Lines Matching refs:was

32      mbedtls_x509_string_to_names(). This was caused by the function calling
78 This was sometimes not the case when an operation object is reused,
104 memcpy(..., NULL, 0). This was harmless in practice, but could trigger
154 or there was a cryptographic hardware failure when calculating the
176 1.2 and 1.3). The lack of support was causing handshake failures with
182 occurred whenever SSL debugging was enabled on a copy of Mbed TLS built
194 computes the public key (which was immediately discarded). Fixes #9732.
321 entropy_poll.c and sha_256.c. There was a build warning during
341 * When MBEDTLS_PSA_CRYPTO_C was disabled and MBEDTLS_ECDSA_C enabled,
342 some code was defining 0-size arrays, resulting in compilation errors.
387 configuration file (renamed to mbedtls_config.h). This change was made
388 in Mbed TLS 3.0, but was not announced in a changelog entry at the time.
549 An attacker was able to prevent an Mbed TLS server from establishing any
555 - If the TLS 1.2 implementation was disabled at build time, a TLS 1.2
559 - If the TLS 1.2 implementation was disabled at runtime, a TLS 1.2 client
560 was able to successfully establish a TLS 1.2 connection with the server.
602 the RSA context. Before, if MBEDTLS_USE_PSA_CRYPTO was enabled and the
603 RSA context was configured for PKCS#1 v2.1 (PSS/OAEP), the sign/verify
681 there was a flaw in the logic checking if the built-in implementation, in
683 accelerator. As a result, it was possible to declare no curves as
719 been called. Previously (in 3.3), this was restricted to a few modules,
720 and only in builds where MBEDTLS_MD_C was disabled; in particular the
721 entropy module was not covered which meant an external RNG had to be
782 - implementations are free to enable more than what it was strictly
827 MBEDTLS_CIPHER_BLKSIZE_MAX was 8, rather than 16 as the name might
828 suggest. This did not affect any library code, because this macro was
847 * Fix definition of MBEDTLS_MD_MAX_BLOCK_SIZE, which was too
848 small when MBEDTLS_SHA384_C was defined and MBEDTLS_SHA512_C was
849 undefined. Mbed TLS itself was unaffected by this, but user code
851 release containing this bug was Mbed TLS 3.4.0.
869 was sufficient for a particular program to work, it would only print
872 in the ecdsa.h header file. There was a build warning when the
873 configuration macro MBEDTLS_ECDSA_SIGN_ALT was defined.
913 using ECC key. The certificate was rejected by some crypto frameworks.
925 mbedtls_x509_san_other_name struct. The type-id of the otherName was not
929 detected by comparing the wrong field and the check was erroneously
1074 * MBEDTLS_AESNI_C, which is enabled by default, was silently ignored on
1101 whose binary representation is longer than 20 bytes. This was already
1109 was found by TrustInSoft Analyzer during REDOCS'22) and #1120.
1115 possible to verify RSA PSS signatures with the pk module, which was
1131 MBEDTLS_SSL_RENEGOTIATION was enabled. Fixes #6200.
1140 least preferred. The selection error was introduced in Mbed TLS 3.3.0.
1157 the behaviour without it, where deterministic ECDSA was already used.
1176 window was reduced from 6 to 2, a value that gives the best or close
1187 of the IETF draft, and was marked experimental and disabled by default.
1293 for the exponentiation was 3 or smaller. Found and reported by Zili KOU,
1301 turned off: if a shipped file was missing from the working directory,
1342 * Fix ECDSA verification, where it was not always validating the
1343 public key. This bug meant that it was possible to verify a
1359 with A > 0 created an unintended representation of the value 0 which was
1396 for IV lengths other than 12. The library was silently overwriting this
1413 This was intended as an experimental feature, but had not been explicitly
1434 information that was used to set up a message digest context.
1479 first ClientHello was not suitable to the server.
1541 provided by a client or server certificate for authentication was not
1556 * Fix a bug in (D)TLS curve negotiation: when MBEDTLS_USE_PSA_CRYPTO was
1557 enabled and an ECDHE-ECDSA or ECDHE-RSA key exchange was used, the
1559 ECDHE was indeed one that was offered. As a result, the client would
1560 accept any curve that it supported, even if that curve was not allowed
1582 The fix was released, but not announced, in Mbed TLS 3.1.0.
1624 application data size was already checked correctly.
1636 * Removed the prompt to exit from all windows build programs, which was causing
1745 The check was accidentally not performed when cross-compiling for Windows
1809 mbedtls_ssl_config.respect_cli_pref as private. This was an
1815 were introduced in mbedTLS 3.0 release, however their implementation was
1821 to set a callback, but was deemed unnecessary as it was yet another define
1926 leaving the PSK that was configured first intact.
1932 was unclear on this point, and this function happened to never do
1933 anything with the currently implemented AEADs, so in practice it was
1956 function mbedtls_xxx_ret() which was identical except for returning int
2023 compile-time option, which was off by default. Users should not trust
2082 behave as if it was always disabled. Fixes #4386.
2083 * Remove MBEDTLS_ECDH_LEGACY_CONTEXT config option since this was purely for
2181 unintended representation of the value 0 which was not processed
2183 mbedtls_mpi_read_string() was called on "-0", or when
2184 mbedtls_mpi_mul_mpi() and mbedtls_mpi_mul_int() was called with one of
2191 minimum size was rounded down to the nearest multiple of 8.
2200 * The cipher suite TLS-RSA-WITH-CAMELLIA-256-GCM-SHA384 was not available
2201 when SHA-1 was disabled and was offered when SHA-1 was enabled but SHA-384
2202 was disabled. Fix the dependency. Fixes #4472.
2230 * psa_verify_hash() was relying on implementation-specific behavior of
2231 mbedtls_rsa_rsassa_pss_verify() and was causing failures in some _ALT
2236 * Fix a null pointer dereference when mbedtls_mpi_exp_mod() was called with
2249 * When MBEDTLS_PSA_CRYPTO_SPM is enabled, crypto_spe.h was not included
2294 * A config file version symbol, MBEDTLS_CONFIG_VERSION was introduced.
2319 * In mbedtls_rsa_context objects, the ver field was formerly documented
2360 mbedtls_ctr_drbg_set_entropy_len() with a size that was 3/2 times the key
2362 In such cases, a random nonce was necessary to achieve the advertised
2391 This was a regression introduced in the previous release. Reported in
2395 fail. Such a double-free was not safe when MBEDTLS_THREADING_C was
2400 * Fixes a bug where, if the library was configured to include support for
2402 not loaded from storage. This was fixed by #3996.
2408 the extension was always marked as non-critical. This was fixed by
2454 agreement algorithm in use matches the algorithm the key was declared with.
2485 * A failure of the random generator was ignored in mbedtls_mpi_fill_random(),
2549 fails. Previously the key identifier was just ignored when creating a
2555 * Fix a memory leak in mbedtls_mpi_sub_abs() when the result was negative
2556 (an error condition) and the second operand was aliased to the result.
2563 the buffer back, which was the case for mbedtls_x509write_{crt,csr}_pem
2564 until this property was inadvertently broken in Mbed TLS 2.19.0.
2579 * Remove the zeroization of a pointer variable in AES rounds. It was valid
2613 subjectAltName extension is present, the expected name was compared to any
2620 * When checking X.509 CRLs, a certificate was only considered as revoked if
2621 its revocationDate was in the past according to the local clock if
2633 countermeasure against Lucky 13 attacks. The previous countermeasure was
2772 output buffer overflow if the configuration declared a buffer that was
2835 happen when MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE was enabled in config.h
2865 is defined), regardless of what MFL was configured for it.
2991 structures, which was exposed only in an internal header.
3030 value, as specified in RFC 5915. Previously, the value was written
3036 blinding value was generated. This reduced the effectiveness of the
3214 * Server's RSA certificate in certs.c was SHA-1 signed. In the default
3257 passed keys that belonged to a different group, the first key's data was
3354 * Fix for Clang, which was reporting a warning for the bignum.c inline
3362 was broken. Reported and fix suggested by Guido Vranken in #659.
3428 incoming message buffer was placed within the first 64KiB of address
3429 space and a PSK-(EC)DHE ciphersuite was used, this allowed an attacker
3438 For example, the number of rounds was enough to securely generate RSA key
3439 pairs or Diffie-Hellman parameters, but was insufficient to validate
3461 an error if this was not possible. Now the salt size may be up to two bytes
3597 without providing a list of CAs. This was due to an overly strict bounds
3629 or if mbedtls_ssl_conf_dtls_badmac_limit() was used, the attack only
3633 Encrypt-then-Mac (RFC 7366) were not affected. The vulnerability was
3642 mbedtls_ssl_conf_dtls_badmac_limit() was used, the attack only worked if
3672 * Fix the key_app_writer example which was writing a leading zero byte which
3673 was creating an invalid ASN.1 tag. Found by Aryeh R. Fixes #1257.
3697 such a message was wrongly reported as an invalid record and therefore led
3767 * Fix an issue with MicroBlaze support in bn_mul.h which was causing the
3829 * Fix parsing of PKCS#8 encoded Elliptic Curve keys. Previously Mbed TLS was
3839 to make progress. Previously, this error code was also occasionally
3843 I/O was used. Found and reported by Hubert Mis in #772.
3850 maintained 2.7 branch. The soversion was increased in Mbed TLS
3852 increment was missed in 2.8.0 and later releases outside of the 2.7 branch.
3939 * Fix the name of a DHE parameter that was accidentally changed in 2.7.0.
3943 with flag MBEDTLS_X509_BADCERT_BAD_PK even when the key type was correct.
3990 * Fix a buffer overflow in RSA-PSS verification when the hash was too large
4004 was independently reported by Tim Nordell via e-mail and by Florin Petriuc
4100 regardless of the peer's preferences, or fail if SHA-1 was disabled.
4190 (default: 8) intermediates, even when it was not trusted. This could be
4192 (the default), the handshake was correctly aborted).
4213 chain was not verified due to an internal error (including in the verify
4287 Previous behaviour was to keep processing data even after the alert has
4297 a negative MPI. Previously the result was always negative. Found by Guido
4300 that was triggered upon reading an empty line. Found by Guido Vranken.
4303 * Send fatal alerts in more cases. The previous behaviour was to skip
4352 using RSA through the PK module in 64-bit systems. The issue was caused by
4364 * Fixed a bug that caused freeing a buffer that was allocated on the stack,
4401 * Fix potential memory leak in mbedtls_x509_crl_parse(). The leak was caused
4403 MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT error was encountered. Found and
4426 * Removed the MBEDTLS_SSL_AEAD_RANDOM_IV option, because it was not compliant
4527 * Fix memory leak that occurred only when ECJPAKE was enabled and ECDHE and
4528 ECDSA was disabled in config.h . The leak didn't occur by default.
4530 expired or not yet valid certificate was parsed before a valid certificate
4539 * Fix issue in ssl_fork_server which was preventing it from functioning. #429
4591 * The X509 max_pathlen constraint was not enforced on intermediate
4612 size/curve against the profile. Before that, there was no way to set a
4633 once in the same handshake and mbedtls_ssl_conf_psk() was used.
4825 ecdsa_write_signature_det() was deprecated.
4862 * Configuration options POLARSSL_HAVE_LONGLONG was removed (now always on).
4865 * Configuration option POLARSSL_HAVE_IPV6 was removed (always enabled).
4912 * ssl_set_bio_timeout() was removed, split into mbedtls_ssl_set_bio() with
4935 extendedKeyUsage on the leaf certificate was lost (results not accessible
5001 curve picked by the server was actually allowed.
5014 performance impact was bad for some users (this was introduced in 1.3.10).
5065 if memory_buffer_alloc_init() was called with buf not aligned and len not
5075 * ssl_get_verify_result() now works even if the handshake was aborted due
5079 issue with some servers when a zero-length extension was sent. (Reported
5102 * Lowest common hash was selected from signature_algorithms extension in
5108 (not affected if ECC support was compiled out) (found using Codenomicon
5121 renegotiation was pending, and on client when a HelloRequest was received.
5150 It was possible to crash the server (and client) using crafted messages
5151 when a GCM suite was chosen.
5190 * Very small records were incorrectly rejected when truncated HMAC was in
5243 * mpi_fill_random() was creating numbers larger than requested on
5244 big-endian platform when size was not an integer number of limbs
5246 * Some parts of ssl_tls.c were compiled even when the module was disabled.
5271 * The notAfter date of some certificates was no longer checked since 1.3.5.
5279 * The length of various ClientKeyExchange messages was not properly checked.
5291 error if the output buffer was just 1 byte too small.
5328 attack was already impossible when authentication is required).
5344 * Bignum's MIPS-32 assembly was used on MIPS-64, causing chaos. (Found by
5346 * ssl_cache was creating entries when max_entries=0 if TIMING_C was enabled.
5347 * m_sleep() was sleeping twice too long on most Unix platforms.
5350 * ssl_cache was leaking memory when reusing a timed out entry containing a
5352 * ssl_srv was leaking memory when client presented a timed out ticket
5354 * ssl_init() was leaving a dirty pointer in ssl_context if malloc of
5356 * ssl_handshake_init() was leaving dirty pointers in subcontexts if malloc
5430 * SSL Renegotiation was refactored
5574 * ssl_get_verify_result() now works even if the handshake was aborted due
5578 issue with some servers when a zero-length extension was sent. (Reported
5605 renegotiation was pending, and on client when a HelloRequest was received.
5633 attack was already impossible when authentication is required).
5639 It was possible to crash the server (and client) using crafted messages
5640 when a GCM suite was chosen.
5659 * Bignum's MIPS-32 assembly was used on MIPS-64, causing chaos. (Found by
5661 * ssl_init() was leaving a dirty pointer in ssl_context if malloc of
5663 * ssl_handshake_init() was leaving dirty pointers in subcontexts if malloc
5673 * mpi_fill_random() was creating numbers larger than requested on
5674 big-endian platform when size was not an integer number of limbs
6216 * Fixed Makefile in library that was mistakenly merged
6361 * Fixed a memory leak in x509parse_crt() which was reported by Greg
6442 was not being correctly defined on ARM and MIPS
6461 * Fixed a bug in ssl_encrypt_buf (incorrect padding was
6463 version was not properly set), thanks to Didier Rebeix