
1651 when MBEDTLS_SSL_PROTO_TLS1_3 is specified, and make this and other
1683 * The file library/psa_crypto_driver_wrappers.c is now generated
1688 AEAD functions is not an AEAD algorithm. This aligns them with the
1690 * In mbedtls_pk_parse_key(), if no password is provided, don't allocate a
1698 LIB_INSTALL_DIR is set.
1702 targets work when MbedTLS is built as a subdirectory. This allows the
1711 MBEDTLS_ERR_GCM_BUFFER_TOO_SMALL in case the buffer length is too small.
1721 not supported. Two's complement is the only supported representation.
1738 * Warn if errors from certain functions are ignored. This is currently
1742 value is almost always a bug. Enable the new configuration option
1744 is currently implemented in the AES, DES and md modules, and will be
1750 For decryption a minimum of 16-byte long input is expected.
1773 if the output buffer is in memory that is shared with an untrusted
1777 oracle vulnerability if the output buffer is in memory that is shared with
1800 * Fix mbedtls_cipher_crypt: AES-ECB when MBEDTLS_USE_PSA_CRYPTO is enabled.
1811 AEAD functions when ChachaPoly is disabled. Fixes #5065.
1819 input buffer size is valid only for the built-in implementation of GCM.
1822 MBEDTLS_ERROR_STRERROR_DUMMY is enabled.
1827 * The existing predicate macro name PSA_ALG_IS_HASH_AND_SIGN is now reserved
1839 * Fix the build when no SHA2 module is included. Fixes #4930.
1840 * Fix the build when only the bignum module is included. Fixes #4929.
1842 pkcs12 functions when the password is empty. Fix the documentation to
1866 * Improve the performance of base64 constant-flow code. The result is still
1873 ChaCha20-Poly1305 is invalid, and not just unsupported.
1878 most of the interface of this module is private and may change at any
1881 generated by the CMake build system on Unix-like systems. This is not
1941 how the input to multipart operations is broken down. mbedtls_gcm_finish()
1974 mbedtls_cipher_finish() is now mandatory. Previously the documentation
1977 possible to skip calling it, which is no longer supported.
1995 * Instead of accessing the len field of a DHM context, which is no longer
2003 parameter, this parameter is now mandatory (that is, NULL is not an
2032 * Direct access to fields of structures declared in public headers is no
2122 MBEDTLS_REMOVE_3DES_CIPHERSUITES option which is no longer relevant.
2127 backward compatibility which is no longer supported. Addresses #4404.
2132 option. The mbedtls_x509_crt_parse_der_with_ext_cb() is the way to go for
2137 * MBEDTLS_ECP_MAX_BITS is no longer a configuration option because it is
2181 directly, which is no longer supported.
2190 An adversary who is capable of very precise timing measurements could
2209 lead to the seed file corruption in case the path to the seed file is
2214 to create is not valid, bringing them in line with version 1.0.0 of the
2221 * Fix a bug in ECDSA that would cause it to fail when the hash is all-bits
2229 * Fix a compilation error when MBEDTLS_ECP_RANDOMIZE_MXZ_ALT is
2236 defined to specific values. If the code is used in a context
2246 * Do not offer SHA384 cipher suites when SHA-384 is disabled. Fixes #4499.
2247 * Fix test suite code on platforms where int32_t is not int, such as
2255 is not defined PSA will no longer attempt to use mbedtls_rsa_gen_key().
2258 (when the encrypt-then-MAC extension is not in use) with some ALT
2275 implementations. This reliance is now removed. Fixes #3990.
2285 * Fix mbedtls_mpi_gcd(G,A,B) when the value of B is zero. This had no
2292 * When MBEDTLS_PSA_CRYPTO_SPM is enabled, crypto_spe.h was not included
2293 in all the right places. Include it from crypto_platform.h, which is
2295 * Fix which alert is sent in some cases to conform to the
2313 python2, which is no longer supported upstream.
2314 * Fix build failure on MinGW toolchain when __USE_MING_ANSI_STDIO is on.
2315 When that flag is on, standard GNU C printf format specifiers
2324 when their input has length 0. Note that this is an implementation detail
2332 build_info.h is intended to be included from C code directly, while
2333 mbedtls_config.h is intended to be edited by end users wishing to
2342 The only value supported by Mbed TLS 3.0.0 is 0x03000000.
2346 PSA_KEY_USAGE_SIGN_HASH flag is set and PSA_KEY_USAGE_VERIFY_MESSAGE flag
2347 when PSA_KEY_USAGE_VERIFY_HASH flag is set. This usage flag extension
2348 is also applied when loading a key from storage.
2363 as always 0. It is now reserved for internal purposes and may take
2376 CTR_DRBG is used by default if it is available, but you can override
2410 |A| - |B| where |B| is larger than |A| and has more limbs (so the
2413 all calls inside the library were safe since this function is
2416 mbedtls_pk_write_key_pem(). If MBEDTLS_MPI_MAX_SIZE is set to an odd
2421 mbedtls_net_recv_timeout() when given a file descriptor that is
2433 is enabled, on platforms where initializing a mutex allocates resources.
2437 twice is safe. This happens for RSA when some Mbed TLS library functions
2439 enabled on platforms where freeing a mutex twice is not safe.
2441 when MBEDTLS_THREADING_C is enabled on platforms where initializing
2457 implementation is not included into the library.
2467 The underlying stream cipher is determined by the key type
2471 as they have no way to check if the output buffer is large enough.
2498 This is currently non-standard behaviour, but expected to make it into a
2500 * Add MBEDTLS_TARGET_PREFIX CMake variable, which is prefixed to the mbedtls,
2503 clashes. The default value of this variable is "", so default target names
2507 * In the PSA API, it is no longer necessary to open persistent keys:
2508 operations now accept the key identifier. The type psa_key_handle_t is now
2511 version 1.0.0. Opening persistent keys is still supported for backward
2529 which is how most uses of randomization in asymmetric cryptography
2554 * Fix build failure in configurations where MBEDTLS_USE_PSA_CRYPTO is
2555 enabled but ECDSA is disabled. Contributed by jdurkop. Fixes #3294.
2558 * Fix rsa_prepare_blinding() to retry when the blinding value is not
2560 addresses a regression but is rare in practice (approx. 1 in 2/sqrt(N)).
2564 * Fix the build when the macro _GNU_SOURCE is defined to a non-empty value.
2579 chars. Fixes a build failure on platforms where char is unsigned. Fixes
2586 * Make arc4random_buf available on NetBSD and OpenBSD when _POSIX_C_SOURCE is
2617 * The PSA persistent storage format is updated to always store the key bits
2618 attribute. No automatic upgrade path is provided. Previously stored keys
2646 a byte buffer. It is the inverse of the existing mbedtls_ecp_read_key().
2656 subjectAltName extension is present, the expected name was compared to any
2675 to extract and check the MAC. This is an improvement to the existing
2699 redefinition if the function is inlined.
2709 curve is secp192k1. Fixes #2017.
2716 * Fix bug in redirection of unit test outputs on platforms where stdout is
2725 * Undefine the ASSERT macro before defining it locally, in case it is defined
2728 the copyright of contributors other than Arm is now acknowledged, and the
2747 instead of the keys' lifetime. If the library is upgraded on an existing
2797 pathLenConstraint basic constraint value is equal to INT_MAX.
2798 The actual effect with almost every compiler is the intended
2799 behavior, so this is unlikely to be exploitable anywhere. #3192
2802 * Avoid NULL pointer dereferencing if mbedtls_ssl_free() is called with a
2829 * Fix warnings about signedness issues in format strings. The build is now
2848 buffer is not large enough to hold the ClientHello.
2871 fragment length is desired.
2879 (which it is by default).
2902 * Mbed Crypto is no longer a Git submodule. The crypto part of the library
2903 is back directly in the present repository.
2907 buffer is allocated by the server (if MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH
2908 is defined), regardless of what MFL was configured for it.
2923 probability (of the order of 2^-n where n is the bitsize of the curve)
2924 unless the RNG is broken, and could result in information disclosure or
2941 existing code is that elliptic curve key types no longer encode the
2944 PSA_ECC_CURVE_SECP_R1 with 256 bits is P256R1). ARMmbed/mbed-crypto#330
2964 entropy function to obtain entropy for a nonce if the entropy size is less
2973 entropy module formerly only grabbed 32 bytes, which is good enough for
2974 security if the source is genuinely strong, but less than the expected 64
2984 * Fix side channel vulnerability in ECDSA. Our bignum implementation is not
2986 blinded value, factor it (as it is smaller than RSA keys and not guaranteed
3002 initial seeding. The default nonce length is chosen based on the key size
3010 key derivation function, use a buffer instead (this is now always
3040 no known instances where this changes the behavior of the library: this is
3059 mbedtls_ssl_export_keys_ext_t, so that the key exporter is discouraged
3089 an incoming record is valid, authentic and has not been seen before. This
3091 The feature is enabled at compile-time by MBEDTLS_SSL_RECORD_CHECKING
3095 with MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED. This implementation is formally
3096 verified and significantly faster, but is only supported on x86 platforms
3110 list all curves for which at least one of ECDH or ECDSA is supported, not
3112 mbedtls_ecdh_can_do() on each result to check whether each algorithm is
3114 * The new function mbedtls_ecdsa_sign_det_ext() is similar to
3122 is now deprecated.
3196 * It is now possible to use NIST key wrap mode via the mbedtls_cipher API.
3200 * It is now possible to perform RSA PKCS v1.5 signatures with RIPEMD-160 digest.
3209 RFC 5280 section 4.2.1.4. Currently, only the "Any Policy" policy is
3219 changed its IP or port. The feature is enabled at compile-time by setting
3259 This certificate is used in the demo server programs, which lead the
3262 updated to one that is SHA-256 signed. Fix contributed by
3265 provided SSL context is unset.
3307 when MBEDTLS_ECP_ALT is defined. Reported by jwhui. Fixes #2242.
3308 * Run the AD too long test only if MBEDTLS_CCM_ALT is not defined.
3365 function to see for which parameter values it is defined. This feature is
3387 changed so that the same level of validation is present in all modules, and
3388 that it is now optional with the MBEDTLS_CHECK_PARAMS flag which by default
3389 is off. That means that checks which were previously present by default
3442 (University of Adelaide, Data61). The attack is described in more detail
3489 some configurable amount of operations. This is intended to be used in
3490 constrained, single-threaded systems where ECC is time consuming and can
3491 block other operations until they complete. This is disabled by default,
3512 a feature that is not supported by underlying alternative
3513 implementations implementing cryptographic primitives. This is useful for
3518 MBEDTLS_ERR_XXX_FEATURE_UNAVAILABLE that indicate a feature is not
3536 MBEDTLS_THREADING_C is defined. Found by TrinityTonic, #1095
3542 * Ignore IV in mbedtls_cipher_set_iv() when the cipher mode is
3567 calls, rather than Win32 API calls directly. This is necessary to avoid
3590 MBEDTLS_PLATFORM_GMTIME_R_ALT. At this stage Mbed TLS is only able to
3594 * Fix build failures on platforms where only gmtime() is available but
3603 beyond the input buffer is made. Found and analyzed by Nathan Crandall.
3607 is controlled by the maximum fragment length as set locally or negotiated
3631 * Add ecc extensions only if an ecc based ciphersuite is used.
3709 is no functional difference. Contributed by Angus Gratton, and also
3727 * Fix compilation error when MBEDTLS_ARC4_C is disabled and
3728 MBEDTLS_CIPHER_NULL_CIPHER is enabled. Found by TrinityTonic in #1719.
3739 CBC based ciphersuite is used together with Encrypt-then-MAC. Previously,
3745 when the request_size argument is set to 0 as stated in the documentation.
3748 deep copy of the session, and the peer certificate is not lost. Fixes #926.
3802 mbedtls_platform_zeroize(), which is a critical function from a security
3806 Therefore, mbedtls_platform_zeroize() is moved to the platform module to
3831 where an optional signature algorithms list is expected when the signature
3832 algorithms section is too short. In builds with debug output, the overread
3833 data is output with the debug data.
3854 a check for whether more data is pending to be processed in the
3856 This function is necessary to determine when it is safe to idle on the
3857 underlying transport in case event-driven IO is used.
3899 * Support cmake builds where Mbed TLS is a subproject. Fix contributed
3905 configurations where the feature is disabled. Found and fixed by Gergely
3912 MBEDTLS_ASN1_PARSE_C is not enabled. This allows the use of PBKDF2
3937 of the corresponding module is activated by defining the corresponding
3991 is not enabled. Set MBEDTLS_SSL_MIN_MAJOR_VERSION
3994 * Fix compilation error on Mingw32 when _TRUNCATE is defined. Use _TRUNCATE
4028 extension. When the truncated HMAC extension is enabled and CBC is used,
4037 * Fix buffer overflow in RSA-PSS verification when the unmasked data is all
4042 default enabled) maximum fragment length extension is disabled in the
4044 is larger than the internal message buffer (16384 bytes by default), the
4119 * Direct manipulation of structure fields of RSA contexts is deprecated.
4123 mbedtls_<MODULE>_finish and mbedtls_<MODULE>_process where <MODULE> is
4171 MBEDTLS_SSL_RENEGOTIATION is disabled. Found by erja-gp.
4193 Note, this padding mode is not used by the TLS protocol. Found and fixed by
4198 mbedtls_sha512_init() is called before operating on the relevant context
4199 structure. Do not assume that zeroizing a context is a correct way to
4213 * Only run AES-192 self-test if AES-192 is available. Fixes #963.
4230 * Fix authentication bypass in SSL/TLS: when authmode is set to optional,
4258 * With authmode set to optional, the TLS handshake is now aborted if the
4263 * Add a check if iv_len is zero in GCM, and return an error if it is zero.
4292 64-bit division. This is useful on embedded platforms where 64-bit division
4339 * Fix incorrect sign computation in modular exponentiation when the base is
4371 behaviour has not changed, namely every configured CA's name is included.
4429 renegotiation routines at unexpected times when the protocol is DTLS. Found
4454 number to write in hexadecimal is negative and requires an odd number of
4475 mbedtls_x509write_csr_der() when the signature is copied to the buffer
4476 without checking whether there is enough space in the destination. The
4483 is functioning correctly.
4485 scripts, which is also now called by all.sh.
4501 when GCM is used. Found by udf2457. #441
4513 builds where the configuration MBEDTLS_PEM_WRITE_C is not defined. Found
4542 net.c. For consistency, the corresponding header file, net.h, is marked as
4556 mbedtls_rsa_rsaes_oaep_decrypt. It is not triggerable remotely in
4617 datagram if a single record in a datagram is unexpected, instead only
4624 * Fix potential double free if mbedtls_ssl_conf_psk() is called more than
4628 mbedtls_x509_crt_parse_path() is passed a path longer than 2GB. Cannot be
4648 * Fix build error with configurations where ECDHE-PSK is the only key
4666 * Improved performance of mbedtls_ecp_muladd() when one of the scalars is 1
4675 * Fix potential double-free if mbedtls_ssl_set_hs_psk() is called more than
4680 mbedtls_pk_parse_key(file)() when the password is > 129 bytes.
4692 buffer is 512MB or larger on 32-bit platforms. Found by Guido Vranken,
4694 * Fix potential double-free if mbedtls_conf_psk() is called repeatedly on
4733 connection, if cookie verification is available
4737 MBEDTLS_ERR_SSL_CLIENT_RECONNECT - it is then possible to start a new
4780 * It is now possible to #include a user-provided configuration file at the
4783 * When verifying a certificate chain, if an intermediate certificate is
4784 trusted, no later cert is checked. (suggested by hannes-landeholm)
4872 * test_ca_list (from certs.h) is renamed to test_cas_pem and is only
4873 available if POLARSSL_PEM_PARSE_C is defined (it never worked without).
4880 * calloc() is now used instead of malloc() everywhere. API of platform
4889 Their 'port' argument type is changed to a string.
4907 been removed (compiler is required to support 32-bit operations).
4914 * md_init_ctx() is deprecated in favour of md_setup(), that adds a third
4915 argument (allowing memory savings if HMAC is not used)
4929 * The default minimum TLS version is now TLS 1.0.
4930 * RC4 is now blacklisted by default in the SSL/TLS layer, and excluded from the
4932 * Support for receiving SSLv2 ClientHello is now disabled by default at
4934 * The default authmode for SSL/TLS clients is now REQUIRED.
4935 * Support for RSA_ALT contexts in the PK layer is now optional. Since it is
4936 enabled in the default configuration, this is only noticeable if using a
4939 * A minimum RSA key size of 2048 bits is now enforced during certificate
4941 * Negotiation of truncated HMAC is now disabled by default on server too.
4950 * The minimum MSVC version required is now 2010 (better C99 support).
4952 * Compiler is required to support C99 types such as long long and uint32_t.
4965 * With UDP sockets, it is no longer necessary to call net_bind() again
4970 thread-safe if MBEDTLS_THREADING_C is enabled.
5011 * Fix bug in entropy.c when THREADING_C is also enabled that caused
5015 * Fix bug in ssl_mail_client when password is longer than username (found
5019 * mpi_size() and mpi_msb() would segfault when called on an mpi that is
5025 ssl_write() is called before the handshake is finished (introduced in
5051 * Enabling POLARSSL_NET_C without POLARSSL_HAVE_IPV6 is deprecated.
5053 * Adjusting/overriding CFLAGS and LDFLAGS with the make build system is now
5054 more flexible (warning: OFLAGS is not used any more) (see the README)
5061 "minimize" others (eg use stddef.h if only size_t is needed).
5068 * NULL pointer dereference in the buffer-based allocator when the buffer is
5069 full and polarssl_free() is called (found by Mark Hasemeyer)
5070 (only possible if POLARSSL_MEMORY_BUFFER_ALLOC_C is enabled, which it is
5073 crafted X.509 certificate (TLS server is not affected if it doesn't ask for a
5076 (TLS server is not affected if it doesn't ask for a client certificate)
5079 (TLS server is not affected if it doesn't ask for a client certificate)
5105 * Stack buffer overflow if ctr_drbg_update() is called with too large
5113 * Fix potential failure in ECDSA signatures when POLARSSL_ECP_MAX_BITS is a
5130 * Blind RSA private operations even when POLARSSL_RSA_NO_CRT is defined.
5134 * A specific error is now returned when there are ciphersuites in common
5135 but none of them is usable due to external factors such as no certificate
5137 * It is now possible to disable negotiation of truncated HMAC server-side
5148 (server is not affected if it doesn't ask for a client certificate)
5176 * Ciphersuites using SHA-256 or SHA-384 now require TLS 1.x (there is no
5178 * Ciphersuites using RSA-PSK key exchange now require TLS 1.x (the spec is
5181 RSA is disabled, larger if POLARSSL_MPI_MAX_SIZE is larger.
5209 ciphersuites to use and save some memory if the list is small.
5212 * Add LINK_WITH_PTHREAD option in CMake for explicit linking that is
5224 * Enforce alignment in the buffer allocator even if buffer is not aligned
5242 * Restore ability to locally trust a self-signed cert that is not a proper
5306 * pk_verify() now returns a specific error code when the signature is valid
5317 it is not affected (ie, its notAfter date is properly checked).
5331 * Fix compile errors when POLARSSL_ERROR_STRERROR_BC is undefined (found by
5370 "triple handshake" attack when authentication mode is 'optional' (the
5371 attack was already impossible when authentication is required).
5446 * Fixed bug in mpi_set_bit() on platforms where t_uint is wider than int
5496 * config.h is more script-friendly
5540 * Introduced separate SSL Ciphersuites module that is based on
5542 * Internals for SSL module adapted to have separate IV pointer that is
5577 client to crash the server remotely if client authentication is enabled
5596 crafted X.509 certificate (TLS server is not affected if it doesn't ask
5599 (TLS server is not affected if it doesn't ask for a client certificate)
5602 (TLS server is not affected if it doesn't ask for a client certificate)
5605 (TLS server is not affected if it doesn't ask for a client certificate).
5610 * Stack buffer overflow if ctr_drbg_update() is called with too large
5627 * Blind RSA private operations even when POLARSSL_RSA_NO_CRT is defined.
5635 (server is not affected if it doesn't ask for a client certificate).
5675 "triple handshake" attack when authentication mode is optional (the
5676 attack was already impossible when authentication is required).
5779 * x509parse_crtpath() is now reentrant and uses more portable stat()
5793 * Default Blowfish keysize is now 128-bits
5816 POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO is set
5860 * During verify trust-CA is only checked for expiration and CRL presence
5868 * Depth that the certificate verify callback receives is now numbered
5869 bottom-up (Peer cert depth is 0)
5917 to not match CN if subjectAltName extension is present (Closes ticket #56)
5918 * Cipher layer cipher_mode_t POLARSSL_MODE_CFB128 is renamed to
6067 So now there is a module that is controlled with POLARSSL_ASN1_PARSE_C.
6095 * If certificate serial is longer than 32 octets, serial number is now
6136 is now done with a PLUS instead of an OR as error codes
6142 ssl_read() returns 0 if a POLARSSL_ERR_SSL_CONN_EOF is received
6230 with the generic cipher layer and is better naming
6273 * X509 signature algorithm determination is now
6311 this in mind when checking for errors.
6402 output data is non-aligned by falling back to the software
6412 string is passed as the CN (bug reported by spoofy)
6428 * Updated rsa_gen_key() so that ctx->N is always nbits in size
6517 the bignum code is no longer dependent on long long