Lines Matching refs:is

13    * Fix a buffer overread in mbedtls_lms_import_public_key() when the input is
20 * On x86/amd64 platforms, with some compilers, when the library is
21 compiled with support for both AESNI and software AES and AESNI is
40 Code that does not call mbedtls_string_to_names() directly is not affected.
69 library or the application is built with a compiler where
77 ("xxx_setup"), the operation object is supposed to be all-bits-zero.
78 This was sometimes not the case when an operation object is reused,
81 guarantee is met in all cases. Fixes #9975.
89 and compiler optimization is enabled. Found and reported by Linh Le and
119 if certificate-based authentication of the server is attempted.
120 This is because authenticating a server without knowing what name
121 to expect is usually insecure. To restore the old behavior, either
129 The size of each buffer is given by the option
134 configuration is not officially supported. This requires that a
138 is linked against Mbed TLS and that `psa_crypto_init()` is called before
160 * When MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE is disabled, work with
162 problematic middlebox is in the way. Fixes #9551.
169 mbedtls_psa_der_to_raw() is called with bits=0.
171 * Fix missing constraints on the AES-NI inline assembly which is used on
178 limitations, notably a fragmented ClientHello is only supported when
179 TLS 1.3 support is enabled. See the documentation of
189 * Fix issue where psa_key_derivation_input_integer() is not detecting
200 called on an opaque key, MBEDTLS_USE_PSA_CRYPTO is enabled,
201 and the output buffer is smaller than the actual output.
203 when called on an opaque RSA key, MBEDTLS_USE_PSA_CRYPTO is enabled
204 and MBEDTLS_MPI_MAX_SIZE is smaller than needed for a 4096-bit RSA key.
219 corresponding PSA mechanism is enabled, since the server provides the
221 * A TLS handshake may now call psa_crypto_init() if TLS 1.3 is enabled.
222 This can happen even if TLS 1.3 is offered but eventually not selected
224 * By default, the handling of TLS 1.3 tickets by the Mbed TLS client is now
235 data is passed in a separate parameter instead of a flexible array
251 (Ephemeral ECDH, i.e. TLS_ECDHE_*, is staying.)
253 (Ephemeral ECDH, i.e. TLS_ECDHE_*, is staying.)
277 * When the new compilation option MBEDTLS_PSA_KEY_STORE_DYNAMIC is enabled,
278 the number of volatile PSA keys is virtually unlimited, at the expense
279 of increased code size. This option is off by default, but enabled in
288 mbedtls_ecdsa_raw_to_der() when the bits parameter is larger than the
306 * Fix TLS 1.3 client build and runtime when support for session tickets is
308 * Fix compilation error when memcpy() is a function-like macros. Fixes #8994.
310 as soon as MBEDTLS_RSA_C is enabled. Fixes #9041.
324 * Fix a compilation warning in pk.c when PSA is enabled and RSA is disabled.
325 * Fix the build when MBEDTLS_PSA_CRYPTO_CONFIG is enabled and the built-in
326 CMAC is enabled, but no built-in unauthenticated cipher is enabled.
333 when MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS is enabled and
334 MBEDTLS_PSA_KEY_SLOT_COUNT is more than 4096.
337 * Fix Clang compilation error when MBEDTLS_USE_PSA_CRYPTO is enabled
338 but MBEDTLS_DHM_C is disabled. Reported by Michael Schuster in #9188.
339 * Fix server mode only build when MBEDTLS_SSL_SRV_C is enabled but
340 MBEDTLS_SSL_CLI_C is disabled. Reported by M-Bab on GitHub in #9186.
381 * Warn if mbedtls/check_config.h is included manually, as this can
382 lead to spurious errors. Error if a *adjust*.h header is included
414 * mbedtls_ecp_write_key() is deprecated in favor of
419 an RSA key as a domain parameter is no longer supported. Use
421 * Temporary function mbedtls_pk_wrap_as_opaque() is removed. To mimic the
431 * AES-NI is now supported in Windows builds with clang and clang-cl.
438 (the cipher and PSA interfaces). This option is incompatible with modes
446 implementation is able to take advantage of a driver that only
447 accelerates the key type (that is, the block cipher primitive). See
449 * The CTR_DRBG module will now use AES from a PSA driver if MBEDTLS_AES_C is
465 hardware accelerated AES is not present (around 13-23% on 64-bit Arm).
493 operations when hardware accelerated AES is not present. Improves
497 * The new function mbedtls_ecp_write_key_ext() is similar to
506 * mbedtls_psa_get_random() is always available as soon as
507 MBEDTLS_PSA_CRYPTO_CLIENT is enabled at build time and psa_crypto_init() is
520 docs/tls13-early-data.md). The support enablement is controlled at build
536 to PSA functions is now secure by default.
538 of intermediate outputs during operations. This is currently implemented
548 when an SSL context is reset with the mbedtls_ssl_session_reset() API.
554 TLS 1.2 implementation of the protocol if it is disabled.
565 * Fix the build with CMake when Everest or P256-m is enabled through
567 * Fix compilation error in C++ programs when MBEDTLS_ASN1_PARSE_C is
570 in the san parameter is not separated by a colon.
572 in the san parameter is not separated by a colon.
583 is disabled at runtime. Fixes #8593.
594 * Fix mbedtls_pk_get_bitlen() for RSA keys whose size is not a
618 functions. Note that overlap is still only partially supported when
619 MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS is set (#3266).
629 acceleration is required.
632 * mbedtls_pk_sign_ext() is now always available, not just when
633 PSA (MBEDTLS_PSA_CRYPTO_C) is enabled.
649 * The TLS 1.3 protocol is now enabled in the default configuration.
656 attacker or a remote attacker who is close to the victim on the network
669 * Mbed TLS is now released under a dual Apache-2.0 OR GPL-2.0-or-later
685 Starting with this release, it is necessary to declare which curves are
695 * Minimum required Windows version is now Windows Vista, or
700 MBEDTLS_PSA_ACCEL_KEY_TYPE_xxx_KEY_PAIR, where xxx is either ECC or RSA,
703 IMPORT, EXPORT, GENERATE, DERIVE. The goal is to have a finer detail about
705 * MBEDTLS_CIPHER_BLKSIZE_MAX is deprecated in favor of
718 drivers when MBEDTLS_PSA_CRYPTO_C is enabled and psa_crypto_init() has
727 * When a PSA driver for ECDH is present, it is now possible to disable
734 a driver, it is possible to disable MBEDTLS_ECP_C (and MBEDTLS_BIGNUM_C
755 * It is now possible to generate certificates with SubjectAltNames.
772 On Aarch64, uplift is typically around 20 - 110%.
777 MBEDTLS_PSA_ACCEL_KEY_TYPE_xxx_KEY_PAIR_yyy (where xxx is either ECC, RSA
781 - DERIVE is only available for ECC keys, not for RSA or DH ones.
786 This is automatically enabled as soon as PSA_WANT_ALG_FFDH
801 extended: it is now possible to use mbedtls_pk_write_key_der(),
864 PSA_SIGNATURE_MAX_SIZE buffers when at least one accelerated EC is bigger
865 than all built-in ones and RSA is disabled.
870 a message that one of the required defines is missing.
875 * Fix an error when MBEDTLS_ECDSA_SIGN_ALT is defined but not
878 MBEDTLS_USE_PSA_CRYPTO is enabled.
886 way to detect the crypto extensions required. A warning is still issued.
916 is called with zero length and padlock is not enabled.
922 MBEDTLS_PSA_CRYPTO_CONFIG is disabled.
941 * Fix the build with CMake when Everest or P256-m is enabled through
951 operations when MBEDTLS_PSA_CRYPTO_C is defined.
960 mbedtls_cipher_set_padding_mode() is now enforced. Previously, omitting
977 ssl_ciphersuites.c). The preferred cipher suite is now
981 * mbedtls_x509write_crt_set_serial() is now being deprecated in favor of
982 mbedtls_x509write_crt_set_serial_raw(). The goal here is to remove any
984 * PSA to mbedtls error translation is now unified in psa_util.h,
992 Syntax, as defined in RFC 2315. Currently, support is limited to the
994 - Only the signed-data content type, version 1 is supported.
995 - Only DER encoding is supported.
996 - Only a single digest algorithm per message is supported.
999 - There is no support for certificate revocation lists.
1020 * Use HOSTCC (if it is set) when compiling C code during generation of the
1022 CC is set for cross compilation.
1032 * When a PSA driver for ECDSA is present, it is now possible to disable
1037 operations is not present yet.
1045 be used to enable this feature. Run-time detection is supported
1047 * When a PSA driver for EC J-PAKE is present, it is now possible to disable
1054 * AES-NI is now supported with Visual Studio.
1055 * AES-NI is now supported in 32-bit builds, or when MBEDTLS_HAVE_ASM
1056 is disabled, when compiling with GCC or Clang or a compatible compiler
1060 * It is now possible to use a PSA-held (opaque) password with the TLS 1.2
1069 MBEDTLS_DEBUG_C is enabled. This may result in an application crash.
1072 attacks. This is configured by MBEDTLS_AESCE_C, which is on by default.
1074 * MBEDTLS_AESNI_C, which is enabled by default, was silently ignored on
1077 timing side-channel attacks. There is now an intrinsics-based AES-NI
1094 defined, but MBEDTLS_PK_RSA_ALT_SUPPORT is not defined. Fixes #3174.
1101 whose binary representation is longer than 20 bytes. This was already
1133 len argument is 0 and buffer is NULL.
1136 This is a partial fix that allows only "client" and "server" identifiers.
1137 * Fix a compilation error when PSA Crypto is built with support for
1141 * Fix TLS 1.3 session resumption when the established pre-shared key is
1142 384 bits long. That is the length of pre-shared keys created under a
1143 session where the cipher suite is TLS_AES_256_GCM_SHA384.
1164 - "serial" is used for the decimal format and it's limited in size to
1166 - "serial_hex" is used for the hex format; max length here is
1168 * The C code follows a new coding style. This is transparent for users but
1179 MBEDTLS_SHA512_USE_A64_CRYPTO_*, it is no longer necessary to specify
1188 It is now no longer experimental, and implements the final version from
1189 RFC 9146, which is not interoperable with the draft-05 version.
1201 from a release, the Python module jsonschema is now necessary, in
1202 addition to jinja2. The official list of required Python modules is
1223 hashes from PSA when (and only when) MBEDTLS_MD_C is disabled.
1225 when) MBEDTLS_MD5_C is disabled.
1230 all hashes only provided by drivers (no built-in hash) is to use
1232 * When MBEDTLS_USE_PSA_CRYPTO is enabled, X.509, TLS 1.2 and TLS 1.3 now
1237 though: that module only use hashes from PSA when MBEDTLS_MD_C is off).
1241 Signature verification is production-ready, but generation is for testing
1244 1024 messages. As such, it is not intended for use in TLS, but instead
1247 * Add the LM-OTS post-quantum-safe one-time signature scheme, which is
1249 be used to sign one message so is impractical for most circumstances.
1253 The ticket mechanism is supported when the configuration option
1254 MBEDTLS_SSL_SESSION_TICKETS is enabled.
1278 entry point. This entry point is specified in the proposed PSA driver
1287 MBEDTLS_SSL_DTLS_CONNECTION_ID is enabled and
1306 * Fix support for little-endian Microblaze when MBEDTLS_HAVE_ASM is defined.
1313 broken link is encountered, skip the broken link and continue parsing
1323 MBEDTLS_DEPRECATED_REMOVED is enabled.
1325 MBEDTLS_AES_ALT is enabled, it could call mbedtls_aes_free() on an
1350 in TLS 1.3 (where it is forbidden).
1356 the error code returned by mbedtls_mpi_write_file() is overwritten
1369 when both operands are 0 and the left operand is represented with 0 limbs.
1427 a piece of user data which is reserved for the application. The user
1449 PSA Crypto is enabled.
1466 * When MBEDTLS_PSA_CRYPTO_CONFIG is enabled, you may list the PSA crypto
1477 * Add support for server HelloRetryRequest message. The TLS 1.3 client is
1496 Opaque keys can now be used everywhere a private key is expected in the
1502 * cmake now detects if it is being built as a sub-project, and in that case
1507 by side in order to illustrate how the operation is performed in PSA.
1521 MBEDTLS_USE_PSA_CRYPTO is enabled, an opaque key (created with
1522 mbedtls_pk_setup_opaque()) is provisioned, and a static ECDH ciphersuite
1523 is selected. This may result in an application crash or potentially an
1529 when MBEDTLS_SSL_IN_CONTENT_LEN is less than a threshold that depends on
1538 buffer is rather small but increases as its size
1551 * Fix a memory leak if mbedtls_ssl_config_defaults() is called twice.
1555 in reduced configurations when MBEDTLS_USE_PSA_CRYPTO is enabled.
1562 * The TLS 1.3 implementation is now compatible with the
1569 * Fix compile errors when MBEDTLS_HAVE_TIME is not defined. Add tests
1587 * Fix undefined behavior in mbedtls_asn1_find_named_data(), where val is
1588 not NULL and val_len is zero.
1608 when MBEDTLS_SSL_PROTO_TLS1_3 is specified, and make this and other
1640 * The file library/psa_crypto_driver_wrappers.c is now generated
1645 AEAD functions is not an AEAD algorithm. This aligns them with the
1647 * In mbedtls_pk_parse_key(), if no password is provided, don't allocate a
1655 LIB_INSTALL_DIR is set.
1659 targets work when MbedTLS is built as a subdirectory. This allows the
1668 MBEDTLS_ERR_GCM_BUFFER_TOO_SMALL in case the buffer length is too small.
1678 not supported. Two's complement is the only supported representation.
1695 * Warn if errors from certain functions are ignored. This is currently
1699 value is almost always a bug. Enable the new configuration option
1701 is currently implemented in the AES, DES and md modules, and will be
1707 For decryption a minimum of 16-byte long input is expected.
1730 if the output buffer is in memory that is shared with an untrusted
1734 oracle vulnerability if the output buffer is in memory that is shared with
1757 * Fix mbedtls_cipher_crypt: AES-ECB when MBEDTLS_USE_PSA_CRYPTO is enabled.
1768 AEAD functions when ChachaPoly is disabled. Fixes #5065.
1776 input buffer size is valid only for the built-in implementation of GCM.
1779 MBEDTLS_ERROR_STRERROR_DUMMY is enabled.
1784 * The existing predicate macro name PSA_ALG_IS_HASH_AND_SIGN is now reserved
1796 * Fix the build when no SHA2 module is included. Fixes #4930.
1797 * Fix the build when only the bignum module is included. Fixes #4929.
1799 pkcs12 functions when the password is empty. Fix the documentation to
1823 * Improve the performance of base64 constant-flow code. The result is still
1830 ChaCha20-Poly1305 is invalid, and not just unsupported.
1835 most of the interface of this module is private and may change at any
1838 generated by the CMake build system on Unix-like systems. This is not
1898 how the input to multipart operations is broken down. mbedtls_gcm_finish()
1931 mbedtls_cipher_finish() is now mandatory. Previously the documentation
1934 possible to skip calling it, which is no longer supported.
1952 * Instead of accessing the len field of a DHM context, which is no longer
1960 parameter, this parameter is now mandatory (that is, NULL is not an
1989 * Direct access to fields of structures declared in public headers is no
2079 MBEDTLS_REMOVE_3DES_CIPHERSUITES option which is no longer relevant.
2084 backward compatibility which is no longer supported. Addresses #4404.
2089 option. The mbedtls_x509_crt_parse_der_with_ext_cb() is the way to go for
2094 * MBEDTLS_ECP_MAX_BITS is no longer a configuration option because it is
2138 directly, which is no longer supported.
2147 An adversary who is capable of very precise timing measurements could
2166 lead to the seed file corruption in case if the path to the seed file is
2171 to create is not valid, bringing them in line with version 1.0.0 of the
2178 * Fix a bug in ECDSA that would cause it to fail when the hash is all-bits
2186 * Fix a compilation error when MBEDTLS_ECP_RANDOMIZE_MXZ_ALT is
2193 defined to specific values. If the code is used in a context
2203 * Do not offer SHA384 cipher suites when SHA-384 is disabled. Fixes #4499.
2204 * Fix test suite code on platforms where int32_t is not int, such as
2212 is not defined PSA will no longer attempt to use mbedtls_rsa_gen_key().
2215 (when the encrypt-then-MAC extension is not in use) with some ALT
2232 implementations. This reliance is now removed. Fixes #3990.
2242 * Fix mbedtls_mpi_gcd(G,A,B) when the value of B is zero. This had no
2249 * When MBEDTLS_PSA_CRYPTO_SPM is enabled, crypto_spe.h was not included
2250 in all the right places. Include it from crypto_platform.h, which is
2252 * Fix which alert is sent in some cases to conform to the
2270 python2, which is no longer supported upstream.
2271 * fix build failure on MinGW toolchain when __USE_MING_ANSI_STDIO is on.
2272 When that flag is on, standard GNU C printf format specifiers
2281 when their input has length 0. Note that this is an implementation detail
2289 build_info.h is intended to be included from C code directly, while
2290 mbedtls_config.h is intended to be edited by end users wishing to
2299 The only value supported by Mbed TLS 3.0.0 is 0x03000000.
2303 PSA_KEY_USAGE_SIGN_HASH flag is set and PSA_KEY_USAGE_VERIFY_MESSAGE flag
2304 when PSA_KEY_USAGE_VERIFY_HASH flag is set. This usage flag extension
2305 is also applied when loading a key from storage.
2320 as always 0. It is now reserved for internal purposes and may take
2333 CTR_DRBG is used by default if it is available, but you can override
2367 |A| - |B| where |B| is larger than |A| and has more limbs (so the
2370 all calls inside the library were safe since this function is
2373 mbedtls_pk_write_key_pem(). If MBEDTLS_MPI_MAX_SIZE is set to an odd
2378 mbedtls_net_recv_timeout() when given a file descriptor that is
2390 is enabled, on platforms where initializing a mutex allocates resources.
2394 twice is safe. This happens for RSA when some Mbed TLS library functions
2396 enabled on platforms where freeing a mutex twice is not safe.
2398 when MBEDTLS_THREADING_C is enabled on platforms where initializing
2414 implementation is not included into the library.
2424 The underlying stream cipher is determined by the key type
2428 as they have no way to check if the output buffer is large enough.
2455 This is currently non-standard behaviour, but expected to make it into a
2457 * Add MBEDTLS_TARGET_PREFIX CMake variable, which is prefixed to the mbedtls,
2460 clashes. The default value of this variable is "", so default target names
2464 * In the PSA API, it is no longer necessary to open persistent keys:
2465 operations now accept the key identifier. The type psa_key_handle_t is now
2468 version 1.0.0. Opening persistent keys is still supported for backward
2486 which is how most uses of randomization in asymmetric cryptography
2511 * Fix build failure in configurations where MBEDTLS_USE_PSA_CRYPTO is
2512 enabled but ECDSA is disabled. Contributed by jdurkop. Fixes #3294.
2515 * Fix rsa_prepare_blinding() to retry when the blinding value is not
2517 addresses a regression but is rare in practice (approx. 1 in 2/sqrt(N)).
2521 * Fix the build when the macro _GNU_SOURCE is defined to a non-empty value.
2536 chars. Fixes a build failure on platforms where char is unsigned. Fixes
2543 * Make arc4random_buf available on NetBSD and OpenBSD when _POSIX_C_SOURCE is
2574 * The PSA persistent storage format is updated to always store the key bits
2575 attribute. No automatic upgrade path is provided. Previously stored keys
2603 a byte buffer. It is the inverse of the existing mbedtls_ecp_read_key().
2613 subjectAltName extension is present, the expected name was compared to any
2632 to extract and check the MAC. This is an improvement to the existing
2656 redefinition if the function is inlined.
2666 curve is secp192k1. Fixes #2017.
2673 * Fix bug in redirection of unit test outputs on platforms where stdout is
2682 * Undefine the ASSERT macro before defining it locally, in case it is defined
2685 the copyright of contributors other than Arm is now acknowledged, and the
2704 instead of the keys' lifetime. If the library is upgraded on an existing
2754 pathLenConstraint basic constraint value is equal to INT_MAX.
2755 The actual effect with almost every compiler is the intended
2756 behavior, so this is unlikely to be exploitable anywhere. #3192
2759 * Avoid NULL pointer dereferencing if mbedtls_ssl_free() is called with a
2786 * Fix warnings about signedness issues in format strings. The build is now
2805 buffer is not large enough to hold the ClientHello.
2828 fragment length is desired.
2836 (which it is by default).
2859 * Mbed Crypto is no longer a Git submodule. The crypto part of the library
2860 is back directly in the present repository.
2864 buffer is allocated by the server (if MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH
2865 is defined), regardless of what MFL was configured for it.
2880 probability (of the order of 2^-n where n is the bitsize of the curve)
2881 unless the RNG is broken, and could result in information disclosure or
2898 existing code is that elliptic curve key types no longer encode the
2901 PSA_ECC_CURVE_SECP_R1 with 256 bits is P256R1). ARMmbed/mbed-crypto#330
2921 entropy function to obtain entropy for a nonce if the entropy size is less
2930 entropy module formerly only grabbed 32 bytes, which is good enough for
2931 security if the source is genuinely strong, but less than the expected 64
2941 * Fix side channel vulnerability in ECDSA. Our bignum implementation is not
2943 blinded value, factor it (as it is smaller than RSA keys and not guaranteed
2959 initial seeding. The default nonce length is chosen based on the key size
2967 key derivation function, use a buffer instead (this is now always
2997 no known instances where this changes the behavior of the library: this is
3016 mbedtls_ssl_export_keys_ext_t, so that the key exporter is discouraged
3046 an incoming record is valid, authentic and has not been seen before. This
3048 The feature is enabled at compile-time by MBEDTLS_SSL_RECORD_CHECKING
3052 with MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED. This implementation is formally
3053 verified and significantly faster, but is only supported on x86 platforms
3067 list all curves for which at least one of ECDH or ECDSA is supported, not
3069 mbedtls_ecdh_can_do() on each result to check whether each algorithm is
3071 * The new function mbedtls_ecdsa_sign_det_ext() is similar to
3079 is now deprecated.
3153 * It is now possible to use NIST key wrap mode via the mbedtls_cipher API.
3157 * It is now possible to perform RSA PKCS v1.5 signatures with RIPEMD-160 digest.
3166 RFC 5280 section 4.2.1.4. Currently, only the "Any Policy" policy is
3176 changed its IP or port. The feature is enabled at compile-time by setting
3216 This certificate is used in the demo server programs, which lead the
3219 updated to one that is SHA-256 signed. Fix contributed by
3222 provided SSL context is unset.
3264 when MBEDTLS_ECP_ALT is defined. Reported by jwhui. Fixes #2242.
3265 * Run the AD too long test only if MBEDTLS_CCM_ALT is not defined.
3322 function to see for which parameter values it is defined. This feature is
3344 changed so that the same level of validation is present in all modules, and
3345 that it is now optional with the MBEDTLS_CHECK_PARAMS flag which by default
3346 is off. That means that checks which were previously present by default
3399 (University of Adelaide, Data61). The attack is described in more detail
3446 some configurable amount of operations. This is intended to be used in
3447 constrained, single-threaded systems where ECC is time consuming and can
3448 block other operations until they complete. This is disabled by default,
3469 a feature that is not supported by underlying alternative
3470 implementations implementing cryptographic primitives. This is useful for
3475 MBEDTLS_ERR_XXX_FEATURE_UNAVAILABLE that indicate a feature is not
3493 MBEDTLS_THREADING_C is defined. Found by TrinityTonic, #1095
3499 * Ignore IV in mbedtls_cipher_set_iv() when the cipher mode is
3524 calls, rather than Win32 API calls directly. This is necessary to avoid
3547 MBEDTLS_PLATFORM_GMTIME_R_ALT. At this stage Mbed TLS is only able to
3551 * Fix build failures on platforms where only gmtime() is available but
3560 beyond the input buffer is made. Found and analyzed by Nathan Crandall.
3564 is controlled by the maximum fragment length as set locally or negotiated
3588 * Add ecc extensions only if an ecc based ciphersuite is used.
3666 is no functional difference. Contributed by Angus Gratton, and also
3684 * Fix compilation error when MBEDTLS_ARC4_C is disabled and
3685 MBEDTLS_CIPHER_NULL_CIPHER is enabled. Found by TrinityTonic in #1719.
3696 CBC based ciphersuite is used together with Encrypt-then-MAC. Previously,
3702 when the request_size argument is set to 0 as stated in the documentation.
3705 deep copy of the session, and the peer certificate is not lost. Fixes #926.
3759 mbedtls_platform_zeroize(), which is a critical function from a security
3763 Therefore, mbedtls_platform_zeroize() is moved to the platform module to
3788 where an optional signature algorithms list is expected when the signature
3789 algorithms section is too short. In builds with debug output, the overread
3790 data is output with the debug data.
3811 a check for whether more data is pending to be processed in the
3813 This function is necessary to determine when it is safe to idle on the
3814 underlying transport in case event-driven IO is used.
3856 * Support cmake builds where Mbed TLS is a subproject. Fix contributed
3862 configurations where the feature is disabled. Found and fixed by Gergely
3869 MBEDTLS_ASN1_PARSE_C is not enabled. This allows the use of PBKDF2
3894 of the corresponding module is activated by defining the corresponding
3948 is not enabled. Set MBEDTLS_SSL_MIN_MAJOR_VERSION
3951 * Fix compilation error on Mingw32 when _TRUNCATE is defined. Use _TRUNCATE
3985 extension. When the truncated HMAC extension is enabled and CBC is used,
3994 * Fix buffer overflow in RSA-PSS verification when the unmasked data is all
3999 default enabled) maximum fragment length extension is disabled in the
4001 is larger than the internal message buffer (16384 bytes by default), the
4076 * Direct manipulation of structure fields of RSA contexts is deprecated.
4080 mbedtls_<MODULE>_finish and mbedtls_<MODULE>_process where <MODULE> is
4128 MBEDTLS_SSL_RENEGOTIATION is disabled. Found by erja-gp.
4150 Note, this padding mode is not used by the TLS protocol. Found and fixed by
4155 mbedtls_sha512_init() is called before operating on the relevant context
4156 structure. Do not assume that zeroizing a context is a correct way to
4170 * Only run AES-192 self-test if AES-192 is available. Fixes #963.
4187 * Fix authentication bypass in SSL/TLS: when authmode is set to optional,
4215 * With authmode set to optional, the TLS handshake is now aborted if the
4220 * Add a check if iv_len is zero in GCM, and return an error if it is zero.
4249 64-bit division. This is useful on embedded platforms where 64-bit division
4296 * Fix incorrect sign computation in modular exponentiation when the base is
4328 behaviour has not changed, namely every configured CAs name is included.
4386 renegotiation routines at unexpected times when the protocol is DTLS. Found
4411 number to write in hexadecimal is negative and requires an odd number of
4432 mbedtls_x509write_csr_der() when the signature is copied to the buffer
4433 without checking whether there is enough space in the destination. The
4440 is functioning correctly.
4442 scripts, which is also now called by all.sh.
4458 when GCM is used. Found by udf2457. #441
4470 builds where the configuration MBEDTLS_PEM_WRITE_C is not defined. Found
4499 net.c. For consistency, the corresponding header file, net.h, is marked as
4513 mbedtls_rsa_rsaes_oaep_decrypt. It is not triggerable remotely in
4574 datagram if a single record in a datagram is unexpected, instead only
4581 * Fix potential double free if mbedtls_ssl_conf_psk() is called more than
4585 mbedtls_x509_crt_parse_path() is passed a path longer than 2GB. Cannot be
4605 * Fix build error with configurations where ECDHE-PSK is the only key
4623 * Improved performance of mbedtls_ecp_muladd() when one of the scalars is 1
4632 * Fix potential double-free if mbedtls_ssl_set_hs_psk() is called more than
4637 mbedtls_pk_parse_key(file)() when the password is > 129 bytes.
4649 buffer is 512MB or larger on 32-bit platforms. Found by Guido Vranken,
4651 * Fix potential double-free if mbedtls_conf_psk() is called repeatedly on
4690 connection, if cookie verification is available
4694 MBEDTLS_ERR_SSL_CLIENT_RECONNECT - it is then possible to start a new
4737 * It is now possible to #include a user-provided configuration file at the
4740 * When verifying a certificate chain, if an intermediate certificate is
4741 trusted, no later cert is checked. (suggested by hannes-landeholm)
4829 * test_ca_list (from certs.h) is renamed to test_cas_pem and is only
4830 available if POLARSSL_PEM_PARSE_C is defined (it never worked without).
4837 * calloc() is now used instead of malloc() everywhere. API of platform
4846 Their 'port' argument type is changed to a string.
4864 been removed (compiler is required to support 32-bit operations).
4871 * md_init_ctx() is deprecated in favour of md_setup(), that adds a third
4872 argument (allowing memory savings if HMAC is not used)
4886 * The default minimum TLS version is now TLS 1.0.
4887 * RC4 is now blacklisted by default in the SSL/TLS layer, and excluded from the
4889 * Support for receiving SSLv2 ClientHello is now disabled by default at
4891 * The default authmode for SSL/TLS clients is now REQUIRED.
4892 * Support for RSA_ALT contexts in the PK layer is now optional. Since it is
4893 enabled in the default configuration, this is only noticeable if using a
4896 * A minimum RSA key size of 2048 bits is now enforced during certificate
4898 * Negotiation of truncated HMAC is now disabled by default on server too.
4907 * The minimum MSVC version required is now 2010 (better C99 support).
4909 * Compiler is required to support C99 types such as long long and uint32_t.
4922 * With UDP sockets, it is no longer necessary to call net_bind() again
4927 thread-safe if MBEDTLS_THREADING_C is enabled.
4968 * Fix bug in entropy.c when THREADING_C is also enabled that caused
4972 * Fix bug in ssl_mail_client when password is longer than username (found
4976 * mpi_size() and mpi_msb() would segfault when called on an mpi that is
4982 ssl_write() is called before the handshake is finished (introduced in
5008 * Enabling POLARSSL_NET_C without POLARSSL_HAVE_IPV6 is deprecated.
5010 * Adjusting/overriding CFLAGS and LDFLAGS with the make build system is now
5011 more flexible (warning: OFLAGS is not used any more) (see the README)
5018 "minimize" others (eg use stddef.h if only size_t is needed).
5025 * NULL pointer dereference in the buffer-based allocator when the buffer is
5026 full and polarssl_free() is called (found by Mark Hasemeyer)
5027 (only possible if POLARSSL_MEMORY_BUFFER_ALLOC_C is enabled, which it is
5030 crafted X.509 certificate (TLS server is not affected if it doesn't ask for a
5033 (TLS server is not affected if it doesn't ask for a client certificate)
5036 (TLS server is not affected if it doesn't ask for a client certificate)
5062 * Stack buffer overflow if ctr_drbg_update() is called with too large
5070 * Fix potential failure in ECDSA signatures when POLARSSL_ECP_MAX_BITS is a
5087 * Blind RSA private operations even when POLARSSL_RSA_NO_CRT is defined.
5091 * A specific error is now returned when there are ciphersuites in common
5092 but none of them is usable due to external factors such as no certificate
5094 * It is now possible to disable negotiation of truncated HMAC server-side
5105 (server is not affected if it doesn't ask for a client certificate)
5133 * Ciphersuites using SHA-256 or SHA-384 now require TLS 1.x (there is no
5135 * Ciphersuites using RSA-PSK key exchange now require TLS 1.x (the spec is
5138 RSA is disabled, larger if POLARSSL_MPI_MAX_SIZE is larger.
5166 ciphersuites to use and save some memory if the list is small.
5169 * Add LINK_WITH_PTHREAD option in CMake for explicit linking that is
5181 * Enforce alignment in the buffer allocator even if buffer is not aligned
5199 * Restore ability to locally trust a self-signed cert that is not a proper
5263 * pk_verify() now returns a specific error code when the signature is valid
5274 it is not affected (ie, its notAfter date is properly checked).
5288 * Fix compile errors when POLARSSL_ERROR_STRERROR_BC is undefined (found by
5327 "triple handshake" attack when authentication mode is 'optional' (the
5328 attack was already impossible when authentication is required).
5403 * Fixed bug in mpi_set_bit() on platforms where t_uint is wider than int
5453 * config.h is more script-friendly
5497 * Introduced separate SSL Ciphersuites module that is based on
5499 * Internals for SSL module adapted to have separate IV pointer that is
5534 client to crash the server remotely if client authentication is enabled
5553 crafted X.509 certificate (TLS server is not affected if it doesn't ask
5556 (TLS server is not affected if it doesn't ask for a client certificate)
5559 (TLS server is not affected if it doesn't ask for a client certificate)
5562 (TLS server is not affected if it doesn't ask for a client certificate).
5567 * Stack buffer overflow if ctr_drbg_update() is called with too large
5584 * Blind RSA private operations even when POLARSSL_RSA_NO_CRT is defined.
5592 (server is not affected if it doesn't ask for a client certificate).
5632 "triple handshake" attack when authentication mode is optional (the
5633 attack was already impossible when authentication is required).
5736 * x509parse_crtpath() is now reentrant and uses more portable stat()
5750 * Default Blowfish keysize is now 128-bits
5773 POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO is set
5817 * During verify trust-CA is only checked for expiration and CRL presence
5825 * Depth that the certificate verify callback receives is now numbered
5826 bottom-up (Peer cert depth is 0)
5874 to not match CN if subjectAltName extension is present (Closes ticket #56)
5875 * Cipher layer cipher_mode_t POLARSSL_MODE_CFB128 is renamed to
6024 So now there is a module that is controlled with POLARSSL_ASN1_PARSE_C.
6052 * If certificate serial is longer than 32 octets, serial number is now
6093 is now done with a PLUS instead of an OR as error codes
6099 ssl_read() returns 0 if a POLARSSL_ERR_SSL_CONN_EOF is received
6187 with the generic cipher layer and is better naming
6230 * X509 signature algorithm determination is now
6268 this in mind when checking for errors.
6359 output data is non-aligned by falling back to the software
6369 string is passed as the CN (bug reported by spoofy)
6385 * Updated rsa_gen_key() so that ctx->N is always nbits in size
6474 the bignum code is no longer dependent on long long