Lines Matching refs:to
7 client and server to extract additional shared symmetric keys from an SSL
8 session, according to the TLS-Exporter specification in RFC 8446 and 5705.
9 This requires MBEDTLS_SSL_KEYING_MATERIAL_EXPORT to be defined in
18 to fail. Found and reported by Linh Le and Ngan Nguyen from Calif.
24 AES to be used for some time when the program starts. This could allow
25 the adversary to conduct timing attacks and potentially recover the
29 a similarly powerful adversary to craft GCM forgeries.
35 on the documented behaviour to still hold pointers to memory blocks after
37 with consequences ranging up to arbitrary code execution.
49 inside the same call to mbedtls_x509_string_to_names(), or in subsequent
51 only affects applications that create (as opposed to consume) X.509
57 PEM keys to a user. This could cause a crash or information disclosure.
62 ciphertexts to recover the plaintext through a timing oracle attack.
76 * On entry to PSA driver entry points that set up a multipart operation
77 ("xxx_setup"), the operation object is supposed to be all-bits-zero.
86 * Fix a sloppy check in LMS public key import, which could lead to accepting
92 that could lead to using software AES in some threads at the very
100 MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL, but truncated the output to the
103 arguments, undefined behaviour would be triggered, in the form of a call to
109 to point to NULL on entry. This makes it likely that existing risky uses of
121 to expect is usually insecure. To restore the old behavior, either
166 and 'mbedtls_net_connect' to prevent possible double close fd
181 * Fix definition of MBEDTLS_PRINTF_SIZET to prevent runtime crashes that
227 need to enable the handling of TLS 1.3 tickets through the new
237 * The following cryptographic mechanisms are planned to be removed
245 * The following cipher suites are planned to be removed from (D)TLS 1.2
255 * The following low-level application interfaces are planned to be removed
267 For guidance on migrating application code to the PSA API, please consult
269 * The following integration interfaces are planned to be removed
284 not cause the PSA subsystem to use HMAC_DRBG: it uses HMAC_DRBG only when
299 than TLS client authentication could be able to use it for TLS client
312 passing in zero length additional data to multipart AEAD.
313 * Fix rare concurrent access bug where attempting to operate on a
331 long. Credit to Cryptofuzz. Fixes #9314.
336 to persistent keys. Resolves #9253.
347 * Fixes an issue where some TLS 1.2 clients could not connect to an
348 Mbed TLS 3.6.0 server, due to incorrect handling of
355 the default configuration connecting to a TLS 1.3 server sending tickets.
360 * Fix a memory leak that could occur when failing to process an RSA
361 key through some PSA functions due to low memory conditions.
364 upgraded to TLS 1.3. Fixed by adding support for the CA callback with TLS
369 working when connections were upgraded to TLS 1.3. Fixed by adding
371 standard makes server authentication mandatory; users are advised not to
372 use authmode none, and to carefully check the results when using optional
375 verify callbacks, set with mbedtls_ssl_set_verify() as opposed to
377 upgraded to TLS 1.3. Fixed by adding support for context-specific verify
382 lead to spurious errors. Error if a *adjust*.h header is included
383 manually, as this can lead to silently inconsistent configurations,
387 configuration file (renamed to mbedtls_config.h). This change was made
399 The undocumented ability to import other formats (PKCS#8, SubjectPublicKey,
408 * Rename the MBEDTLS_SHA256_USE_A64_CRYPTO_xxx config options to
418 * In the PSA API, the experimental way to encode the public exponent of
423 mbedtls_pk_import_into_psa() can be used to import a PK key into PSA,
424 while mbedtls_pk_setup_opaque() can be used to wrap a PSA key into a opaque
428 * Added an example program showing how to hash with the PSA API.
435 * Enable the new option MBEDTLS_BLOCK_CIPHER_NO_DECRYPT to omit
444 speaking that requires both the key type and algorithm to be accelerated
446 implementation is able to take advantage of a driver that only
450 disabled. This requires PSA_WANT_ALG_ECB_NO_PADDING in addition to
452 * Fewer modules depend on MBEDTLS_CIPHER_C, making it possible to save code
462 Application data sent and received will be fragmented according to
467 to convert between Mbed TLS and PSA curve identifiers.
468 * Add utility functions to manipulate mbedtls_ecp_keypair objects, filling
473 mbedtls_md_type_from_psa_alg() to convert between mbedtls_md_type_t and
477 * Add functions mbedtls_ecdsa_raw_to_der() and mbedtls_ecdsa_der_to_raw() to
485 * Add getter (mbedtls_ssl_session_get_ticket_creation_time()) to access
488 mbedtls_pk_import_into_psa() provide a uniform way to create a PSA
492 * Add support for 8-bit GCM tables for Shoup's algorithm to speedup GCM
497 * The new function mbedtls_ecp_write_key_ext() is similar to
500 * Add new accessor to expose the private group id member of
502 * Add new accessor to expose the `MBEDTLS_PRIVATE(ca_istrue)` member of
512 mbedtls_pk_copy_public_from_psa() provide ways to set up a PK context
514 * Add new accessors to expose the private session-id,
517 Add new accessor to expose the ciphersuite-id of
523 * Add protection for multithreaded access to the PSA keystore and protection
524 for multithreaded access to the the PSA global state, including
536 to PSA functions is now secure by default.
540 This feature increases code size and memory usage. If buffers passed to
544 Note that setting this option will cause input-output buffer overlap to
547 * Restore the maximum TLS version to be negotiated to the configured one
549 An attacker was able to prevent an Mbed TLS server from establishing any
551 version downgrade from TLS 1.3 to TLS 1.2. Fixes #8654 reported by hey3e.
553 * When negotiating TLS version on server side, do not fall back to the
560 was able to successfully establish a TLS 1.2 connection with the server.
578 * Switch to milliseconds as the unit for ticket creation and reception time
580 tickets compared to peer using a millisecond clock (observed with GnuTLS).
601 mbedtls_pk_encrypt() on non-opaque RSA keys to honor the padding mode in
607 allowed SSL sessions saved in one configuration to be loaded in a
609 * In TLS 1.3 clients, fix an interoperability problem due to the client
622 * Use heap memory to allocate DER encoded public/private key.
624 key to a PEM string.
627 individually enabled in order to enable respective support; also the
631 mbedtls_ecc_group_of_psa from psa/crypto_extra.h to mbedtls/psa_util.h
635 to select only some of the parameters / groups, with the macros
636 PSA_WANT_DH_RFC7919_XXXX. You now need to defined the corresponding macro
637 for each size you want to support. Also, if you have an FFDH accelerator,
638 you'll need to define the appropriate MBEDTLS_PSA_ACCEL macros to signal
647 * Rename directory containing Visual Studio files from visualc/VS2013 to
655 could be sufficient for an attacker to recover the plaintext. A local
656 attacker or a remote attacker who is close to the victim on the network
657 might have precise enough timing measurements to exploit this. It requires
658 the attacker to send a large number of messages for decryption. For
661 * Fix a failure to validate input when writing x509 extensions lengths which
662 could result in an integer overflow, causing a zero-length buffer to be
663 allocated to hold the extension. The extension would then be copied into
682 that it failed to check if all the relevant curves were supported by the
683 accelerator. As a result, it was possible to declare no curves as
685 Starting with this release, it is necessary to declare which curves are
703 IMPORT, EXPORT, GENERATE, DERIVE. The goal is to have a finer detail about
719 been called. Previously (in 3.3), this was restricted to a few modules,
721 entropy module was not covered which meant an external RNG had to be
724 to check for availability of hash algorithms, regardless of whether
727 * When a PSA driver for ECDH is present, it is now possible to disable
728 MBEDTLS_ECDH_C in the build in order to save code size. For TLS 1.2
729 key exchanges based on ECDH(E) to work, this requires
734 a driver, it is possible to disable MBEDTLS_ECP_C (and MBEDTLS_BIGNUM_C
755 * It is now possible to generate certificates with SubjectAltNames.
763 * Add function mbedtls_oid_from_numeric_string() to parse an OID from a
764 string to a DER-encoded mbedtls_asn1_buf.
766 * Add support to restrict AES to 128-bit keys in order to save code size.
768 used to enable this feature.
778 or DH) were introduced in order to have finer accuracy in defining the
782 - implementations are free to enable more than what it was strictly
791 * Reduce syscalls to time() during certificate verification.
792 * Allow MBEDTLS_CONFIG_FILE and MBEDTLS_USER_CONFIG_FILE to be set by
794 * Add getter (mbedtls_ssl_cache_get_timeout()) to access
796 * Add getter (mbedtls_ssl_get_hostname()) to access
798 * Add getter (mbedtls_ssl_conf_get_endpoint()) to access
801 extended: it is now possible to use mbedtls_pk_write_key_der(),
807 * Add a possibility to generate CSR's with RCF822 and directoryName subtype
832 review the size of the output buffer passed to this function, and note
834 to the new functions mbedtls_pkcs5_pbes2_ext() or mbedtls_pkcs12_pbe_ext()
841 has access to precise timing measurements.
842 * Updates to constant-time C code so that compilers are less likely to use
844 timing. (Clang has been seen to do this.) Also introduce assembly
846 guaranteed not to use conditional instructions.
853 null-cipher cipher suites. Credit to OSS-Fuzz.
860 Credit to OSS-Fuzz.
867 * Add missing md.h includes to some of the external programs from
869 was sufficient for a particular program to work, it would only print
876 MBEDTLS_ECDSA_VERIFY_ALT, causing ecdsa verify to fail. Fixes #7498.
879 * Fix the J-PAKE driver interface for user and peer to accept any values
880 (previously accepted values were limited to "client" or "server").
886 way to detect the crypto extensions required. A warning is still issued.
895 mode of operation due to the input not being multiple of block size.
905 one of the key exchange modes using ephemeral keys to a server that
912 * Fix x509 certificate generation to conform to RFC 5480 / RFC 5758 when
917 * Fix compile failure due to empty enum in cipher_wrap.c, when building
921 * Don't try to include MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE when
926 copied to the struct. This meant that the struct had incomplete
938 error code on failure. Before, they returned 1 to indicate failure in
948 to avoid accidental misuse.
949 * Use heap memory to allocate DER encoded RSA private key.
952 * Update Windows code to use BCryptGenRandom and wcslen, and
958 to psa_crypto_driver_wrappers_no_static.c.
959 * When using CBC with the cipher module, the requirement to call
970 * Update test data to avoid failures of unit tests after 2023-08-07.
975 * The default priority order of TLS 1.3 cipher suites has been modified to
982 mbedtls_x509write_crt_set_serial_raw(). The goal here is to remove any
984 * PSA to mbedtls error translation is now unified in psa_util.h,
992 Syntax, as defined in RFC 2315. Currently, support is limited to the
1002 Many thanks to Daniel Axtens, Nayna Jain, and Nick Child from IBM for
1003 contributing this feature, and to Demi-Marie Obenour for contributing
1007 * Improvements to use of unaligned and byte-swapped memory, reducing code
1021 configuration-independent files. This allows them to be generated when
1025 * Add an interruptible version of sign and verify hash to the PSA interface,
1032 * When a PSA driver for ECDSA is present, it is now possible to disable
1033 MBEDTLS_ECDSA_C in the build in order to save code size. For PK, X.509
1034 and TLS to fully work, this requires MBEDTLS_USE_PSA_CRYPTO to be enabled.
1042 * Add support to include the SubjectAltName extension to a CSR.
1045 be used to enable this feature. Run-time detection is supported
1047 * When a PSA driver for EC J-PAKE is present, it is now possible to disable
1048 MBEDTLS_ECJPAKE_C in the build in order to save code size. For the
1049 corresponding TLS 1.2 key exchange to work, MBEDTLS_USE_PSA_CRYPTO needs
1050 to be enabled.
1052 to read non-public fields for padding mode and hash id from
1060 * It is now possible to use a PSA-held (opaque) password with the TLS 1.2
1071 Arm, so that these systems are no longer vulnerable to timing side-channel
1076 (most notably builds with Visual Studio), leaving them vulnerable to
1085 causing generate_errors.pl to error out resulting in a build failure.
1089 ticket timestamps (typically timestamps in milliseconds) compared to the
1090 Mbed TLS ticket timestamps (in seconds) to compute a ticket age smaller
1112 certificate parsing, but only on subsequent calls to
1115 possible to verify RSA PSS signatures with the pk module, which was
1117 * Fix bug in conversion from OID to string in
1121 them to a string.
1156 signatures. This aligns the behaviour with MBEDTLS_USE_PSA_CRYPTO to
1159 visualc/VS2010 to visualc/VS2013 as we do not support building with versions
1160 older than 2013. Update the solution file to specify VS2013 as a minimum.
1164 - "serial" is used for the decimal format and it's limted in size to
1171 https://mbed-tls.readthedocs.io/en/latest/kb/how-to/rewrite-branch-for-coding-style/
1172 * Changed the default MBEDTLS_ECP_WINDOW_SIZE from 6 to 2.
1174 RSA decryption performance has changed lately due to security fixes.
1176 window was reduced from 6 to 2, a value that gives the best or close
1177 to best results when tested on Cortex-M4 and Intel i7.
1179 MBEDTLS_SHA512_USE_A64_CRYPTO_*, it is no longer necessary to specify
1190 If you need to communicate with peers that use earlier versions of
1191 Mbed TLS, then you need to define MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT
1192 to 1, but then you won't be able to communicate with peers that use the
1194 If you need to interoperate with both classes of peers with the
1202 addition to jinja2. The official list of required Python modules is
1228 Note that some modules are not able to use hashes from PSA yet, including
1229 the entropy module. As a consequence, for now the only way to build with
1230 all hashes only provided by drivers (no built-in hash) is to use
1238 * Add support for opaque keys as the private keys associated to certificates
1243 (LMS_SHA256_M32_H10), meaning that each private key can be used to sign
1249 be used to sign one message so is impractical for most circumstances.
1280 * Add an ad-hoc key derivation function handling EC J-PAKE to PMS
1281 calculation that can be used to derive the session secret in TLS 1.2,
1289 * Fix an issue where an adversary with access to precise enough information
1299 * Refactor mbedtls_aes_context to support shallow-copying. Fixes #2147.
1302 it could be turned into a symbolic link to itself.
1305 recommend upgrading to a more recent compiler instead. Fixes #1910.
1307 Contributed by Kazuyuki Kimura to fix #2020.
1308 * Use double quotes to include private header file psa_crypto_cipher.h.
1322 * Fix a build error due to a missing prototype warning when
1333 * Fix compilation errors when trying to build with
1337 Change mbedtls_x509_get_name() to clean up allocated objects on error.
1343 public key. This bug meant that it was possible to verify a
1349 * Add a configuration check to exclude optional client authentication
1372 to OSS-Fuzz. Fixes #6597.
1381 * Add the ability to query PSA_WANT_xxx macros to query_compile_time_config.
1422 * Add accessor to obtain ciphersuite id from ssl context.
1423 * Add accessors to get members from ciphersuite info.
1425 * Add accessor to get the raw buffer pointer from a PEM context.
1429 * Add an accessor function to get the configuration associated with
1431 * Add a function to access the protocol version from an SSL context in a
1432 form that's easy to compare. Fixes #5407.
1433 * Add function mbedtls_md_info_from_ctx() to recall the message digest
1434 information that was used to set up a message digest context.
1438 * Provide mechanism to reset handshake cert list by calling
1440 * Add accessor mbedtls_ssl_get_hs_sni() to retrieve SNI from within
1445 * Add function mbedtls_timing_get_final_delay() to access the private
1450 * Add function mbedtls_ecp_export() to export ECP key pair parameters.
1452 * Add function mbedtls_ssl_is_handshake_over() to enable querying if the SSL
1453 Handshake has completed or not, and thus whether to continue calling
1455 * Add the function mbedtls_ssl_get_own_cid() to access our own connection id
1461 mbedtls_ssl_conf_min_tls_version() that use a single value to specify
1463 * Extend the existing PSA_ALG_TLS12_PSK_TO_MS() algorithm to support
1469 Furthermore you may name an additional file to include after the main
1471 * Add the function mbedtls_x509_crt_has_ext_type() to access the ext types
1479 first ClientHello was not suitable to the server.
1489 * Add accessors to configure DN hints for certificate request:
1493 now causes most of them to be done using PSA Crypto; see
1507 by side in order to illustrate how the operation is performed in PSA.
1516 * Add the platform function mbedtls_setbuf() to allow buffering to be
1517 disabled on stdio files, to stop secrets loaded from said files being
1527 or a man-in-the-middle could cause a DTLS server to read up to 255 bytes
1531 and possibly up to 571 bytes with a custom cookie check function.
1534 client or server could cause an MbedTLS server or client to overread up
1535 to 64 kBytes of data and potentially overread the input buffer by that
1543 client or server to be able to authenticate itself through a certificate
1544 to an Mbed TLS TLS 1.3 server or client while it does not own a proper
1545 certificate to do so.
1549 pattern for PSA_WANT_xxx symbols. Previously you had to specify
1558 client would fail to check that the curve selected by the server for
1561 according to its configuration. Fixes #5291.
1567 * Fix API violation in mbedtls_md_process() test by adding a call to
1570 to catch bad uses of time.h.
1576 potentially leading to corrupted alert messages being sent in case
1577 the function needs to be re-called after initially returning
1580 MBEDTLS_DEBUG_C, DTLS handshakes using CID would crash due to a null
1584 documentation stated that the `allowed_pks` field applies to signatures
1585 only, but in fact it does apply to the public key type of the end entity
1595 MBEDTLS_ECDH_LEGACY_CONTEXT caused the program not to run. Fixes #4901 and
1598 been received yet when we first try to fetch it.
1601 * Add mbedtls_x509_dn_get_next function to return the next relative DN in
1602 an X509 name, to allow walking the name list. Fixes #5431.
1605 and other special characters, conforming to RFC 1779. Fixes #769.
1607 * Fix check_config.h to check that we have MBEDTLS_SSL_KEEP_PEER_CERTIFICATE
1611 * Fix a TLS 1.3 handshake failure when the first attempt to send the client
1623 non-compliant. This could not lead to a buffer overflow. In particular,
1633 make to break on a clean checkout. Fixes #5340.
1636 * Removed the prompt to exit from all windows build programs, which was causing
1642 driver descriptions. For the time being, to customize this file,
1644 * Return PSA_ERROR_INVALID_ARGUMENT if the algorithm passed to one-shot
1652 * cmake: Use GnuInstallDirs to customize install directories
1666 Alternative GCM implementations are expected to verify
1667 the length of the provided output buffers and to return the
1700 MBEDTLS_CHECK_RETURN_WARNING to get warnings for other functions. This
1702 extended to other modules in the future.
1705 * Add support for CCM*-no-tag cipher to the PSA.
1708 These restrictions may be subject to change.
1710 * Add functions to get the IV and block size from cipher_info structs.
1711 * Add functions to check if a cipher supports variable IV or key size.
1712 * Add the internal implementation of and support for CCM to the PSA multipart
1719 to select the 1.3 version of the protocol to establish a TLS connection.
1723 * Zeroize several intermediate variables used to calculate the expected
1727 man-in-the-middle to inject fake ciphertext into a DTLS connection.
1739 and mbedtls_ssl_free() would cause an internal session buffer to
1744 * The GNU makefiles invoke python3 in preference to python except on Windows.
1771 psa_aead_finish() and psa_aead_verify() does not apply to the built-in
1773 * Move GCM's update output buffer length verification from PSA AEAD to
1775 The requirement for output buffer size to be equal or greater then
1783 PSA_ALG_RSA_PSS_ANY_SALT to accept any salt length. Fixes #4946.
1791 not to list other shared libraries they need.
1799 pkcs12 functions when the password is empty. Fix the documentation to
1800 better describe the inputs to these functions and their possible values.
1810 oversight during the run-up to the release of Mbed TLS 3.0.
1811 The fields were never intended to be public.
1821 to set a callback, but was deemed unnecessary as it was yet another define
1822 to remember when writing tests, or test configurations. Fixes #4653.
1832 containing various functions meant to resist timing side channel attacks.
1850 https://mbed-tls.readthedocs.io/en/latest/kb/how-to/add-entropy-sources-to-entropy-pool/ for
1852 * Add missing const attributes to API functions.
1853 * Remove helpers for the transition from Mbed TLS 1.3 to Mbed TLS 2.0: the
1856 Transfer keys and certificates embedded in the library to the test
1857 component. This contributes to minimizing library API and discourages
1863 which have also been renamed to ecp_internal_alt.h and rsa_alt_helpers.h
1867 were not meant to be used in application code have been moved out of
1877 * Update AEAD output size macros to bring them in line with the PSA Crypto
1897 * The interface of the GCM module has changed to remove restrictions on
1898 how the input to multipart operations is broken down. mbedtls_gcm_finish()
1902 call to mbedtls_gcm_update(), but alternative implementations activated
1903 by MBEDTLS_GCM_ALT may delay partial blocks to the next call to
1905 no longer pass the associated data to mbedtls_gcm_starts(), but to the
1915 session-ID based session resumption) has changed to that of
1929 which allows to mark an extension as critical. Fixes #4055.
1932 was unclear on this point, and this function happened to never do
1934 possible to skip calling it, which is no longer supported.
1972 Raw keys and IVs are no longer passed to the callback.
1979 length parameter to be the size of the hash input. For RSA signatures
1987 psa_cipher_decrypt, according to the PSA Crypto API 1.0.0
1989 * Direct access to fields of structures declared in public headers is no
1998 * Enable by default the functionalities which have no reason to be disabled.
2010 bear this in mind and do not add them to backported code.
2017 * Refresh the minimum supported versions of tools to build the
2024 certificates signed with SHA-1 due to the known attacks against SHA-1.
2058 CBC record splitting, fallback SCSV, and the ability to configure
2089 option. The mbedtls_x509_crt_parse_der_with_ext_cb() is the way to go for
2112 * Add mbedtls_rsa_rsassa_pss_sign_ext() function allowing to generate a
2113 signature with a specific salt length. This function allows to validate
2117 driver interface. Refer to the documentation of
2121 mbedtls_cipher_update()) no longer requires the size of partial inputs to
2124 multiple calls to mbedtls_gcm_update_ad().
2136 * Use the new function mbedtls_ecjpake_set_point_format() to select the
2152 * Fix an issue where an adversary with access to precise enough information
2157 * Fix an issue where an adversary with access to precise enough timing
2166 lead to the seed file corruption in case if the path to the seed file is
2167 equal to MBEDTLS_PLATFORM_STD_NV_SEED_FILE. Contributed by Victor
2171 to create is not valid, bringing them in line with version 1.0.0 of the
2173 * Add printf function attributes to mbedtls_debug_print_msg to ensure we
2178 * Fix a bug in ECDSA that would cause it to fail when the hash is all-bits
2191 minimum size was rounded down to the nearest multiple of 8.
2193 defined to specific values. If the code is used in a context
2196 be adequate to build Mbed TLS.
2210 * Restore the ability to configure PSA via Mbed TLS options to support RSA
2212 is not defined PSA will no longer attempt to use mbedtls_rsa_gen_key().
2217 the affected side to wrongly reject valid messages. Fixes #4118.
2227 could notably be triggered by setting the TLS debug level to 3 or above
2237 A=0 represented with 0 limbs. Up to and including Mbed TLS 2.26, this bug
2241 Credit to OSS-Fuzz. Fixes #4641.
2252 * Fix which alert is sent in some cases to conform to the
2256 * Correct (change from 12 to 13 bytes) the value of the macro describing the
2261 * Add extra printf compiler warning flags to builds.
2263 * Alternative implementations of CMAC may now opt to not support 3DES as a
2289 build_info.h is intended to be included from C code directly, while
2290 mbedtls_config.h is intended to be edited by end users wishing to
2295 Defining it to a particular value will ensure that Mbed TLS interprets
2300 * Various changes to which alert and/or error code may be returned
2310 * Renamed the PSA Crypto API output buffer size macros to bring them in line
2313 in bits rather than bytes, with an additional flag to indicate if the
2314 size may have been rounded up to a whole number of bytes.
2315 * Renamed the PSA Crypto API AEAD tag length macros to bring them in line
2336 * Automatic fallback to a software implementation of ECP when
2339 * The PSA crypto subsystem can now be configured to use less static RAM by
2352 minimum MAC or tag length thanks to the new wildcards
2362 In such cases, a random nonce was necessary to achieve the advertised
2373 mbedtls_pk_write_key_pem(). If MBEDTLS_MPI_MAX_SIZE is set to an odd
2374 value the function might fail to write a private RSA keys of the largest
2381 making access aceess to them use constant flow code.
2400 * Fixes a bug where, if the library was configured to include support for
2406 used to validate digital signatures on certificates and MUST mark the
2407 extension as critical in such certificates." Previous to this change,
2412 * A new library C file psa_crypto_client.c has been created to contain
2421 * The numerical values of the PSA Crypto API macros have been updated to
2422 conform to version 1.0.0 of the specification.
2428 as they have no way to check if the output buffer is large enough.
2430 mbedtls_cipher_auth_decrypt_ext() instead. Credit to OSS-Fuzz and
2434 * Update the minimum required CMake version to 2.8.12. This silences a
2444 these new functions always append the tag to the ciphertext, and include
2451 * Add support for ECB to the PSA cipher API.
2455 This is currently non-standard behaviour, but expected to make it into a
2457 * Add MBEDTLS_TARGET_PREFIX CMake variable, which is prefixed to the mbedtls,
2459 external CMake projects that include this one to avoid CMake target name
2464 * In the PSA API, it is no longer necessary to open persistent keys:
2466 identical to psa_key_id_t instead of being platform-defined. This bridges
2467 the last major gap to compliance with the PSA Cryptography specification
2480 of up to 15 bytes, with consequences ranging up to arbitrary code
2482 * Limit the size of calculations performed by mbedtls_mpi_exp_mod to
2483 MBEDTLS_MPI_MAX_SIZE to prevent a potential denial of service when
2484 generating Diffie-Hellman key pairs. Credit to OSS-Fuzz.
2490 obtain entropy, or due to an internal failure (which, for Mbed TLS's own
2491 CTR_DRBG or HMAC_DRBG, can only happen due to a misconfiguration).
2494 description part of the cert to the real signature. This meant that a
2495 NULL algorithm parameters entry would look identical to an array of REAL
2496 (size zero) to the library and thus the certificate would be considered
2500 Many thanks to guidovranken who found this issue via differential fuzzing
2505 functions to erase sensitive data from memory. Reported by
2515 * Fix rsa_prepare_blinding() to retry when the blinding value is not
2521 * Fix the build when the macro _GNU_SOURCE is defined to a non-empty value.
2524 sizes (instead of PSA_ERROR_BAD_STATE in some cases) to make the
2530 * Fix psa_generate_key() returning an error when asked to generate
2532 * Fix psa_key_derivation_output_key() to allow the output of a combined key
2533 agreement and subsequent key derivation operation to be used as a key
2542 MBEDTLS_MODE_ECB to 0, since ECB mode ciphers don't use IVs.
2546 * psa_set_key_id() now also sets the lifetime to persistent for keys located
2548 * Attempting to create a volatile key with a non-zero key identifier now
2551 * Attempting to create or register a key with a key identifier in the vendor
2556 (an error condition) and the second operand was aliased to the result.
2574 * The PSA persistent storage format is updated to always store the key bits
2580 but spurious and misleading since it looked like a mistaken attempt to
2581 zeroize the pointed-to buffer. Reported by Antonio de la Piedra, CEA
2588 group families to psa_ecc_family_t and psa_dh_family_t, in line with the
2591 PSA_ECC_CURVE_xxx renamed to PSA_ECC_FAMILY_xxx
2592 PSA_DH_GROUP_xxx renamed to PSA_DH_FAMILY_xxx
2593 PSA_KEY_TYPE_GET_CURVE renamed to to PSA_KEY_TYPE_ECC_GET_FAMILY
2594 PSA_KEY_TYPE_GET_GROUP renamed to PSA_KEY_TYPE_DH_GET_FAMILY
2602 * The new function mbedtls_ecp_write_key() exports private ECC keys back to
2613 subjecAltName extension is present, the expected name was compared to any
2617 require the attacker to control that IP address, though). Similar attacks
2621 its revocationDate was in the past according to the local clock if
2624 MBEDTLS_HAVE_TIME_DATE, an attacker able to control the local clock (for
2632 to extract and check the MAC. This is an improvement to the existing
2636 if they have access to fine-grained measurements. In particular, this
2646 Credit to OSS-Fuzz for detecting the problem and to Philippe Antoine
2648 * Zeroising of plaintext buffers in mbedtls_ssl_read() to erase unused
2655 * Use local labels in mbedtls_padlock_has_support() to fix an invalid symbol
2677 * Only pass -Wformat-signedness to versions of GCC that support it. Reported
2680 previously could lead to stack overflow on constrained devices.
2684 * Update copyright notices to use Linux Foundation guidance. As a result,
2687 eliminates the need for the lines declaring the files to be part of
2689 * Add the command line parameter key_pwd to the ssl_client2 and ssl_server2
2690 example applications which allows to provide a password for the key file
2693 ssl_server2 only, add the command line parameter key_pwd2 which allows to
2701 key lifetimes to encode a persistence level and the location. Although C
2703 psa_register_se_driver() must be modified to pass the driver's location
2720 a solution to #3241.
2721 * Pass the "certificate policies" extension to the callback supplied to
2724 * Added support to entropy_poll for the kern.arandom syscall supported on
2738 f_rng argument. An attacker with access to precise enough timing and
2744 macros). This would cause the original Lucky 13 attack to be possible in
2745 those configurations, allowing an active network attacker to recover
2754 pathLenConstraint basic constraint value is equal to INT_MAX.
2756 behavior, so this is unlikely to be exploitable anywhere. #3192
2758 due to shadowed variable. Contributed by Sander Visser in #3310.
2762 mbedtls_gcc_group_to_psa(). This allows the pk.c module to link separately
2774 * Set _POSIX_C_SOURCE to at least 200112L in C99 code. Reported in #3420 and
2796 * Unify the example programs termination to call mbedtls_exit() instead of
2797 using a return command. This has been done to enable customization of the
2799 * Fix mbedtls_x509_dn_gets to escape non-ASCII characters as "?".
2805 buffer is not large enough to hold the ClientHello.
2827 mbedtls_ssl_get_input_max_frag_len() to be more precise about which max
2832 (RFC 6347 section 4.2.8): an attacker able to send forged UDP packets to
2833 the server could cause it to drop established associations with
2837 * Fix side channel in ECC code that allowed an adversary with access to
2839 untrusted operating system attacking a secure enclave) to fully recover
2863 mbedtls_ssl_get_input_max_frag_len() to ensure that a sufficient input
2874 library which allows TLS authentication to use keys stored in a
2904 * Fix an unchecked call to mbedtls_md() in the x509write module.
2911 * Fix a bug in mbedtls_pk_parse_key() that would cause it to accept some
2914 * Fix a bug in mbedtls_pk_parse_key() that would cause it to
2920 * The initial seeding of a CTR_DRBG instance makes a second call to the
2921 entropy function to obtain entropy for a nonce if the entropy size is less
2922 than 3/2 times the key size. In case you want to disable the extra call to
2923 grab entropy, you can call mbedtls_ctr_drbg_set_nonce_len() to force the
2924 nonce length to 0.
2935 these variables can be used to recover the last round key. To follow best
2936 practice and to limit the impact of buffer overread vulnerabilities (like
2937 Heartbleed) we need to zeroize them before exiting the function.
2944 to have only large prime factors), and then, by brute force, recover the
2947 timings on the comparison in the key generation enabled the attacker to
2948 learn leading bits of the ephemeral key used during ECDSA signatures and to
2960 to achieve the security strength defined by NIST SP 800-90A. You can
2962 * Add ENUMERATED tag support to the ASN.1 module. Contributed by
2966 * In the PSA API, forbid zero-length keys. To pass a zero-length input to a
2969 * Rename psa_asymmetric_sign() to psa_sign_hash() and
2970 psa_asymmetric_verify() to psa_verify_hash().
2981 * Fix mbedtls_asn1_get_int to support any number of leading zeros. Credit
2982 to OSS-Fuzz for finding a bug in an intermediate version of the fix.
2983 * Fix mbedtls_asn1_get_bitstring_null to correctly parse bitstrings of at
2990 * Remove the technical possibility to define custom mbedtls_md_info
2994 * Variables containing error codes are now initialized to an error code
2995 rather than success, so that coding mistakes or memory corruption tends to
2996 cause functions to return this error code rather than a success. There are
2999 * Remove a useless call to mbedtls_ecp_group_free(). Contributed by
3009 * Declare include headers as PUBLIC to propagate to CMake project consumers
3011 * Add nss_keylog to ssl_client2 and ssl_server2, enabling easier analysis of
3031 as an ASN.1 INTEGER, which caused the size of the key to leak
3032 about 1 bit of information on average and could cause the value to be
3034 * The deterministic ECDSA calculation reused the scheme's HMAC-DRBG to
3042 mbedtls_ssl_session_load() to allow serializing a session, for example to
3045 * Add a new API function mbedtls_ssl_check_record() to allow checking that
3062 * Add DER-encoded test CRTs to library/certs.c, allowing
3063 the example programs ssl_server2 and ssl_client2 to be run
3069 mbedtls_ecdh_can_do() on each result to check whether each algorithm is
3071 * The new function mbedtls_ecdsa_sign_det_ext() is similar to
3083 lead to successful parsing of ill-formed X.509 CRTs. Fixes #2437.
3085 codes to always wrap these codes into X.509 high level error codes before
3087 * Fix to allow building test suites with any warning that detects unused
3101 in mbedtls_x509write_crt_der() to 2Kb. Reported by soccerGB in #2631.
3103 * Update test certificates that were about to expire. Reported by
3105 * Fix the build on ARMv5TE in ARM mode to not use assembly instructions
3109 This could previously lead to segmentation faults in builds using an
3116 * Fix bug in endianness conversion in bignum module. This lead to
3122 * Make it easier to define MBEDTLS_PARAM_FAILED as assert (which config.h
3126 docker-env.sh) to simplify running test suites on a Linux host. Contributed
3128 * Add `reproducible` option to `ssl_client2` and `ssl_server2` to enable
3131 * Extended .gitignore to ignore Visual Studio artifacts. Fixed by ConfusedSushi.
3153 * It is now possible to use NIST key wrap mode via the mbedtls_cipher API.
3157 * It is now possible to perform RSA PKCS v1.5 signatures with RIPEMD-160 digest.
3159 * Extend the MBEDTLS_SSL_EXPORT_KEYS to export the handshake randbytes,
3161 * Add public API for tls-prf function, according to requested enum.
3172 The Connection ID extension allows to keep DTLS connections beyond the
3174 to the DTLS record header. This identifier can be used to associated an
3182 * Extend the MBEDTLS_SSL_EXPORT_KEYS to export the handshake randbytes,
3184 * Add public API for tls-prf function, according to requested enum.
3194 used with negative inputs. Found by Guido Vranken in #2404. Credit to
3201 * Add psa_util.h to test/cpp_dummy_build to fix build_default_make_gcc_and_cxx.
3204 public macro MBEDTLS_X509_ID_FLAG. This could lead to invalid evaluation
3209 * Set the next sequence of the subject_alt_name to NULL when deleting
3211 Credit to OSS-Fuzz.
3217 client programs to fail at the peer's certificate verification
3218 due to an unacceptable hash signature. The certificate has been
3219 updated to one that is SHA-256 signed. Fix contributed by
3225 * Add test for minimal value of MBEDTLS_MPI_WINDOW_SIZE to all.sh.
3227 * Change wording in the `mbedtls_ssl_conf_max_frag_len()`'s documentation to
3237 * Add a new function mbedtls_asn1_write_named_bitstring() to write ASN.1
3239 * Add MBEDTLS_REMOVE_3DES_CIPHERSUITES to allow removing 3DES ciphersuites
3246 * Allow to opt in to the removal the API mbedtls_ssl_get_peer_cert()
3256 belongs to a different group from the first. Before, if an application
3257 passed keys that belonged to different group, the first key's data was
3258 interpreted according to the second group, which could lead to either
3268 previously lead to a stack overflow on constrained targets.
3273 * Remove the mbedtls namespacing from the header file, to fix a "file not found"
3275 * Fix signed-to-unsigned integer conversion warning
3284 extensions in CSRs and CRTs that caused these bitstrings to not be encoded
3297 * Provide an abstraction of vsnprintf to allow alternative implementations
3301 Previously, this could lead to functionally incorrect assembly being
3322 function to see for which parameter values it is defined. This feature is
3324 steps you have to take when enabling it.
3329 the return type from void to int to allow returning error codes when
3334 * Extend ECDH interface to enable alternative implementations.
3361 This could lead to a buffer overflow, but only in case ticket authentication
3363 * Add explicit integer to enumeration type casts to example program
3364 programs/pkey/gen_key which previously led to compilation failure
3374 * Update the Mbed Crypto submodule to version 0.1.0b2.
3379 * Add an experimental build option, USE_CRYPTO_SUBMODULE, to enable use of
3381 * Add an experimental configuration option, MBEDTLS_PSA_CRYPTO_C, to enable
3393 decryption that could lead to a Bleichenbacher-style padding oracle
3413 mbedtls_hmac_drbg_update_ret() are similar to mbedtls_ctr_drbg_update()
3421 * Fix overly strict DN comparison when looking for CRLs belonging to a
3422 particular CA. This previously led to ignoring CRLs when the CRL's issuer
3430 to trigger a memory access up to 64KiB beyond the incoming message buffer,
3431 potentially leading to an application crash or information disclosure.
3432 * Fix mbedtls_mpi_is_prime() to use more rounds of probabilistic testing. The
3434 adversary to construct non-primes that would be erroneously accepted as
3438 For example, the number of rounds was enough to securely generate RSA key
3439 pairs or Diffie-Hellman parameters, but was insufficient to validate
3446 some configurable amount of operations. This is intended to be used in
3450 configured by mbedtls_ecp_set_max_ops() at runtime. It applies to the new
3452 yet), and to existing functions in ECDH and SSL (currently only
3455 * Add support for Arm CPU DSP extensions to accelerate asymmetric key
3459 * Extend RSASSA-PSS signature to allow a smaller salt size. Previously, PSS
3461 an error if this was not possible. Now the salt size may be up to two bytes
3462 shorter. This allows the library to support all hash and signature sizes
3465 than 256 bits limits the security of generated material to 128 bits.
3487 application leading to a memory leak in case both
3495 which lead to accepting properly authenticated but improperly
3505 * Change the default string format used for various X.509 DN attributes to
3506 UTF8String. Previously, the use of the PrintableString format led to
3521 * Change the dtls_client and dtls_server samples to work by default over
3523 * Change the use of Windows threading to use Microsoft Visual C++ runtime
3524 calls, rather than Win32 API calls directly. This is necessary to avoid
3528 string format (mostly PrintableString), which could lead to CRTs being
3536 * Add MBEDTLS_MPI_GEN_PRIME_FLAG_LOW_ERR flag to mbedtls_mpi_gen_prime() and
3537 use it to reduce error probability in RSA key generation to levels mandated
3545 This allows users to configure such an implementation at compile time when
3547 MBEDTLS_PLATFORM_GMTIME_R_ALT. At this stage Mbed TLS is only able to
3557 * Fix an issue in the X.509 module which could lead to a buffer overread
3559 input (extensions length field equal to 0), an illegal read of one byte
3567 * Add support for auto-adjustment of MTU to a safe value during the
3578 * Add function mbedtls_ssl_set_datagram_packing() to configure
3583 failure in the function could lead to other buffers being leaked.
3589 This improves compliance to RFC 4492, and as a result, solves
3595 * Fix a bug that caused SSL/TLS clients to incorrectly abort the handshake
3597 without providing a list of CAs. This was due to an overly strict bounds
3617 * Add warnings to the documentation of the HKDF module to reduce the risk
3625 in (D)TLS 1.0 to 1.2, that allowed an active network attacker to
3634 caused by a miscalculation (for SHA-384) in a countermeasure to the
3637 * Fix a vulnerability in TLS ciphersuites based on CBC, in (D)TLS 1.0 to
3638 1.2, that allowed a local attacker, able to execute code on the local
3639 machine as well as manipulate network packets, to partially recover the
3648 on CBC, in (D)TLS 1.0 to 1.2, that allowed a local attacker, able to
3650 to partially recover the plaintext of messages under some conditions (see
3678 * Clarify documentation for mbedtls_ssl_write() to include 0 as a valid
3686 * Added length checks to some TLS parsing functions. Found and fixed by
3698 to the connection being terminated. Seen most often with OpenSSL using
3701 * Fix ssl_client2 example to send application data with 0-length content
3702 when the request_size argument is set to 0 as stated in the documentation.
3711 * Change the default behaviour of mbedtls_hkdf_extract() to return an error
3714 * Change the shebang line in Perl scripts to look up perl in the PATH.
3723 * Add additional block mode, OFB (Output Feedback), to the AES module and
3730 * In TLS servers, support offloading private key operations to an external
3731 cryptoprocessor. Private key operations can be asynchronous to allow
3735 * Fix the cert_write example to handle certificates signed with elliptic
3737 * Fix for redefinition of _WIN32_WINNT to avoid overriding a definition
3744 * Changed CMake defaults for IAR to treat all compiler warnings as errors.
3745 * Changed the Clang parameters used in the CMake build files to work for
3760 point of view. mbedtls_platform_zeroize() needs to be regularly tested
3761 against compilers to ensure that calls to it are not removed from the
3763 Therefore, mbedtls_platform_zeroize() is moved to the platform module to
3768 build to fail. Found by zv-io. Fixes #1651.
3778 * Fix an issue in the X.509 module which could lead to a buffer overread
3779 during certificate validation. Additionally, the issue could also lead to
3780 unnecessary callback checks being made or to some validation checks to be
3782 would require a non DER-compliant certificate to be correctly signed by a
3786 function which led to an arbitrary overread of the message buffer. The
3792 which could potentially lead to the client accepting a ciphersuite it didn't
3794 chosen by the server. This could lead to corruption of internal data
3798 * Add an option, MBEDTLS_AES_FEWER_TABLES, to dynamically compute smaller AES
3807 * Extend the public API with the function of mbedtls_net_poll() to allow user
3808 applications to wait for a network context to become ready before reading
3810 * Add function mbedtls_ssl_check_pending() to the public API to allow
3811 a check for whether more more data is pending to be processed in the
3813 This function is necessary to determine when it is safe to idle on the
3819 * Add missing dependencies in test suites that led to build failures
3830 unable to parse keys which had only the optional parameters field of the
3835 * Fix overriding and ignoring return values when parsing and writing to
3837 * Restrict usage of error code MBEDTLS_ERR_SSL_WANT_READ to situations
3838 where data needs to be fetched from the underlying transport in order
3839 to make progress. Previously, this error code was also occasionally
3841 further messages could potentially already be pending to be processed
3842 in the internal buffers; these cases led to deadlocks when event-driven
3845 function which leads to a potential one byte overread of the message
3847 * Fix invalid buffer sizes passed to zlib during record compression and
3849 * Fix the soversion of libmbedcrypto to match the soversion of the
3851 version 2.7.1 to reflect breaking changes in that release, but the
3878 * Add an option in the Makefile to support ar utilities where the operation
3896 not need to copy the declarations, and ensures that they will have the
3903 * The truncated HMAC extension now conforms to RFC 6066. This means
3917 * Verify results of RSA private key operations to defend
3923 * Fix CRL parsing to reject CRLs containing unsupported critical
3941 * Fix test_suite_pk to work on 64-bit ILP32 systems. #849
3942 * Fix mbedtls_x509_crt_profile_suiteb, which used to reject all certificates
3962 that could cause a key exchange to fail on valid data.
3964 could cause a key exchange to fail on valid data.
3975 * MD functions deprecated in 2.7.0 are no longer inline, to provide
3986 sending a malicious application packet could be used to selectively corrupt
3987 6 bytes on the peer's heap, which could potentially lead to crash or remote
3991 for the key size, which could potentially lead to crash or remote code
3997 64 KiB to the address of the SSL buffer and causing a wrap around.
4000 config and the application data buffer passed to mbedtls_ssl_write
4007 * Add a provision to prevent compiler optimizations breaking the time
4011 * Set PEM buffer to zero before freeing it, to avoid decoded private keys
4012 being leaked to memory after release.
4013 * Fix dhm_check_range() failing to detect trivial subgroups and potentially
4015 * Make mbedtls_mpi_read_binary() constant-time with respect to the input
4017 sake of saving memory, but potentially leading to slight timing
4025 to RFC 3526 containing parameters generated in a nothing-up-my-sleeve
4032 * New unit tests for timing. Improve the self-test to be more robust
4052 * Add mechanism to provide alternative implementation of the DHM module.
4058 up RSA contexts from partial key material and having them completed to the
4059 needs of the implementation automatically. This allows to setup private RSA
4062 * The configuration option MBEDTLS_RSA_ALT can be used to define alternative
4066 The new functions change the return type from void to int to allow
4077 Users are advised to use the extended RSA API instead.
4093 * Fix ssl_parse_record_header() to silently discard invalid DTLS records
4101 * Fix leap year calculation in x509_date_is_valid() to ensure that invalid
4113 If a call to one of the functions of the cryptographic primitive modules
4115 mbedtls_pem_read_buffer() causing it to return invalid values. Found by
4117 * Include configuration file in md.h, to fix compilation warnings.
4120 writing routines that prevented these functions to work with alternative
4125 * Fix net_would_block() to avoid modification by errno through fcntl() call.
4131 * Fix word size check in in pk.c to not depend on MBEDTLS_HAVE_INT64.
4142 RSA test suite where the failure of CTR DRBG initialization lead to
4152 * Fix the entropy.c module to not call mbedtls_sha256_starts() or
4154 * Fix the entropy.c module to ensure that mbedtls_sha256_init() or
4156 structure. Do not assume that zeroizing a context is a correct way to
4163 * Extend cert_write example program by options to set the certificate version
4173 * Update all internal usage of deprecated message digest functions to the
4187 * Fix authentication bypass in SSL/TLS: when authmode is set to optional,
4191 triggered remotely from either side. (With authmode set to 'required'
4199 and the context struct mbedtls_platform_context to perform
4201 MBEDTLS_PLATFORM_SETUP_TEARDOWN_ALT allows the functions to be overridden
4203 some embedded environments to provide a means of initialising underlying
4207 * Reverted API/ABI breaking changes introduced in mbed TLS 2.5.1, to make the
4212 * Certificate verification functions now set flags to -1 in case the full
4213 chain was not verified due to an internal error (including in the verify
4215 * With authmode set to optional, the TLS handshake is now aborted if the
4216 verification of the peer's certificate failed due to an overlong chain or
4223 to #if defined(MBEDTLS_THREADING_C) as the library cannot assume they will
4227 * Add MBEDTLS_MPI_CHK to check for error value of mbedtls_mpi_fill_random.
4229 * Fix conditional preprocessor directives in bignum.h to enable 64-bit
4233 to bypass the version verification check. Found by Peng Li/Yueh-Hsun Lin,
4237 to bypass the version verification check. Found by Peng Li/Yueh-Hsun Lin,
4241 constructed certificates to bypass the certificate verification check.
4242 * Fix a call to the libc function time() to call the platform abstraction
4248 * Added config.h option MBEDTLS_NO_UDBL_DIVISION, to prevent the use of
4252 accelerator code in the library leaves concurrency handling to the
4255 config-no-entropy.h to reduce the RAM footprint.
4267 back to the server or to a third party). Can be triggered remotely.
4271 * Fixed offset in FALLBACK_SCSV parsing that caused TLS server to fail to
4273 * Tighten parsing of RSA PKCS#1 v1.5 signatures, to avoid a
4283 when sending the alert failed. The fix makes sure not to hide the error
4286 peer after sending a fatal alert to refuse a renegotiation attempt.
4287 Previous behaviour was to keep processing data even after the alert has
4291 * Fix implementation of mbedtls_ssl_parse_certificate() to not annihilate
4292 fatal errors in authentication mode MBEDTLS_SSL_VERIFY_OPTIONAL and to
4294 * Fix bug that caused the modular inversion function to accept the invalid
4295 modulus 1 and therefore to hang. Found by blaufish. #641.
4299 * Fix a numerical underflow leading to stack overflow in mpi_read_file()
4303 * Send fatal alerts in more cases. The previous behaviour was to skip
4305 * Clarify ECDSA documentation and improve the sample code to avoid
4315 * Add exponent blinding to RSA private operations as a countermeasure
4323 This involved exposing parts of the internal interface to enable
4326 * Add a new configuration option to 'mbedtls_ssl_config' to enable
4333 void to int to allow returning error codes when using MBEDTLS_AES_ALT,
4339 * Remove macros from compat-1.3.h that correspond to deleted items from most
4345 without these checks the type cast could lead to data loss. Found by Guido
4351 * Add checks to prevent signature forgeries for very large messages while
4353 some data loss when casting a size_t to an unsigned int value in the
4362 CertificateVerify messages, to prevent SLOTH attacks against TLS 1.2.
4367 and potentially could lead to remote code execution on some platforms.
4374 MBEDTLS_X509_BADCERT_NOT_TRUSTED and MBEDTLS_X509_BADCERT_EXPIRED, to be
4377 * Fix the redefinition of macro ssl_set_bio to an undefined symbol
4389 the input string in PEM format to extract the different components. Found
4392 cause buffer bound checks to be bypassed. Found by Eyal Itkin.
4394 cause buffer bound checks to be bypassed. Found by Eyal Itkin.
4396 cause buffer bound checks to be bypassed. Found by Eyal Itkin.
4398 cause buffer bound checks to be bypassed. Found by Eyal Itkin.
4402 by missing calls to mbedtls_pem_free() in cases when a
4405 * Fixed the templates used to generate project and solution files for Visual
4406 Studio 2015 as well as the files themselves, to remove a build warning
4411 number to write in hexadecimal is negative and requires an odd number of
4419 * Update to CMAC test data, taken from - NIST Special Publication 800-38B -
4427 with RFC-5116 and could lead to session key recovery in very long TLS
4432 mbedtls_x509write_csr_der() when the signature is copied to the buffer
4439 * Added hardware entropy selftest to verify that the hardware entropy source
4441 * Added a script to print build environment info for diagnostic use in test
4443 * Added the macro MBEDTLS_X509_MAX_FILE_PATH_LEN that enables the user to
4449 to configure the minimum number of bytes for entropy sources using the
4453 * Fix for platform time abstraction to avoid dependency issues where a build
4455 configuration consistency checks to check_config.h
4456 * Fix dependency issue in Makefile to allow parallel builds.
4467 * Fixed pthread implementation to avoid unintended double initialisations
4472 * Fix mbedtls_x509_get_sig() to update the ASN1 type in the mbedtls_x509_buf
4490 missing self-tests to the test suites, to ensure self-tests are only
4492 * Added support for 3 and 4 byte lengths to mbedtls_asn1_write_len().
4497 * Renamed source file library/net.c to library/net_sockets.c to avoid
4500 deprecated, and its contents moved to net_sockets.h.
4501 * Changed the strategy for X.509 certificate parsing and validation, to no
4509 * Fix potential integer overflow to buffer overflow in
4512 * Fix a potential integer underflow to buffer overread in
4524 * Fix potential build failures related to the 'apidoc' target, introduced
4529 * Fix an issue that caused valid certificates to be rejected whenever an
4533 buffer after DER certificates to be included in the raw representation.
4537 * Fix issue that caused a crash if invalid curves were passed to
4542 * Fix unchecked calls to mmbedtls_md_setup(). Fix by Brian Murray. #502
4547 the need to pass -fomit-frame-pointer to avoid a build error with -O0.
4557 * Fix potential double free when mbedtls_asn1_store_named_data() fails to
4560 * Disable MD5 handshake signatures in TLS 1.2 by default to prevent the
4562 SLOTH paper do not apply to any version of mbed TLS or PolarSSL).
4567 * Fix bug in certificate validation that caused valid chains to be rejected
4598 * Added a key extraction callback to accees the master secret and key
4609 * Fixed a bug causing some handshakes to fail due to some non-fatal alerts
4612 size/curve against the profile. Before that, there was no way to set a
4615 * Fix failures in MPI on Sparc(64) due to use of bad assembly code.
4619 certificates to be rejected by some applications, including OS X
4629 * Added fix for CVE-2015-5291 to prevent heap corruption due to buffer
4642 string of close to or larger than 1GB to exploit; on 64 bit machines, would
4643 require reading a string of close to or larger than 2^62 bytes.
4656 unless you allow third parties to pick trust CAs for client auth.
4665 * Added checking of hostname length in mbedtls_ssl_set_hostname() to ensure
4677 tries to continue the handshake after it failed (a misuse of the API).
4684 caused some handshakes to fail.
4687 * Made X509 profile pointer const in mbedtls_ssl_conf_cert_profile() to allow
4694 MBEDTLS_ERR_SSL_CLIENT_RECONNECT - it is then possible to start a new
4701 * Primary open source license changed to Apache 2.0 license.
4709 * Fix bug in CMake lists that caused libmbedcrypto.a not to be installed
4711 * Fix bug in Makefile that caused libmbedcrypto and libmbedx509 not to be
4714 * Fix bug in Makefile that caused programs not to be installed correctly
4722 * Fix bug in mbedtls_ssl_conf_default() that caused the default preset to
4725 result trying to unlock an unlocked mutex on invalid input (found by
4737 * It is now possible to #include a user-provided configuration file at the
4743 * Prepend a "thread identifier" to debug messages (issue pointed out by
4745 * Add mbedtls_ssl_get_max_frag_len() to query the current maximum fragment
4752 * Ability to override core functions from MDx, SHAx, AES and DES modules
4754 ability to override the whole module.
4755 * New server-side implementation of session tickets that rotate keys to
4766 You now need to link to all of them if you use TLS for example.
4767 * All public identifiers moved to the mbedtls_* or MBEDTLS_* namespace.
4768 Some names have been further changed to make them more consistent.
4784 Note that for mbedtls_ssl_setup(), you need to be done setting up the
4788 ssl_legacy_renegotiation()) have been renamed to mbedtls_ssl_conf_xxx()
4790 changed from ssl_context to ssl_config.
4803 place of mbedtls_ssl_conf_session_tickets() to enable session tickets.
4811 mbedtls_x509_crt_verify() (flags, f_vrfy -> needs to be updated)
4812 mbedtls_ssl_conf_verify() (f_vrfy -> needs to be updated)
4813 * The following functions changed prototype to avoid an in-out length
4820 changed type to "mbedtls_net_context *".
4828 mbedtls_x509write_crt_set_key_usage() changed from int to unsigned.
4829 * test_ca_list (from certs.h) is renamed to test_cas_pem and is only
4831 * Test certificates in certs.c are no longer guaranteed to be nul-terminated
4835 length parameter to include the terminating null byte for PEM input.
4836 * Signature of mpi_mul_mpi() changed to make the last argument unsigned
4839 (Thanks to Mansour Moufid for helping with the replacement.)
4840 * Change SSL_DISABLE_RENEGOTIATION config.h flag to SSL_RENEGOTIATION
4844 * net_connect() and net_bind() have a new 'proto' argument to choose
4846 Their 'port' argument type is changed to a string.
4860 * Removed compat-1.2.h (helper for migrating from 1.2 to 1.3).
4864 been removed (compiler is required to support 32-bit operations).
4875 * Renamed a few headers to include _internal in the name. Those headers are
4876 not supposed to be included by users.
4880 * Removed sig_oid2 and rename sig_oid1 to sig_oid in x509_crt and x509_crl.
4881 * x509_crt.key_usage changed from unsigned char to unsigned int.
4895 * Default DHM parameters server-side upgraded from 1024 to 2048 bits.
4909 * Compiler is required to support C99 types such as long long and uint32_t.
4922 * With UDP sockets, it is no longer necessary to call net_bind() again
4928 * Reduced ROM fooprint of SHA-256 and added an option to reduce it even
4934 * With authmode set to SSL_VERIFY_OPTIONAL, verification of keyUsage and
4943 * Add x509_crt_verify_info() to display certificate verification results.
4950 * Add an option to use macros instead of function pointers in the platform
4953 cross-compilation easier (thanks to Alon Bar-Lev).
4960 * Add config flag POLARSSL_DEPRECATED_WARNING (off by default) to produce
4962 * Add config flag POLARSSL_DEPRECATED_REMOVED (off by default) to produce
4967 * Fix compile error with PLATFORM_EXIT_ALT (thanks to Rafał Przywara).
4969 entropy_free() to crash (thanks to Rafał Przywara).
4984 * Fix bug in pk_parse_key() that caused some valid private EC keys to be
5000 * Fix bug related to ssl_set_curves(): the client didn't check that the
5015 * Move from SHA-1 to SHA-256 in example programs using signatures
5019 * Change #include lines in test files to use double quotes instead of angle
5038 * Fix timing difference that could theoretically lead to a
5046 * Add function pk_check_pair() to test if public and private keys match.
5048 * Add compile-time option POLARSSL_X509_MAX_INTERMEDIATE_CA to limit the
5056 * Add ssl_set_arc4_support() to make it easier to disable RC4 at runtime
5074 * Fix assembly selection for MIPS64 (thanks to James Cowgill).
5076 to a failed verification (found by Fredrik Axelsson).
5085 * Use deterministic nonces for AEAD ciphers in TLS by default (possible to
5086 switch back to random with POLARSSL_SSL_AEAD_RANDOM_IV in config.h).
5090 * debug_print_buf() now prints a text view in addition to hexadecimal.
5092 but none of them is usable due to external factors such as no certificate
5094 * It is now possible to disable negotiation of truncated HMAC server-side
5134 standard defining how to use SHA-2 with SSL 3.0).
5136 ambiguous on how to encode some packets with SSL 3.0).
5141 * POLARSSL_MPI_MAX_SIZE now defaults to 1024 in order to allow 8192 bits
5150 It was possible to crash the server (and client) using crafted messages
5154 * Add CCM module and cipher mode to Cipher Layer
5161 * Add POLARSSL_REMOVE_ARC4_CIPHERSUITES to allow removing RC4 ciphersuites
5165 * Add SSL_CIPHERSUITES config.h flag to allow specifying a list of
5166 ciphersuites to use and save some memory if the list is small.
5171 * Migrate zeroizing of data to polarssl_zeroize() instead of memset()
5183 * Stricter check on SSL ClientHello internal sizes compared to actual packet
5196 to 32 bytes with CBC-based ciphersuites and TLS >= 1.1
5197 * Restore ability to use a v1 cert as a CA if trusted locally. (This had
5199 * Restore ability to locally trust a self-signed cert that is not a proper
5206 caused some handshakes to fail.
5208 exchange that caused some handshakes to fail with other implementations.
5211 * Fix base64_decode() to return and check length correctly (in case of
5213 * Fix mpi_write_string() to write "00" as hex output for empty MPI (found
5218 * debug_set_log_mode() added to determine raw or full logging
5219 * debug_set_threshold() added to ignore messages over threshold level
5220 * version_check_feature() added to check for compile-time options at
5241 * rsa_check_pubkey() now allows an E up to N
5242 * On OpenBSD, use arc4random_buf() instead of rand() to prevent warnings
5255 * Add option 'use_dev_random' to gen_key application
5265 * Use UTC time to check certificate validity.
5290 * oid_get_numeric_string() used to truncate the output without returning an
5298 stored in RAM due to missing 'const's (found by Gergely Budai).
5303 * Option to set the Curve preference order (disabled by default)
5305 * Ability to provide alternate timing implementation
5306 * Ability to force the entropy module to use SHA-256 as its basis
5317 * Improvements to the CMake build system, contributed by Julian Ospald.
5320 * Revamped the compat.sh interoperatibility script to include support for
5323 * Improvements to tests/Makefile, contributed by Oden Eriksson.
5326 * Forbid change of server certificate during renegotiation to prevent
5336 * ecp_gen_keypair() does more tries to prevent failure because of
5359 * x509_get_current_time() uses localtime_r() to prevent thread issues
5383 * Support for adhering to client ciphersuite order preference
5422 * PK tests added to test framework
5435 * Prevent possible alignment warnings on casting from char * to 'aligned *'
5436 * Misc fixes and additions to dependency checks
5440 * Defines to handle UEFI environment under MSVC
5473 * Ability to specify allowed ciphersuites based on the protocol version.
5492 the same host (Not to be confused with SNI!)
5495 * Ability to enable / disable SSL v3 / TLS 1.0 / TLS 1.1 / TLS 1.2
5499 * Internals for SSL module adapted to have separate IV pointer that is
5501 * Moved all OID functionality to a separate module. RSA function
5506 * Ability to disable server_name extension (RFC 6066)
5507 * Renamed error_strerror() to the less conflicting polarssl_strerror()
5508 (Ability to keep old as well with POLARSSL_ERROR_STRERROR_BC)
5509 * SHA2 renamed to SHA256, SHA4 renamed to SHA512 and functions accordingly
5524 * RSA blinding on CRT operations to counter timing attacks
5531 * Fix potential invalid memory read in the server, that allows a client to
5534 client to crash the server remotely if client authentication is enabled
5548 Note: Although PolarSSL has been renamed to mbed TLS, no changes reflecting
5573 * Fix assembly selection for MIPS64 (thanks to James Cowgill).
5575 to a failed verification (found by Fredrik Axelsson).
5586 * Add compile-time option POLARSSL_X509_MAX_INTERMEDIATE_CA to limit the
5621 * Improvements to the CMake build system, contributed by Julian Ospald.
5624 * Improvements to tests/Makefile, contributed by Oden Eriksson.
5625 * Use UTC time to check certificate validity.
5627 * Migrate zeroizing of data to polarssl_zeroize() instead of memset()
5631 * Forbid change of server certificate during renegotiation to prevent
5639 It was possible to crash the server (and client) using crafted messages
5665 * x509_get_current_time() uses localtime_r() to prevent thread issues
5671 * rsa_check_pubkey() now allows an E up to N
5672 * On OpenBSD, use arc4random_buf() instead of rand() to prevent warnings
5676 * Stricter check on SSL ClientHello internal sizes compared to actual packet
5682 * Fix base64_decode() to return and check length correctly (in case of
5687 * Changed RSA blinding to a slower but thread-safe version
5699 * Fixed potential memory leak when failing to resume a session
5706 * RSA blinding on CRT operations to counter timing attacks
5713 * Centralized module option values in config.h to allow user-defined
5721 * Added mechanism to provide alternative implementations for all
5737 * Fixed bignum.c and bn_mul.h to support Thumb2 and LLVM compiler
5742 * A possible DoS during the SSL Handshake, due to faulty parsing of
5747 * Ability to specify allowed ciphersuites based on the protocol version.
5751 * Test suites made smaller to accommodate Raspberry Pi
5755 * GCM adapted to support sizes > 2^29
5760 * Corrected GCM counter incrementation to use only 32-bits instead of
5768 rsa_pkcs1_sign() and rsa_pkcs1_verify() to separate PKCS#1 v1.5 and
5780 * Removed timing differences due to bad padding from
5786 * Allow enabling of dummy error_strerror() to support some use-cases
5795 ssl_decrypt_buf() due to badly formatted padding
5799 * More advanced SSL ciphersuite representation and moved to more dynamic
5801 * Added ssl_handshake_step() to allow single stepping the handshake process
5815 * Added p_hw_data to ssl_context for context specific hardware acceleration
5831 * Allow R and A to point to same mpi in mpi_div_mpi (found by Manuel
5851 * Added GCM suites to TLS 1.2 (RFC 5288)
5865 * Added option to add minimum accepted SSL/TLS protocol version
5872 * Moved out_msg to out_hdr + 32 to support hardware acceleration
5873 * Changed certificate verify behaviour to comply with RFC 6125 section 6.3
5874 to not match CN if subjectAltName extension is present (Closes ticket #56)
5875 * Cipher layer cipher_mode_t POLARSSL_MODE_CFB128 is renamed to
5876 POLARSSL_MODE_CFB, to also handle different block size CFB modes.
5882 * Moved from unsigned long to fixed width uint32_t types throughout code
5883 * Renamed ciphersuites naming scheme to IANA reserved names
5896 * mpi_add_abs() now correctly handles adding short numbers to long numbers
5907 * Fixed potential memory leak when failing to resume a session
5929 * A possible DoS during the SSL Handshake, due to faulty parsing of
5937 * Allow enabling of dummy error_strerror() to support some use-cases
5944 * Removed timing differences due to bad padding from
5952 * mpi_add_abs() now correctly handles adding short numbers to long numbers
5960 * Allow R and A to point to same mpi in mpi_div_mpi (found by Manuel
5980 * Fixed random MPI generation to not generate more size than requested.
5990 * Fixed generation of DHM parameters to correct length (found by Ruslan
6003 * Added ssl_session_reset() to allow better multi-connection pools of
6004 SSL contexts without needing to set all non-connection-specific
6005 data and pointers again. Adapted ssl_server to use this functionality.
6006 * Added ssl_set_max_version() to allow clients to offer a lower maximum
6007 supported version to a server to help buggy server implementations.
6018 * Fixed rsa_encrypt and rsa_decrypt examples to use public key for
6020 * Inceased maximum size of ASN1 length reads to 32-bits.
6021 * Added an EXPLICIT tag number parameter to x509_get_ext()
6025 * Changed the defined key-length of DES ciphers in cipher.h to include the
6026 parity bits, to prevent mistakes in copying data. (Closes ticket #33)
6027 * Loads of minimal changes to better support WINCE as a build target
6028 (Credits go to Marco Lizza)
6029 * Added POLARSSL_MPI_WINDOW_SIZE definition to allow easier time to memory
6033 * Changed the used random function pointer to more flexible format. Renamed
6034 havege_rand() to havege_random() to prevent mistakes. Lots of changes as
6036 * Moved all examples programs to use the new entropy and CTR_DRBG
6037 * Added permissive certificate parsing to x509parse_crt() and
6048 * Allowed X509 key usage parsing to accept 4 byte values instead of the
6074 * Added additional Cipher Block Modes to symmetric ciphers
6075 (AES CTR, Camellia CTR, XTEA CBC) including the option to
6079 * A error_strerror function() has been added to translate between
6089 t_int and t_dbl to t_uint and t_udbl in the process
6135 * Added crl_app program to allow easy reading and
6139 * Parsing of PEM files moved to separate module (Fixes
6140 ticket #13). Also possible to remove PEM support for
6152 to negotiate anonymous connection (Fixes ticket #12,
6157 Diffie Hellman key exchange (thanks to Larry Highsmith,
6165 * Improved X509 certificate parsing to include extended
6170 * Improvements to support integration in other
6176 verification to allow external blacklisting
6177 + Additional example programs to show usage
6182 * x509parse_time_expired() checks time in addition to
6185 of ssl_session have been renamed to ciphersuites and
6201 Now using random fuction provided to function and
6204 * Some SSL defines were renamed in order to avoid
6221 * Added option parsing for host and port selection to
6224 * Added cert_app program to allow easy reading and
6231 in a function to allow easy future expansion
6232 * Changed symmetric cipher functions to
6234 * Changed ARC4 to use separate input/output buffer
6239 * Fixed bug resulting in failure to send the last
6260 * Added CMake makefiles as alternative to regular Makefiles.
6269 * RSA_RAW renamed to SIG_RSA_RAW for consistency.
6272 to indicate invalid key lengths.
6308 input numbers are even and added testcases to check
6327 * Added support for CRL revocation to x509parse_verify() and
6333 * Migrated XySSL to PolarSSL
6349 * Fixed a bug in ssl_write() that caused the same payload to
6359 output data is non-aligned by falling back to the software
6362 Robson-Garth; some x509write.c fixes by Pascal Vizeli, thanks to
6364 * Fixed x509_get_ext() to accept some rare certificates which have
6370 * Added an option to enable/disable the BN assembly code
6371 * Updated rsa_check_privkey() to verify that (D*E) = 1 % (P-1)*(Q-1)
6373 selftest and benchmark to not test ciphers that have been disabled
6374 * Updated x509parse_cert_info() to correctly display byte 0 of the
6377 peer may cause xyssl to loop indefinitely by sending a certificate
6381 * Fixed HMAC-SHA-384 and HMAC-SHA-512 (thanks to Josh Sinykin)
6382 * Modified ssl_parse_client_key_exchange() to protect against
6386 * Fixed assembly PPC compilation errors on Mac OS X, thanks to
6391 * Modified the HMAC functions to handle keys larger
6392 than 64 bytes, thanks to Stephane Desneux and gary ng
6393 * Fixed ssl_read_record() to properly update the handshake
6396 * Fixed net_recv(), thanks to Lorenz Schori and Egon Kocjan
6403 * Updated the RSA PKCS#1 code to allow choosing between
6405 * Updated ssl_read() to skip 0-length records from OpenSSL
6406 * Fixed the make install target to comply with *BSD make
6408 * mpi_is_prime() speedups, thanks to Kevin McLaughlin
6423 * Fixed the net_set_*block routines, thanks to Andreas
6427 * Rewrote README.txt in program/ssl/ca to better explain
6428 how to create a test PKI
6433 time, to reduce the memory footprint on embedded systems
6435 havege_struct for this processor, thanks to David Patiño
6437 thanks to Peking University and the OSU Open Source Lab
6450 (thanks to Benjamin Newman), HP-UX, FreeBSD and Solaris
6453 size of 16384 bytes to be rejected
6459 * Various improvement to the modular exponentiation code
6460 * Rewrote the headers to generate the API docs with doxygen
6463 version was not properly set), thanks to Didier Rebeix
6471 * Multiple fixes to enhance the compatibility with g++,
6472 thanks to Xosé Antón Otero Ferreira
6473 * Fixed a bug in the CBC code, thanks to dowst; also,
6475 * Updated rsa_pkcs1_sign to handle arbitrary large inputs
6477 and 486 processors, thanks to Arnaud Cornet
6481 * Updated timing.c to support ARM and MIPS arch
6482 * Updated the MPI code to support 8086 on MSVC 1.5
6484 * Fixed a bug in sha2_hmac, thanks to newsoft/Wenfang Zhang
6488 valid RSA keys to be dismissed (thanks to oldwolf)
6489 * Fixed a bug in mpi_is_prime that caused some primes to fail
6492 I'd also like to thank Younès Hafri for the CRUX linux port,