Merge remote-tracking branch 'restricted/pr/601' into baremetal-proposed
* restricted/pr/601: (27 commits)
Fix compile-time guard for optional field in struct
Move code to reduce probability of conflicts
Fix typos caught by check-names.sh
Clarify conditions related to resumption in client
Introduce getter function for renego_status
Add getter function for handshake->resume
Remove now-redundant code
Remove cache callbacks from config on client
Fix a few style issues
Expand documentation of new options a bit
Fix renaming oversight in documentation
Remove backticks in doxygen in config.h
Declare dependency on tickets for two ssl-opt.sh tests
Exclude new negative options from config.pl full
Restore config.h defaults
Address review comments
Fix ssl_cli resumption guards
Fix check-files, check-names and check-generated-features
Add test to all.sh
Add changelog entry
...
diff --git a/ChangeLog b/ChangeLog
index e3c335e..515b19e 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -38,24 +38,12 @@
ServerHello.
* Add new configuration option MBEDTLS_SSL_PROTO_NO_TLS that enables code
size savings in configurations where only DTLS is used.
-
-API Changes
- * Add a new X.509 API call `mbedtls_x509_parse_der_nocopy()`.
- See the Features section for more information.
- * Allow to opt in to the removal the API mbedtls_ssl_get_peer_cert()
- for the benefit of saving RAM, by disabling the new compile-time
- option MBEDTLS_SSL_KEEP_PEER_CERTIFICATE (enabled by default for
- API stability). Disabling this option makes mbedtls_ssl_get_peer_cert()
- always return NULL, and removes the peer_cert field from the
- mbedtls_ssl_session structure which otherwise stores the peer's
- certificate.
- * Add a new compile-time option `MBEDTLS_X509_ON_DEMAND_PARSING`,
- disabled by default, which allows to parse and cache X.509 CRTs
- on demand only, at the benefit of lower RAM usage. Enabling
- this option breaks the structure API of X.509 in that most
- fields of `mbedtls_x509_crt` are removed, but it keeps the
- X.509 function API. See the API changes section as well as
- the documentation in `config.h` for more information.
+ * Add new configuration option MBEDTLS_SSL_NO_SESSION_CACHE that enables
+ code size savings in configurations where cache-based session resumption is
+ not used.
+ * Add new configuration option MBEDTLS_SSL_NO_SESSION_RESUMPTION that
+ enables code size savings in configurations where no form of session
+ resumption is used.
Bugfix
* Server's RSA certificate in certs.c was SHA-1 signed. In the default
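Review bot: the two new Features entries (MBEDTLS_SSL_NO_SESSION_CACHE and MBEDTLS_SSL_NO_SESSION_RESUMPTION) name only the code-size benefit and omit both the default state and the functional effect, unlike the MBEDTLS_X509_ON_DEMAND_PARSING entry elsewhere in this file, which says "disabled by default" and spells out what enabling it removes. Since these are opt-in negative options, add the default and one sentence per option on what is no longer available once it is set (no cache-based resumption in the first case; no resumption of any form, cache- or ticket-based, in the second), and state whether MBEDTLS_SSL_NO_SESSION_RESUMPTION implies MBEDTLS_SSL_NO_SESSION_CACHE so readers know which one to pick. Also, the blank line removed at the top of the hunk leaves the last new bullet running straight into the "Bugfix" heading with no separator; check that the section spacing matches the rest of the file.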
@@ -105,6 +93,24 @@
improve clarity. Fixes #2258.
* Replace multiple uses of MD2 by SHA-256 in X.509 test suite. Fixes #821.
+API Changes
+ * Add a new X.509 API call `mbedtls_x509_parse_der_nocopy()`.
+ See the Features section for more information.
+ * Allow to opt in to the removal the API mbedtls_ssl_get_peer_cert()
+ for the benefit of saving RAM, by disabling the new compile-time
+ option MBEDTLS_SSL_KEEP_PEER_CERTIFICATE (enabled by default for
+ API stability). Disabling this option makes mbedtls_ssl_get_peer_cert()
+ always return NULL, and removes the peer_cert field from the
+ mbedtls_ssl_session structure which otherwise stores the peer's
+ certificate.
+ * Add a new compile-time option `MBEDTLS_X509_ON_DEMAND_PARSING`,
+ disabled by default, which allows to parse and cache X.509 CRTs
+ on demand only, at the benefit of lower RAM usage. Enabling
+ this option breaks the structure API of X.509 in that most
+ fields of `mbedtls_x509_crt` are removed, but it keeps the
+ X.509 function API. See the API changes section as well as
+ the documentation in `config.h` for more information.
+
= mbed TLS 2.16.1 branch released 2019-03-19
Features
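Review bot: the relocated MBEDTLS_X509_ON_DEMAND_PARSING entry now lives inside the "API Changes" section yet still closes with "See the API changes section as well as the documentation in `config.h`", which sends the reader back to the section they are already in; point it at the Features section instead (as the `mbedtls_x509_parse_der_nocopy()` entry directly above it does) or drop that part of the cross-reference. While the block is being moved, note that "the removal the API mbedtls_ssl_get_peer_cert()" is missing "of", and "which allows to parse and cache X.509 CRTs" reads better as "which allows X.509 CRTs to be parsed and cached"; if the intent is to keep this commit a pure cut-and-paste, fix both in a follow-up.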