Paul Elliott | 2238eed | 2022-07-08 18:19:12 +0100 | [diff] [blame] | 1 | Mbed TLS ChangeLog (Sorted per branch, date) |
| 2 | |
Minos Galanakis | 4492dbd | 2024-03-21 15:52:49 +0000 | [diff] [blame] | 3 | = Mbed TLS 3.6.0 branch released 2024-03-28 |
Minos Galanakis | 2c1daef | 2024-03-21 15:46:39 +0000 | [diff] [blame] | 4 | |
| 5 | API changes |
| 6 | * Remove `tls13_` in mbedtls_ssl_tls13_conf_early_data() and |
| 7 | mbedtls_ssl_tls13_conf_max_early_data_size() API names. Early data |
| 8 | feature may not be TLS 1.3 specific in the future. Fixes #6909. |
| 9 | |
| 10 | Default behavior changes |
| 11 | * psa_import_key() now only accepts RSA keys in the PSA standard formats. |
| 12 | The undocumented ability to import other formats (PKCS#8, SubjectPublicKey, |
| 13 | PEM) accepted by the pkparse module has been removed. Applications that |
| 14 | need these formats can call mbedtls_pk_parse_{public,}key() followed by |
| 15 | mbedtls_pk_import_into_psa(). |
| 16 | |
| 17 | Requirement changes |
| 18 | * Drop support for Visual Studio 2013 and 2015, and Arm Compiler 5. |
| 19 | |
| 20 | New deprecations |
Minos Galanakis | 8d94aec | 2024-03-22 16:00:18 +0000 | [diff] [blame] | 21 | * Rename the MBEDTLS_SHA256_USE_A64_CRYPTO_xxx config options to |
| 22 | MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_xxx. The old names may still |
| 23 | be used, but are deprecated. |
Minos Galanakis | 2c1daef | 2024-03-21 15:46:39 +0000 | [diff] [blame] | 24 | * In the PSA API, domain parameters are no longer used for anything. |
| 25 | They are deprecated and will be removed in a future version of the |
| 26 | library. |
| 27 | * mbedtls_ecp_write_key() is deprecated in favor of |
| 28 | mbedtls_ecp_write_key_ext(). |
| 29 | |
| 30 | Removals |
| 31 | * In the PSA API, the experimental way to encode the public exponent of |
| 32 | an RSA key as a domain parameter is no longer supported. Use |
| 33 | psa_generate_key_ext() instead. |
| 34 | * Temporary function mbedtls_pk_wrap_as_opaque() is removed. To mimic the |
| 35 | same behavior mbedtls_pk_get_psa_attributes() and |
| 36 | mbedtls_pk_import_into_psa() can be used to import a PK key into PSA, |
| 37 | while mbedtls_pk_setup_opaque() can be used to wrap a PSA key into a opaque |
| 38 | PK context. |
| 39 | |
| 40 | Features |
| 41 | * Added an example program showing how to hash with the PSA API. |
Minos Galanakis | 8d94aec | 2024-03-22 16:00:18 +0000 | [diff] [blame] | 42 | * Support Armv8-A Crypto Extension acceleration for SHA-256 |
| 43 | when compiling for Thumb (T32) or 32-bit Arm (A32). |
| 44 | * AES-NI is now supported in Windows builds with clang and clang-cl. |
| 45 | Resolves #8372. |
Minos Galanakis | 2c1daef | 2024-03-21 15:46:39 +0000 | [diff] [blame] | 46 | * Add new mbedtls_x509_csr_parse_der_with_ext_cb() routine which allows |
| 47 | parsing unsupported certificate extensions via user provided callback. |
| 48 | * Enable the new option MBEDTLS_BLOCK_CIPHER_NO_DECRYPT to omit |
| 49 | the decryption direction of block ciphers (AES, ARIA, Camellia). |
| 50 | This affects both the low-level modules and the high-level APIs |
| 51 | (the cipher and PSA interfaces). This option is incompatible with modes |
| 52 | that use the decryption direction (ECB in PSA, CBC, XTS, KW) and with DES. |
| 53 | * Support use of Armv8-A Cryptographic Extensions for hardware acclerated |
| 54 | AES when compiling for Thumb (T32) or 32-bit Arm (A32). |
| 55 | * If a cipher or AEAD mechanism has a PSA driver, you can now build the |
| 56 | library without the corresponding built-in implementation. Generally |
| 57 | speaking that requires both the key type and algorithm to be accelerated |
| 58 | or they'll both be built in. However, for CCM and GCM the built-in |
| 59 | implementation is able to take advantage of a driver that only |
| 60 | accelerates the key type (that is, the block cipher primitive). See |
| 61 | docs/driver-only-builds.md for full details and current limitations. |
| 62 | * The CTR_DRBG module will now use AES from a PSA driver if MBEDTLS_AES_C is |
| 63 | disabled. This requires PSA_WANT_ALG_ECB_NO_PADDING in addition to |
| 64 | MBEDTLS_PSA_CRYPTO_C and PSA_WANT_KEY_TYPE_AES. |
| 65 | * Fewer modules depend on MBEDTLS_CIPHER_C, making it possible to save code |
| 66 | size by disabling it in more circumstances. In particular, the CCM and |
| 67 | GCM modules no longer depend on MBEDTLS_CIPHER_C. Also, |
| 68 | MBEDTLS_PSA_CRYPTO can now be enabled without MBEDTLS_CIPHER_C if all |
| 69 | unauthenticated (non-AEAD) ciphers are disabled, or if they're all |
| 70 | fully provided by drivers. See docs/driver-only-builds.md for full |
| 71 | details and current limitations; in particular, NIST_KW and PKCS5/PKCS12 |
| 72 | decryption still unconditionally depend on MBEDTLS_CIPHER_C. |
| 73 | * Add support for record size limit extension as defined by RFC 8449 |
| 74 | and configured with MBEDTLS_SSL_RECORD_SIZE_LIMIT. |
| 75 | Application data sent and received will be fragmented according to |
| 76 | Record size limits negotiated during handshake. |
| 77 | * Improve performance of AES-GCM, AES-CTR and CTR-DRBG when |
| 78 | hardware accelerated AES is not present (around 13-23% on 64-bit Arm). |
| 79 | * Add functions mbedtls_ecc_group_to_psa() and mbedtls_ecc_group_from_psa() |
| 80 | to convert between Mbed TLS and PSA curve identifiers. |
| 81 | * Add utility functions to manipulate mbedtls_ecp_keypair objects, filling |
| 82 | gaps made by making its fields private: mbedtls_ecp_set_public_key(), |
| 83 | mbedtls_ecp_write_public_key(), mbedtls_ecp_keypair_calc_public(), |
| 84 | mbedtls_ecp_keypair_get_group_id(). Fixes #5017, #5441, #8367, #8652. |
| 85 | * Add functions mbedtls_md_psa_alg_from_type() and |
| 86 | mbedtls_md_type_from_psa_alg() to convert between mbedtls_md_type_t and |
| 87 | psa_algorithm_t. |
| 88 | * Add partial platform support for z/OS. |
| 89 | * Improve performance for gcc (versions older than 9.3.0) and IAR. |
| 90 | * Add functions mbedtls_ecdsa_raw_to_der() and mbedtls_ecdsa_der_to_raw() to |
| 91 | convert ECDSA signatures between raw and DER (ASN.1) formats. |
| 92 | * Add support for using AES-CBC 128, 192, and 256 bit schemes |
| 93 | with PKCS#5 PBES2. Keys encrypted this way can now be parsed by PK parse. |
| 94 | * The new function mbedtls_rsa_get_bitlen() returns the length of the modulus |
| 95 | in bits, i.e. the key size for an RSA key. |
| 96 | * Add pc files for pkg-config, e.g.: |
| 97 | pkg-config --cflags --libs (mbedtls|mbedcrypto|mbedx509) |
| 98 | * Add getter (mbedtls_ssl_session_get_ticket_creation_time()) to access |
| 99 | `mbedtls_ssl_session.ticket_creation_time`. |
| 100 | * The new functions mbedtls_pk_get_psa_attributes() and |
| 101 | mbedtls_pk_import_into_psa() provide a uniform way to create a PSA |
| 102 | key from a PK key. |
| 103 | * The benchmark program now reports times for both ephemeral and static |
| 104 | ECDH in all ECDH configurations. |
Minos Galanakis | 8d94aec | 2024-03-22 16:00:18 +0000 | [diff] [blame] | 105 | * Add support for 8-bit GCM tables for Shoup's algorithm to speedup GCM |
| 106 | operations when hardware accelerated AES is not present. Improves |
| 107 | performance by around 30% on 64-bit Intel; 125% on Armv7-M. |
Minos Galanakis | 2c1daef | 2024-03-21 15:46:39 +0000 | [diff] [blame] | 108 | * The new function psa_generate_key_ext() allows generating an RSA |
| 109 | key pair with a custom public exponent. |
| 110 | * The new function mbedtls_ecp_write_key_ext() is similar to |
| 111 | mbedtls_ecp_write_key(), but can be used without separately calculating |
| 112 | the output length. |
| 113 | * Add new accessor to expose the private group id member of |
| 114 | `mbedtls_ecdh_context` structure. |
| 115 | * Add new accessor to expose the `MBEDTLS_PRIVATE(ca_istrue)` member of |
| 116 | `mbedtls_x509_crt` structure. This requires setting |
| 117 | the MBEDTLS_X509_EXT_BASIC_CONSTRAINTS bit in the certificate's |
| 118 | ext_types field. |
| 119 | * mbedtls_psa_get_random() is always available as soon as |
| 120 | MBEDTLS_PSA_CRYPTO_CLIENT is enabled at build time and psa_crypto_init() is |
| 121 | called at runtime. This together with MBEDTLS_PSA_RANDOM_STATE can be |
| 122 | used as random number generator function (f_rng) and context (p_rng) in |
| 123 | legacy functions. |
| 124 | * The new functions mbedtls_pk_copy_from_psa() and |
| 125 | mbedtls_pk_copy_public_from_psa() provide ways to set up a PK context |
| 126 | with the same content as a PSA key. |
| 127 | * Add new accessors to expose the private session-id, |
| 128 | session-id length, and ciphersuite-id members of |
| 129 | `mbedtls_ssl_session` structure. |
| 130 | Add new accessor to expose the ciphersuite-id of |
| 131 | `mbedtls_ssl_ciphersuite_t` structure.Design ref: #8529 |
| 132 | * Mbed TLS now supports the writing and reading of TLS 1.3 early data (see |
| 133 | docs/tls13-early-data.md). The support enablement is controlled at build |
| 134 | time by the MBEDTLS_SSL_EARLY_DATA configuration option and at runtime by |
| 135 | the mbedtls_ssl_conf_early_data() API (by default disabled in both cases). |
| 136 | * Add protection for multithreaded access to the PSA keystore and protection |
| 137 | for multithreaded access to the the PSA global state, including |
| 138 | concurrently calling psa_crypto_init() when MBEDTLS_THREADING_C and |
| 139 | MBEDTLS_THREADING_PTHREAD are defined. See |
| 140 | docs/architecture/psa-thread-safety/psa-thread-safety.md for more details. |
| 141 | Resolves issues #3263 and #7945. |
| 142 | |
| 143 | Security |
| 144 | * Fix a stack buffer overread (less than 256 bytes) when parsing a TLS 1.3 |
| 145 | ClientHello in a TLS 1.3 server supporting some PSK key exchange mode. A |
| 146 | malicious client could cause information disclosure or a denial of service. |
Ronald Cron | 93b660b | 2024-05-02 15:36:16 +0200 | [diff] [blame] | 147 | Fixes CVE-2024-30166. |
Minos Galanakis | 2c1daef | 2024-03-21 15:46:39 +0000 | [diff] [blame] | 148 | * Passing buffers that are stored in untrusted memory as arguments |
| 149 | to PSA functions is now secure by default. |
| 150 | The PSA core now protects against modification of inputs or exposure |
| 151 | of intermediate outputs during operations. This is currently implemented |
| 152 | by copying buffers. |
| 153 | This feature increases code size and memory usage. If buffers passed to |
| 154 | PSA functions are owned exclusively by the PSA core for the duration of |
| 155 | the function call (i.e. no buffer parameters are in shared memory), |
| 156 | copying may be disabled by setting MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS. |
| 157 | Note that setting this option will cause input-output buffer overlap to |
| 158 | be only partially supported (#3266). |
Minos Galanakis | 8d94aec | 2024-03-22 16:00:18 +0000 | [diff] [blame] | 159 | Fixes CVE-2024-28960. |
Minos Galanakis | 2c1daef | 2024-03-21 15:46:39 +0000 | [diff] [blame] | 160 | * Restore the maximum TLS version to be negotiated to the configured one |
| 161 | when an SSL context is reset with the mbedtls_ssl_session_reset() API. |
| 162 | An attacker was able to prevent an Mbed TLS server from establishing any |
| 163 | TLS 1.3 connection potentially resulting in a Denial of Service or forced |
| 164 | version downgrade from TLS 1.3 to TLS 1.2. Fixes #8654 reported by hey3e. |
| 165 | Fixes CVE-2024-28755. |
| 166 | * When negotiating TLS version on server side, do not fall back to the |
| 167 | TLS 1.2 implementation of the protocol if it is disabled. |
| 168 | - If the TLS 1.2 implementation was disabled at build time, a TLS 1.2 |
| 169 | client could put the TLS 1.3-only server in an infinite loop processing |
| 170 | a TLS 1.2 ClientHello, resulting in a denial of service. Reported by |
| 171 | Matthias Mucha and Thomas Blattmann, SICK AG. |
| 172 | - If the TLS 1.2 implementation was disabled at runtime, a TLS 1.2 client |
| 173 | was able to successfully establish a TLS 1.2 connection with the server. |
| 174 | Reported by alluettiv on GitHub. |
| 175 | Fixes CVE-2024-28836. |
| 176 | |
| 177 | Bugfix |
| 178 | * Fix the build with CMake when Everest or P256-m is enabled through |
| 179 | a user configuration file or the compiler command line. Fixes #8165. |
| 180 | * Fix compilation error in C++ programs when MBEDTLS_ASN1_PARSE_C is |
| 181 | disabled. |
| 182 | * Fix possible NULL dereference issue in X509 cert_req program if an entry |
| 183 | in the san parameter is not separated by a colon. |
| 184 | * Fix possible NULL dereference issue in X509 cert_write program if an entry |
| 185 | in the san parameter is not separated by a colon. |
Minos Galanakis | 8d94aec | 2024-03-22 16:00:18 +0000 | [diff] [blame] | 186 | * Fix an inconsistency between implementations and usages of `__cpuid`, |
| 187 | which mainly causes failures when building Windows target using |
| 188 | mingw or clang. Fixes #8334 & #8332. |
Minos Galanakis | 2c1daef | 2024-03-21 15:46:39 +0000 | [diff] [blame] | 189 | * Fix build failure in conda-forge. Fixes #8422. |
| 190 | * Fix parsing of CSRs with critical extensions. |
Minos Galanakis | 8d94aec | 2024-03-22 16:00:18 +0000 | [diff] [blame] | 191 | * Switch to milliseconds as the unit for ticket creation and reception time |
| 192 | instead of seconds. That avoids rounding errors when computing the age of |
| 193 | tickets compared to peer using a millisecond clock (observed with GnuTLS). |
| 194 | Fixes #6623. |
Minos Galanakis | 2c1daef | 2024-03-21 15:46:39 +0000 | [diff] [blame] | 195 | * Fix TLS server accepting TLS 1.2 handshake while TLS 1.2 |
| 196 | is disabled at runtime. Fixes #8593. |
| 197 | * Remove accidental introduction of RSA signature algorithms |
| 198 | in TLS Suite B Profile. Fixes #8221. |
| 199 | * Fix unsupported PSA asymmetric encryption and decryption |
| 200 | (psa_asymmetric_[en|de]crypt) with opaque keys. |
| 201 | Resolves #8461. |
| 202 | * On Linux on ARMv8, fix a build error with SHA-256 and SHA-512 |
| 203 | acceleration detection when the libc headers do not define the |
| 204 | corresponding constant. Reported by valord577. |
| 205 | * Correct initial capacities for key derivation algorithms:TLS12_PRF, |
| 206 | TLS12_PSK_TO_MS, PBKDF2-HMAC, PBKDF2-CMAC |
| 207 | * Fix mbedtls_pk_get_bitlen() for RSA keys whose size is not a |
| 208 | multiple of 8. Fixes #868. |
| 209 | * Avoid segmentation fault caused by releasing not initialized |
| 210 | entropy resource in gen_key example. Fixes #8809. |
| 211 | * mbedtls_pem_read_buffer() now performs a check on the padding data of |
| 212 | decrypted keys and it rejects invalid ones. |
| 213 | * Fix mbedtls_pk_sign(), mbedtls_pk_verify(), mbedtls_pk_decrypt() and |
| 214 | mbedtls_pk_encrypt() on non-opaque RSA keys to honor the padding mode in |
| 215 | the RSA context. Before, if MBEDTLS_USE_PSA_CRYPTO was enabled and the |
| 216 | RSA context was configured for PKCS#1 v2.1 (PSS/OAEP), the sign/verify |
| 217 | functions performed a PKCS#1 v1.5 signature instead and the |
| 218 | encrypt/decrypt functions returned an error. Fixes #8824. |
| 219 | * Fix missing bitflags in SSL session serialization headers. Their absence |
| 220 | allowed SSL sessions saved in one configuration to be loaded in a |
| 221 | different, incompatible configuration. |
| 222 | * In TLS 1.3 clients, fix an interoperability problem due to the client |
| 223 | generating a new random after a HelloRetryRequest. Fixes #8669. |
| 224 | * Fix the restoration of the ALPN when loading serialized connection with |
Minos Galanakis | 8d94aec | 2024-03-22 16:00:18 +0000 | [diff] [blame] | 225 | the mbedtls_ssl_context_load() API. |
Minos Galanakis | 2c1daef | 2024-03-21 15:46:39 +0000 | [diff] [blame] | 226 | * Fix NULL pointer dereference in mbedtls_pk_verify_ext() when called using |
| 227 | an opaque RSA context and specifying MBEDTLS_PK_RSASSA_PSS as key type. |
| 228 | * Fix RSA opaque keys always using PKCS1 v1.5 algorithms instead of the |
| 229 | primary algorithm of the wrapped PSA key. |
| 230 | * Fully support arbitrary overlap between inputs and outputs of PSA |
| 231 | functions. Note that overlap is still only partially supported when |
| 232 | MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS is set (#3266). |
| 233 | |
| 234 | Changes |
| 235 | * Use heap memory to allocate DER encoded public/private key. |
| 236 | This reduces stack usage significantly for writing a public/private |
| 237 | key to a PEM string. |
Minos Galanakis | 8d94aec | 2024-03-22 16:00:18 +0000 | [diff] [blame] | 238 | * PSA_WANT_ALG_CCM and PSA_WANT_ALG_CCM_STAR_NO_TAG are no more synonyms and |
| 239 | they are now treated separately. This means that they should be |
| 240 | individually enabled in order to enable respective support; also the |
| 241 | corresponding MBEDTLS_PSA_ACCEL symbol should be defined in case |
| 242 | acceleration is required. |
| 243 | * Moved declaration of functions mbedtls_ecc_group_to_psa and |
| 244 | mbedtls_ecc_group_of_psa from psa/crypto_extra.h to mbedtls/psa_util.h |
Minos Galanakis | 2c1daef | 2024-03-21 15:46:39 +0000 | [diff] [blame] | 245 | * mbedtls_pk_sign_ext() is now always available, not just when |
| 246 | PSA (MBEDTLS_PSA_CRYPTO_C) is enabled. |
| 247 | * Extended PSA Crypto configurations options for FFDH by making it possible |
| 248 | to select only some of the parameters / groups, with the macros |
| 249 | PSA_WANT_DH_RFC7919_XXXX. You now need to defined the corresponding macro |
| 250 | for each size you want to support. Also, if you have an FFDH accelerator, |
| 251 | you'll need to define the appropriate MBEDTLS_PSA_ACCEL macros to signal |
| 252 | support for these domain parameters. |
| 253 | * RSA support in PSA no longer auto-enables the pkparse and pkwrite modules, |
| 254 | saving code size when those are not otherwise enabled. |
| 255 | * mbedtls_mpi_exp_mod and code that uses it, notably RSA and DHM operations, |
| 256 | have changed their speed/memory compromise as part of a proactive security |
| 257 | improvement. The new default value of MBEDTLS_MPI_WINDOW_SIZE roughly |
| 258 | preserves the current speed, at the expense of increasing memory |
| 259 | consumption. |
| 260 | * Rename directory containing Visual Studio files from visualc/VS2013 to |
| 261 | visualc/VS2017. |
| 262 | * The TLS 1.3 protocol is now enabled in the default configuration. |
| 263 | |
Dave Rodgman | 6ba4169 | 2024-01-22 15:40:12 +0000 | [diff] [blame] | 264 | = Mbed TLS 3.5.2 branch released 2024-01-26 |
| 265 | |
| 266 | Security |
| 267 | * Fix a timing side channel in private key RSA operations. This side channel |
| 268 | could be sufficient for an attacker to recover the plaintext. A local |
| 269 | attacker or a remote attacker who is close to the victim on the network |
| 270 | might have precise enough timing measurements to exploit this. It requires |
| 271 | the attacker to send a large number of messages for decryption. For |
| 272 | details, see "Everlasting ROBOT: the Marvin Attack", Hubert Kario. Reported |
| 273 | by Hubert Kario, Red Hat. |
| 274 | * Fix a failure to validate input when writing x509 extensions lengths which |
| 275 | could result in an integer overflow, causing a zero-length buffer to be |
| 276 | allocated to hold the extension. The extension would then be copied into |
| 277 | the buffer, causing a heap buffer overflow. |
| 278 | |
Dave Rodgman | 0a403d4 | 2023-11-03 12:28:08 +0000 | [diff] [blame] | 279 | = Mbed TLS 3.5.1 branch released 2023-11-06 |
| 280 | |
| 281 | Changes |
| 282 | * Mbed TLS is now released under a dual Apache-2.0 OR GPL-2.0-or-later |
| 283 | license. Users may choose which license they take the code under. |
| 284 | |
Dave Rodgman | 7604915 | 2023-11-07 12:33:17 +0000 | [diff] [blame] | 285 | Bugfix |
| 286 | * Fix accidental omission of MBEDTLS_TARGET_PREFIX in 3rdparty modules |
| 287 | in CMake. |
| 288 | |
Minos Galanakis | 974388f | 2023-10-03 22:07:22 +0100 | [diff] [blame] | 289 | = Mbed TLS 3.5.0 branch released 2023-10-05 |
Minos Galanakis | 80a8156 | 2023-10-03 22:03:50 +0100 | [diff] [blame] | 290 | |
| 291 | API changes |
| 292 | * Mbed TLS 3.4 introduced support for omitting the built-in implementation |
| 293 | of ECDSA and/or EC J-PAKE when those are provided by a driver. However, |
Dave Rodgman | c0e1f3e | 2023-11-03 11:08:05 +0000 | [diff] [blame] | 294 | there was a flaw in the logic checking if the built-in implementation, in |
| 295 | that it failed to check if all the relevant curves were supported by the |
Minos Galanakis | 80a8156 | 2023-10-03 22:03:50 +0100 | [diff] [blame] | 296 | accelerator. As a result, it was possible to declare no curves as |
| 297 | accelerated and still have the built-in implementation compiled out. |
| 298 | Starting with this release, it is necessary to declare which curves are |
| 299 | accelerated (using MBEDTLS_PSA_ACCEL_ECC_xxx macros), or they will be |
| 300 | considered not accelerated, and the built-in implementation of the curves |
| 301 | and any algorithm possible using them will be included in the build. |
| 302 | * Add new millisecond time type `mbedtls_ms_time_t` and `mbedtls_ms_time()` |
| 303 | function, needed for TLS 1.3 ticket lifetimes. Alternative implementations |
| 304 | can be created using an ALT interface. |
| 305 | |
| 306 | Requirement changes |
| 307 | * Officially require Python 3.8 now that earlier versions are out of support. |
| 308 | * Minimum required Windows version is now Windows Vista, or |
| 309 | Windows Server 2008. |
| 310 | |
| 311 | New deprecations |
| 312 | * PSA_WANT_KEY_TYPE_xxx_KEY_PAIR and |
| 313 | MBEDTLS_PSA_ACCEL_KEY_TYPE_xxx_KEY_PAIR, where xxx is either ECC or RSA, |
| 314 | are now being deprecated in favor of PSA_WANT_KEY_TYPE_xxx_KEY_PAIR_yyy and |
| 315 | MBEDTLS_PSA_ACCEL_KEY_TYPE_xxx_KEY_PAIR_yyy. Here yyy can be: BASIC, |
| 316 | IMPORT, EXPORT, GENERATE, DERIVE. The goal is to have a finer detail about |
| 317 | the capabilities of the PSA side for either key. |
| 318 | * MBEDTLS_CIPHER_BLKSIZE_MAX is deprecated in favor of |
| 319 | MBEDTLS_MAX_BLOCK_LENGTH (if you intended what the name suggests: |
| 320 | maximum size of any supported block cipher) or the new name |
| 321 | MBEDTLS_CMAC_MAX_BLOCK_SIZE (if you intended the actual semantics: |
| 322 | maximum size of a block cipher supported by the CMAC module). |
| 323 | * mbedtls_pkcs5_pbes2() and mbedtls_pkcs12_pbe() functions are now |
| 324 | deprecated in favor of mbedtls_pkcs5_pbes2_ext() and |
| 325 | mbedtls_pkcs12_pbe_ext() as they offer more security by checking |
| 326 | for overflow of the output buffer and reporting the actual length |
| 327 | of the output. |
| 328 | |
| 329 | Features |
| 330 | * All modules that use hashes or HMAC can now take advantage of PSA Crypto |
| 331 | drivers when MBEDTLS_PSA_CRYPTO_C is enabled and psa_crypto_init() has |
| 332 | been called. Previously (in 3.3), this was restricted to a few modules, |
| 333 | and only in builds where MBEDTLS_MD_C was disabled; in particular the |
| 334 | entropy module was not covered which meant an external RNG had to be |
| 335 | provided - these limitations are lifted in this version. A new set of |
| 336 | feature macros, MBEDTLS_MD_CAN_xxx, has been introduced that can be used |
| 337 | to check for availability of hash algorithms, regardless of whether |
| 338 | they're provided by a built-in implementation, a driver or both. See |
| 339 | docs/driver-only-builds.md. |
| 340 | * When a PSA driver for ECDH is present, it is now possible to disable |
| 341 | MBEDTLS_ECDH_C in the build in order to save code size. For TLS 1.2 |
| 342 | key exchanges based on ECDH(E) to work, this requires |
| 343 | MBEDTLS_USE_PSA_CRYPTO. Restartable/interruptible ECDHE operations in |
| 344 | TLS 1.2 (ECDHE-ECDSA key exchange) are not supported in those builds yet, |
| 345 | as PSA does not have an API for restartable ECDH yet. |
| 346 | * When all of ECDH, ECDSA and EC J-PAKE are either disabled or provided by |
| 347 | a driver, it is possible to disable MBEDTLS_ECP_C (and MBEDTLS_BIGNUM_C |
| 348 | if not required by another module) and still get support for ECC keys and |
| 349 | algorithms in PSA, with some limitations. See docs/driver-only-builds.txt |
| 350 | for details. |
| 351 | * Add parsing of directoryName subtype for subjectAltName extension in |
| 352 | x509 certificates. |
| 353 | * Add support for server-side TLS version negotiation. If both TLS 1.2 and |
| 354 | TLS 1.3 protocols are enabled, the TLS server now selects TLS 1.2 or |
| 355 | TLS 1.3 depending on the capabilities and preferences of TLS clients. |
| 356 | Fixes #6867. |
| 357 | * X.509 hostname verification now supports IPAddress Subject Alternate Names. |
| 358 | * Add support for reading and writing X25519 and X448 |
| 359 | public and private keys in RFC 8410 format using the existing PK APIs. |
| 360 | * When parsing X.509 certificates, support the extensions |
| 361 | SignatureKeyIdentifier and AuthorityKeyIdentifier. |
| 362 | * Don't include the PSA dispatch functions for PAKEs (psa_pake_setup() etc) |
| 363 | if no PAKE algorithms are requested |
| 364 | * Add support for the FFDH algorithm and DH key types in PSA, with |
| 365 | parameters from RFC 7919. This includes a built-in implementation based |
| 366 | on MBEDTLS_BIGNUM_C, and a driver dispatch layer enabling alternative |
| 367 | implementations of FFDH through the driver entry points. |
| 368 | * It is now possible to generate certificates with SubjectAltNames. |
| 369 | Currently supported subtypes: DnsName, UniformResourceIdentifier, |
| 370 | IP address, OtherName, and DirectoryName, as defined in RFC 5280. |
| 371 | See mbedtls_x509write_crt_set_subject_alternative_name for |
| 372 | more information. |
| 373 | * X.509 hostname verification now partially supports URI Subject Alternate |
| 374 | Names. Only exact matching, without any normalization procedures |
| 375 | described in 7.4 of RFC5280, will result in a positive URI verification. |
| 376 | * Add function mbedtls_oid_from_numeric_string() to parse an OID from a |
| 377 | string to a DER-encoded mbedtls_asn1_buf. |
Dave Rodgman | 5d323bf | 2023-10-04 18:46:47 +0100 | [diff] [blame] | 378 | * Add SHA-3 family hash functions. |
Minos Galanakis | 80a8156 | 2023-10-03 22:03:50 +0100 | [diff] [blame] | 379 | * Add support to restrict AES to 128-bit keys in order to save code size. |
| 380 | A new configuration option, MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH, can be |
| 381 | used to enable this feature. |
| 382 | * AES performance improvements. Uplift varies by platform, |
| 383 | toolchain, optimisation flags and mode. |
| 384 | Aarch64, gcc -Os and CCM, GCM and XTS benefit the most. |
| 385 | On Aarch64, uplift is typically around 20 - 110%. |
| 386 | When compiling with gcc -Os on Aarch64, AES-XTS improves |
| 387 | by 4.5x. |
| 388 | * Add support for PBKDF2-HMAC through the PSA API. |
| 389 | * New symbols PSA_WANT_KEY_TYPE_xxx_KEY_PAIR_yyy and |
| 390 | MBEDTLS_PSA_ACCEL_KEY_TYPE_xxx_KEY_PAIR_yyy (where xxx is either ECC, RSA |
| 391 | or DH) were introduced in order to have finer accuracy in defining the |
| 392 | PSA capabilities for each key. These capabilities, named yyy above, can be |
| 393 | any of: BASIC, IMPORT, EXPORT, GENERATE, DERIVE. |
| 394 | - DERIVE is only available for ECC keys, not for RSA or DH ones. |
| 395 | - implementations are free to enable more than what it was strictly |
| 396 | requested. For example BASIC internally enables IMPORT and EXPORT |
| 397 | (useful for testing purposes), but this might change in the future. |
| 398 | * Add support for FFDH key exchange in TLS 1.3. |
| 399 | This is automatically enabled as soon as PSA_WANT_ALG_FFDH |
| 400 | and the ephemeral or psk-ephemeral key exchange mode are enabled. |
| 401 | By default, all groups are offered; the list of groups can be |
| 402 | configured using the existing API function mbedtls_ssl_conf_groups(). |
| 403 | * Improve mbedtls_x509_time performance and reduce memory use. |
| 404 | * Reduce syscalls to time() during certificate verification. |
| 405 | * Allow MBEDTLS_CONFIG_FILE and MBEDTLS_USER_CONFIG_FILE to be set by |
| 406 | setting the CMake variable of the same name at configuration time. |
| 407 | * Add getter (mbedtls_ssl_cache_get_timeout()) to access |
| 408 | `mbedtls_ssl_cache_context.timeout`. |
| 409 | * Add getter (mbedtls_ssl_get_hostname()) to access |
| 410 | `mbedtls_ssl_context.hostname`. |
| 411 | * Add getter (mbedtls_ssl_conf_get_endpoint()) to access |
| 412 | `mbedtls_ssl_config.endpoint`. |
| 413 | * Support for "opaque" (PSA-held) ECC keys in the PK module has been |
| 414 | extended: it is now possible to use mbedtls_pk_write_key_der(), |
| 415 | mbedtls_pk_write_key_pem(), mbedtls_pk_check_pair(), and |
| 416 | mbedtls_pk_verify() with opaque ECC keys (provided the PSA attributes |
| 417 | allow it). |
| 418 | * The documentation of mbedtls_ecp_group now describes the optimized |
| 419 | representation of A for some curves. Fixes #8045. |
| 420 | * Add a possibility to generate CSR's with RCF822 and directoryName subtype |
| 421 | of subjectAltName extension in x509 certificates. |
| 422 | * Add support for PBKDF2-CMAC through the PSA API. |
| 423 | * New configuration option MBEDTLS_AES_USE_HARDWARE_ONLY introduced. When |
| 424 | using CPU-accelerated AES (e.g., Arm Crypto Extensions), this option |
| 425 | disables the plain C implementation and the run-time detection for the |
| 426 | CPU feature, which reduces code size and avoids the vulnerability of the |
| 427 | plain C implementation. |
| 428 | * Accept arbitrary AttributeType and AttributeValue in certificate |
| 429 | Distinguished Names using RFC 4514 syntax. |
| 430 | * Applications using ECC over secp256r1 through the PSA API can use a |
| 431 | new implementation with a much smaller footprint, but some minor |
| 432 | usage restrictions. See the documentation of the new configuration |
| 433 | option MBEDTLS_PSA_P256M_DRIVER_ENABLED for details. |
| 434 | |
| 435 | Security |
| 436 | * Fix a case where potentially sensitive information held in memory would not |
| 437 | be completely zeroized during TLS 1.2 handshake, in both server and client |
| 438 | configurations. |
| 439 | * In configurations with ARIA or Camellia but not AES, the value of |
| 440 | MBEDTLS_CIPHER_BLKSIZE_MAX was 8, rather than 16 as the name might |
| 441 | suggest. This did not affect any library code, because this macro was |
| 442 | only used in relation with CMAC which does not support these ciphers. |
| 443 | This may affect application code that uses this macro. |
| 444 | * Developers using mbedtls_pkcs5_pbes2() or mbedtls_pkcs12_pbe() should |
| 445 | review the size of the output buffer passed to this function, and note |
| 446 | that the output after decryption may include CBC padding. Consider moving |
| 447 | to the new functions mbedtls_pkcs5_pbes2_ext() or mbedtls_pkcs12_pbe_ext() |
| 448 | which checks for overflow of the output buffer and reports the actual |
| 449 | length of the output. |
| 450 | * Improve padding calculations in CBC decryption, NIST key unwrapping and |
| 451 | RSA OAEP decryption. With the previous implementation, some compilers |
| 452 | (notably recent versions of Clang and IAR) could produce non-constant |
| 453 | time code, which could allow a padding oracle attack if the attacker |
| 454 | has access to precise timing measurements. |
| 455 | * Updates to constant-time C code so that compilers are less likely to use |
| 456 | conditional instructions, which can have an observable difference in |
| 457 | timing. (Clang has been seen to do this.) Also introduce assembly |
| 458 | implementations for 32- and 64-bit Arm and for x86 and x86-64, which are |
| 459 | guaranteed not to use conditional instructions. |
| 460 | * Fix definition of MBEDTLS_MD_MAX_BLOCK_SIZE, which was too |
| 461 | small when MBEDTLS_SHA384_C was defined and MBEDTLS_SHA512_C was |
| 462 | undefined. Mbed TLS itself was unaffected by this, but user code |
| 463 | which used MBEDTLS_MD_MAX_BLOCK_SIZE could be affected. The only |
| 464 | release containing this bug was Mbed TLS 3.4.0. |
| 465 | * Fix a buffer overread when parsing short TLS application data records in |
| 466 | null-cipher cipher suites. Credit to OSS-Fuzz. |
| 467 | * Fix a remotely exploitable heap buffer overflow in TLS handshake parsing. |
| 468 | In TLS 1.3, all configurations are affected except PSK-only ones, and |
| 469 | both clients and servers are affected. |
| 470 | In TLS 1.2, the affected configurations are those with |
| 471 | MBEDTLS_USE_PSA_CRYPTO and ECDH enabled but DHM and RSA disabled, |
| 472 | and only servers are affected, not clients. |
| 473 | Credit to OSS-Fuzz. |
| 474 | |
| 475 | Bugfix |
| 476 | * Fix proper sizing for PSA_EXPORT_[KEY_PAIR/PUBLIC_KEY]_MAX_SIZE and |
| 477 | PSA_SIGNATURE_MAX_SIZE buffers when at least one accelerated EC is bigger |
| 478 | than all built-in ones and RSA is disabled. |
| 479 | Resolves #6622. |
| 480 | * Add missing md.h includes to some of the external programs from |
| 481 | the programs directory. Without this, even though the configuration |
| 482 | was sufficient for a particular program to work, it would only print |
| 483 | a message that one of the required defines is missing. |
| 484 | * Fix declaration of mbedtls_ecdsa_sign_det_restartable() function |
| 485 | in the ecdsa.h header file. There was a build warning when the |
| 486 | configuration macro MBEDTLS_ECDSA_SIGN_ALT was defined. |
| 487 | Resolves #7407. |
| 488 | * Fix an error when MBEDTLS_ECDSA_SIGN_ALT is defined but not |
| 489 | MBEDTLS_ECDSA_VERIFY_ALT, causing ecdsa verify to fail. Fixes #7498. |
| 490 | * Fix missing PSA initialization in sample programs when |
| 491 | MBEDTLS_USE_PSA_CRYPTO is enabled. |
| 492 | * Fix the J-PAKE driver interface for user and peer to accept any values |
| 493 | (previously accepted values were limited to "client" or "server"). |
| 494 | * Fix clang and armclang compilation error when targeting certain Arm |
| 495 | M-class CPUs (Cortex-M0, Cortex-M0+, Cortex-M1, Cortex-M23, |
| 496 | SecurCore SC000). Fixes #1077. |
| 497 | * Fix "unterminated '#pragma clang attribute push'" in sha256/sha512.c when |
| 498 | built with MBEDTLS_SHAxxx_USE_A64_CRYPTO_IF_PRESENT but don't have a |
| 499 | way to detect the crypto extensions required. A warning is still issued. |
| 500 | * Fixed an issue that caused compile errors when using CMake and the IAR |
| 501 | toolchain. |
| 502 | * Fix very high stack usage in SSL debug code. Reported by Maximilian |
| 503 | Gerhardt in #7804. |
| 504 | * Fix a compilation failure in the constant_time module when |
| 505 | building for arm64_32 (e.g., for watchos). Reported by Paulo |
| 506 | Coutinho in #7787. |
| 507 | * Fix crypt_and_hash decryption fail when used with a stream cipher |
| 508 | mode of operation due to the input not being multiple of block size. |
| 509 | Resolves #7417. |
| 510 | * Fix a bug in which mbedtls_x509_string_to_names() would return success |
| 511 | when given a invalid name string if it did not contain '=' or ','. |
| 512 | * Fix compilation warnings in aes.c, which prevented the |
| 513 | example TF-M configuration in configs/ from building cleanly: |
| 514 | tfm_mbedcrypto_config_profile_medium.h with |
| 515 | crypto_config_profile_medium.h. |
| 516 | * In TLS 1.3, fix handshake failure when a client in its ClientHello |
| 517 | proposes an handshake based on PSK only key exchange mode or at least |
| 518 | one of the key exchange modes using ephemeral keys to a server that |
| 519 | supports only the PSK key exchange mode. |
| 520 | * Fix CCM* with no tag being not supported in a build with CCM as the only |
| 521 | symmetric encryption algorithm and the PSA configuration enabled. |
| 522 | * Fix the build with MBEDTLS_PSA_INJECT_ENTROPY. Fixes #7516. |
| 523 | * Fix a compilation error on some platforms when including mbedtls/ssl.h |
| 524 | with all TLS support disabled. Fixes #6628. |
| 525 | * Fix x509 certificate generation to conform to RFC 5480 / RFC 5758 when |
| 526 | using ECC key. The certificate was rejected by some crypto frameworks. |
| 527 | Fixes #2924. |
| 528 | * Fix a potential corruption of the passed-in IV when mbedtls_aes_crypt_cbc() |
| 529 | is called with zero length and padlock is not enabled. |
| 530 | * Fix compile failure due to empty enum in cipher_wrap.c, when building |
| 531 | with a very minimal configuration. Fixes #7625. |
| 532 | * Fix some cases where mbedtls_mpi_mod_exp, RSA key construction or ECDSA |
| 533 | signature can silently return an incorrect result in low memory conditions. |
| 534 | * Don't try to include MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE when |
| 535 | MBEDTLS_PSA_CRYPTO_CONFIG is disabled. |
| 536 | * Fix IAR compiler warnings. |
| 537 | * Fix an issue when parsing an otherName subject alternative name into a |
| 538 | mbedtls_x509_san_other_name struct. The type-id of the otherName was not |
| 539 | copied to the struct. This meant that the struct had incomplete |
| 540 | information about the otherName SAN and contained uninitialized memory. |
| 541 | * Fix the detection of HardwareModuleName otherName SANs. These were being |
| 542 | detected by comparing the wrong field and the check was erroneously |
| 543 | inverted. |
| 544 | * Fix a build error in some configurations with MBEDTLS_PSA_CRYPTO_CONFIG |
| 545 | enabled, where some low-level modules required by requested PSA crypto |
| 546 | features were not getting automatically enabled. Fixes #7420. |
| 547 | * Fix undefined symbols in some builds using TLS 1.3 with a custom |
| 548 | configuration file. |
| 549 | * Fix log level for the got supported group message. Fixes #6765 |
| 550 | * Functions in the ssl_cache module now return a negative MBEDTLS_ERR_xxx |
| 551 | error code on failure. Before, they returned 1 to indicate failure in |
| 552 | some cases involving a missing entry or a full cache. |
| 553 | * mbedtls_pk_parse_key() now rejects trailing garbage in encrypted keys. |
Dave Rodgman | 5d323bf | 2023-10-04 18:46:47 +0100 | [diff] [blame] | 554 | * Fix the build with CMake when Everest or P256-m is enabled through |
| 555 | a user configuration file or the compiler command line. Fixes #8165. |
Minos Galanakis | 80a8156 | 2023-10-03 22:03:50 +0100 | [diff] [blame] | 556 | |
| 557 | Changes |
| 558 | * Enable Arm / Thumb bignum assembly for most Arm platforms when |
| 559 | compiling with gcc, clang or armclang and -O0. |
| 560 | * Enforce minimum RSA key size when generating a key |
| 561 | to avoid accidental misuse. |
| 562 | * Use heap memory to allocate DER encoded RSA private key. |
| 563 | This reduces stack usage significantly for RSA signature |
| 564 | operations when MBEDTLS_PSA_CRYPTO_C is defined. |
| 565 | * Update Windows code to use BCryptGenRandom and wcslen, and |
| 566 | ensure that conversions between size_t, ULONG, and int are |
| 567 | always done safely. Original contribution by Kevin Kane #635, #730 |
| 568 | followed by Simon Butcher #1453. |
Dave Rodgman | 5d323bf | 2023-10-04 18:46:47 +0100 | [diff] [blame] | 569 | * Users integrating their own PSA drivers should be aware that |
Minos Galanakis | 80a8156 | 2023-10-03 22:03:50 +0100 | [diff] [blame] | 570 | the file library/psa_crypto_driver_wrappers.c has been renamed |
| 571 | to psa_crypto_driver_wrappers_no_static.c. |
| 572 | * When using CBC with the cipher module, the requirement to call |
| 573 | mbedtls_cipher_set_padding_mode() is now enforced. Previously, omitting |
| 574 | this call accidentally applied a default padding mode chosen at compile |
| 575 | time. |
| 576 | |
Gilles Peskine | 4a415fd | 2023-08-02 12:51:44 +0200 | [diff] [blame] | 577 | = Mbed TLS 3.4.1 branch released 2023-08-04 |
Gilles Peskine | 82c159f | 2023-08-02 12:51:01 +0200 | [diff] [blame] | 578 | |
| 579 | Bugfix |
| 580 | * Fix builds on Windows with clang |
| 581 | |
| 582 | Changes |
| 583 | * Update test data to avoid failures of unit tests after 2023-08-07. |
| 584 | |
Paul Elliott | dbe435c | 2023-03-23 10:43:15 +0000 | [diff] [blame] | 585 | = Mbed TLS 3.4.0 branch released 2023-03-28 |
| 586 | |
| 587 | Default behavior changes |
| 588 | * The default priority order of TLS 1.3 cipher suites has been modified to |
| 589 | follow the same rules as the TLS 1.2 cipher suites (see |
| 590 | ssl_ciphersuites.c). The preferred cipher suite is now |
| 591 | TLS_CHACHA20_POLY1305_SHA256. |
| 592 | |
| 593 | New deprecations |
| 594 | * mbedtls_x509write_crt_set_serial() is now being deprecated in favor of |
| 595 | mbedtls_x509write_crt_set_serial_raw(). The goal here is to remove any |
| 596 | direct dependency of X509 on BIGNUM_C. |
| 597 | * PSA to mbedtls error translation is now unified in psa_util.h, |
| 598 | deprecating mbedtls_md_error_from_psa. Each file that performs error |
| 599 | translation should define its own version of PSA_TO_MBEDTLS_ERR, |
| 600 | optionally providing file-specific error pairs. Please see psa_util.h for |
| 601 | more details. |
| 602 | |
| 603 | Features |
| 604 | * Added partial support for parsing the PKCS #7 Cryptographic Message |
| 605 | Syntax, as defined in RFC 2315. Currently, support is limited to the |
| 606 | following: |
| 607 | - Only the signed-data content type, version 1 is supported. |
| 608 | - Only DER encoding is supported. |
| 609 | - Only a single digest algorithm per message is supported. |
| 610 | - Certificates must be in X.509 format. A message must have either 0 |
| 611 | or 1 certificates. |
| 612 | - There is no support for certificate revocation lists. |
| 613 | - The authenticated and unauthenticated attribute fields of SignerInfo |
| 614 | must be empty. |
| 615 | Many thanks to Daniel Axtens, Nayna Jain, and Nick Child from IBM for |
| 616 | contributing this feature, and to Demi-Marie Obenour for contributing |
| 617 | various improvements, tests and bug fixes. |
| 618 | * General performance improvements by accessing multiple bytes at a time. |
| 619 | Fixes #1666. |
| 620 | * Improvements to use of unaligned and byte-swapped memory, reducing code |
| 621 | size and improving performance (depending on compiler and target |
| 622 | architecture). |
| 623 | * Add support for reading points in compressed format |
| 624 | (MBEDTLS_ECP_PF_COMPRESSED) with mbedtls_ecp_point_read_binary() |
| 625 | (and callers) for Short Weierstrass curves with prime p where p = 3 mod 4 |
| 626 | (all mbedtls MBEDTLS_ECP_DP_SECP* and MBEDTLS_ECP_DP_BP* curves |
| 627 | except MBEDTLS_ECP_DP_SECP224R1 and MBEDTLS_ECP_DP_SECP224K1) |
| 628 | * SHA224_C/SHA384_C are now independent from SHA384_C/SHA512_C respectively. |
| 629 | This helps in saving code size when some of the above hashes are not |
| 630 | required. |
| 631 | * Add parsing of V3 extensions (key usage, Netscape cert-type, |
| 632 | Subject Alternative Names) in x509 Certificate Sign Requests. |
| 633 | * Use HOSTCC (if it is set) when compiling C code during generation of the |
| 634 | configuration-independent files. This allows them to be generated when |
| 635 | CC is set for cross compilation. |
| 636 | * Add parsing of uniformResourceIdentifier subtype for subjectAltName |
| 637 | extension in x509 certificates. |
| 638 | * Add an interruptible version of sign and verify hash to the PSA interface, |
| 639 | backed by internal library support for ECDSA signing and verification. |
| 640 | * Add parsing of rfc822Name subtype for subjectAltName |
| 641 | extension in x509 certificates. |
| 642 | * The configuration macros MBEDTLS_PSA_CRYPTO_PLATFORM_FILE and |
| 643 | MBEDTLS_PSA_CRYPTO_STRUCT_FILE specify alternative locations for |
| 644 | the headers "psa/crypto_platform.h" and "psa/crypto_struct.h". |
| 645 | * When a PSA driver for ECDSA is present, it is now possible to disable |
| 646 | MBEDTLS_ECDSA_C in the build in order to save code size. For PK, X.509 |
| 647 | and TLS to fully work, this requires MBEDTLS_USE_PSA_CRYPTO to be enabled. |
| 648 | Restartable/interruptible ECDSA operations in PK, X.509 and TLS are not |
| 649 | supported in those builds yet, as driver support for interruptible ECDSA |
| 650 | operations is not present yet. |
| 651 | * Add a driver dispatch layer for EC J-PAKE, enabling alternative |
| 652 | implementations of EC J-PAKE through the driver entry points. |
| 653 | * Add new API mbedtls_ssl_cache_remove for cache entry removal by |
| 654 | its session id. |
| 655 | * Add support to include the SubjectAltName extension to a CSR. |
| 656 | * Add support for AES with the Armv8-A Cryptographic Extension on |
| 657 | 64-bit Arm. A new configuration option, MBEDTLS_AESCE_C, can |
| 658 | be used to enable this feature. Run-time detection is supported |
| 659 | under Linux only. |
| 660 | * When a PSA driver for EC J-PAKE is present, it is now possible to disable |
| 661 | MBEDTLS_ECJPAKE_C in the build in order to save code size. For the |
| 662 | corresponding TLS 1.2 key exchange to work, MBEDTLS_USE_PSA_CRYPTO needs |
| 663 | to be enabled. |
| 664 | * Add functions mbedtls_rsa_get_padding_mode() and mbedtls_rsa_get_md_alg() |
| 665 | to read non-public fields for padding mode and hash id from |
| 666 | an mbedtls_rsa_context, as requested in #6917. |
| 667 | * AES-NI is now supported with Visual Studio. |
| 668 | * AES-NI is now supported in 32-bit builds, or when MBEDTLS_HAVE_ASM |
| 669 | is disabled, when compiling with GCC or Clang or a compatible compiler |
| 670 | for a target CPU that supports the requisite instructions (for example |
| 671 | gcc -m32 -msse2 -maes -mpclmul). (Generic x86 builds with GCC-like |
| 672 | compilers still require MBEDTLS_HAVE_ASM and a 64-bit target.) |
| 673 | * It is now possible to use a PSA-held (opaque) password with the TLS 1.2 |
| 674 | ECJPAKE key exchange, using the new API function |
| 675 | mbedtls_ssl_set_hs_ecjpake_password_opaque(). |
| 676 | |
| 677 | Security |
| 678 | * Use platform-provided secure zeroization function where possible, such as |
| 679 | explicit_bzero(). |
| 680 | * Zeroize SSL cache entries when they are freed. |
| 681 | * Fix a potential heap buffer overread in TLS 1.3 client-side when |
| 682 | MBEDTLS_DEBUG_C is enabled. This may result in an application crash. |
| 683 | * Add support for AES with the Armv8-A Cryptographic Extension on 64-bit |
| 684 | Arm, so that these systems are no longer vulnerable to timing side-channel |
| 685 | attacks. This is configured by MBEDTLS_AESCE_C, which is on by default. |
| 686 | Reported by Demi Marie Obenour. |
| 687 | * MBEDTLS_AESNI_C, which is enabled by default, was silently ignored on |
| 688 | builds that couldn't compile the GCC-style assembly implementation |
| 689 | (most notably builds with Visual Studio), leaving them vulnerable to |
| 690 | timing side-channel attacks. There is now an intrinsics-based AES-NI |
| 691 | implementation as a fallback for when the assembly one cannot be used. |
| 692 | |
| 693 | Bugfix |
| 694 | * Fix possible integer overflow in mbedtls_timing_hardclock(), which |
| 695 | could cause a crash in programs/test/benchmark. |
| 696 | * Fix IAR compiler warnings. Fixes #6924. |
| 697 | * Fix a bug in the build where directory names containing spaces were |
| 698 | causing generate_errors.pl to error out resulting in a build failure. |
| 699 | Fixes issue #6879. |
| 700 | * In TLS 1.3, when using a ticket for session resumption, tweak its age |
| 701 | calculation on the client side. It prevents a server with more accurate |
| 702 | ticket timestamps (typically timestamps in milliseconds) compared to the |
| 703 | Mbed TLS ticket timestamps (in seconds) to compute a ticket age smaller |
| 704 | than the age computed and transmitted by the client and thus potentially |
| 705 | reject the ticket. Fix #6623. |
| 706 | * Fix compile error where MBEDTLS_RSA_C and MBEDTLS_X509_CRT_WRITE_C are |
| 707 | defined, but MBEDTLS_PK_RSA_ALT_SUPPORT is not defined. Fixes #3174. |
| 708 | * List PSA_WANT_ALG_CCM_STAR_NO_TAG in psa/crypto_config.h so that it can |
| 709 | be toggled with config.py. |
| 710 | * The key derivation algorithm PSA_ALG_TLS12_ECJPAKE_TO_PMS cannot be |
| 711 | used on a shared secret from a key agreement since its input must be |
| 712 | an ECC public key. Reject this properly. |
| 713 | * mbedtls_x509write_crt_set_serial() now explicitly rejects serial numbers |
| 714 | whose binary representation is longer than 20 bytes. This was already |
| 715 | forbidden by the standard (RFC5280 - section 4.1.2.2) and now it's being |
| 716 | enforced also at code level. |
| 717 | * Fix potential undefined behavior in mbedtls_mpi_sub_abs(). Reported by |
| 718 | Pascal Cuoq using TrustInSoft Analyzer in #6701; observed independently by |
| 719 | Aaron Ucko under Valgrind. |
| 720 | * Fix behavior of certain sample programs which could, when run with no |
| 721 | arguments, access uninitialized memory in some cases. Fixes #6700 (which |
| 722 | was found by TrustInSoft Analyzer during REDOCS'22) and #1120. |
| 723 | * Fix parsing of X.509 SubjectAlternativeName extension. Previously, |
| 724 | malformed alternative name components were not caught during initial |
| 725 | certificate parsing, but only on subsequent calls to |
| 726 | mbedtls_x509_parse_subject_alt_name(). Fixes #2838. |
| 727 | * Make the fields of mbedtls_pk_rsassa_pss_options public. This makes it |
| 728 | possible to verify RSA PSS signatures with the pk module, which was |
| 729 | inadvertently broken since Mbed TLS 3.0. |
| 730 | * Fix bug in conversion from OID to string in |
| 731 | mbedtls_oid_get_numeric_string(). OIDs such as 2.40.0.25 are now printed |
| 732 | correctly. |
| 733 | * Reject OIDs with overlong-encoded subidentifiers when converting |
| 734 | them to a string. |
| 735 | * Reject OIDs with subidentifier values exceeding UINT_MAX. Such |
| 736 | subidentifiers can be valid, but Mbed TLS cannot currently handle them. |
| 737 | * Reject OIDs that have unterminated subidentifiers, or (equivalently) |
| 738 | have the most-significant bit set in their last byte. |
| 739 | * Silence warnings from clang -Wdocumentation about empty \retval |
| 740 | descriptions, which started appearing with Clang 15. Fixes #6960. |
| 741 | * Fix the handling of renegotiation attempts in TLS 1.3. They are now |
| 742 | systematically rejected. |
| 743 | * Fix an unused-variable warning in TLS 1.3-only builds if |
| 744 | MBEDTLS_SSL_RENEGOTIATION was enabled. Fixes #6200. |
| 745 | * Fix undefined behavior in mbedtls_ssl_read() and mbedtls_ssl_write() if |
| 746 | len argument is 0 and buffer is NULL. |
| 747 | * Allow setting user and peer identifiers for EC J-PAKE operation |
| 748 | instead of role in PAKE PSA Crypto API as described in the specification. |
| 749 | This is a partial fix that allows only "client" and "server" identifiers. |
| 750 | * Fix a compilation error when PSA Crypto is built with support for |
| 751 | TLS12_PRF but not TLS12_PSK_TO_MS. Reported by joerchan in #7125. |
| 752 | * In the TLS 1.3 server, select the preferred client cipher suite, not the |
| 753 | least preferred. The selection error was introduced in Mbed TLS 3.3.0. |
| 754 | * Fix TLS 1.3 session resumption when the established pre-shared key is |
| 755 | 384 bits long. That is the length of pre-shared keys created under a |
| 756 | session where the cipher suite is TLS_AES_256_GCM_SHA384. |
| 757 | * Fix an issue when compiling with MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT |
| 758 | enabled, which required specifying compiler flags enabling SHA3 Crypto |
| 759 | Extensions, where some compilers would emit EOR3 instructions in other |
| 760 | modules, which would then fail if run on a CPU without the SHA3 |
| 761 | extensions. Fixes #5758. |
| 762 | |
| 763 | Changes |
| 764 | * Install the .cmake files into CMAKE_INSTALL_LIBDIR/cmake/MbedTLS, |
| 765 | typically /usr/lib/cmake/MbedTLS. |
| 766 | * Mixed-endian systems are explicitly not supported any more. |
| 767 | * When MBEDTLS_USE_PSA_CRYPTO and MBEDTLS_ECDSA_DETERMINISTIC are both |
| 768 | defined, mbedtls_pk_sign() now use deterministic ECDSA for ECDSA |
| 769 | signatures. This aligns the behaviour with MBEDTLS_USE_PSA_CRYPTO to |
| 770 | the behaviour without it, where deterministic ECDSA was already used. |
| 771 | * Visual Studio: Rename the directory containing Visual Studio files from |
| 772 | visualc/VS2010 to visualc/VS2013 as we do not support building with versions |
| 773 | older than 2013. Update the solution file to specify VS2013 as a minimum. |
| 774 | * programs/x509/cert_write: |
| 775 | - now it accepts the serial number in 2 different formats: decimal and |
| 776 | hex. They cannot be used simultaneously |
| 777 | - "serial" is used for the decimal format and it's limted in size to |
| 778 | unsigned long long int |
| 779 | - "serial_hex" is used for the hex format; max length here is |
| 780 | MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN*2 |
| 781 | * The C code follows a new coding style. This is transparent for users but |
| 782 | affects contributors and maintainers of local patches. For more |
| 783 | information, see |
| 784 | https://mbed-tls.readthedocs.io/en/latest/kb/how-to/rewrite-branch-for-coding-style/ |
| 785 | * Changed the default MBEDTLS_ECP_WINDOW_SIZE from 6 to 2. |
| 786 | As tested in issue 6790, the correlation between this define and |
| 787 | RSA decryption performance has changed lately due to security fixes. |
| 788 | To fix the performance degradation when using default values the |
| 789 | window was reduced from 6 to 2, a value that gives the best or close |
| 790 | to best results when tested on Cortex-M4 and Intel i7. |
| 791 | * When enabling MBEDTLS_SHA256_USE_A64_CRYPTO_* or |
| 792 | MBEDTLS_SHA512_USE_A64_CRYPTO_*, it is no longer necessary to specify |
| 793 | compiler target flags on the command line; the library now sets target |
| 794 | options within the appropriate modules. |
| 795 | |
Dave Rodgman | 69591e9 | 2022-12-08 14:59:54 +0000 | [diff] [blame] | 796 | = Mbed TLS 3.3.0 branch released 2022-12-14 |
| 797 | |
Dave Rodgman | 69591e9 | 2022-12-08 14:59:54 +0000 | [diff] [blame] | 798 | Default behavior changes |
| 799 | * Previously the macro MBEDTLS_SSL_DTLS_CONNECTION_ID implemented version 05 |
| 800 | of the IETF draft, and was marked experimental and disabled by default. |
| 801 | It is now no longer experimental, and implements the final version from |
| 802 | RFC 9146, which is not interoperable with the draft-05 version. |
| 803 | If you need to communicate with peers that use earlier versions of |
| 804 | Mbed TLS, then you need to define MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT |
| 805 | to 1, but then you won't be able to communicate with peers that use the |
| 806 | standard (non-draft) version. |
| 807 | If you need to interoperate with both classes of peers with the |
| 808 | same build of Mbed TLS, please let us know about your situation on the |
| 809 | mailing list or GitHub. |
| 810 | |
| 811 | Requirement changes |
| 812 | * When building with PSA drivers using generate_driver_wrappers.py, or |
| 813 | when building the library from the development branch rather than |
| 814 | from a release, the Python module jsonschema is now necessary, in |
| 815 | addition to jinja2. The official list of required Python modules is |
| 816 | maintained in scripts/basic.requirements.txt and may change again |
| 817 | in the future. |
| 818 | |
| 819 | New deprecations |
| 820 | * Deprecate mbedtls_asn1_free_named_data(). |
| 821 | Use mbedtls_asn1_free_named_data_list() |
| 822 | or mbedtls_asn1_free_named_data_list_shallow(). |
| 823 | |
| 824 | Features |
| 825 | * Support rsa_pss_rsae_* signature algorithms in TLS 1.2. |
| 826 | * make: enable building unversioned shared library, with e.g.: |
| 827 | "SHARED=1 SOEXT_TLS=so SOEXT_X509=so SOEXT_CRYPTO=so make lib" |
| 828 | resulting in library names like "libmbedtls.so" rather than |
| 829 | "libmbedcrypto.so.11". |
| 830 | * Expose the EC J-PAKE functionality through the Draft PSA PAKE Crypto API. |
| 831 | Only the ECC primitive with secp256r1 curve and SHA-256 hash algorithm |
| 832 | are supported in this implementation. |
| 833 | * Some modules can now use PSA drivers for hashes, including with no |
| 834 | built-in implementation present, but only in some configurations. |
| 835 | - RSA OAEP and PSS (PKCS#1 v2.1), PKCS5, PKCS12 and EC J-PAKE now use |
| 836 | hashes from PSA when (and only when) MBEDTLS_MD_C is disabled. |
| 837 | - PEM parsing of encrypted files now uses MD-5 from PSA when (and only |
| 838 | when) MBEDTLS_MD5_C is disabled. |
| 839 | See the documentation of the corresponding macros in mbedtls_config.h for |
| 840 | details. |
| 841 | Note that some modules are not able to use hashes from PSA yet, including |
| 842 | the entropy module. As a consequence, for now the only way to build with |
| 843 | all hashes only provided by drivers (no built-in hash) is to use |
| 844 | MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG. |
| 845 | * When MBEDTLS_USE_PSA_CRYPTO is enabled, X.509, TLS 1.2 and TLS 1.3 now |
| 846 | properly negotiate/accept hashes based on their availability in PSA. |
| 847 | As a consequence, they now work in configurations where the built-in |
| 848 | implementations of (some) hashes are excluded and those hashes are only |
| 849 | provided by PSA drivers. (See previous entry for limitation on RSA-PSS |
| 850 | though: that module only use hashes from PSA when MBEDTLS_MD_C is off). |
| 851 | * Add support for opaque keys as the private keys associated to certificates |
| 852 | for authentication in TLS 1.3. |
| 853 | * Add the LMS post-quantum-safe stateful-hash asymmetric signature scheme. |
| 854 | Signature verification is production-ready, but generation is for testing |
| 855 | purposes only. This currently only supports one parameter set |
| 856 | (LMS_SHA256_M32_H10), meaning that each private key can be used to sign |
| 857 | 1024 messages. As such, it is not intended for use in TLS, but instead |
| 858 | for verification of assets transmitted over an insecure channel, |
| 859 | particularly firmware images. |
| 860 | * Add the LM-OTS post-quantum-safe one-time signature scheme, which is |
| 861 | required for LMS. This can be used independently, but each key can only |
| 862 | be used to sign one message so is impractical for most circumstances. |
| 863 | * Mbed TLS now supports TLS 1.3 key establishment via pre-shared keys. |
| 864 | The pre-shared keys can be provisioned externally or via the ticket |
| 865 | mechanism (session resumption). |
| 866 | The ticket mechanism is supported when the configuration option |
| 867 | MBEDTLS_SSL_SESSION_TICKETS is enabled. |
| 868 | New options MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_xxx_ENABLED |
| 869 | control the support for the three possible TLS 1.3 key exchange modes. |
| 870 | * cert_write: support for setting extended key usage attributes. A |
| 871 | corresponding new public API call has been added in the library, |
| 872 | mbedtls_x509write_crt_set_ext_key_usage(). |
| 873 | * cert_write: support for writing certificate files in either PEM |
| 874 | or DER format. |
| 875 | * The PSA driver wrapper generator generate_driver_wrappers.py now |
| 876 | supports a subset of the driver description language, including |
| 877 | the following entry points: import_key, export_key, export_public_key, |
| 878 | get_builtin_key, copy_key. |
| 879 | * The new functions mbedtls_asn1_free_named_data_list() and |
| 880 | mbedtls_asn1_free_named_data_list_shallow() simplify the management |
| 881 | of memory in named data lists in X.509 structures. |
| 882 | * The TLS 1.2 EC J-PAKE key exchange can now use the PSA Crypto API. |
| 883 | Additional PSA key slots will be allocated in the process of such key |
| 884 | exchange for builds that enable MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED and |
| 885 | MBEDTLS_USE_PSA_CRYPTO. |
| 886 | * Add support for DTLS Connection ID as defined by RFC 9146, controlled by |
| 887 | MBEDTLS_SSL_DTLS_CONNECTION_ID (enabled by default) and configured with |
| 888 | mbedtls_ssl_set_cid(). |
| 889 | * Add a driver dispatch layer for raw key agreement, enabling alternative |
| 890 | implementations of raw key agreement through the key_agreement driver |
| 891 | entry point. This entry point is specified in the proposed PSA driver |
| 892 | interface, but had not yet been implemented. |
Dave Rodgman | 552e107 | 2022-12-14 17:01:51 +0000 | [diff] [blame] | 893 | * Add an ad-hoc key derivation function handling EC J-PAKE to PMS |
| 894 | calculation that can be used to derive the session secret in TLS 1.2, |
| 895 | as described in draft-cragie-tls-ecjpake-01. This can be achieved by |
| 896 | using PSA_ALG_TLS12_ECJPAKE_TO_PMS as the key derivation algorithm. |
Dave Rodgman | 69591e9 | 2022-12-08 14:59:54 +0000 | [diff] [blame] | 897 | |
| 898 | Security |
| 899 | * Fix potential heap buffer overread and overwrite in DTLS if |
| 900 | MBEDTLS_SSL_DTLS_CONNECTION_ID is enabled and |
| 901 | MBEDTLS_SSL_CID_IN_LEN_MAX > 2 * MBEDTLS_SSL_CID_OUT_LEN_MAX. |
Tom Cosgrove | b3c6a1e | 2023-03-08 15:47:00 +0000 | [diff] [blame] | 902 | * Fix an issue where an adversary with access to precise enough information |
| 903 | about memory accesses (typically, an untrusted operating system attacking |
| 904 | a secure enclave) could recover an RSA private key after observing the |
| 905 | victim performing a single private-key operation if the window size used |
| 906 | for the exponentiation was 3 or smaller. Found and reported by Zili KOU, |
Dave Rodgman | 69591e9 | 2022-12-08 14:59:54 +0000 | [diff] [blame] | 907 | Wenjian HE, Sharad Sinha, and Wei ZHANG. See "Cache Side-channel Attacks |
| 908 | and Defenses of the Sliding Window Algorithm in TEEs" - Design, Automation |
| 909 | and Test in Europe 2023. |
| 910 | |
| 911 | Bugfix |
| 912 | * Refactor mbedtls_aes_context to support shallow-copying. Fixes #2147. |
| 913 | * Fix an issue with in-tree CMake builds in releases with GEN_FILES |
| 914 | turned off: if a shipped file was missing from the working directory, |
| 915 | it could be turned into a symbolic link to itself. |
| 916 | * Fix a long-standing build failure when building x86 PIC code with old |
| 917 | gcc (4.x). The code will be slower, but will compile. We do however |
| 918 | recommend upgrading to a more recent compiler instead. Fixes #1910. |
| 919 | * Fix support for little-endian Microblaze when MBEDTLS_HAVE_ASM is defined. |
| 920 | Contributed by Kazuyuki Kimura to fix #2020. |
| 921 | * Use double quotes to include private header file psa_crypto_cipher.h. |
| 922 | Fixes 'file not found with <angled> include' error |
| 923 | when building with Xcode. |
| 924 | * Fix handling of broken symlinks when loading certificates using |
| 925 | mbedtls_x509_crt_parse_path(). Instead of returning an error as soon as a |
| 926 | broken link is encountered, skip the broken link and continue parsing |
| 927 | other certificate files. Contributed by Eduardo Silva in #2602. |
| 928 | * Fix an interoperability failure between an Mbed TLS client with both |
| 929 | TLS 1.2 and TLS 1.3 support, and a TLS 1.2 server that supports |
| 930 | rsa_pss_rsae_* signature algorithms. This failed because Mbed TLS |
| 931 | advertised support for PSS in both TLS 1.2 and 1.3, but only |
| 932 | actually supported PSS in TLS 1.3. |
| 933 | * Fix a compilation error when using CMake with an IAR toolchain. |
| 934 | Fixes #5964. |
| 935 | * Fix a build error due to a missing prototype warning when |
| 936 | MBEDTLS_DEPRECATED_REMOVED is enabled. |
| 937 | * Fix mbedtls_ctr_drbg_free() on an initialized but unseeded context. When |
| 938 | MBEDTLS_AES_ALT is enabled, it could call mbedtls_aes_free() on an |
| 939 | uninitialized context. |
| 940 | * Fix a build issue on Windows using CMake where the source and build |
| 941 | directories could not be on different drives. Fixes #5751. |
| 942 | * Fix bugs and missing dependencies when building and testing |
| 943 | configurations with only one encryption type enabled in TLS 1.2. |
| 944 | * Provide the missing definition of mbedtls_setbuf() in some configurations |
| 945 | with MBEDTLS_PLATFORM_C disabled. Fixes #6118, #6196. |
| 946 | * Fix compilation errors when trying to build with |
| 947 | PSA drivers for AEAD (GCM, CCM, Chacha20-Poly1305). |
| 948 | * Fix memory leak in ssl_parse_certificate_request() caused by |
| 949 | mbedtls_x509_get_name() not freeing allocated objects in case of error. |
| 950 | Change mbedtls_x509_get_name() to clean up allocated objects on error. |
| 951 | * Fix build failure with MBEDTLS_RSA_C and MBEDTLS_PSA_CRYPTO_C but not |
| 952 | MBEDTLS_USE_PSA_CRYPTO or MBEDTLS_PK_WRITE_C. Fixes #6408. |
| 953 | * Fix build failure with MBEDTLS_RSA_C and MBEDTLS_PSA_CRYPTO_C but not |
| 954 | MBEDTLS_PK_PARSE_C. Fixes #6409. |
| 955 | * Fix ECDSA verification, where it was not always validating the |
| 956 | public key. This bug meant that it was possible to verify a |
| 957 | signature with an invalid public key, in some cases. Reported by |
| 958 | Guido Vranken using Cryptofuzz in #4420. |
| 959 | * Fix a possible null pointer dereference if a memory allocation fails |
| 960 | in TLS PRF code. Reported by Michael Madsen in #6516. |
| 961 | * Fix TLS 1.3 session resumption. Fixes #6488. |
| 962 | * Add a configuration check to exclude optional client authentication |
| 963 | in TLS 1.3 (where it is forbidden). |
| 964 | * Fix a bug in which mbedtls_x509_crt_info() would produce non-printable |
| 965 | bytes when parsing certificates containing a binary RFC 4108 |
| 966 | HardwareModuleName as a Subject Alternative Name extension. Hardware |
| 967 | serial numbers are now rendered in hex format. Fixes #6262. |
| 968 | * Fix bug in error reporting in dh_genprime.c where upon failure, |
| 969 | the error code returned by mbedtls_mpi_write_file() is overwritten |
| 970 | and therefore not printed. |
| 971 | * In the bignum module, operations of the form (-A) - (+A) or (-A) - (-A) |
| 972 | with A > 0 created an unintended representation of the value 0 which was |
| 973 | not processed correctly by some bignum operations. Fix this. This had no |
| 974 | consequence on cryptography code, but might affect applications that call |
| 975 | bignum directly and use negative numbers. |
| 976 | * Fix a bug whereby the list of signature algorithms sent as part of |
| 977 | the TLS 1.2 server certificate request would get corrupted, meaning the |
| 978 | first algorithm would not get sent and an entry consisting of two random |
| 979 | bytes would be sent instead. Found by Serban Bejan and Dudek Sebastian. |
| 980 | * Fix undefined behavior (typically harmless in practice) of |
| 981 | mbedtls_mpi_add_mpi(), mbedtls_mpi_add_abs() and mbedtls_mpi_add_int() |
| 982 | when both operands are 0 and the left operand is represented with 0 limbs. |
| 983 | * Fix undefined behavior (typically harmless in practice) when some bignum |
| 984 | functions receive the most negative value of mbedtls_mpi_sint. Credit |
| 985 | to OSS-Fuzz. Fixes #6597. |
| 986 | * Fix undefined behavior (typically harmless in practice) in PSA ECB |
| 987 | encryption and decryption. |
| 988 | * Move some SSL-specific code out of libmbedcrypto where it had been placed |
| 989 | accidentally. |
| 990 | * Fix a build error when compiling the bignum module for some Arm platforms. |
| 991 | Fixes #6089, #6124, #6217. |
| 992 | |
| 993 | Changes |
| 994 | * Add the ability to query PSA_WANT_xxx macros to query_compile_time_config. |
| 995 | * Calling AEAD tag-specific functions for non-AEAD algorithms (which |
| 996 | should not be done - they are documented for use only by AES-GCM and |
| 997 | ChaCha20+Poly1305) now returns MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE |
| 998 | instead of success (0). |
| 999 | |
Paul Elliott | 869298b | 2022-07-12 10:39:42 +0100 | [diff] [blame] | 1000 | = Mbed TLS 3.2.1 branch released 2022-07-12 |
| 1001 | |
| 1002 | Bugfix |
Paul Elliott | 4ecb1b5 | 2022-09-20 14:33:13 +0100 | [diff] [blame] | 1003 | * Re-add missing generated file library/psa_crypto_driver_wrappers.c |
Paul Elliott | 869298b | 2022-07-12 10:39:42 +0100 | [diff] [blame] | 1004 | |
Paul Elliott | 2238eed | 2022-07-08 18:19:12 +0100 | [diff] [blame] | 1005 | = Mbed TLS 3.2.0 branch released 2022-07-11 |
| 1006 | |
| 1007 | Default behavior changes |
| 1008 | * mbedtls_cipher_set_iv will now fail with ChaCha20 and ChaCha20+Poly1305 |
| 1009 | for IV lengths other than 12. The library was silently overwriting this |
| 1010 | length with 12, but did not inform the caller about it. Fixes #4301. |
| 1011 | |
| 1012 | Requirement changes |
| 1013 | * The library will no longer compile out of the box on a platform without |
| 1014 | setbuf(). If your platform does not have setbuf(), you can configure an |
| 1015 | alternative function by enabling MBEDTLS_PLATFORM_SETBUF_ALT or |
| 1016 | MBEDTLS_PLATFORM_SETBUF_MACRO. |
| 1017 | |
| 1018 | New deprecations |
| 1019 | * Deprecate mbedtls_ssl_conf_max_version() and |
| 1020 | mbedtls_ssl_conf_min_version() in favor of |
| 1021 | mbedtls_ssl_conf_max_tls_version() and |
| 1022 | mbedtls_ssl_conf_min_tls_version(). |
| 1023 | * Deprecate mbedtls_cipher_setup_psa(). Use psa_aead_xxx() or |
| 1024 | psa_cipher_xxx() directly instead. |
| 1025 | * Secure element drivers enabled by MBEDTLS_PSA_CRYPTO_SE_C are deprecated. |
| 1026 | This was intended as an experimental feature, but had not been explicitly |
| 1027 | documented as such. Use opaque drivers with the interface enabled by |
| 1028 | MBEDTLS_PSA_CRYPTO_DRIVERS instead. |
| 1029 | * Deprecate mbedtls_ssl_conf_sig_hashes() in favor of the more generic |
| 1030 | mbedtls_ssl_conf_sig_algs(). Signature algorithms for the TLS 1.2 and |
| 1031 | TLS 1.3 handshake should now be configured with |
| 1032 | mbedtls_ssl_conf_sig_algs(). |
| 1033 | |
| 1034 | Features |
| 1035 | * Add accessor to obtain ciphersuite id from ssl context. |
| 1036 | * Add accessors to get members from ciphersuite info. |
| 1037 | * Add mbedtls_ssl_ticket_rotate() for external ticket rotation. |
| 1038 | * Add accessor to get the raw buffer pointer from a PEM context. |
| 1039 | * The structures mbedtls_ssl_config and mbedtls_ssl_context now store |
| 1040 | a piece of user data which is reserved for the application. The user |
| 1041 | data can be either a pointer or an integer. |
| 1042 | * Add an accessor function to get the configuration associated with |
| 1043 | an SSL context. |
| 1044 | * Add a function to access the protocol version from an SSL context in a |
| 1045 | form that's easy to compare. Fixes #5407. |
| 1046 | * Add function mbedtls_md_info_from_ctx() to recall the message digest |
| 1047 | information that was used to set up a message digest context. |
| 1048 | * Add ALPN support in TLS 1.3 clients. |
| 1049 | * Add server certificate selection callback near end of Client Hello. |
| 1050 | Register callback with mbedtls_ssl_conf_cert_cb(). |
| 1051 | * Provide mechanism to reset handshake cert list by calling |
| 1052 | mbedtls_ssl_set_hs_own_cert() with NULL value for own_cert param. |
| 1053 | * Add accessor mbedtls_ssl_get_hs_sni() to retrieve SNI from within |
| 1054 | cert callback (mbedtls_ssl_conf_cert_cb()) during handshake. |
| 1055 | * The X.509 module now uses PSA hash acceleration if present. |
| 1056 | * Add support for psa crypto key derivation for elliptic curve |
| 1057 | keys. Fixes #3260. |
| 1058 | * Add function mbedtls_timing_get_final_delay() to access the private |
| 1059 | final delay field in an mbedtls_timing_delay_context, as requested in |
| 1060 | #5183. |
| 1061 | * Add mbedtls_pk_sign_ext() which allows generating RSA-PSS signatures when |
| 1062 | PSA Crypto is enabled. |
| 1063 | * Add function mbedtls_ecp_export() to export ECP key pair parameters. |
| 1064 | Fixes #4838. |
| 1065 | * Add function mbedtls_ssl_is_handshake_over() to enable querying if the SSL |
| 1066 | Handshake has completed or not, and thus whether to continue calling |
| 1067 | mbedtls_ssl_handshake_step(), requested in #4383. |
| 1068 | * Add the function mbedtls_ssl_get_own_cid() to access our own connection id |
| 1069 | within mbedtls_ssl_context, as requested in #5184. |
| 1070 | * Introduce mbedtls_ssl_hs_cb_t typedef for use with |
| 1071 | mbedtls_ssl_conf_cert_cb() and perhaps future callbacks |
| 1072 | during TLS handshake. |
| 1073 | * Add functions mbedtls_ssl_conf_max_tls_version() and |
| 1074 | mbedtls_ssl_conf_min_tls_version() that use a single value to specify |
| 1075 | the protocol version. |
| 1076 | * Extend the existing PSA_ALG_TLS12_PSK_TO_MS() algorithm to support |
| 1077 | mixed-PSK. Add an optional input PSA_KEY_DERIVATION_INPUT_OTHER_SECRET |
| 1078 | holding the other secret. |
| 1079 | * When MBEDTLS_PSA_CRYPTO_CONFIG is enabled, you may list the PSA crypto |
| 1080 | feature requirements in the file named by the new macro |
| 1081 | MBEDTLS_PSA_CRYPTO_CONFIG_FILE instead of the default psa/crypto_config.h. |
| 1082 | Furthermore you may name an additional file to include after the main |
| 1083 | file with the macro MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE. |
| 1084 | * Add the function mbedtls_x509_crt_has_ext_type() to access the ext types |
| 1085 | field within mbedtls_x509_crt context, as requested in #5585. |
| 1086 | * Add HKDF-Expand and HKDF-Extract as separate algorithms in the PSA API. |
| 1087 | * Add support for the ARMv8 SHA-2 acceleration instructions when building |
| 1088 | for Aarch64. |
| 1089 | * Add support for authentication of TLS 1.3 clients by TLS 1.3 servers. |
| 1090 | * Add support for server HelloRetryRequest message. The TLS 1.3 client is |
| 1091 | now capable of negotiating another shared secret if the one sent in its |
| 1092 | first ClientHello was not suitable to the server. |
| 1093 | * Add support for client-side TLS version negotiation. If both TLS 1.2 and |
| 1094 | TLS 1.3 protocols are enabled in the build of Mbed TLS, the TLS client now |
| 1095 | negotiates TLS 1.3 or TLS 1.2 with TLS servers. |
| 1096 | * Enable building of Mbed TLS with TLS 1.3 protocol support but without TLS |
| 1097 | 1.2 protocol support. |
| 1098 | * Mbed TLS provides an implementation of a TLS 1.3 server (ephemeral key |
| 1099 | establishment only). See docs/architecture/tls13-support.md for a |
| 1100 | description of the support. The MBEDTLS_SSL_PROTO_TLS1_3 and |
| 1101 | MBEDTLS_SSL_SRV_C configuration options control this. |
| 1102 | * Add accessors to configure DN hints for certificate request: |
| 1103 | mbedtls_ssl_conf_dn_hints() and mbedtls_ssl_set_hs_dn_hints() |
| 1104 | * The configuration option MBEDTLS_USE_PSA_CRYPTO, which previously |
| 1105 | affected only a limited subset of crypto operations in TLS, X.509 and PK, |
| 1106 | now causes most of them to be done using PSA Crypto; see |
| 1107 | docs/use-psa-crypto.md for the list of exceptions. |
| 1108 | * The function mbedtls_pk_setup_opaque() now supports RSA key pairs as well. |
| 1109 | Opaque keys can now be used everywhere a private key is expected in the |
| 1110 | TLS and X.509 modules. |
| 1111 | * Opaque pre-shared keys for TLS, provisioned with |
| 1112 | mbedtls_ssl_conf_psk_opaque() or mbedtls_ssl_set_hs_psk_opaque(), which |
| 1113 | previously only worked for "pure" PSK key exchange, now can also be used |
| 1114 | for the "mixed" PSK key exchanges as well: ECDHE-PSK, DHE-PSK, RSA-PSK. |
| 1115 | * cmake now detects if it is being built as a sub-project, and in that case |
| 1116 | disables the target export/installation and package configuration. |
| 1117 | * Make USE_PSA_CRYPTO compatible with KEY_ID_ENCODES_OWNER. Fixes #5259. |
| 1118 | * Add example programs cipher_aead_demo.c, md_hmac_demo.c, aead_demo.c |
| 1119 | and hmac_demo.c, which use PSA and the md/cipher interfaces side |
| 1120 | by side in order to illustrate how the operation is performed in PSA. |
| 1121 | Addresses #5208. |
| 1122 | |
| 1123 | Security |
| 1124 | * Zeroize dynamically-allocated buffers used by the PSA Crypto key storage |
| 1125 | module before freeing them. These buffers contain secret key material, and |
| 1126 | could thus potentially leak the key through freed heap. |
| 1127 | * Fix potential memory leak inside mbedtls_ssl_cache_set() with |
| 1128 | an invalid session id length. |
| 1129 | * Add the platform function mbedtls_setbuf() to allow buffering to be |
| 1130 | disabled on stdio files, to stop secrets loaded from said files being |
| 1131 | potentially left in memory after file operations. Reported by |
| 1132 | Glenn Strauss. |
| 1133 | * Fix a potential heap buffer overread in TLS 1.2 server-side when |
| 1134 | MBEDTLS_USE_PSA_CRYPTO is enabled, an opaque key (created with |
| 1135 | mbedtls_pk_setup_opaque()) is provisioned, and a static ECDH ciphersuite |
| 1136 | is selected. This may result in an application crash or potentially an |
| 1137 | information leak. |
| 1138 | * Fix a buffer overread in DTLS ClientHello parsing in servers with |
| 1139 | MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE enabled. An unauthenticated client |
| 1140 | or a man-in-the-middle could cause a DTLS server to read up to 255 bytes |
| 1141 | after the end of the SSL input buffer. The buffer overread only happens |
| 1142 | when MBEDTLS_SSL_IN_CONTENT_LEN is less than a threshold that depends on |
| 1143 | the exact configuration: 258 bytes if using mbedtls_ssl_cookie_check(), |
| 1144 | and possibly up to 571 bytes with a custom cookie check function. |
| 1145 | Reported by the Cybeats PSI Team. |
| 1146 | * Fix a buffer overread in TLS 1.3 Certificate parsing. An unauthenticated |
| 1147 | client or server could cause an MbedTLS server or client to overread up |
| 1148 | to 64 kBytes of data and potentially overread the input buffer by that |
| 1149 | amount minus the size of the input buffer. As overread data undergoes |
| 1150 | various checks, the likelihood of reaching the boundary of the input |
| 1151 | buffer is rather small but increases as its size |
| 1152 | MBEDTLS_SSL_IN_CONTENT_LEN decreases. |
| 1153 | * Fix check of certificate key usage in TLS 1.3. The usage of the public key |
| 1154 | provided by a client or server certificate for authentication was not |
| 1155 | checked properly when validating the certificate. This could cause a |
| 1156 | client or server to be able to authenticate itself through a certificate |
| 1157 | to an Mbed TLS TLS 1.3 server or client while it does not own a proper |
| 1158 | certificate to do so. |
| 1159 | |
| 1160 | Bugfix |
| 1161 | * Declare or use PSA_WANT_ALG_CCM_STAR_NO_TAG following the general |
| 1162 | pattern for PSA_WANT_xxx symbols. Previously you had to specify |
| 1163 | PSA_WANT_ALG_CCM for PSA_ALG_CCM_STAR_NO_TAG. |
| 1164 | * Fix a memory leak if mbedtls_ssl_config_defaults() is called twice. |
| 1165 | * Fixed swap of client and server random bytes when exporting them alongside |
| 1166 | TLS 1.3 handshake and application traffic secret. |
| 1167 | * Fix several bugs (warnings, compiler and linker errors, test failures) |
| 1168 | in reduced configurations when MBEDTLS_USE_PSA_CRYPTO is enabled. |
| 1169 | * Fix a bug in (D)TLS curve negotiation: when MBEDTLS_USE_PSA_CRYPTO was |
| 1170 | enabled and an ECDHE-ECDSA or ECDHE-RSA key exchange was used, the |
| 1171 | client would fail to check that the curve selected by the server for |
| 1172 | ECDHE was indeed one that was offered. As a result, the client would |
| 1173 | accept any curve that it supported, even if that curve was not allowed |
| 1174 | according to its configuration. Fixes #5291. |
| 1175 | * The TLS 1.3 implementation is now compatible with the |
| 1176 | MBEDTLS_USE_PSA_CRYPTO configuration option. |
| 1177 | * Fix unit tests that used 0 as the file UID. This failed on some |
| 1178 | implementations of PSA ITS. Fixes #3838. |
| 1179 | * Fix mbedtls_ssl_get_version() not reporting TLSv1.3. Fixes #5406. |
| 1180 | * Fix API violation in mbedtls_md_process() test by adding a call to |
| 1181 | mbedtls_md_starts(). Fixes #2227. |
| 1182 | * Fix compile errors when MBEDTLS_HAVE_TIME is not defined. Add tests |
| 1183 | to catch bad uses of time.h. |
| 1184 | * Fix a race condition in out-of-source builds with CMake when generated data |
| 1185 | files are already present. Fixes #5374. |
| 1186 | * Fix the library search path when building a shared library with CMake |
| 1187 | on Windows. |
| 1188 | * Fix bug in the alert sending function mbedtls_ssl_send_alert_message() |
| 1189 | potentially leading to corrupted alert messages being sent in case |
| 1190 | the function needs to be re-called after initially returning |
| 1191 | MBEDTLS_SSL_WANT_WRITE. Fixes #1916. |
| 1192 | * In configurations with MBEDTLS_SSL_DTLS_CONNECTION_ID enabled but not |
| 1193 | MBEDTLS_DEBUG_C, DTLS handshakes using CID would crash due to a null |
| 1194 | pointer dereference. Fix this. Fixes #3998. |
| 1195 | The fix was released, but not announced, in Mbed TLS 3.1.0. |
| 1196 | * Fix incorrect documentation of mbedtls_x509_crt_profile. The previous |
| 1197 | documentation stated that the `allowed_pks` field applies to signatures |
| 1198 | only, but in fact it does apply to the public key type of the end entity |
| 1199 | certificate, too. Fixes #1992. |
| 1200 | * Fix undefined behavior in mbedtls_asn1_find_named_data(), where val is |
| 1201 | not NULL and val_len is zero. |
| 1202 | * Fix compilation error with mingw32. Fixed by Cameron Cawley in #4211. |
| 1203 | * Fix compilation error when using C++ Builder on Windows. Reported by |
| 1204 | Miroslav Mastny in #4015. |
| 1205 | * psa_raw_key_agreement() now returns PSA_ERROR_BUFFER_TOO_SMALL when |
| 1206 | applicable. Fixes #5735. |
| 1207 | * Fix a bug in the x25519 example program where the removal of |
| 1208 | MBEDTLS_ECDH_LEGACY_CONTEXT caused the program not to run. Fixes #4901 and |
| 1209 | #3191. |
| 1210 | * Fix a TLS 1.3 handshake failure when the peer Finished message has not |
| 1211 | been received yet when we first try to fetch it. |
| 1212 | * Encode X.509 dates before 1/1/2000 as UTCTime rather than |
| 1213 | GeneralizedTime. Fixes #5465. |
| 1214 | * Add mbedtls_x509_dn_get_next function to return the next relative DN in |
| 1215 | an X509 name, to allow walking the name list. Fixes #5431. |
| 1216 | * Fix order value of curve x448. |
| 1217 | * Fix string representation of DNs when outputting values containing commas |
| 1218 | and other special characters, conforming to RFC 1779. Fixes #769. |
| 1219 | * Silence a warning from GCC 12 in the selftest program. Fixes #5974. |
| 1220 | * Fix check_config.h to check that we have MBEDTLS_SSL_KEEP_PEER_CERTIFICATE |
| 1221 | when MBEDTLS_SSL_PROTO_TLS1_3 is specified, and make this and other |
| 1222 | dependencies explicit in the documentation. Fixes #5610. |
| 1223 | * Fix mbedtls_asn1_write_mpi() writing an incorrect encoding of 0. |
| 1224 | * Fix a TLS 1.3 handshake failure when the first attempt to send the client |
| 1225 | Finished message on the network cannot be satisfied. Fixes #5499. |
| 1226 | * Fix resource leaks in mbedtls_pk_parse_public_key() in low |
| 1227 | memory conditions. |
| 1228 | * Fix server connection identifier setting for outgoing encrypted records |
| 1229 | on DTLS 1.2 session resumption. After DTLS 1.2 session resumption with |
| 1230 | connection identifier, the Mbed TLS client now properly sends the server |
| 1231 | connection identifier in encrypted record headers. Fix #5872. |
| 1232 | * Fix a null pointer dereference when performing some operations on zero |
| 1233 | represented with 0 limbs (specifically mbedtls_mpi_mod_int() dividing |
| 1234 | by 2, and mbedtls_mpi_write_string() in base 2). |
| 1235 | * Fix record sizes larger than 16384 being sometimes accepted despite being |
| 1236 | non-compliant. This could not lead to a buffer overflow. In particular, |
| 1237 | application data size was already checked correctly. |
| 1238 | * Fix MBEDTLS_SVC_KEY_ID_GET_KEY_ID() and MBEDTLS_SVC_KEY_ID_GET_OWNER_ID() |
| 1239 | which have been broken, resulting in compilation errors, since Mbed TLS |
| 1240 | 3.0. |
| 1241 | * Ensure that TLS 1.2 ciphersuite/certificate and key selection takes into |
| 1242 | account not just the type of the key (RSA vs EC) but also what it can |
| 1243 | actually do. Resolves #5831. |
| 1244 | * Fix CMake windows host detection, especially when cross compiling. |
| 1245 | * Fix an error in make where the absence of a generated file caused |
| 1246 | make to break on a clean checkout. Fixes #5340. |
| 1247 | * Work around an MSVC ARM64 compiler bug causing incorrect behaviour |
| 1248 | in mbedtls_mpi_exp_mod(). Reported by Tautvydas Žilys in #5467. |
Dave Rodgman | 2b52a2e | 2022-12-12 15:23:44 +0000 | [diff] [blame] | 1249 | * Removed the prompt to exit from all windows build programs, which was causing |
Paul Elliott | 2238eed | 2022-07-08 18:19:12 +0100 | [diff] [blame] | 1250 | issues in CI/CD environments. |
| 1251 | |
| 1252 | Changes |
| 1253 | * The file library/psa_crypto_driver_wrappers.c is now generated |
| 1254 | from a template. In the future, the generation will support |
| 1255 | driver descriptions. For the time being, to customize this file, |
| 1256 | see docs/proposed/psa-driver-wrappers-codegen-migration-guide.md |
| 1257 | * Return PSA_ERROR_INVALID_ARGUMENT if the algorithm passed to one-shot |
| 1258 | AEAD functions is not an AEAD algorithm. This aligns them with the |
| 1259 | multipart functions, and the PSA Crypto API 1.1 specification. |
| 1260 | * In mbedtls_pk_parse_key(), if no password is provided, don't allocate a |
| 1261 | temporary variable on the heap. Suggested by Sergey Kanatov in #5304. |
| 1262 | * Assume source files are in UTF-8 when using MSVC with CMake. |
| 1263 | * Fix runtime library install location when building with CMake and MinGW. |
| 1264 | DLLs are now installed in the bin directory instead of lib. |
| 1265 | * cmake: Use GnuInstallDirs to customize install directories |
| 1266 | Replace custom LIB_INSTALL_DIR variable with standard CMAKE_INSTALL_LIBDIR |
| 1267 | variable. For backward compatibility, set CMAKE_INSTALL_LIBDIR if |
| 1268 | LIB_INSTALL_DIR is set. |
| 1269 | * Add a CMake option that enables static linking of the runtime library |
| 1270 | in Microsoft Visual C++ compiler. Contributed by Microplankton. |
| 1271 | * In CMake builds, add aliases for libraries so that the normal MbedTLS::* |
| 1272 | targets work when MbedTLS is built as a subdirectory. This allows the |
| 1273 | use of FetchContent, as requested in #5688. |
Paul Bakker | 99ed678 | 2011-01-05 14:48:42 +0000 | [diff] [blame] | 1274 | |
Ronald Cron | 1ffa6a5 | 2021-12-14 15:57:17 +0100 | [diff] [blame] | 1275 | = mbed TLS 3.1.0 branch released 2021-12-17 |
Ronald Cron | 831cf48 | 2021-12-15 09:02:38 +0100 | [diff] [blame] | 1276 | |
| 1277 | API changes |
| 1278 | * New error code for GCM: MBEDTLS_ERR_GCM_BUFFER_TOO_SMALL. |
| 1279 | Alternative GCM implementations are expected to verify |
| 1280 | the length of the provided output buffers and to return the |
| 1281 | MBEDTLS_ERR_GCM_BUFFER_TOO_SMALL in case the buffer length is too small. |
| 1282 | * You can configure groups for a TLS key exchange with the new function |
| 1283 | mbedtls_ssl_conf_groups(). It extends mbedtls_ssl_conf_curves(). |
| 1284 | * Declare a number of structure fields as public: the fields of |
| 1285 | mbedtls_ecp_curve_info, the fields describing the result of ASN.1 and |
| 1286 | X.509 parsing, and finally the field fd of mbedtls_net_context on |
| 1287 | POSIX/Unix-like platforms. |
| 1288 | |
| 1289 | Requirement changes |
| 1290 | * Sign-magnitude and one's complement representations for signed integers are |
| 1291 | not supported. Two's complement is the only supported representation. |
| 1292 | |
| 1293 | New deprecations |
| 1294 | * Deprecate mbedtls_ssl_conf_curves() in favor of the more generic |
| 1295 | mbedtls_ssl_conf_groups(). |
| 1296 | |
| 1297 | Removals |
| 1298 | * Remove the partial support for running unit tests via Greentea on Mbed OS, |
| 1299 | which had been unmaintained since 2018. |
| 1300 | |
| 1301 | Features |
| 1302 | * Enable support for Curve448 via the PSA API. Contributed by |
| 1303 | Archana Madhavan in #4626. Fixes #3399 and #4249. |
| 1304 | * The identifier of the CID TLS extension can be configured by defining |
| 1305 | MBEDTLS_TLS_EXT_CID at compile time. |
| 1306 | * Implement the PSA multipart AEAD interface, currently supporting |
| 1307 | ChaChaPoly and GCM. |
| 1308 | * Warn if errors from certain functions are ignored. This is currently |
| 1309 | supported on GCC-like compilers and on MSVC and can be configured through |
| 1310 | the macro MBEDTLS_CHECK_RETURN. The warnings are always enabled |
| 1311 | (where supported) for critical functions where ignoring the return |
| 1312 | value is almost always a bug. Enable the new configuration option |
| 1313 | MBEDTLS_CHECK_RETURN_WARNING to get warnings for other functions. This |
| 1314 | is currently implemented in the AES, DES and md modules, and will be |
| 1315 | extended to other modules in the future. |
| 1316 | * Add missing PSA macros declared by PSA Crypto API 1.0.0: |
| 1317 | PSA_ALG_IS_SIGN_HASH, PSA_ALG_NONE, PSA_HASH_BLOCK_LENGTH, PSA_KEY_ID_NULL. |
| 1318 | * Add support for CCM*-no-tag cipher to the PSA. |
| 1319 | Currently only 13-byte long IV's are supported. |
| 1320 | For decryption a minimum of 16-byte long input is expected. |
| 1321 | These restrictions may be subject to change. |
Ronald Cron | 1ffa6a5 | 2021-12-14 15:57:17 +0100 | [diff] [blame] | 1322 | * Add new API mbedtls_ct_memcmp for constant time buffer comparison. |
Ronald Cron | 831cf48 | 2021-12-15 09:02:38 +0100 | [diff] [blame] | 1323 | * Add functions to get the IV and block size from cipher_info structs. |
| 1324 | * Add functions to check if a cipher supports variable IV or key size. |
| 1325 | * Add the internal implementation of and support for CCM to the PSA multipart |
| 1326 | AEAD interface. |
| 1327 | * Mbed TLS provides a minimum viable implementation of the TLS 1.3 |
| 1328 | protocol. See docs/architecture/tls13-support.md for the definition of |
| 1329 | the TLS 1.3 Minimum Viable Product (MVP). The MBEDTLS_SSL_PROTO_TLS1_3 |
| 1330 | configuration option controls the enablement of the support. The APIs |
| 1331 | mbedtls_ssl_conf_min_version() and mbedtls_ssl_conf_max_version() allow |
| 1332 | to select the 1.3 version of the protocol to establish a TLS connection. |
| 1333 | * Add PSA API definition for ARIA. |
| 1334 | |
| 1335 | Security |
| 1336 | * Zeroize several intermediate variables used to calculate the expected |
| 1337 | value when verifying a MAC or AEAD tag. This hardens the library in |
| 1338 | case the value leaks through a memory disclosure vulnerability. For |
| 1339 | example, a memory disclosure vulnerability could have allowed a |
| 1340 | man-in-the-middle to inject fake ciphertext into a DTLS connection. |
| 1341 | * In psa_aead_generate_nonce(), do not read back from the output buffer. |
| 1342 | This fixes a potential policy bypass or decryption oracle vulnerability |
| 1343 | if the output buffer is in memory that is shared with an untrusted |
| 1344 | application. |
| 1345 | * In psa_cipher_generate_iv() and psa_cipher_encrypt(), do not read back |
| 1346 | from the output buffer. This fixes a potential policy bypass or decryption |
| 1347 | oracle vulnerability if the output buffer is in memory that is shared with |
| 1348 | an untrusted application. |
| 1349 | * Fix a double-free that happened after mbedtls_ssl_set_session() or |
| 1350 | mbedtls_ssl_get_session() failed with MBEDTLS_ERR_SSL_ALLOC_FAILED |
| 1351 | (out of memory). After that, calling mbedtls_ssl_session_free() |
| 1352 | and mbedtls_ssl_free() would cause an internal session buffer to |
| 1353 | be free()'d twice. |
| 1354 | |
| 1355 | Bugfix |
| 1356 | * Stop using reserved identifiers as local variables. Fixes #4630. |
| 1357 | * The GNU makefiles invoke python3 in preference to python except on Windows. |
| 1358 | The check was accidentally not performed when cross-compiling for Windows |
| 1359 | on Linux. Fix this. Fixes #4774. |
| 1360 | * Prevent divide by zero if either of PSA_CIPHER_ENCRYPT_OUTPUT_SIZE() or |
| 1361 | PSA_CIPHER_UPDATE_OUTPUT_SIZE() were called using an asymmetric key type. |
| 1362 | * Fix a parameter set but unused in psa_crypto_cipher.c. Fixes #4935. |
| 1363 | * Don't use the obsolete header path sys/fcntl.h in unit tests. |
| 1364 | These header files cause compilation errors in musl. |
| 1365 | Fixes #4969. |
| 1366 | * Fix missing constraints on x86_64 and aarch64 assembly code |
| 1367 | for bignum multiplication that broke some bignum operations with |
| 1368 | (at least) Clang 12. |
| 1369 | Fixes #4116, #4786, #4917, #4962. |
| 1370 | * Fix mbedtls_cipher_crypt: AES-ECB when MBEDTLS_USE_PSA_CRYPTO is enabled. |
| 1371 | * Failures of alternative implementations of AES or DES single-block |
| 1372 | functions enabled with MBEDTLS_AES_ENCRYPT_ALT, MBEDTLS_AES_DECRYPT_ALT, |
| 1373 | MBEDTLS_DES_CRYPT_ECB_ALT or MBEDTLS_DES3_CRYPT_ECB_ALT were ignored. |
| 1374 | This does not concern the implementation provided with Mbed TLS, |
| 1375 | where this function cannot fail, or full-module replacements with |
| 1376 | MBEDTLS_AES_ALT or MBEDTLS_DES_ALT. Reported by Armelle Duboc in #1092. |
| 1377 | * Some failures of HMAC operations were ignored. These failures could only |
| 1378 | happen with an alternative implementation of the underlying hash module. |
| 1379 | * Fix the error returned by psa_generate_key() for a public key. Fixes #4551. |
| 1380 | * Fix compile-time or run-time errors in PSA |
| 1381 | AEAD functions when ChachaPoly is disabled. Fixes #5065. |
| 1382 | * Remove PSA'a AEAD finish/verify output buffer limitation for GCM. |
| 1383 | The requirement of minimum 15 bytes for output buffer in |
| 1384 | psa_aead_finish() and psa_aead_verify() does not apply to the built-in |
| 1385 | implementation of GCM. |
| 1386 | * Move GCM's update output buffer length verification from PSA AEAD to |
| 1387 | the built-in implementation of the GCM. |
| 1388 | The requirement for output buffer size to be equal or greater then |
| 1389 | input buffer size is valid only for the built-in implementation of GCM. |
| 1390 | Alternative GCM implementations can process whole blocks only. |
| 1391 | * Fix the build of sample programs when neither MBEDTLS_ERROR_C nor |
| 1392 | MBEDTLS_ERROR_STRERROR_DUMMY is enabled. |
| 1393 | * Fix PSA_ALG_RSA_PSS verification accepting an arbitrary salt length. |
| 1394 | This algorithm now accepts only the same salt length for verification |
| 1395 | that it produces when signing, as documented. Use the new algorithm |
| 1396 | PSA_ALG_RSA_PSS_ANY_SALT to accept any salt length. Fixes #4946. |
| 1397 | * The existing predicate macro name PSA_ALG_IS_HASH_AND_SIGN is now reserved |
| 1398 | for algorithm values that fully encode the hashing step, as per the PSA |
| 1399 | Crypto API specification. This excludes PSA_ALG_RSA_PKCS1V15_SIGN_RAW and |
| 1400 | PSA_ALG_ECDSA_ANY. The new predicate macro PSA_ALG_IS_SIGN_HASH covers |
| 1401 | all algorithms that can be used with psa_{sign,verify}_hash(), including |
| 1402 | these two. |
| 1403 | * Fix issue in Makefile on Linux with SHARED=1, that caused shared libraries |
| 1404 | not to list other shared libraries they need. |
Ronald Cron | 1ffa6a5 | 2021-12-14 15:57:17 +0100 | [diff] [blame] | 1405 | * Fix a bug in mbedtls_gcm_starts() when the bit length of the iv |
| 1406 | exceeds 2^32. Fixes #4884. |
Ronald Cron | 831cf48 | 2021-12-15 09:02:38 +0100 | [diff] [blame] | 1407 | * Fix an uninitialized variable warning in test_suite_ssl.function with GCC |
| 1408 | version 11. |
| 1409 | * Fix the build when no SHA2 module is included. Fixes #4930. |
| 1410 | * Fix the build when only the bignum module is included. Fixes #4929. |
| 1411 | * Fix a potential invalid pointer dereference and infinite loop bugs in |
| 1412 | pkcs12 functions when the password is empty. Fix the documentation to |
| 1413 | better describe the inputs to these functions and their possible values. |
| 1414 | Fixes #5136. |
| 1415 | * The key usage flags PSA_KEY_USAGE_SIGN_MESSAGE now allows the MAC |
| 1416 | operations psa_mac_compute() and psa_mac_sign_setup(). |
| 1417 | * The key usage flags PSA_KEY_USAGE_VERIFY_MESSAGE now allows the MAC |
| 1418 | operations psa_mac_verify() and psa_mac_verify_setup(). |
| 1419 | |
| 1420 | Changes |
| 1421 | * Explicitly mark the fields mbedtls_ssl_session.exported and |
| 1422 | mbedtls_ssl_config.respect_cli_pref as private. This was an |
| 1423 | oversight during the run-up to the release of Mbed TLS 3.0. |
| 1424 | The fields were never intended to be public. |
| 1425 | * Implement multi-part CCM API. |
| 1426 | The multi-part functions: mbedtls_ccm_starts(), mbedtls_ccm_set_lengths(), |
| 1427 | mbedtls_ccm_update_ad(), mbedtls_ccm_update(), mbedtls_ccm_finish() |
| 1428 | were introduced in mbedTLS 3.0 release, however their implementation was |
| 1429 | postponed until now. |
| 1430 | Implemented functions support chunked data input for both CCM and CCM* |
| 1431 | algorithms. |
| 1432 | * Remove MBEDTLS_SSL_EXPORT_KEYS, making it always on and increasing the |
| 1433 | code size by about 80B on an M0 build. This option only gated an ability |
| 1434 | to set a callback, but was deemed unnecessary as it was yet another define |
| 1435 | to remember when writing tests, or test configurations. Fixes #4653. |
| 1436 | * Improve the performance of base64 constant-flow code. The result is still |
| 1437 | slower than the original non-constant-flow implementation, but much faster |
| 1438 | than the previous constant-flow implementation. Fixes #4814. |
| 1439 | * Ignore plaintext/ciphertext lengths for CCM*-no-tag operations. |
| 1440 | For CCM* encryption/decryption without authentication, input |
| 1441 | length will be ignored. |
| 1442 | * Indicate in the error returned if the nonce length used with |
| 1443 | ChaCha20-Poly1305 is invalid, and not just unsupported. |
Ronald Cron | 1ffa6a5 | 2021-12-14 15:57:17 +0100 | [diff] [blame] | 1444 | * The mbedcrypto library includes a new source code module constant_time.c, |
| 1445 | containing various functions meant to resist timing side channel attacks. |
| 1446 | This module does not have a separate configuration option, and functions |
| 1447 | from this module will be included in the build as required. Currently |
| 1448 | most of the interface of this module is private and may change at any |
| 1449 | time. |
| 1450 | * The generated configuration-independent files are now automatically |
| 1451 | generated by the CMake build system on Unix-like systems. This is not |
| 1452 | yet supported when cross-compiling. |
Ronald Cron | 831cf48 | 2021-12-15 09:02:38 +0100 | [diff] [blame] | 1453 | |
Dave Rodgman | bb2eece | 2021-06-30 18:07:19 +0100 | [diff] [blame] | 1454 | = Mbed TLS 3.0.0 branch released 2021-07-07 |
Dave Rodgman | 10ba553 | 2021-04-26 14:58:26 +0100 | [diff] [blame] | 1455 | |
| 1456 | API changes |
| 1457 | * Remove HAVEGE module. |
| 1458 | The design of HAVEGE makes it unsuitable for microcontrollers. Platforms |
| 1459 | with a more complex CPU usually have an operating system interface that |
| 1460 | provides better randomness. Instead of HAVEGE, declare OS or hardware RNG |
| 1461 | interfaces with mbedtls_entropy_add_source() and/or use an entropy seed |
| 1462 | file created securely during device provisioning. See |
Dave Rodgman | b319684 | 2022-10-12 16:47:08 +0100 | [diff] [blame] | 1463 | https://mbed-tls.readthedocs.io/en/latest/kb/how-to/add-entropy-sources-to-entropy-pool/ for |
Dave Rodgman | 10ba553 | 2021-04-26 14:58:26 +0100 | [diff] [blame] | 1464 | more information. |
| 1465 | * Add missing const attributes to API functions. |
| 1466 | * Remove helpers for the transition from Mbed TLS 1.3 to Mbed TLS 2.0: the |
| 1467 | header compat-1.3.h and the script rename.pl. |
| 1468 | * Remove certs module from the API. |
| 1469 | Transfer keys and certificates embedded in the library to the test |
| 1470 | component. This contributes to minimizing library API and discourages |
| 1471 | users from using unsafe keys in production. |
| 1472 | * Move alt helpers and definitions. |
| 1473 | Various helpers and definitions available for use in alt implementations |
| 1474 | have been moved out of the include/ directory and into the library/ |
| 1475 | directory. The files concerned are ecp_internal.h and rsa_internal.h |
Gilles Peskine | 6a2fb61 | 2021-05-24 22:25:04 +0200 | [diff] [blame] | 1476 | which have also been renamed to ecp_internal_alt.h and rsa_alt_helpers.h |
Dave Rodgman | 10ba553 | 2021-04-26 14:58:26 +0100 | [diff] [blame] | 1477 | respectively. |
| 1478 | * Move internal headers. |
| 1479 | Header files that were only meant for the library's internal use and |
| 1480 | were not meant to be used in application code have been moved out of |
| 1481 | the include/ directory. The headers concerned are bn_mul.h, aesni.h, |
| 1482 | padlock.h, entropy_poll.h and *_internal.h. |
| 1483 | * Drop support for parsing SSLv2 ClientHello |
| 1484 | (MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO). |
| 1485 | * Drop support for SSLv3 (MBEDTLS_SSL_PROTO_SSL3). |
Dave Rodgman | 10ba553 | 2021-04-26 14:58:26 +0100 | [diff] [blame] | 1486 | * Drop support for TLS record-level compression (MBEDTLS_ZLIB_SUPPORT). |
| 1487 | * Drop support for RC4 TLS ciphersuites. |
| 1488 | * Drop support for single-DES ciphersuites. |
| 1489 | * Drop support for MBEDTLS_SSL_HW_RECORD_ACCEL. |
Dave Rodgman | bb2eece | 2021-06-30 18:07:19 +0100 | [diff] [blame] | 1490 | * Update AEAD output size macros to bring them in line with the PSA Crypto |
| 1491 | API version 1.0 spec. This version of the spec parameterizes them on the |
| 1492 | key type used, as well as the key bit-size in the case of |
| 1493 | PSA_AEAD_TAG_LENGTH. |
| 1494 | * Add configuration option MBEDTLS_X509_REMOVE_INFO which |
| 1495 | removes the mbedtls_x509_*_info(), mbedtls_debug_print_crt() |
| 1496 | as well as other functions and constants only used by |
| 1497 | those functions. This reduces the code footprint by |
| 1498 | several kB. |
| 1499 | * Remove SSL error codes `MBEDTLS_ERR_SSL_CERTIFICATE_REQUIRED` |
| 1500 | and `MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH` which are never |
| 1501 | returned from the public SSL API. |
| 1502 | * Remove `MBEDTLS_ERR_SSL_CERTIFICATE_TOO_LARGE` and return |
| 1503 | `MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL` instead. |
Dave Rodgman | 814b099 | 2021-07-02 12:11:14 +0100 | [diff] [blame] | 1504 | * The output parameter of mbedtls_sha512_finish, mbedtls_sha512, |
| 1505 | mbedtls_sha256_finish and mbedtls_sha256 now has a pointer type |
Dave Rodgman | bb2eece | 2021-06-30 18:07:19 +0100 | [diff] [blame] | 1506 | rather than array type. This removes spurious warnings in some compilers |
| 1507 | when outputting a SHA-384 or SHA-224 hash into a buffer of exactly |
| 1508 | the hash size. |
| 1509 | * Remove the MBEDTLS_TEST_NULL_ENTROPY config option. Fixes #4388. |
| 1510 | * The interface of the GCM module has changed to remove restrictions on |
| 1511 | how the input to multipart operations is broken down. mbedtls_gcm_finish() |
Dave Rodgman | eaef0b7 | 2021-07-01 16:59:13 +0100 | [diff] [blame] | 1512 | now takes extra output parameters for the last partial output block. |
Dave Rodgman | bb2eece | 2021-06-30 18:07:19 +0100 | [diff] [blame] | 1513 | mbedtls_gcm_update() now takes extra parameters for the output length. |
| 1514 | The software implementation always produces the full output at each |
| 1515 | call to mbedtls_gcm_update(), but alternative implementations activated |
| 1516 | by MBEDTLS_GCM_ALT may delay partial blocks to the next call to |
| 1517 | mbedtls_gcm_update() or mbedtls_gcm_finish(). Furthermore, applications |
| 1518 | no longer pass the associated data to mbedtls_gcm_starts(), but to the |
| 1519 | new function mbedtls_gcm_update_ad(). |
| 1520 | These changes are backward compatible for users of the cipher API. |
| 1521 | * Replace MBEDTLS_SHA512_NO_SHA384 config option with MBEDTLS_SHA384_C. |
| 1522 | This separates config option enabling the SHA384 algorithm from option |
| 1523 | enabling the SHA512 algorithm. Fixes #4034. |
| 1524 | * Introduce MBEDTLS_SHA224_C. |
| 1525 | This separates config option enabling the SHA224 algorithm from option |
| 1526 | enabling SHA256. |
Dave Rodgman | 745e358 | 2021-07-05 18:53:31 +0100 | [diff] [blame] | 1527 | * The getter and setter API of the SSL session cache (used for |
| 1528 | session-ID based session resumption) has changed to that of |
| 1529 | a key-value store with keys being session IDs and values |
| 1530 | being opaque instances of `mbedtls_ssl_session`. |
Dave Rodgman | bb2eece | 2021-06-30 18:07:19 +0100 | [diff] [blame] | 1531 | * Remove the mode parameter from RSA operation functions. Signature and |
| 1532 | decryption functions now always use the private key and verification and |
| 1533 | encryption use the public key. Verification functions also no longer have |
| 1534 | RNG parameters. |
Dave Rodgman | 745e358 | 2021-07-05 18:53:31 +0100 | [diff] [blame] | 1535 | * Modify semantics of `mbedtls_ssl_conf_[opaque_]psk()`: |
| 1536 | In Mbed TLS 2.X, the API prescribes that later calls overwrite |
| 1537 | the effect of earlier calls. In Mbed TLS 3.0, calling |
| 1538 | `mbedtls_ssl_conf_[opaque_]psk()` more than once will fail, |
| 1539 | leaving the PSK that was configured first intact. |
| 1540 | Support for more than one PSK may be added in 3.X. |
Dave Rodgman | bb2eece | 2021-06-30 18:07:19 +0100 | [diff] [blame] | 1541 | * The function mbedtls_x509write_csr_set_extension() has an extra parameter |
| 1542 | which allows to mark an extension as critical. Fixes #4055. |
| 1543 | * For multi-part AEAD operations with the cipher module, calling |
| 1544 | mbedtls_cipher_finish() is now mandatory. Previously the documentation |
| 1545 | was unclear on this point, and this function happened to never do |
| 1546 | anything with the currently implemented AEADs, so in practice it was |
| 1547 | possible to skip calling it, which is no longer supported. |
| 1548 | * The option MBEDTLS_ECP_FIXED_POINT_OPTIM use pre-computed comb tables |
| 1549 | instead of computing tables in runtime. Thus, this option now increase |
| 1550 | code size, and it does not increase RAM usage in runtime anymore. |
| 1551 | * Remove the SSL APIs mbedtls_ssl_get_input_max_frag_len() and |
| 1552 | mbedtls_ssl_get_output_max_frag_len(), and add a new API |
| 1553 | mbedtls_ssl_get_max_in_record_payload(), complementing the existing |
| 1554 | mbedtls_ssl_get_max_out_record_payload(). |
| 1555 | Uses of mbedtls_ssl_get_input_max_frag_len() and |
| 1556 | mbedtls_ssl_get_input_max_frag_len() should be replaced by |
| 1557 | mbedtls_ssl_get_max_in_record_payload() and |
| 1558 | mbedtls_ssl_get_max_out_record_payload(), respectively. |
| 1559 | * mbedtls_rsa_init() now always selects the PKCS#1v1.5 encoding for an RSA |
| 1560 | key. To use an RSA key with PSS or OAEP, call mbedtls_rsa_set_padding() |
| 1561 | after initializing the context. mbedtls_rsa_set_padding() now returns an |
| 1562 | error if its parameters are invalid. |
Dave Rodgman | 745e358 | 2021-07-05 18:53:31 +0100 | [diff] [blame] | 1563 | * Replace MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE by a runtime |
| 1564 | configuration function mbedtls_ssl_conf_preference_order(). Fixes #4398. |
Dave Rodgman | bb2eece | 2021-06-30 18:07:19 +0100 | [diff] [blame] | 1565 | * Instead of accessing the len field of a DHM context, which is no longer |
| 1566 | supported, use the new function mbedtls_dhm_get_len() . |
| 1567 | * In modules that implement cryptographic hash functions, many functions |
| 1568 | mbedtls_xxx() now return int instead of void, and the corresponding |
| 1569 | function mbedtls_xxx_ret() which was identical except for returning int |
| 1570 | has been removed. This also concerns mbedtls_xxx_drbg_update(). See the |
| 1571 | migration guide for more information. Fixes #4212. |
| 1572 | * For all functions that take a random number generator (RNG) as a |
| 1573 | parameter, this parameter is now mandatory (that is, NULL is not an |
| 1574 | acceptable value). Functions which previously accepted NULL and now |
| 1575 | reject it are: the X.509 CRT and CSR writing functions; the PK and RSA |
| 1576 | sign and decrypt function; mbedtls_rsa_private(); the functions |
| 1577 | in DHM and ECDH that compute the shared secret; the scalar multiplication |
| 1578 | functions in ECP. |
| 1579 | * The following functions now require an RNG parameter: |
| 1580 | mbedtls_ecp_check_pub_priv(), mbedtls_pk_check_pair(), |
| 1581 | mbedtls_pk_parse_key(), mbedtls_pk_parse_keyfile(). |
| 1582 | * mbedtls_ssl_conf_export_keys_ext_cb() and |
| 1583 | mbedtls_ssl_conf_export_keys_cb() have been removed and |
| 1584 | replaced by a new API mbedtls_ssl_set_export_keys_cb(). |
| 1585 | Raw keys and IVs are no longer passed to the callback. |
| 1586 | Further, callbacks now receive an additional parameter |
| 1587 | indicating the type of secret that's being exported, |
| 1588 | paving the way for the larger number of secrets |
| 1589 | in TLS 1.3. Finally, the key export callback and |
| 1590 | context are now connection-specific. |
| 1591 | * Signature functions in the RSA and PK modules now require the hash |
| 1592 | length parameter to be the size of the hash input. For RSA signatures |
| 1593 | other than raw PKCS#1 v1.5, this must match the output size of the |
| 1594 | specified hash algorithm. |
| 1595 | * The functions mbedtls_pk_sign(), mbedtls_pk_sign_restartable(), |
| 1596 | mbedtls_ecdsa_write_signature() and |
| 1597 | mbedtls_ecdsa_write_signature_restartable() now take an extra parameter |
| 1598 | indicating the size of the output buffer for the signature. |
| 1599 | * Implement one-shot cipher functions, psa_cipher_encrypt and |
| 1600 | psa_cipher_decrypt, according to the PSA Crypto API 1.0.0 |
| 1601 | specification. |
| 1602 | * Direct access to fields of structures declared in public headers is no |
| 1603 | longer supported except for fields that are documented public. Use accessor |
| 1604 | functions instead. For more information, see the migration guide entry |
| 1605 | "Most structure fields are now private". |
Dave Rodgman | 9bd0389 | 2021-07-01 16:59:49 +0100 | [diff] [blame] | 1606 | * mbedtls_ssl_get_session_pointer() has been removed, and |
| 1607 | mbedtls_ssl_{set,get}_session() may now only be called once for any given |
| 1608 | SSL context. |
Dave Rodgman | bb2eece | 2021-06-30 18:07:19 +0100 | [diff] [blame] | 1609 | |
| 1610 | Default behavior changes |
| 1611 | * Enable by default the functionalities which have no reason to be disabled. |
| 1612 | They are: ARIA block cipher, CMAC mode, elliptic curve J-PAKE library and |
| 1613 | Key Wrapping mode as defined in NIST SP 800-38F. Fixes #4036. |
| 1614 | * Some default policies for X.509 certificate verification and TLS have |
| 1615 | changed: curves and hashes weaker than 255 bits are no longer accepted |
| 1616 | by default. The default order in TLS now favors faster curves over larger |
| 1617 | curves. |
Dave Rodgman | 10ba553 | 2021-04-26 14:58:26 +0100 | [diff] [blame] | 1618 | |
| 1619 | Requirement changes |
| 1620 | * The library now uses the %zu format specifier with the printf() family of |
| 1621 | functions, so requires a toolchain that supports it. This change does not |
| 1622 | affect the maintained LTS branches, so when contributing changes please |
| 1623 | bear this in mind and do not add them to backported code. |
Dave Rodgman | bb2eece | 2021-06-30 18:07:19 +0100 | [diff] [blame] | 1624 | * If you build the development version of Mbed TLS, rather than an official |
| 1625 | release, some configuration-independent files are now generated at build |
| 1626 | time rather than checked into source control. This includes some library |
| 1627 | source files as well as the Visual Studio solution. Perl, Python 3 and a |
| 1628 | C compiler for the host platform are required. See “Generated source files |
| 1629 | in the development branch” in README.md for more information. |
| 1630 | * Refresh the minimum supported versions of tools to build the |
| 1631 | library. CMake versions older than 3.10.2 and Python older |
| 1632 | than 3.6 are no longer supported. |
Dave Rodgman | 10ba553 | 2021-04-26 14:58:26 +0100 | [diff] [blame] | 1633 | |
| 1634 | Removals |
| 1635 | * Remove the MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES |
| 1636 | compile-time option, which was off by default. Users should not trust |
| 1637 | certificates signed with SHA-1 due to the known attacks against SHA-1. |
Manuel Pégourié-Gonnard | 143b1e3 | 2021-05-05 09:46:01 +0200 | [diff] [blame] | 1638 | If needed, SHA-1 certificates can still be verified by using a custom |
Manuel Pégourié-Gonnard | e756306 | 2021-04-26 10:08:29 +0200 | [diff] [blame] | 1639 | verification profile. |
Dave Rodgman | 10ba553 | 2021-04-26 14:58:26 +0100 | [diff] [blame] | 1640 | * Removed deprecated things in psa/crypto_compat.h. Fixes #4284 |
| 1641 | * Removed deprecated functions from hashing modules. Fixes #4280. |
| 1642 | * Remove PKCS#11 library wrapper. PKCS#11 has limited functionality, |
| 1643 | lacks automated tests and has scarce documentation. Also, PSA Crypto |
| 1644 | provides a more flexible private key management. |
| 1645 | More details on PCKS#11 wrapper removal can be found in the mailing list |
| 1646 | https://lists.trustedfirmware.org/pipermail/mbed-tls/2020-April/000024.html |
| 1647 | * Remove deprecated error codes. Fix #4283 |
Dave Rodgman | bb2eece | 2021-06-30 18:07:19 +0100 | [diff] [blame] | 1648 | * Remove MBEDTLS_ENABLE_WEAK_CIPHERSUITES configuration option. Fixes #4416. |
| 1649 | * Remove the MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES |
| 1650 | compile-time option. This option has been inactive for a long time. |
| 1651 | Please use the `lifetime` parameter of `mbedtls_ssl_ticket_setup()` |
| 1652 | instead. |
| 1653 | * Remove the following deprecated functions and constants of hex-encoded |
| 1654 | primes based on RFC 5114 and RFC 3526 from library code and tests: |
| 1655 | mbedtls_aes_encrypt(), mbedtls_aes_decrypt(), mbedtls_mpi_is_prime(), |
| 1656 | mbedtls_cipher_auth_encrypt(), mbedtls_cipher_auth_decrypt(), |
| 1657 | mbedtls_ctr_drbg_update(), mbedtls_hmac_drbg_update(), |
| 1658 | mbedtls_ecdsa_write_signature_det(), mbedtls_ecdsa_sign_det(), |
| 1659 | mbedtls_ssl_conf_dh_param(), mbedtls_ssl_get_max_frag_len(), |
| 1660 | MBEDTLS_DHM_RFC5114_MODP_2048_P, MBEDTLS_DHM_RFC5114_MODP_2048_G, |
| 1661 | MBEDTLS_DHM_RFC3526_MODP_2048_P, MBEDTLS_DHM_RFC3526_MODP_2048_G, |
| 1662 | MBEDTLS_DHM_RFC3526_MODP_3072_P, MBEDTLS_DHM_RFC3526_MODP_3072_G, |
| 1663 | MBEDTLS_DHM_RFC3526_MODP_4096_P, MBEDTLS_DHM_RFC3526_MODP_4096_G. |
| 1664 | Remove the deprecated file: include/mbedtls/net.h. Fixes #4282. |
| 1665 | * Remove MBEDTLS_SSL_MAX_CONTENT_LEN configuration option, since |
| 1666 | MBEDTLS_SSL_IN_CONTENT_LEN and MBEDTLS_SSL_OUT_CONTENT_LEN replace |
| 1667 | it. Fixes #4362. |
| 1668 | * Remove the MBEDTLS_SSL_RECORD_CHECKING option and enable by default its |
| 1669 | previous action. Fixes #4361. |
| 1670 | * Remove support for TLS 1.0, TLS 1.1 and DTLS 1.0, as well as support for |
| 1671 | CBC record splitting, fallback SCSV, and the ability to configure |
| 1672 | ciphersuites per version, which are no longer relevant. This removes the |
| 1673 | configuration options MBEDTLS_SSL_PROTO_TLS1, |
| 1674 | MBEDTLS_SSL_PROTO_TLS1_1, MBEDTLS_SSL_CBC_RECORD_SPLITTING and |
| 1675 | MBEDTLS_SSL_FALLBACK_SCSV as well as the functions |
| 1676 | mbedtls_ssl_conf_cbc_record_splitting(), |
| 1677 | mbedtls_ssl_get_key_exchange_md_ssl_tls(), mbedtls_ssl_conf_fallback(), |
| 1678 | and mbedtls_ssl_conf_ciphersuites_for_version(). Fixes #4286. |
| 1679 | * The RSA module no longer supports private-key operations with the public |
| 1680 | key and vice versa. |
| 1681 | * Remove the MBEDTLS_SSL_DTLS_BADMAC_LIMIT config.h option. Fixes #4403. |
| 1682 | * Remove all the 3DES ciphersuites: |
| 1683 | MBEDTLS_TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA, |
| 1684 | MBEDTLS_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, |
| 1685 | MBEDTLS_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, |
| 1686 | MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA, |
| 1687 | MBEDTLS_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, |
| 1688 | MBEDTLS_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, |
| 1689 | MBEDTLS_TLS_PSK_WITH_3DES_EDE_CBC_SHA, |
| 1690 | MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA, |
| 1691 | MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA. Remove the |
| 1692 | MBEDTLS_REMOVE_3DES_CIPHERSUITES option which is no longer relevant. |
| 1693 | Fixes #4367. |
| 1694 | * Remove the MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3 option and let the code |
| 1695 | behave as if it was always disabled. Fixes #4386. |
| 1696 | * Remove MBEDTLS_ECDH_LEGACY_CONTEXT config option since this was purely for |
| 1697 | backward compatibility which is no longer supported. Addresses #4404. |
| 1698 | * Remove the following macros: MBEDTLS_CHECK_PARAMS, |
| 1699 | MBEDTLS_CHECK_PARAMS_ASSERT, MBEDTLS_PARAM_FAILED, |
| 1700 | MBEDTLS_PARAM_FAILED_ALT. Fixes #4313. |
| 1701 | * Remove the MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION config.h |
| 1702 | option. The mbedtls_x509_crt_parse_der_with_ext_cb() is the way to go for |
| 1703 | migration path. Fixes #4378. |
Dave Rodgman | 745e358 | 2021-07-05 18:53:31 +0100 | [diff] [blame] | 1704 | * Remove the MBEDTLS_X509_CHECK_KEY_USAGE and |
| 1705 | MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE config.h options and let the code |
| 1706 | behave as if they were always enabled. Fixes #4405. |
Dave Rodgman | bb2eece | 2021-06-30 18:07:19 +0100 | [diff] [blame] | 1707 | * MBEDTLS_ECP_MAX_BITS is no longer a configuration option because it is |
| 1708 | now determined automatically based on supported curves. |
Dave Rodgman | 745e358 | 2021-07-05 18:53:31 +0100 | [diff] [blame] | 1709 | * Remove the following functions: mbedtls_timing_self_test(), |
| 1710 | mbedtls_hardclock_poll(), mbedtls_timing_hardclock() and |
| 1711 | mbedtls_set_alarm(). Fixes #4083. |
Dave Rodgman | bb2eece | 2021-06-30 18:07:19 +0100 | [diff] [blame] | 1712 | * The configuration option MBEDTLS_ECP_NO_INTERNAL_RNG has been removed as |
| 1713 | it no longer had any effect. |
Dave Rodgman | 745e358 | 2021-07-05 18:53:31 +0100 | [diff] [blame] | 1714 | * Remove all support for MD2, MD4, RC4, Blowfish and XTEA. This removes the |
| 1715 | corresponding modules and all their APIs and related configuration |
| 1716 | options. Fixes #4084. |
Dave Rodgman | bb2eece | 2021-06-30 18:07:19 +0100 | [diff] [blame] | 1717 | * Remove MBEDTLS_SSL_TRUNCATED_HMAC and also remove |
| 1718 | MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT config option. Users are better served by |
| 1719 | using a CCM-8 ciphersuite than a CBC ciphersuite with truncated HMAC. |
| 1720 | See issue #4341 for more details. |
| 1721 | * Remove the compile-time option |
| 1722 | MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE. |
Dave Rodgman | 10ba553 | 2021-04-26 14:58:26 +0100 | [diff] [blame] | 1723 | |
| 1724 | Features |
| 1725 | * Add mbedtls_rsa_rsassa_pss_sign_ext() function allowing to generate a |
| 1726 | signature with a specific salt length. This function allows to validate |
| 1727 | test cases provided in the NIST's CAVP test suite. Contributed by Cédric |
| 1728 | Meuter in PR #3183. |
Dave Rodgman | bb2eece | 2021-06-30 18:07:19 +0100 | [diff] [blame] | 1729 | * Added support for built-in driver keys through the PSA opaque crypto |
| 1730 | driver interface. Refer to the documentation of |
| 1731 | MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS for more information. |
| 1732 | * Implement psa_sign_message() and psa_verify_message(). |
| 1733 | * The multi-part GCM interface (mbedtls_gcm_update() or |
| 1734 | mbedtls_cipher_update()) no longer requires the size of partial inputs to |
| 1735 | be a multiple of 16. |
| 1736 | * The multi-part GCM interface now supports chunked associated data through |
| 1737 | multiple calls to mbedtls_gcm_update_ad(). |
| 1738 | * The new function mbedtls_mpi_random() generates a random value in a |
| 1739 | given range uniformly. |
| 1740 | * Alternative implementations of the AES, DHM, ECJPAKE, ECP, RSA and timing |
| 1741 | modules had undocumented constraints on their context types. These |
| 1742 | constraints have been relaxed. |
| 1743 | See docs/architecture/alternative-implementations.md for the remaining |
| 1744 | constraints. |
| 1745 | * The new functions mbedtls_dhm_get_len() and mbedtls_dhm_get_bitlen() |
| 1746 | query the size of the modulus in a Diffie-Hellman context. |
| 1747 | * The new function mbedtls_dhm_get_value() copy a field out of a |
| 1748 | Diffie-Hellman context. |
| 1749 | * Use the new function mbedtls_ecjpake_set_point_format() to select the |
| 1750 | point format for ECJPAKE instead of accessing the point_format field |
| 1751 | directly, which is no longer supported. |
| 1752 | * Implement psa_mac_compute() and psa_mac_verify() as defined in the |
| 1753 | PSA Cryptograpy API 1.0.0 specification. |
| 1754 | |
| 1755 | Security |
Dave Rodgman | 5b13f60 | 2021-07-05 18:09:16 +0100 | [diff] [blame] | 1756 | * Fix a bias in the generation of finite-field Diffie-Hellman-Merkle (DHM) |
| 1757 | private keys and of blinding values for DHM and elliptic curves (ECP) |
| 1758 | computations. Reported by FlorianF89 in #4245. |
| 1759 | * Fix a potential side channel vulnerability in ECDSA ephemeral key generation. |
| 1760 | An adversary who is capable of very precise timing measurements could |
| 1761 | learn partial information about the leading bits of the nonce used for the |
| 1762 | signature, allowing the recovery of the private key after observing a |
| 1763 | large number of signature operations. This completes a partial fix in |
| 1764 | Mbed TLS 2.20.0. |
Tom Cosgrove | b3c6a1e | 2023-03-08 15:47:00 +0000 | [diff] [blame] | 1765 | * Fix an issue where an adversary with access to precise enough information |
| 1766 | about memory accesses (typically, an untrusted operating system attacking |
| 1767 | a secure enclave) could recover an RSA private key after observing the |
| 1768 | victim performing a single private-key operation. Found and reported by |
Dave Rodgman | bb2eece | 2021-06-30 18:07:19 +0100 | [diff] [blame] | 1769 | Zili KOU, Wenjian HE, Sharad Sinha, and Wei ZHANG. |
Tom Cosgrove | b3c6a1e | 2023-03-08 15:47:00 +0000 | [diff] [blame] | 1770 | * Fix an issue where an adversary with access to precise enough timing |
| 1771 | information (typically, a co-located process) could recover a Curve25519 |
| 1772 | or Curve448 static ECDH key after inputting a chosen public key and |
| 1773 | observing the victim performing the corresponding private-key operation. |
| 1774 | Found and reported by Leila Batina, Lukas Chmielewski, Björn Haase, Niels |
| 1775 | Samwel and Peter Schwabe. |
Dave Rodgman | 10ba553 | 2021-04-26 14:58:26 +0100 | [diff] [blame] | 1776 | |
| 1777 | Bugfix |
| 1778 | * Fix premature fopen() call in mbedtls_entropy_write_seed_file which may |
| 1779 | lead to the seed file corruption in case if the path to the seed file is |
| 1780 | equal to MBEDTLS_PLATFORM_STD_NV_SEED_FILE. Contributed by Victor |
| 1781 | Krasnoshchok in #3616. |
| 1782 | * PSA functions creating a key now return PSA_ERROR_INVALID_ARGUMENT rather |
| 1783 | than PSA_ERROR_INVALID_HANDLE when the identifier specified for the key |
| 1784 | to create is not valid, bringing them in line with version 1.0.0 of the |
| 1785 | specification. Fix #4271. |
| 1786 | * Add printf function attributes to mbedtls_debug_print_msg to ensure we |
| 1787 | get printf format specifier warnings. |
| 1788 | * PSA functions other than psa_open_key now return PSA_ERROR_INVALID_HANDLE |
| 1789 | rather than PSA_ERROR_DOES_NOT_EXIST for an invalid handle, bringing them |
| 1790 | in line with version 1.0.0 of the specification. Fix #4162. |
| 1791 | * Fix a bug in ECDSA that would cause it to fail when the hash is all-bits |
| 1792 | zero. Fixes #1792 |
Gilles Peskine | f4998b0 | 2021-06-10 15:51:54 +0200 | [diff] [blame] | 1793 | * Fix some cases in the bignum module where the library constructed an |
| 1794 | unintended representation of the value 0 which was not processed |
| 1795 | correctly by some bignum operations. This could happen when |
| 1796 | mbedtls_mpi_read_string() was called on "-0", or when |
| 1797 | mbedtls_mpi_mul_mpi() and mbedtls_mpi_mul_int() was called with one of |
| 1798 | the arguments being negative and the other being 0. Fixes #4643. |
Dave Rodgman | bb2eece | 2021-06-30 18:07:19 +0100 | [diff] [blame] | 1799 | * Fix a compilation error when MBEDTLS_ECP_RANDOMIZE_MXZ_ALT is |
| 1800 | defined. Fixes #4217. |
| 1801 | * Fix an incorrect error code when parsing a PKCS#8 private key. |
| 1802 | * In a TLS client, enforce the Diffie-Hellman minimum parameter size |
| 1803 | set with mbedtls_ssl_conf_dhm_min_bitlen() precisely. Before, the |
| 1804 | minimum size was rounded down to the nearest multiple of 8. |
| 1805 | * In library/net_sockets.c, _POSIX_C_SOURCE and _XOPEN_SOURCE are |
| 1806 | defined to specific values. If the code is used in a context |
| 1807 | where these are already defined, this can result in a compilation |
| 1808 | error. Instead, assume that if they are defined, the values will |
| 1809 | be adequate to build Mbed TLS. |
| 1810 | * With MBEDTLS_PSA_CRYPTO_C disabled, some functions were getting built |
| 1811 | nonetheless, resulting in undefined reference errors when building a |
| 1812 | shared library. Reported by Guillermo Garcia M. in #4411. |
| 1813 | * The cipher suite TLS-RSA-WITH-CAMELLIA-256-GCM-SHA384 was not available |
| 1814 | when SHA-1 was disabled and was offered when SHA-1 was enabled but SHA-384 |
| 1815 | was disabled. Fix the dependency. Fixes #4472. |
| 1816 | * Do not offer SHA384 cipher suites when SHA-384 is disabled. Fixes #4499. |
| 1817 | * Fix test suite code on platforms where int32_t is not int, such as |
| 1818 | Arm Cortex-M. Fixes #4530. |
| 1819 | * Fix some issues affecting MBEDTLS_ARIA_ALT implementations: a misplaced |
| 1820 | directive in a header and a missing initialization in the self-test. |
| 1821 | * Fix a missing initialization in the Camellia self-test, affecting |
| 1822 | MBEDTLS_CAMELLIA_ALT implementations. |
| 1823 | * Restore the ability to configure PSA via Mbed TLS options to support RSA |
| 1824 | key pair operations but exclude RSA key generation. When MBEDTLS_GENPRIME |
| 1825 | is not defined PSA will no longer attempt to use mbedtls_rsa_gen_key(). |
| 1826 | Fixes #4512. |
| 1827 | * Fix a regression introduced in 2.24.0 which broke (D)TLS CBC ciphersuites |
| 1828 | (when the encrypt-then-MAC extension is not in use) with some ALT |
| 1829 | implementations of the underlying hash (SHA-1, SHA-256, SHA-384), causing |
| 1830 | the affected side to wrongly reject valid messages. Fixes #4118. |
| 1831 | * Remove outdated check-config.h check that prevented implementing the |
| 1832 | timing module on Mbed OS. Fixes #4633. |
| 1833 | * Fix PSA_ALG_TLS12_PRF and PSA_ALG_TLS12_PSK_TO_MS being too permissive |
| 1834 | about missing inputs. |
| 1835 | * Fix mbedtls_net_poll() and mbedtls_net_recv_timeout() often failing with |
| 1836 | MBEDTLS_ERR_NET_POLL_FAILED on Windows. Fixes #4465. |
| 1837 | * Fix a resource leak in a test suite with an alternative AES |
| 1838 | implementation. Fixes #4176. |
| 1839 | * Fix a crash in mbedtls_mpi_debug_mpi on a bignum having 0 limbs. This |
| 1840 | could notably be triggered by setting the TLS debug level to 3 or above |
| 1841 | and using a Montgomery curve for the key exchange. Reported by lhuang04 |
| 1842 | in #4578. Fixes #4608. |
| 1843 | * psa_verify_hash() was relying on implementation-specific behavior of |
| 1844 | mbedtls_rsa_rsassa_pss_verify() and was causing failures in some _ALT |
| 1845 | implementations. This reliance is now removed. Fixes #3990. |
| 1846 | * Disallow inputs of length different from the corresponding hash when |
| 1847 | signing or verifying with PSA_ALG_RSA_PSS (The PSA Crypto API mandates |
| 1848 | that PSA_ALG_RSA_PSS uses the same hash throughout the algorithm.) |
| 1849 | * Fix a null pointer dereference when mbedtls_mpi_exp_mod() was called with |
| 1850 | A=0 represented with 0 limbs. Up to and including Mbed TLS 2.26, this bug |
| 1851 | could not be triggered by code that constructed A with one of the |
| 1852 | mbedtls_mpi_read_xxx functions (including in particular TLS code) since |
| 1853 | those always built an mpi object with at least one limb. |
| 1854 | Credit to OSS-Fuzz. Fixes #4641. |
| 1855 | * Fix mbedtls_mpi_gcd(G,A,B) when the value of B is zero. This had no |
| 1856 | effect on Mbed TLS's internal use of mbedtls_mpi_gcd(), but may affect |
| 1857 | applications that call mbedtls_mpi_gcd() directly. Fixes #4642. |
| 1858 | * The PSA API no longer allows the creation or destruction of keys with a |
| 1859 | read-only lifetime. The persistence level PSA_KEY_PERSISTENCE_READ_ONLY |
| 1860 | can now only be used as intended, for keys that cannot be modified through |
| 1861 | normal use of the API. |
| 1862 | * When MBEDTLS_PSA_CRYPTO_SPM is enabled, crypto_spe.h was not included |
| 1863 | in all the right places. Include it from crypto_platform.h, which is |
| 1864 | the natural place. Fixes #4649. |
| 1865 | * Fix which alert is sent in some cases to conform to the |
| 1866 | applicable RFC: on an invalid Finished message value, an |
| 1867 | invalid max_fragment_length extension, or an |
| 1868 | unsupported extension used by the server. |
Dave Rodgman | a84a8eb | 2021-07-01 17:01:04 +0100 | [diff] [blame] | 1869 | * Correct (change from 12 to 13 bytes) the value of the macro describing the |
| 1870 | maximum nonce length returned by psa_aead_generate_nonce(). |
Dave Rodgman | 10ba553 | 2021-04-26 14:58:26 +0100 | [diff] [blame] | 1871 | |
| 1872 | Changes |
| 1873 | * Fix the setting of the read timeout in the DTLS sample programs. |
| 1874 | * Add extra printf compiler warning flags to builds. |
| 1875 | * Fix memsan build false positive in x509_crt.c with clang 11 |
Dave Rodgman | bb2eece | 2021-06-30 18:07:19 +0100 | [diff] [blame] | 1876 | * Alternative implementations of CMAC may now opt to not support 3DES as a |
| 1877 | CMAC block cipher, and still pass the CMAC self test. |
| 1878 | * Remove the AES sample application programs/aes/aescrypt2 which shows |
| 1879 | bad cryptographic practice. Fix #1906. |
| 1880 | * Remove configs/config-psa-crypto.h, which no longer had any intended |
| 1881 | differences from the default configuration, but had accidentally diverged. |
| 1882 | * When building the test suites with GNU make, invoke python3 or python, not |
| 1883 | python2, which is no longer supported upstream. |
| 1884 | * fix build failure on MinGW toolchain when __USE_MING_ANSI_STDIO is on. |
| 1885 | When that flag is on, standard GNU C printf format specifiers |
| 1886 | should be used. |
| 1887 | * Replace MBEDTLS_SSL_CID_PADDING_GRANULARITY and |
| 1888 | MBEDTLS_SSL_TLS1_3_PADDING_GRANULARITY with a new single unified option |
| 1889 | MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY. Fixes #4335. |
| 1890 | * Reduce the default value of MBEDTLS_ECP_WINDOW_SIZE. This reduces RAM usage |
| 1891 | during ECC operations at a negligible performance cost. |
| 1892 | * mbedtls_mpi_read_binary(), mbedtls_mpi_read_binary_le() and |
| 1893 | mbedtls_mpi_read_string() now construct an mbedtls_mpi object with 0 limbs |
| 1894 | when their input has length 0. Note that this is an implementation detail |
| 1895 | and can change at any time, so this change should be transparent, but it |
| 1896 | may result in mbedtls_mpi_write_binary() or mbedtls_mpi_write_string() |
| 1897 | now writing an empty string where it previously wrote one or more |
| 1898 | zero digits when operating from values constructed with an mpi_read |
| 1899 | function and some mpi operations. |
| 1900 | * Add CMake package config generation for CMake projects consuming Mbed TLS. |
| 1901 | * config.h has been split into build_info.h and mbedtls_config.h |
| 1902 | build_info.h is intended to be included from C code directly, while |
| 1903 | mbedtls_config.h is intended to be edited by end users wishing to |
| 1904 | change the build configuration, and should generally only be included from |
| 1905 | build_info.h. |
| 1906 | * The handling of MBEDTLS_CONFIG_FILE has been moved into build_info.h. |
| 1907 | * A config file version symbol, MBEDTLS_CONFIG_VERSION was introduced. |
| 1908 | Defining it to a particular value will ensure that Mbed TLS interprets |
| 1909 | the config file in a way that's compatible with the config file format |
| 1910 | used by the Mbed TLS release whose MBEDTLS_VERSION_NUMBER has the same |
| 1911 | value. |
| 1912 | The only value supported by Mbed TLS 3.0.0 is 0x03000000. |
| 1913 | * Various changes to which alert and/or error code may be returned |
| 1914 | * during the TLS handshake. |
| 1915 | * Implicitly add PSA_KEY_USAGE_SIGN_MESSAGE key usage policy flag when |
| 1916 | PSA_KEY_USAGE_SIGN_HASH flag is set and PSA_KEY_USAGE_VERIFY_MESSAGE flag |
| 1917 | when PSA_KEY_USAGE_VERIFY_HASH flag is set. This usage flag extension |
| 1918 | is also applied when loading a key from storage. |
Dave Rodgman | 10ba553 | 2021-04-26 14:58:26 +0100 | [diff] [blame] | 1919 | |
Dave Rodgman | 74755e4 | 2021-03-08 18:35:44 +0000 | [diff] [blame] | 1920 | = mbed TLS 2.26.0 branch released 2021-03-08 |
| 1921 | |
| 1922 | API changes |
| 1923 | * Renamed the PSA Crypto API output buffer size macros to bring them in line |
| 1924 | with version 1.0.0 of the specification. |
| 1925 | * The API glue function mbedtls_ecc_group_of_psa() now takes the curve size |
| 1926 | in bits rather than bytes, with an additional flag to indicate if the |
| 1927 | size may have been rounded up to a whole number of bytes. |
| 1928 | * Renamed the PSA Crypto API AEAD tag length macros to bring them in line |
| 1929 | with version 1.0.0 of the specification. |
| 1930 | |
| 1931 | Default behavior changes |
| 1932 | * In mbedtls_rsa_context objects, the ver field was formerly documented |
| 1933 | as always 0. It is now reserved for internal purposes and may take |
| 1934 | different values. |
| 1935 | |
| 1936 | New deprecations |
| 1937 | * PSA_KEY_EXPORT_MAX_SIZE, PSA_HASH_SIZE, PSA_MAC_FINAL_SIZE, |
| 1938 | PSA_BLOCK_CIPHER_BLOCK_SIZE, PSA_MAX_BLOCK_CIPHER_BLOCK_SIZE and |
| 1939 | PSA_ALG_TLS12_PSK_TO_MS_MAX_PSK_LEN have been renamed, and the old names |
| 1940 | deprecated. |
| 1941 | * PSA_ALG_AEAD_WITH_DEFAULT_TAG_LENGTH and PSA_ALG_AEAD_WITH_TAG_LENGTH |
| 1942 | have been renamed, and the old names deprecated. |
| 1943 | |
| 1944 | Features |
| 1945 | * The PSA crypto subsystem can now use HMAC_DRBG instead of CTR_DRBG. |
| 1946 | CTR_DRBG is used by default if it is available, but you can override |
| 1947 | this choice by setting MBEDTLS_PSA_HMAC_DRBG_MD_TYPE at compile time. |
| 1948 | Fix #3354. |
| 1949 | * Automatic fallback to a software implementation of ECP when |
| 1950 | MBEDTLS_ECP_xxx_ALT accelerator hooks are in use can now be turned off |
| 1951 | through setting the new configuration flag MBEDTLS_ECP_NO_FALLBACK. |
| 1952 | * The PSA crypto subsystem can now be configured to use less static RAM by |
| 1953 | tweaking the setting for the maximum amount of keys simultaneously in RAM. |
| 1954 | MBEDTLS_PSA_KEY_SLOT_COUNT sets the maximum number of volatile keys that |
| 1955 | can exist simultaneously. It has a sensible default if not overridden. |
| 1956 | * Partial implementation of the PSA crypto driver interface: Mbed TLS can |
| 1957 | now use an external random generator instead of the library's own |
| 1958 | entropy collection and DRBG code. Enable MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG |
| 1959 | and see the documentation of mbedtls_psa_external_get_random() for details. |
| 1960 | * Applications using both mbedtls_xxx and psa_xxx functions (for example, |
| 1961 | applications using TLS and MBEDTLS_USE_PSA_CRYPTO) can now use the PSA |
| 1962 | random generator with mbedtls_xxx functions. See the documentation of |
| 1963 | mbedtls_psa_get_random() for details. |
| 1964 | * In the PSA API, the policy for a MAC or AEAD algorithm can specify a |
| 1965 | minimum MAC or tag length thanks to the new wildcards |
| 1966 | PSA_ALG_AT_LEAST_THIS_LENGTH_MAC and |
| 1967 | PSA_ALG_AEAD_WITH_AT_LEAST_THIS_LENGTH_TAG. |
| 1968 | |
| 1969 | Security |
| 1970 | * Fix a security reduction in CTR_DRBG when the initial seeding obtained a |
| 1971 | nonce from entropy. Applications were affected if they called |
| 1972 | mbedtls_ctr_drbg_set_nonce_len(), if they called |
| 1973 | mbedtls_ctr_drbg_set_entropy_len() with a size that was 3/2 times the key |
| 1974 | length, or when the entropy module uses SHA-256 and CTR_DRBG uses AES-256. |
| 1975 | In such cases, a random nonce was necessary to achieve the advertised |
| 1976 | security strength, but the code incorrectly used a constant instead of |
| 1977 | entropy from the nonce. |
| 1978 | Found by John Stroebel in #3819 and fixed in #3973. |
| 1979 | * Fix a buffer overflow in mbedtls_mpi_sub_abs() when calculating |
| 1980 | |A| - |B| where |B| is larger than |A| and has more limbs (so the |
| 1981 | function should return MBEDTLS_ERR_MPI_NEGATIVE_VALUE). Only |
| 1982 | applications calling mbedtls_mpi_sub_abs() directly are affected: |
| 1983 | all calls inside the library were safe since this function is |
| 1984 | only called with |A| >= |B|. Reported by Guido Vranken in #4042. |
| 1985 | * Fix an errorneous estimation for an internal buffer in |
| 1986 | mbedtls_pk_write_key_pem(). If MBEDTLS_MPI_MAX_SIZE is set to an odd |
| 1987 | value the function might fail to write a private RSA keys of the largest |
| 1988 | supported size. |
| 1989 | Found by Daniel Otte, reported in #4093 and fixed in #4094. |
| 1990 | * Fix a stack buffer overflow with mbedtls_net_poll() and |
| 1991 | mbedtls_net_recv_timeout() when given a file descriptor that is |
| 1992 | beyond FD_SETSIZE. Reported by FigBug in #4169. |
| 1993 | * Guard against strong local side channel attack against base64 tables by |
| 1994 | making access aceess to them use constant flow code. |
| 1995 | |
| 1996 | Bugfix |
| 1997 | * Fix use-after-scope error in programs/ssl/ssl_client2.c and ssl_server2.c |
| 1998 | * Fix memory leak that occured when calling psa_close_key() on a |
| 1999 | wrapped key with MBEDTLS_PSA_CRYPTO_SE_C defined. |
| 2000 | * Fix an incorrect error code if an RSA private operation glitched. |
| 2001 | * Fix a memory leak in an error case in psa_generate_derived_key_internal(). |
| 2002 | * Fix a resource leak in CTR_DRBG and HMAC_DRBG when MBEDTLS_THREADING_C |
| 2003 | is enabled, on platforms where initializing a mutex allocates resources. |
| 2004 | This was a regression introduced in the previous release. Reported in |
| 2005 | #4017, #4045 and #4071. |
| 2006 | * Ensure that calling mbedtls_rsa_free() or mbedtls_entropy_free() |
| 2007 | twice is safe. This happens for RSA when some Mbed TLS library functions |
| 2008 | fail. Such a double-free was not safe when MBEDTLS_THREADING_C was |
| 2009 | enabled on platforms where freeing a mutex twice is not safe. |
| 2010 | * Fix a resource leak in a bad-arguments case of mbedtls_rsa_gen_key() |
| 2011 | when MBEDTLS_THREADING_C is enabled on platforms where initializing |
| 2012 | a mutex allocates resources. |
| 2013 | * Fixes a bug where, if the library was configured to include support for |
| 2014 | both the old SE interface and the new PSA driver interface, external keys were |
| 2015 | not loaded from storage. This was fixed by #3996. |
| 2016 | * This change makes 'mbedtls_x509write_crt_set_basic_constraints' |
| 2017 | consistent with RFC 5280 4.2.1.9 which says: "Conforming CAs MUST |
| 2018 | include this extension in all CA certificates that contain public keys |
| 2019 | used to validate digital signatures on certificates and MUST mark the |
| 2020 | extension as critical in such certificates." Previous to this change, |
| 2021 | the extension was always marked as non-critical. This was fixed by |
| 2022 | #3698. |
| 2023 | |
| 2024 | Changes |
| 2025 | * A new library C file psa_crypto_client.c has been created to contain |
| 2026 | the PSA code needed by a PSA crypto client when the PSA crypto |
| 2027 | implementation is not included into the library. |
| 2028 | * On recent enough versions of FreeBSD and DragonFlyBSD, the entropy module |
| 2029 | now uses the getrandom syscall instead of reading from /dev/urandom. |
| 2030 | |
Janos Follath | 56b38c2 | 2020-12-09 01:34:21 +0000 | [diff] [blame] | 2031 | = mbed TLS 2.25.0 branch released 2020-12-11 |
Janos Follath | 7ac5fd1 | 2020-12-09 15:03:46 +0000 | [diff] [blame] | 2032 | |
| 2033 | API changes |
| 2034 | * The numerical values of the PSA Crypto API macros have been updated to |
| 2035 | conform to version 1.0.0 of the specification. |
| 2036 | * PSA_ALG_STREAM_CIPHER replaces PSA_ALG_CHACHA20 and PSA_ALG_ARC4. |
| 2037 | The underlying stream cipher is determined by the key type |
| 2038 | (PSA_KEY_TYPE_CHACHA20 or PSA_KEY_TYPE_ARC4). |
| 2039 | * The functions mbedtls_cipher_auth_encrypt() and |
| 2040 | mbedtls_cipher_auth_decrypt() no longer accept NIST_KW contexts, |
| 2041 | as they have no way to check if the output buffer is large enough. |
| 2042 | Please use mbedtls_cipher_auth_encrypt_ext() and |
| 2043 | mbedtls_cipher_auth_decrypt_ext() instead. Credit to OSS-Fuzz and |
| 2044 | Cryptofuzz. Fixes #3665. |
| 2045 | |
| 2046 | Requirement changes |
Janos Follath | e921626 | 2020-12-10 11:03:01 +0000 | [diff] [blame] | 2047 | * Update the minimum required CMake version to 2.8.12. This silences a |
| 2048 | warning on CMake 3.19.0. #3801 |
Janos Follath | 7ac5fd1 | 2020-12-09 15:03:46 +0000 | [diff] [blame] | 2049 | |
| 2050 | New deprecations |
Bence Szépkúti | fe9a425 | 2021-02-08 18:13:02 +0100 | [diff] [blame] | 2051 | * PSA_ALG_CHACHA20 and PSA_ALG_ARC4 have been deprecated. |
Janos Follath | 7ac5fd1 | 2020-12-09 15:03:46 +0000 | [diff] [blame] | 2052 | Use PSA_ALG_STREAM_CIPHER instead. |
| 2053 | * The functions mbedtls_cipher_auth_encrypt() and |
| 2054 | mbedtls_cipher_auth_decrypt() are deprecated in favour of the new |
| 2055 | functions mbedtls_cipher_auth_encrypt_ext() and |
| 2056 | mbedtls_cipher_auth_decrypt_ext(). Please note that with AEAD ciphers, |
| 2057 | these new functions always append the tag to the ciphertext, and include |
| 2058 | the tag in the ciphertext length. |
| 2059 | |
| 2060 | Features |
Janos Follath | d6ce116 | 2020-12-09 16:32:01 +0000 | [diff] [blame] | 2061 | * Partial implementation of the new PSA Crypto accelerator APIs. (Symmetric |
| 2062 | ciphers, asymmetric signing/verification and key generation, validate_key |
| 2063 | entry point, and export_public_key interface.) |
Janos Follath | 7ac5fd1 | 2020-12-09 15:03:46 +0000 | [diff] [blame] | 2064 | * Add support for ECB to the PSA cipher API. |
Janos Follath | 7ac5fd1 | 2020-12-09 15:03:46 +0000 | [diff] [blame] | 2065 | * In PSA, allow using a key declared with a base key agreement algorithm |
| 2066 | in combined key agreement and derivation operations, as long as the key |
| 2067 | agreement algorithm in use matches the algorithm the key was declared with. |
| 2068 | This is currently non-standard behaviour, but expected to make it into a |
| 2069 | future revision of the PSA Crypto standard. |
| 2070 | * Add MBEDTLS_TARGET_PREFIX CMake variable, which is prefixed to the mbedtls, |
| 2071 | mbedcrypto, mbedx509 and apidoc CMake target names. This can be used by |
| 2072 | external CMake projects that include this one to avoid CMake target name |
| 2073 | clashes. The default value of this variable is "", so default target names |
| 2074 | are unchanged. |
| 2075 | * Add support for DTLS-SRTP as defined in RFC 5764. Contributed by Johan |
| 2076 | Pascal, improved by Ron Eldor. |
| 2077 | * In the PSA API, it is no longer necessary to open persistent keys: |
| 2078 | operations now accept the key identifier. The type psa_key_handle_t is now |
| 2079 | identical to psa_key_id_t instead of being platform-defined. This bridges |
| 2080 | the last major gap to compliance with the PSA Cryptography specification |
| 2081 | version 1.0.0. Opening persistent keys is still supported for backward |
| 2082 | compatibility, but will be deprecated and later removed in future |
| 2083 | releases. |
Janos Follath | 7ac5fd1 | 2020-12-09 15:03:46 +0000 | [diff] [blame] | 2084 | * PSA_AEAD_NONCE_LENGTH, PSA_AEAD_NONCE_MAX_SIZE, PSA_CIPHER_IV_LENGTH and |
| 2085 | PSA_CIPHER_IV_MAX_SIZE macros have been added as defined in version |
| 2086 | 1.0.0 of the PSA Crypto API specification. |
| 2087 | |
| 2088 | Security |
| 2089 | * The functions mbedtls_cipher_auth_encrypt() and |
| 2090 | mbedtls_cipher_auth_decrypt() would write past the minimum documented |
| 2091 | size of the output buffer when used with NIST_KW. As a result, code using |
| 2092 | those functions as documented with NIST_KW could have a buffer overwrite |
| 2093 | of up to 15 bytes, with consequences ranging up to arbitrary code |
| 2094 | execution depending on the location of the output buffer. |
| 2095 | * Limit the size of calculations performed by mbedtls_mpi_exp_mod to |
| 2096 | MBEDTLS_MPI_MAX_SIZE to prevent a potential denial of service when |
| 2097 | generating Diffie-Hellman key pairs. Credit to OSS-Fuzz. |
| 2098 | * A failure of the random generator was ignored in mbedtls_mpi_fill_random(), |
| 2099 | which is how most uses of randomization in asymmetric cryptography |
| 2100 | (including key generation, intermediate value randomization and blinding) |
| 2101 | are implemented. This could cause failures or the silent use of non-random |
| 2102 | values. A random generator can fail if it needs reseeding and cannot not |
| 2103 | obtain entropy, or due to an internal failure (which, for Mbed TLS's own |
| 2104 | CTR_DRBG or HMAC_DRBG, can only happen due to a misconfiguration). |
| 2105 | * Fix a compliance issue whereby we were not checking the tag on the |
| 2106 | algorithm parameters (only the size) when comparing the signature in the |
| 2107 | description part of the cert to the real signature. This meant that a |
| 2108 | NULL algorithm parameters entry would look identical to an array of REAL |
| 2109 | (size zero) to the library and thus the certificate would be considered |
| 2110 | valid. However, if the parameters do not match in *any* way then the |
| 2111 | certificate should be considered invalid, and indeed OpenSSL marks these |
| 2112 | certs as invalid when mbedtls did not. |
| 2113 | Many thanks to guidovranken who found this issue via differential fuzzing |
| 2114 | and reported it in #3629. |
| 2115 | * Zeroising of local buffers and variables which are used for calculations |
| 2116 | in mbedtls_pkcs5_pbkdf2_hmac(), mbedtls_internal_sha*_process(), |
| 2117 | mbedtls_internal_md*_process() and mbedtls_internal_ripemd160_process() |
| 2118 | functions to erase sensitive data from memory. Reported by |
| 2119 | Johan Malmgren and Johan Uppman Bruce from Sectra. |
| 2120 | |
| 2121 | Bugfix |
Janos Follath | 76027f6 | 2020-12-09 16:28:35 +0000 | [diff] [blame] | 2122 | * Fix an invalid (but nonzero) return code from mbedtls_pk_parse_subpubkey() |
| 2123 | when the input has trailing garbage. Fixes #2512. |
Janos Follath | 7ac5fd1 | 2020-12-09 15:03:46 +0000 | [diff] [blame] | 2124 | * Fix build failure in configurations where MBEDTLS_USE_PSA_CRYPTO is |
| 2125 | enabled but ECDSA is disabled. Contributed by jdurkop. Fixes #3294. |
| 2126 | * Include the psa_constant_names generated source code in the source tree |
| 2127 | instead of generating it at build time. Fixes #3524. |
| 2128 | * Fix rsa_prepare_blinding() to retry when the blinding value is not |
| 2129 | invertible (mod N), instead of returning MBEDTLS_ERR_RSA_RNG_FAILED. This |
| 2130 | addresses a regression but is rare in practice (approx. 1 in 2/sqrt(N)). |
| 2131 | Found by Synopsys Coverity, fix contributed by Peter Kolbus (Garmin). |
| 2132 | Fixes #3647. |
| 2133 | * Use socklen_t on Android and other POSIX-compliant system |
| 2134 | * Fix the build when the macro _GNU_SOURCE is defined to a non-empty value. |
| 2135 | Fix #3432. |
| 2136 | * Consistently return PSA_ERROR_INVALID_ARGUMENT on invalid cipher input |
| 2137 | sizes (instead of PSA_ERROR_BAD_STATE in some cases) to make the |
| 2138 | psa_cipher_* functions compliant with the PSA Crypto API specification. |
| 2139 | * mbedtls_ecp_curve_list() now lists Curve25519 and Curve448 under the names |
| 2140 | "x25519" and "x448". These curves support ECDH but not ECDSA. If you need |
| 2141 | only the curves that support ECDSA, filter the list with |
| 2142 | mbedtls_ecdsa_can_do(). |
| 2143 | * Fix psa_generate_key() returning an error when asked to generate |
| 2144 | an ECC key pair on Curve25519 or secp244k1. |
| 2145 | * Fix psa_key_derivation_output_key() to allow the output of a combined key |
| 2146 | agreement and subsequent key derivation operation to be used as a key |
| 2147 | inside of the PSA Crypto core. |
| 2148 | * Fix handling of EOF against 0xff bytes and on platforms with unsigned |
| 2149 | chars. Fixes a build failure on platforms where char is unsigned. Fixes |
| 2150 | #3794. |
| 2151 | * Fix an off-by-one error in the additional data length check for |
| 2152 | CCM, which allowed encryption with a non-standard length field. |
| 2153 | Fixes #3719. |
| 2154 | * Correct the default IV size for mbedtls_cipher_info_t structures using |
| 2155 | MBEDTLS_MODE_ECB to 0, since ECB mode ciphers don't use IVs. |
| 2156 | * Make arc4random_buf available on NetBSD and OpenBSD when _POSIX_C_SOURCE is |
| 2157 | defined. Fix contributed in #3571. |
| 2158 | * Fix conditions for including string.h in error.c. Fixes #3866. |
| 2159 | * psa_set_key_id() now also sets the lifetime to persistent for keys located |
| 2160 | in a secure element. |
| 2161 | * Attempting to create a volatile key with a non-zero key identifier now |
| 2162 | fails. Previously the key identifier was just ignored when creating a |
| 2163 | volatile key. |
| 2164 | * Attempting to create or register a key with a key identifier in the vendor |
| 2165 | range now fails. |
| 2166 | * Fix build failures on GCC 11. Fixes #3782. |
| 2167 | * Add missing arguments of debug message in mbedtls_ssl_decrypt_buf. |
| 2168 | * Fix a memory leak in mbedtls_mpi_sub_abs() when the result was negative |
| 2169 | (an error condition) and the second operand was aliased to the result. |
| 2170 | * Fix a case in elliptic curve arithmetic where an out-of-memory condition |
| 2171 | could go undetected, resulting in an incorrect result. |
| 2172 | * In CTR_DRBG and HMAC_DRBG, don't reset the reseed interval in seed(). |
| 2173 | Fixes #2927. |
| 2174 | * In PEM writing functions, fill the trailing part of the buffer with null |
| 2175 | bytes. This guarantees that the corresponding parsing function can read |
| 2176 | the buffer back, which was the case for mbedtls_x509write_{crt,csr}_pem |
| 2177 | until this property was inadvertently broken in Mbed TLS 2.19.0. |
| 2178 | Fixes #3682. |
| 2179 | * Fix a build failure that occurred with the MBEDTLS_AES_SETKEY_DEC_ALT |
| 2180 | option on. In this configuration key management methods that are required |
| 2181 | for MBEDTLS_CIPHER_MODE_XTS were excluded from the build and made it fail. |
| 2182 | Fixes #3818. Reported by John Stroebel. |
| 2183 | |
| 2184 | Changes |
| 2185 | * Reduce stack usage significantly during sliding window exponentiation. |
| 2186 | Reported in #3591 and fix contributed in #3592 by Daniel Otte. |
| 2187 | * The PSA persistent storage format is updated to always store the key bits |
| 2188 | attribute. No automatic upgrade path is provided. Previously stored keys |
| 2189 | must be erased, or manually upgraded based on the key storage format |
| 2190 | specification (docs/architecture/mbed-crypto-storage-specification.md). |
| 2191 | Fixes #3740. |
| 2192 | * Remove the zeroization of a pointer variable in AES rounds. It was valid |
| 2193 | but spurious and misleading since it looked like a mistaken attempt to |
| 2194 | zeroize the pointed-to buffer. Reported by Antonio de la Piedra, CEA |
| 2195 | Leti, France. |
| 2196 | |
Janos Follath | 6012f0e | 2020-08-26 15:32:10 +0100 | [diff] [blame] | 2197 | = mbed TLS 2.24.0 branch released 2020-09-01 |
Janos Follath | c18a7b8 | 2020-08-26 14:49:16 +0100 | [diff] [blame] | 2198 | |
| 2199 | API changes |
Janos Follath | 6012f0e | 2020-08-26 15:32:10 +0100 | [diff] [blame] | 2200 | * In the PSA API, rename the types of elliptic curve and Diffie-Hellman |
| 2201 | group families to psa_ecc_family_t and psa_dh_family_t, in line with the |
| 2202 | PSA Crypto API specification version 1.0.0. |
Janos Follath | c18a7b8 | 2020-08-26 14:49:16 +0100 | [diff] [blame] | 2203 | Rename associated macros as well: |
| 2204 | PSA_ECC_CURVE_xxx renamed to PSA_ECC_FAMILY_xxx |
| 2205 | PSA_DH_GROUP_xxx renamed to PSA_DH_FAMILY_xxx |
| 2206 | PSA_KEY_TYPE_GET_CURVE renamed to to PSA_KEY_TYPE_ECC_GET_FAMILY |
| 2207 | PSA_KEY_TYPE_GET_GROUP renamed to PSA_KEY_TYPE_DH_GET_FAMILY |
| 2208 | |
| 2209 | Default behavior changes |
| 2210 | * Stop storing persistent information about externally stored keys created |
| 2211 | through PSA Crypto with a volatile lifetime. Reported in #3288 and |
| 2212 | contributed by Steven Cooreman in #3382. |
| 2213 | |
| 2214 | Features |
| 2215 | * The new function mbedtls_ecp_write_key() exports private ECC keys back to |
| 2216 | a byte buffer. It is the inverse of the existing mbedtls_ecp_read_key(). |
| 2217 | * Support building on e2k (Elbrus) architecture: correctly enable |
| 2218 | -Wformat-signedness, and fix the code that causes signed-one-bit-field |
| 2219 | and sign-compare warnings. Contributed by makise-homura (Igor Molchanov) |
| 2220 | <akemi_homura@kurisa.ch>. |
| 2221 | |
| 2222 | Security |
| 2223 | * Fix a vulnerability in the verification of X.509 certificates when |
| 2224 | matching the expected common name (the cn argument of |
| 2225 | mbedtls_x509_crt_verify()) with the actual certificate name: when the |
| 2226 | subjecAltName extension is present, the expected name was compared to any |
| 2227 | name in that extension regardless of its type. This means that an |
| 2228 | attacker could for example impersonate a 4-bytes or 16-byte domain by |
| 2229 | getting a certificate for the corresponding IPv4 or IPv6 (this would |
| 2230 | require the attacker to control that IP address, though). Similar attacks |
| 2231 | using other subjectAltName name types might be possible. Found and |
| 2232 | reported by kFYatek in #3498. |
| 2233 | * When checking X.509 CRLs, a certificate was only considered as revoked if |
| 2234 | its revocationDate was in the past according to the local clock if |
| 2235 | available. In particular, on builds without MBEDTLS_HAVE_TIME_DATE, |
| 2236 | certificates were never considered as revoked. On builds with |
| 2237 | MBEDTLS_HAVE_TIME_DATE, an attacker able to control the local clock (for |
| 2238 | example, an untrusted OS attacking a secure enclave) could prevent |
| 2239 | revocation of certificates via CRLs. Fixed by no longer checking the |
| 2240 | revocationDate field, in accordance with RFC 5280. Reported by |
| 2241 | yuemonangong in #3340. Reported independently and fixed by |
| 2242 | Raoul Strackx and Jethro Beekman in #3433. |
| 2243 | * In (D)TLS record decryption, when using a CBC ciphersuites without the |
| 2244 | Encrypt-then-Mac extension, use constant code flow memory access patterns |
| 2245 | to extract and check the MAC. This is an improvement to the existing |
| 2246 | countermeasure against Lucky 13 attacks. The previous countermeasure was |
| 2247 | effective against network-based attackers, but less so against local |
| 2248 | attackers. The new countermeasure defends against local attackers, even |
| 2249 | if they have access to fine-grained measurements. In particular, this |
| 2250 | fixes a local Lucky 13 cache attack found and reported by Tuba Yavuz, |
| 2251 | Farhaan Fowze, Ken (Yihan) Bai, Grant Hernandez, and Kevin Butler |
| 2252 | (University of Florida) and Dave Tian (Purdue University). |
| 2253 | * Fix side channel in RSA private key operations and static (finite-field) |
| 2254 | Diffie-Hellman. An adversary with precise enough timing and memory access |
| 2255 | information (typically an untrusted operating system attacking a secure |
| 2256 | enclave) could bypass an existing counter-measure (base blinding) and |
| 2257 | potentially fully recover the private key. |
| 2258 | * Fix a 1-byte buffer overread in mbedtls_x509_crl_parse_der(). |
| 2259 | Credit to OSS-Fuzz for detecting the problem and to Philippe Antoine |
| 2260 | for pinpointing the problematic code. |
| 2261 | * Zeroising of plaintext buffers in mbedtls_ssl_read() to erase unused |
| 2262 | application data from memory. Reported in #689 by |
| 2263 | Johan Uppman Bruce of Sectra. |
| 2264 | |
| 2265 | Bugfix |
| 2266 | * Library files installed after a CMake build no longer have execute |
| 2267 | permission. |
Janos Follath | 6012f0e | 2020-08-26 15:32:10 +0100 | [diff] [blame] | 2268 | * Use local labels in mbedtls_padlock_has_support() to fix an invalid symbol |
| 2269 | redefinition if the function is inlined. |
Janos Follath | c18a7b8 | 2020-08-26 14:49:16 +0100 | [diff] [blame] | 2270 | Reported in #3451 and fix contributed in #3452 by okhowang. |
| 2271 | * Fix the endianness of Curve25519 keys imported/exported through the PSA |
| 2272 | APIs. psa_import_key and psa_export_key will now correctly expect/output |
| 2273 | Montgomery keys in little-endian as defined by RFC7748. Contributed by |
| 2274 | Steven Cooreman in #3425. |
| 2275 | * Fix build errors when the only enabled elliptic curves are Montgomery |
| 2276 | curves. Raised by signpainter in #941 and by Taiki-San in #1412. This |
| 2277 | also fixes missing declarations reported by Steven Cooreman in #1147. |
| 2278 | * Fix self-test failure when the only enabled short Weierstrass elliptic |
| 2279 | curve is secp192k1. Fixes #2017. |
| 2280 | * PSA key import will now correctly import a Curve25519/Curve448 public key |
| 2281 | instead of erroring out. Contributed by Steven Cooreman in #3492. |
| 2282 | * Use arc4random_buf on NetBSD instead of rand implementation with cyclical |
| 2283 | lower bits. Fix contributed in #3540. |
| 2284 | * Fix a memory leak in mbedtls_md_setup() when using HMAC under low memory |
| 2285 | conditions. Reported and fix suggested by Guido Vranken in #3486. |
| 2286 | * Fix bug in redirection of unit test outputs on platforms where stdout is |
| 2287 | defined as a macro. First reported in #2311 and fix contributed in #3528. |
| 2288 | |
| 2289 | Changes |
| 2290 | * Only pass -Wformat-signedness to versions of GCC that support it. Reported |
| 2291 | in #3478 and fix contributed in #3479 by okhowang. |
| 2292 | * Reduce the stack consumption of mbedtls_x509write_csr_der() which |
| 2293 | previously could lead to stack overflow on constrained devices. |
| 2294 | Contributed by Doru Gucea and Simon Leet in #3464. |
| 2295 | * Undefine the ASSERT macro before defining it locally, in case it is defined |
| 2296 | in a platform header. Contributed by Abdelatif Guettouche in #3557. |
| 2297 | * Update copyright notices to use Linux Foundation guidance. As a result, |
| 2298 | the copyright of contributors other than Arm is now acknowledged, and the |
| 2299 | years of publishing are no longer tracked in the source files. This also |
| 2300 | eliminates the need for the lines declaring the files to be part of |
| 2301 | MbedTLS. Fixes #3457. |
| 2302 | * Add the command line parameter key_pwd to the ssl_client2 and ssl_server2 |
| 2303 | example applications which allows to provide a password for the key file |
| 2304 | specified through the existing key_file argument. This allows the use of |
| 2305 | these applications with password-protected key files. Analogously but for |
| 2306 | ssl_server2 only, add the command line parameter key_pwd2 which allows to |
| 2307 | set a password for the key file provided through the existing key_file2 |
| 2308 | argument. |
| 2309 | |
Janos Follath | 13cba68 | 2020-06-26 12:40:52 +0100 | [diff] [blame] | 2310 | = mbed TLS 2.23.0 branch released 2020-07-01 |
Janos Follath | 1959010 | 2020-06-26 11:26:02 +0100 | [diff] [blame] | 2311 | |
| 2312 | Default behavior changes |
| 2313 | * In the experimental PSA secure element interface, change the encoding of |
| 2314 | key lifetimes to encode a persistence level and the location. Although C |
| 2315 | prototypes do not effectively change, code calling |
| 2316 | psa_register_se_driver() must be modified to pass the driver's location |
| 2317 | instead of the keys' lifetime. If the library is upgraded on an existing |
| 2318 | device, keys created with the old lifetime value will not be readable or |
| 2319 | removable through Mbed TLS after the upgrade. |
| 2320 | |
| 2321 | Features |
| 2322 | * New functions in the error module return constant strings for |
| 2323 | high- and low-level error codes, complementing mbedtls_strerror() |
| 2324 | which constructs a string for any error code, including compound |
| 2325 | ones, but requires a writable buffer. Contributed by Gaurav Aggarwal |
| 2326 | in #3176. |
| 2327 | * The new utility programs/ssl/ssl_context_info prints a human-readable |
| 2328 | dump of an SSL context saved with mbedtls_ssl_context_save(). |
| 2329 | * Add support for midipix, a POSIX layer for Microsoft Windows. |
| 2330 | * Add new mbedtls_x509_crt_parse_der_with_ext_cb() routine which allows |
| 2331 | parsing unsupported certificate extensions via user provided callback. |
| 2332 | Contributed by Nicola Di Lieto <nicola.dilieto@gmail.com> in #3243 as |
| 2333 | a solution to #3241. |
| 2334 | * Pass the "certificate policies" extension to the callback supplied to |
| 2335 | mbedtls_x509_crt_parse_der_with_ext_cb() if it contains unsupported |
| 2336 | policies (#3419). |
| 2337 | * Added support to entropy_poll for the kern.arandom syscall supported on |
| 2338 | some BSD systems. Contributed by Nia Alarie in #3423. |
| 2339 | * Add support for Windows 2000 in net_sockets. Contributed by opatomic. #3239 |
| 2340 | |
| 2341 | Security |
| 2342 | * Fix a side channel vulnerability in modular exponentiation that could |
| 2343 | reveal an RSA private key used in a secure enclave. Noticed by Sangho Lee, |
| 2344 | Ming-Wei Shih, Prasun Gera, Taesoo Kim and Hyesoon Kim (Georgia Institute |
| 2345 | of Technology); and Marcus Peinado (Microsoft Research). Reported by Raoul |
| 2346 | Strackx (Fortanix) in #3394. |
| 2347 | * Fix side channel in mbedtls_ecp_check_pub_priv() and |
| 2348 | mbedtls_pk_parse_key() / mbedtls_pk_parse_keyfile() (when loading a |
| 2349 | private key that didn't include the uncompressed public key), as well as |
| 2350 | mbedtls_ecp_mul() / mbedtls_ecp_mul_restartable() when called with a NULL |
| 2351 | f_rng argument. An attacker with access to precise enough timing and |
| 2352 | memory access information (typically an untrusted operating system |
| 2353 | attacking a secure enclave) could fully recover the ECC private key. |
| 2354 | Found and reported by Alejandro Cabrera Aldaya and Billy Brumley. |
| 2355 | * Fix issue in Lucky 13 counter-measure that could make it ineffective when |
| 2356 | hardware accelerators were used (using one of the MBEDTLS_SHAxxx_ALT |
| 2357 | macros). This would cause the original Lucky 13 attack to be possible in |
| 2358 | those configurations, allowing an active network attacker to recover |
| 2359 | plaintext after repeated timing measurements under some conditions. |
| 2360 | Reported and fix suggested by Luc Perneel in #3246. |
| 2361 | |
| 2362 | Bugfix |
| 2363 | * Fix the Visual Studio Release x64 build configuration for mbedtls itself. |
| 2364 | Completes a previous fix in Mbed TLS 2.19 that only fixed the build for |
| 2365 | the example programs. Reported in #1430 and fix contributed by irwir. |
| 2366 | * Fix undefined behavior in X.509 certificate parsing if the |
| 2367 | pathLenConstraint basic constraint value is equal to INT_MAX. |
| 2368 | The actual effect with almost every compiler is the intended |
| 2369 | behavior, so this is unlikely to be exploitable anywhere. #3192 |
| 2370 | * Fix issue with a detected HW accelerated record error not being exposed |
| 2371 | due to shadowed variable. Contributed by Sander Visser in #3310. |
| 2372 | * Avoid NULL pointer dereferencing if mbedtls_ssl_free() is called with a |
| 2373 | NULL pointer argument. Contributed by Sander Visser in #3312. |
| 2374 | * Fix potential linker errors on dual world platforms by inlining |
| 2375 | mbedtls_gcc_group_to_psa(). This allows the pk.c module to link separately |
| 2376 | from psa_crypto.c. Fixes #3300. |
| 2377 | * Remove dead code in X.509 certificate parsing. Contributed by irwir in |
| 2378 | #2855. |
| 2379 | * Include asn1.h in error.c. Fixes #3328 reported by David Hu. |
| 2380 | * Fix potential memory leaks in ecp_randomize_jac() and ecp_randomize_mxz() |
| 2381 | when PRNG function fails. Contributed by Jonas Lejeune in #3318. |
| 2382 | * Remove unused macros from MSVC projects. Reported in #3297 and fix |
| 2383 | submitted in #3333 by irwir. |
| 2384 | * Add additional bounds checks in ssl_write_client_hello() preventing |
| 2385 | output buffer overflow if the configuration declared a buffer that was |
| 2386 | too small. |
| 2387 | * Set _POSIX_C_SOURCE to at least 200112L in C99 code. Reported in #3420 and |
| 2388 | fix submitted in #3421 by Nia Alarie. |
| 2389 | * Fix building library/net_sockets.c and the ssl_mail_client program on |
| 2390 | NetBSD. Contributed by Nia Alarie in #3422. |
| 2391 | * Fix false positive uninitialised variable reported by cpp-check. |
| 2392 | Contributed by Sander Visser in #3311. |
| 2393 | * Update iv and len context pointers manually when reallocating buffers |
| 2394 | using the MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH feature. This caused issues |
| 2395 | when receiving a connection with CID, when these fields were shifted |
| 2396 | in ssl_parse_record_header(). |
| 2397 | |
| 2398 | Changes |
| 2399 | * Fix warnings about signedness issues in format strings. The build is now |
| 2400 | clean of -Wformat-signedness warnings. Contributed by Kenneth Soerensen |
| 2401 | in #3153. |
| 2402 | * Fix minor performance issue in operations on Curve25519 caused by using a |
| 2403 | suboptimal modular reduction in one place. Found and fix contributed by |
| 2404 | Aurelien Jarno in #3209. |
| 2405 | * Combine identical cases in switch statements in md.c. Contributed |
| 2406 | by irwir in #3208. |
| 2407 | * Simplify a bounds check in ssl_write_certificate_request(). Contributed |
| 2408 | by irwir in #3150. |
| 2409 | * Unify the example programs termination to call mbedtls_exit() instead of |
| 2410 | using a return command. This has been done to enable customization of the |
| 2411 | behavior in bare metal environments. |
| 2412 | * Fix mbedtls_x509_dn_gets to escape non-ASCII characters as "?". |
| 2413 | Contributed by Koh M. Nakagawa in #3326. |
| 2414 | * Use FindPython3 when cmake version >= 3.15.0 |
| 2415 | * Abort the ClientHello writing function as soon as some extension doesn't |
| 2416 | fit into the record buffer. Previously, such extensions were silently |
| 2417 | dropped. As a consequence, the TLS handshake now fails when the output |
| 2418 | buffer is not large enough to hold the ClientHello. |
David Horstmann | 5b93d97 | 2024-10-31 15:36:05 +0000 | [diff] [blame] | 2419 | * The unit tests now rely on header files in framework/tests/include/test and source |
| 2420 | files in framework/tests/src. When building with make or cmake, the files in |
| 2421 | framework/tests/src are compiled and the resulting object linked into each test |
Janos Follath | 1959010 | 2020-06-26 11:26:02 +0100 | [diff] [blame] | 2422 | executable. |
| 2423 | * The ECP module, enabled by `MBEDTLS_ECP_C`, now depends on |
| 2424 | `MBEDTLS_CTR_DRBG_C` or `MBEDTLS_HMAC_DRBG_C` for some side-channel |
| 2425 | coutermeasures. If side channels are not a concern, this dependency can |
| 2426 | be avoided by enabling the new option `MBEDTLS_ECP_NO_INTERNAL_RNG`. |
| 2427 | * Align MSVC error flag with GCC and Clang. Contributed by Carlos Gomes |
| 2428 | Martinho. #3147 |
| 2429 | * Remove superfluous assignment in mbedtls_ssl_parse_certificate(). Reported |
| 2430 | in #3182 and fix submitted by irwir. #3217 |
| 2431 | * Fix typo in XTS tests. Reported and fix submitted by Kxuan. #3319 |
| 2432 | |
Janos Follath | 876e025 | 2020-04-08 17:15:18 +0100 | [diff] [blame] | 2433 | = mbed TLS 2.22.0 branch released 2020-04-14 |
Andres Amaya Garcia | 84b4e79 | 2018-12-05 22:39:38 +0000 | [diff] [blame] | 2434 | |
| 2435 | New deprecations |
| 2436 | * Deprecate MBEDTLS_SSL_HW_RECORD_ACCEL that enables function hooks in the |
| 2437 | SSL module for hardware acceleration of individual records. |
Andrzej Kurek | 90c6e84 | 2020-04-03 05:25:29 -0400 | [diff] [blame] | 2438 | * Deprecate mbedtls_ssl_get_max_frag_len() in favour of |
| 2439 | mbedtls_ssl_get_output_max_frag_len() and |
| 2440 | mbedtls_ssl_get_input_max_frag_len() to be more precise about which max |
| 2441 | fragment length is desired. |
Andres Amaya Garcia | 84b4e79 | 2018-12-05 22:39:38 +0000 | [diff] [blame] | 2442 | |
Manuel Pégourié-Gonnard | 824655c | 2020-03-11 12:51:42 +0100 | [diff] [blame] | 2443 | Security |
| 2444 | * Fix issue in DTLS handling of new associations with the same parameters |
| 2445 | (RFC 6347 section 4.2.8): an attacker able to send forged UDP packets to |
| 2446 | the server could cause it to drop established associations with |
| 2447 | legitimate clients, resulting in a Denial of Service. This could only |
| 2448 | happen when MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE was enabled in config.h |
| 2449 | (which it is by default). |
Manuel Pégourié-Gonnard | a4aa89b | 2020-03-25 12:41:29 +0100 | [diff] [blame] | 2450 | * Fix side channel in ECC code that allowed an adversary with access to |
| 2451 | precise enough timing and memory access information (typically an |
| 2452 | untrusted operating system attacking a secure enclave) to fully recover |
| 2453 | an ECDSA private key. Found and reported by Alejandro Cabrera Aldaya, |
| 2454 | Billy Brumley and Cesar Pereida Garcia. CVE-2020-10932 |
Gilles Peskine | 1c66813 | 2019-09-27 14:07:00 +0200 | [diff] [blame] | 2455 | * Fix a potentially remotely exploitable buffer overread in a |
| 2456 | DTLS client when parsing the Hello Verify Request message. |
Manuel Pégourié-Gonnard | 824655c | 2020-03-11 12:51:42 +0100 | [diff] [blame] | 2457 | |
Janos Follath | ee85686 | 2020-04-08 16:58:36 +0100 | [diff] [blame] | 2458 | Features |
| 2459 | * The new build option MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH automatically |
| 2460 | resizes the I/O buffers before and after handshakes, reducing the memory |
| 2461 | consumption during application data transfer. |
| 2462 | |
Manuel Pégourié-Gonnard | 830540b | 2020-02-26 09:58:26 +0100 | [diff] [blame] | 2463 | Bugfix |
| 2464 | * Fix compilation failure when both MBEDTLS_SSL_PROTO_DTLS and |
| 2465 | MBEDTLS_SSL_HW_RECORD_ACCEL are enabled. |
irwir | 6527bd6 | 2019-09-21 18:51:25 +0300 | [diff] [blame] | 2466 | * Remove a spurious check in ssl_parse_client_psk_identity that triggered |
| 2467 | a warning with some compilers. Fix contributed by irwir in #2856. |
Janos Follath | 940bc00 | 2020-04-09 09:34:47 +0100 | [diff] [blame] | 2468 | * Fix a function name in a debug message. Contributed by Ercan Ozturk in |
| 2469 | #3013. |
Manuel Pégourié-Gonnard | 830540b | 2020-02-26 09:58:26 +0100 | [diff] [blame] | 2470 | |
Gilles Peskine | 2f084fe | 2020-03-02 21:48:03 +0100 | [diff] [blame] | 2471 | Changes |
| 2472 | * Mbed Crypto is no longer a Git submodule. The crypto part of the library |
| 2473 | is back directly in the present repository. |
Andrzej Kurek | 90c6e84 | 2020-04-03 05:25:29 -0400 | [diff] [blame] | 2474 | * Split mbedtls_ssl_get_max_frag_len() into |
| 2475 | mbedtls_ssl_get_output_max_frag_len() and |
| 2476 | mbedtls_ssl_get_input_max_frag_len() to ensure that a sufficient input |
| 2477 | buffer is allocated by the server (if MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH |
| 2478 | is defined), regardless of what MFL was configured for it. |
Gilles Peskine | 2f084fe | 2020-03-02 21:48:03 +0100 | [diff] [blame] | 2479 | |
Janos Follath | 138c2ea | 2020-02-19 14:32:24 +0000 | [diff] [blame] | 2480 | = mbed TLS 2.21.0 branch released 2020-02-20 |
Jaeden Amero | 62236d7 | 2020-01-24 18:20:22 +0000 | [diff] [blame] | 2481 | |
Andres Amaya Garcia | 0963424 | 2018-11-29 09:55:41 +0000 | [diff] [blame] | 2482 | New deprecations |
| 2483 | * Deprecate MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO that enables parsing |
| 2484 | SSLv2 ClientHello messages. |
Andres Amaya Garcia | 88c2cc7 | 2018-11-29 09:56:02 +0000 | [diff] [blame] | 2485 | * Deprecate MBEDTLS_SSL_PROTO_SSL3 that enables support for SSLv3. |
Gilles Peskine | 907e95a | 2020-01-23 15:51:40 +0100 | [diff] [blame] | 2486 | * Deprecate for MBEDTLS_PKCS11_C, the wrapper around the pkcs11-helper |
| 2487 | library which allows TLS authentication to use keys stored in a |
| 2488 | PKCS#11 token such as a smartcard. |
Andres Amaya Garcia | 0963424 | 2018-11-29 09:55:41 +0000 | [diff] [blame] | 2489 | |
Gilles Peskine | f142d4c | 2020-02-11 19:05:03 +0100 | [diff] [blame] | 2490 | Security |
| 2491 | * Fix potential memory overread when performing an ECDSA signature |
| 2492 | operation. The overread only happens with cryptographically low |
| 2493 | probability (of the order of 2^-n where n is the bitsize of the curve) |
| 2494 | unless the RNG is broken, and could result in information disclosure or |
| 2495 | denial of service (application crash or extra resource consumption). |
| 2496 | Found by Auke Zeilstra and Peter Schwabe, using static analysis. |
Gilles Peskine | 25a5c09 | 2020-02-11 19:12:49 +0100 | [diff] [blame] | 2497 | * To avoid a side channel vulnerability when parsing an RSA private key, |
| 2498 | read all the CRT parameters from the DER structure rather than |
| 2499 | reconstructing them. Found by Alejandro Cabrera Aldaya and Billy Bob |
| 2500 | Brumley. Reported and fix contributed by Jack Lloyd. |
| 2501 | ARMmbed/mbed-crypto#352 |
Gilles Peskine | f142d4c | 2020-02-11 19:05:03 +0100 | [diff] [blame] | 2502 | |
| 2503 | Features |
| 2504 | * The new build option MBEDTLS_SHA512_NO_SHA384 allows building SHA-512 |
| 2505 | support without SHA-384. |
| 2506 | |
| 2507 | API changes |
| 2508 | * Change the encoding of key types and curves in the PSA API. The new |
| 2509 | values are aligned with the upcoming release of the PSA Crypto API |
| 2510 | specification version 1.0.0. The main change which may break some |
| 2511 | existing code is that elliptic curve key types no longer encode the |
| 2512 | exact curve: a psa_ecc_curve_t or psa_key_type_t value only encodes |
| 2513 | a curve family and the key size determines the exact curve (for example, |
| 2514 | PSA_ECC_CURVE_SECP_R1 with 256 bits is P256R1). ARMmbed/mbed-crypto#330 |
| 2515 | |
Jaeden Amero | 62236d7 | 2020-01-24 18:20:22 +0000 | [diff] [blame] | 2516 | Bugfix |
Gilles Peskine | 4073d4e | 2020-01-22 18:58:20 +0100 | [diff] [blame] | 2517 | * Fix an unchecked call to mbedtls_md() in the x509write module. |
Gilles Peskine | 80fcace | 2020-01-22 19:18:35 +0100 | [diff] [blame] | 2518 | * Fix build failure with MBEDTLS_ZLIB_SUPPORT enabled. Reported by |
| 2519 | Jack Lloyd in #2859. Fix submitted by jiblime in #2963. |
Gilles Peskine | 393defe | 2020-02-11 15:31:18 +0100 | [diff] [blame] | 2520 | * Fix some false-positive uninitialized variable warnings in X.509. Fix |
| 2521 | contributed by apple-ihack-geek in #2663. |
Gilles Peskine | 25a5c09 | 2020-02-11 19:12:49 +0100 | [diff] [blame] | 2522 | * Fix a possible error code mangling in psa_mac_verify_finish() when |
| 2523 | a cryptographic accelerator fails. ARMmbed/mbed-crypto#345 |
Janos Follath | d1692ee | 2020-02-19 11:23:55 +0000 | [diff] [blame] | 2524 | * Fix a bug in mbedtls_pk_parse_key() that would cause it to accept some |
| 2525 | RSA keys that would later be rejected by functions expecting private |
| 2526 | keys. Found by Catena cyber using oss-fuzz (issue 20467). |
| 2527 | * Fix a bug in mbedtls_pk_parse_key() that would cause it to |
| 2528 | accept some RSA keys with invalid values by silently fixing those values. |
Jaeden Amero | 62236d7 | 2020-01-24 18:20:22 +0000 | [diff] [blame] | 2529 | |
Jaeden Amero | d56a2af | 2020-01-15 18:07:20 +0000 | [diff] [blame] | 2530 | = mbed TLS 2.20.0 branch released 2020-01-15 |
irwir | 6c0da64 | 2019-09-26 21:07:41 +0300 | [diff] [blame] | 2531 | |
Gilles Peskine | 6a4c340 | 2020-01-22 18:28:24 +0100 | [diff] [blame] | 2532 | Default behavior changes |
Gilles Peskine | 8c7d2c2 | 2020-01-22 19:02:09 +0100 | [diff] [blame] | 2533 | * The initial seeding of a CTR_DRBG instance makes a second call to the |
Gilles Peskine | 6a4c340 | 2020-01-22 18:28:24 +0100 | [diff] [blame] | 2534 | entropy function to obtain entropy for a nonce if the entropy size is less |
| 2535 | than 3/2 times the key size. In case you want to disable the extra call to |
Gilles Peskine | 8c7d2c2 | 2020-01-22 19:02:09 +0100 | [diff] [blame] | 2536 | grab entropy, you can call mbedtls_ctr_drbg_set_nonce_len() to force the |
Gilles Peskine | 6a4c340 | 2020-01-22 18:28:24 +0100 | [diff] [blame] | 2537 | nonce length to 0. |
| 2538 | |
| 2539 | Security |
Gilles Peskine | 8c7d2c2 | 2020-01-22 19:02:09 +0100 | [diff] [blame] | 2540 | * Enforce that mbedtls_entropy_func() gathers a total of |
| 2541 | MBEDTLS_ENTROPY_BLOCK_SIZE bytes or more from strong sources. In the |
Gilles Peskine | 6a4c340 | 2020-01-22 18:28:24 +0100 | [diff] [blame] | 2542 | default configuration, on a platform with a single entropy source, the |
| 2543 | entropy module formerly only grabbed 32 bytes, which is good enough for |
| 2544 | security if the source is genuinely strong, but less than the expected 64 |
| 2545 | bytes (size of the entropy accumulator). |
Gilles Peskine | e3b285d | 2020-01-27 14:01:42 +0100 | [diff] [blame] | 2546 | * Zeroize local variables in mbedtls_internal_aes_encrypt() and |
| 2547 | mbedtls_internal_aes_decrypt() before exiting the function. The value of |
| 2548 | these variables can be used to recover the last round key. To follow best |
| 2549 | practice and to limit the impact of buffer overread vulnerabilities (like |
| 2550 | Heartbleed) we need to zeroize them before exiting the function. |
| 2551 | Issue reported by Tuba Yavuz, Farhaan Fowze, Ken (Yihang) Bai, |
| 2552 | Grant Hernandez, and Kevin Butler (University of Florida) and |
| 2553 | Dave Tian (Purdue University). |
| 2554 | * Fix side channel vulnerability in ECDSA. Our bignum implementation is not |
| 2555 | constant time/constant trace, so side channel attacks can retrieve the |
| 2556 | blinded value, factor it (as it is smaller than RSA keys and not guaranteed |
| 2557 | to have only large prime factors), and then, by brute force, recover the |
| 2558 | key. Reported by Alejandro Cabrera Aldaya and Billy Brumley. |
| 2559 | * Fix side channel vulnerability in ECDSA key generation. Obtaining precise |
| 2560 | timings on the comparison in the key generation enabled the attacker to |
| 2561 | learn leading bits of the ephemeral key used during ECDSA signatures and to |
| 2562 | recover the private key. Reported by Jeremy Dubeuf. |
| 2563 | * Catch failure of AES functions in mbedtls_ctr_drbg_random(). Uncaught |
| 2564 | failures could happen with alternative implementations of AES. Bug |
| 2565 | reported and fix proposed by Johan Uppman Bruce and Christoffer Lauri, |
| 2566 | Sectra. |
Gilles Peskine | 6a4c340 | 2020-01-22 18:28:24 +0100 | [diff] [blame] | 2567 | |
| 2568 | Features |
| 2569 | * Key derivation inputs in the PSA API can now either come from a key object |
| 2570 | or from a buffer regardless of the step type. |
| 2571 | * The CTR_DRBG module can grab a nonce from the entropy source during the |
| 2572 | initial seeding. The default nonce length is chosen based on the key size |
| 2573 | to achieve the security strength defined by NIST SP 800-90A. You can |
Gilles Peskine | 8c7d2c2 | 2020-01-22 19:02:09 +0100 | [diff] [blame] | 2574 | change it with mbedtls_ctr_drbg_set_nonce_len(). |
Gilles Peskine | 6a4c340 | 2020-01-22 18:28:24 +0100 | [diff] [blame] | 2575 | * Add ENUMERATED tag support to the ASN.1 module. Contributed by |
Gilles Peskine | 50f5770 | 2020-01-22 19:02:59 +0100 | [diff] [blame] | 2576 | msopiha-linaro in ARMmbed/mbed-crypto#307. |
Gilles Peskine | 6a4c340 | 2020-01-22 18:28:24 +0100 | [diff] [blame] | 2577 | |
| 2578 | API changes |
| 2579 | * In the PSA API, forbid zero-length keys. To pass a zero-length input to a |
| 2580 | key derivation function, use a buffer instead (this is now always |
| 2581 | possible). |
Gilles Peskine | 8c7d2c2 | 2020-01-22 19:02:09 +0100 | [diff] [blame] | 2582 | * Rename psa_asymmetric_sign() to psa_sign_hash() and |
| 2583 | psa_asymmetric_verify() to psa_verify_hash(). |
Gilles Peskine | 6a4c340 | 2020-01-22 18:28:24 +0100 | [diff] [blame] | 2584 | |
irwir | 6c0da64 | 2019-09-26 21:07:41 +0300 | [diff] [blame] | 2585 | Bugfix |
| 2586 | * Fix an incorrect size in a debugging message. Reported and fix |
| 2587 | submitted by irwir. Fixes #2717. |
| 2588 | * Fix an unused variable warning when compiling without DTLS. |
| 2589 | Reported and fix submitted by irwir. Fixes #2800. |
| 2590 | * Remove a useless assignment. Reported and fix submitted by irwir. |
| 2591 | Fixes #2801. |
Gilles Peskine | 6a4c340 | 2020-01-22 18:28:24 +0100 | [diff] [blame] | 2592 | * Fix a buffer overflow in the PSA HMAC code when using a long key with an |
Gilles Peskine | 50f5770 | 2020-01-22 19:02:59 +0100 | [diff] [blame] | 2593 | unsupported algorithm. Fixes ARMmbed/mbed-crypto#254. |
Gilles Peskine | 8c7d2c2 | 2020-01-22 19:02:09 +0100 | [diff] [blame] | 2594 | * Fix mbedtls_asn1_get_int to support any number of leading zeros. Credit |
Gilles Peskine | 6a4c340 | 2020-01-22 18:28:24 +0100 | [diff] [blame] | 2595 | to OSS-Fuzz for finding a bug in an intermediate version of the fix. |
Gilles Peskine | 8c7d2c2 | 2020-01-22 19:02:09 +0100 | [diff] [blame] | 2596 | * Fix mbedtls_asn1_get_bitstring_null to correctly parse bitstrings of at |
Gilles Peskine | 6a4c340 | 2020-01-22 18:28:24 +0100 | [diff] [blame] | 2597 | most 2 bytes. |
Gilles Peskine | 8c7d2c2 | 2020-01-22 19:02:09 +0100 | [diff] [blame] | 2598 | * mbedtls_ctr_drbg_set_entropy_len() and |
| 2599 | mbedtls_hmac_drbg_set_entropy_len() now work if you call them before |
| 2600 | mbedtls_ctr_drbg_seed() or mbedtls_hmac_drbg_seed(). |
Gilles Peskine | 6a4c340 | 2020-01-22 18:28:24 +0100 | [diff] [blame] | 2601 | |
| 2602 | Changes |
Gilles Peskine | 8c7d2c2 | 2020-01-22 19:02:09 +0100 | [diff] [blame] | 2603 | * Remove the technical possibility to define custom mbedtls_md_info |
Gilles Peskine | 6a4c340 | 2020-01-22 18:28:24 +0100 | [diff] [blame] | 2604 | structures, which was exposed only in an internal header. |
Gilles Peskine | 8c7d2c2 | 2020-01-22 19:02:09 +0100 | [diff] [blame] | 2605 | * psa_close_key(0) and psa_destroy_key(0) now succeed (doing nothing, as |
Gilles Peskine | 6a4c340 | 2020-01-22 18:28:24 +0100 | [diff] [blame] | 2606 | before). |
| 2607 | * Variables containing error codes are now initialized to an error code |
| 2608 | rather than success, so that coding mistakes or memory corruption tends to |
| 2609 | cause functions to return this error code rather than a success. There are |
| 2610 | no known instances where this changes the behavior of the library: this is |
Gilles Peskine | 50f5770 | 2020-01-22 19:02:59 +0100 | [diff] [blame] | 2611 | merely a robustness improvement. ARMmbed/mbed-crypto#323 |
Gilles Peskine | 8c7d2c2 | 2020-01-22 19:02:09 +0100 | [diff] [blame] | 2612 | * Remove a useless call to mbedtls_ecp_group_free(). Contributed by |
Gilles Peskine | 50f5770 | 2020-01-22 19:02:59 +0100 | [diff] [blame] | 2613 | Alexander Krizhanovsky in ARMmbed/mbed-crypto#210. |
Gilles Peskine | 6a4c340 | 2020-01-22 18:28:24 +0100 | [diff] [blame] | 2614 | * Speed up PBKDF2 by caching the digest calculation. Contributed by Jack |
Gilles Peskine | 50f5770 | 2020-01-22 19:02:59 +0100 | [diff] [blame] | 2615 | Lloyd and Fortanix Inc in ARMmbed/mbed-crypto#277. |
Gilles Peskine | 8c7d2c2 | 2020-01-22 19:02:09 +0100 | [diff] [blame] | 2616 | * Small performance improvement of mbedtls_mpi_div_mpi(). Contributed by |
Gilles Peskine | 50f5770 | 2020-01-22 19:02:59 +0100 | [diff] [blame] | 2617 | Alexander Krizhanovsky in ARMmbed/mbed-crypto#308. |
irwir | 6c0da64 | 2019-09-26 21:07:41 +0300 | [diff] [blame] | 2618 | |
Jaeden Amero | 914a507 | 2019-09-18 13:35:57 +0100 | [diff] [blame] | 2619 | = mbed TLS 2.19.1 branch released 2019-09-16 |
| 2620 | |
| 2621 | Features |
Zachary J. Fields | 96134ef | 2020-01-27 16:12:02 -0600 | [diff] [blame] | 2622 | * Declare include headers as PUBLIC to propagate to CMake project consumers |
| 2623 | Contributed by Zachary J. Fields in PR #2949. |
Jaeden Amero | 914a507 | 2019-09-18 13:35:57 +0100 | [diff] [blame] | 2624 | * Add nss_keylog to ssl_client2 and ssl_server2, enabling easier analysis of |
| 2625 | TLS sessions with tools like Wireshark. |
| 2626 | |
| 2627 | API Changes |
| 2628 | * Make client_random and server_random const in |
| 2629 | mbedtls_ssl_export_keys_ext_t, so that the key exporter is discouraged |
| 2630 | from modifying the client/server hello. |
| 2631 | |
Gilles Peskine | 3ca1bcc | 2019-09-30 17:20:23 +0200 | [diff] [blame] | 2632 | Bugfix |
Gilles Peskine | 393defe | 2020-02-11 15:31:18 +0100 | [diff] [blame] | 2633 | * Fix some false-positive uninitialized variable warnings in crypto. Fix |
Gilles Peskine | 3ca1bcc | 2019-09-30 17:20:23 +0200 | [diff] [blame] | 2634 | contributed by apple-ihack-geek in #2663. |
| 2635 | |
Jaeden Amero | 4197f0e | 2019-09-06 14:40:10 +0100 | [diff] [blame] | 2636 | = mbed TLS 2.19.0 branch released 2019-09-06 |
Jaeden Amero | d5d01a0 | 2019-03-26 14:50:06 +0000 | [diff] [blame] | 2637 | |
Gilles Peskine | 5215783 | 2018-08-11 00:51:04 +0200 | [diff] [blame] | 2638 | Security |
Jaeden Amero | 4197f0e | 2019-09-06 14:40:10 +0100 | [diff] [blame] | 2639 | * Fix a missing error detection in ECJPAKE. This could have caused a |
| 2640 | predictable shared secret if a hardware accelerator failed and the other |
| 2641 | side of the key exchange had a similar bug. |
Gilles Peskine | 5215783 | 2018-08-11 00:51:04 +0200 | [diff] [blame] | 2642 | * When writing a private EC key, use a constant size for the private |
| 2643 | value, as specified in RFC 5915. Previously, the value was written |
| 2644 | as an ASN.1 INTEGER, which caused the size of the key to leak |
| 2645 | about 1 bit of information on average and could cause the value to be |
| 2646 | 1 byte too large for the output buffer. |
Janos Follath | 12fff15 | 2019-01-04 16:18:46 +0000 | [diff] [blame] | 2647 | * The deterministic ECDSA calculation reused the scheme's HMAC-DRBG to |
| 2648 | implement blinding. Because of this for the same key and message the same |
| 2649 | blinding value was generated. This reduced the effectiveness of the |
| 2650 | countermeasure and leaked information about the private key through side |
| 2651 | channels. Reported by Jack Lloyd. |
Gilles Peskine | 5215783 | 2018-08-11 00:51:04 +0200 | [diff] [blame] | 2652 | |
Jaeden Amero | c73fde7 | 2019-03-27 14:50:21 +0000 | [diff] [blame] | 2653 | Features |
Manuel Pégourié-Gonnard | 6472263 | 2019-05-24 10:23:55 +0200 | [diff] [blame] | 2654 | * Add new API functions mbedtls_ssl_session_save() and |
Manuel Pégourié-Gonnard | 686adb4 | 2019-06-03 09:55:16 +0200 | [diff] [blame] | 2655 | mbedtls_ssl_session_load() to allow serializing a session, for example to |
Manuel Pégourié-Gonnard | 6472263 | 2019-05-24 10:23:55 +0200 | [diff] [blame] | 2656 | store it in non-volatile storage, and later using it for TLS session |
| 2657 | resumption. |
Jarno Lamsa | 9e90df5 | 2019-08-23 09:08:31 +0300 | [diff] [blame] | 2658 | * Add a new API function mbedtls_ssl_check_record() to allow checking that |
| 2659 | an incoming record is valid, authentic and has not been seen before. This |
| 2660 | feature can be used alongside Connection ID and SSL context serialisation. |
| 2661 | The feature is enabled at compile-time by MBEDTLS_SSL_RECORD_CHECKING |
| 2662 | option. |
Jaeden Amero | 49fcbea | 2019-08-30 15:50:45 +0100 | [diff] [blame] | 2663 | * New implementation of X25519 (ECDH using Curve25519) from Project Everest |
| 2664 | (https://project-everest.github.io/). It can be enabled at compile time |
| 2665 | with MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED. This implementation is formally |
| 2666 | verified and significantly faster, but is only supported on x86 platforms |
| 2667 | (32-bit and 64-bit) using GCC, Clang or Visual Studio. Contributed by |
| 2668 | Christoph Wintersteiger from Microsoft Research. |
Jaeden Amero | 8dd6bc7 | 2019-09-03 16:41:51 +0100 | [diff] [blame] | 2669 | * Add mbedtls_net_close(), enabling the building of forking servers where |
| 2670 | the parent process closes the client socket and continue accepting, and |
| 2671 | the child process closes the listening socket and handles the client |
| 2672 | socket. Contributed by Robert Larsen in #2803. |
Jaeden Amero | c73fde7 | 2019-03-27 14:50:21 +0000 | [diff] [blame] | 2673 | |
Gilles Peskine | 60b29d6 | 2019-08-14 18:37:59 +0200 | [diff] [blame] | 2674 | API Changes |
Gilles Peskine | 60b29d6 | 2019-08-14 18:37:59 +0200 | [diff] [blame] | 2675 | * Add DER-encoded test CRTs to library/certs.c, allowing |
| 2676 | the example programs ssl_server2 and ssl_client2 to be run |
| 2677 | if MBEDTLS_FS_IO and MBEDTLS_PEM_PARSE_C are unset. Fixes #2254. |
| 2678 | * The HAVEGE state type now uses uint32_t elements instead of int. |
Jaeden Amero | 49fcbea | 2019-08-30 15:50:45 +0100 | [diff] [blame] | 2679 | * The functions mbedtls_ecp_curve_list() and mbedtls_ecp_grp_id_list() now |
| 2680 | list all curves for which at least one of ECDH or ECDSA is supported, not |
| 2681 | just curves for which both are supported. Call mbedtls_ecdsa_can_do() or |
| 2682 | mbedtls_ecdh_can_do() on each result to check whether each algorithm is |
| 2683 | supported. |
Jaeden Amero | 4197f0e | 2019-09-06 14:40:10 +0100 | [diff] [blame] | 2684 | * The new function mbedtls_ecdsa_sign_det_ext() is similar to |
| 2685 | mbedtls_ecdsa_sign_det() but allows passing an external RNG for the |
| 2686 | purpose of blinding. |
Janos Follath | 12fff15 | 2019-01-04 16:18:46 +0000 | [diff] [blame] | 2687 | |
| 2688 | New deprecations |
| 2689 | * Deprecate mbedtls_ecdsa_sign_det() in favor of a functions that can take an |
| 2690 | RNG function as an input. |
| 2691 | * Calling mbedtls_ecdsa_write_signature() with NULL as the f_rng argument |
| 2692 | is now deprecated. |
Gilles Peskine | 60b29d6 | 2019-08-14 18:37:59 +0200 | [diff] [blame] | 2693 | |
Jaeden Amero | d5d01a0 | 2019-03-26 14:50:06 +0000 | [diff] [blame] | 2694 | Bugfix |
Hanno Becker | 3c03a88 | 2019-06-04 10:27:43 +0100 | [diff] [blame] | 2695 | * Fix missing bounds checks in X.509 parsing functions that could |
| 2696 | lead to successful parsing of ill-formed X.509 CRTs. Fixes #2437. |
| 2697 | * Fix multiple X.509 functions previously returning ASN.1 low-level error |
| 2698 | codes to always wrap these codes into X.509 high level error codes before |
| 2699 | returning. Fixes #2431. |
Simon Butcher | f35bb5a | 2019-04-18 15:57:30 +0100 | [diff] [blame] | 2700 | * Fix to allow building test suites with any warning that detects unused |
| 2701 | functions. Fixes #1628. |
Jaeden Amero | a152e42 | 2019-05-29 09:38:29 +0100 | [diff] [blame] | 2702 | * Fix typo in net_would_block(). Fixes #528 reported by github-monoculture. |
Jaeden Amero | a180926 | 2019-05-30 13:15:33 +0100 | [diff] [blame] | 2703 | * Remove redundant include file in timing.c. Fixes #2640 reported by irwir. |
Jaeden Amero | 32eb58f | 2019-05-30 13:18:24 +0100 | [diff] [blame] | 2704 | * Fix build failure when building with mingw on Windows by including |
| 2705 | stdarg.h where needed. Fixes #2656. |
Jaeden Amero | 4f4af6e | 2019-06-03 08:13:10 +0100 | [diff] [blame] | 2706 | * Fix Visual Studio Release x64 build configuration by inheriting |
| 2707 | PlatformToolset from the project configuration. Fixes #1430 reported by |
| 2708 | irwir. |
Jaeden Amero | d431104 | 2019-06-03 08:27:16 +0100 | [diff] [blame] | 2709 | * Enable Suite B with subset of ECP curves. Make sure the code compiles even |
| 2710 | if some curves are not defined. Fixes #1591 reported by dbedev. |
Gilles Peskine | f3820e3 | 2019-06-07 16:42:35 +0200 | [diff] [blame] | 2711 | * Fix misuse of signed arithmetic in the HAVEGE module. #2598 |
Hanno Becker | 73540c0 | 2019-05-04 08:18:09 +0100 | [diff] [blame] | 2712 | * Avoid use of statically sized stack buffers for certificate writing. |
| 2713 | This previously limited the maximum size of DER encoded certificates |
| 2714 | in mbedtls_x509write_crt_der() to 2Kb. Reported by soccerGB in #2631. |
Sébastien Duquette | 661d725 | 2019-06-23 17:45:26 -0400 | [diff] [blame] | 2715 | * Fix partial zeroing in x509_get_other_name. Found and fixed by ekse, #2716. |
Gilles Peskine | 55603ee | 2019-08-03 14:08:46 +0200 | [diff] [blame] | 2716 | * Update test certificates that were about to expire. Reported by |
| 2717 | Bernhard M. Wiedemann in #2357. |
Gilles Peskine | a5cb7d4 | 2019-08-05 11:34:11 +0200 | [diff] [blame] | 2718 | * Fix the build on ARMv5TE in ARM mode to not use assembly instructions |
| 2719 | that are only available in Thumb mode. Fix contributed by Aurelien Jarno |
| 2720 | in #2169. |
Hanno Becker | bf84d50 | 2019-07-19 12:52:08 +0100 | [diff] [blame] | 2721 | * Fix propagation of restart contexts in restartable EC operations. |
| 2722 | This could previously lead to segmentation faults in builds using an |
| 2723 | address-sanitizer and enabling but not using MBEDTLS_ECP_RESTARTABLE. |
Jaeden Amero | a66fc94 | 2019-09-03 13:45:34 +0100 | [diff] [blame] | 2724 | * Fix memory leak in in mpi_miller_rabin(). Contributed by |
| 2725 | Jens Wiklander <jens.wiklander@linaro.org> in #2363 |
Andy Gross | 1f62714 | 2019-01-30 10:25:53 -0600 | [diff] [blame] | 2726 | * Improve code clarity in x509_crt module, removing false-positive |
| 2727 | uninitialized variable warnings on some recent toolchains (GCC8, etc). |
| 2728 | Discovered and fixed by Andy Gross (Linaro), #2392. |
Jaeden Amero | aeb5a4a | 2019-09-05 14:43:14 +0100 | [diff] [blame] | 2729 | * Fix bug in endianness conversion in bignum module. This lead to |
| 2730 | functionally incorrect code on bigendian systems which don't have |
| 2731 | __BYTE_ORDER__ defined. Reported by Brendan Shanks. Fixes #2622. |
Jaeden Amero | 4e0db56 | 2019-08-27 11:18:28 +0100 | [diff] [blame] | 2732 | |
Jaeden Amero | d5d01a0 | 2019-03-26 14:50:06 +0000 | [diff] [blame] | 2733 | Changes |
Hanno Becker | 136512b | 2019-05-30 11:16:02 +0100 | [diff] [blame] | 2734 | * Replace multiple uses of MD2 by SHA-256 in X.509 test suite. Fixes #821. |
Gilles Peskine | c7ad122 | 2019-06-13 16:44:19 +0200 | [diff] [blame] | 2735 | * Make it easier to define MBEDTLS_PARAM_FAILED as assert (which config.h |
| 2736 | suggests). #2671 |
Jaeden Amero | befe1e15 | 2019-06-03 09:14:14 +0100 | [diff] [blame] | 2737 | * Make `make clean` clean all programs always. Fixes #1862. |
Peter Kolbus | e4e2d3a | 2018-12-24 09:04:54 -0600 | [diff] [blame] | 2738 | * Add a Dockerfile and helper scripts (all-in-docker.sh, basic-in-docker.sh, |
| 2739 | docker-env.sh) to simplify running test suites on a Linux host. Contributed |
| 2740 | by Peter Kolbus (Garmin). |
Jaeden Amero | f473fa8 | 2019-07-09 13:41:54 +0100 | [diff] [blame] | 2741 | * Add `reproducible` option to `ssl_client2` and `ssl_server2` to enable |
| 2742 | test runs without variability. Contributed by Philippe Antoine (Catena |
| 2743 | cyber) in #2681. |
| 2744 | * Extended .gitignore to ignore Visual Studio artifacts. Fixed by ConfusedSushi. |
Philippe Antoine | 801194b | 2019-06-04 14:17:41 +0200 | [diff] [blame] | 2745 | * Adds fuzz targets, especially for continuous fuzzing with OSS-Fuzz. |
| 2746 | Contributed by Philippe Antoine (Catena cyber). |
Gilles Peskine | 2f084fe | 2020-03-02 21:48:03 +0100 | [diff] [blame] | 2747 | * Remove the crypto part of the library from Mbed TLS. The crypto |
| 2748 | code and tests are now only available via Mbed Crypto, which |
| 2749 | Mbed TLS references as a Git submodule. |
Jaeden Amero | d5d01a0 | 2019-03-26 14:50:06 +0000 | [diff] [blame] | 2750 | |
Jaeden Amero | 3aeb13e | 2019-06-18 17:27:20 +0100 | [diff] [blame] | 2751 | = mbed TLS 2.18.1 branch released 2019-07-12 |
| 2752 | |
Jaeden Amero | ded319d | 2019-05-30 13:18:24 +0100 | [diff] [blame] | 2753 | Bugfix |
| 2754 | * Fix build failure when building with mingw on Windows by including |
| 2755 | stdarg.h where needed. Fixes #2656. |
| 2756 | |
Jaeden Amero | 3aeb13e | 2019-06-18 17:27:20 +0100 | [diff] [blame] | 2757 | Changes |
| 2758 | * Enable building of Mbed TLS as a CMake subproject. Suggested and fixed by |
| 2759 | Ashley Duncan in #2609. |
| 2760 | |
Jaeden Amero | b1c72f5 | 2019-06-11 17:18:09 +0100 | [diff] [blame] | 2761 | = mbed TLS 2.18.0 branch released 2019-06-11 |
Andrzej Kurek | c470b6b | 2019-01-31 08:20:20 -0500 | [diff] [blame] | 2762 | |
Hanno Becker | ac4172c | 2019-01-31 09:27:04 +0000 | [diff] [blame] | 2763 | Features |
| 2764 | * Add the Any Policy certificate policy oid, as defined in |
| 2765 | rfc 5280 section 4.2.1.4. |
| 2766 | * It is now possible to use NIST key wrap mode via the mbedtls_cipher API. |
| 2767 | Contributed by Jack Lloyd and Fortanix Inc. |
Andres Amaya Garcia | ce04951 | 2019-02-20 10:00:03 +0000 | [diff] [blame] | 2768 | * Add the Wi-SUN Field Area Network (FAN) device extended key usage. |
| 2769 | * Add the oid certificate policy x509 extension. |
Andres Amaya Garcia | 4a51228 | 2018-10-30 18:21:41 +0000 | [diff] [blame] | 2770 | * It is now possible to perform RSA PKCS v1.5 signatures with RIPEMD-160 digest. |
Andres Amaya Garcia | 22a8905 | 2018-11-26 20:57:49 +0000 | [diff] [blame] | 2771 | Contributed by Jack Lloyd and Fortanix Inc. |
| 2772 | * Extend the MBEDTLS_SSL_EXPORT_KEYS to export the handshake randbytes, |
Hanno Becker | ac4172c | 2019-01-31 09:27:04 +0000 | [diff] [blame] | 2773 | and the used tls-prf. |
| 2774 | * Add public API for tls-prf function, according to requested enum. |
| 2775 | * Add support for parsing otherName entries in the Subject Alternative Name |
| 2776 | X.509 certificate extension, specifically type hardware module name, |
Hanno Becker | e31505d | 2019-02-07 13:42:45 +0000 | [diff] [blame] | 2777 | as defined in RFC 4108 section 5. |
| 2778 | * Add support for parsing certificate policies extension, as defined in |
| 2779 | RFC 5280 section 4.2.1.4. Currently, only the "Any Policy" policy is |
| 2780 | supported. |
| 2781 | * List all SAN types in the subject_alt_names field of the certificate. |
| 2782 | Resolves #459. |
| 2783 | * Add support for draft-05 of the Connection ID extension, as specified |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2784 | in https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05. |
| 2785 | The Connection ID extension allows to keep DTLS connections beyond the |
Paul Bakker | 99ed678 | 2011-01-05 14:48:42 +0000 | [diff] [blame] | 2786 | lifetime of the underlying transport by adding a connection identifier |
| 2787 | to the DTLS record header. This identifier can be used to associated an |
Andrzej Kurek | c470b6b | 2019-01-31 08:20:20 -0500 | [diff] [blame] | 2788 | incoming record with the correct connection data even after the peer has |
| 2789 | changed its IP or port. The feature is enabled at compile-time by setting |
Hanno Becker | ac4172c | 2019-01-31 09:27:04 +0000 | [diff] [blame] | 2790 | MBEDTLS_SSL_DTLS_CONNECTION_ID (disabled by default), and at run-time |
| 2791 | through the new APIs mbedtls_ssl_conf_cid() and mbedtls_ssl_set_cid(). |
| 2792 | |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2793 | |
Jaeden Amero | 4e0db56 | 2019-08-27 11:18:28 +0100 | [diff] [blame] | 2794 | API Changes |
| 2795 | * Extend the MBEDTLS_SSL_EXPORT_KEYS to export the handshake randbytes, |
| 2796 | and the used tls-prf. |
| 2797 | * Add public API for tls-prf function, according to requested enum. |
| 2798 | |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2799 | Bugfix |
| 2800 | * Fix private key DER output in the key_app_writer example. File contents |
| 2801 | were shifted by one byte, creating an invalid ASN.1 tag. Fixed by |
| 2802 | Christian Walther in #2239. |
| 2803 | * Fix potential memory leak in X.509 self test. Found and fixed by |
| 2804 | Junhwan Park, #2106. |
| 2805 | * Reduce stack usage of hkdf tests. Fixes #2195. |
| 2806 | * Fix 1-byte buffer overflow in mbedtls_mpi_write_string() when |
| 2807 | used with negative inputs. Found by Guido Vranken in #2404. Credit to |
| 2808 | OSS-Fuzz. |
| 2809 | * Fix bugs in the AEAD test suite which would be exposed by ciphers which |
| 2810 | either used both encrypt and decrypt key schedules, or which perform padding. |
| 2811 | GCM and CCM were not affected. Fixed by Jack Lloyd. |
| 2812 | * Fix incorrect default port number in ssl_mail_client example's usage. |
| 2813 | Found and fixed by irwir. #2337 |
| 2814 | * Add psa_util.h to test/cpp_dummy_build to fix build_default_make_gcc_and_cxx. |
| 2815 | Fixed by Peter Kolbus (Garmin). #2579 |
| 2816 | * Add missing parentheses around parameters in the definition of the |
Paul Bakker | 99ed678 | 2011-01-05 14:48:42 +0000 | [diff] [blame] | 2817 | public macro MBEDTLS_X509_ID_FLAG. This could lead to invalid evaluation |
| 2818 | in case operators binding less strongly than subtraction were used |
Andrzej Kurek | c470b6b | 2019-01-31 08:20:20 -0500 | [diff] [blame] | 2819 | for the parameter. |
| 2820 | * Add a check for MBEDTLS_X509_CRL_PARSE_C in ssl_server2, guarding the crl |
Hanno Becker | ac4172c | 2019-01-31 09:27:04 +0000 | [diff] [blame] | 2821 | sni entry parameter. Reported by inestlerode in #560. |
| 2822 | * Set the next sequence of the subject_alt_name to NULL when deleting |
| 2823 | sequence on failure. Found and fix suggested by Philippe Antoine. |
| 2824 | Credit to OSS-Fuzz. |
| 2825 | |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2826 | Changes |
| 2827 | * Server's RSA certificate in certs.c was SHA-1 signed. In the default |
| 2828 | mbedTLS configuration only SHA-2 signed certificates are accepted. |
| 2829 | This certificate is used in the demo server programs, which lead the |
| 2830 | client programs to fail at the peer's certificate verification |
| 2831 | due to an unacceptable hash signature. The certificate has been |
| 2832 | updated to one that is SHA-256 signed. Fix contributed by |
| 2833 | Illya Gerasymchuk. |
| 2834 | * Return from various debugging routines immediately if the |
| 2835 | provided SSL context is unset. |
| 2836 | * Remove dead code from bignum.c in the default configuration. |
| 2837 | Found by Coverity, reported and fixed by Peter Kolbus (Garmin). Fixes #2309. |
| 2838 | * Add test for minimal value of MBEDTLS_MPI_WINDOW_SIZE to all.sh. |
| 2839 | Contributed by Peter Kolbus (Garmin). |
| 2840 | * Change wording in the `mbedtls_ssl_conf_max_frag_len()`'s documentation to |
| 2841 | improve clarity. Fixes #2258. |
| 2842 | |
| 2843 | = mbed TLS 2.17.0 branch released 2019-03-19 |
Paul Bakker | 99ed678 | 2011-01-05 14:48:42 +0000 | [diff] [blame] | 2844 | |
| 2845 | Features |
Andrzej Kurek | c470b6b | 2019-01-31 08:20:20 -0500 | [diff] [blame] | 2846 | * Add a new X.509 API call `mbedtls_x509_parse_der_nocopy()` |
| 2847 | which allows copy-less parsing of DER encoded X.509 CRTs, |
Hanno Becker | ac4172c | 2019-01-31 09:27:04 +0000 | [diff] [blame] | 2848 | at the cost of additional lifetime constraints on the input |
| 2849 | buffer, but at the benefit of reduced RAM consumption. |
| 2850 | * Add a new function mbedtls_asn1_write_named_bitstring() to write ASN.1 |
| 2851 | named bitstring in DER as required by RFC 5280 Appendix B. |
| 2852 | * Add MBEDTLS_REMOVE_3DES_CIPHERSUITES to allow removing 3DES ciphersuites |
| 2853 | from the default list (enabled by default). See |
| 2854 | https://sweet32.info/SWEET32_CCS16.pdf. |
| 2855 | |
| 2856 | API Changes |
| 2857 | * Add a new X.509 API call `mbedtls_x509_parse_der_nocopy()`. |
Andrzej Kurek | c470b6b | 2019-01-31 08:20:20 -0500 | [diff] [blame] | 2858 | See the Features section for more information. |
| 2859 | * Allow to opt in to the removal the API mbedtls_ssl_get_peer_cert() |
| 2860 | for the benefit of saving RAM, by disabling the new compile-time |
| 2861 | option MBEDTLS_SSL_KEEP_PEER_CERTIFICATE (enabled by default for |
| 2862 | API stability). Disabling this option makes mbedtls_ssl_get_peer_cert() |
| 2863 | always return NULL, and removes the peer_cert field from the |
| 2864 | mbedtls_ssl_session structure which otherwise stores the peer's |
Gilles Peskine | ccf8ba0 | 2018-11-07 22:39:16 +0100 | [diff] [blame] | 2865 | certificate. |
| 2866 | |
| 2867 | Security |
| 2868 | * Make mbedtls_ecdh_get_params return an error if the second key |
| 2869 | belongs to a different group from the first. Before, if an application |
| 2870 | passed keys that belonged to different group, the first key's data was |
| 2871 | interpreted according to the second group, which could lead to either |
| 2872 | an error or a meaningless output from mbedtls_ecdh_get_params. In the |
Andrzej Kurek | c470b6b | 2019-01-31 08:20:20 -0500 | [diff] [blame] | 2873 | latter case, this could expose at most 5 bits of the private key. |
| 2874 | |
| 2875 | Bugfix |
| 2876 | * Fix a compilation issue with mbedtls_ecp_restart_ctx not being defined |
| 2877 | when MBEDTLS_ECP_ALT is defined. Reported by jwhui. Fixes #2242. |
| 2878 | * Run the AD too long test only if MBEDTLS_CCM_ALT is not defined. |
| 2879 | Raised as a comment in #1996. |
| 2880 | * Reduce the stack consumption of mbedtls_mpi_fill_random() which could |
| 2881 | previously lead to a stack overflow on constrained targets. |
| 2882 | * Add `MBEDTLS_SELF_TEST` for the mbedtls_self_test functions |
| 2883 | in the header files, which missed the precompilation check. #971 |
| 2884 | * Fix returning the value 1 when mbedtls_ecdsa_genkey failed. |
| 2885 | * Remove a duplicate #include in a sample program. Fixed by Masashi Honma #2326. |
Hanno Becker | 1b6d2b2 | 2019-01-10 09:22:16 +0000 | [diff] [blame] | 2886 | * Remove the mbedtls namespacing from the header file, to fix a "file not found" |
| 2887 | build error. Fixed by Haijun Gu #2319. |
Ron Eldor | 8a6917d | 2018-11-27 10:33:38 +0200 | [diff] [blame] | 2888 | * Fix signed-to-unsigned integer conversion warning |
| 2889 | in X.509 module. Fixes #2212. |
Peter Kolbus | 995d5c1 | 2019-02-03 08:41:41 -0600 | [diff] [blame] | 2890 | * Reduce stack usage of `mpi_write_hlp()` by eliminating recursion. |
| 2891 | Fixes #2190. |
Andres Amaya Garcia | d588ff7 | 2018-09-26 10:59:20 +0100 | [diff] [blame] | 2892 | * Fix false failure in all.sh when backup files exist in include/mbedtls |
| 2893 | (e.g. config.h.bak). Fixed by Peter Kolbus (Garmin) #2407. |
| 2894 | * Ensure that unused bits are zero when writing ASN.1 bitstrings when using |
| 2895 | mbedtls_asn1_write_bitstring(). |
| 2896 | * Fix issue when writing the named bitstrings in KeyUsage and NsCertType |
| 2897 | extensions in CSRs and CRTs that caused these bitstrings to not be encoded |
Simon Butcher | 41f9519 | 2018-12-01 18:42:47 +0000 | [diff] [blame] | 2898 | correctly as trailing zeroes were not accounted for as unused bits in the |
| 2899 | leading content octet. Fixes #1610. |
Hanno Becker | bd9d51d | 2019-01-30 15:14:21 +0000 | [diff] [blame] | 2900 | |
| 2901 | Changes |
Andrzej Kurek | c470b6b | 2019-01-31 08:20:20 -0500 | [diff] [blame] | 2902 | * Reduce RAM consumption during session renegotiation by not storing |
| 2903 | the peer CRT chain and session ticket twice. |
| 2904 | * Include configuration file in all header files that use configuration, |
| 2905 | instead of relying on other header files that they include. |
| 2906 | Inserted as an enhancement for #1371 |
Andrzej Kurek | 8764ccc | 2019-02-05 04:57:13 -0500 | [diff] [blame] | 2907 | * Add support for alternative CSR headers, as used by Microsoft and defined |
| 2908 | in RFC 7468. Found by Michael Ernst. Fixes #767. |
| 2909 | * Correct many misspellings. Fixed by MisterDA #2371. |
| 2910 | * Provide an abstraction of vsnprintf to allow alternative implementations |
| 2911 | for platforms that don't provide it. Based on contributions by Joris Aerts |
| 2912 | and Nathaniel Wesley Filardo. |
| 2913 | * Fix clobber list in MIPS assembly for large integer multiplication. |
| 2914 | Previously, this could lead to functionally incorrect assembly being |
| 2915 | produced by some optimizing compilers, showing up as failures in |
k-stachowiak | c5a4a13 | 2019-02-05 09:11:58 +0100 | [diff] [blame] | 2916 | e.g. RSA or ECC signature operations. Reported in #1722, fix suggested |
| 2917 | by Aurelien Jarno and submitted by Jeffrey Martin. |
Andres Amaya Garcia | aabe52f | 2018-10-16 22:18:53 +0100 | [diff] [blame] | 2918 | * Reduce the complexity of the timing tests. They were assuming more than the |
| 2919 | underlying OS actually guarantees. |
k-stachowiak | cddbd01 | 2019-02-19 12:40:34 +0100 | [diff] [blame] | 2920 | * Fix configuration queries in ssl-opt.h. #2030 |
| 2921 | * Ensure that ssl-opt.h can be run in OS X. #2029 |
Andres Amaya Garcia | f8dffb3 | 2019-02-19 20:14:00 +0000 | [diff] [blame] | 2922 | * Re-enable certain interoperability tests in ssl-opt.sh which had previously |
| 2923 | been disabled for lack of a sufficiently recent version of GnuTLS on the CI. |
Andrzej Kurek | c470b6b | 2019-01-31 08:20:20 -0500 | [diff] [blame] | 2924 | * Ciphersuites based on 3DES now have the lowest priority by default when |
| 2925 | they are enabled. |
| 2926 | |
| 2927 | = mbed TLS 2.16.0 branch released 2018-12-21 |
| 2928 | |
| 2929 | Features |
| 2930 | * Add a new config.h option of MBEDTLS_CHECK_PARAMS that enables validation |
| 2931 | of parameters in the API. This allows detection of obvious misuses of the |
| 2932 | API, such as passing NULL pointers. The API of existing functions hasn't |
| 2933 | changed, but requirements on parameters have been made more explicit in |
| 2934 | the documentation. See the corresponding API documentation for each |
| 2935 | function to see for which parameter values it is defined. This feature is |
| 2936 | disabled by default. See its API documentation in config.h for additional |
| 2937 | steps you have to take when enabling it. |
| 2938 | |
| 2939 | API Changes |
| 2940 | * The following functions in the random generator modules have been |
| 2941 | deprecated and replaced as shown below. The new functions change |
| 2942 | the return type from void to int to allow returning error codes when |
| 2943 | using MBEDTLS_<MODULE>_ALT for the underlying AES or message digest |
| 2944 | primitive. Fixes #1798. |
| 2945 | mbedtls_ctr_drbg_update() -> mbedtls_ctr_drbg_update_ret() |
| 2946 | mbedtls_hmac_drbg_update() -> mbedtls_hmac_drbg_update_ret() |
| 2947 | * Extend ECDH interface to enable alternative implementations. |
| 2948 | * Deprecate error codes of the form MBEDTLS_ERR_xxx_INVALID_KEY_LENGTH for |
| 2949 | ARIA, CAMELLIA and Blowfish. These error codes will be replaced by |
| 2950 | the more generic per-module error codes MBEDTLS_ERR_xxx_BAD_INPUT_DATA. |
| 2951 | * Additional parameter validation checks have been added for the following |
| 2952 | modules - AES, ARIA, Blowfish, CAMELLIA, CCM, GCM, DHM, ECP, ECDSA, ECDH, |
| 2953 | ECJPAKE, SHA, Chacha20 and Poly1305, cipher, pk, RSA, and MPI. |
| 2954 | Where modules have had parameter validation added, existing parameter |
| 2955 | checks may have changed. Some modules, such as Chacha20 had existing |
| 2956 | parameter validation whereas other modules had little. This has now been |
| 2957 | changed so that the same level of validation is present in all modules, and |
| 2958 | that it is now optional with the MBEDTLS_CHECK_PARAMS flag which by default |
| 2959 | is off. That means that checks which were previously present by default |
| 2960 | will no longer be. |
| 2961 | |
| 2962 | New deprecations |
| 2963 | * Deprecate mbedtls_ctr_drbg_update and mbedtls_hmac_drbg_update |
| 2964 | in favor of functions that can return an error code. |
| 2965 | |
| 2966 | Bugfix |
| 2967 | * Fix for Clang, which was reporting a warning for the bignum.c inline |
| 2968 | assembly for AMD64 targets creating string literals greater than those |
| 2969 | permitted by the ISO C99 standard. Found by Aaron Jones. Fixes #482. |
| 2970 | * Fix runtime error in `mbedtls_platform_entropy_poll()` when run |
| 2971 | through qemu user emulation. Reported and fix suggested by randombit |
| 2972 | in #1212. Fixes #1212. |
| 2973 | * Fix an unsafe bounds check when restoring an SSL session from a ticket. |
| 2974 | This could lead to a buffer overflow, but only in case ticket authentication |
| 2975 | was broken. Reported and fix suggested by Guido Vranken in #659. |
| 2976 | * Add explicit integer to enumeration type casts to example program |
| 2977 | programs/pkey/gen_key which previously led to compilation failure |
| 2978 | on some toolchains. Reported by phoenixmcallister. Fixes #2170. |
| 2979 | * Fix double initialization of ECC hardware that made some accelerators |
| 2980 | hang. |
| 2981 | * Clarify documentation of mbedtls_ssl_set_own_cert() regarding the absence |
Andrzej Kurek | 8764ccc | 2019-02-05 04:57:13 -0500 | [diff] [blame] | 2982 | of check for certificate/key matching. Reported by Attila Molnar, #507. |
| 2983 | |
| 2984 | = mbed TLS 2.15.1 branch released 2018-11-30 |
| 2985 | |
| 2986 | Changes |
| 2987 | * Update the Mbed Crypto submodule to version 0.1.0b2. |
| 2988 | |
| 2989 | = mbed TLS 2.15.0 branch released 2018-11-23 |
| 2990 | |
| 2991 | Features |
| 2992 | * Add an experimental build option, USE_CRYPTO_SUBMODULE, to enable use of |
| 2993 | Mbed Crypto as the source of the cryptography implementation. |
| 2994 | * Add an experimental configuration option, MBEDTLS_PSA_CRYPTO_C, to enable |
| 2995 | the PSA Crypto API from Mbed Crypto when additionally used with the |
| 2996 | USE_CRYPTO_SUBMODULE build option. |
| 2997 | |
| 2998 | Changes |
| 2999 | * Add unit tests for AES-GCM when called through mbedtls_cipher_auth_xxx() |
Andrzej Kurek | c470b6b | 2019-01-31 08:20:20 -0500 | [diff] [blame] | 3000 | from the cipher abstraction layer. Fixes #2198. |
| 3001 | |
| 3002 | = mbed TLS 2.14.1 branch released 2018-11-30 |
| 3003 | |
| 3004 | Security |
| 3005 | * Fix timing variations and memory access variations in RSA PKCS#1 v1.5 |
| 3006 | decryption that could lead to a Bleichenbacher-style padding oracle |
| 3007 | attack. In TLS, this affects servers that accept ciphersuites based on |
| 3008 | RSA decryption (i.e. ciphersuites whose name contains RSA but not |
| 3009 | (EC)DH(E)). Discovered by Eyal Ronen (Weizmann Institute), Robert Gillham |
| 3010 | (University of Adelaide), Daniel Genkin (University of Michigan), |
| 3011 | Adi Shamir (Weizmann Institute), David Wong (NCC Group), and Yuval Yarom |
| 3012 | (University of Adelaide, Data61). The attack is described in more detail |
| 3013 | in the paper available here: http://cat.eyalro.net/cat.pdf CVE-2018-19608 |
| 3014 | * In mbedtls_mpi_write_binary(), don't leak the exact size of the number |
| 3015 | via branching and memory access patterns. An attacker who could submit |
| 3016 | a plaintext for RSA PKCS#1 v1.5 decryption but only observe the timing |
| 3017 | of the decryption and not its result could nonetheless decrypt RSA |
| 3018 | plaintexts and forge RSA signatures. Other asymmetric algorithms may |
| 3019 | have been similarly vulnerable. Reported by Eyal Ronen, Robert Gillham, |
| 3020 | Daniel Genkin, Adi Shamir, David Wong and Yuval Yarom. |
| 3021 | * Wipe sensitive buffers on the stack in the CTR_DRBG and HMAC_DRBG |
| 3022 | modules. |
| 3023 | |
| 3024 | API Changes |
| 3025 | * The new functions mbedtls_ctr_drbg_update_ret() and |
| 3026 | mbedtls_hmac_drbg_update_ret() are similar to mbedtls_ctr_drbg_update() |
| 3027 | and mbedtls_hmac_drbg_update() respectively, but the new functions |
Andrzej Kurek | c470b6b | 2019-01-31 08:20:20 -0500 | [diff] [blame] | 3028 | report errors whereas the old functions return void. We recommend that |
Simon Butcher | c1b9892 | 2018-11-19 18:31:40 +0000 | [diff] [blame] | 3029 | applications use the new functions. |
Manuel Pégourié-Gonnard | 171a481 | 2017-05-15 17:23:37 +0200 | [diff] [blame] | 3030 | |
Hanno Becker | d3445da | 2018-11-02 09:36:45 +0000 | [diff] [blame] | 3031 | = mbed TLS 2.14.0 branch released 2018-11-19 |
Simon Butcher | 681edee | 2018-11-07 16:25:38 +0000 | [diff] [blame] | 3032 | |
Simon Butcher | b35e59d | 2018-11-19 15:49:26 +0000 | [diff] [blame] | 3033 | Security |
Simon Butcher | 681edee | 2018-11-07 16:25:38 +0000 | [diff] [blame] | 3034 | * Fix overly strict DN comparison when looking for CRLs belonging to a |
| 3035 | particular CA. This previously led to ignoring CRLs when the CRL's issuer |
| 3036 | name and the CA's subject name differed in their string encoding (e.g., |
| 3037 | one using PrintableString and the other UTF8String) or in the choice of |
Hanno Becker | dc71ef8 | 2018-10-08 13:51:38 +0100 | [diff] [blame] | 3038 | upper and lower case. Reported by Henrik Andersson of Bosch GmbH in issue |
Simon Butcher | b35e59d | 2018-11-19 15:49:26 +0000 | [diff] [blame] | 3039 | #1784. |
Hanno Becker | dc71ef8 | 2018-10-08 13:51:38 +0100 | [diff] [blame] | 3040 | * Fix a flawed bounds check in server PSK hint parsing. In case the |
Simon Butcher | b35e59d | 2018-11-19 15:49:26 +0000 | [diff] [blame] | 3041 | incoming message buffer was placed within the first 64KiB of address |
| 3042 | space and a PSK-(EC)DHE ciphersuite was used, this allowed an attacker |
Janos Follath | e0e7ddf | 2018-09-06 10:40:04 +0100 | [diff] [blame] | 3043 | to trigger a memory access up to 64KiB beyond the incoming message buffer, |
| 3044 | potentially leading to an application crash or information disclosure. |
| 3045 | * Fix mbedtls_mpi_is_prime() to use more rounds of probabilistic testing. The |
| 3046 | previous settings for the number of rounds made it practical for an |
Simon Butcher | 681edee | 2018-11-07 16:25:38 +0000 | [diff] [blame] | 3047 | adversary to construct non-primes that would be erroneously accepted as |
| 3048 | primes with high probability. This does not have an impact on the |
Janos Follath | e0e7ddf | 2018-09-06 10:40:04 +0100 | [diff] [blame] | 3049 | security of TLS, but can matter in other contexts with numbers chosen |
| 3050 | potentially by an adversary that should be prime and can be validated. |
| 3051 | For example, the number of rounds was enough to securely generate RSA key |
| 3052 | pairs or Diffie-Hellman parameters, but was insufficient to validate |
| 3053 | Diffie-Hellman parameters properly. |
Hanno Becker | d3445da | 2018-11-02 09:36:45 +0000 | [diff] [blame] | 3054 | See "Prime and Prejudice" by by Martin R. Albrecht and Jake Massimo and |
Manuel Pégourié-Gonnard | 171a481 | 2017-05-15 17:23:37 +0200 | [diff] [blame] | 3055 | Kenneth G. Paterson and Juraj Somorovsky. |
Manuel Pégourié-Gonnard | f0bbd7e | 2018-10-15 13:22:41 +0200 | [diff] [blame] | 3056 | |
Simon Butcher | b35e59d | 2018-11-19 15:49:26 +0000 | [diff] [blame] | 3057 | Features |
| 3058 | * Add support for temporarily suspending expensive ECC computations after |
| 3059 | some configurable amount of operations. This is intended to be used in |
| 3060 | constrained, single-threaded systems where ECC is time consuming and can |
| 3061 | block other operations until they complete. This is disabled by default, |
Manuel Pégourié-Gonnard | f0bbd7e | 2018-10-15 13:22:41 +0200 | [diff] [blame] | 3062 | but can be enabled by MBEDTLS_ECP_RESTARTABLE at compile time and |
| 3063 | configured by mbedtls_ecp_set_max_ops() at runtime. It applies to the new |
| 3064 | xxx_restartable functions in ECP, ECDSA, PK and X.509 (CRL not supported |
| 3065 | yet), and to existing functions in ECDH and SSL (currently only |
Simon Butcher | 4a865ef | 2018-10-28 18:00:51 +0000 | [diff] [blame] | 3066 | implemented client-side, for ECDHE-ECDSA ciphersuites in TLS 1.2, |
| 3067 | including client authentication). |
| 3068 | * Add support for Arm CPU DSP extensions to accelerate asymmetric key |
| 3069 | operations. On CPUs where the extensions are available, they can accelerate |
Simon Butcher | b35e59d | 2018-11-19 15:49:26 +0000 | [diff] [blame] | 3070 | MPI multiplications used in ECC and RSA cryptography. Contributed by |
| 3071 | Aurelien Jarno. |
| 3072 | * Extend RSASSA-PSS signature to allow a smaller salt size. Previously, PSS |
| 3073 | signature always used a salt with the same length as the hash, and returned |
| 3074 | an error if this was not possible. Now the salt size may be up to two bytes |
Simon Butcher | 06d80cf | 2018-11-06 23:46:04 +0000 | [diff] [blame] | 3075 | shorter. This allows the library to support all hash and signature sizes |
| 3076 | that comply with FIPS 186-4, including SHA-512 with a 1024-bit key. |
Manuel Pégourié-Gonnard | 823c915 | 2018-07-02 12:05:49 +0200 | [diff] [blame] | 3077 | * Add support for 128-bit keys in CTR_DRBG. Note that using keys shorter |
Simon Butcher | e51d4b3 | 2018-11-09 19:57:53 +0000 | [diff] [blame] | 3078 | than 256 bits limits the security of generated material to 128 bits. |
Simon Butcher | 2ab14bb | 2018-11-09 20:09:33 +0000 | [diff] [blame] | 3079 | |
| 3080 | API Changes |
| 3081 | * Add a common error code of `MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED` for |
| 3082 | a feature that is not supported by underlying alternative |
Simon Butcher | e51d4b3 | 2018-11-09 19:57:53 +0000 | [diff] [blame] | 3083 | implementations implementing cryptographic primitives. This is useful for |
Ron Eldor | 6aa9fb4 | 2018-10-04 14:32:05 +0300 | [diff] [blame] | 3084 | hardware accelerators that don't implement all options or features. |
Simon Butcher | 2ab14bb | 2018-11-09 20:09:33 +0000 | [diff] [blame] | 3085 | |
| 3086 | New deprecations |
| 3087 | * All module specific errors following the form |
| 3088 | MBEDTLS_ERR_XXX_FEATURE_UNAVAILABLE that indicate a feature is not |
Simon Butcher | 681edee | 2018-11-07 16:25:38 +0000 | [diff] [blame] | 3089 | supported are deprecated and are now replaced by the new equivalent |
Simon Butcher | 2ab14bb | 2018-11-09 20:09:33 +0000 | [diff] [blame] | 3090 | platform error. |
| 3091 | * All module specific generic hardware acceleration errors following the |
Janos Follath | e0e7ddf | 2018-09-06 10:40:04 +0100 | [diff] [blame] | 3092 | form MBEDTLS_ERR_XXX_HW_ACCEL_FAILED that are deprecated and are replaced |
| 3093 | by the equivalent plaform error. |
| 3094 | * Deprecate the function mbedtls_mpi_is_prime() in favor of |
Ron Eldor | 6aa9fb4 | 2018-10-04 14:32:05 +0300 | [diff] [blame] | 3095 | mbedtls_mpi_is_prime_ext() which allows specifying the number of |
Simon Butcher | b363382 | 2018-07-30 22:10:48 +0100 | [diff] [blame] | 3096 | Miller-Rabin rounds. |
Simon Butcher | 2b5be1e | 2018-10-30 15:55:10 +0000 | [diff] [blame] | 3097 | |
| 3098 | Bugfix |
| 3099 | * Fix wrong order of freeing in programs/ssl/ssl_server2 example |
| 3100 | application leading to a memory leak in case both |
Simon Butcher | c86993e | 2018-09-27 09:48:54 +0100 | [diff] [blame] | 3101 | MBEDTLS_MEMORY_BUFFER_ALLOC_C and MBEDTLS_MEMORY_BACKTRACE are set. |
| 3102 | Fixes #2069. |
Simon Butcher | 1afc767 | 2018-09-27 11:35:19 +0100 | [diff] [blame] | 3103 | * Fix a bug in the update function for SSL ticket keys which previously |
| 3104 | invalidated keys of a lifetime of less than a 1s. Fixes #1968. |
Hanno Becker | f24c336 | 2018-10-17 14:53:05 +0100 | [diff] [blame] | 3105 | * Fix failure in hmac_drbg in the benchmark sample application, when |
| 3106 | MBEDTLS_THREADING_C is defined. Found by TrinityTonic, #1095 |
| 3107 | * Fix a bug in the record decryption routine ssl_decrypt_buf() |
Hanno Becker | 617a321 | 2018-10-05 09:51:36 +0100 | [diff] [blame] | 3108 | which lead to accepting properly authenticated but improperly |
| 3109 | padded records in case of CBC ciphersuites using Encrypt-then-MAC. |
Simon Butcher | 681edee | 2018-11-07 16:25:38 +0000 | [diff] [blame] | 3110 | * Fix memory leak and freeing without initialization in the example |
| 3111 | program programs/x509/cert_write. Fixes #1422. |
Hanno Becker | 7e1f3be | 2018-10-15 13:20:28 +0100 | [diff] [blame] | 3112 | * Ignore IV in mbedtls_cipher_set_iv() when the cipher mode is |
| 3113 | MBEDTLS_MODE_ECB. Found by ezdevelop. Fixes #1091. |
| 3114 | * Zeroize memory used for buffering or reassembling handshake messages |
| 3115 | after use. |
Hanno Becker | f143a78 | 2018-11-06 17:43:16 +0000 | [diff] [blame] | 3116 | * Use `mbedtls_platform_zeroize()` instead of `memset()` for zeroization |
| 3117 | of sensitive data in the example programs aescrypt2 and crypt_and_hash. |
| 3118 | * Change the default string format used for various X.509 DN attributes to |
Simon Butcher | 681edee | 2018-11-07 16:25:38 +0000 | [diff] [blame] | 3119 | UTF8String. Previously, the use of the PrintableString format led to |
| 3120 | wildcards and non-ASCII characters being unusable in some DN attributes. |
Hanno Becker | e4f965d | 2018-10-11 10:54:45 +0100 | [diff] [blame] | 3121 | Reported by raprepo in #1860 and by kevinpt in #468. Fix contributed by |
| 3122 | Thomas-Dee. |
| 3123 | * Fix compilation failure for configurations which use compile time |
| 3124 | replacements of standard calloc/free functions through the macros |
Simon Butcher | c86993e | 2018-09-27 09:48:54 +0100 | [diff] [blame] | 3125 | MBEDTLS_PLATFORM_CALLOC_MACRO and MBEDTLS_PLATFORM_FREE_MACRO. |
| 3126 | Reported by ole-de and ddhome2006. Fixes #882, #1642 and #1706. |
Simon Butcher | c0514bf | 2018-09-26 18:07:18 +0100 | [diff] [blame] | 3127 | |
Simon Butcher | c86993e | 2018-09-27 09:48:54 +0100 | [diff] [blame] | 3128 | Changes |
Gilles Peskine | 604ccc6 | 2018-07-10 15:55:52 +0200 | [diff] [blame] | 3129 | * Removed support for Yotta as a build tool. |
| 3130 | * Add tests for session resumption in DTLS. |
| 3131 | * Close a test gap in (D)TLS between the client side and the server side: |
Simon Butcher | ddc9e26 | 2018-10-27 18:27:41 +0100 | [diff] [blame] | 3132 | test the handling of large packets and small packets on the client side |
| 3133 | in the same way as on the server side. |
Simon Butcher | 404aa65 | 2018-10-01 14:44:22 +0100 | [diff] [blame] | 3134 | * Change the dtls_client and dtls_server samples to work by default over |
| 3135 | IPv6 and optionally by a build option over IPv4. |
| 3136 | * Change the use of Windows threading to use Microsoft Visual C++ runtime |
Simon Butcher | 681edee | 2018-11-07 16:25:38 +0000 | [diff] [blame] | 3137 | calls, rather than Win32 API calls directly. This is necessary to avoid |
| 3138 | conflict with C runtime usage. Found and fixed by irwir. |
| 3139 | * Remember the string format of X.509 DN attributes when replicating |
| 3140 | X.509 DNs. Previously, DN attributes were always written in their default |
| 3141 | string format (mostly PrintableString), which could lead to CRTs being |
| 3142 | created which used PrintableStrings in the issuer field even though the |
| 3143 | signing CA used UTF8Strings in its subject field; while X.509 compliant, |
| 3144 | such CRTs were rejected in some applications, e.g. some versions of |
Hanno Becker | 0bb204c | 2018-10-30 10:08:33 +0000 | [diff] [blame] | 3145 | Firefox, curl and GnuTLS. Reported in #1033 by Moschn. Fix contributed by |
| 3146 | Thomas-Dee. |
Janos Follath | 3332937 | 2018-09-06 10:41:33 +0100 | [diff] [blame] | 3147 | * Improve documentation of mbedtls_ssl_get_verify_result(). |
| 3148 | Fixes #517 reported by github-monoculture. |
| 3149 | * Add MBEDTLS_MPI_GEN_PRIME_FLAG_LOW_ERR flag to mbedtls_mpi_gen_prime() and |
Simon Butcher | c86993e | 2018-09-27 09:48:54 +0100 | [diff] [blame] | 3150 | use it to reduce error probability in RSA key generation to levels mandated |
Simon Butcher | 5d40f67 | 2018-09-06 16:24:48 +0100 | [diff] [blame] | 3151 | by FIPS-186-4. |
Simon Butcher | b363382 | 2018-07-30 22:10:48 +0100 | [diff] [blame] | 3152 | |
Andres Amaya Garcia | a7b9f15 | 2018-08-16 21:46:35 +0100 | [diff] [blame] | 3153 | = mbed TLS 2.13.1 branch released 2018-09-06 |
Hanno Becker | acef292 | 2018-09-05 16:19:07 +0100 | [diff] [blame] | 3154 | |
Hanno Becker | 921b76d | 2018-09-05 16:21:36 +0100 | [diff] [blame] | 3155 | API Changes |
Andres Amaya Garcia | a7b9f15 | 2018-08-16 21:46:35 +0100 | [diff] [blame] | 3156 | * Extend the platform module with an abstraction mbedtls_platform_gmtime_r() |
Hanno Becker | acef292 | 2018-09-05 16:19:07 +0100 | [diff] [blame] | 3157 | whose implementation should behave as a thread-safe version of gmtime(). |
| 3158 | This allows users to configure such an implementation at compile time when |
| 3159 | the target system cannot be deduced automatically, by setting the option |
Andres Amaya Garcia | a7b9f15 | 2018-08-16 21:46:35 +0100 | [diff] [blame] | 3160 | MBEDTLS_PLATFORM_GMTIME_R_ALT. At this stage Mbed TLS is only able to |
Simon Butcher | b363382 | 2018-07-30 22:10:48 +0100 | [diff] [blame] | 3161 | automatically select implementations for Windows and POSIX C libraries. |
Andres Amaya Garcia | 8c9a620 | 2018-09-05 11:30:28 +0100 | [diff] [blame] | 3162 | |
| 3163 | Bugfix |
Simon Butcher | b363382 | 2018-07-30 22:10:48 +0100 | [diff] [blame] | 3164 | * Fix build failures on platforms where only gmtime() is available but |
Simon Butcher | 4d075cd | 2018-08-31 15:59:10 +0100 | [diff] [blame] | 3165 | neither gmtime_r() nor gmtime_s() are present. Fixes #1907. |
Gilles Peskine | 5bdb671 | 2018-03-22 21:34:15 +0100 | [diff] [blame] | 3166 | |
k-stachowiak | 21feae5 | 2018-07-09 14:42:35 +0200 | [diff] [blame] | 3167 | = mbed TLS 2.13.0 branch released 2018-08-31 |
k-stachowiak | 6ca436a | 2018-07-16 12:20:10 +0200 | [diff] [blame] | 3168 | |
| 3169 | Security |
| 3170 | * Fix an issue in the X.509 module which could lead to a buffer overread |
| 3171 | during certificate extensions parsing. In case of receiving malformed |
k-stachowiak | 21feae5 | 2018-07-09 14:42:35 +0200 | [diff] [blame] | 3172 | input (extensions length field equal to 0), an illegal read of one byte |
Manuel Pégourié-Gonnard | 01ec4af | 2017-09-21 13:16:52 +0200 | [diff] [blame] | 3173 | beyond the input buffer is made. Found and analyzed by Nathan Crandall. |
Manuel Pégourié-Gonnard | 6e7aaca | 2018-08-20 10:37:23 +0200 | [diff] [blame] | 3174 | |
| 3175 | Features |
Manuel Pégourié-Gonnard | f2f1d40 | 2018-08-21 09:53:22 +0200 | [diff] [blame] | 3176 | * Add support for fragmentation of outgoing DTLS handshake messages. This |
Manuel Pégourié-Gonnard | 6e7aaca | 2018-08-20 10:37:23 +0200 | [diff] [blame] | 3177 | is controlled by the maximum fragment length as set locally or negotiated |
Manuel Pégourié-Gonnard | b8eec19 | 2018-08-20 09:34:02 +0200 | [diff] [blame] | 3178 | with the peer, as well as by a new per-connection MTU option, set using |
| 3179 | mbedtls_ssl_set_mtu(). |
| 3180 | * Add support for auto-adjustment of MTU to a safe value during the |
Hanno Becker | d87a59c | 2018-08-14 16:34:55 +0100 | [diff] [blame] | 3181 | handshake when flights do not get through (RFC 6347, section 4.1.1.1, |
| 3182 | last paragraph). |
Hanno Becker | 02f6f5a | 2018-08-28 12:54:27 +0100 | [diff] [blame] | 3183 | * Add support for packing multiple records within a single datagram, |
Hanno Becker | aa24937 | 2018-08-22 10:27:13 +0100 | [diff] [blame] | 3184 | enabled by default. |
| 3185 | * Add support for buffering out-of-order handshake messages in DTLS. |
| 3186 | The maximum amount of RAM used for this can be controlled by the |
Hanno Becker | d87a59c | 2018-08-14 16:34:55 +0100 | [diff] [blame] | 3187 | compile-time constant MBEDTLS_SSL_DTLS_MAX_BUFFERING defined |
| 3188 | in mbedtls/config.h. |
Hanno Becker | 1841b0a | 2018-08-24 11:13:57 +0100 | [diff] [blame] | 3189 | |
Hanno Becker | d87a59c | 2018-08-14 16:34:55 +0100 | [diff] [blame] | 3190 | API Changes |
Manuel Pégourié-Gonnard | 01ec4af | 2017-09-21 13:16:52 +0200 | [diff] [blame] | 3191 | * Add function mbedtls_ssl_set_datagram_packing() to configure |
Gilles Peskine | 104d858 | 2018-06-27 10:57:33 +0200 | [diff] [blame] | 3192 | the use of datagram packing (enabled by default). |
Simon Butcher | b5afb97 | 2018-08-31 11:59:56 +0100 | [diff] [blame] | 3193 | |
| 3194 | Bugfix |
Gilles Peskine | 104d858 | 2018-06-27 10:57:33 +0200 | [diff] [blame] | 3195 | * Fix a potential memory leak in mbedtls_ssl_setup() function. An allocation |
| 3196 | failure in the function could lead to other buffers being leaked. |
Jaeden Amero | f48163a | 2018-08-10 10:49:10 +0100 | [diff] [blame] | 3197 | * Fixes an issue with MBEDTLS_CHACHAPOLY_C which would not compile if |
| 3198 | MBEDTLS_ARC4_C and MBEDTLS_CIPHER_NULL_CIPHER weren't also defined. #1890 |
Ron Eldor | 3f38cf7 | 2018-06-21 16:40:24 +0300 | [diff] [blame] | 3199 | * Fix a memory leak in ecp_mul_comb() if ecp_precompute_comb() fails. |
Ron Eldor | 84e62f8 | 2018-06-28 11:09:09 +0300 | [diff] [blame] | 3200 | Fix contributed by Espressif Systems. |
| 3201 | * Add ecc extensions only if an ecc based ciphersuite is used. |
Simon Butcher | b5afb97 | 2018-08-31 11:59:56 +0100 | [diff] [blame] | 3202 | This improves compliance to RFC 4492, and as a result, solves |
| 3203 | interoperability issues with BouncyCastle. Raised by milenamil in #1157. |
Hanno Becker | 9dc3be7 | 2018-08-14 15:22:05 +0100 | [diff] [blame] | 3204 | * Replace printf with mbedtls_printf in the ARIA module. Found by |
Hanno Becker | 361f254 | 2018-08-13 16:36:58 +0100 | [diff] [blame] | 3205 | TrinityTonic in #1908. |
Hanno Becker | eb2b15a | 2018-08-17 09:47:22 +0100 | [diff] [blame] | 3206 | * Fix potential use-after-free in mbedtls_ssl_get_max_frag_len() |
| 3207 | and mbedtls_ssl_get_record_expansion() after a session reset. Fixes #1941. |
| 3208 | * Fix a bug that caused SSL/TLS clients to incorrectly abort the handshake |
| 3209 | with TLS versions 1.1 and earlier when the server requested authentication |
| 3210 | without providing a list of CAs. This was due to an overly strict bounds |
Hanno Becker | 4481464 | 2018-08-03 09:53:48 +0100 | [diff] [blame] | 3211 | check in parsing the CertificateRequest message, |
| 3212 | introduced in Mbed TLS 2.12.0. Fixes #1954. |
| 3213 | * Fix a miscalculation of the maximum record expansion in |
Simon Butcher | b5afb97 | 2018-08-31 11:59:56 +0100 | [diff] [blame] | 3214 | mbedtls_ssl_get_record_expansion() in case of ChachaPoly ciphersuites, |
| 3215 | or CBC ciphersuites in (D)TLS versions 1.1 or higher. Fixes #1913, #1914. |
Hanno Becker | a70fb95 | 2017-10-08 16:13:03 +0100 | [diff] [blame] | 3216 | * Fix undefined shifts with negative values in certificates parsing |
| 3217 | (found by Catena cyber using oss-fuzz) |
Simon Butcher | b5afb97 | 2018-08-31 11:59:56 +0100 | [diff] [blame] | 3218 | * Fix memory leak and free without initialization in pk_encrypt |
Gilles Peskine | 104d858 | 2018-06-27 10:57:33 +0200 | [diff] [blame] | 3219 | and pk_decrypt example programs. Reported by Brace Stout. Fixes #1128. |
Jaeden Amero | 372b50b | 2018-08-10 10:56:31 +0100 | [diff] [blame] | 3220 | * Remove redundant else statement. Raised by irwir. Fixes #1776. |
| 3221 | |
| 3222 | Changes |
Jaeden Amero | 03bd484 | 2018-08-10 11:17:14 +0100 | [diff] [blame] | 3223 | * Copy headers preserving timestamps when doing a "make install". |
| 3224 | Contributed by xueruini. |
Jaeden Amero | d8f41698 | 2018-08-10 11:23:15 +0100 | [diff] [blame] | 3225 | * Allow the forward declaration of public structs. Contributed by Dawid |
| 3226 | Drozd. Fixes #1215 raised by randombit. |
Hanno Becker | f103542 | 2018-08-16 16:07:27 +0100 | [diff] [blame] | 3227 | * Improve compatibility with some alternative CCM implementations by using |
Janos Follath | 08a4aeb | 2018-08-06 14:20:15 +0100 | [diff] [blame] | 3228 | CCM test vectors from RAM. |
| 3229 | * Add support for buffering of out-of-order handshake messages. |
| 3230 | * Add warnings to the documentation of the HKDF module to reduce the risk |
| 3231 | of misusing the mbedtls_hkdf_extract() and mbedtls_hkdf_expand() |
Gilles Peskine | 5bdb671 | 2018-03-22 21:34:15 +0100 | [diff] [blame] | 3232 | functions. Fixes #1775. Reported by Brian J. Murray. |
| 3233 | |
Gilles Peskine | 104d858 | 2018-06-27 10:57:33 +0200 | [diff] [blame] | 3234 | = mbed TLS 2.12.0 branch released 2018-07-25 |
| 3235 | |
| 3236 | Security |
| 3237 | * Fix a vulnerability in TLS ciphersuites based on CBC and using SHA-384, |
| 3238 | in (D)TLS 1.0 to 1.2, that allowed an active network attacker to |
| 3239 | partially recover the plaintext of messages under some conditions by |
| 3240 | exploiting timing measurements. With DTLS, the attacker could perform |
| 3241 | this recovery by sending many messages in the same connection. With TLS |
| 3242 | or if mbedtls_ssl_conf_dtls_badmac_limit() was used, the attack only |
| 3243 | worked if the same secret (for example a HTTP Cookie) has been repeatedly |
| 3244 | sent over connections manipulated by the attacker. Connections using GCM |
| 3245 | or CCM instead of CBC, using hash sizes other than SHA-384, or using |
| 3246 | Encrypt-then-Mac (RFC 7366) were not affected. The vulnerability was |
| 3247 | caused by a miscalculation (for SHA-384) in a countermeasure to the |
Manuel Pégourié-Gonnard | 1cc1fb0 | 2018-06-28 12:10:27 +0200 | [diff] [blame] | 3248 | original Lucky 13 attack. Found by Kenny Paterson, Eyal Ronen and Adi |
| 3249 | Shamir. |
| 3250 | * Fix a vulnerability in TLS ciphersuites based on CBC, in (D)TLS 1.0 to |
Manuel Pégourié-Gonnard | 830ce11 | 2018-07-11 18:27:08 +0200 | [diff] [blame] | 3251 | 1.2, that allowed a local attacker, able to execute code on the local |
Antonin Décimo | 36e89b5 | 2019-01-23 15:24:37 +0100 | [diff] [blame] | 3252 | machine as well as manipulate network packets, to partially recover the |
Manuel Pégourié-Gonnard | 830ce11 | 2018-07-11 18:27:08 +0200 | [diff] [blame] | 3253 | plaintext of messages under some conditions by using a cache attack |
| 3254 | targeting an internal MD/SHA buffer. With TLS or if |
| 3255 | mbedtls_ssl_conf_dtls_badmac_limit() was used, the attack only worked if |
| 3256 | the same secret (for example a HTTP Cookie) has been repeatedly sent over |
| 3257 | connections manipulated by the attacker. Connections using GCM or CCM |
Manuel Pégourié-Gonnard | 7b42030 | 2018-06-28 10:38:35 +0200 | [diff] [blame] | 3258 | instead of CBC or using Encrypt-then-Mac (RFC 7366) were not affected. |
| 3259 | Found by Kenny Paterson, Eyal Ronen and Adi Shamir. |
| 3260 | * Add a counter-measure against a vulnerability in TLS ciphersuites based |
| 3261 | on CBC, in (D)TLS 1.0 to 1.2, that allowed a local attacker, able to |
| 3262 | execute code on the local machine as well as manipulate network packets, |
| 3263 | to partially recover the plaintext of messages under some conditions (see |
| 3264 | previous entry) by using a cache attack targeting the SSL input record |
| 3265 | buffer. Connections using GCM or CCM instead of CBC or using |
Gilles Peskine | 104d858 | 2018-06-27 10:57:33 +0200 | [diff] [blame] | 3266 | Encrypt-then-Mac (RFC 7366) were not affected. Found by Kenny Paterson, |
Manuel Pégourié-Gonnard | ce8314f | 2018-05-03 12:49:58 +0200 | [diff] [blame] | 3267 | Eyal Ronen and Adi Shamir. |
| 3268 | |
Manuel Pégourié-Gonnard | 1f092b4 | 2018-06-19 12:48:24 +0200 | [diff] [blame] | 3269 | Features |
Simon Butcher | f11a7cd | 2018-07-25 17:26:56 +0100 | [diff] [blame] | 3270 | * Add new crypto primitives from RFC 7539: stream cipher Chacha20, one-time |
Manuel Pégourié-Gonnard | 1f092b4 | 2018-06-19 12:48:24 +0200 | [diff] [blame] | 3271 | authenticator Poly1305 and AEAD construct Chacha20-Poly1305. Contributed |
Simon Butcher | 231d7e5 | 2018-07-10 11:56:19 +0100 | [diff] [blame] | 3272 | by Daniel King. |
| 3273 | * Add support for CHACHA20-POLY1305 ciphersuites from RFC 7905. |
Simon Butcher | 00af447 | 2018-07-10 15:35:43 +0100 | [diff] [blame] | 3274 | * Add platform support for the Haiku OS. (https://www.haiku-os.org). |
| 3275 | Contributed by Augustin Cavalier. |
| 3276 | * Make the receive and transmit buffers independent sizes, for situations |
| 3277 | where the outgoing buffer can be fixed at a smaller size than the incoming |
| 3278 | buffer, which can save some RAM. If buffer lengths are kept equal, there |
Ron Eldor | 9cf0d53 | 2018-07-15 09:34:35 +0300 | [diff] [blame] | 3279 | is no functional difference. Contributed by Angus Gratton, and also |
Simon Butcher | f11a7cd | 2018-07-25 17:26:56 +0100 | [diff] [blame] | 3280 | independently contributed again by Paul Sokolovsky. |
Manuel Pégourié-Gonnard | ce8314f | 2018-05-03 12:49:58 +0200 | [diff] [blame] | 3281 | * Add support for key wrapping modes based on AES as defined by |
Simon Butcher | 9e02b97 | 2018-06-28 11:56:57 +0100 | [diff] [blame] | 3282 | NIST SP 800-38F algorithms KW and KWP and by RFC 3394 and RFC 5649. |
| 3283 | |
| 3284 | Bugfix |
niisato | b7d39db | 2018-06-25 20:44:57 +0900 | [diff] [blame] | 3285 | * Fix the key_app_writer example which was writing a leading zero byte which |
niisato | 164b9cd | 2018-06-25 20:47:05 +0900 | [diff] [blame] | 3286 | was creating an invalid ASN.1 tag. Found by Aryeh R. Fixes #1257. |
Simon Butcher | 1d97cab | 2018-06-28 12:06:16 +0100 | [diff] [blame] | 3287 | * Fix compilation error on C++, because of a variable named new. |
Simon Butcher | f11a7cd | 2018-07-25 17:26:56 +0100 | [diff] [blame] | 3288 | Found and fixed by Hirotaka Niisato in #1783. |
Andres Amaya Garcia | a562c26 | 2017-07-11 14:39:30 +0100 | [diff] [blame] | 3289 | * Fix "no symbols" warning issued by ranlib when building on Mac OS X. Fix |
| 3290 | contributed by tabascoeye. |
Simon Butcher | 1ab9b57 | 2018-06-28 12:10:56 +0100 | [diff] [blame] | 3291 | * Clarify documentation for mbedtls_ssl_write() to include 0 as a valid |
| 3292 | return value. Found by @davidwu2000. #839 |
Simon Butcher | 05fa46e | 2018-07-02 12:00:54 +0100 | [diff] [blame] | 3293 | * Fix a memory leak in mbedtls_x509_csr_parse(), found by catenacyber, |
| 3294 | Philippe Antoine. Fixes #1623. |
Ron Eldor | da2a312 | 2018-06-17 14:51:59 +0300 | [diff] [blame] | 3295 | * Remove unused headers included in x509.c. Found by Chris Hanson and fixed |
| 3296 | by Brendan Shanks. Part of a fix for #992. |
Simon Butcher | f11a7cd | 2018-07-25 17:26:56 +0100 | [diff] [blame] | 3297 | * Fix compilation error when MBEDTLS_ARC4_C is disabled and |
| 3298 | MBEDTLS_CIPHER_NULL_CIPHER is enabled. Found by TrinityTonic in #1719. |
Simon Butcher | 6c34442 | 2018-06-24 16:20:56 +0100 | [diff] [blame] | 3299 | * Added length checks to some TLS parsing functions. Found and fixed by |
| 3300 | Philippe Antoine from Catena cyber. #1663. |
Ron Eldor | 6332e36 | 2017-10-01 17:11:54 +0300 | [diff] [blame] | 3301 | * Fix the inline assembly for the MPI multiply helper function for i386 and |
Ron Eldor | 6fd941f | 2017-05-14 16:17:33 +0300 | [diff] [blame] | 3302 | i386 with SSE2. Found by László Langó. Fixes #1550 |
Simon Butcher | ecb635e | 2018-07-24 10:03:41 +0100 | [diff] [blame] | 3303 | * Fix namespacing in header files. Remove the `mbedtls` namespacing in |
| 3304 | the `#include` in the header files. Resolves #857 |
| 3305 | * Fix compiler warning of 'use before initialisation' in |
Simon Butcher | 0533054 | 2018-07-24 12:54:15 +0100 | [diff] [blame] | 3306 | mbedtls_pk_parse_key(). Found by Martin Boye Petersen and fixed by Dawid |
| 3307 | Drozd. #1098 |
| 3308 | * Fix decryption for zero length messages (which contain all padding) when a |
| 3309 | CBC based ciphersuite is used together with Encrypt-then-MAC. Previously, |
| 3310 | such a message was wrongly reported as an invalid record and therefore lead |
| 3311 | to the connection being terminated. Seen most often with OpenSSL using |
Andres Amaya Garcia | 81f0633 | 2018-07-04 10:01:39 +0100 | [diff] [blame] | 3312 | TLS 1.0. Reported by @kFYatek and by Conor Murphy on the forum. Fix |
| 3313 | contributed by Espressif Systems. Fixes #1632 |
| 3314 | * Fix ssl_client2 example to send application data with 0-length content |
Simon Butcher | f11a7cd | 2018-07-25 17:26:56 +0100 | [diff] [blame] | 3315 | when the request_size argument is set to 0 as stated in the documentation. |
| 3316 | Fixes #1833. |
Simon Butcher | 2c92949 | 2018-07-24 17:20:17 +0100 | [diff] [blame] | 3317 | * Correct the documentation for `mbedtls_ssl_get_session()`. This API has |
Simon Butcher | 9e02b97 | 2018-06-28 11:56:57 +0100 | [diff] [blame] | 3318 | deep copy of the session, and the peer certificate is not lost. Fixes #926. |
Simon Butcher | 9fa21bf | 2018-06-27 10:50:58 +0100 | [diff] [blame] | 3319 | * Fix build using -std=c99. Fixed by Nick Wilson. |
Simon Butcher | f11a7cd | 2018-07-25 17:26:56 +0100 | [diff] [blame] | 3320 | |
| 3321 | Changes |
| 3322 | * Fail when receiving a TLS alert message with an invalid length, or invalid |
| 3323 | zero-length messages when using TLS 1.2. Contributed by Espressif Systems. |
| 3324 | * Change the default behaviour of mbedtls_hkdf_extract() to return an error |
Simon Butcher | 9fa21bf | 2018-06-27 10:50:58 +0100 | [diff] [blame] | 3325 | when calling with a NULL salt and non-zero salt_len. Contributed by |
| 3326 | Brian J Murray |
Nicholas Wilson | 512b4ee | 2017-12-05 12:07:33 +0000 | [diff] [blame] | 3327 | * Change the shebang line in Perl scripts to look up perl in the PATH. |
| 3328 | Contributed by fbrosson. |
| 3329 | * Allow overriding the time on Windows via the platform-time abstraction. |
Simon Butcher | 9fa21bf | 2018-06-27 10:50:58 +0100 | [diff] [blame] | 3330 | Fixed by Nick Wilson. |
Manuel Pégourié-Gonnard | 823c915 | 2018-07-02 12:05:49 +0200 | [diff] [blame] | 3331 | * Use gmtime_r/gmtime_s for thread-safety. Fixed by Nick Wilson. |
| 3332 | |
| 3333 | = mbed TLS 2.11.0 branch released 2018-06-18 |
Simon Butcher | 4ed3880 | 2018-06-12 17:35:06 +0100 | [diff] [blame] | 3334 | |
| 3335 | Features |
| 3336 | * Add additional block mode, OFB (Output Feedback), to the AES module and |
| 3337 | cipher abstraction module. |
| 3338 | * Implement the HMAC-based extract-and-expand key derivation function |
Jaeden Amero | f4474e7 | 2018-05-23 14:21:02 +0100 | [diff] [blame] | 3339 | (HKDF) per RFC 5869. Contributed by Thomas Fossati. |
| 3340 | * Add support for the CCM* block cipher mode as defined in IEEE Std. 802.15.4. |
Gilles Peskine | b44692f | 2018-04-24 12:18:19 +0200 | [diff] [blame] | 3341 | * Add support for the XTS block cipher mode with AES (AES-XTS). |
| 3342 | Contributed by Aorimn in pull request #414. |
| 3343 | * In TLS servers, support offloading private key operations to an external |
Simon Butcher | ebe23ed | 2018-06-12 16:46:45 +0100 | [diff] [blame] | 3344 | cryptoprocessor. Private key operations can be asynchronous to allow |
Simon Butcher | 601144e | 2018-06-12 17:04:58 +0100 | [diff] [blame] | 3345 | non-blocking operation of the TLS server stack. |
Simon Butcher | 4ed3880 | 2018-06-12 17:35:06 +0100 | [diff] [blame] | 3346 | |
| 3347 | Bugfix |
Simon Butcher | e5cd868 | 2018-06-14 10:30:19 +0100 | [diff] [blame] | 3348 | * Fix the cert_write example to handle certificates signed with elliptic |
| 3349 | curves as well as RSA. Fixes #777 found by dbedev. |
Simon Butcher | 600c5e6 | 2018-06-14 08:58:59 +0100 | [diff] [blame] | 3350 | * Fix for redefinition of _WIN32_WINNT to avoid overriding a definition |
| 3351 | used by user applications. Found and fixed by Fabio Alessandrelli. |
Simon Butcher | 925568a | 2018-06-18 11:54:44 +0100 | [diff] [blame] | 3352 | * Fix compilation warnings with IAR toolchain, on 32 bit platform. |
Simon Butcher | 4ed3880 | 2018-06-12 17:35:06 +0100 | [diff] [blame] | 3353 | Reported by rahmanih in #683 |
| 3354 | * Fix braces in mbedtls_memory_buffer_alloc_status(). Found by sbranden, #552. |
| 3355 | |
Simon Butcher | b6a5bff | 2018-06-18 11:51:36 +0100 | [diff] [blame] | 3356 | Changes |
| 3357 | * Changed CMake defaults for IAR to treat all compiler warnings as errors. |
| 3358 | * Changed the Clang parameters used in the CMake build files to work for |
Manuel Pégourié-Gonnard | 171a481 | 2017-05-15 17:23:37 +0200 | [diff] [blame] | 3359 | versions later than 3.6. Versions of Clang earlier than this may no longer |
Simon Butcher | d5a09f1 | 2018-06-06 14:47:47 +0100 | [diff] [blame] | 3360 | work. Fixes #1072 |
Gilles Peskine | 5bdb671 | 2018-03-22 21:34:15 +0100 | [diff] [blame] | 3361 | |
Manuel Pégourié-Gonnard | 08d1e91 | 2018-02-27 12:43:35 +0100 | [diff] [blame] | 3362 | = mbed TLS 2.10.0 branch released 2018-06-06 |
| 3363 | |
| 3364 | Features |
| 3365 | * Add support for ARIA cipher (RFC 5794) and associated TLS ciphersuites |
Gilles Peskine | 80aa3b8 | 2018-04-04 10:33:45 +0200 | [diff] [blame] | 3366 | (RFC 6209). Disabled by default, see MBEDTLS_ARIA_C in config.h |
Andres Amaya Garcia | 1962405 | 2018-03-08 20:06:03 +0000 | [diff] [blame] | 3367 | |
| 3368 | API Changes |
| 3369 | * Extend the platform module with a util component that contains |
| 3370 | functionality shared by multiple Mbed TLS modules. At this stage |
| 3371 | platform_util.h (and its associated platform_util.c) only contain |
| 3372 | mbedtls_platform_zeroize(), which is a critical function from a security |
| 3373 | point of view. mbedtls_platform_zeroize() needs to be regularly tested |
| 3374 | against compilers to ensure that calls to it are not removed from the |
| 3375 | output binary as part of redundant code elimination optimizations. |
Hanno Becker | 2bd5757 | 2018-03-28 14:52:35 +0100 | [diff] [blame] | 3376 | Therefore, mbedtls_platform_zeroize() is moved to the platform module to |
Simon Butcher | d72700a | 2018-06-01 19:11:55 +0100 | [diff] [blame] | 3377 | facilitate testing and maintenance. |
| 3378 | |
| 3379 | Bugfix |
| 3380 | * Fix an issue with MicroBlaze support in bn_mul.h which was causing the |
Gilles Peskine | b2f09c3 | 2018-03-21 12:38:00 +0100 | [diff] [blame] | 3381 | build to fail. Found by zv-io. Fixes #1651. |
| 3382 | |
Moran Peker | a64fba4 | 2018-02-25 13:29:03 +0200 | [diff] [blame] | 3383 | Changes |
| 3384 | * Support TLS testing in out-of-source builds using cmake. Fixes #1193. |
Gilles Peskine | b2f09c3 | 2018-03-21 12:38:00 +0100 | [diff] [blame] | 3385 | * Fix redundant declaration of mbedtls_ssl_list_ciphersuites. Raised by |
Jaeden Amero | 7d7bad6 | 2018-04-27 13:07:13 +0100 | [diff] [blame] | 3386 | TrinityTonic. #1359. |
Ron Eldor | fb46c32 | 2016-12-16 16:15:56 +0200 | [diff] [blame] | 3387 | |
Simon Butcher | f85c90a | 2017-07-27 15:11:52 +0100 | [diff] [blame] | 3388 | = mbed TLS 2.9.0 branch released 2018-04-30 |
Simon Butcher | b03120a | 2018-04-30 16:40:25 +0100 | [diff] [blame] | 3389 | |
| 3390 | Security |
| 3391 | * Fix an issue in the X.509 module which could lead to a buffer overread |
| 3392 | during certificate validation. Additionally, the issue could also lead to |
| 3393 | unnecessary callback checks being made or to some validation checks to be |
| 3394 | omitted. The overread could be triggered remotely, while the other issues |
| 3395 | would require a non DER-compliant certificate to be correctly signed by a |
| 3396 | trusted CA, or a trusted CA with a non DER-compliant certificate. Found by |
| 3397 | luocm. Fixes #825. |
| 3398 | * Fix the buffer length assertion in the ssl_parse_certificate_request() |
| 3399 | function which led to an arbitrary overread of the message buffer. The |
| 3400 | overreads could be caused by receiving a malformed message at the point |
| 3401 | where an optional signature algorithms list is expected when the signature |
Andrzej Kurek | b7a18c0 | 2018-04-25 05:25:30 -0400 | [diff] [blame] | 3402 | algorithms section is too short. In builds with debug output, the overread |
Simon Butcher | b03120a | 2018-04-30 16:40:25 +0100 | [diff] [blame] | 3403 | data is output with the debug data. |
| 3404 | * Fix a client-side bug in the validation of the server's ciphersuite choice |
| 3405 | which could potentially lead to the client accepting a ciphersuite it didn't |
| 3406 | offer or a ciphersuite that cannot be used with the TLS or DTLS version |
Gilles Peskine | 5bdb671 | 2018-03-22 21:34:15 +0100 | [diff] [blame] | 3407 | chosen by the server. This could lead to corruption of internal data |
Gilles Peskine | 15ad579 | 2018-03-22 22:21:55 +0100 | [diff] [blame] | 3408 | structures for some configurations. |
Simon Butcher | b03120a | 2018-04-30 16:40:25 +0100 | [diff] [blame] | 3409 | |
| 3410 | Features |
| 3411 | * Add an option, MBEDTLS_AES_FEWER_TABLES, to dynamically compute smaller AES |
Gilles Peskine | 15ad579 | 2018-03-22 22:21:55 +0100 | [diff] [blame] | 3412 | tables during runtime, thereby reducing the RAM/ROM footprint by ~6KiB. |
| 3413 | Suggested and contributed by jkivilin in pull request #394. |
| 3414 | * Add initial support for Curve448 (RFC 7748). Only mbedtls_ecp_mul() and |
Simon Butcher | e6a2a1a | 2018-05-01 13:57:53 +0100 | [diff] [blame] | 3415 | ECDH primitive functions (mbedtls_ecdh_gen_public(), |
Hanno Becker | 371f31c | 2017-06-07 15:56:54 +0100 | [diff] [blame] | 3416 | mbedtls_ecdh_compute_shared()) are supported for now. Contributed by |
| 3417 | Nicholas Wilson in pull request #348. |
Simon Butcher | b03120a | 2018-04-30 16:40:25 +0100 | [diff] [blame] | 3418 | |
| 3419 | API Changes |
| 3420 | * Extend the public API with the function of mbedtls_net_poll() to allow user |
| 3421 | applications to wait for a network context to become ready before reading |
| 3422 | or writing. |
| 3423 | * Add function mbedtls_ssl_check_pending() to the public API to allow |
Gilles Peskine | 557e77d | 2018-04-04 09:18:11 +0200 | [diff] [blame] | 3424 | a check for whether more more data is pending to be processed in the |
| 3425 | internal message buffers. |
Hanno Becker | 371f31c | 2017-06-07 15:56:54 +0100 | [diff] [blame] | 3426 | This function is necessary to determine when it is safe to idle on the |
Andres AG | ee7157e | 2016-12-07 10:25:19 +0000 | [diff] [blame] | 3427 | underlying transport in case event-driven IO is used. |
Simon Butcher | b03120a | 2018-04-30 16:40:25 +0100 | [diff] [blame] | 3428 | |
Gilles Peskine | 0818540 | 2018-03-22 21:50:48 +0100 | [diff] [blame] | 3429 | Bugfix |
Gilles Peskine | 51d9394 | 2018-03-23 01:42:44 +0100 | [diff] [blame] | 3430 | * Fix a spurious uninitialized variable warning in cmac.c. Fix independently |
| 3431 | contributed by Brian J Murray and David Brown. |
| 3432 | * Add missing dependencies in test suites that led to build failures |
Jaeden Amero | b604960 | 2018-03-26 18:25:58 +0100 | [diff] [blame] | 3433 | in configurations that omit certain hashes or public-key algorithms. |
| 3434 | Fixes #1040. |
Gilles Peskine | f69ad5a | 2018-03-27 23:08:53 +0200 | [diff] [blame] | 3435 | * Fix C89 incompatibility in benchmark.c. Contributed by Brendan Shanks. |
Simon Butcher | b03120a | 2018-04-30 16:40:25 +0100 | [diff] [blame] | 3436 | #1353 |
| 3437 | * Add missing dependencies for MBEDTLS_HAVE_TIME_DATE and |
| 3438 | MBEDTLS_VERSION_FEATURES in some test suites. Contributed by |
| 3439 | Deomid Ryabkov. Fixes #1299, #1475. |
Jethro Beekman | d2df936 | 2018-02-16 13:11:04 -0800 | [diff] [blame] | 3440 | * Fix the Makefile build process for building shared libraries on Mac OS X. |
Simon Butcher | b03120a | 2018-04-30 16:40:25 +0100 | [diff] [blame] | 3441 | Fixed by mnacamura. |
Jethro Beekman | cb12237 | 2018-04-11 08:40:38 -0700 | [diff] [blame] | 3442 | * Fix parsing of PKCS#8 encoded Elliptic Curve keys. Previously Mbed TLS was |
Simon Butcher | b03120a | 2018-04-30 16:40:25 +0100 | [diff] [blame] | 3443 | unable to parse keys which had only the optional parameters field of the |
| 3444 | ECPrivateKey structure. Found by Jethro Beekman, fixed in #1379. |
| 3445 | * Return the plaintext data more quickly on unpadded CBC decryption, as |
Gilles Peskine | b9e8696 | 2018-04-04 09:20:59 +0200 | [diff] [blame] | 3446 | stated in the mbedtls_cipher_update() documentation. Contributed by |
| 3447 | Andy Leiserson. |
Hanno Becker | c53826b | 2017-10-12 07:46:41 +0100 | [diff] [blame] | 3448 | * Fix overriding and ignoring return values when parsing and writing to |
| 3449 | a file in pk_sign program. Found by kevlut in #1142. |
| 3450 | * Restrict usage of error code MBEDTLS_ERR_SSL_WANT_READ to situations |
| 3451 | where data needs to be fetched from the underlying transport in order |
| 3452 | to make progress. Previously, this error code was also occasionally |
Simon Butcher | b03120a | 2018-04-30 16:40:25 +0100 | [diff] [blame] | 3453 | returned when unexpected messages were being discarded, ignoring that |
| 3454 | further messages could potentially already be pending to be processed |
Gilles Peskine | f2b76cd | 2018-04-19 17:41:39 +0200 | [diff] [blame] | 3455 | in the internal buffers; these cases led to deadlocks when event-driven |
| 3456 | I/O was used. Found and reported by Hubert Mis in #772. |
| 3457 | * Fix buffer length assertions in the ssl_parse_certificate_request() |
Andrzej Kurek | 5462e02 | 2018-04-20 07:58:53 -0400 | [diff] [blame] | 3458 | function which leads to a potential one byte overread of the message |
| 3459 | buffer. |
Simon Butcher | e6a2a1a | 2018-05-01 13:57:53 +0100 | [diff] [blame] | 3460 | * Fix invalid buffer sizes passed to zlib during record compression and |
| 3461 | decompression. |
| 3462 | * Fix the soversion of libmbedcrypto to match the soversion of the |
| 3463 | maintained 2.7 branch. The soversion was increased in Mbed TLS |
Gilles Peskine | 0818540 | 2018-03-22 21:50:48 +0100 | [diff] [blame] | 3464 | version 2.7.1 to reflect breaking changes in that release, but the |
Gilles Peskine | 5bdb671 | 2018-03-22 21:34:15 +0100 | [diff] [blame] | 3465 | increment was missed in 2.8.0 and later releases outside of the 2.7 branch. |
| 3466 | |
Simon Butcher | b03120a | 2018-04-30 16:40:25 +0100 | [diff] [blame] | 3467 | Changes |
| 3468 | * Remove some redundant code in bignum.c. Contributed by Alexey Skalozub. |
Gilles Peskine | 51d9394 | 2018-03-23 01:42:44 +0100 | [diff] [blame] | 3469 | * Support cmake builds where Mbed TLS is a subproject. Fix contributed |
| 3470 | independently by Matthieu Volat and Arne Schwabe. |
| 3471 | * Improve testing in configurations that omit certain hashes or |
Andres Amaya Garcia | 768bbaf | 2018-03-21 15:05:12 +0000 | [diff] [blame] | 3472 | public-key algorithms. Includes contributions by Gert van Dijk. |
| 3473 | * Improve negative testing of X.509 parsing. |
| 3474 | * Do not define global mutexes around readdir() and gmtime() in |
Simon Butcher | b03120a | 2018-04-30 16:40:25 +0100 | [diff] [blame] | 3475 | configurations where the feature is disabled. Found and fixed by Gergely |
| 3476 | Budai. |
| 3477 | * Harden the function mbedtls_ssl_config_free() against misuse, so that it |
| 3478 | doesn't leak memory if the user doesn't use mbedtls_ssl_conf_psk() and |
Andres Amaya Garcia | cb47a79 | 2018-03-27 21:19:50 +0100 | [diff] [blame] | 3479 | instead incorrectly manipulates the configuration structure directly. |
| 3480 | Found and fix submitted by junyeonLEE in #1220. |
| 3481 | * Provide an empty implementation of mbedtls_pkcs5_pbes2() when |
Manuel Pégourié-Gonnard | fff308e | 2018-03-28 11:13:05 +0200 | [diff] [blame] | 3482 | MBEDTLS_ASN1_PARSE_C is not enabled. This allows the use of PBKDF2 |
| 3483 | without PBES2. Fixed by Marcos Del Sol Vives. |
| 3484 | * Add the order of the base point as N in the mbedtls_ecp_group structure |
Jaeden Amero | 4ba87fc | 2018-03-29 11:01:38 +0100 | [diff] [blame] | 3485 | for Curve25519 (other curves had it already). Contributed by Nicholas |
| 3486 | Wilson #481 |
Darryl Green | eea1c4e | 2018-03-29 16:05:44 +0100 | [diff] [blame] | 3487 | * Improve the documentation of mbedtls_net_accept(). Contributed by Ivan |
| 3488 | Krylov. |
Simon Butcher | b03120a | 2018-04-30 16:40:25 +0100 | [diff] [blame] | 3489 | * Improve the documentation of mbedtls_ssl_write(). Suggested by |
Andres Amaya Garcia | d1b1788 | 2018-03-27 19:14:24 +0100 | [diff] [blame] | 3490 | Paul Sokolovsky in #1356. |
| 3491 | * Add an option in the Makefile to support ar utilities where the operation |
Andres Amaya Garcia | ea5a8a4 | 2018-03-25 23:57:09 +0100 | [diff] [blame] | 3492 | letter must not be prefixed by '-', such as LLVM. Found and fixed by |
Andres Amaya Garcia | d1b1788 | 2018-03-27 19:14:24 +0100 | [diff] [blame] | 3493 | Alex Hixon. |
Gilles Peskine | 4e4be7c | 2018-03-21 16:29:03 +0100 | [diff] [blame] | 3494 | * Allow configuring the shared library extension by setting the DLEXT |
Gilles Peskine | 092bf3d | 2018-04-01 12:43:48 +0200 | [diff] [blame] | 3495 | environment variable when using the project makefiles. |
Gilles Peskine | a09453f | 2018-04-04 09:14:12 +0200 | [diff] [blame] | 3496 | * Optimize unnecessary zeroing in mbedtls_mpi_copy. Based on a contribution |
| 3497 | by Alexey Skalozub in #405. |
| 3498 | * In the SSL module, when f_send, f_recv or f_recv_timeout report |
Gilles Peskine | c96ccf4 | 2018-03-31 22:57:03 +0200 | [diff] [blame] | 3499 | transmitting more than the required length, return an error. Raised by |
| 3500 | Sam O'Connor in #1245. |
| 3501 | * Improve robustness of mbedtls_ssl_derive_keys against the use of |
Simon Butcher | b03120a | 2018-04-30 16:40:25 +0100 | [diff] [blame] | 3502 | HMAC functions with non-HMAC ciphersuites. Independently contributed |
| 3503 | by Jiayuan Chen in #1377. Fixes #1437. |
Gilles Peskine | 81021ca | 2018-04-19 20:59:06 +0200 | [diff] [blame] | 3504 | * Improve security of RSA key generation by including criteria from |
| 3505 | FIPS 186-4. Contributed by Jethro Beekman. #1380 |
| 3506 | * Declare functions in header files even when an alternative implementation |
| 3507 | of the corresponding module is activated by defining the corresponding |
| 3508 | MBEDTLS_XXX_ALT macro. This means that alternative implementations do |
Andrzej Kurek | aca09c7 | 2018-04-13 05:18:08 -0400 | [diff] [blame] | 3509 | not need to copy the declarations, and ensures that they will have the |
Gilles Peskine | 5bdb671 | 2018-03-22 21:34:15 +0100 | [diff] [blame] | 3510 | same API. |
Jaeden Amero | 8be0e6d | 2018-03-16 16:25:12 +0000 | [diff] [blame] | 3511 | * Add platform setup and teardown calls in test suites. |
Gilles Peskine | 27b0754 | 2018-02-14 14:07:48 +0100 | [diff] [blame] | 3512 | |
Gilles Peskine | 04f9bd0 | 2018-02-22 15:22:44 +0100 | [diff] [blame] | 3513 | = mbed TLS 2.8.0 branch released 2018-03-16 |
| 3514 | |
Thomas Daubney | d596e99 | 2021-06-18 11:50:56 +0100 | [diff] [blame] | 3515 | Default behavior changes |
| 3516 | * The truncated HMAC extension now conforms to RFC 6066. This means |
| 3517 | that when both sides of a TLS connection negotiate the truncated |
| 3518 | HMAC extension, Mbed TLS can now interoperate with other |
| 3519 | compliant implementations, but this breaks interoperability with |
| 3520 | prior versions of Mbed TLS. To restore the old behavior, enable |
| 3521 | the (deprecated) option MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT in |
| 3522 | config.h. Found by Andreas Walz (ivESK, Offenburg University of |
| 3523 | Applied Sciences). |
| 3524 | |
Hanno Becker | 7dc832b | 2017-11-16 17:39:34 +0000 | [diff] [blame] | 3525 | Security |
Gilles Peskine | 04f9bd0 | 2018-02-22 15:22:44 +0100 | [diff] [blame] | 3526 | * Fix implementation of the truncated HMAC extension. The previous |
| 3527 | implementation allowed an offline 2^80 brute force attack on the |
| 3528 | HMAC key of a single, uninterrupted connection (with no |
| 3529 | resumption of the session). |
Gilles Peskine | 553a06f | 2018-03-13 17:15:34 +0100 | [diff] [blame] | 3530 | * Verify results of RSA private key operations to defend |
| 3531 | against Bellcore glitch attack. |
Krzysztof Stachowiak | 00bbf57 | 2018-03-14 11:14:13 +0100 | [diff] [blame] | 3532 | * Fix a buffer overread in ssl_parse_server_key_exchange() that could cause |
| 3533 | a crash on invalid input. |
Krzysztof Stachowiak | 7fa1ae7 | 2018-03-13 17:17:38 +0100 | [diff] [blame] | 3534 | * Fix a buffer overread in ssl_parse_server_psk_hint() that could cause a |
| 3535 | crash on invalid input. |
Manuel Pégourié-Gonnard | fd3e4fb | 2018-03-13 11:53:30 +0100 | [diff] [blame] | 3536 | * Fix CRL parsing to reject CRLs containing unsupported critical |
| 3537 | extensions. Found by Falko Strenzke and Evangelos Karatsiolis. |
Hanno Becker | 7dc832b | 2017-11-16 17:39:34 +0000 | [diff] [blame] | 3538 | |
Antonio Quartulli | 12ccef2 | 2017-12-20 07:03:55 +0800 | [diff] [blame] | 3539 | Features |
| 3540 | * Extend PKCS#8 interface by introducing support for the entire SHA |
| 3541 | algorithms family when encrypting private keys using PKCS#5 v2.0. |
Gilles Peskine | 1d80a67 | 2018-02-14 11:33:30 +0100 | [diff] [blame] | 3542 | This allows reading encrypted PEM files produced by software that |
| 3543 | uses PBKDF2-SHA2, such as OpenSSL 1.1. Submitted by Antonio Quartulli, |
| 3544 | OpenVPN Inc. Fixes #1339 |
Gilles Peskine | 3dabd6a | 2018-02-14 17:19:41 +0100 | [diff] [blame] | 3545 | * Add support for public keys encoded in PKCS#1 format. #1122 |
Antonio Quartulli | 12ccef2 | 2017-12-20 07:03:55 +0800 | [diff] [blame] | 3546 | |
Hanno Becker | cf092b2 | 2018-03-06 14:23:38 +0000 | [diff] [blame] | 3547 | New deprecations |
| 3548 | * Deprecate support for record compression (configuration option |
| 3549 | MBEDTLS_ZLIB_SUPPORT). |
| 3550 | |
Gilles Peskine | 27b0754 | 2018-02-14 14:07:48 +0100 | [diff] [blame] | 3551 | Bugfix |
| 3552 | * Fix the name of a DHE parameter that was accidentally changed in 2.7.0. |
| 3553 | Fixes #1358. |
Gilles Peskine | 1e3fd69 | 2018-02-14 15:12:49 +0100 | [diff] [blame] | 3554 | * Fix test_suite_pk to work on 64-bit ILP32 systems. #849 |
Ron Eldor | 099e61d | 2018-02-06 17:34:27 +0200 | [diff] [blame] | 3555 | * Fix mbedtls_x509_crt_profile_suiteb, which used to reject all certificates |
| 3556 | with flag MBEDTLS_X509_BADCERT_BAD_PK even when the key type was correct. |
Gilles Peskine | 1bf6123 | 2018-02-27 08:37:52 +0100 | [diff] [blame] | 3557 | In the context of SSL, this resulted in handshake failure. Reported by |
| 3558 | daniel in the Mbed TLS forum. #1351 |
Jaeden Amero | c5d08f8 | 2018-02-21 13:32:39 +0000 | [diff] [blame] | 3559 | * Fix Windows x64 builds with the included mbedTLS.sln file. #1347 |
Gilles Peskine | b4c571e | 2018-03-11 00:44:14 +0100 | [diff] [blame] | 3560 | * Fix setting version TLSv1 as minimal version, even if TLS 1 |
| 3561 | is not enabled. Set MBEDTLS_SSL_MIN_MAJOR_VERSION |
| 3562 | and MBEDTLS_SSL_MIN_MINOR_VERSION instead of |
| 3563 | MBEDTLS_SSL_MAJOR_VERSION_3 and MBEDTLS_SSL_MINOR_VERSION_1. #664 |
Ron Eldor | 2f73c93 | 2017-09-26 15:06:56 +0300 | [diff] [blame] | 3564 | * Fix compilation error on Mingw32 when _TRUNCATE is defined. Use _TRUNCATE |
| 3565 | only if __MINGW32__ not defined. Fix suggested by Thomas Glanzmann and |
Ron Eldor | bc18eb3 | 2017-09-06 17:49:10 +0300 | [diff] [blame] | 3566 | Nick Wilson on issue #355 |
Gilles Peskine | 08af538 | 2018-03-11 00:15:56 +0100 | [diff] [blame] | 3567 | * In test_suite_pk, pass valid parameters when testing for hash length |
itayzafrir | 693a1d9 | 2018-02-26 12:02:10 +0200 | [diff] [blame] | 3568 | overflow. #1179 |
Gilles Peskine | a31d820 | 2018-03-12 23:45:08 +0100 | [diff] [blame] | 3569 | * Fix memory allocation corner cases in memory_buffer_alloc.c module. Found |
| 3570 | by Guido Vranken. #639 |
Gilles Peskine | 3ff4a07 | 2018-03-12 23:54:20 +0100 | [diff] [blame] | 3571 | * Log correct number of ciphersuites used in Client Hello message. #918 |
Gilles Peskine | 5f19328 | 2018-03-13 17:18:06 +0100 | [diff] [blame] | 3572 | * Fix X509 CRT parsing that would potentially accept an invalid tag when |
| 3573 | parsing the subject alternative names. |
Krzysztof Stachowiak | 00bbf57 | 2018-03-14 11:14:13 +0100 | [diff] [blame] | 3574 | * Fix a possible arithmetic overflow in ssl_parse_server_key_exchange() |
| 3575 | that could cause a key exchange to fail on valid data. |
Krzysztof Stachowiak | 7fa1ae7 | 2018-03-13 17:17:38 +0100 | [diff] [blame] | 3576 | * Fix a possible arithmetic overflow in ssl_parse_server_psk_hint() that |
| 3577 | could cause a key exchange to fail on valid data. |
Gilles Peskine | 8db3efb | 2018-02-21 19:16:20 +0100 | [diff] [blame] | 3578 | * Don't define mbedtls_aes_decrypt and mbedtls_aes_encrypt under |
| 3579 | MBEDTLS_DEPRECATED_REMOVED. #1388 |
Sanne Wouda | cf79312 | 2017-09-07 16:33:44 +0100 | [diff] [blame] | 3580 | * Fix a 1-byte heap buffer overflow (read-only) during private key parsing. |
| 3581 | Found through fuzz testing. |
Gilles Peskine | 27b0754 | 2018-02-14 14:07:48 +0100 | [diff] [blame] | 3582 | |
| 3583 | Changes |
| 3584 | * Fix tag lengths and value ranges in the documentation of CCM encryption. |
| 3585 | Contributed by Mathieu Briand. |
Gilles Peskine | 5daa765 | 2018-02-14 14:10:24 +0100 | [diff] [blame] | 3586 | * Fix typo in a comment ctr_drbg.c. Contributed by Paul Sokolovsky. |
Gilles Peskine | df29868 | 2018-02-14 15:49:54 +0100 | [diff] [blame] | 3587 | * Remove support for the library reference configuration for picocoin. |
Gilles Peskine | bb2565c | 2018-02-21 17:59:40 +0100 | [diff] [blame] | 3588 | * MD functions deprecated in 2.7.0 are no longer inline, to provide |
| 3589 | a migration path for those depending on the library's ABI. |
Gilles Peskine | 9c4f403 | 2017-05-29 14:46:36 +0200 | [diff] [blame] | 3590 | * Clarify the documentation of mbedtls_ssl_setup. |
Gilles Peskine | 6dc4a31 | 2018-03-13 00:13:06 +0100 | [diff] [blame] | 3591 | * Use (void) when defining functions with no parameters. Contributed by |
| 3592 | Joris Aerts. #678 |
Gilles Peskine | 27b0754 | 2018-02-14 14:07:48 +0100 | [diff] [blame] | 3593 | |
Simon Butcher | 55fc4e0 | 2018-02-05 01:09:13 +0000 | [diff] [blame] | 3594 | = mbed TLS 2.7.0 branch released 2018-02-03 |
Andres Amaya Garcia | 06fc665 | 2017-06-26 15:19:26 +0100 | [diff] [blame] | 3595 | |
Gilles Peskine | 28a0c72 | 2017-10-17 19:01:38 +0200 | [diff] [blame] | 3596 | Security |
Simon Butcher | 55fc4e0 | 2018-02-05 01:09:13 +0000 | [diff] [blame] | 3597 | * Fix a heap corruption issue in the implementation of the truncated HMAC |
| 3598 | extension. When the truncated HMAC extension is enabled and CBC is used, |
| 3599 | sending a malicious application packet could be used to selectively corrupt |
| 3600 | 6 bytes on the peer's heap, which could potentially lead to crash or remote |
| 3601 | code execution. The issue could be triggered remotely from either side in |
| 3602 | both TLS and DTLS. CVE-2018-0488 |
| 3603 | * Fix a buffer overflow in RSA-PSS verification when the hash was too large |
| 3604 | for the key size, which could potentially lead to crash or remote code |
| 3605 | execution. Found by Seth Terashima, Qualcomm Product Security Initiative, |
| 3606 | Qualcomm Technologies Inc. CVE-2018-0487 |
| 3607 | * Fix buffer overflow in RSA-PSS verification when the unmasked data is all |
| 3608 | zeros. |
| 3609 | * Fix an unsafe bounds check in ssl_parse_client_psk_identity() when adding |
| 3610 | 64 KiB to the address of the SSL buffer and causing a wrap around. |
| 3611 | * Fix a potential heap buffer overflow in mbedtls_ssl_write(). When the (by |
Hanno Becker | 930025d | 2017-09-18 16:07:19 +0100 | [diff] [blame] | 3612 | default enabled) maximum fragment length extension is disabled in the |
| 3613 | config and the application data buffer passed to mbedtls_ssl_write |
| 3614 | is larger than the internal message buffer (16384 bytes by default), the |
| 3615 | latter overflows. The exploitability of this issue depends on whether the |
| 3616 | application layer can be forced into sending such large packets. The issue |
| 3617 | was independently reported by Tim Nordell via e-mail and by Florin Petriuc |
Simon Butcher | 55fc4e0 | 2018-02-05 01:09:13 +0000 | [diff] [blame] | 3618 | and sjorsdewit on GitHub. Fix proposed by Florin Petriuc in #1022. |
| 3619 | Fixes #707. |
| 3620 | * Add a provision to prevent compiler optimizations breaking the time |
| 3621 | constancy of mbedtls_ssl_safer_memcmp(). |
Andres Amaya Garcia | 364051f | 2017-07-05 15:40:17 +0100 | [diff] [blame] | 3622 | * Ensure that buffers are cleared after use if they contain sensitive data. |
Andres Amaya Garcia | d48ba2b | 2017-07-06 17:17:43 +0100 | [diff] [blame] | 3623 | Changes were introduced in multiple places in the library. |
Ron Eldor | 31162e4 | 2017-09-05 15:34:35 +0300 | [diff] [blame] | 3624 | * Set PEM buffer to zero before freeing it, to avoid decoded private keys |
| 3625 | being leaked to memory after release. |
Janos Follath | b174c84 | 2017-09-20 16:26:04 +0100 | [diff] [blame] | 3626 | * Fix dhm_check_range() failing to detect trivial subgroups and potentially |
| 3627 | leaking 1 bit of the private key. Reported by prashantkspatil. |
Simon Butcher | 55fc4e0 | 2018-02-05 01:09:13 +0000 | [diff] [blame] | 3628 | * Make mbedtls_mpi_read_binary() constant-time with respect to the input |
| 3629 | data. Previously, trailing zero bytes were detected and omitted for the |
| 3630 | sake of saving memory, but potentially leading to slight timing |
| 3631 | differences. Reported by Marco Macchetti, Kudelski Group. |
Hanno Becker | 509fef7 | 2017-10-19 10:10:18 +0100 | [diff] [blame] | 3632 | * Wipe stack buffer temporarily holding EC private exponent |
| 3633 | after keypair generation. |
Simon Butcher | 55fc4e0 | 2018-02-05 01:09:13 +0000 | [diff] [blame] | 3634 | * Fix a potential heap buffer over-read in ALPN extension parsing |
Manuel Pégourié-Gonnard | 239987f | 2018-01-09 10:43:43 +0100 | [diff] [blame] | 3635 | (server-side). Could result in application crash, but only if an ALPN |
| 3636 | name larger than 16 bytes had been configured on the server. |
Hanno Becker | 0cd5b94 | 2017-10-13 17:17:28 +0100 | [diff] [blame] | 3637 | * Change default choice of DHE parameters from untrustworthy RFC 5114 |
| 3638 | to RFC 3526 containing parameters generated in a nothing-up-my-sleeve |
| 3639 | manner. |
Gilles Peskine | 28a0c72 | 2017-10-17 19:01:38 +0200 | [diff] [blame] | 3640 | |
Gilles Peskine | b04e2c3 | 2017-09-29 15:45:12 +0200 | [diff] [blame] | 3641 | Features |
| 3642 | * Allow comments in test data files. |
Gilles Peskine | c82fbb4 | 2017-12-15 15:01:27 +0100 | [diff] [blame] | 3643 | * The selftest program can execute a subset of the tests based on command |
| 3644 | line arguments. |
Gilles Peskine | 8873bcc | 2017-10-27 18:42:32 +0200 | [diff] [blame] | 3645 | * New unit tests for timing. Improve the self-test to be more robust |
| 3646 | when run on a heavily-loaded machine. |
Gilles Peskine | 618d091 | 2018-01-02 16:04:19 +0100 | [diff] [blame] | 3647 | * Add alternative implementation support for CCM and CMAC (MBEDTLS_CCM_ALT, |
Jaeden Amero | 91d49e8 | 2018-01-11 16:35:44 +0000 | [diff] [blame] | 3648 | MBEDTLS_CMAC_ALT). Submitted by Steven Cooreman, Silicon Labs. |
Jaeden Amero | 1526330 | 2017-09-21 12:53:48 +0100 | [diff] [blame] | 3649 | * Add support for alternative implementations of GCM, selected by the |
Gilles Peskine | 8e09d8f | 2018-01-02 16:09:42 +0100 | [diff] [blame] | 3650 | configuration flag MBEDTLS_GCM_ALT. |
Ron Eldor | 314adb6 | 2017-10-10 18:28:25 +0300 | [diff] [blame] | 3651 | * Add support for alternative implementations for ECDSA, controlled by new |
| 3652 | configuration flags MBEDTLS_ECDSA_SIGN_ALT, MBEDTLS_ECDSA_VERIFY_ALT and |
| 3653 | MBEDTLS_ECDSDA_GENKEY_AT in config.h. |
Ron Eldor | 2981a0a | 2017-09-24 15:41:09 +0300 | [diff] [blame] | 3654 | The following functions from the ECDSA module can be replaced |
Ron Eldor | 314adb6 | 2017-10-10 18:28:25 +0300 | [diff] [blame] | 3655 | with alternative implementation: |
Ron Eldor | 2981a0a | 2017-09-24 15:41:09 +0300 | [diff] [blame] | 3656 | mbedtls_ecdsa_sign(), mbedtls_ecdsa_verify() and mbedtls_ecdsa_genkey(). |
Hanno Becker | 087d5ad | 2018-01-24 16:06:25 +0000 | [diff] [blame] | 3657 | * Add support for alternative implementation of ECDH, controlled by the |
| 3658 | new configuration flags MBEDTLS_ECDH_COMPUTE_SHARED_ALT and |
Ron Eldor | a84c1cb | 2017-10-10 19:04:27 +0300 | [diff] [blame] | 3659 | MBEDTLS_ECDH_GEN_PUBLIC_ALT in config.h. |
Ron Eldor | 8b76621 | 2017-09-24 15:44:56 +0300 | [diff] [blame] | 3660 | The following functions from the ECDH module can be replaced |
| 3661 | with an alternative implementation: |
| 3662 | mbedtls_ecdh_gen_public() and mbedtls_ecdh_compute_shared(). |
Hanno Becker | 087d5ad | 2018-01-24 16:06:25 +0000 | [diff] [blame] | 3663 | * Add support for alternative implementation of ECJPAKE, controlled by |
| 3664 | the new configuration flag MBEDTLS_ECJPAKE_ALT. |
Simon Butcher | 55fc4e0 | 2018-02-05 01:09:13 +0000 | [diff] [blame] | 3665 | * Add mechanism to provide alternative implementation of the DHM module. |
Gilles Peskine | 26182ed | 2017-09-29 15:45:12 +0200 | [diff] [blame] | 3666 | |
Hanno Becker | a47023e | 2017-12-22 17:08:03 +0000 | [diff] [blame] | 3667 | API Changes |
| 3668 | * Extend RSA interface by multiple functions allowing structure- |
| 3669 | independent setup and export of RSA contexts. Most notably, |
Simon Butcher | 55fc4e0 | 2018-02-05 01:09:13 +0000 | [diff] [blame] | 3670 | mbedtls_rsa_import() and mbedtls_rsa_complete() are introduced for setting |
Hanno Becker | a47023e | 2017-12-22 17:08:03 +0000 | [diff] [blame] | 3671 | up RSA contexts from partial key material and having them completed to the |
| 3672 | needs of the implementation automatically. This allows to setup private RSA |
| 3673 | contexts from keys consisting of N,D,E only, even if P,Q are needed for the |
| 3674 | purpose or CRT and/or blinding. |
| 3675 | * The configuration option MBEDTLS_RSA_ALT can be used to define alternative |
| 3676 | implementations of the RSA interface declared in rsa.h. |
Gilles Peskine | 0a96910 | 2018-01-22 14:55:20 +0100 | [diff] [blame] | 3677 | * The following functions in the message digest modules (MD2, MD4, MD5, |
| 3678 | SHA1, SHA256, SHA512) have been deprecated and replaced as shown below. |
| 3679 | The new functions change the return type from void to int to allow |
| 3680 | returning error codes when using MBEDTLS_<MODULE>_ALT. |
| 3681 | mbedtls_<MODULE>_starts() -> mbedtls_<MODULE>_starts_ret() |
| 3682 | mbedtls_<MODULE>_update() -> mbedtls_<MODULE>_update_ret() |
| 3683 | mbedtls_<MODULE>_finish() -> mbedtls_<MODULE>_finish_ret() |
Andres Amaya Garcia | f01a644 | 2017-07-03 16:00:59 +0100 | [diff] [blame] | 3684 | mbedtls_<MODULE>_process() -> mbedtls_internal_<MODULE>_process() |
Gilles Peskine | b04e2c3 | 2017-09-29 15:45:12 +0200 | [diff] [blame] | 3685 | |
Ron Eldor | 73a3817 | 2017-10-03 15:58:26 +0300 | [diff] [blame] | 3686 | New deprecations |
| 3687 | * Deprecate usage of RSA primitives with non-matching key-type |
Simon Butcher | 55fc4e0 | 2018-02-05 01:09:13 +0000 | [diff] [blame] | 3688 | (e.g. signing with a public key). |
Andres Amaya Garcia | f569f70 | 2017-06-28 09:25:10 +0100 | [diff] [blame] | 3689 | * Direct manipulation of structure fields of RSA contexts is deprecated. |
| 3690 | Users are advised to use the extended RSA API instead. |
Jaeden Amero | 005239e | 2018-01-25 14:47:39 +0000 | [diff] [blame] | 3691 | * Deprecate usage of message digest functions that return void |
| 3692 | (mbedtls_<MODULE>_starts, mbedtls_<MODULE>_update, |
| 3693 | mbedtls_<MODULE>_finish and mbedtls_<MODULE>_process where <MODULE> is |
| 3694 | any of MD2, MD4, MD5, SHA1, SHA256, SHA512) in favor of functions |
| 3695 | that can return an error code. |
Hanno Becker | 0cd5b94 | 2017-10-13 17:17:28 +0100 | [diff] [blame] | 3696 | * Deprecate untrustworthy DHE parameters from RFC 5114. Superseded by |
| 3697 | parameters from RFC 3526 or the newly added parameters from RFC 7919. |
| 3698 | * Deprecate hex string DHE constants MBEDTLS_DHM_RFC3526_MODP_2048_P etc. |
| 3699 | Supserseded by binary encoded constants MBEDTLS_DHM_RFC3526_MODP_2048_P_BIN |
| 3700 | etc. |
Simon Butcher | 55fc4e0 | 2018-02-05 01:09:13 +0000 | [diff] [blame] | 3701 | * Deprecate mbedtls_ssl_conf_dh_param() for setting default DHE parameters |
| 3702 | from hex strings. Superseded by mbedtls_ssl_conf_dh_param_bin() |
Hanno Becker | 0cd5b94 | 2017-10-13 17:17:28 +0100 | [diff] [blame] | 3703 | accepting DHM parameters in binary form, matching the new constants. |
Andres Amaya Garcia | 06fc665 | 2017-06-26 15:19:26 +0100 | [diff] [blame] | 3704 | |
Andres Amaya Garcia | 06fc665 | 2017-06-26 15:19:26 +0100 | [diff] [blame] | 3705 | Bugfix |
| 3706 | * Fix ssl_parse_record_header() to silently discard invalid DTLS records |
| 3707 | as recommended in RFC 6347 Section 4.1.2.7. |
Simon Butcher | 2c4f946 | 2017-09-30 23:39:46 +0100 | [diff] [blame] | 3708 | * Fix memory leak in mbedtls_ssl_set_hostname() when called multiple times. |
Simon Butcher | b03120a | 2018-04-30 16:40:25 +0100 | [diff] [blame] | 3709 | Found by projectgus and Jethro Beekman, #836. |
Simon Butcher | 16373a5 | 2017-10-02 19:12:54 +0100 | [diff] [blame] | 3710 | * Fix usage help in ssl_server2 example. Found and fixed by Bei Lin. |
Ron Eldor | 73a3817 | 2017-10-03 15:58:26 +0300 | [diff] [blame] | 3711 | * Parse signature algorithm extension when renegotiating. Previously, |
| 3712 | renegotiated handshakes would only accept signatures using SHA-1 |
| 3713 | regardless of the peer's preferences, or fail if SHA-1 was disabled. |
Andres Amaya Garcia | 735b37e | 2016-11-21 15:38:02 +0000 | [diff] [blame] | 3714 | * Fix leap year calculation in x509_date_is_valid() to ensure that invalid |
| 3715 | dates on leap years with 100 and 400 intervals are handled correctly. Found |
| 3716 | by Nicholas Wilson. #694 |
Gilles Peskine | 91048a3 | 2017-10-19 17:46:14 +0200 | [diff] [blame] | 3717 | * Fix some invalid RSA-PSS signatures with keys of size 8N+1 that were |
| 3718 | accepted. Generating these signatures required the private key. |
Gilles Peskine | e770722 | 2017-11-24 15:35:50 +0100 | [diff] [blame] | 3719 | * Fix out-of-memory problem when parsing 4096-bit PKCS8-encrypted RSA keys. |
| 3720 | Found independently by Florian in the mbed TLS forum and by Mishamax. |
| 3721 | #878, #1019. |
Andres Amaya Garcia | 79ae065 | 2017-06-27 16:17:54 +0100 | [diff] [blame] | 3722 | * Fix variable used before assignment compilation warnings with IAR |
| 3723 | toolchain. Found by gkerrien38. |
Andres AG | 51a7ae1 | 2017-02-22 16:23:26 +0000 | [diff] [blame] | 3724 | * Fix unchecked return codes from AES, DES and 3DES functions in |
| 3725 | pem_aes_decrypt(), pem_des_decrypt() and pem_des3_decrypt() respectively. |
| 3726 | If a call to one of the functions of the cryptographic primitive modules |
| 3727 | failed, the error may not be noticed by the function |
| 3728 | mbedtls_pem_read_buffer() causing it to return invalid values. Found by |
| 3729 | Guido Vranken. #756 |
Gilles Peskine | 4b117d9 | 2017-11-28 17:23:37 +0100 | [diff] [blame] | 3730 | * Include configuration file in md.h, to fix compilation warnings. |
| 3731 | Reported by aaronmdjones in #1001 |
Hanno Becker | 041a6b0 | 2017-09-28 14:52:26 +0100 | [diff] [blame] | 3732 | * Correct extraction of signature-type from PK instance in X.509 CRT and CSR |
| 3733 | writing routines that prevented these functions to work with alternative |
| 3734 | RSA implementations. Raised by J.B. in the Mbed TLS forum. Fixes #1011. |
Hanno Becker | 86e5230 | 2017-10-05 09:08:53 +0100 | [diff] [blame] | 3735 | * Don't print X.509 version tag for v1 CRT's, and omit extensions for |
| 3736 | non-v3 CRT's. |
Gilles Peskine | d742b74 | 2017-11-28 17:40:56 +0100 | [diff] [blame] | 3737 | * Fix bugs in RSA test suite under MBEDTLS_NO_PLATFORM_ENTROPY. #1023 #1024 |
Simon Butcher | 55fc4e0 | 2018-02-05 01:09:13 +0000 | [diff] [blame] | 3738 | * Fix net_would_block() to avoid modification by errno through fcntl() call. |
Hanno Becker | a6ed9c5 | 2017-05-04 13:39:22 +0100 | [diff] [blame] | 3739 | Found by nkolban. Fixes #845. |
Simon Butcher | 55fc4e0 | 2018-02-05 01:09:13 +0000 | [diff] [blame] | 3740 | * Fix handling of handshake messages in mbedtls_ssl_read() in case |
Hanno Becker | 479e8e2 | 2017-10-12 15:39:45 +0100 | [diff] [blame] | 3741 | MBEDTLS_SSL_RENEGOTIATION is disabled. Found by erja-gp. |
Simon Butcher | 55fc4e0 | 2018-02-05 01:09:13 +0000 | [diff] [blame] | 3742 | * Add a check for invalid private parameters in mbedtls_ecdsa_sign(). |
Darryl Green | 36ba8b6 | 2017-11-21 09:55:33 +0000 | [diff] [blame] | 3743 | Reported by Yolan Romailler. |
Gilles Peskine | ff01e00 | 2017-12-01 23:42:17 +0100 | [diff] [blame] | 3744 | * Fix word size check in in pk.c to not depend on MBEDTLS_HAVE_INT64. |
Gilles Peskine | d629411 | 2017-12-01 23:46:58 +0100 | [diff] [blame] | 3745 | * Fix incorrect unit in benchmark output. #850 |
Hanno Becker | 81e96dd | 2017-09-18 11:07:25 +0100 | [diff] [blame] | 3746 | * Add size-checks for record and handshake message content, securing |
| 3747 | fragile yet non-exploitable code-paths. |
Ron Eldor | e1a9a4a | 2017-10-17 18:15:41 +0300 | [diff] [blame] | 3748 | * Fix crash when calling mbedtls_ssl_cache_free() twice. Found by |
| 3749 | MilenkoMitrovic, #1104 |
Manuel Pégourié-Gonnard | 5405962 | 2018-01-29 10:16:30 +0100 | [diff] [blame] | 3750 | * Fix mbedtls_timing_alarm(0) on Unix and MinGW. |
Simon Butcher | 55fc4e0 | 2018-02-05 01:09:13 +0000 | [diff] [blame] | 3751 | * Fix use of uninitialized memory in mbedtls_timing_get_timer() when reset=1. |
Gilles Peskine | ec9c626 | 2018-01-02 16:27:50 +0100 | [diff] [blame] | 3752 | * Fix possible memory leaks in mbedtls_gcm_self_test(). |
| 3753 | * Added missing return code checks in mbedtls_aes_self_test(). |
Hanno Becker | 997e218 | 2018-01-10 10:39:20 +0000 | [diff] [blame] | 3754 | * Fix issues in RSA key generation program programs/x509/rsa_genkey and the |
| 3755 | RSA test suite where the failure of CTR DRBG initialization lead to |
| 3756 | freeing an RSA context and several MPI's without proper initialization |
| 3757 | beforehand. |
Gilles Peskine | 980d203 | 2018-01-22 23:10:53 +0100 | [diff] [blame] | 3758 | * Fix error message in programs/pkey/gen_key.c. Found and fixed by Chris Xue. |
Gilles Peskine | cb1e5eb | 2018-01-23 00:57:34 +0100 | [diff] [blame] | 3759 | * Fix programs/pkey/dh_server.c so that it actually works with dh_client.c. |
| 3760 | Found and fixed by Martijn de Milliano. |
Simon Butcher | 55fc4e0 | 2018-02-05 01:09:13 +0000 | [diff] [blame] | 3761 | * Fix an issue in the cipher decryption with the mode |
| 3762 | MBEDTLS_PADDING_ONE_AND_ZEROS that sometimes accepted invalid padding. |
| 3763 | Note, this padding mode is not used by the TLS protocol. Found and fixed by |
| 3764 | Micha Kraus. |
Gilles Peskine | d91f2a2 | 2018-01-19 11:25:10 +0100 | [diff] [blame] | 3765 | * Fix the entropy.c module to not call mbedtls_sha256_starts() or |
| 3766 | mbedtls_sha512_starts() in the mbedtls_entropy_init() function. |
| 3767 | * Fix the entropy.c module to ensure that mbedtls_sha256_init() or |
| 3768 | mbedtls_sha512_init() is called before operating on the relevant context |
Gilles Peskine | 0a96910 | 2018-01-22 14:55:20 +0100 | [diff] [blame] | 3769 | structure. Do not assume that zeroizing a context is a correct way to |
| 3770 | reset it. Found independently by ccli8 on Github. |
| 3771 | * In mbedtls_entropy_free(), properly free the message digest context. |
Simon Butcher | 55fc4e0 | 2018-02-05 01:09:13 +0000 | [diff] [blame] | 3772 | * Fix status handshake status message in programs/ssl/dtls_client.c. Found |
| 3773 | and fixed by muddog. |
Hanno Becker | 86e5230 | 2017-10-05 09:08:53 +0100 | [diff] [blame] | 3774 | |
| 3775 | Changes |
Simon Butcher | 55fc4e0 | 2018-02-05 01:09:13 +0000 | [diff] [blame] | 3776 | * Extend cert_write example program by options to set the certificate version |
Hanno Becker | 86e5230 | 2017-10-05 09:08:53 +0100 | [diff] [blame] | 3777 | and the message digest. Further, allow enabling/disabling of authority |
| 3778 | identifier, subject identifier and basic constraints extensions. |
Hanno Becker | 32297e8 | 2017-12-22 10:24:32 +0000 | [diff] [blame] | 3779 | * Only check for necessary RSA structure fields in `mbedtls_rsa_private`. In |
| 3780 | particular, don't require P,Q if neither CRT nor blinding are |
| 3781 | used. Reported and fix proposed independently by satur9nine and sliai |
| 3782 | on GitHub. |
Gilles Peskine | ec9c626 | 2018-01-02 16:27:50 +0100 | [diff] [blame] | 3783 | * Only run AES-192 self-test if AES-192 is available. Fixes #963. |
Gilles Peskine | 5098400 | 2018-01-17 08:01:37 +0100 | [diff] [blame] | 3784 | * Tighten the RSA PKCS#1 v1.5 signature verification code and remove the |
| 3785 | undeclared dependency of the RSA module on the ASN.1 module. |
Gilles Peskine | 0a96910 | 2018-01-22 14:55:20 +0100 | [diff] [blame] | 3786 | * Update all internal usage of deprecated message digest functions to the |
| 3787 | new ones with return codes. In particular, this modifies the |
| 3788 | mbedtls_md_info_t structure. Propagate errors from these functions |
| 3789 | everywhere except some locations in the ssl_tls.c module. |
Jaeden Amero | 791e08a | 2018-01-26 12:04:12 +0000 | [diff] [blame] | 3790 | * Improve CTR_DRBG error handling by propagating underlying AES errors. |
Gilles Peskine | 7ecab3d | 2018-01-26 17:56:38 +0100 | [diff] [blame] | 3791 | * Add MBEDTLS_ERR_XXX_HW_ACCEL_FAILED error codes for all cryptography |
| 3792 | modules where the software implementation can be replaced by a hardware |
| 3793 | implementation. |
Hanno Becker | 2a03794 | 2017-10-06 12:29:50 +0100 | [diff] [blame] | 3794 | * Add explicit warnings for the use of MD2, MD4, MD5, SHA-1, DES and ARC4 |
| 3795 | throughout the library. |
Andres Amaya Garcia | 06fc665 | 2017-06-26 15:19:26 +0100 | [diff] [blame] | 3796 | |
Simon Butcher | 72ea31b | 2017-08-10 11:51:16 +0100 | [diff] [blame] | 3797 | = mbed TLS 2.6.0 branch released 2017-08-10 |
Ron Eldor | d5a75f4 | 2016-12-16 16:15:56 +0200 | [diff] [blame] | 3798 | |
Simon Butcher | b060cc2 | 2017-07-28 01:04:34 +0100 | [diff] [blame] | 3799 | Security |
Simon Butcher | 01971d0 | 2017-08-10 10:48:01 +0100 | [diff] [blame] | 3800 | * Fix authentication bypass in SSL/TLS: when authmode is set to optional, |
Simon Butcher | f85c90a | 2017-07-27 15:11:52 +0100 | [diff] [blame] | 3801 | mbedtls_ssl_get_verify_result() would incorrectly return 0 when the peer's |
| 3802 | X.509 certificate chain had more than MBEDTLS_X509_MAX_INTERMEDIATE_CA |
Simon Butcher | 01971d0 | 2017-08-10 10:48:01 +0100 | [diff] [blame] | 3803 | (default: 8) intermediates, even when it was not trusted. This could be |
| 3804 | triggered remotely from either side. (With authmode set to 'required' |
Simon Butcher | 3f2557e | 2017-08-01 18:06:12 +0100 | [diff] [blame] | 3805 | (the default), the handshake was correctly aborted). |
| 3806 | * Reliably wipe sensitive data after use in the AES example applications |
Hanno Becker | 7ec83df | 2017-06-27 08:26:53 +0100 | [diff] [blame] | 3807 | programs/aes/aescrypt2 and programs/aes/crypt_and_hash. |
| 3808 | Found by Laurent Simon. |
Simon Butcher | f85c90a | 2017-07-27 15:11:52 +0100 | [diff] [blame] | 3809 | |
Andres Amaya Garcia | 2187e03 | 2017-07-07 13:19:13 +0100 | [diff] [blame] | 3810 | Features |
| 3811 | * Add the functions mbedtls_platform_setup() and mbedtls_platform_teardown() |
Andres Amaya Garcia | 24f3641 | 2017-07-12 11:27:05 +0100 | [diff] [blame] | 3812 | and the context struct mbedtls_platform_context to perform |
| 3813 | platform-specific setup and teardown operations. The macro |
Andres Amaya Garcia | 5478bc7 | 2017-07-18 10:24:26 +0100 | [diff] [blame] | 3814 | MBEDTLS_PLATFORM_SETUP_TEARDOWN_ALT allows the functions to be overridden |
Simon Butcher | 3f2557e | 2017-08-01 18:06:12 +0100 | [diff] [blame] | 3815 | by the user in a platform_alt.h file. These new functions are required in |
Simon Butcher | 01971d0 | 2017-08-10 10:48:01 +0100 | [diff] [blame] | 3816 | some embedded environments to provide a means of initialising underlying |
| 3817 | cryptographic acceleration hardware. |
Andres Amaya Garcia | 2187e03 | 2017-07-07 13:19:13 +0100 | [diff] [blame] | 3818 | |
Simon Butcher | ab67043 | 2017-07-20 12:33:41 +0200 | [diff] [blame] | 3819 | API Changes |
| 3820 | * Reverted API/ABI breaking changes introduced in mbed TLS 2.5.1, to make the |
| 3821 | API consistent with mbed TLS 2.5.0. Specifically removed the inline |
| 3822 | qualifier from the functions mbedtls_aes_decrypt, mbedtls_aes_encrypt, |
Simon Butcher | 3f2557e | 2017-08-01 18:06:12 +0100 | [diff] [blame] | 3823 | mbedtls_ssl_ciphersuite_uses_ec and mbedtls_ssl_ciphersuite_uses_psk. Found |
| 3824 | by James Cowgill. #978 |
Simon Butcher | f85c90a | 2017-07-27 15:11:52 +0100 | [diff] [blame] | 3825 | * Certificate verification functions now set flags to -1 in case the full |
| 3826 | chain was not verified due to an internal error (including in the verify |
| 3827 | callback) or chain length limitations. |
Simon Butcher | 01971d0 | 2017-08-10 10:48:01 +0100 | [diff] [blame] | 3828 | * With authmode set to optional, the TLS handshake is now aborted if the |
Simon Butcher | f85c90a | 2017-07-27 15:11:52 +0100 | [diff] [blame] | 3829 | verification of the peer's certificate failed due to an overlong chain or |
Simon Butcher | 01971d0 | 2017-08-10 10:48:01 +0100 | [diff] [blame] | 3830 | a fatal error in the verify callback. |
Simon Butcher | ab67043 | 2017-07-20 12:33:41 +0200 | [diff] [blame] | 3831 | |
Ron Eldor | e2efaea | 2016-12-16 16:15:56 +0200 | [diff] [blame] | 3832 | Bugfix |
Simon Butcher | 01971d0 | 2017-08-10 10:48:01 +0100 | [diff] [blame] | 3833 | * Add a check if iv_len is zero in GCM, and return an error if it is zero. |
| 3834 | Reported by roberto. #716 |
| 3835 | * Replace preprocessor condition from #if defined(MBEDTLS_THREADING_PTHREAD) |
Ron Eldor | 6314068 | 2017-01-09 19:27:59 +0200 | [diff] [blame] | 3836 | to #if defined(MBEDTLS_THREADING_C) as the library cannot assume they will |
Simon Butcher | 3f2557e | 2017-08-01 18:06:12 +0100 | [diff] [blame] | 3837 | always be implemented by pthread support. #696 |
Simon Butcher | 01971d0 | 2017-08-10 10:48:01 +0100 | [diff] [blame] | 3838 | * Fix a resource leak on Windows platforms in mbedtls_x509_crt_parse_path(), |
| 3839 | in the case of an error. Found by redplait. #590 |
Ron Eldor | ca6ff58 | 2017-01-12 14:50:50 +0200 | [diff] [blame] | 3840 | * Add MBEDTLS_MPI_CHK to check for error value of mbedtls_mpi_fill_random. |
Simon Butcher | 3f2557e | 2017-08-01 18:06:12 +0100 | [diff] [blame] | 3841 | Reported and fix suggested by guidovranken. #740 |
Andres Amaya Garcia | b820bf8 | 2017-05-04 11:05:55 +0100 | [diff] [blame] | 3842 | * Fix conditional preprocessor directives in bignum.h to enable 64-bit |
| 3843 | compilation when using ARM Compiler 6. |
Simon Butcher | 5deb518 | 2017-07-26 17:25:55 +0100 | [diff] [blame] | 3844 | * Fix a potential integer overflow in the version verification for DER |
Simon Butcher | 3f2557e | 2017-08-01 18:06:12 +0100 | [diff] [blame] | 3845 | encoded X.509 CRLs. The overflow could enable maliciously constructed CRLs |
Simon Butcher | 5deb518 | 2017-07-26 17:25:55 +0100 | [diff] [blame] | 3846 | to bypass the version verification check. Found by Peng Li/Yueh-Hsun Lin, |
| 3847 | KNOX Security, Samsung Research America |
Andres AG | 2e65a54 | 2017-02-17 13:54:43 +0000 | [diff] [blame] | 3848 | * Fix potential integer overflow in the version verification for DER |
Simon Butcher | 3f2557e | 2017-08-01 18:06:12 +0100 | [diff] [blame] | 3849 | encoded X.509 CSRs. The overflow could enable maliciously constructed CSRs |
Andres AG | 2e65a54 | 2017-02-17 13:54:43 +0000 | [diff] [blame] | 3850 | to bypass the version verification check. Found by Peng Li/Yueh-Hsun Lin, |
| 3851 | KNOX Security, Samsung Research America |
Simon Butcher | 5deb518 | 2017-07-26 17:25:55 +0100 | [diff] [blame] | 3852 | * Fix a potential integer overflow in the version verification for DER |
Simon Butcher | 3f2557e | 2017-08-01 18:06:12 +0100 | [diff] [blame] | 3853 | encoded X.509 certificates. The overflow could enable maliciously |
Simon Butcher | 5deb518 | 2017-07-26 17:25:55 +0100 | [diff] [blame] | 3854 | constructed certificates to bypass the certificate verification check. |
Simon Butcher | a418e82 | 2017-07-28 23:52:10 +0100 | [diff] [blame] | 3855 | * Fix a call to the libc function time() to call the platform abstraction |
Simon Butcher | 3f2557e | 2017-08-01 18:06:12 +0100 | [diff] [blame] | 3856 | function mbedtls_time() instead. Found by wairua. #666 |
| 3857 | * Avoid shadowing of time and index functions through mbed TLS function |
| 3858 | arguments. Found by inestlerode. #557. |
Manuel Pégourié-Gonnard | d15795a | 2017-06-22 12:19:27 +0200 | [diff] [blame] | 3859 | |
Janos Follath | 78b1473 | 2017-06-22 10:02:07 +0100 | [diff] [blame] | 3860 | Changes |
Janos Follath | b85291c | 2017-06-22 10:02:07 +0100 | [diff] [blame] | 3861 | * Added config.h option MBEDTLS_NO_UDBL_DIVISION, to prevent the use of |
Simon Butcher | 3f2557e | 2017-08-01 18:06:12 +0100 | [diff] [blame] | 3862 | 64-bit division. This is useful on embedded platforms where 64-bit division |
| 3863 | created a dependency on external libraries. #708 |
Janos Follath | 78b1473 | 2017-06-22 10:02:07 +0100 | [diff] [blame] | 3864 | * Removed mutexes from ECP hardware accelerator code. Now all hardware |
| 3865 | accelerator code in the library leaves concurrency handling to the |
| 3866 | platform. Reported by Steven Cooreman. #863 |
Andres Amaya Garcia | d0e15d7 | 2017-06-26 12:57:44 +0100 | [diff] [blame] | 3867 | * Define the macro MBEDTLS_AES_ROM_TABLES in the configuration file |
| 3868 | config-no-entropy.h to reduce the RAM footprint. |
Simon Butcher | 3f2557e | 2017-08-01 18:06:12 +0100 | [diff] [blame] | 3869 | * Added a test script that can be hooked into git that verifies commits |
| 3870 | before they are pushed. |
Hanno Becker | 85b602e | 2017-05-04 11:27:39 +0100 | [diff] [blame] | 3871 | * Improve documentation of PKCS1 decryption functions. |
Janos Follath | 78b1473 | 2017-06-22 10:02:07 +0100 | [diff] [blame] | 3872 | |
Simon Butcher | f2a597f | 2017-06-20 23:08:10 +0100 | [diff] [blame] | 3873 | = mbed TLS 2.5.1 released 2017-06-21 |
Hanno Becker | eccf60c | 2017-06-05 15:19:01 +0100 | [diff] [blame] | 3874 | |
Gilles Peskine | 5e79cb3 | 2017-05-04 16:17:21 +0200 | [diff] [blame] | 3875 | Security |
Hanno Becker | bf4c2e3 | 2017-06-09 11:28:45 +0100 | [diff] [blame] | 3876 | * Fixed unlimited overread of heap-based buffer in mbedtls_ssl_read(). |
| 3877 | The issue could only happen client-side with renegotiation enabled. |
| 3878 | Could result in DoS (application crash) or information leak |
| 3879 | (if the application layer sent data read from mbedtls_ssl_read() |
| 3880 | back to the server or to a third party). Can be triggered remotely. |
Gilles Peskine | 5d2511c | 2017-05-12 13:16:40 +0200 | [diff] [blame] | 3881 | * Removed SHA-1 and RIPEMD-160 from the default hash algorithms for |
| 3882 | certificate verification. SHA-1 can be turned back on with a compile-time |
| 3883 | option if needed. |
Gilles Peskine | d50177f | 2017-05-16 17:53:03 +0200 | [diff] [blame] | 3884 | * Fixed offset in FALLBACK_SCSV parsing that caused TLS server to fail to |
| 3885 | detect it sometimes. Reported by Hugo Leisink. #810 |
Manuel Pégourié-Gonnard | c1380de | 2017-05-11 12:49:51 +0200 | [diff] [blame] | 3886 | * Tighten parsing of RSA PKCS#1 v1.5 signatures, to avoid a |
| 3887 | potential Bleichenbacher/BERserk-style attack. |
Gilles Peskine | 5e79cb3 | 2017-05-04 16:17:21 +0200 | [diff] [blame] | 3888 | |
Hanno Becker | eccf60c | 2017-06-05 15:19:01 +0100 | [diff] [blame] | 3889 | Bugfix |
Janos Follath | 5a1c0e7 | 2017-06-16 09:00:07 +0100 | [diff] [blame] | 3890 | * Remove size zero arrays from ECJPAKE test suite. Size zero arrays are not |
| 3891 | valid C and they prevented the test from compiling in Visual Studio 2015 |
| 3892 | and with GCC using the -Wpedantic compilation option. |
Hanno Becker | 7e5437a | 2017-04-28 17:15:26 +0100 | [diff] [blame] | 3893 | * Fix insufficient support for signature-hash-algorithm extension, |
| 3894 | resulting in compatibility problems with Chrome. Found by hfloyrd. #823 |
Janos Follath | 5a1c0e7 | 2017-06-16 09:00:07 +0100 | [diff] [blame] | 3895 | * Fix behaviour that hid the original cause of fatal alerts in some cases |
| 3896 | when sending the alert failed. The fix makes sure not to hide the error |
Gilles Peskine | 3df98f5 | 2017-05-10 17:47:40 +0200 | [diff] [blame] | 3897 | that triggered the alert. |
Janos Follath | 5a1c0e7 | 2017-06-16 09:00:07 +0100 | [diff] [blame] | 3898 | * Fix SSLv3 renegotiation behaviour and stop processing data received from |
| 3899 | peer after sending a fatal alert to refuse a renegotiation attempt. |
| 3900 | Previous behaviour was to keep processing data even after the alert has |
| 3901 | been sent. |
Hanno Becker | 39ae8cd | 2017-05-08 16:31:14 +0100 | [diff] [blame] | 3902 | * Accept empty trusted CA chain in authentication mode |
Simon Butcher | b03120a | 2018-04-30 16:40:25 +0100 | [diff] [blame] | 3903 | MBEDTLS_SSL_VERIFY_OPTIONAL. Found by Jethro Beekman. #864 |
Janos Follath | 5a1c0e7 | 2017-06-16 09:00:07 +0100 | [diff] [blame] | 3904 | * Fix implementation of mbedtls_ssl_parse_certificate() to not annihilate |
| 3905 | fatal errors in authentication mode MBEDTLS_SSL_VERIFY_OPTIONAL and to |
| 3906 | reflect bad EC curves within verification result. |
| 3907 | * Fix bug that caused the modular inversion function to accept the invalid |
| 3908 | modulus 1 and therefore to hang. Found by blaufish. #641. |
| 3909 | * Fix incorrect sign computation in modular exponentiation when the base is |
| 3910 | a negative MPI. Previously the result was always negative. Found by Guido |
| 3911 | Vranken. |
| 3912 | * Fix a numerical underflow leading to stack overflow in mpi_read_file() |
| 3913 | that was triggered uppon reading an empty line. Found by Guido Vranken. |
Gilles Peskine | 3df98f5 | 2017-05-10 17:47:40 +0200 | [diff] [blame] | 3914 | |
Gilles Peskine | 36091fe | 2017-05-03 16:55:03 +0200 | [diff] [blame] | 3915 | Changes |
Janos Follath | 5a1c0e7 | 2017-06-16 09:00:07 +0100 | [diff] [blame] | 3916 | * Send fatal alerts in more cases. The previous behaviour was to skip |
| 3917 | sending the fatal alert and just drop the connection. |
Janos Follath | 0a5154b | 2017-03-10 11:31:41 +0000 | [diff] [blame] | 3918 | * Clarify ECDSA documentation and improve the sample code to avoid |
Janos Follath | 5a1c0e7 | 2017-06-16 09:00:07 +0100 | [diff] [blame] | 3919 | misunderstanding and potentially dangerous use of the API. Pointed out |
Janos Follath | 0a5154b | 2017-03-10 11:31:41 +0000 | [diff] [blame] | 3920 | by Jean-Philippe Aumasson. |
Gilles Peskine | 36091fe | 2017-05-03 16:55:03 +0200 | [diff] [blame] | 3921 | |
Simon Butcher | 9f77017 | 2017-05-15 15:13:59 +0100 | [diff] [blame] | 3922 | = mbed TLS 2.5.0 branch released 2017-05-17 |
Andres Amaya Garcia | 75fdf63 | 2017-05-02 16:01:20 +0100 | [diff] [blame] | 3923 | |
Janos Follath | 45182a0 | 2017-03-23 10:41:56 +0000 | [diff] [blame] | 3924 | Security |
Gilles Peskine | 4a7f6a0 | 2017-03-23 14:37:37 +0100 | [diff] [blame] | 3925 | * Wipe stack buffers in RSA private key operations |
Janos Follath | 5a1c0e7 | 2017-06-16 09:00:07 +0100 | [diff] [blame] | 3926 | (rsa_rsaes_pkcs1_v15_decrypt(), rsa_rsaes_oaep_decrypt). Found by Laurent |
| 3927 | Simon. |
Janos Follath | 45182a0 | 2017-03-23 10:41:56 +0000 | [diff] [blame] | 3928 | * Add exponent blinding to RSA private operations as a countermeasure |
| 3929 | against side-channel attacks like the cache attack described in |
| 3930 | https://arxiv.org/abs/1702.08719v2. |
| 3931 | Found and fix proposed by Michael Schwarz, Samuel Weiser, Daniel Gruss, |
| 3932 | Clémentine Maurice and Stefan Mangard. |
| 3933 | |
Simon Butcher | 4775e83 | 2017-05-13 22:56:08 +0100 | [diff] [blame] | 3934 | Features |
Janos Follath | 5a1c0e7 | 2017-06-16 09:00:07 +0100 | [diff] [blame] | 3935 | * Add hardware acceleration support for the Elliptic Curve Point module. |
| 3936 | This involved exposing parts of the internal interface to enable |
| 3937 | replacing the core functions and adding and alternative, module level |
| 3938 | replacement support for enabling the extension of the interface. |
Janos Follath | 7a8a090 | 2017-04-10 16:13:06 +0100 | [diff] [blame] | 3939 | * Add a new configuration option to 'mbedtls_ssl_config' to enable |
| 3940 | suppressing the CA list in Certificate Request messages. The default |
| 3941 | behaviour has not changed, namely every configured CAs name is included. |
| 3942 | |
Andres AG | f5bf718 | 2017-03-03 14:09:56 +0000 | [diff] [blame] | 3943 | API Changes |
| 3944 | * The following functions in the AES module have been deprecated and replaced |
| 3945 | by the functions shown below. The new functions change the return type from |
| 3946 | void to int to allow returning error codes when using MBEDTLS_AES_ALT, |
| 3947 | MBEDTLS_AES_DECRYPT_ALT or MBEDTLS_AES_ENCRYPT_ALT. |
| 3948 | mbedtls_aes_decrypt() -> mbedtls_internal_aes_decrypt() |
| 3949 | mbedtls_aes_encrypt() -> mbedtls_internal_aes_encrypt() |
| 3950 | |
Andres Amaya Garcia | 75fdf63 | 2017-05-02 16:01:20 +0100 | [diff] [blame] | 3951 | Bugfix |
| 3952 | * Remove macros from compat-1.3.h that correspond to deleted items from most |
| 3953 | recent versions of the library. Found by Kyle Keen. |
Janos Follath | 5a1c0e7 | 2017-06-16 09:00:07 +0100 | [diff] [blame] | 3954 | * Fixed issue in the Threading module that prevented mutexes from |
| 3955 | initialising. Found by sznaider. #667 #843 |
| 3956 | * Add checks in the PK module for the RSA functions on 64-bit systems. |
| 3957 | The PK and RSA modules use different types for passing hash length and |
| 3958 | without these checks the type cast could lead to data loss. Found by Guido |
| 3959 | Vranken. |
Andres Amaya Garcia | 75fdf63 | 2017-05-02 16:01:20 +0100 | [diff] [blame] | 3960 | |
Simon Butcher | b65c2be | 2017-03-10 18:50:44 +0000 | [diff] [blame] | 3961 | = mbed TLS 2.4.2 branch released 2017-03-08 |
Andres AG | 703990b | 2016-10-24 11:23:36 +0100 | [diff] [blame] | 3962 | |
Janos Follath | 182013f | 2016-10-25 10:50:22 +0100 | [diff] [blame] | 3963 | Security |
Simon Butcher | b65c2be | 2017-03-10 18:50:44 +0000 | [diff] [blame] | 3964 | * Add checks to prevent signature forgeries for very large messages while |
| 3965 | using RSA through the PK module in 64-bit systems. The issue was caused by |
| 3966 | some data loss when casting a size_t to an unsigned int value in the |
| 3967 | functions rsa_verify_wrap(), rsa_sign_wrap(), rsa_alt_sign_wrap() and |
| 3968 | mbedtls_pk_sign(). Found by Jean-Philippe Aumasson. |
Andres AG | 939954c | 2016-12-08 17:08:44 +0000 | [diff] [blame] | 3969 | * Fixed potential livelock during the parsing of a CRL in PEM format in |
| 3970 | mbedtls_x509_crl_parse(). A string containing a CRL followed by trailing |
| 3971 | characters after the footer could result in the execution of an infinite |
| 3972 | loop. The issue can be triggered remotely. Found by Greg Zaverucha, |
| 3973 | Microsoft. |
Janos Follath | 182013f | 2016-10-25 10:50:22 +0100 | [diff] [blame] | 3974 | * Removed MD5 from the allowed hash algorithms for CertificateRequest and |
| 3975 | CertificateVerify messages, to prevent SLOTH attacks against TLS 1.2. |
Simon Butcher | 0621b1f | 2017-02-05 16:48:47 +0000 | [diff] [blame] | 3976 | Introduced by interoperability fix for #513. |
Janos Follath | 7dadc2f | 2017-01-27 16:05:20 +0000 | [diff] [blame] | 3977 | * Fixed a bug that caused freeing a buffer that was allocated on the stack, |
| 3978 | when verifying the validity of a key on secp224k1. This could be |
| 3979 | triggered remotely for example with a maliciously constructed certificate |
Simon Butcher | 71e9d58 | 2017-02-28 18:47:27 +0000 | [diff] [blame] | 3980 | and potentially could lead to remote code execution on some platforms. |
Simon Butcher | 8b98750 | 2017-03-07 12:37:14 +0000 | [diff] [blame] | 3981 | Reported independently by rongsaws and Aleksandar Nikolic, Cisco Talos |
| 3982 | team. #569 CVE-2017-2784 |
Janos Follath | 7dadc2f | 2017-01-27 16:05:20 +0000 | [diff] [blame] | 3983 | |
Andres AG | 703990b | 2016-10-24 11:23:36 +0100 | [diff] [blame] | 3984 | Bugfix |
Andres AG | d165066 | 2016-12-09 17:26:23 +0000 | [diff] [blame] | 3985 | * Fix output certificate verification flags set by x509_crt_verify_top() when |
| 3986 | traversing a chain of trusted CA. The issue would cause both flags, |
| 3987 | MBEDTLS_X509_BADCERT_NOT_TRUSTED and MBEDTLS_X509_BADCERT_EXPIRED, to be |
| 3988 | set when the verification conditions are not met regardless of the cause. |
| 3989 | Found by Harm Verhagen and inestlerode. #665 #561 |
Simon Butcher | d57c8f0 | 2017-02-02 13:08:37 +0000 | [diff] [blame] | 3990 | * Fix the redefinition of macro ssl_set_bio to an undefined symbol |
| 3991 | mbedtls_ssl_set_bio_timeout in compat-1.3.h, by removing it. |
| 3992 | Found by omlib-lin. #673 |
Andres AG | c0db511 | 2016-12-07 15:05:53 +0000 | [diff] [blame] | 3993 | * Fix unused variable/function compilation warnings in pem.c, x509_crt.c and |
| 3994 | x509_csr.c that are reported when building mbed TLS with a config.h that |
Simon Butcher | a333b3c | 2017-02-02 16:17:37 +0000 | [diff] [blame] | 3995 | does not define MBEDTLS_PEM_PARSE_C. Found by omnium21. #562 |
Andres AG | 2196c7f | 2016-12-15 17:01:16 +0000 | [diff] [blame] | 3996 | * Fix incorrect renegotiation condition in ssl_check_ctr_renegotiate() that |
| 3997 | would compare 64 bits of the record counter instead of 48 bits as indicated |
| 3998 | in RFC 6347 Section 4.3.1. This could cause the execution of the |
| 3999 | renegotiation routines at unexpected times when the protocol is DTLS. Found |
| 4000 | by wariua. #687 |
Andres AG | 703990b | 2016-10-24 11:23:36 +0100 | [diff] [blame] | 4001 | * Fixed multiple buffer overreads in mbedtls_pem_read_buffer() when parsing |
Andres AG | 9c94b69 | 2016-10-24 14:31:54 +0100 | [diff] [blame] | 4002 | the input string in PEM format to extract the different components. Found |
Andres AG | 703990b | 2016-10-24 11:23:36 +0100 | [diff] [blame] | 4003 | by Eyal Itkin. |
Andres Amaya Garcia | 6a54336 | 2017-01-17 23:04:22 +0000 | [diff] [blame] | 4004 | * Fixed potential arithmetic overflow in mbedtls_ctr_drbg_reseed() that could |
| 4005 | cause buffer bound checks to be bypassed. Found by Eyal Itkin. |
| 4006 | * Fixed potential arithmetic overflows in mbedtls_cipher_update() that could |
| 4007 | cause buffer bound checks to be bypassed. Found by Eyal Itkin. |
| 4008 | * Fixed potential arithmetic overflow in mbedtls_md2_update() that could |
| 4009 | cause buffer bound checks to be bypassed. Found by Eyal Itkin. |
Andres AG | 4623d83 | 2017-01-18 17:21:03 +0000 | [diff] [blame] | 4010 | * Fixed potential arithmetic overflow in mbedtls_base64_decode() that could |
| 4011 | cause buffer bound checks to be bypassed. Found by Eyal Itkin. |
Janos Follath | 87c9807 | 2017-02-03 12:36:59 +0000 | [diff] [blame] | 4012 | * Fixed heap overreads in mbedtls_x509_get_time(). Found by Peng |
| 4013 | Li/Yueh-Hsun Lin, KNOX Security, Samsung Research America. |
Andres AG | 5708dcb | 2016-12-08 17:19:21 +0000 | [diff] [blame] | 4014 | * Fix potential memory leak in mbedtls_x509_crl_parse(). The leak was caused |
| 4015 | by missing calls to mbedtls_pem_free() in cases when a |
Simon Butcher | d02dc14 | 2017-02-28 16:36:22 +0000 | [diff] [blame] | 4016 | MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT error was encountered. Found and |
| 4017 | fix proposed by Guido Vranken. #722 |
Simon Butcher | 956c58f | 2017-03-02 09:18:09 +0000 | [diff] [blame] | 4018 | * Fixed the templates used to generate project and solution files for Visual |
| 4019 | Studio 2015 as well as the files themselves, to remove a build warning |
| 4020 | generated in Visual Studio 2015. Reported by Steve Valliere. #742 |
Ron Eldor | 12e0b80 | 2017-01-29 18:51:35 +0200 | [diff] [blame] | 4021 | * Fix a resource leak in ssl_cookie, when using MBEDTLS_THREADING_C. |
| 4022 | Raised and fix suggested by Alan Gillingham in the mbed TLS forum. #771 |
Andres AG | d1cc7f6 | 2017-01-06 13:17:35 +0000 | [diff] [blame] | 4023 | * Fix 1 byte buffer overflow in mbedtls_mpi_write_string() when the MPI |
| 4024 | number to write in hexadecimal is negative and requires an odd number of |
| 4025 | digits. Found and fixed by Guido Vranken. |
Simon Butcher | 81cf88f | 2017-03-07 19:35:49 +0000 | [diff] [blame] | 4026 | * Fix unlisted DES configuration dependency in some pkparse test cases. Found |
| 4027 | by inestlerode. #555 |
Andres AG | 703990b | 2016-10-24 11:23:36 +0100 | [diff] [blame] | 4028 | |
Janos Follath | 4c006cd | 2016-12-13 14:14:03 +0000 | [diff] [blame] | 4029 | = mbed TLS 2.4.1 branch released 2016-12-13 |
Janos Follath | 5da3a6f | 2016-12-13 11:51:04 +0000 | [diff] [blame] | 4030 | |
| 4031 | Changes |
| 4032 | * Update to CMAC test data, taken from - NIST Special Publication 800-38B - |
| 4033 | Recommendation for Block Cipher Modes of Operation: The CMAC Mode for |
| 4034 | Authentication – October 2016 |
| 4035 | |
Simon Butcher | 19dbd41 | 2016-10-16 19:35:49 +0100 | [diff] [blame] | 4036 | = mbed TLS 2.4.0 branch released 2016-10-17 |
Simon Butcher | cf8c1f4 | 2016-09-02 21:29:39 +0300 | [diff] [blame] | 4037 | |
Andres AG | 60dbc93 | 2016-09-02 15:23:48 +0100 | [diff] [blame] | 4038 | Security |
Simon Butcher | ef8fa01 | 2016-10-16 00:44:08 +0100 | [diff] [blame] | 4039 | * Removed the MBEDTLS_SSL_AEAD_RANDOM_IV option, because it was not compliant |
| 4040 | with RFC-5116 and could lead to session key recovery in very long TLS |
| 4041 | sessions. "Nonce-Disrespecting Adversaries Practical Forgery Attacks on GCM in |
| 4042 | TLS" - H. Bock, A. Zauner, S. Devlin, J. Somorovsky, P. Jovanovic. |
| 4043 | https://eprint.iacr.org/2016/475.pdf |
| 4044 | * Fixed potential stack corruption in mbedtls_x509write_crt_der() and |
Andres AG | 60dbc93 | 2016-09-02 15:23:48 +0100 | [diff] [blame] | 4045 | mbedtls_x509write_csr_der() when the signature is copied to the buffer |
Andres AG | e0af995 | 2016-09-07 11:09:44 +0100 | [diff] [blame] | 4046 | without checking whether there is enough space in the destination. The |
Simon Butcher | ef8fa01 | 2016-10-16 00:44:08 +0100 | [diff] [blame] | 4047 | issue cannot be triggered remotely. Found by Jethro Beekman. |
Andres AG | 60dbc93 | 2016-09-02 15:23:48 +0100 | [diff] [blame] | 4048 | |
Simon Butcher | cf8c1f4 | 2016-09-02 21:29:39 +0300 | [diff] [blame] | 4049 | Features |
Simon Butcher | 21c5481 | 2016-10-05 14:17:37 +0100 | [diff] [blame] | 4050 | * Added support for CMAC for AES and 3DES and AES-CMAC-PRF-128, as defined by |
| 4051 | NIST SP 800-38B, RFC-4493 and RFC-4615. |
Simon Butcher | cf8c1f4 | 2016-09-02 21:29:39 +0300 | [diff] [blame] | 4052 | * Added hardware entropy selftest to verify that the hardware entropy source |
| 4053 | is functioning correctly. |
| 4054 | * Added a script to print build environment info for diagnostic use in test |
| 4055 | scripts, which is also now called by all.sh. |
Andres AG | f911319 | 2016-09-02 14:06:04 +0100 | [diff] [blame] | 4056 | * Added the macro MBEDTLS_X509_MAX_FILE_PATH_LEN that enables the user to |
| 4057 | configure the maximum length of a file path that can be buffered when |
| 4058 | calling mbedtls_x509_crt_parse_path(). |
Simon Butcher | ef8fa01 | 2016-10-16 00:44:08 +0100 | [diff] [blame] | 4059 | * Added a configuration file config-no-entropy.h that configures the subset of |
Andres AG | f84f892 | 2016-09-19 15:33:30 +0100 | [diff] [blame] | 4060 | library features that do not require an entropy source. |
Andres AG | 7abc974 | 2016-09-23 17:58:49 +0100 | [diff] [blame] | 4061 | * Added the macro MBEDTLS_ENTROPY_MIN_HARDWARE in config.h. This allows users |
| 4062 | to configure the minimum number of bytes for entropy sources using the |
| 4063 | mbedtls_hardware_poll() function. |
Simon Butcher | cf8c1f4 | 2016-09-02 21:29:39 +0300 | [diff] [blame] | 4064 | |
| 4065 | Bugfix |
| 4066 | * Fix for platform time abstraction to avoid dependency issues where a build |
| 4067 | may need time but not the standard C library abstraction, and added |
| 4068 | configuration consistency checks to check_config.h |
| 4069 | * Fix dependency issue in Makefile to allow parallel builds. |
Simon Butcher | ef8fa01 | 2016-10-16 00:44:08 +0100 | [diff] [blame] | 4070 | * Fix incorrect handling of block lengths in crypt_and_hash.c sample program, |
| 4071 | when GCM is used. Found by udf2457. #441 |
Simon Butcher | cad6e93 | 2016-09-05 01:46:59 +0300 | [diff] [blame] | 4072 | * Fix for key exchanges based on ECDH-RSA or ECDH-ECDSA which weren't |
| 4073 | enabled unless others were also present. Found by David Fernandez. #428 |
Simon Butcher | c0d76b8 | 2016-09-07 17:25:16 +0300 | [diff] [blame] | 4074 | * Fix for out-of-tree builds using CMake. Found by jwurzer, and fix based on |
| 4075 | a contribution from Tobias Tangemann. #541 |
Simon Butcher | ef8fa01 | 2016-10-16 00:44:08 +0100 | [diff] [blame] | 4076 | * Fixed cert_app.c sample program for debug output and for use when no root |
Simon Butcher | d43fb95 | 2016-09-26 20:48:56 +0100 | [diff] [blame] | 4077 | certificates are provided. |
Andres AG | 776a6fc | 2016-09-26 09:52:41 +0100 | [diff] [blame] | 4078 | * Fix conditional statement that would cause a 1 byte overread in |
Simon Butcher | 3a5e070 | 2016-10-12 16:37:59 +0100 | [diff] [blame] | 4079 | mbedtls_asn1_get_int(). Found and fixed by Guido Vranken. #599 |
Simon Butcher | 851ae29 | 2016-10-11 10:13:52 +0100 | [diff] [blame] | 4080 | * Fixed pthread implementation to avoid unintended double initialisations |
Simon Butcher | ef8fa01 | 2016-10-16 00:44:08 +0100 | [diff] [blame] | 4081 | and double frees. Found by Niklas Amnebratt. |
Simon Butcher | f77309c | 2016-10-07 15:56:07 +0100 | [diff] [blame] | 4082 | * Fixed the sample applications gen_key.c, cert_req.c and cert_write.c for |
| 4083 | builds where the configuration MBEDTLS_PEM_WRITE_C is not defined. Found |
| 4084 | by inestlerode. #559. |
Andres AG | 4bdbe09 | 2016-09-19 16:58:45 +0100 | [diff] [blame] | 4085 | * Fix mbedtls_x509_get_sig() to update the ASN1 type in the mbedtls_x509_buf |
| 4086 | data structure until after error checks are successful. Found by |
Simon Butcher | b81496b | 2016-10-13 14:03:37 +0100 | [diff] [blame] | 4087 | subramanyam-c. #622 |
Andres AG | 821da84 | 2016-09-26 10:09:30 +0100 | [diff] [blame] | 4088 | * Fix documentation and implementation missmatch for function arguments of |
Simon Butcher | f6e3b9e | 2016-10-12 19:47:29 +0100 | [diff] [blame] | 4089 | mbedtls_gcm_finish(). Found by cmiatpaar. #602 |
Simon Butcher | 4d69ecd | 2016-10-13 00:14:37 +0100 | [diff] [blame] | 4090 | * Guarantee that P>Q at RSA key generation. Found by inestlerode. #558 |
Andres AG | 5a87c93 | 2016-09-26 14:53:05 +0100 | [diff] [blame] | 4091 | * Fix potential byte overread when verifying malformed SERVER_HELLO in |
| 4092 | ssl_parse_hello_verify_request() for DTLS. Found by Guido Vranken. |
Andres AG | 4b76aec | 2016-09-23 13:16:02 +0100 | [diff] [blame] | 4093 | * Fix check for validity of date when parsing in mbedtls_x509_get_time(). |
Simon Butcher | 2bd0fba | 2016-10-13 16:29:56 +0100 | [diff] [blame] | 4094 | Found by subramanyam-c. #626 |
Simon Butcher | 9900014 | 2016-10-13 17:21:01 +0100 | [diff] [blame] | 4095 | * Fix compatibility issue with Internet Explorer client authentication, |
| 4096 | where the limited hash choices prevented the client from sending its |
| 4097 | certificate. Found by teumas. #513 |
Janos Follath | 240f185 | 2016-10-14 15:23:21 +0100 | [diff] [blame] | 4098 | * Fix compilation without MBEDTLS_SELF_TEST enabled. |
Simon Butcher | cf8c1f4 | 2016-09-02 21:29:39 +0300 | [diff] [blame] | 4099 | |
| 4100 | Changes |
| 4101 | * Extended test coverage of special cases, and added new timing test suite. |
| 4102 | * Removed self-tests from the basic-built-test.sh script, and added all |
| 4103 | missing self-tests to the test suites, to ensure self-tests are only |
| 4104 | executed once. |
| 4105 | * Added support for 3 and 4 byte lengths to mbedtls_asn1_write_len(). |
| 4106 | * Added support for a Yotta specific configuration file - |
| 4107 | through the symbol YOTTA_CFG_MBEDTLS_TARGET_CONFIG_FILE. |
Simon Butcher | 5908bcc | 2016-09-04 15:12:09 +0100 | [diff] [blame] | 4108 | * Added optimization for code space for X.509/OID based on configured |
Simon Butcher | ef8fa01 | 2016-10-16 00:44:08 +0100 | [diff] [blame] | 4109 | features. Contributed by Aviv Palivoda. |
Andres AG | 788aa4a | 2016-09-14 14:32:09 +0100 | [diff] [blame] | 4110 | * Renamed source file library/net.c to library/net_sockets.c to avoid |
| 4111 | naming collision in projects which also have files with the common name |
| 4112 | net.c. For consistency, the corresponding header file, net.h, is marked as |
| 4113 | deprecated, and its contents moved to net_sockets.h. |
Simon Butcher | 59bffa2 | 2016-10-13 15:55:56 +0100 | [diff] [blame] | 4114 | * Changed the strategy for X.509 certificate parsing and validation, to no |
| 4115 | longer disregard certificates with unrecognised fields. |
Simon Butcher | cf8c1f4 | 2016-09-02 21:29:39 +0300 | [diff] [blame] | 4116 | |
Simon Butcher | 46125fb | 2016-06-27 19:43:55 +0100 | [diff] [blame] | 4117 | = mbed TLS 2.3.0 branch released 2016-06-28 |
Manuel Pégourié-Gonnard | afbb310 | 2016-01-07 13:26:11 +0100 | [diff] [blame] | 4118 | |
Janos Follath | cc4eba7 | 2016-02-10 16:25:55 +0000 | [diff] [blame] | 4119 | Security |
Janos Follath | e43b81a | 2016-02-10 16:25:55 +0000 | [diff] [blame] | 4120 | * Fix missing padding length check in mbedtls_rsa_rsaes_pkcs1_v15_decrypt |
Janos Follath | 3218b21 | 2016-02-10 16:14:10 +0000 | [diff] [blame] | 4121 | required by PKCS1 v2.2 |
Janos Follath | e43b81a | 2016-02-10 16:25:55 +0000 | [diff] [blame] | 4122 | * Fix potential integer overflow to buffer overflow in |
| 4123 | mbedtls_rsa_rsaes_pkcs1_v15_encrypt and mbedtls_rsa_rsaes_oaep_encrypt |
Manuel Pégourié-Gonnard | 8ddc93f | 2016-02-11 10:35:13 +0100 | [diff] [blame] | 4124 | (not triggerable remotely in (D)TLS). |
Hanno Becker | 01a0e07 | 2017-07-26 11:49:40 +0100 | [diff] [blame] | 4125 | * Fix a potential integer underflow to buffer overread in |
Janos Follath | bc247c9 | 2016-02-11 11:15:44 +0000 | [diff] [blame] | 4126 | mbedtls_rsa_rsaes_oaep_decrypt. It is not triggerable remotely in |
| 4127 | SSL/TLS. |
Janos Follath | cc4eba7 | 2016-02-10 16:25:55 +0000 | [diff] [blame] | 4128 | |
Simon Butcher | 3fe6cd3 | 2016-04-26 19:51:29 +0100 | [diff] [blame] | 4129 | Features |
| 4130 | * Support for platform abstraction of the standard C library time() |
| 4131 | function. |
| 4132 | |
Manuel Pégourié-Gonnard | afbb310 | 2016-01-07 13:26:11 +0100 | [diff] [blame] | 4133 | Bugfix |
| 4134 | * Fix bug in mbedtls_mpi_add_mpi() that caused wrong results when the three |
| 4135 | arguments where the same (in-place doubling). Found and fixed by Janos |
Manuel Pégourié-Gonnard | 3551901 | 2016-01-07 13:06:51 +0100 | [diff] [blame] | 4136 | Follath. #309 |
Manuel Pégourié-Gonnard | c990189 | 2016-01-12 13:59:39 +0000 | [diff] [blame] | 4137 | * Fix potential build failures related to the 'apidoc' target, introduced |
| 4138 | in the previous patch release. Found by Robert Scheck. #390 #391 |
Manuel Pégourié-Gonnard | 3551901 | 2016-01-07 13:06:51 +0100 | [diff] [blame] | 4139 | * Fix issue in Makefile that prevented building using armar. #386 |
Antonin Décimo | 36e89b5 | 2019-01-23 15:24:37 +0100 | [diff] [blame] | 4140 | * Fix memory leak that occurred only when ECJPAKE was enabled and ECDHE and |
Janos Follath | 4ae5c29 | 2016-02-10 11:27:43 +0000 | [diff] [blame] | 4141 | ECDSA was disabled in config.h . The leak didn't occur by default. |
Simon Butcher | f59e66b | 2016-03-01 20:26:16 +0000 | [diff] [blame] | 4142 | * Fix an issue that caused valid certificates to be rejected whenever an |
| 4143 | expired or not yet valid certificate was parsed before a valid certificate |
| 4144 | in the trusted certificate list. |
Hanno Becker | 01a0e07 | 2017-07-26 11:49:40 +0100 | [diff] [blame] | 4145 | * Fix bug in mbedtls_x509_crt_parse that caused trailing extra data in the |
Janos Follath | cc0e49d | 2016-02-17 14:34:12 +0000 | [diff] [blame] | 4146 | buffer after DER certificates to be included in the raw representation. |
Simon Butcher | 3f5c875 | 2016-04-15 19:06:59 +0100 | [diff] [blame] | 4147 | * Fix issue that caused a hang when generating RSA keys of odd bitlength |
Janos Follath | 1ed9f99 | 2016-03-18 11:45:44 +0000 | [diff] [blame] | 4148 | * Fix bug in mbedtls_rsa_rsaes_pkcs1_v15_encrypt that made null pointer |
| 4149 | dereference possible. |
Janos Follath | 8a31705 | 2016-04-21 23:37:09 +0100 | [diff] [blame] | 4150 | * Fix issue that caused a crash if invalid curves were passed to |
| 4151 | mbedtls_ssl_conf_curves. #373 |
Simon Butcher | f893507 | 2016-04-29 00:05:32 +0100 | [diff] [blame] | 4152 | * Fix issue in ssl_fork_server which was preventing it from functioning. #429 |
Paul Bakker | 8f0e4c2 | 2016-05-12 16:38:27 +0100 | [diff] [blame] | 4153 | * Fix memory leaks in test framework |
Paul Bakker | f8e3794 | 2016-05-13 10:50:41 +0100 | [diff] [blame] | 4154 | * Fix test in ssl-opt.sh that does not run properly with valgrind |
Simon Butcher | 46125fb | 2016-06-27 19:43:55 +0100 | [diff] [blame] | 4155 | * Fix unchecked calls to mmbedtls_md_setup(). Fix by Brian Murray. #502 |
Manuel Pégourié-Gonnard | afbb310 | 2016-01-07 13:26:11 +0100 | [diff] [blame] | 4156 | |
Manuel Pégourié-Gonnard | 25caaf3 | 2016-01-08 14:29:11 +0100 | [diff] [blame] | 4157 | Changes |
| 4158 | * On ARM platforms, when compiling with -O0 with GCC, Clang or armcc5, |
| 4159 | don't use the optimized assembly for bignum multiplication. This removes |
| 4160 | the need to pass -fomit-frame-pointer to avoid a build error with -O0. |
Simon Butcher | d7e9ad7 | 2016-04-25 16:07:12 +0100 | [diff] [blame] | 4161 | * Disabled SSLv3 in the default configuration. |
Simon Butcher | a543d11 | 2016-04-26 12:51:37 +0100 | [diff] [blame] | 4162 | * Optimized mbedtls_mpi_zeroize() for MPI integer size. (Fix by Alexey |
| 4163 | Skalozub). |
Janos Follath | c6dab2b | 2016-05-23 14:27:02 +0100 | [diff] [blame] | 4164 | * Fix non-compliance server extension handling. Extensions for SSLv3 are now |
| 4165 | ignored, as required by RFC6101. |
Manuel Pégourié-Gonnard | f92c86e | 2016-01-07 13:18:01 +0100 | [diff] [blame] | 4166 | |
| 4167 | = mbed TLS 2.2.1 released 2016-01-05 |
| 4168 | |
| 4169 | Security |
Manuel Pégourié-Gonnard | 97b5209 | 2015-12-10 10:50:51 +0100 | [diff] [blame] | 4170 | * Fix potential double free when mbedtls_asn1_store_named_data() fails to |
Manuel Pégourié-Gonnard | 1e07562 | 2015-12-10 14:46:25 +0100 | [diff] [blame] | 4171 | allocate memory. Only used for certificate generation, not triggerable |
Simon Butcher | 00923c1 | 2015-12-22 19:04:24 +0000 | [diff] [blame] | 4172 | remotely in SSL/TLS. Found by Rafał Przywara. #367 |
Manuel Pégourié-Gonnard | f4569b1 | 2015-11-19 09:23:06 +0100 | [diff] [blame] | 4173 | * Disable MD5 handshake signatures in TLS 1.2 by default to prevent the |
| 4174 | SLOTH attack on TLS 1.2 server authentication (other attacks from the |
| 4175 | SLOTH paper do not apply to any version of mbed TLS or PolarSSL). |
Manuel Pégourié-Gonnard | 7f88b8e | 2016-01-04 17:36:44 +0100 | [diff] [blame] | 4176 | https://www.mitls.org/pages/attacks/SLOTH |
Simon Butcher | 1285ab5 | 2016-01-01 21:42:47 +0000 | [diff] [blame] | 4177 | |
Manuel Pégourié-Gonnard | 7f88b8e | 2016-01-04 17:36:44 +0100 | [diff] [blame] | 4178 | Bugfix |
| 4179 | * Fix over-restrictive length limit in GCM. Found by Andreas-N. #362 |
| 4180 | * Fix bug in certificate validation that caused valid chains to be rejected |
| 4181 | when the first intermediate certificate has pathLenConstraint=0. Found by |
| 4182 | Nicholas Wilson. Introduced in mbed TLS 2.2.0. #280 |
Simon Butcher | 207990d | 2015-12-16 01:51:30 +0000 | [diff] [blame] | 4183 | * Removed potential leak in mbedtls_rsa_rsassa_pkcs1_v15_sign(), found by |
Simon Butcher | 8254ed2 | 2015-11-04 11:04:00 +0000 | [diff] [blame] | 4184 | JayaraghavendranK. #372 |
Simon Butcher | 04799a4 | 2015-09-29 00:31:09 +0100 | [diff] [blame] | 4185 | * Fix suboptimal handling of unexpected records that caused interop issues |
Manuel Pégourié-Gonnard | 2b624e9 | 2015-10-30 09:35:03 +0100 | [diff] [blame] | 4186 | with some peers over unreliable links. Avoid dropping an entire DTLS |
Manuel Pégourié-Gonnard | 173c790 | 2015-10-20 19:56:45 +0200 | [diff] [blame] | 4187 | datagram if a single record in a datagram is unexpected, instead only |
| 4188 | drop the record and look at subsequent records (if any are present) in |
| 4189 | the same datagram. Found by jeannotlapin. #345 |
Manuel Pégourié-Gonnard | 261faed | 2015-10-21 10:16:29 +0200 | [diff] [blame] | 4190 | |
| 4191 | = mbed TLS 2.2.0 released 2015-11-04 |
Simon Butcher | 59a8fa7 | 2015-11-03 23:09:28 +0000 | [diff] [blame] | 4192 | |
Manuel Pégourié-Gonnard | 22c3b7b | 2015-10-21 12:07:47 +0200 | [diff] [blame] | 4193 | Security |
| 4194 | * Fix potential double free if mbedtls_ssl_conf_psk() is called more than |
| 4195 | once and some allocation fails. Cannot be forced remotely. Found by Guido |
Simon Butcher | 59a8fa7 | 2015-11-03 23:09:28 +0000 | [diff] [blame] | 4196 | Vranken, Intelworks. |
Manuel Pégourié-Gonnard | 2b624e9 | 2015-10-30 09:35:03 +0100 | [diff] [blame] | 4197 | * Fix potential heap corruption on Windows when |
| 4198 | mbedtls_x509_crt_parse_path() is passed a path longer than 2GB. Cannot be |
| 4199 | triggered remotely. Found by Guido Vranken, Intelworks. |
| 4200 | * Fix potential buffer overflow in some asn1_write_xxx() functions. |
Manuel Pégourié-Gonnard | 1ef96c2 | 2015-10-20 15:04:57 +0200 | [diff] [blame] | 4201 | Cannot be triggered remotely unless you create X.509 certificates based |
| 4202 | on untrusted input or write keys of untrusted origin. Found by Guido |
| 4203 | Vranken, Intelworks. |
| 4204 | * The X509 max_pathlen constraint was not enforced on intermediate |
| 4205 | certificates. Found by Nicholas Wilson, fix and tests provided by |
Manuel Pégourié-Gonnard | 65eefc8 | 2015-10-23 14:08:48 +0200 | [diff] [blame] | 4206 | Janos Follath. #280 and #319 |
Manuel Pégourié-Gonnard | 4104864 | 2015-10-09 14:47:17 +0100 | [diff] [blame] | 4207 | |
Manuel Pégourié-Gonnard | 2b624e9 | 2015-10-30 09:35:03 +0100 | [diff] [blame] | 4208 | Features |
| 4209 | * Experimental support for EC J-PAKE as defined in Thread 1.0.0. |
| 4210 | Disabled by default as the specification might still change. |
Manuel Pégourié-Gonnard | 4104864 | 2015-10-09 14:47:17 +0100 | [diff] [blame] | 4211 | * Added a key extraction callback to accees the master secret and key |
| 4212 | block. (Potential uses include EAP-TLS and Thread.) |
Manuel Pégourié-Gonnard | e5f3072 | 2015-10-22 17:01:15 +0200 | [diff] [blame] | 4213 | |
| 4214 | Bugfix |
Simon Butcher | 62aab15 | 2015-10-27 16:05:34 +0000 | [diff] [blame] | 4215 | * Self-signed certificates were not excluded from pathlen counting, |
| 4216 | resulting in some valid X.509 being incorrectly rejected. Found and fix |
Manuel Pégourié-Gonnard | 65eefc8 | 2015-10-23 14:08:48 +0200 | [diff] [blame] | 4217 | provided by Janos Follath. #319 |
| 4218 | * Fix build error with configurations where ECDHE-PSK is the only key |
| 4219 | exchange. Found and fix provided by Chris Hammond. #270 |
Simon Butcher | 5f7c34b | 2015-10-27 15:14:55 +0000 | [diff] [blame] | 4220 | * Fix build error with configurations where RSA, RSA-PSK, ECDH-RSA or |
Manuel Pégourié-Gonnard | 7c5fcdc | 2015-10-21 14:52:24 +0200 | [diff] [blame] | 4221 | ECHD-ECDSA if the only key exchange. Multiple reports. #310 |
| 4222 | * Fixed a bug causing some handshakes to fail due to some non-fatal alerts |
Manuel Pégourié-Gonnard | 66fc073 | 2015-10-21 16:40:29 +0200 | [diff] [blame] | 4223 | not being properly ignored. Found by mancha and Kasom Koht-arsa, #308 |
Manuel Pégourié-Gonnard | c99dffa | 2015-11-02 06:00:02 +0900 | [diff] [blame] | 4224 | * mbedtls_x509_crt_verify(_with_profile)() now also checks the key type and |
| 4225 | size/curve against the profile. Before that, there was no way to set a |
| 4226 | minimum key size for end-entity certificates with RSA keys. Found by |
Simon Butcher | 5f7c34b | 2015-10-27 15:14:55 +0000 | [diff] [blame] | 4227 | Matthew Page of Scannex Electronics Ltd. |
Manuel Pégourié-Gonnard | e0b2fea | 2015-10-27 10:24:54 +0100 | [diff] [blame] | 4228 | * Fix failures in MPI on Sparc(64) due to use of bad assembly code. |
| 4229 | Found by Kurt Danielson. #292 |
| 4230 | * Fix typo in name of the extKeyUsage OID. Found by inestlerode, #314 |
Manuel Pégourié-Gonnard | 4104864 | 2015-10-09 14:47:17 +0100 | [diff] [blame] | 4231 | * Fix bug in ASN.1 encoding of booleans that caused generated CA |
| 4232 | certificates to be rejected by some applications, including OS X |
| 4233 | Keychain. Found and fixed by Jonathan Leroy, Inikup. |
Simon Butcher | 04799a4 | 2015-09-29 00:31:09 +0100 | [diff] [blame] | 4234 | |
Manuel Pégourié-Gonnard | ca056c7 | 2015-10-05 18:21:34 +0100 | [diff] [blame] | 4235 | Changes |
Simon Butcher | c48b66b | 2015-10-05 10:18:17 +0100 | [diff] [blame] | 4236 | * Improved performance of mbedtls_ecp_muladd() when one of the scalars is 1 |
| 4237 | or -1. |
Simon Butcher | 5b8d1d6 | 2015-10-04 22:06:51 +0100 | [diff] [blame] | 4238 | |
| 4239 | = mbed TLS 2.1.2 released 2015-10-06 |
Simon Butcher | c48b66b | 2015-10-05 10:18:17 +0100 | [diff] [blame] | 4240 | |
| 4241 | Security |
Manuel Pégourié-Gonnard | d02a1da | 2015-09-28 18:34:48 +0200 | [diff] [blame] | 4242 | * Added fix for CVE-2015-5291 to prevent heap corruption due to buffer |
| 4243 | overflow of the hostname or session ticket. Found by Guido Vranken, |
Simon Butcher | c48b66b | 2015-10-05 10:18:17 +0100 | [diff] [blame] | 4244 | Intelworks. |
Manuel Pégourié-Gonnard | 58fb495 | 2015-09-28 13:48:04 +0200 | [diff] [blame] | 4245 | * Fix potential double-free if mbedtls_ssl_set_hs_psk() is called more than |
Simon Butcher | c48b66b | 2015-10-05 10:18:17 +0100 | [diff] [blame] | 4246 | once in the same handhake and mbedtls_ssl_conf_psk() was used. |
| 4247 | Found and patch provided by Guido Vranken, Intelworks. Cannot be forced |
| 4248 | remotely. |
| 4249 | * Fix stack buffer overflow in pkcs12 decryption (used by |
Simon Butcher | a45aa13 | 2015-10-05 00:26:36 +0100 | [diff] [blame] | 4250 | mbedtls_pk_parse_key(file)() when the password is > 129 bytes. |
Simon Butcher | c48b66b | 2015-10-05 10:18:17 +0100 | [diff] [blame] | 4251 | Found by Guido Vranken, Intelworks. Not triggerable remotely. |
| 4252 | * Fix potential buffer overflow in mbedtls_mpi_read_string(). |
| 4253 | Found by Guido Vranken, Intelworks. Not exploitable remotely in the context |
| 4254 | of TLS, but might be in other uses. On 32 bit machines, requires reading a |
| 4255 | string of close to or larger than 1GB to exploit; on 64 bit machines, would |
| 4256 | require reading a string of close to or larger than 2^62 bytes. |
Manuel Pégourié-Gonnard | 24417f0 | 2015-09-28 18:09:45 +0200 | [diff] [blame] | 4257 | * Fix potential random memory allocation in mbedtls_pem_read_buffer() |
Simon Butcher | fec73a8 | 2015-10-05 10:40:31 +0100 | [diff] [blame] | 4258 | on crafted PEM input data. Found and fix provided by Guido Vranken, |
| 4259 | Intelworks. Not triggerable remotely in TLS. Triggerable remotely if you |
Manuel Pégourié-Gonnard | bc1babb | 2015-10-02 11:16:47 +0200 | [diff] [blame] | 4260 | accept PEM data from an untrusted source. |
| 4261 | * Fix possible heap buffer overflow in base64_encoded() when the input |
| 4262 | buffer is 512MB or larger on 32-bit platforms. Found by Guido Vranken, |
Simon Butcher | 475cf0a | 2015-10-05 11:57:54 +0100 | [diff] [blame] | 4263 | Intelworks. Not trigerrable remotely in TLS. |
Simon Butcher | 04799a4 | 2015-09-29 00:31:09 +0100 | [diff] [blame] | 4264 | * Fix potential double-free if mbedtls_conf_psk() is called repeatedly on |
Manuel Pégourié-Gonnard | 0431735 | 2015-10-05 12:16:06 +0100 | [diff] [blame] | 4265 | the same mbedtls_ssl_config object and memory allocation fails. Found by |
| 4266 | Guido Vranken, Intelworks. Cannot be forced remotely. |
| 4267 | * Fix potential heap buffer overflow in servers that perform client |
Simon Butcher | 7776fc3 | 2015-10-05 15:44:18 +0100 | [diff] [blame] | 4268 | authentication against a crafted CA cert. Cannot be triggered remotely |
Manuel Pégourié-Gonnard | 0431735 | 2015-10-05 12:16:06 +0100 | [diff] [blame] | 4269 | unless you allow third parties to pick trust CAs for client auth. |
Simon Butcher | 04799a4 | 2015-09-29 00:31:09 +0100 | [diff] [blame] | 4270 | Found by Guido Vranken, Intelworks. |
| 4271 | |
| 4272 | Bugfix |
Simon Butcher | a12e3c0 | 2015-10-01 01:59:33 +0100 | [diff] [blame] | 4273 | * Fix compile error in net.c with musl libc. Found and patch provided by |
| 4274 | zhasha (#278). |
Simon Butcher | 04799a4 | 2015-09-29 00:31:09 +0100 | [diff] [blame] | 4275 | * Fix macroization of 'inline' keyword when building as C++. (#279) |
Simon Butcher | 5624ec8 | 2015-09-29 01:06:06 +0100 | [diff] [blame] | 4276 | |
Manuel Pégourié-Gonnard | 4f3368e | 2015-07-19 15:01:28 +0200 | [diff] [blame] | 4277 | Changes |
Manuel Pégourié-Gonnard | 5f50104 | 2015-09-03 20:03:15 +0200 | [diff] [blame] | 4278 | * Added checking of hostname length in mbedtls_ssl_set_hostname() to ensure |
| 4279 | domain names are compliant with RFC 1035. |
| 4280 | * Fixed paths for check_config.h in example config files. (Found by bachp) |
| 4281 | (#291) |
Manuel Pégourié-Gonnard | c2ed802 | 2015-09-09 12:15:13 +0200 | [diff] [blame] | 4282 | |
| 4283 | = mbed TLS 2.1.1 released 2015-09-17 |
Simon Butcher | 5b8d1d6 | 2015-10-04 22:06:51 +0100 | [diff] [blame] | 4284 | |
| 4285 | Security |
Manuel Pégourié-Gonnard | c2ed802 | 2015-09-09 12:15:13 +0200 | [diff] [blame] | 4286 | * Add countermeasure against Lenstra's RSA-CRT attack for PKCS#1 v1.5 |
Simon Butcher | a1a1128 | 2015-09-14 21:30:40 +0100 | [diff] [blame] | 4287 | signatures. (Found by Florian Weimer, Red Hat.) |
| 4288 | https://securityblog.redhat.com/2015/09/02/factoring-rsa-keys-with-tls-perfect-forward-secrecy/ |
Manuel Pégourié-Gonnard | f7022d1 | 2015-09-16 11:32:18 +0200 | [diff] [blame] | 4289 | * Fix possible client-side NULL pointer dereference (read) when the client |
| 4290 | tries to continue the handshake after it failed (a misuse of the API). |
| 4291 | (Found and patch provided by Fabian Foerg, Gotham Digital Science using |
Simon Butcher | d69f14b | 2015-09-11 20:00:20 +0100 | [diff] [blame] | 4292 | afl-fuzz.) |
| 4293 | |
| 4294 | Bugfix |
Manuel Pégourié-Gonnard | 14c2574 | 2015-09-08 15:12:45 +0200 | [diff] [blame] | 4295 | * Fix warning when using a 64bit platform. (found by embedthis) (#275) |
| 4296 | * Fix off-by-one error in parsing Supported Point Format extension that |
| 4297 | caused some handshakes to fail. |
| 4298 | |
| 4299 | Changes |
| 4300 | * Made X509 profile pointer const in mbedtls_ssl_conf_cert_profile() to allow |
| 4301 | use of mbedtls_x509_crt_profile_next. (found by NWilson) |
Simon Butcher | d69f14b | 2015-09-11 20:00:20 +0100 | [diff] [blame] | 4302 | * When a client initiates a reconnect from the same port as a live |
Manuel Pégourié-Gonnard | c2ed802 | 2015-09-09 12:15:13 +0200 | [diff] [blame] | 4303 | connection, if cookie verification is available |
Manuel Pégourié-Gonnard | 5f50104 | 2015-09-03 20:03:15 +0200 | [diff] [blame] | 4304 | (MBEDTLS_SSL_DTLS_HELLO_VERIFY defined in config.h, and usable cookie |
Manuel Pégourié-Gonnard | 32da9f6 | 2015-07-31 15:52:30 +0200 | [diff] [blame] | 4305 | callbacks set with mbedtls_ssl_conf_dtls_cookies()), this will be |
Manuel Pégourié-Gonnard | 0a0c22e | 2015-09-04 14:38:26 +0200 | [diff] [blame] | 4306 | detected and mbedtls_ssl_read() will return |
| 4307 | MBEDTLS_ERR_SSL_CLIENT_RECONNECT - it is then possible to start a new |
Manuel Pégourié-Gonnard | 32da9f6 | 2015-07-31 15:52:30 +0200 | [diff] [blame] | 4308 | handshake with the same context. (See RFC 6347 section 4.2.8.) |
Manuel Pégourié-Gonnard | 4f3368e | 2015-07-19 15:01:28 +0200 | [diff] [blame] | 4309 | |
| 4310 | = mbed TLS 2.1.0 released 2015-09-04 |
Manuel Pégourié-Gonnard | bcb0460 | 2015-07-19 16:00:04 +0200 | [diff] [blame] | 4311 | |
| 4312 | Features |
Manuel Pégourié-Gonnard | a6e5bd5 | 2015-07-23 12:14:13 +0200 | [diff] [blame] | 4313 | * Added support for yotta as a build system. |
| 4314 | * Primary open source license changed to Apache 2.0 license. |
Manuel Pégourié-Gonnard | 52a5079 | 2015-07-27 10:36:12 +0200 | [diff] [blame] | 4315 | |
Manuel Pégourié-Gonnard | 6f42417 | 2015-07-24 16:53:46 +0200 | [diff] [blame] | 4316 | Bugfix |
Manuel Pégourié-Gonnard | 52a5079 | 2015-07-27 10:36:12 +0200 | [diff] [blame] | 4317 | * Fix segfault in the benchmark program when benchmarking DHM. |
| 4318 | * Fix build error with CMake and pre-4.5 versions of GCC (found by Hugo |
Manuel Pégourié-Gonnard | e96ce08 | 2015-07-30 22:46:55 +0200 | [diff] [blame] | 4319 | Leisink). |
Manuel Pégourié-Gonnard | 2006408 | 2015-08-03 10:24:05 +0200 | [diff] [blame] | 4320 | * Fix bug when parsing a ServerHello without extensions (found by David |
| 4321 | Sears). |
Manuel Pégourié-Gonnard | 9983993 | 2015-08-03 10:34:09 +0200 | [diff] [blame] | 4322 | * Fix bug in CMake lists that caused libmbedcrypto.a not to be installed |
| 4323 | (found by Benoit Lecocq). |
Manuel Pégourié-Gonnard | e33316c | 2015-08-07 13:17:23 +0200 | [diff] [blame] | 4324 | * Fix bug in Makefile that caused libmbedcrypto and libmbedx509 not to be |
| 4325 | installed (found by Rawi666). |
| 4326 | * Fix compile error with armcc 5 with --gnu option. |
Manuel Pégourié-Gonnard | ed46c43 | 2015-08-10 10:17:32 +0200 | [diff] [blame] | 4327 | * Fix bug in Makefile that caused programs not to be installed correctly |
Manuel Pégourié-Gonnard | c98204e | 2015-08-11 04:21:01 +0200 | [diff] [blame] | 4328 | (found by robotanarchy) (#232). |
| 4329 | * Fix bug in Makefile that prevented from installing without building the |
Manuel Pégourié-Gonnard | 1385a28 | 2015-08-27 11:30:58 +0200 | [diff] [blame] | 4330 | tests (found by robotanarchy) (#232). |
| 4331 | * Fix missing -static-libgcc when building shared libraries for Windows |
| 4332 | with make. |
Simon Butcher | 5275459 | 2015-09-03 13:06:01 +0100 | [diff] [blame] | 4333 | * Fix link error when building shared libraries for Windows with make. |
| 4334 | * Fix error when loading libmbedtls.so. |
| 4335 | * Fix bug in mbedtls_ssl_conf_default() that caused the default preset to |
| 4336 | be always used (found by dcb314) (#235) |
| 4337 | * Fix bug in mbedtls_rsa_public() and mbedtls_rsa_private() that could |
| 4338 | result trying to unlock an unlocked mutex on invalid input (found by |
| 4339 | Fredrik Axelsson) (#257) |
Manuel Pégourié-Gonnard | 52a5079 | 2015-07-27 10:36:12 +0200 | [diff] [blame] | 4340 | * Fix -Wshadow warnings (found by hnrkp) (#240) |
Manuel Pégourié-Gonnard | 052d10c | 2015-07-31 11:09:59 +0200 | [diff] [blame] | 4341 | * Fix memory corruption on client with overlong PSK identity, around |
| 4342 | SSL_MAX_CONTENT_LEN or higher - not triggerrable remotely (found by |
Manuel Pégourié-Gonnard | 32da9f6 | 2015-07-31 15:52:30 +0200 | [diff] [blame] | 4343 | Aleksandrs Saveljevs) (#238) |
| 4344 | * Fix unused function warning when using MBEDTLS_MDx_ALT or |
| 4345 | MBEDTLS_SHAxxx_ALT (found by Henrik) (#239) |
Manuel Pégourié-Gonnard | b2beb84 | 2015-09-01 19:37:32 +0200 | [diff] [blame] | 4346 | * Fix memory corruption in pkey programs (found by yankuncheng) (#210) |
| 4347 | |
| 4348 | Changes |
Simon Butcher | 5275459 | 2015-09-03 13:06:01 +0100 | [diff] [blame] | 4349 | * The PEM parser now accepts a trailing space at end of lines (#226). |
| 4350 | * It is now possible to #include a user-provided configuration file at the |
| 4351 | end of the default config.h by defining MBEDTLS_USER_CONFIG_FILE on the |
| 4352 | compiler's command line. |
Manuel Pégourié-Gonnard | 4f3368e | 2015-07-19 15:01:28 +0200 | [diff] [blame] | 4353 | * When verifying a certificate chain, if an intermediate certificate is |
Paul Bakker | 4cb87f4 | 2015-07-10 14:09:43 +0100 | [diff] [blame] | 4354 | trusted, no later cert is checked. (suggested by hannes-landeholm) |
Paul Bakker | 9c5898f | 2015-02-16 16:18:33 +0100 | [diff] [blame] | 4355 | (#220). |
Manuel Pégourié-Gonnard | f4acfe1 | 2014-09-17 10:56:54 +0200 | [diff] [blame] | 4356 | * Prepend a "thread identifier" to debug messages (issue pointed out by |
Manuel Pégourié-Gonnard | 866eb47 | 2015-05-25 19:41:37 +0200 | [diff] [blame] | 4357 | Hugo Leisink) (#210). |
| 4358 | * Add mbedtls_ssl_get_max_frag_len() to query the current maximum fragment |
| 4359 | length. |
| 4360 | |
| 4361 | = mbed TLS 2.0.0 released 2015-07-13 |
| 4362 | |
Manuel Pégourié-Gonnard | 88d3785 | 2015-06-17 14:26:49 +0200 | [diff] [blame] | 4363 | Features |
| 4364 | * Support for DTLS 1.0 and 1.2 (RFC 6347). |
| 4365 | * Ability to override core functions from MDx, SHAx, AES and DES modules |
| 4366 | with custom implementation (eg hardware accelerated), complementing the |
| 4367 | ability to override the whole module. |
| 4368 | * New server-side implementation of session tickets that rotate keys to |
Manuel Pégourié-Gonnard | 4d7fbbf | 2014-10-15 15:40:55 +0200 | [diff] [blame] | 4369 | preserve forward secrecy, and allows sharing across multiple contexts. |
Manuel Pégourié-Gonnard | f4acfe1 | 2014-09-17 10:56:54 +0200 | [diff] [blame] | 4370 | * Added a concept of X.509 cerificate verification profile that controls |
Manuel Pégourié-Gonnard | a25ffc3 | 2015-06-25 12:01:16 +0200 | [diff] [blame] | 4371 | which algorithms and key sizes (curves for ECDSA) are acceptable. |
| 4372 | * Expanded configurability of security parameters in the SSL module with |
Manuel Pégourié-Gonnard | d54e617 | 2015-04-28 17:56:12 +0200 | [diff] [blame] | 4373 | mbedtls_ssl_conf_dhm_min_bitlen() and mbedtls_ssl_conf_sig_hashes(). |
Manuel Pégourié-Gonnard | 6e088f9 | 2015-05-06 17:53:08 +0100 | [diff] [blame] | 4374 | * Introduced a concept of presets for SSL security-relevant configuration |
Manuel Pégourié-Gonnard | d54e617 | 2015-04-28 17:56:12 +0200 | [diff] [blame] | 4375 | parameters. |
Manuel Pégourié-Gonnard | 6e088f9 | 2015-05-06 17:53:08 +0100 | [diff] [blame] | 4376 | |
Manuel Pégourié-Gonnard | 898e0aa | 2015-06-18 15:28:12 +0200 | [diff] [blame] | 4377 | API Changes |
Manuel Pégourié-Gonnard | 797f48a | 2015-06-18 15:45:05 +0200 | [diff] [blame] | 4378 | * The library has been split into libmbedcrypto, libmbedx509, libmbedtls. |
| 4379 | You now need to link to all of them if you use TLS for example. |
| 4380 | * All public identifiers moved to the mbedtls_* or MBEDTLS_* namespace. |
Manuel Pégourié-Gonnard | d54e617 | 2015-04-28 17:56:12 +0200 | [diff] [blame] | 4381 | Some names have been further changed to make them more consistent. |
Antonin Décimo | 36e89b5 | 2019-01-23 15:24:37 +0100 | [diff] [blame] | 4382 | Migration helpers scripts/rename.pl and include/mbedtls/compat-1.3.h are |
Manuel Pégourié-Gonnard | f4acfe1 | 2014-09-17 10:56:54 +0200 | [diff] [blame] | 4383 | provided. Full list of renamings in scripts/data_files/rename-1.3-2.0.txt |
Manuel Pégourié-Gonnard | e6bdc44 | 2014-09-17 11:34:57 +0200 | [diff] [blame] | 4384 | * Renamings of fields inside structures, not covered by the previous list: |
Manuel Pégourié-Gonnard | 6963ff0 | 2015-04-28 18:02:54 +0200 | [diff] [blame] | 4385 | mbedtls_cipher_info_t.key_length -> key_bitlen |
Manuel Pégourié-Gonnard | 2f84e97 | 2015-05-11 09:52:24 +0200 | [diff] [blame] | 4386 | mbedtls_cipher_context_t.key_length -> key_bitlen |
Manuel Pégourié-Gonnard | 06939ce | 2015-05-11 11:25:46 +0200 | [diff] [blame] | 4387 | mbedtls_ecp_curve_info.size -> bit_size |
Manuel Pégourié-Gonnard | 41d479e | 2015-04-29 00:48:22 +0200 | [diff] [blame] | 4388 | * Headers are now found in the 'mbedtls' directory (previously 'polarssl'). |
Manuel Pégourié-Gonnard | 6963ff0 | 2015-04-28 18:02:54 +0200 | [diff] [blame] | 4389 | * The following _init() functions that could return errors have |
Manuel Pégourié-Gonnard | c34e8dd | 2015-04-28 21:42:17 +0200 | [diff] [blame] | 4390 | been split into an _init() that returns void and another function that |
Manuel Pégourié-Gonnard | 2f84e97 | 2015-05-11 09:52:24 +0200 | [diff] [blame] | 4391 | should generally be the first function called on this context after init: |
| 4392 | mbedtls_ssl_init() -> mbedtls_ssl_setup() |
Manuel Pégourié-Gonnard | 06939ce | 2015-05-11 11:25:46 +0200 | [diff] [blame] | 4393 | mbedtls_ccm_init() -> mbedtls_ccm_setkey() |
| 4394 | mbedtls_gcm_init() -> mbedtls_gcm_setkey() |
Manuel Pégourié-Gonnard | 9693668 | 2015-06-02 15:14:15 +0100 | [diff] [blame] | 4395 | mbedtls_hmac_drbg_init() -> mbedtls_hmac_drbg_seed(_buf)() |
Manuel Pégourié-Gonnard | caace65 | 2015-05-11 09:57:11 +0200 | [diff] [blame] | 4396 | mbedtls_ctr_drbg_init() -> mbedtls_ctr_drbg_seed() |
Tillmann Karras | 588ad50 | 2015-09-25 04:27:22 +0200 | [diff] [blame] | 4397 | Note that for mbedtls_ssl_setup(), you need to be done setting up the |
Manuel Pégourié-Gonnard | caace65 | 2015-05-11 09:57:11 +0200 | [diff] [blame] | 4398 | ssl_config structure before calling it. |
| 4399 | * Most ssl_set_xxx() functions (all except ssl_set_bio(), ssl_set_hostname(), |
| 4400 | ssl_set_session() and ssl_set_client_transport_id(), plus |
| 4401 | ssl_legacy_renegotiation()) have been renamed to mbedtls_ssl_conf_xxx() |
Manuel Pégourié-Gonnard | 9a1a4d6 | 2015-05-11 10:35:53 +0200 | [diff] [blame] | 4402 | (see rename.pl and compat-1.3.h above) and their first argument's type |
| 4403 | changed from ssl_context to ssl_config. |
Manuel Pégourié-Gonnard | 9693668 | 2015-06-02 15:14:15 +0100 | [diff] [blame] | 4404 | * ssl_set_bio() changed signature (contexts merged, order switched, one |
| 4405 | additional callback for read-with-timeout). |
Manuel Pégourié-Gonnard | 9a1a4d6 | 2015-05-11 10:35:53 +0200 | [diff] [blame] | 4406 | * The following functions have been introduced and must be used in callback |
| 4407 | implementations (SNI, PSK) instead of their *conf counterparts: |
| 4408 | mbedtls_ssl_set_hs_own_cert() |
| 4409 | mbedtls_ssl_set_hs_ca_chain() |
| 4410 | mbedtls_ssl_set_hs_psk() |
Manuel Pégourié-Gonnard | caace65 | 2015-05-11 09:57:11 +0200 | [diff] [blame] | 4411 | * mbedtls_ssl_conf_ca_chain() lost its last argument (peer_cn), now set |
Manuel Pégourié-Gonnard | bc2b771 | 2015-05-06 11:14:19 +0100 | [diff] [blame] | 4412 | using mbedtls_ssl_set_hostname(). |
Manuel Pégourié-Gonnard | 01e5e8c | 2015-05-11 10:11:56 +0200 | [diff] [blame] | 4413 | * mbedtls_ssl_conf_session_cache() changed prototype (only one context |
Manuel Pégourié-Gonnard | 5cb3308 | 2015-05-06 18:06:26 +0100 | [diff] [blame] | 4414 | pointer, parameters reordered). |
Manuel Pégourié-Gonnard | 866eb47 | 2015-05-25 19:41:37 +0200 | [diff] [blame] | 4415 | * On server, mbedtls_ssl_conf_session_tickets_cb() must now be used in |
| 4416 | place of mbedtls_ssl_conf_session_tickets() to enable session tickets. |
Manuel Pégourié-Gonnard | fd47423 | 2015-06-23 16:34:24 +0200 | [diff] [blame] | 4417 | * The SSL debug callback gained two new arguments (file name, line number). |
| 4418 | * Debug modes were removed. |
Manuel Pégourié-Gonnard | 01e5e8c | 2015-05-11 10:11:56 +0200 | [diff] [blame] | 4419 | * mbedtls_ssl_conf_truncated_hmac() now returns void. |
Manuel Pégourié-Gonnard | 9693668 | 2015-06-02 15:14:15 +0100 | [diff] [blame] | 4420 | * mbedtls_memory_buffer_alloc_init() now returns void. |
Manuel Pégourié-Gonnard | e6ef16f | 2015-05-11 19:54:43 +0200 | [diff] [blame] | 4421 | * X.509 verification flags are now an uint32_t. Affect the signature of: |
| 4422 | mbedtls_ssl_get_verify_result() |
| 4423 | mbedtls_x509_ctr_verify_info() |
Manuel Pégourié-Gonnard | 9693668 | 2015-06-02 15:14:15 +0100 | [diff] [blame] | 4424 | mbedtls_x509_crt_verify() (flags, f_vrfy -> needs to be updated) |
Manuel Pégourié-Gonnard | e6ef16f | 2015-05-11 19:54:43 +0200 | [diff] [blame] | 4425 | mbedtls_ssl_conf_verify() (f_vrfy -> needs to be updated) |
Manuel Pégourié-Gonnard | bc6ff23 | 2015-06-02 16:33:08 +0100 | [diff] [blame] | 4426 | * The following functions changed prototype to avoid an in-out length |
| 4427 | parameter: |
| 4428 | mbedtls_base64_encode() |
| 4429 | mbedtls_base64_decode() |
| 4430 | mbedtls_mpi_write_string() |
| 4431 | mbedtls_dhm_calc_secret() |
Manuel Pégourié-Gonnard | 9189585 | 2015-06-30 13:34:45 +0200 | [diff] [blame] | 4432 | * In the NET module, all "int" and "int *" arguments for file descriptors |
| 4433 | changed type to "mbedtls_net_context *". |
Manuel Pégourié-Gonnard | 0b104b0 | 2015-05-14 21:52:40 +0200 | [diff] [blame] | 4434 | * net_accept() gained new arguments for the size of the client_ip buffer. |
Manuel Pégourié-Gonnard | 8f5fd31 | 2015-04-24 14:42:34 +0200 | [diff] [blame] | 4435 | * In the threading layer, mbedtls_mutex_init() and mbedtls_mutex_free() now |
| 4436 | return void. |
Antonin Décimo | 36e89b5 | 2019-01-23 15:24:37 +0100 | [diff] [blame] | 4437 | * ecdsa_write_signature() gained an additional md_alg argument and |
Manuel Pégourié-Gonnard | dfdcac9 | 2015-03-31 11:41:42 +0200 | [diff] [blame] | 4438 | ecdsa_write_signature_det() was deprecated. |
Manuel Pégourié-Gonnard | b8cfe3f | 2015-03-31 11:04:45 +0200 | [diff] [blame] | 4439 | * pk_sign() no longer accepts md_alg == POLARSSL_MD_NONE with ECDSA. |
Manuel Pégourié-Gonnard | 1cd10ad | 2015-06-23 11:07:37 +0200 | [diff] [blame] | 4440 | * Last argument of x509_crt_check_key_usage() and |
| 4441 | mbedtls_x509write_crt_set_key_usage() changed from int to unsigned. |
Manuel Pégourié-Gonnard | a958d69 | 2015-03-27 10:23:53 +0100 | [diff] [blame] | 4442 | * test_ca_list (from certs.h) is renamed to test_cas_pem and is only |
| 4443 | available if POLARSSL_PEM_PARSE_C is defined (it never worked without). |
| 4444 | * Test certificates in certs.c are no longer guaranteed to be nul-terminated |
Manuel Pégourié-Gonnard | 75f9010 | 2015-03-27 09:56:18 +0100 | [diff] [blame] | 4445 | strings; use the new *_len variables instead of strlen(). |
Manuel Pégourié-Gonnard | 43b37cb | 2015-05-12 11:20:10 +0200 | [diff] [blame] | 4446 | * Functions mbedtls_x509_xxx_parse(), mbedtls_pk_parse_key(), |
| 4447 | mbedtls_pk_parse_public_key() and mbedtls_dhm_parse_dhm() now expect the |
| 4448 | length parameter to include the terminating null byte for PEM input. |
Manuel Pégourié-Gonnard | 35f1d7f | 2015-03-19 12:42:40 +0000 | [diff] [blame] | 4449 | * Signature of mpi_mul_mpi() changed to make the last argument unsigned |
Manuel Pégourié-Gonnard | 5b9e5b1 | 2015-05-26 17:46:09 +0200 | [diff] [blame] | 4450 | * calloc() is now used instead of malloc() everywhere. API of platform |
| 4451 | layer and the memory_buffer_alloc module changed accordingly. |
Manuel Pégourié-Gonnard | 1b8de57 | 2015-05-27 16:49:37 +0200 | [diff] [blame] | 4452 | (Thanks to Mansour Moufid for helping with the replacement.) |
Manuel Pégourié-Gonnard | 88bdb0b | 2015-03-10 14:02:33 +0000 | [diff] [blame] | 4453 | * Change SSL_DISABLE_RENEGOTIATION config.h flag to SSL_RENEGOTIATION |
| 4454 | (support for renegotiation now needs explicit enabling in config.h). |
Manuel Pégourié-Gonnard | 60c793b | 2015-06-18 20:52:58 +0200 | [diff] [blame] | 4455 | * Split MBEDTLS_HAVE_TIME into MBEDTLS_HAVE_TIME and MBEDTLS_HAVE_TIME_DATE |
| 4456 | in config.h |
Manuel Pégourié-Gonnard | f4acfe1 | 2014-09-17 10:56:54 +0200 | [diff] [blame] | 4457 | * net_connect() and net_bind() have a new 'proto' argument to choose |
| 4458 | between TCP and UDP, using the macros NET_PROTO_TCP or NET_PROTO_UDP. |
Manuel Pégourié-Gonnard | c0d7494 | 2015-06-23 12:30:57 +0200 | [diff] [blame] | 4459 | Their 'port' argument type is changed to a string. |
Manuel Pégourié-Gonnard | d54e617 | 2015-04-28 17:56:12 +0200 | [diff] [blame] | 4460 | * Some constness fixes |
| 4461 | |
| 4462 | Removals |
Manuel Pégourié-Gonnard | aff37e5 | 2015-05-11 18:11:57 +0200 | [diff] [blame] | 4463 | * Removed mbedtls_ecp_group_read_string(). Only named groups are supported. |
Manuel Pégourié-Gonnard | 56cc88a | 2015-05-11 18:40:45 +0200 | [diff] [blame] | 4464 | * Removed mbedtls_ecp_sub() and mbedtls_ecp_add(), use |
| 4465 | mbedtls_ecp_muladd(). |
Manuel Pégourié-Gonnard | 41b9c2b | 2015-05-28 14:56:20 +0200 | [diff] [blame] | 4466 | * Removed individual mdX_hmac, shaX_hmac, mdX_file and shaX_file functions |
| 4467 | (use generic functions from md.h) |
| 4468 | * Removed mbedtls_timing_msleep(). Use mbedtls_net_usleep() or a custom |
Manuel Pégourié-Gonnard | a63bc94 | 2015-05-14 18:22:47 +0200 | [diff] [blame] | 4469 | waiting function. |
Manuel Pégourié-Gonnard | 53585ee | 2015-06-25 08:52:25 +0200 | [diff] [blame] | 4470 | * Removed test DHM parameters from the test certs module. |
Manuel Pégourié-Gonnard | d54e617 | 2015-04-28 17:56:12 +0200 | [diff] [blame] | 4471 | * Removed the PBKDF2 module (use PKCS5). |
| 4472 | * Removed POLARSSL_ERROR_STRERROR_BC (use mbedtls_strerror()). |
| 4473 | * Removed compat-1.2.h (helper for migrating from 1.2 to 1.3). |
| 4474 | * Removed openssl.h (very partial OpenSSL compatibility layer). |
| 4475 | * Configuration options POLARSSL_HAVE_LONGLONG was removed (now always on). |
| 4476 | * Configuration options POLARSSL_HAVE_INT8 and POLARSSL_HAVE_INT16 have |
| 4477 | been removed (compiler is required to support 32-bit operations). |
| 4478 | * Configuration option POLARSSL_HAVE_IPV6 was removed (always enabled). |
| 4479 | * Removed test program o_p_test, the script compat.sh does more. |
| 4480 | * Removed test program ssl_test, superseded by ssl-opt.sh. |
| 4481 | * Removed helper script active-config.pl |
Manuel Pégourié-Gonnard | 1022fed | 2015-03-27 16:30:47 +0100 | [diff] [blame] | 4482 | |
| 4483 | New deprecations |
| 4484 | * md_init_ctx() is deprecated in favour of md_setup(), that adds a third |
| 4485 | argument (allowing memory savings if HMAC is not used) |
Manuel Pégourié-Gonnard | f4acfe1 | 2014-09-17 10:56:54 +0200 | [diff] [blame] | 4486 | |
Manuel Pégourié-Gonnard | 1022fed | 2015-03-27 16:30:47 +0100 | [diff] [blame] | 4487 | Semi-API changes (technically public, morally private) |
Manuel Pégourié-Gonnard | 50518f4 | 2015-05-26 11:04:15 +0200 | [diff] [blame] | 4488 | * Renamed a few headers to include _internal in the name. Those headers are |
| 4489 | not supposed to be included by users. |
Manuel Pégourié-Gonnard | c89d6cf | 2015-03-31 14:43:19 +0200 | [diff] [blame] | 4490 | * Changed md_info_t into an opaque structure (use md_get_xxx() accessors). |
| 4491 | * Changed pk_info_t into an opaque structure. |
Manuel Pégourié-Gonnard | 50518f4 | 2015-05-26 11:04:15 +0200 | [diff] [blame] | 4492 | * Changed cipher_base_t into an opaque structure. |
| 4493 | * Removed sig_oid2 and rename sig_oid1 to sig_oid in x509_crt and x509_crl. |
Manuel Pégourié-Gonnard | 1d0ca1a | 2015-03-27 16:50:00 +0100 | [diff] [blame] | 4494 | * x509_crt.key_usage changed from unsigned char to unsigned int. |
Manuel Pégourié-Gonnard | 50518f4 | 2015-05-26 11:04:15 +0200 | [diff] [blame] | 4495 | * Removed r and s from ecdsa_context |
| 4496 | * Removed mode from des_context and des3_context |
Manuel Pégourié-Gonnard | 1022fed | 2015-03-27 16:30:47 +0100 | [diff] [blame] | 4497 | |
Manuel Pégourié-Gonnard | 606df8c | 2015-03-27 17:13:17 +0100 | [diff] [blame] | 4498 | Default behavior changes |
Manuel Pégourié-Gonnard | 8c8be1e | 2015-03-31 14:21:11 +0200 | [diff] [blame] | 4499 | * The default minimum TLS version is now TLS 1.0. |
Manuel Pégourié-Gonnard | 606df8c | 2015-03-27 17:13:17 +0100 | [diff] [blame] | 4500 | * RC4 is now blacklisted by default in the SSL/TLS layer, and excluded from the |
| 4501 | default ciphersuite list returned by ssl_list_ciphersuites() |
Manuel Pégourié-Gonnard | 88bdb0b | 2015-03-10 14:02:33 +0000 | [diff] [blame] | 4502 | * Support for receiving SSLv2 ClientHello is now disabled by default at |
| 4503 | compile time. |
Manuel Pégourié-Gonnard | fa44f20 | 2015-03-27 17:52:25 +0100 | [diff] [blame] | 4504 | * The default authmode for SSL/TLS clients is now REQUIRED. |
Manuel Pégourié-Gonnard | 348bcb3 | 2015-03-31 14:01:33 +0200 | [diff] [blame] | 4505 | * Support for RSA_ALT contexts in the PK layer is now optional. Since is is |
| 4506 | enabled in the default configuration, this is only noticeable if using a |
| 4507 | custom config.h |
Manuel Pégourié-Gonnard | 1028b74 | 2015-05-06 17:33:07 +0100 | [diff] [blame] | 4508 | * Default DHM parameters server-side upgraded from 1024 to 2048 bits. |
Manuel Pégourié-Gonnard | 88d3785 | 2015-06-17 14:26:49 +0200 | [diff] [blame] | 4509 | * A minimum RSA key size of 2048 bits is now enforced during ceritificate |
| 4510 | chain verification. |
Manuel Pégourié-Gonnard | 662c6e8 | 2015-05-06 17:39:23 +0100 | [diff] [blame] | 4511 | * Negotiation of truncated HMAC is now disabled by default on server too. |
Manuel Pégourié-Gonnard | cb46fd8 | 2015-05-28 17:06:07 +0200 | [diff] [blame] | 4512 | * The following functions are now case-sensitive: |
| 4513 | mbedtls_cipher_info_from_string() |
| 4514 | mbedtls_ecp_curve_info_from_name() |
| 4515 | mbedtls_md_info_from_string() |
| 4516 | mbedtls_ssl_ciphersuite_from_string() |
| 4517 | mbedtls_version_check_feature() |
Manuel Pégourié-Gonnard | 606df8c | 2015-03-27 17:13:17 +0100 | [diff] [blame] | 4518 | |
Manuel Pégourié-Gonnard | aff37e5 | 2015-05-11 18:11:57 +0200 | [diff] [blame] | 4519 | Requirement changes |
Manuel Pégourié-Gonnard | ab22910 | 2015-04-15 11:53:16 +0200 | [diff] [blame] | 4520 | * The minimum MSVC version required is now 2010 (better C99 support). |
Manuel Pégourié-Gonnard | d4f04db | 2015-05-14 18:58:17 +0200 | [diff] [blame] | 4521 | * The NET layer now unconditionnaly relies on getaddrinfo() and select(). |
Manuel Pégourié-Gonnard | 3a3ae3d | 2015-05-06 17:08:54 +0100 | [diff] [blame] | 4522 | * Compiler is required to support C99 types such as long long and uint32_t. |
Manuel Pégourié-Gonnard | 88bdb0b | 2015-03-10 14:02:33 +0000 | [diff] [blame] | 4523 | |
Manuel Pégourié-Gonnard | 01e5e8c | 2015-05-11 10:11:56 +0200 | [diff] [blame] | 4524 | API changes from the 1.4 preview branch |
Manuel Pégourié-Gonnard | 1b511f9 | 2015-05-06 15:54:23 +0100 | [diff] [blame] | 4525 | * ssl_set_bio_timeout() was removed, split into mbedtls_ssl_set_bio() with |
| 4526 | new prototype, and mbedtls_ssl_set_read_timeout(). |
Manuel Pégourié-Gonnard | 01e5e8c | 2015-05-11 10:11:56 +0200 | [diff] [blame] | 4527 | * The following functions now return void: |
| 4528 | mbedtls_ssl_conf_transport() |
| 4529 | mbedtls_ssl_conf_max_version() |
| 4530 | mbedtls_ssl_conf_min_version() |
Manuel Pégourié-Gonnard | 0c89035 | 2015-05-13 10:28:41 +0200 | [diff] [blame] | 4531 | * DTLS no longer hard-depends on TIMING_C, but uses a callback interface |
| 4532 | instead, see mbedtls_ssl_set_timer_cb(), with the Timing module providing |
| 4533 | an example implementation, see mbedtls_timing_delay_context and |
| 4534 | mbedtls_timing_set/get_delay(). |
Manuel Pégourié-Gonnard | abc729e | 2015-07-01 01:28:24 +0200 | [diff] [blame] | 4535 | * With UDP sockets, it is no longer necessary to call net_bind() again |
| 4536 | after a successful net_accept(). |
Manuel Pégourié-Gonnard | 1b511f9 | 2015-05-06 15:54:23 +0100 | [diff] [blame] | 4537 | |
Manuel Pégourié-Gonnard | 0a4fb09 | 2015-05-07 12:50:31 +0100 | [diff] [blame] | 4538 | Changes |
| 4539 | * mbedtls_ctr_drbg_random() and mbedtls_hmac_drbg_random() are now |
| 4540 | thread-safe if MBEDTLS_THREADING_C is enabled. |
Manuel Pégourié-Gonnard | 88d3785 | 2015-06-17 14:26:49 +0200 | [diff] [blame] | 4541 | * Reduced ROM fooprint of SHA-256 and added an option to reduce it even |
| 4542 | more (at the expense of performance) MBEDTLS_SHA256_SMALLER. |
Manuel Pégourié-Gonnard | 0a4fb09 | 2015-05-07 12:50:31 +0100 | [diff] [blame] | 4543 | |
Manuel Pégourié-Gonnard | 7bf1976 | 2015-02-10 10:09:37 +0000 | [diff] [blame] | 4544 | = mbed TLS 1.3 branch |
| 4545 | |
| 4546 | Security |
Manuel Pégourié-Gonnard | 9f98251 | 2015-04-17 16:55:53 +0200 | [diff] [blame] | 4547 | * With authmode set to SSL_VERIFY_OPTIONAL, verification of keyUsage and |
Manuel Pégourié-Gonnard | e6efa6f | 2015-04-20 11:01:48 +0100 | [diff] [blame] | 4548 | extendedKeyUsage on the leaf certificate was lost (results not accessible |
| 4549 | via ssl_get_verify_results()). |
Manuel Pégourié-Gonnard | 47fede0 | 2015-04-29 01:35:48 +0200 | [diff] [blame] | 4550 | * Add countermeasure against "Lucky 13 strikes back" cache-based attack, |
| 4551 | https://dl.acm.org/citation.cfm?id=2714625 |
Manuel Pégourié-Gonnard | 7bf1976 | 2015-02-10 10:09:37 +0000 | [diff] [blame] | 4552 | |
| 4553 | Features |
Manuel Pégourié-Gonnard | 154b00b | 2015-05-11 21:05:36 +0200 | [diff] [blame] | 4554 | * Improve ECC performance by using more efficient doubling formulas |
| 4555 | (contributed by Peter Dettman). |
Manuel Pégourié-Gonnard | 39a183a | 2015-04-17 16:14:32 +0200 | [diff] [blame] | 4556 | * Add x509_crt_verify_info() to display certificate verification results. |
Manuel Pégourié-Gonnard | 95f0089 | 2015-04-15 14:12:05 +0200 | [diff] [blame] | 4557 | * Add support for reading DH parameters with privateValueLength included |
Manuel Pégourié-Gonnard | ba33420 | 2015-04-17 16:16:52 +0200 | [diff] [blame] | 4558 | (contributed by Daniel Kahn Gillmor). |
Manuel Pégourié-Gonnard | 39ead3e | 2015-03-27 13:09:21 +0100 | [diff] [blame] | 4559 | * Add support for bit strings in X.509 names (request by Fredrik Axelsson). |
| 4560 | * Add support for id-at-uniqueIdentifier in X.509 names. |
Manuel Pégourié-Gonnard | 00c2201 | 2015-02-13 15:14:10 +0000 | [diff] [blame] | 4561 | * Add support for overriding snprintf() (except on Windows) and exit() in |
| 4562 | the platform layer. |
| 4563 | * Add an option to use macros instead of function pointers in the platform |
| 4564 | layer (helps get rid of unwanted references). |
Manuel Pégourié-Gonnard | ea0184b | 2015-02-16 15:42:16 +0000 | [diff] [blame] | 4565 | * Improved Makefiles for Windows targets by fixing library targets and making |
| 4566 | cross-compilation easier (thanks to Alon Bar-Lev). |
Manuel Pégourié-Gonnard | ad350ed | 2015-02-16 17:45:35 +0000 | [diff] [blame] | 4567 | * The benchmark program also prints heap usage for public-key primitives |
| 4568 | if POLARSSL_MEMORY_BUFFER_ALLOC_C and POLARSSL_MEMORY_DEBUG are defined. |
| 4569 | * New script ecc-heap.sh helps measuring the impact of ECC parameters on |
| 4570 | speed and RAM (heap only for now) usage. |
| 4571 | * New script memory.sh helps measuring the ROM and RAM requirements of two |
| 4572 | reduced configurations (PSK-CCM and NSA suite B). |
Manuel Pégourié-Gonnard | 8c3f0f4 | 2015-04-09 14:10:26 +0200 | [diff] [blame] | 4573 | * Add config flag POLARSSL_DEPRECATED_WARNING (off by default) to produce |
Manuel Pégourié-Gonnard | f7dbedb | 2015-03-23 14:20:04 +0100 | [diff] [blame] | 4574 | warnings on use of deprecated functions (with GCC and Clang only). |
Manuel Pégourié-Gonnard | 8c3f0f4 | 2015-04-09 14:10:26 +0200 | [diff] [blame] | 4575 | * Add config flag POLARSSL_DEPRECATED_REMOVED (off by default) to produce |
Manuel Pégourié-Gonnard | f7dbedb | 2015-03-23 14:20:04 +0100 | [diff] [blame] | 4576 | errors on use of deprecated functions. |
Manuel Pégourié-Gonnard | 7bf1976 | 2015-02-10 10:09:37 +0000 | [diff] [blame] | 4577 | |
| 4578 | Bugfix |
Manuel Pégourié-Gonnard | dccb80b | 2015-06-03 10:20:33 +0100 | [diff] [blame] | 4579 | * Fix compile errors with PLATFORM_NO_STD_FUNCTIONS. |
Manuel Pégourié-Gonnard | f2ec505 | 2015-06-03 09:50:07 +0100 | [diff] [blame] | 4580 | * Fix compile error with PLATFORM_EXIT_ALT (thanks to Rafał Przywara). |
Manuel Pégourié-Gonnard | 3e87a9f | 2015-06-03 09:48:26 +0100 | [diff] [blame] | 4581 | * Fix bug in entropy.c when THREADING_C is also enabled that caused |
| 4582 | entropy_free() to crash (thanks to Rafał Przywara). |
Manuel Pégourié-Gonnard | 2a1524c | 2015-05-27 17:59:46 +0200 | [diff] [blame] | 4583 | * Fix memory leak when gcm_setkey() and ccm_setkey() are used more than |
| 4584 | once on the same context. |
Manuel Pégourié-Gonnard | fa950c9 | 2015-04-30 12:50:22 +0200 | [diff] [blame] | 4585 | * Fix bug in ssl_mail_client when password is longer that username (found |
| 4586 | by Bruno Pape). |
Manuel Pégourié-Gonnard | 159c524 | 2015-04-30 11:15:22 +0200 | [diff] [blame] | 4587 | * Fix undefined behaviour (memcmp( NULL, NULL, 0 );) in X.509 modules |
| 4588 | (detected by Clang's 3.6 UBSan). |
Manuel Pégourié-Gonnard | 770b5e1 | 2015-04-29 17:02:01 +0200 | [diff] [blame] | 4589 | * mpi_size() and mpi_msb() would segfault when called on an mpi that is |
| 4590 | initialized but not set (found by pravic). |
Manuel Pégourié-Gonnard | d97828e | 2015-04-29 14:03:28 +0200 | [diff] [blame] | 4591 | * Fix detection of support for getrandom() on Linux (reported by syzzer) by |
| 4592 | doing it at runtime (using uname) rather that compile time. |
Manuel Pégourié-Gonnard | f5203e0 | 2015-04-29 09:58:00 +0200 | [diff] [blame] | 4593 | * Fix handling of symlinks by "make install" (found by Gaël PORTAY). |
Manuel Pégourié-Gonnard | a2fce21 | 2015-04-15 19:09:03 +0200 | [diff] [blame] | 4594 | * Fix potential NULL pointer dereference (not trigerrable remotely) when |
| 4595 | ssl_write() is called before the handshake is finished (introduced in |
| 4596 | 1.3.10) (first reported by Martin Blumenstingl). |
Manuel Pégourié-Gonnard | 924cd10 | 2015-04-14 11:18:04 +0200 | [diff] [blame] | 4597 | * Fix bug in pk_parse_key() that caused some valid private EC keys to be |
| 4598 | rejected. |
Manuel Pégourié-Gonnard | cf20120 | 2015-04-02 10:46:55 +0100 | [diff] [blame] | 4599 | * Fix bug in Via Padlock support (found by Nikos Mavrogiannopoulos). |
Manuel Pégourié-Gonnard | 88fca3e | 2015-03-27 15:06:07 +0100 | [diff] [blame] | 4600 | * Fix thread safety bug in RSA operations (found by Fredrik Axelsson). |
Manuel Pégourié-Gonnard | 3843353 | 2015-02-11 11:35:58 +0000 | [diff] [blame] | 4601 | * Fix hardclock() (only used in the benchmarking program) with some |
| 4602 | versions of mingw64 (found by kxjhlele). |
Manuel Pégourié-Gonnard | dda5213 | 2015-02-11 11:36:31 +0000 | [diff] [blame] | 4603 | * Fix warnings from mingw64 in timing.c (found by kxjklele). |
Manuel Pégourié-Gonnard | 6fdc4ca | 2015-02-13 17:15:18 +0000 | [diff] [blame] | 4604 | * Fix potential unintended sign extension in asn1_get_len() on 64-bit |
| 4605 | platforms. |
Manuel Pégourié-Gonnard | df4e440 | 2015-02-18 10:11:06 +0000 | [diff] [blame] | 4606 | * Fix potential memory leak in ssl_set_psk() (found by Mansour Moufid). |
Manuel Pégourié-Gonnard | 51bccd3 | 2015-03-10 16:09:08 +0000 | [diff] [blame] | 4607 | * Fix compile error when POLARSSL_SSL_DISABLE_RENEGOTATION and |
| 4608 | POLARSSL_SSL_SSESSION_TICKETS where both enabled in config.h (introduced |
| 4609 | in 1.3.10). |
Manuel Pégourié-Gonnard | 1a90147 | 2015-03-10 16:12:29 +0000 | [diff] [blame] | 4610 | * Add missing extern "C" guard in aesni.h (reported by amir zamani). |
Manuel Pégourié-Gonnard | 0878a0d | 2015-03-31 15:13:29 +0200 | [diff] [blame] | 4611 | * Add missing dependency on SHA-256 in some x509 programs (reported by |
| 4612 | Gergely Budai). |
Manuel Pégourié-Gonnard | 07ec1dd | 2015-04-03 17:26:50 +0200 | [diff] [blame] | 4613 | * Fix bug related to ssl_set_curves(): the client didn't check that the |
| 4614 | curve picked by the server was actually allowed. |
Manuel Pégourié-Gonnard | 7bf1976 | 2015-02-10 10:09:37 +0000 | [diff] [blame] | 4615 | |
| 4616 | Changes |
Manuel Pégourié-Gonnard | 12a8b66 | 2015-04-15 14:20:14 +0200 | [diff] [blame] | 4617 | * Remove bias in mpi_gen_prime (contributed by Pascal Junod). |
| 4618 | * Remove potential sources of timing variations (some contributed by Pascal |
| 4619 | Junod). |
Manuel Pégourié-Gonnard | 23ce09b | 2015-04-09 14:51:51 +0200 | [diff] [blame] | 4620 | * Options POLARSSL_HAVE_INT8 and POLARSSL_HAVE_INT16 are deprecated. |
Manuel Pégourié-Gonnard | a98af5e | 2015-04-09 14:40:46 +0200 | [diff] [blame] | 4621 | * Enabling POLARSSL_NET_C without POLARSSL_HAVE_IPV6 is deprecated. |
Manuel Pégourié-Gonnard | 8c3f0f4 | 2015-04-09 14:10:26 +0200 | [diff] [blame] | 4622 | * compat-1.2.h and openssl.h are deprecated. |
Manuel Pégourié-Gonnard | 0645bfa | 2015-04-15 11:14:22 +0200 | [diff] [blame] | 4623 | * Adjusting/overriding CFLAGS and LDFLAGS with the make build system is now |
Manuel Pégourié-Gonnard | 40f315a | 2015-03-13 13:49:26 +0000 | [diff] [blame] | 4624 | more flexible (warning: OFLAGS is not used any more) (see the README) |
| 4625 | (contributed by Alon Bar-Lev). |
Manuel Pégourié-Gonnard | 0645bfa | 2015-04-15 11:14:22 +0200 | [diff] [blame] | 4626 | * ssl_set_own_cert() no longer calls pk_check_pair() since the |
Manuel Pégourié-Gonnard | f427f88 | 2015-03-10 15:35:29 +0000 | [diff] [blame] | 4627 | performance impact was bad for some users (this was introduced in 1.3.10). |
Manuel Pégourié-Gonnard | 6f60cd8 | 2015-02-10 10:47:03 +0000 | [diff] [blame] | 4628 | * Move from SHA-1 to SHA-256 in example programs using signatures |
| 4629 | (suggested by Thorsten Mühlfelder). |
Manuel Pégourié-Gonnard | 677af93 | 2015-02-10 11:41:57 +0000 | [diff] [blame] | 4630 | * Remove some unneeded inclusions of header files from the standard library |
| 4631 | "minimize" others (eg use stddef.h if only size_t is needed). |
| 4632 | * Change #include lines in test files to use double quotes instead of angle |
| 4633 | brackets for uniformity with the rest of the code. |
Manuel Pégourié-Gonnard | 00c2201 | 2015-02-13 15:14:10 +0000 | [diff] [blame] | 4634 | * Remove dependency on sscanf() in X.509 parsing modules. |
Manuel Pégourié-Gonnard | 178f9d6 | 2014-10-20 14:56:56 +0200 | [diff] [blame] | 4635 | |
Paul Bakker | daae3b7 | 2015-02-08 15:49:54 +0100 | [diff] [blame] | 4636 | = mbed TLS 1.3.10 released 2015-02-09 |
Manuel Pégourié-Gonnard | 547ff66 | 2014-11-26 15:42:16 +0100 | [diff] [blame] | 4637 | Security |
| 4638 | * NULL pointer dereference in the buffer-based allocator when the buffer is |
Manuel Pégourié-Gonnard | ee7d599 | 2015-01-28 14:02:38 +0000 | [diff] [blame] | 4639 | full and polarssl_free() is called (found by Mark Hasemeyer) |
Manuel Pégourié-Gonnard | 547ff66 | 2014-11-26 15:42:16 +0100 | [diff] [blame] | 4640 | (only possible if POLARSSL_MEMORY_BUFFER_ALLOC_C is enabled, which it is |
| 4641 | not by default). |
Manuel Pégourié-Gonnard | 0369a52 | 2014-11-11 22:17:26 +0100 | [diff] [blame] | 4642 | * Fix remotely-triggerable uninitialised pointer dereference caused by |
Manuel Pégourié-Gonnard | d681443 | 2014-11-12 01:25:31 +0100 | [diff] [blame] | 4643 | crafted X.509 certificate (TLS server is not affected if it doesn't ask for a |
Manuel Pégourié-Gonnard | 0369a52 | 2014-11-11 22:17:26 +0100 | [diff] [blame] | 4644 | client certificate) (found using Codenomicon Defensics). |
Manuel Pégourié-Gonnard | b134060 | 2014-11-11 23:11:16 +0100 | [diff] [blame] | 4645 | * Fix remotely-triggerable memory leak caused by crafted X.509 certificates |
Manuel Pégourié-Gonnard | d681443 | 2014-11-12 01:25:31 +0100 | [diff] [blame] | 4646 | (TLS server is not affected if it doesn't ask for a client certificate) |
| 4647 | (found using Codenomicon Defensics). |
| 4648 | * Fix potential stack overflow while parsing crafted X.509 certificates |
| 4649 | (TLS server is not affected if it doesn't ask for a client certificate) |
Manuel Pégourié-Gonnard | b134060 | 2014-11-11 23:11:16 +0100 | [diff] [blame] | 4650 | (found using Codenomicon Defensics). |
Manuel Pégourié-Gonnard | 6674cce | 2015-02-06 10:30:58 +0000 | [diff] [blame] | 4651 | * Fix timing difference that could theoretically lead to a |
| 4652 | Bleichenbacher-style attack in the RSA and RSA-PSK key exchanges |
| 4653 | (reported by Sebastian Schinzel). |
Manuel Pégourié-Gonnard | 0369a52 | 2014-11-11 22:17:26 +0100 | [diff] [blame] | 4654 | |
Manuel Pégourié-Gonnard | de17125 | 2014-11-08 17:58:24 +0100 | [diff] [blame] | 4655 | Features |
Manuel Pégourié-Gonnard | d1a878c | 2015-01-14 16:59:23 +0100 | [diff] [blame] | 4656 | * Add support for FALLBACK_SCSV (draft-ietf-tls-downgrade-scsv). |
| 4657 | * Add support for Extended Master Secret (draft-ietf-tls-session-hash). |
| 4658 | * Add support for Encrypt-then-MAC (RFC 7366). |
Manuel Pégourié-Gonnard | de17125 | 2014-11-08 17:58:24 +0100 | [diff] [blame] | 4659 | * Add function pk_check_pair() to test if public and private keys match. |
Manuel Pégourié-Gonnard | 426d4ae | 2014-11-19 16:58:28 +0100 | [diff] [blame] | 4660 | * Add x509_crl_parse_der(). |
Manuel Pégourié-Gonnard | fd6c85c | 2014-11-20 16:34:20 +0100 | [diff] [blame] | 4661 | * Add compile-time option POLARSSL_X509_MAX_INTERMEDIATE_CA to limit the |
| 4662 | length of an X.509 verification chain. |
Manuel Pégourié-Gonnard | fa42388 | 2014-11-04 19:57:55 +0100 | [diff] [blame] | 4663 | * Support for renegotiation can now be disabled at compile-time |
Manuel Pégourié-Gonnard | 3ff7823 | 2015-01-08 11:15:09 +0100 | [diff] [blame] | 4664 | * Support for 1/n-1 record splitting, a countermeasure against BEAST. |
Paul Bakker | 6152b02 | 2015-04-14 15:00:09 +0200 | [diff] [blame] | 4665 | * Certificate selection based on signature hash, preferring SHA-1 over SHA-2 |
Manuel Pégourié-Gonnard | df331a5 | 2015-01-08 16:43:07 +0100 | [diff] [blame] | 4666 | for pre-1.2 clients when multiple certificates are available. |
Manuel Pégourié-Gonnard | 1829245 | 2015-01-09 14:34:13 +0100 | [diff] [blame] | 4667 | * Add support for getrandom() syscall on recent Linux kernels with Glibc or |
| 4668 | a compatible enough libc (eg uClibc). |
Manuel Pégourié-Gonnard | d1a878c | 2015-01-14 16:59:23 +0100 | [diff] [blame] | 4669 | * Add ssl_set_arc4_support() to make it easier to disable RC4 at runtime |
Manuel Pégourié-Gonnard | bd47a58 | 2015-01-12 13:43:29 +0100 | [diff] [blame] | 4670 | while using the default ciphersuite list. |
Manuel Pégourié-Gonnard | 607d663 | 2015-01-26 11:17:20 +0000 | [diff] [blame] | 4671 | * Added new error codes and debug messages about selection of |
| 4672 | ciphersuite/certificate. |
Manuel Pégourié-Gonnard | 547ff66 | 2014-11-26 15:42:16 +0100 | [diff] [blame] | 4673 | |
Manuel Pégourié-Gonnard | 5cb4b31 | 2014-11-25 17:41:50 +0100 | [diff] [blame] | 4674 | Bugfix |
| 4675 | * Stack buffer overflow if ctr_drbg_update() is called with too large |
| 4676 | add_len (found by Jean-Philippe Aumasson) (not triggerable remotely). |
Manuel Pégourié-Gonnard | 5dd28ea | 2014-11-27 13:57:42 +0100 | [diff] [blame] | 4677 | * Possible buffer overflow of length at most POLARSSL_MEMORY_ALIGN_MULTIPLE |
| 4678 | if memory_buffer_alloc_init() was called with buf not aligned and len not |
Manuel Pégourié-Gonnard | d1a878c | 2015-01-14 16:59:23 +0100 | [diff] [blame] | 4679 | a multiple of POLARSSL_MEMORY_ALIGN_MULTIPLE (not triggerable remotely). |
| 4680 | * User set CFLAGS were ignored by Cmake with gcc (introduced in 1.3.9, found |
Manuel Pégourié-Gonnard | 54f6e56 | 2014-11-10 12:15:39 +0100 | [diff] [blame] | 4681 | by Julian Ospald). |
Manuel Pégourié-Gonnard | b31b61b | 2014-11-10 13:05:43 +0100 | [diff] [blame] | 4682 | * Fix potential undefined behaviour in Camellia. |
Manuel Pégourié-Gonnard | e959979 | 2014-11-10 13:43:55 +0100 | [diff] [blame] | 4683 | * Fix potential failure in ECDSA signatures when POLARSSL_ECP_MAX_BITS is a |
| 4684 | multiple of 8 (found by Gergely Budai). |
Manuel Pégourié-Gonnard | acdb9b9 | 2015-01-23 17:50:34 +0000 | [diff] [blame] | 4685 | * Fix unchecked return code in x509_crt_parse_path() on Windows (found by |
| 4686 | Peter Vaskovic). |
Manuel Pégourié-Gonnard | 9d7fc16 | 2015-01-19 17:16:54 +0000 | [diff] [blame] | 4687 | * Fix assembly selection for MIPS64 (thanks to James Cowgill). |
Manuel Pégourié-Gonnard | e89163c | 2015-01-23 14:30:57 +0000 | [diff] [blame] | 4688 | * ssl_get_verify_result() now works even if the handshake was aborted due |
| 4689 | to a failed verification (found by Fredrik Axelsson). |
Manuel Pégourié-Gonnard | f3046ef | 2015-01-28 14:13:30 +0000 | [diff] [blame] | 4690 | * Skip writing and parsing signature_algorithm extension if none of the |
| 4691 | key exchanges enabled needs certificates. This fixes a possible interop |
| 4692 | issue with some servers when a zero-length extension was sent. (Reported |
| 4693 | by Peter Dettman.) |
Manuel Pégourié-Gonnard | aa422b2 | 2015-02-02 09:30:45 +0000 | [diff] [blame] | 4694 | * On a 0-length input, base64_encode() did not correctly set output length |
| 4695 | (found by Hendrik van den Boogaard). |
Manuel Pégourié-Gonnard | 54f6e56 | 2014-11-10 12:15:39 +0100 | [diff] [blame] | 4696 | |
Manuel Pégourié-Gonnard | d056ce0 | 2014-10-29 22:29:20 +0100 | [diff] [blame] | 4697 | Changes |
| 4698 | * Use deterministic nonces for AEAD ciphers in TLS by default (possible to |
| 4699 | switch back to random with POLARSSL_SSL_AEAD_RANDOM_IV in config.h). |
Manuel Pégourié-Gonnard | e10e06d | 2014-11-06 18:15:12 +0100 | [diff] [blame] | 4700 | * Blind RSA private operations even when POLARSSL_RSA_NO_CRT is defined. |
Manuel Pégourié-Gonnard | de17125 | 2014-11-08 17:58:24 +0100 | [diff] [blame] | 4701 | * ssl_set_own_cert() now returns an error on key-certificate mismatch. |
Manuel Pégourié-Gonnard | 8a5e3d4 | 2014-11-12 17:47:28 +0100 | [diff] [blame] | 4702 | * Forbid repeated extensions in X.509 certificates. |
Manuel Pégourié-Gonnard | 8c9223d | 2014-11-19 10:17:21 +0100 | [diff] [blame] | 4703 | * debug_print_buf() now prints a text view in addition to hexadecimal. |
Manuel Pégourié-Gonnard | f01768c | 2015-01-08 17:06:16 +0100 | [diff] [blame] | 4704 | * A specific error is now returned when there are ciphersuites in common |
| 4705 | but none of them is usable due to external factors such as no certificate |
Paul Bakker | e522d0f | 2015-01-14 16:12:48 +0100 | [diff] [blame] | 4706 | with a suitable (extended)KeyUsage or curve or no PSK set. |
Manuel Pégourié-Gonnard | d1a878c | 2015-01-14 16:59:23 +0100 | [diff] [blame] | 4707 | * It is now possible to disable negotiation of truncated HMAC server-side |
Manuel Pégourié-Gonnard | e117a8f | 2015-01-09 12:39:35 +0100 | [diff] [blame] | 4708 | at runtime with ssl_set_truncated_hmac(). |
Paul Bakker | 5b8f7ea | 2015-01-14 16:26:54 +0100 | [diff] [blame] | 4709 | * Example programs for SSL client and server now disable SSLv3 by default. |
| 4710 | * Example programs for SSL client and server now disable RC4 by default. |
Manuel Pégourié-Gonnard | c9e0483 | 2015-01-19 16:24:23 +0000 | [diff] [blame] | 4711 | * Use platform.h in all test suites and programs. |
Manuel Pégourié-Gonnard | 5cb4b31 | 2014-11-25 17:41:50 +0100 | [diff] [blame] | 4712 | |
Paul Bakker | 9eac4f7 | 2014-10-20 13:56:15 +0200 | [diff] [blame] | 4713 | = PolarSSL 1.3.9 released 2014-10-20 |
Manuel Pégourié-Gonnard | 480905d | 2014-08-21 19:38:32 +0200 | [diff] [blame] | 4714 | Security |
| 4715 | * Lowest common hash was selected from signature_algorithms extension in |
| 4716 | TLS 1.2 (found by Darren Bane) (introduced in 1.3.8). |
Manuel Pégourié-Gonnard | 5d86185 | 2014-10-17 12:41:41 +0200 | [diff] [blame] | 4717 | * Remotely-triggerable memory leak when parsing some X.509 certificates |
Paul Bakker | b082bb5 | 2014-10-20 13:37:51 +0200 | [diff] [blame] | 4718 | (server is not affected if it doesn't ask for a client certificate) |
| 4719 | (found using Codenomicon Defensics). |
Manuel Pégourié-Gonnard | 43c3b28 | 2014-10-17 12:42:11 +0200 | [diff] [blame] | 4720 | * Remotely-triggerable memory leak when parsing crafted ClientHello |
Paul Bakker | b082bb5 | 2014-10-20 13:37:51 +0200 | [diff] [blame] | 4721 | (not affected if ECC support was compiled out) (found using Codenomicon |
| 4722 | Defensics). |
Manuel Pégourié-Gonnard | 480905d | 2014-08-21 19:38:32 +0200 | [diff] [blame] | 4723 | |
Paul Bakker | 8dcb2d7 | 2014-08-08 12:22:30 +0200 | [diff] [blame] | 4724 | Bugfix |
| 4725 | * Support escaping of commas in x509_string_to_names() |
Manuel Pégourié-Gonnard | 955028f | 2014-07-12 01:27:34 +0200 | [diff] [blame] | 4726 | * Fix compile error in ssl_pthread_server (found by Julian Ospald). |
Manuel Pégourié-Gonnard | 9a6b442 | 2014-07-21 13:42:54 +0200 | [diff] [blame] | 4727 | * Fix net_accept() regarding non-blocking sockets (found by Luca Pesce). |
Manuel Pégourié-Gonnard | 42cc641 | 2014-07-21 13:55:54 +0200 | [diff] [blame] | 4728 | * Don't print uninitialised buffer in ssl_mail_client (found by Marc Abel). |
Manuel Pégourié-Gonnard | 868c0ee | 2014-07-21 14:18:17 +0200 | [diff] [blame] | 4729 | * Fix warnings from Clang's scan-build (contributed by Alfred Klomp). |
Manuel Pégourié-Gonnard | 462906f | 2014-07-21 17:37:01 +0200 | [diff] [blame] | 4730 | * Fix compile error in timing.c when POLARSSL_NET_C and POLARSSL_SELFTEST |
| 4731 | are defined but not POLARSSL_HAVE_TIME (found by Stephane Di Vito). |
Manuel Pégourié-Gonnard | dca108e | 2014-07-21 18:15:22 +0200 | [diff] [blame] | 4732 | * Remove non-existent file from VS projects (found by Peter Vaskovic). |
Manuel Pégourié-Gonnard | f26a1e8 | 2014-08-19 12:28:50 +0200 | [diff] [blame] | 4733 | * ssl_read() could return non-application data records on server while |
| 4734 | renegotation was pending, and on client when a HelloRequest was received. |
Manuel Pégourié-Gonnard | f07f421 | 2014-08-15 19:04:47 +0200 | [diff] [blame] | 4735 | * Server-initiated renegotiation would fail with non-blocking I/O if the |
| 4736 | write callback returned WANT_WRITE when requesting renegotiation. |
Manuel Pégourié-Gonnard | a13500f | 2014-08-19 16:14:04 +0200 | [diff] [blame] | 4737 | * ssl_close_notify() could send more than one message in some circumstances |
| 4738 | with non-blocking I/O. |
Sander Niemeijer | ef5087d | 2014-08-16 12:45:52 +0200 | [diff] [blame] | 4739 | * Fix compiler warnings on iOS (found by Sander Niemeijer). |
Paul Bakker | 5a5fa92 | 2014-09-26 14:53:04 +0200 | [diff] [blame] | 4740 | * x509_crt_parse() did not increase total_failed on PEM error |
Manuel Pégourié-Gonnard | 7f4ed67 | 2014-10-14 20:56:02 +0200 | [diff] [blame] | 4741 | * Fix compile error with armcc in mpi_is_prime() |
Manuel Pégourié-Gonnard | f7cdbc0 | 2014-10-17 17:02:10 +0200 | [diff] [blame] | 4742 | * Fix potential bad read in parsing ServerHello (found by Adrien |
| 4743 | Vialletelle). |
Paul Bakker | 8dcb2d7 | 2014-08-08 12:22:30 +0200 | [diff] [blame] | 4744 | |
Manuel Pégourié-Gonnard | 8d4ad07 | 2014-07-13 14:43:28 +0200 | [diff] [blame] | 4745 | Changes |
| 4746 | * Ciphersuites using SHA-256 or SHA-384 now require TLS 1.x (there is no |
| 4747 | standard defining how to use SHA-2 with SSL 3.0). |
Manuel Pégourié-Gonnard | a04fa4f | 2014-07-13 16:16:44 +0200 | [diff] [blame] | 4748 | * Ciphersuites using RSA-PSK key exchange new require TLS 1.x (the spec is |
| 4749 | ambiguous on how to encode some packets with SSL 3.0). |
Manuel Pégourié-Gonnard | 192253a | 2014-07-21 16:37:15 +0200 | [diff] [blame] | 4750 | * Made buffer size in pk_write_(pub)key_pem() more dynamic, eg smaller if |
| 4751 | RSA is disabled, larger if POLARSSL_MPI_MAX_SIZE is larger. |
Manuel Pégourié-Gonnard | f26a1e8 | 2014-08-19 12:28:50 +0200 | [diff] [blame] | 4752 | * ssl_read() now returns POLARSSL_ERR_NET_WANT_READ rather than |
| 4753 | POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE on harmless alerts. |
Manuel Pégourié-Gonnard | da1b4de | 2014-09-08 17:03:50 +0200 | [diff] [blame] | 4754 | * POLARSSL_MPI_MAX_SIZE now defaults to 1024 in order to allow 8192 bits |
| 4755 | RSA keys. |
Manuel Pégourié-Gonnard | 64938c6 | 2014-10-15 21:45:39 +0200 | [diff] [blame] | 4756 | * Accept spaces at end of line or end of buffer in base64_decode(). |
Manuel Pégourié-Gonnard | 5d86185 | 2014-10-17 12:41:41 +0200 | [diff] [blame] | 4757 | * X.509 certificates with more than one AttributeTypeAndValue per |
| 4758 | RelativeDistinguishedName are not accepted any more. |
Manuel Pégourié-Gonnard | 8d4ad07 | 2014-07-13 14:43:28 +0200 | [diff] [blame] | 4759 | |
Paul Bakker | 1910aa7 | 2014-07-11 11:28:56 +0200 | [diff] [blame] | 4760 | = PolarSSL 1.3.8 released 2014-07-11 |
Manuel Pégourié-Gonnard | 0bcc4e1 | 2014-06-17 10:54:17 +0200 | [diff] [blame] | 4761 | Security |
| 4762 | * Fix length checking for AEAD ciphersuites (found by Codenomicon). |
| 4763 | It was possible to crash the server (and client) using crafted messages |
| 4764 | when a GCM suite was chosen. |
| 4765 | |
Paul Bakker | c6ece49 | 2014-05-22 15:45:03 +0200 | [diff] [blame] | 4766 | Features |
| 4767 | * Add CCM module and cipher mode to Cipher Layer |
| 4768 | * Support for CCM and CCM_8 ciphersuites |
Manuel Pégourié-Gonnard | b479871 | 2014-06-06 18:10:44 +0200 | [diff] [blame] | 4769 | * Support for parsing and verifying RSASSA-PSS signatures in the X.509 |
| 4770 | modules (certificates, CRLs and CSRs). |
Manuel Pégourié-Gonnard | 398c57b | 2014-06-23 12:10:59 +0200 | [diff] [blame] | 4771 | * Blowfish in the cipher layer now supports variable length keys. |
Manuel Pégourié-Gonnard | 3579522 | 2014-06-24 17:33:54 +0200 | [diff] [blame] | 4772 | * Add example config.h for PSK with CCM, optimized for low RAM usage. |
| 4773 | * Optimize for RAM usage in example config.h for NSA Suite B profile. |
Manuel Pégourié-Gonnard | 01edb10 | 2014-06-24 22:42:34 +0200 | [diff] [blame] | 4774 | * Add POLARSSL_REMOVE_ARC4_CIPHERSUITES to allow removing RC4 ciphersuites |
| 4775 | from the default list (inactive by default). |
Paul Bakker | 23647b4 | 2014-07-04 15:00:12 +0200 | [diff] [blame] | 4776 | * Add server-side enforcement of sent renegotiation requests |
| 4777 | (ssl_set_renegotiation_enforced()) |
Manuel Pégourié-Gonnard | dfc7df0 | 2014-06-30 17:59:55 +0200 | [diff] [blame] | 4778 | * Add SSL_CIPHERSUITES config.h flag to allow specifying a list of |
| 4779 | ciphersuites to use and save some memory if the list is small. |
Paul Bakker | c6ece49 | 2014-05-22 15:45:03 +0200 | [diff] [blame] | 4780 | |
Paul Bakker | 863989b | 2014-06-12 21:49:01 +0200 | [diff] [blame] | 4781 | Changes |
| 4782 | * Add LINK_WITH_PTHREAD option in CMake for explicit linking that is |
| 4783 | required on some platforms (e.g. OpenBSD) |
Paul Bakker | 3461772 | 2014-06-13 17:20:13 +0200 | [diff] [blame] | 4784 | * Migrate zeroizing of data to polarssl_zeroize() instead of memset() |
| 4785 | against unwanted compiler optimizations |
Manuel Pégourié-Gonnard | bd77254 | 2014-07-07 14:02:33 +0200 | [diff] [blame] | 4786 | * md_list() now returns hashes strongest first |
Manuel Pégourié-Gonnard | 08e81e0 | 2014-07-08 12:56:25 +0200 | [diff] [blame] | 4787 | * Selection of hash for signing ServerKeyExchange in TLS 1.2 now picks |
| 4788 | strongest offered by client. |
Paul Bakker | 28476e2 | 2014-07-01 15:59:04 +0200 | [diff] [blame] | 4789 | * All public contexts have _init() and _free() functions now for simpler |
| 4790 | usage pattern |
Paul Bakker | 863989b | 2014-06-12 21:49:01 +0200 | [diff] [blame] | 4791 | |
Paul Bakker | 5593f7c | 2014-05-06 10:29:28 +0200 | [diff] [blame] | 4792 | Bugfix |
| 4793 | * Fix in debug_print_msg() |
Paul Bakker | 1ebc0c5 | 2014-05-22 15:47:58 +0200 | [diff] [blame] | 4794 | * Enforce alignment in the buffer allocator even if buffer is not aligned |
Paul Bakker | dff3139 | 2014-05-22 15:06:41 +0200 | [diff] [blame] | 4795 | * Remove less-than-zero checks on unsigned numbers |
Paul Bakker | 0f651c7 | 2014-05-22 15:12:19 +0200 | [diff] [blame] | 4796 | * Stricter check on SSL ClientHello internal sizes compared to actual packet |
| 4797 | size (found by TrustInSoft) |
Paul Bakker | 49033ba | 2014-06-12 21:46:13 +0200 | [diff] [blame] | 4798 | * Fix WSAStartup() return value check (found by Peter Vaskovic) |
| 4799 | * Other minor issues (found by Peter Vaskovic) |
| 4800 | * Fix symlink command for cross compiling with CMake (found by Andre |
| 4801 | Heinecke) |
Paul Bakker | 3c38f29 | 2014-06-13 17:37:46 +0200 | [diff] [blame] | 4802 | * Fix DER output of gen_key app (found by Gergely Budai) |
Manuel Pégourié-Gonnard | 08485cc | 2014-06-18 23:11:34 +0200 | [diff] [blame] | 4803 | * Very small records were incorrectly rejected when truncated HMAC was in |
Manuel Pégourié-Gonnard | eaa76f7 | 2014-06-18 16:06:02 +0200 | [diff] [blame] | 4804 | use with some ciphersuites and versions (RC4 in all versions, CBC with |
| 4805 | versions < TLS 1.1). |
Manuel Pégourié-Gonnard | 08485cc | 2014-06-18 23:11:34 +0200 | [diff] [blame] | 4806 | * Very large records using more than 224 bytes of padding were incorrectly |
| 4807 | rejected with CBC-based ciphersuites and TLS >= 1.1 |
| 4808 | * Very large records using less padding could cause a buffer overread of up |
| 4809 | to 32 bytes with CBC-based ciphersuites and TLS >= 1.1 |
Manuel Pégourié-Gonnard | c4eff16 | 2014-06-19 12:18:08 +0200 | [diff] [blame] | 4810 | * Restore ability to use a v1 cert as a CA if trusted locally. (This had |
| 4811 | been removed in 1.3.6.) |
Manuel Pégourié-Gonnard | d249b7a | 2014-06-24 11:49:16 +0200 | [diff] [blame] | 4812 | * Restore ability to locally trust a self-signed cert that is not a proper |
| 4813 | CA for use as an end entity certificate. (This had been removed in |
| 4814 | 1.3.6.) |
Barry K. Nathan | 35e7cb9 | 2014-05-05 23:26:13 -0700 | [diff] [blame] | 4815 | * Fix preprocessor checks for bn_mul PPC asm (found by Barry K. Nathan). |
Manuel Pégourié-Gonnard | acbcbba | 2014-06-19 17:20:43 +0200 | [diff] [blame] | 4816 | * Use \n\t rather than semicolons for bn_mul asm, since some assemblers |
| 4817 | interpret semicolons as comment delimiters (found by Barry K. Nathan). |
Manuel Pégourié-Gonnard | fd35af1 | 2014-06-23 14:10:13 +0200 | [diff] [blame] | 4818 | * Fix off-by-one error in parsing Supported Point Format extension that |
| 4819 | caused some handshakes to fail. |
Manuel Pégourié-Gonnard | 8df6863 | 2014-06-23 17:56:08 +0200 | [diff] [blame] | 4820 | * Fix possible miscomputation of the premaster secret with DHE-PSK key |
| 4821 | exchange that caused some handshakes to fail with other implementations. |
| 4822 | (Failure rate <= 1/255 with common DHM moduli.) |
Manuel Pégourié-Gonnard | 3135725 | 2014-06-24 17:57:57 +0200 | [diff] [blame] | 4823 | * Disable broken Sparc64 bn_mul assembly (found by Florian Obser). |
Paul Bakker | d598318 | 2014-07-04 13:50:31 +0200 | [diff] [blame] | 4824 | * Fix base64_decode() to return and check length correctly (in case of |
| 4825 | tight buffers) |
Paul Bakker | 6c343d7 | 2014-07-10 14:36:19 +0200 | [diff] [blame] | 4826 | * Fix mpi_write_string() to write "00" as hex output for empty MPI (found |
| 4827 | by Hui Dong) |
Paul Bakker | 5593f7c | 2014-05-06 10:29:28 +0200 | [diff] [blame] | 4828 | |
Paul Bakker | 47431b6 | 2014-05-02 13:27:13 +0200 | [diff] [blame] | 4829 | = PolarSSL 1.3.7 released on 2014-05-02 |
Paul Bakker | eaebbd5 | 2014-04-25 15:04:14 +0200 | [diff] [blame] | 4830 | Features |
Paul Bakker | c73079a | 2014-04-25 16:34:30 +0200 | [diff] [blame] | 4831 | * debug_set_log_mode() added to determine raw or full logging |
| 4832 | * debug_set_threshold() added to ignore messages over threshold level |
Paul Bakker | 0f90d7d | 2014-04-30 11:49:44 +0200 | [diff] [blame] | 4833 | * version_check_feature() added to check for compile-time options at |
| 4834 | run-time |
Paul Bakker | 92478c3 | 2014-04-25 15:18:34 +0200 | [diff] [blame] | 4835 | |
Paul Bakker | 088c5c5 | 2014-04-25 11:11:10 +0200 | [diff] [blame] | 4836 | Changes |
| 4837 | * POLARSSL_CONFIG_OPTIONS has been removed. All values are individually |
| 4838 | checked and filled in the relevant module headers |
Paul Bakker | 92478c3 | 2014-04-25 15:18:34 +0200 | [diff] [blame] | 4839 | * Debug module only outputs full lines instead of parts |
Paul Bakker | 6384440 | 2014-04-30 15:34:12 +0200 | [diff] [blame] | 4840 | * Better support for the different Attribute Types from IETF PKIX (RFC 5280) |
Manuel Pégourié-Gonnard | 63a5bfe | 2014-04-26 17:21:07 +0200 | [diff] [blame] | 4841 | * AES-NI now compiles with "old" assemblers too |
Manuel Pégourié-Gonnard | c16f4e1 | 2014-04-29 18:23:07 +0200 | [diff] [blame] | 4842 | * Ciphersuites based on RC4 now have the lowest priority by default |
Paul Bakker | 088c5c5 | 2014-04-25 11:11:10 +0200 | [diff] [blame] | 4843 | |
Paul Bakker | e92f73d | 2014-04-18 14:08:26 +0200 | [diff] [blame] | 4844 | Bugfix |
| 4845 | * Only iterate over actual certificates in ssl_write_certificate_request() |
| 4846 | (found by Matthew Page) |
Paul Bakker | 4ffcd2f | 2014-04-25 11:44:12 +0200 | [diff] [blame] | 4847 | * Typos in platform.c and pkcs11.c (found by Daniel Phillips and Steffan |
| 4848 | Karger) |
Paul Bakker | fdba468 | 2014-04-25 11:48:35 +0200 | [diff] [blame] | 4849 | * cert_write app should use subject of issuer certificate as issuer of cert |
Paul Bakker | 61885c7 | 2014-04-25 12:59:03 +0200 | [diff] [blame] | 4850 | * Fix false reject in padding check in ssl_decrypt_buf() for CBC |
| 4851 | ciphersuites, for full SSL frames of data. |
Paul Bakker | a703663 | 2014-04-30 10:15:38 +0200 | [diff] [blame] | 4852 | * Improve interoperability by not writing extension length in ClientHello / |
| 4853 | ServerHello when no extensions are present (found by Matthew Page) |
Paul Bakker | 24f37cc | 2014-04-30 13:33:35 +0200 | [diff] [blame] | 4854 | * rsa_check_pubkey() now allows an E up to N |
Paul Bakker | f96f7b6 | 2014-04-30 16:02:38 +0200 | [diff] [blame] | 4855 | * On OpenBSD, use arc4random_buf() instead of rand() to prevent warnings |
Paul Bakker | 33dc46b | 2014-04-30 16:11:39 +0200 | [diff] [blame] | 4856 | * mpi_fill_random() was creating numbers larger than requested on |
| 4857 | big-endian platform when size was not an integer number of limbs |
Manuel Pégourié-Gonnard | edc81ff | 2014-04-29 15:06:49 +0200 | [diff] [blame] | 4858 | * Fix dependencies issues in X.509 test suite. |
Manuel Pégourié-Gonnard | 3a306b9 | 2014-04-29 15:11:17 +0200 | [diff] [blame] | 4859 | * Some parts of ssl_tls.c were compiled even when the module was disabled. |
Markus Pfeiffer | a26a005 | 2014-04-22 20:16:15 +0000 | [diff] [blame] | 4860 | * Fix detection of DragonflyBSD in net.c (found by Markus Pfeiffer) |
Barry K. Nathan | cf975f5 | 2014-04-23 17:40:25 -0700 | [diff] [blame] | 4861 | * Fix detection of Clang on some Apple platforms with CMake |
| 4862 | (found by Barry K. Nathan) |
Paul Bakker | e92f73d | 2014-04-18 14:08:26 +0200 | [diff] [blame] | 4863 | |
Paul Bakker | 784b04f | 2014-04-11 15:33:59 +0200 | [diff] [blame] | 4864 | = PolarSSL 1.3.6 released on 2014-04-11 |
Manuel Pégourié-Gonnard | 969ccc6 | 2014-03-26 19:53:25 +0100 | [diff] [blame] | 4865 | |
Paul Bakker | 27e36d3 | 2014-04-08 12:33:37 +0200 | [diff] [blame] | 4866 | Features |
| 4867 | * Support for the ALPN SSL extension |
Paul Bakker | 1cfc458 | 2014-04-09 15:25:13 +0200 | [diff] [blame] | 4868 | * Add option 'use_dev_random' to gen_key application |
Manuel Pégourié-Gonnard | b7fff0f | 2014-04-11 11:32:39 +0200 | [diff] [blame] | 4869 | * Enable verification of the keyUsage extension for CA and leaf |
Paul Bakker | 5936621 | 2014-04-09 15:55:20 +0200 | [diff] [blame] | 4870 | certificates (POLARSSL_X509_CHECK_KEY_USAGE) |
Manuel Pégourié-Gonnard | b7fff0f | 2014-04-11 11:32:39 +0200 | [diff] [blame] | 4871 | * Enable verification of the extendedKeyUsage extension |
| 4872 | (POLARSSL_X509_CHECK_EXTENDED_KEY_USAGE) |
Paul Bakker | 27e36d3 | 2014-04-08 12:33:37 +0200 | [diff] [blame] | 4873 | |
Paul Bakker | 4984d3c | 2014-04-04 15:39:37 +0200 | [diff] [blame] | 4874 | Changes |
| 4875 | * x509_crt_info() now prints information about parsed extensions as well |
Manuel Pégourié-Gonnard | 2abed84 | 2014-04-08 12:40:15 +0200 | [diff] [blame] | 4876 | * pk_verify() now returns a specific error code when the signature is valid |
| 4877 | but shorter than the supplied length. |
Manuel Pégourié-Gonnard | 0776a43 | 2014-04-11 12:25:45 +0200 | [diff] [blame] | 4878 | * Use UTC time to check certificate validity. |
Manuel Pégourié-Gonnard | 9655e45 | 2014-04-11 12:29:49 +0200 | [diff] [blame] | 4879 | * Reject certificates with times not in UTC, per RFC 5280. |
Paul Bakker | 4984d3c | 2014-04-04 15:39:37 +0200 | [diff] [blame] | 4880 | |
Manuel Pégourié-Gonnard | dd75c31 | 2014-03-31 11:55:42 +0200 | [diff] [blame] | 4881 | Security |
| 4882 | * Avoid potential timing leak in ecdsa_sign() by blinding modular division. |
| 4883 | (Found by Watson Ladd.) |
Manuel Pégourié-Gonnard | 8c045ef | 2014-04-08 11:55:03 +0200 | [diff] [blame] | 4884 | * The notAfter date of some certificates was no longer checked since 1.3.5. |
| 4885 | This affects certificates in the user-supplied chain except the top |
| 4886 | certificate. If the user-supplied chain contains only one certificates, |
| 4887 | it is not affected (ie, its notAfter date is properly checked). |
Paul Bakker | 4224bc0 | 2014-04-08 14:36:50 +0200 | [diff] [blame] | 4888 | * Prevent potential NULL pointer dereference in ssl_read_record() (found by |
| 4889 | TrustInSoft) |
Manuel Pégourié-Gonnard | dd75c31 | 2014-03-31 11:55:42 +0200 | [diff] [blame] | 4890 | |
Manuel Pégourié-Gonnard | 969ccc6 | 2014-03-26 19:53:25 +0100 | [diff] [blame] | 4891 | Bugfix |
| 4892 | * The length of various ClientKeyExchange messages was not properly checked. |
Manuel Pégourié-Gonnard | 6b0d268 | 2014-03-25 11:24:43 +0100 | [diff] [blame] | 4893 | * Some example server programs were not sending the close_notify alert. |
Paul Bakker | 75a2860 | 2014-03-31 12:08:17 +0200 | [diff] [blame] | 4894 | * Potential memory leak in mpi_exp_mod() when error occurs during |
| 4895 | calculation of RR. |
Manuel Pégourié-Gonnard | 74bc68a | 2014-04-02 13:20:00 +0200 | [diff] [blame] | 4896 | * Fixed malloc/free default #define in platform.c (found by Gergely Budai). |
Manuel Pégourié-Gonnard | e442111 | 2014-04-02 13:50:05 +0200 | [diff] [blame] | 4897 | * Fixed type which made POLARSSL_ENTROPY_FORCE_SHA256 uneffective (found by |
| 4898 | Gergely Budai). |
Manuel Pégourié-Gonnard | 887aa5b | 2014-04-04 13:57:20 +0200 | [diff] [blame] | 4899 | * Fix #include path in ecdsa.h which wasn't accepted by some compilers. |
| 4900 | (found by Gergely Budai) |
Shuo Chen | 95a0d11 | 2014-04-04 21:04:40 -0700 | [diff] [blame] | 4901 | * Fix compile errors when POLARSSL_ERROR_STRERROR_BC is undefined (found by |
| 4902 | Shuo Chen). |
Manuel Pégourié-Gonnard | 7afdb88 | 2014-03-28 16:06:35 +0100 | [diff] [blame] | 4903 | * oid_get_numeric_string() used to truncate the output without returning an |
| 4904 | error if the output buffer was just 1 byte too small. |
Manuel Pégourié-Gonnard | 3fec220 | 2014-03-29 16:42:38 +0100 | [diff] [blame] | 4905 | * dhm_parse_dhm() (hence dhm_parse_dhmfile()) did not set dhm->len. |
Manuel Pégourié-Gonnard | 0148875 | 2014-04-03 22:09:18 +0200 | [diff] [blame] | 4906 | * Calling pk_debug() on an RSA-alt key would segfault. |
| 4907 | * pk_get_size() and pk_get_len() were off by a factor 8 for RSA-alt keys. |
Paul Bakker | 1630058 | 2014-04-11 13:28:43 +0200 | [diff] [blame] | 4908 | * Potential buffer overwrite in pem_write_buffer() because of low length |
| 4909 | indication (found by Thijs Alkemade) |
Manuel Pégourié-Gonnard | 7884837 | 2014-04-10 17:45:07 +0200 | [diff] [blame] | 4910 | * EC curves constants, which should be only in ROM since 1.3.3, were also |
| 4911 | stored in RAM due to missing 'const's (found by Gergely Budai). |
Manuel Pégourié-Gonnard | 969ccc6 | 2014-03-26 19:53:25 +0100 | [diff] [blame] | 4912 | |
Paul Bakker | 96d5265 | 2014-03-26 16:55:50 +0100 | [diff] [blame] | 4913 | = PolarSSL 1.3.5 released on 2014-03-26 |
Paul Bakker | 5fb8efe | 2014-02-05 15:54:34 +0100 | [diff] [blame] | 4914 | Features |
| 4915 | * HMAC-DRBG as a separate module |
Manuel Pégourié-Gonnard | 84c30c7 | 2014-02-26 17:38:55 +0100 | [diff] [blame] | 4916 | * Option to set the Curve preference order (disabled by default) |
Paul Bakker | 6a28e72 | 2014-02-06 13:41:55 +0100 | [diff] [blame] | 4917 | * Single Platform compatilibity layer (for memory / printf / fprintf) |
Paul Bakker | f2561b3 | 2014-02-06 15:11:55 +0100 | [diff] [blame] | 4918 | * Ability to provide alternate timing implementation |
Paul Bakker | 2ceda57 | 2014-02-06 15:55:25 +0100 | [diff] [blame] | 4919 | * Ability to force the entropy module to use SHA-256 as its basis |
| 4920 | (POLARSSL_ENTROPY_FORCE_SHA256) |
Paul Bakker | 6a8e7f8 | 2014-03-17 13:45:06 +0100 | [diff] [blame] | 4921 | * Testing script ssl-opt.sh added for testing 'live' ssl option |
| 4922 | interoperability against OpenSSL and PolarSSL |
Manuel Pégourié-Gonnard | 86b400f | 2014-03-19 16:55:29 +0100 | [diff] [blame] | 4923 | * Support for reading EC keys that use SpecifiedECDomain in some cases. |
Paul Bakker | 66ff70d | 2014-03-26 11:54:05 +0100 | [diff] [blame] | 4924 | * Entropy module now supports seed writing and reading |
Paul Bakker | 6a28e72 | 2014-02-06 13:41:55 +0100 | [diff] [blame] | 4925 | |
| 4926 | Changes |
| 4927 | * Deprecated the Memory layer |
Paul Bakker | 47703a0 | 2014-02-06 15:01:20 +0100 | [diff] [blame] | 4928 | * entropy_add_source(), entropy_update_manual() and entropy_gather() |
| 4929 | now thread-safe if POLARSSL_THREADING_C defined |
Manuel Pégourié-Gonnard | 14ed1a2 | 2014-03-11 10:16:25 +0100 | [diff] [blame] | 4930 | * Improvements to the CMake build system, contributed by Julian Ospald. |
Manuel Pégourié-Gonnard | bb8661e | 2014-03-14 09:21:20 +0100 | [diff] [blame] | 4931 | * Work around a bug of the version of Clang shipped by Apple with Mavericks |
| 4932 | that prevented bignum.c from compiling. (Reported by Rafael Baptista.) |
Paul Bakker | 6a8e7f8 | 2014-03-17 13:45:06 +0100 | [diff] [blame] | 4933 | * Revamped the compat.sh interoperatibility script to include support for |
| 4934 | testing against GnuTLS |
Manuel Pégourié-Gonnard | 7a2aba8 | 2014-03-25 16:37:27 +0100 | [diff] [blame] | 4935 | * Deprecated ssl_set_own_cert_rsa() and ssl_set_own_cert_rsa_alt() |
Paul Bakker | 674e0b0 | 2014-03-26 13:26:52 +0100 | [diff] [blame] | 4936 | * Improvements to tests/Makefile, contributed by Oden Eriksson. |
Paul Bakker | 5fb8efe | 2014-02-05 15:54:34 +0100 | [diff] [blame] | 4937 | |
Manuel Pégourié-Gonnard | 796c6f3 | 2014-03-10 09:34:49 +0100 | [diff] [blame] | 4938 | Security |
| 4939 | * Forbid change of server certificate during renegotiation to prevent |
Manuel Pégourié-Gonnard | b2bf5a1 | 2014-03-25 16:28:12 +0100 | [diff] [blame] | 4940 | "triple handshake" attack when authentication mode is 'optional' (the |
Manuel Pégourié-Gonnard | 796c6f3 | 2014-03-10 09:34:49 +0100 | [diff] [blame] | 4941 | attack was already impossible when authentication is required). |
Manuel Pégourié-Gonnard | 9533765 | 2014-03-10 13:15:18 +0100 | [diff] [blame] | 4942 | * Check notBefore timestamp of certificates and CRLs from the future. |
Manuel Pégourié-Gonnard | 83cdffc | 2014-03-10 21:20:29 +0100 | [diff] [blame] | 4943 | * Forbid sequence number wrapping |
Manuel Pégourié-Gonnard | 7a2aba8 | 2014-03-25 16:37:27 +0100 | [diff] [blame] | 4944 | * Fixed possible buffer overflow with overlong PSK |
Paul Bakker | 91c61bc | 2014-03-26 14:06:55 +0100 | [diff] [blame] | 4945 | * Possible remotely-triggered out-of-bounds memory access fixed (found by |
| 4946 | TrustInSoft) |
Manuel Pégourié-Gonnard | 796c6f3 | 2014-03-10 09:34:49 +0100 | [diff] [blame] | 4947 | |
Manuel Pégourié-Gonnard | 6e8e34d | 2014-01-28 19:30:56 +0100 | [diff] [blame] | 4948 | Bugfix |
| 4949 | * ecp_gen_keypair() does more tries to prevent failure because of |
| 4950 | statistics |
Manuel Pégourié-Gonnard | 7a2aba8 | 2014-03-25 16:37:27 +0100 | [diff] [blame] | 4951 | * Fixed bug in RSA PKCS#1 v1.5 "reversed" operations |
Paul Bakker | cd6d69a | 2014-02-06 15:43:21 +0100 | [diff] [blame] | 4952 | * Fixed testing with out-of-source builds using cmake |
Manuel Pégourié-Gonnard | 6b1e207 | 2014-02-12 10:14:54 +0100 | [diff] [blame] | 4953 | * Fixed version-major intolerance in server |
Paul Bakker | 3d52ab7 | 2014-03-07 10:33:55 +0100 | [diff] [blame] | 4954 | * Fixed CMake symlinking on out-of-source builds |
Manuel Pégourié-Gonnard | 29dcc0b | 2014-03-10 11:32:07 +0100 | [diff] [blame] | 4955 | * Fixed dependency issues in test suite |
Manuel Pégourié-Gonnard | 844a4c0 | 2014-03-10 21:55:35 +0100 | [diff] [blame] | 4956 | * Programs rsa_sign_pss and rsa_verify_pss were not using PSS since 1.3.0 |
Alex Wilson | 7349142 | 2014-03-06 00:04:09 +1000 | [diff] [blame] | 4957 | * Bignum's MIPS-32 assembly was used on MIPS-64, causing chaos. (Found by |
| 4958 | Alex Wilson.) |
Manuel Pégourié-Gonnard | 84c30c7 | 2014-02-26 17:38:55 +0100 | [diff] [blame] | 4959 | * ssl_cache was creating entries when max_entries=0 if TIMING_C was enabled. |
| 4960 | * m_sleep() was sleeping twice too long on most Unix platforms. |
Manuel Pégourié-Gonnard | 145dfcb | 2014-02-26 14:23:33 +0100 | [diff] [blame] | 4961 | * Fixed bug with session tickets and non-blocking I/O in the unlikely case |
Paul Bakker | b0695ce | 2014-03-17 13:42:23 +0100 | [diff] [blame] | 4962 | send() would return an EAGAIN error when sending the ticket. |
Manuel Pégourié-Gonnard | 84c30c7 | 2014-02-26 17:38:55 +0100 | [diff] [blame] | 4963 | * ssl_cache was leaking memory when reusing a timed out entry containing a |
Paul Bakker | b0695ce | 2014-03-17 13:42:23 +0100 | [diff] [blame] | 4964 | client certificate. |
Manuel Pégourié-Gonnard | d701c9a | 2014-02-26 17:54:07 +0100 | [diff] [blame] | 4965 | * ssl_srv was leaking memory when client presented a timed out ticket |
Paul Bakker | b0695ce | 2014-03-17 13:42:23 +0100 | [diff] [blame] | 4966 | containing a client certificate |
Paul Bakker | 3d6504a | 2014-03-17 13:41:51 +0100 | [diff] [blame] | 4967 | * ssl_init() was leaving a dirty pointer in ssl_context if malloc of |
| 4968 | out_ctr failed |
Paul Bakker | 77f4f39 | 2014-03-26 15:28:55 +0100 | [diff] [blame] | 4969 | * ssl_handshake_init() was leaving dirty pointers in subcontexts if malloc |
| 4970 | of one of them failed |
Manuel Pégourié-Gonnard | fdddac9 | 2014-03-25 15:58:35 +0100 | [diff] [blame] | 4971 | * Fix typo in rsa_copy() that impacted PKCS#1 v2 contexts |
Paul Bakker | 5fff23b | 2014-03-26 15:34:54 +0100 | [diff] [blame] | 4972 | * x509_get_current_time() uses localtime_r() to prevent thread issues |
Manuel Pégourié-Gonnard | 6e8e34d | 2014-01-28 19:30:56 +0100 | [diff] [blame] | 4973 | |
Paul Bakker | 2aca241 | 2014-01-27 11:49:46 +0100 | [diff] [blame] | 4974 | = PolarSSL 1.3.4 released on 2014-01-27 |
Paul Bakker | 3eb9673 | 2014-01-22 13:08:19 +0100 | [diff] [blame] | 4975 | Features |
Paul Bakker | 0ac99ca | 2014-01-22 13:08:44 +0100 | [diff] [blame] | 4976 | * Support for the Koblitz curves: secp192k1, secp224k1, secp256k1 |
Paul Bakker | 5862eee | 2014-01-22 14:18:03 +0100 | [diff] [blame] | 4977 | * Support for RIPEMD-160 |
Paul Bakker | 556efba | 2014-01-24 15:38:12 +0100 | [diff] [blame] | 4978 | * Support for AES CFB8 mode |
Paul Bakker | e6c2ddb | 2014-01-27 11:47:15 +0100 | [diff] [blame] | 4979 | * Support for deterministic ECDSA (RFC 6979) |
Paul Bakker | 3eb9673 | 2014-01-22 13:08:19 +0100 | [diff] [blame] | 4980 | |
| 4981 | Bugfix |
| 4982 | * Potential memory leak in bignum_selftest() |
| 4983 | * Replaced expired test certificate |
Paul Bakker | d75ba40 | 2014-01-24 16:11:17 +0100 | [diff] [blame] | 4984 | * ssl_mail_client now terminates lines with CRLF, instead of LF |
Paul Bakker | b84582b | 2014-01-27 12:23:43 +0100 | [diff] [blame] | 4985 | * net module handles timeouts on blocking sockets better (found by Tilman |
| 4986 | Sauerbeck) |
Paul Bakker | 2cb1a0c | 2014-01-27 13:36:23 +0100 | [diff] [blame] | 4987 | * Assembly format fixes in bn_mul.h |
| 4988 | |
| 4989 | Security |
Paul Bakker | b84582b | 2014-01-27 12:23:43 +0100 | [diff] [blame] | 4990 | * Missing MPI_CHK calls added around unguarded mpi calls (found by |
| 4991 | TrustInSoft) |
Paul Bakker | 3eb9673 | 2014-01-22 13:08:19 +0100 | [diff] [blame] | 4992 | |
Paul Bakker | 5bc07a3 | 2013-12-31 10:57:44 +0100 | [diff] [blame] | 4993 | = PolarSSL 1.3.3 released on 2013-12-31 |
Paul Bakker | 014f143 | 2013-12-02 14:54:01 +0100 | [diff] [blame] | 4994 | Features |
| 4995 | * EC key generation support in gen_key app |
Paul Bakker | 9dc53a9 | 2013-12-02 14:55:28 +0100 | [diff] [blame] | 4996 | * Support for adhering to client ciphersuite order preference |
| 4997 | (POLARSSL_SSL_SRV_RESPECT_CLIENT_PREFERENCE) |
Paul Bakker | 48d78a5 | 2013-12-05 16:11:38 +0100 | [diff] [blame] | 4998 | * Support for Curve25519 |
Paul Bakker | fdf9469 | 2013-12-17 13:09:31 +0100 | [diff] [blame] | 4999 | * Support for ECDH-RSA and ECDH-ECDSA key exchanges and ciphersuites |
Paul Bakker | 5a607d2 | 2013-12-17 14:33:42 +0100 | [diff] [blame] | 5000 | * Support for IPv6 in the NET module |
Paul Bakker | 23116fd | 2013-12-30 14:09:47 +0100 | [diff] [blame] | 5001 | * AES-NI support for AES, AES-GCM and AES key scheduling |
Paul Bakker | f9c4953 | 2013-12-19 15:40:58 +0100 | [diff] [blame] | 5002 | * SSL Pthread-based server example added (ssl_pthread_server) |
Paul Bakker | 014f143 | 2013-12-02 14:54:01 +0100 | [diff] [blame] | 5003 | |
Paul Bakker | 7aa0375 | 2013-11-26 17:37:31 +0100 | [diff] [blame] | 5004 | Changes |
| 5005 | * gen_prime() speedup |
| 5006 | * Speedup of ECP multiplication operation |
| 5007 | * Relaxed some SHA2 ciphersuite's version requirements |
Paul Bakker | c3d0d07 | 2013-12-02 14:50:49 +0100 | [diff] [blame] | 5008 | * Dropped use of readdir_r() instead of readdir() with threading support |
Paul Bakker | 4040d7e | 2013-12-02 14:52:57 +0100 | [diff] [blame] | 5009 | * More constant-time checks in the RSA module |
Paul Bakker | b14817d | 2013-12-02 22:03:23 +0100 | [diff] [blame] | 5010 | * Split off curves from ecp.c into ecp_curves.c |
Paul Bakker | 5ab68ba | 2013-12-17 13:10:48 +0100 | [diff] [blame] | 5011 | * Curves are now stored fully in ROM |
Paul Bakker | c738791 | 2013-12-31 10:32:50 +0100 | [diff] [blame] | 5012 | * Memory usage optimizations in ECP module |
Paul Bakker | a8fd3e3 | 2013-12-31 11:54:08 +0100 | [diff] [blame] | 5013 | * Removed POLARSSL_THREADING_DUMMY |
Paul Bakker | 7aa0375 | 2013-11-26 17:37:31 +0100 | [diff] [blame] | 5014 | |
Paul Bakker | f2b4d86 | 2013-11-20 17:23:53 +0100 | [diff] [blame] | 5015 | Bugfix |
Manuel Pégourié-Gonnard | 9a4a5ac | 2013-12-04 18:05:29 +0100 | [diff] [blame] | 5016 | * Fixed bug in mpi_set_bit() on platforms where t_uint is wider than int |
Paul Bakker | f2b4d86 | 2013-11-20 17:23:53 +0100 | [diff] [blame] | 5017 | * Fixed X.509 hostname comparison (with non-regular characters) |
Paul Bakker | a9a028e | 2013-11-21 17:31:06 +0100 | [diff] [blame] | 5018 | * SSL now gracefully handles missing RNG |
Paul Bakker | 7aa0375 | 2013-11-26 17:37:31 +0100 | [diff] [blame] | 5019 | * Missing defines / cases for RSA_PSK key exchange |
| 5020 | * crypt_and_hash app checks MAC before final decryption |
Paul Bakker | 6f0636a | 2013-12-16 15:24:05 +0100 | [diff] [blame] | 5021 | * Potential memory leak in ssl_ticket_keys_init() |
Paul Bakker | f70fe81 | 2013-12-16 16:43:10 +0100 | [diff] [blame] | 5022 | * Memory leak in benchmark application |
Paul Bakker | 1a56fc9 | 2013-12-19 13:51:24 +0100 | [diff] [blame] | 5023 | * Fixed x509_crt_parse_path() bug on Windows platforms |
Paul Bakker | 6ea1a95 | 2013-12-31 11:16:03 +0100 | [diff] [blame] | 5024 | * Added missing MPI_CHK() around some statements in mpi_div_mpi() (found by |
| 5025 | TrustInSoft) |
Paul Bakker | 6992eb7 | 2013-12-31 11:35:16 +0100 | [diff] [blame] | 5026 | * Fixed potential overflow in certificate size verification in |
| 5027 | ssl_write_certificate() (found by TrustInSoft) |
Paul Bakker | f2b4d86 | 2013-11-20 17:23:53 +0100 | [diff] [blame] | 5028 | |
Paul Bakker | 956c9e0 | 2013-12-19 14:42:28 +0100 | [diff] [blame] | 5029 | Security |
| 5030 | * Possible remotely-triggered out-of-bounds memory access fixed (found by |
| 5031 | TrustInSoft) |
| 5032 | |
Paul Bakker | f4dc186 | 2013-11-04 17:29:42 +0100 | [diff] [blame] | 5033 | = PolarSSL 1.3.2 released on 2013-11-04 |
Paul Bakker | 08bb187 | 2013-10-28 14:03:26 +0100 | [diff] [blame] | 5034 | Features |
| 5035 | * PK tests added to test framework |
Paul Bakker | 3f917e2 | 2013-10-28 14:16:59 +0100 | [diff] [blame] | 5036 | * Added optional optimization for NIST MODP curves (POLARSSL_ECP_NIST_OPTIM) |
Paul Bakker | 1642122 | 2013-10-28 14:37:09 +0100 | [diff] [blame] | 5037 | * Support for Camellia-GCM mode and ciphersuites |
Paul Bakker | 08bb187 | 2013-10-28 14:03:26 +0100 | [diff] [blame] | 5038 | |
Paul Bakker | 7bc745b | 2013-10-28 14:39:49 +0100 | [diff] [blame] | 5039 | Changes |
| 5040 | * Padding checks in cipher layer are now constant-time |
Paul Bakker | e1121b6 | 2013-10-31 14:37:37 +0100 | [diff] [blame] | 5041 | * Value comparisons in SSL layer are now constant-time |
Paul Bakker | 7b0be68 | 2013-10-29 14:24:37 +0100 | [diff] [blame] | 5042 | * Support for serialNumber, postalAddress and postalCode in X509 names |
Paul Bakker | e1121b6 | 2013-10-31 14:37:37 +0100 | [diff] [blame] | 5043 | * SSL Renegotiation was refactored |
Paul Bakker | 7bc745b | 2013-10-28 14:39:49 +0100 | [diff] [blame] | 5044 | |
Paul Bakker | 677377f | 2013-10-28 12:54:26 +0100 | [diff] [blame] | 5045 | Bugfix |
Paul Bakker | 1642122 | 2013-10-28 14:37:09 +0100 | [diff] [blame] | 5046 | * More stringent checks in cipher layer |
Paul Bakker | 677377f | 2013-10-28 12:54:26 +0100 | [diff] [blame] | 5047 | * Server does not send out extensions not advertised by client |
Paul Bakker | 45a2c8d | 2013-10-28 12:57:08 +0100 | [diff] [blame] | 5048 | * Prevent possible alignment warnings on casting from char * to 'aligned *' |
Paul Bakker | 68037da | 2013-10-28 14:02:40 +0100 | [diff] [blame] | 5049 | * Misc fixes and additions to dependency checks |
Paul Bakker | 50dc850 | 2013-10-28 21:19:10 +0100 | [diff] [blame] | 5050 | * Const correctness |
Paul Bakker | 93c6aa4 | 2013-10-28 22:28:09 +0100 | [diff] [blame] | 5051 | * cert_write with selfsign should use issuer_name as subject_name |
Manuel Pégourié-Gonnard | 178d9ba | 2013-10-29 10:45:28 +0100 | [diff] [blame] | 5052 | * Fix ECDSA corner case: missing reduction mod N (found by DualTachyon) |
Paul Bakker | fa6a620 | 2013-10-28 18:48:30 +0100 | [diff] [blame] | 5053 | * Defines to handle UEFI environment under MSVC |
Paul Bakker | e1121b6 | 2013-10-31 14:37:37 +0100 | [diff] [blame] | 5054 | * Server-side initiated renegotiations send HelloRequest |
Paul Bakker | 677377f | 2013-10-28 12:54:26 +0100 | [diff] [blame] | 5055 | |
Paul Bakker | 5c17ccd | 2013-10-15 13:12:41 +0200 | [diff] [blame] | 5056 | = PolarSSL 1.3.1 released on 2013-10-15 |
Paul Bakker | b799dec | 2013-10-11 10:03:27 +0200 | [diff] [blame] | 5057 | Features |
| 5058 | * Support for Brainpool curves and TLS ciphersuites (RFC 7027) |
Paul Bakker | 376e815 | 2013-10-15 12:44:23 +0200 | [diff] [blame] | 5059 | * Support for ECDHE-PSK key-exchange and ciphersuites |
Paul Bakker | f34673e | 2013-10-15 12:46:17 +0200 | [diff] [blame] | 5060 | * Support for RSA-PSK key-exchange and ciphersuites |
Paul Bakker | b799dec | 2013-10-11 10:03:27 +0200 | [diff] [blame] | 5061 | |
Paul Bakker | ddba882 | 2013-10-11 09:21:56 +0200 | [diff] [blame] | 5062 | Changes |
| 5063 | * RSA blinding locks for a smaller amount of time |
Paul Bakker | 1677033 | 2013-10-11 09:59:44 +0200 | [diff] [blame] | 5064 | * TLS compression only allocates working buffer once |
Paul Bakker | be089b0 | 2013-10-14 15:51:50 +0200 | [diff] [blame] | 5065 | * Introduced POLARSSL_HAVE_READDIR_R for systems without it |
Paul Bakker | a7ea6a5 | 2013-10-15 11:55:10 +0200 | [diff] [blame] | 5066 | * config.h is more script-friendly |
Paul Bakker | ddba882 | 2013-10-11 09:21:56 +0200 | [diff] [blame] | 5067 | |
| 5068 | Bugfix |
| 5069 | * Missing MSVC defines added |
| 5070 | * Compile errors with POLARSSL_RSA_NO_CRT |
| 5071 | * Header files with 'polarssl/' |
Paul Bakker | fcc1721 | 2013-10-11 09:36:52 +0200 | [diff] [blame] | 5072 | * Const correctness |
Paul Bakker | d61cc3b | 2013-10-11 09:38:49 +0200 | [diff] [blame] | 5073 | * Possible naming collision in dhm_context |
Paul Bakker | 4aa40d4 | 2013-10-11 10:49:24 +0200 | [diff] [blame] | 5074 | * Better support for MSVC |
Paul Bakker | b7c1312 | 2013-10-11 10:51:32 +0200 | [diff] [blame] | 5075 | * threading_set_alt() name |
Paul Bakker | 5191e92 | 2013-10-11 10:54:28 +0200 | [diff] [blame] | 5076 | * Added missing x509write_crt_set_version() |
Paul Bakker | ddba882 | 2013-10-11 09:21:56 +0200 | [diff] [blame] | 5077 | |
Paul Bakker | 5c17ccd | 2013-10-15 13:12:41 +0200 | [diff] [blame] | 5078 | = PolarSSL 1.3.0 released on 2013-10-01 |
Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 5079 | Features |
| 5080 | * Elliptic Curve Cryptography module added |
| 5081 | * Elliptic Curve Diffie Hellman module added |
| 5082 | * Ephemeral Elliptic Curve Diffie Hellman support for SSL/TLS |
| 5083 | (ECDHE-based ciphersuites) |
Paul Bakker | c867678 | 2013-08-28 12:15:11 +0200 | [diff] [blame] | 5084 | * Ephemeral Elliptic Curve Digital Signature Algorithm support for SSL/TLS |
| 5085 | (ECDSA-based ciphersuites) |
Paul Bakker | 8f4ddae | 2013-04-15 15:09:54 +0200 | [diff] [blame] | 5086 | * Ability to specify allowed ciphersuites based on the protocol version. |
Paul Bakker | b91c2b5 | 2013-04-19 16:05:16 +0200 | [diff] [blame] | 5087 | * PSK and DHE-PSK based ciphersuites added |
Paul Bakker | 6e339b5 | 2013-07-03 13:37:05 +0200 | [diff] [blame] | 5088 | * Memory allocation abstraction layer added |
| 5089 | * Buffer-based memory allocator added (no malloc() / free() / HEAP usage) |
Paul Bakker | 2466d93 | 2013-09-28 14:40:38 +0200 | [diff] [blame] | 5090 | * Threading abstraction layer added (dummy / pthread / alternate) |
Paul Bakker | 5ad403f | 2013-09-18 21:21:30 +0200 | [diff] [blame] | 5091 | * Public Key abstraction layer added |
Paul Bakker | f85778e | 2013-07-19 14:55:25 +0200 | [diff] [blame] | 5092 | * Parsing Elliptic Curve keys |
| 5093 | * Parsing Elliptic Curve certificates |
| 5094 | * Support for max_fragment_length extension (RFC 6066) |
| 5095 | * Support for truncated_hmac extension (RFC 6066) |
Paul Bakker | da4d1c3 | 2013-08-14 12:24:34 +0200 | [diff] [blame] | 5096 | * Support for zeros-and-length (ANSI X.923) padding, one-and-zeros |
| 5097 | (ISO/IEC 7816-4) padding and zero padding in the cipher layer |
Paul Bakker | 936539a | 2013-08-14 13:49:20 +0200 | [diff] [blame] | 5098 | * Support for session tickets (RFC 5077) |
Paul Bakker | ca174fe | 2013-08-28 16:31:30 +0200 | [diff] [blame] | 5099 | * Certificate Request (CSR) generation with extensions (key_usage, |
| 5100 | ns_cert_type) |
Paul Bakker | 7fb4a79 | 2013-09-12 12:00:52 +0200 | [diff] [blame] | 5101 | * X509 Certificate writing with extensions (basic_constraints, |
| 5102 | issuer_key_identifier, etc) |
Paul Bakker | 6ec34fb | 2013-09-10 14:53:46 +0200 | [diff] [blame] | 5103 | * Optional blinding for RSA, DHM and EC |
Paul Bakker | 8b817dc | 2013-09-25 18:03:58 +0200 | [diff] [blame] | 5104 | * Support for multiple active certificate / key pairs in SSL servers for |
Darryl Green | 11999bb | 2018-03-13 15:22:58 +0000 | [diff] [blame] | 5105 | the same host (Not to be confused with SNI!) |
Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 5106 | |
Paul Bakker | 9b5798d | 2013-03-13 13:53:00 +0100 | [diff] [blame] | 5107 | Changes |
Paul Bakker | d2f068e | 2013-08-27 21:19:20 +0200 | [diff] [blame] | 5108 | * Ability to enable / disable SSL v3 / TLS 1.0 / TLS 1.1 / TLS 1.2 |
| 5109 | individually |
Paul Bakker | 68884e3 | 2013-01-07 18:20:04 +0100 | [diff] [blame] | 5110 | * Introduced separate SSL Ciphersuites module that is based on |
| 5111 | Cipher and MD information |
Paul Bakker | 9b5798d | 2013-03-13 13:53:00 +0100 | [diff] [blame] | 5112 | * Internals for SSL module adapted to have separate IV pointer that is |
| 5113 | dynamically set (Better support for hardware acceleration) |
Paul Bakker | c70b982 | 2013-04-07 22:00:46 +0200 | [diff] [blame] | 5114 | * Moved all OID functionality to a separate module. RSA function |
| 5115 | prototypes for the RSA sign and verify functions changed as a result |
Paul Bakker | b9d3cfa | 2013-06-26 15:07:16 +0200 | [diff] [blame] | 5116 | * Split up the GCM module into a starts/update/finish cycle |
Paul Bakker | 2fbefde | 2013-06-29 16:01:15 +0200 | [diff] [blame] | 5117 | * Client and server now filter sent and accepted ciphersuites on minimum |
| 5118 | and maximum protocol version |
Paul Bakker | 0be444a | 2013-08-27 21:55:01 +0200 | [diff] [blame] | 5119 | * Ability to disable server_name extension (RFC 6066) |
Paul Bakker | e2ab84f | 2013-06-29 18:24:32 +0200 | [diff] [blame] | 5120 | * Renamed error_strerror() to the less conflicting polarssl_strerror() |
| 5121 | (Ability to keep old as well with POLARSSL_ERROR_STRERROR_BC) |
Paul Bakker | 9e36f04 | 2013-06-30 14:34:05 +0200 | [diff] [blame] | 5122 | * SHA2 renamed to SHA256, SHA4 renamed to SHA512 and functions accordingly |
Paul Bakker | 548957d | 2013-08-30 10:30:02 +0200 | [diff] [blame] | 5123 | * All RSA operations require a random generator for blinding purposes |
Paul Bakker | 45f21c7 | 2013-09-18 15:33:49 +0200 | [diff] [blame] | 5124 | * X509 core refactored |
| 5125 | * x509_crt_verify() now case insensitive for cn (RFC 6125 6.4) |
Paul Bakker | 5ad403f | 2013-09-18 21:21:30 +0200 | [diff] [blame] | 5126 | * Also compiles / runs without time-based functions (!POLARSSL_HAVE_TIME) |
Paul Bakker | c27c4e2 | 2013-09-23 15:01:36 +0200 | [diff] [blame] | 5127 | * Support faulty X509 v1 certificates with extensions |
| 5128 | (POLARSSL_X509_ALLOW_EXTENSIONS_NON_V3) |
Paul Bakker | 9b5798d | 2013-03-13 13:53:00 +0100 | [diff] [blame] | 5129 | |
Paul Bakker | eff2e6d | 2013-04-11 17:13:22 +0200 | [diff] [blame] | 5130 | Bugfix |
Paul Bakker | 73d4431 | 2013-05-22 13:56:26 +0200 | [diff] [blame] | 5131 | * Fixed parse error in ssl_parse_certificate_request() |
Paul Bakker | abf2f8f | 2013-06-30 14:57:46 +0200 | [diff] [blame] | 5132 | * zlib compression/decompression skipped on empty blocks |
Paul Bakker | 1e6a175 | 2013-07-26 14:10:22 +0200 | [diff] [blame] | 5133 | * Support for AIX header locations in net.c module |
Paul Bakker | 003dbad | 2013-09-09 17:26:14 +0200 | [diff] [blame] | 5134 | * Fixed file descriptor leaks |
Paul Bakker | eff2e6d | 2013-04-11 17:13:22 +0200 | [diff] [blame] | 5135 | |
Paul Bakker | aab30c1 | 2013-08-30 11:00:25 +0200 | [diff] [blame] | 5136 | Security |
| 5137 | * RSA blinding on CRT operations to counter timing attacks |
| 5138 | (found by Cyril Arnaud and Pierre-Alain Fouque) |
| 5139 | |
Manuel Pégourié-Gonnard | 7b12492 | 2015-04-30 10:16:19 +0200 | [diff] [blame] | 5140 | |
| 5141 | = Version 1.2.14 released 2015-05-?? |
| 5142 | |
| 5143 | Security |
| 5144 | * Fix potential invalid memory read in the server, that allows a client to |
| 5145 | crash it remotely (found by Caj Larsson). |
| 5146 | * Fix potential invalid memory read in certificate parsing, that allows a |
| 5147 | client to crash the server remotely if client authentication is enabled |
| 5148 | (found using Codenomicon Defensics). |
| 5149 | * Add countermeasure against "Lucky 13 strikes back" cache-based attack, |
| 5150 | https://dl.acm.org/citation.cfm?id=2714625 |
| 5151 | |
| 5152 | Bugfix |
| 5153 | * Fix bug in Via Padlock support (found by Nikos Mavrogiannopoulos). |
| 5154 | * Fix hardclock() (only used in the benchmarking program) with some |
| 5155 | versions of mingw64 (found by kxjhlele). |
| 5156 | * Fix warnings from mingw64 in timing.c (found by kxjklele). |
| 5157 | * Fix potential unintended sign extension in asn1_get_len() on 64-bit |
| 5158 | platforms (found with Coverity Scan). |
| 5159 | |
| 5160 | = Version 1.2.13 released 2015-02-16 |
| 5161 | Note: Although PolarSSL has been renamed to mbed TLS, no changes reflecting |
| 5162 | this will be made in the 1.2 branch at this point. |
| 5163 | |
| 5164 | Security |
| 5165 | * Fix remotely-triggerable uninitialised pointer dereference caused by |
| 5166 | crafted X.509 certificate (TLS server is not affected if it doesn't ask |
| 5167 | for a client certificate) (found using Codenomicon Defensics). |
| 5168 | * Fix remotely-triggerable memory leak caused by crafted X.509 certificates |
| 5169 | (TLS server is not affected if it doesn't ask for a client certificate) |
| 5170 | (found using Codenomicon Defensics). |
| 5171 | * Fix potential stack overflow while parsing crafted X.509 certificates |
| 5172 | (TLS server is not affected if it doesn't ask for a client certificate) |
| 5173 | found using Codenomicon Defensics). |
| 5174 | * Fix buffer overread of size 1 when parsing crafted X.509 certificates |
| 5175 | (TLS server is not affected if it doesn't ask for a client certificate). |
| 5176 | |
| 5177 | Bugfix |
| 5178 | * Fix potential undefined behaviour in Camellia. |
| 5179 | * Fix memory leaks in PKCS#5 and PKCS#12. |
| 5180 | * Stack buffer overflow if ctr_drbg_update() is called with too large |
| 5181 | add_len (found by Jean-Philippe Aumasson) (not triggerable remotely). |
| 5182 | * Fix bug in MPI/bignum on s390/s390x (reported by Dan Horák) (introduced |
| 5183 | in 1.2.12). |
| 5184 | * Fix unchecked return code in x509_crt_parse_path() on Windows (found by |
| 5185 | Peter Vaskovic). |
| 5186 | * Fix assembly selection for MIPS64 (thanks to James Cowgill). |
| 5187 | * ssl_get_verify_result() now works even if the handshake was aborted due |
| 5188 | to a failed verification (found by Fredrik Axelsson). |
| 5189 | * Skip writing and parsing signature_algorithm extension if none of the |
| 5190 | key exchanges enabled needs certificates. This fixes a possible interop |
| 5191 | issue with some servers when a zero-length extension was sent. (Reported |
| 5192 | by Peter Dettman.) |
| 5193 | * On a 0-length input, base64_encode() did not correctly set output length |
| 5194 | (found by Hendrik van den Boogaard). |
| 5195 | |
| 5196 | Changes |
| 5197 | * Blind RSA private operations even when POLARSSL_RSA_NO_CRT is defined. |
| 5198 | * Forbid repeated extensions in X.509 certificates. |
| 5199 | * Add compile-time option POLARSSL_X509_MAX_INTERMEDIATE_CA to limit the |
| 5200 | length of an X.509 verification chain (default = 8). |
Paul Bakker | a6c5ea2 | 2014-10-24 16:26:29 +0200 | [diff] [blame] | 5201 | = Version 1.2.12 released 2014-10-24 |
| 5202 | |
| 5203 | Security |
| 5204 | * Remotely-triggerable memory leak when parsing some X.509 certificates |
| 5205 | (server is not affected if it doesn't ask for a client certificate). |
| 5206 | (Found using Codenomicon Defensics.) |
| 5207 | |
| 5208 | Bugfix |
| 5209 | * Fix potential bad read in parsing ServerHello (found by Adrien |
| 5210 | Vialletelle). |
| 5211 | * ssl_close_notify() could send more than one message in some circumstances |
| 5212 | with non-blocking I/O. |
| 5213 | * x509_crt_parse() did not increase total_failed on PEM error |
| 5214 | * Fix compiler warnings on iOS (found by Sander Niemeijer). |
| 5215 | * Don't print uninitialised buffer in ssl_mail_client (found by Marc Abel). |
| 5216 | * Fix net_accept() regarding non-blocking sockets (found by Luca Pesce). |
| 5217 | * ssl_read() could return non-application data records on server while |
| 5218 | renegotation was pending, and on client when a HelloRequest was received. |
| 5219 | * Fix warnings from Clang's scan-build (contributed by Alfred Klomp). |
| 5220 | |
| 5221 | Changes |
| 5222 | * X.509 certificates with more than one AttributeTypeAndValue per |
| 5223 | RelativeDistinguishedName are not accepted any more. |
| 5224 | * ssl_read() now returns POLARSSL_ERR_NET_WANT_READ rather than |
| 5225 | POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE on harmless alerts. |
| 5226 | * Accept spaces at end of line or end of buffer in base64_decode(). |
| 5227 | |
Paul Bakker | 0ae5a3d | 2014-07-11 11:28:30 +0200 | [diff] [blame] | 5228 | = Version 1.2.11 released 2014-07-11 |
| 5229 | Features |
| 5230 | * Entropy module now supports seed writing and reading |
| 5231 | |
| 5232 | Changes |
| 5233 | * Introduced POLARSSL_HAVE_READDIR_R for systems without it |
| 5234 | * Improvements to the CMake build system, contributed by Julian Ospald. |
| 5235 | * Work around a bug of the version of Clang shipped by Apple with Mavericks |
| 5236 | that prevented bignum.c from compiling. (Reported by Rafael Baptista.) |
| 5237 | * Improvements to tests/Makefile, contributed by Oden Eriksson. |
| 5238 | * Use UTC time to check certificate validity. |
| 5239 | * Reject certificates with times not in UTC, per RFC 5280. |
| 5240 | * Migrate zeroizing of data to polarssl_zeroize() instead of memset() |
| 5241 | against unwanted compiler optimizations |
| 5242 | |
| 5243 | Security |
| 5244 | * Forbid change of server certificate during renegotiation to prevent |
| 5245 | "triple handshake" attack when authentication mode is optional (the |
| 5246 | attack was already impossible when authentication is required). |
| 5247 | * Check notBefore timestamp of certificates and CRLs from the future. |
| 5248 | * Forbid sequence number wrapping |
| 5249 | * Prevent potential NULL pointer dereference in ssl_read_record() (found by |
| 5250 | TrustInSoft) |
| 5251 | * Fix length checking for AEAD ciphersuites (found by Codenomicon). |
| 5252 | It was possible to crash the server (and client) using crafted messages |
| 5253 | when a GCM suite was chosen. |
| 5254 | |
| 5255 | Bugfix |
| 5256 | * Fixed X.509 hostname comparison (with non-regular characters) |
| 5257 | * SSL now gracefully handles missing RNG |
| 5258 | * crypt_and_hash app checks MAC before final decryption |
| 5259 | * Fixed x509_crt_parse_path() bug on Windows platforms |
| 5260 | * Added missing MPI_CHK() around some statements in mpi_div_mpi() (found by |
| 5261 | TrustInSoft) |
| 5262 | * Fixed potential overflow in certificate size verification in |
| 5263 | ssl_write_certificate() (found by TrustInSoft) |
| 5264 | * Fix ASM format in bn_mul.h |
| 5265 | * Potential memory leak in bignum_selftest() |
| 5266 | * Replaced expired test certificate |
| 5267 | * ssl_mail_client now terminates lines with CRLF, instead of LF |
| 5268 | * Fix bug in RSA PKCS#1 v1.5 "reversed" operations |
| 5269 | * Fixed testing with out-of-source builds using cmake |
| 5270 | * Fixed version-major intolerance in server |
| 5271 | * Fixed CMake symlinking on out-of-source builds |
| 5272 | * Bignum's MIPS-32 assembly was used on MIPS-64, causing chaos. (Found by |
| 5273 | Alex Wilson.) |
| 5274 | * ssl_init() was leaving a dirty pointer in ssl_context if malloc of |
| 5275 | out_ctr failed |
| 5276 | * ssl_handshake_init() was leaving dirty pointers in subcontexts if malloc |
| 5277 | of one of them failed |
| 5278 | * x509_get_current_time() uses localtime_r() to prevent thread issues |
| 5279 | * Some example server programs were not sending the close_notify alert. |
| 5280 | * Potential memory leak in mpi_exp_mod() when error occurs during |
| 5281 | calculation of RR. |
| 5282 | * Improve interoperability by not writing extension length in ClientHello |
| 5283 | when no extensions are present (found by Matthew Page) |
| 5284 | * rsa_check_pubkey() now allows an E up to N |
| 5285 | * On OpenBSD, use arc4random_buf() instead of rand() to prevent warnings |
| 5286 | * mpi_fill_random() was creating numbers larger than requested on |
| 5287 | big-endian platform when size was not an integer number of limbs |
| 5288 | * Fix detection of DragonflyBSD in net.c (found by Markus Pfeiffer) |
| 5289 | * Stricter check on SSL ClientHello internal sizes compared to actual packet |
| 5290 | size (found by TrustInSoft) |
| 5291 | * Fix preprocessor checks for bn_mul PPC asm (found by Barry K. Nathan). |
| 5292 | * Use \n\t rather than semicolons for bn_mul asm, since some assemblers |
| 5293 | interpret semicolons as comment delimiters (found by Barry K. Nathan). |
| 5294 | * Disable broken Sparc64 bn_mul assembly (found by Florian Obser). |
| 5295 | * Fix base64_decode() to return and check length correctly (in case of |
| 5296 | tight buffers) |
| 5297 | |
Paul Bakker | 3a2c056 | 2013-10-07 16:22:05 +0200 | [diff] [blame] | 5298 | = Version 1.2.10 released 2013-10-07 |
| 5299 | Changes |
| 5300 | * Changed RSA blinding to a slower but thread-safe version |
| 5301 | |
| 5302 | Bugfix |
| 5303 | * Fixed memory leak in RSA as a result of introduction of blinding |
| 5304 | * Fixed ssl_pkcs11_decrypt() prototype |
| 5305 | * Fixed MSVC project files |
| 5306 | |
Paul Bakker | d93d28e | 2013-10-01 10:12:42 +0200 | [diff] [blame] | 5307 | = Version 1.2.9 released 2013-10-01 |
Paul Bakker | c13aab1 | 2013-09-26 10:12:19 +0200 | [diff] [blame] | 5308 | Changes |
| 5309 | * x509_verify() now case insensitive for cn (RFC 6125 6.4) |
| 5310 | |
| 5311 | Bugfix |
| 5312 | * Fixed potential memory leak when failing to resume a session |
| 5313 | * Fixed potential file descriptor leaks (found by Remi Gacogne) |
| 5314 | * Minor fixes |
| 5315 | |
| 5316 | Security |
| 5317 | * Fixed potential heap buffer overflow on large hostname setting |
| 5318 | * Fixed potential negative value misinterpretation in load_file() |
| 5319 | * RSA blinding on CRT operations to counter timing attacks |
| 5320 | (found by Cyril Arnaud and Pierre-Alain Fouque) |
| 5321 | |
Paul Bakker | de65623 | 2013-06-24 19:07:34 +0200 | [diff] [blame] | 5322 | = Version 1.2.8 released 2013-06-19 |
| 5323 | Features |
| 5324 | * Parsing of PKCS#8 encrypted private key files |
| 5325 | * PKCS#12 PBE and derivation functions |
| 5326 | * Centralized module option values in config.h to allow user-defined |
| 5327 | settings without editing header files by using POLARSSL_CONFIG_OPTIONS |
| 5328 | |
| 5329 | Changes |
| 5330 | * HAVEGE random generator disabled by default |
| 5331 | * Internally split up x509parse_key() into a (PEM) handler function |
| 5332 | and specific DER parser functions for the PKCS#1 and unencrypted |
| 5333 | PKCS#8 private key formats |
| 5334 | * Added mechanism to provide alternative implementations for all |
| 5335 | symmetric cipher and hash algorithms (e.g. POLARSSL_AES_ALT in |
Darryl Green | 11999bb | 2018-03-13 15:22:58 +0000 | [diff] [blame] | 5336 | config.h) |
Paul Bakker | de65623 | 2013-06-24 19:07:34 +0200 | [diff] [blame] | 5337 | * PKCS#5 module added. Moved PBKDF2 functionality inside and deprecated |
| 5338 | old PBKDF2 module |
| 5339 | |
| 5340 | Bugfix |
| 5341 | * Secure renegotiation extension should only be sent in case client |
| 5342 | supports secure renegotiation |
| 5343 | * Fixed offset for cert_type list in ssl_parse_certificate_request() |
| 5344 | * Fixed const correctness issues that have no impact on the ABI |
| 5345 | * x509parse_crt() now better handles PEM error situations |
| 5346 | * ssl_parse_certificate() now calls x509parse_crt_der() directly |
| 5347 | instead of the x509parse_crt() wrapper that can also parse PEM |
Darryl Green | 11999bb | 2018-03-13 15:22:58 +0000 | [diff] [blame] | 5348 | certificates |
Paul Bakker | de65623 | 2013-06-24 19:07:34 +0200 | [diff] [blame] | 5349 | * x509parse_crtpath() is now reentrant and uses more portable stat() |
| 5350 | * Fixed bignum.c and bn_mul.h to support Thumb2 and LLVM compiler |
| 5351 | * Fixed values for 2-key Triple DES in cipher layer |
| 5352 | * ssl_write_certificate_request() can handle empty ca_chain |
| 5353 | |
| 5354 | Security |
| 5355 | * A possible DoS during the SSL Handshake, due to faulty parsing of |
| 5356 | PEM-encoded certificates has been fixed (found by Jack Lloyd) |
| 5357 | |
| 5358 | = Version 1.2.7 released 2013-04-13 |
| 5359 | Features |
| 5360 | * Ability to specify allowed ciphersuites based on the protocol version. |
| 5361 | |
| 5362 | Changes |
| 5363 | * Default Blowfish keysize is now 128-bits |
| 5364 | * Test suites made smaller to accommodate Raspberry Pi |
| 5365 | |
| 5366 | Bugfix |
| 5367 | * Fix for MPI assembly for ARM |
| 5368 | * GCM adapted to support sizes > 2^29 |
| 5369 | |
Paul Bakker | 90f042d | 2013-03-11 11:38:44 +0100 | [diff] [blame] | 5370 | = Version 1.2.6 released 2013-03-11 |
Paul Bakker | c046350 | 2013-02-14 11:19:38 +0100 | [diff] [blame] | 5371 | Bugfix |
| 5372 | * Fixed memory leak in ssl_free() and ssl_reset() for active session |
Paul Bakker | 3d2dc0f | 2013-02-27 14:52:37 +0100 | [diff] [blame] | 5373 | * Corrected GCM counter incrementation to use only 32-bits instead of |
| 5374 | 128-bits (found by Yawning Angel) |
Paul Bakker | e3e4a59 | 2013-02-28 10:20:53 +0100 | [diff] [blame] | 5375 | * Fixes for 64-bit compilation with MS Visual Studio |
Paul Bakker | 37286a5 | 2013-03-06 16:55:11 +0100 | [diff] [blame] | 5376 | * Fixed net_bind() for specified IP addresses on little endian systems |
Paul Bakker | fb1cbd3 | 2013-03-06 18:14:52 +0100 | [diff] [blame] | 5377 | * Fixed assembly code for ARM (Thumb and regular) for some compilers |
Paul Bakker | c046350 | 2013-02-14 11:19:38 +0100 | [diff] [blame] | 5378 | |
Paul Bakker | b386913 | 2013-02-28 17:21:01 +0100 | [diff] [blame] | 5379 | Changes |
| 5380 | * Internally split up rsa_pkcs1_encrypt(), rsa_pkcs1_decrypt(), |
| 5381 | rsa_pkcs1_sign() and rsa_pkcs1_verify() to separate PKCS#1 v1.5 and |
| 5382 | PKCS#1 v2.1 functions |
Paul Bakker | a43231c | 2013-02-28 17:33:49 +0100 | [diff] [blame] | 5383 | * Added support for custom labels when using rsa_rsaes_oaep_encrypt() |
| 5384 | or rsa_rsaes_oaep_decrypt() |
Paul Bakker | 78a8c71 | 2013-03-06 17:01:52 +0100 | [diff] [blame] | 5385 | * Re-added handling for SSLv2 Client Hello when the define |
| 5386 | POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO is set |
Paul Bakker | e81beda | 2013-03-06 17:40:46 +0100 | [diff] [blame] | 5387 | * The SSL session cache module (ssl_cache) now also retains peer_cert |
| 5388 | information (not the entire chain) |
Paul Bakker | b386913 | 2013-02-28 17:21:01 +0100 | [diff] [blame] | 5389 | |
Paul Bakker | e47b34b | 2013-02-27 14:48:00 +0100 | [diff] [blame] | 5390 | Security |
| 5391 | * Removed further timing differences during SSL message decryption in |
| 5392 | ssl_decrypt_buf() |
Paul Bakker | 8804f69 | 2013-02-28 18:06:26 +0100 | [diff] [blame] | 5393 | * Removed timing differences due to bad padding from |
| 5394 | rsa_rsaes_pkcs1_v15_decrypt() and rsa_pkcs1_decrypt() for PKCS#1 v1.5 |
| 5395 | operations |
Paul Bakker | e47b34b | 2013-02-27 14:48:00 +0100 | [diff] [blame] | 5396 | |
Paul Bakker | c7a2da4 | 2013-02-02 19:23:57 +0100 | [diff] [blame] | 5397 | = Version 1.2.5 released 2013-02-02 |
Paul Bakker | 8fe40dc | 2013-02-02 12:43:08 +0100 | [diff] [blame] | 5398 | Changes |
| 5399 | * Allow enabling of dummy error_strerror() to support some use-cases |
Paul Bakker | d66f070 | 2013-01-31 16:57:45 +0100 | [diff] [blame] | 5400 | * Debug messages about padding errors during SSL message decryption are |
Hanno Becker | 01a0e07 | 2017-07-26 11:49:40 +0100 | [diff] [blame] | 5401 | disabled by default and can be enabled with POLARSSL_SSL_DEBUG_ALL |
Paul Bakker | 40865c8 | 2013-01-31 17:13:13 +0100 | [diff] [blame] | 5402 | * Sending of security-relevant alert messages that do not break |
| 5403 | interoperability can be switched on/off with the flag |
Paul Bakker | a35aa54 | 2013-03-06 17:06:21 +0100 | [diff] [blame] | 5404 | POLARSSL_SSL_ALL_ALERT_MESSAGES |
Paul Bakker | 8fe40dc | 2013-02-02 12:43:08 +0100 | [diff] [blame] | 5405 | |
Paul Bakker | 4582999 | 2013-01-03 14:52:21 +0100 | [diff] [blame] | 5406 | Security |
| 5407 | * Removed timing differences during SSL message decryption in |
| 5408 | ssl_decrypt_buf() due to badly formatted padding |
| 5409 | |
Paul Bakker | 14c56a3 | 2013-01-25 17:11:37 +0100 | [diff] [blame] | 5410 | = Version 1.2.4 released 2013-01-25 |
Paul Bakker | 1961b70 | 2013-01-25 14:49:24 +0100 | [diff] [blame] | 5411 | Changes |
Paul Bakker | 68884e3 | 2013-01-07 18:20:04 +0100 | [diff] [blame] | 5412 | * More advanced SSL ciphersuite representation and moved to more dynamic |
| 5413 | SSL core |
Paul Bakker | 1961b70 | 2013-01-25 14:49:24 +0100 | [diff] [blame] | 5414 | * Added ssl_handshake_step() to allow single stepping the handshake process |
| 5415 | |
Paul Bakker | 40628ba | 2013-01-03 10:50:31 +0100 | [diff] [blame] | 5416 | Bugfix |
| 5417 | * Memory leak when using RSA_PKCS_V21 operations fixed |
Paul Bakker | 21dca69 | 2013-01-03 11:41:08 +0100 | [diff] [blame] | 5418 | * Handle future version properly in ssl_write_certificate_request() |
Paul Bakker | 9c94cdd | 2013-01-22 13:45:33 +0100 | [diff] [blame] | 5419 | * Correctly handle CertificateRequest message in client for <= TLS 1.1 |
| 5420 | without DN list |
Paul Bakker | 40628ba | 2013-01-03 10:50:31 +0100 | [diff] [blame] | 5421 | |
Paul Bakker | fb1ba78 | 2012-11-26 16:28:25 +0100 | [diff] [blame] | 5422 | = Version 1.2.3 released 2012-11-26 |
| 5423 | Bugfix |
| 5424 | * Server not always sending correct CertificateRequest message |
| 5425 | |
Paul Bakker | df5069c | 2012-11-24 12:20:19 +0100 | [diff] [blame] | 5426 | = Version 1.2.2 released 2012-11-24 |
Paul Bakker | e667c98 | 2012-11-20 13:50:22 +0100 | [diff] [blame] | 5427 | Changes |
| 5428 | * Added p_hw_data to ssl_context for context specific hardware acceleration |
| 5429 | data |
Hanno Becker | 01a0e07 | 2017-07-26 11:49:40 +0100 | [diff] [blame] | 5430 | * During verify trust-CA is only checked for expiration and CRL presence |
Paul Bakker | e667c98 | 2012-11-20 13:50:22 +0100 | [diff] [blame] | 5431 | |
Paul Bakker | 7c90da9 | 2012-11-23 14:02:40 +0100 | [diff] [blame] | 5432 | Bugfixes |
Paul Bakker | df5069c | 2012-11-24 12:20:19 +0100 | [diff] [blame] | 5433 | * Fixed client authentication compatibility |
| 5434 | * Fixed dependency on POLARSSL_SHA4_C in SSL modules |
Paul Bakker | 7c90da9 | 2012-11-23 14:02:40 +0100 | [diff] [blame] | 5435 | |
Paul Bakker | 1492633 | 2012-11-20 10:58:09 +0100 | [diff] [blame] | 5436 | = Version 1.2.1 released 2012-11-20 |
Paul Bakker | 34d8dbc | 2012-11-14 12:11:38 +0000 | [diff] [blame] | 5437 | Changes |
| 5438 | * Depth that the certificate verify callback receives is now numbered |
| 5439 | bottom-up (Peer cert depth is 0) |
| 5440 | |
Paul Bakker | 7a2538e | 2012-11-02 10:59:36 +0000 | [diff] [blame] | 5441 | Bugfixes |
| 5442 | * Fixes for MSVC6 |
Paul Bakker | d9374b0 | 2012-11-02 11:02:58 +0000 | [diff] [blame] | 5443 | * Moved mpi_inv_mod() outside POLARSSL_GENPRIME |
Paul Bakker | f02c564 | 2012-11-13 10:25:21 +0000 | [diff] [blame] | 5444 | * Allow R and A to point to same mpi in mpi_div_mpi (found by Manuel |
| 5445 | Pégourié-Gonnard) |
Manuel Pégourié-Gonnard | e44ec10 | 2012-11-17 12:42:51 +0100 | [diff] [blame] | 5446 | * Fixed possible segfault in mpi_shift_r() (found by Manuel |
| 5447 | Pégourié-Gonnard) |
Paul Bakker | 9daf0d0 | 2012-11-13 12:13:27 +0000 | [diff] [blame] | 5448 | * Added max length check for rsa_pkcs1_sign with PKCS#1 v2.1 |
Paul Bakker | 7a2538e | 2012-11-02 10:59:36 +0000 | [diff] [blame] | 5449 | |
Paul Bakker | c9c5df9 | 2012-10-31 13:55:27 +0000 | [diff] [blame] | 5450 | = Version 1.2.0 released 2012-10-31 |
Paul Bakker | fab5c82 | 2012-02-06 16:45:10 +0000 | [diff] [blame] | 5451 | Features |
| 5452 | * Added support for NULL cipher (POLARSSL_CIPHER_NULL_CIPHER) and weak |
| 5453 | ciphersuites (POLARSSL_ENABLE_WEAK_CIPHERSUITES). They are disabled by |
| 5454 | default! |
Paul Bakker | a8cd239 | 2012-02-11 16:09:32 +0000 | [diff] [blame] | 5455 | * Added support for wildcard certificates |
| 5456 | * Added support for multi-domain certificates through the X509 Subject |
| 5457 | Alternative Name extension |
Paul Bakker | bdb912d | 2012-02-13 23:11:30 +0000 | [diff] [blame] | 5458 | * Added preliminary ASN.1 buffer writing support |
| 5459 | * Added preliminary X509 Certificate Request writing support |
| 5460 | * Added key_app_writer example application |
| 5461 | * Added cert_req example application |
Paul Bakker | 89e80c9 | 2012-03-20 13:50:09 +0000 | [diff] [blame] | 5462 | * Added base Galois Counter Mode (GCM) for AES |
Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 5463 | * Added TLS 1.2 support (RFC 5246) |
Paul Bakker | ca4ab49 | 2012-04-18 14:23:57 +0000 | [diff] [blame] | 5464 | * Added GCM suites to TLS 1.2 (RFC 5288) |
Paul Bakker | 01cc394 | 2012-05-08 08:36:15 +0000 | [diff] [blame] | 5465 | * Added commandline error code convertor (util/strerror) |
Paul Bakker | 05ef835 | 2012-05-08 09:17:57 +0000 | [diff] [blame] | 5466 | * Added support for Hardware Acceleration hooking in SSL/TLS |
Paul Bakker | e6ee41f | 2012-05-19 08:43:48 +0000 | [diff] [blame] | 5467 | * Added OpenSSL / PolarSSL compatibility script (tests/compat.sh) and |
Paul Bakker | c9c5df9 | 2012-10-31 13:55:27 +0000 | [diff] [blame] | 5468 | example application (programs/ssl/o_p_test) (requires OpenSSL) |
Paul Bakker | 8d91458 | 2012-06-04 12:46:42 +0000 | [diff] [blame] | 5469 | * Added X509 CA Path support |
Paul Bakker | 4f9a7bb | 2012-07-02 08:36:36 +0000 | [diff] [blame] | 5470 | * Added Thumb assembly optimizations |
Paul Bakker | 2770fbd | 2012-07-03 13:30:23 +0000 | [diff] [blame] | 5471 | * Added DEFLATE compression support as per RFC3749 (requires zlib) |
Paul Bakker | 6132d0a | 2012-07-04 17:10:40 +0000 | [diff] [blame] | 5472 | * Added blowfish algorithm (Generic and cipher layer) |
Paul Bakker | f518b16 | 2012-08-23 13:03:18 +0000 | [diff] [blame] | 5473 | * Added PKCS#5 PBKDF2 key derivation function |
Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 5474 | * Added Secure Renegotiation (RFC 5746) |
Paul Bakker | 29b6476 | 2012-09-25 09:36:44 +0000 | [diff] [blame] | 5475 | * Added predefined DHM groups from RFC 5114 |
Paul Bakker | 0a59707 | 2012-09-25 21:55:46 +0000 | [diff] [blame] | 5476 | * Added simple SSL session cache implementation |
Paul Bakker | 5701cdc | 2012-09-27 21:49:42 +0000 | [diff] [blame] | 5477 | * Added ServerName extension parsing (SNI) at server side |
Paul Bakker | 1d29fb5 | 2012-09-28 13:28:45 +0000 | [diff] [blame] | 5478 | * Added option to add minimum accepted SSL/TLS protocol version |
Paul Bakker | fab5c82 | 2012-02-06 16:45:10 +0000 | [diff] [blame] | 5479 | |
Paul Bakker | 1504af5 | 2012-02-11 16:17:43 +0000 | [diff] [blame] | 5480 | Changes |
| 5481 | * Removed redundant POLARSSL_DEBUG_MSG define |
Paul Bakker | 048d04e | 2012-02-12 17:31:04 +0000 | [diff] [blame] | 5482 | * AES code only check for Padlock once |
Paul Bakker | 6b906e5 | 2012-05-08 12:01:43 +0000 | [diff] [blame] | 5483 | * Fixed const-correctness mpi_get_bit() |
| 5484 | * Documentation for mpi_lsb() and mpi_msb() |
Paul Bakker | 186751d | 2012-05-08 13:16:14 +0000 | [diff] [blame] | 5485 | * Moved out_msg to out_hdr + 32 to support hardware acceleration |
Paul Bakker | 4d2c124 | 2012-05-10 14:12:46 +0000 | [diff] [blame] | 5486 | * Changed certificate verify behaviour to comply with RFC 6125 section 6.3 |
Paul Bakker | 5b37784 | 2012-05-16 07:57:36 +0000 | [diff] [blame] | 5487 | to not match CN if subjectAltName extension is present (Closes ticket #56) |
Paul Bakker | 6132d0a | 2012-07-04 17:10:40 +0000 | [diff] [blame] | 5488 | * Cipher layer cipher_mode_t POLARSSL_MODE_CFB128 is renamed to |
| 5489 | POLARSSL_MODE_CFB, to also handle different block size CFB modes. |
Paul Bakker | ec636f3 | 2012-09-09 19:17:02 +0000 | [diff] [blame] | 5490 | * Removed handling for SSLv2 Client Hello (as per RFC 5246 recommendation) |
Paul Bakker | 0a59707 | 2012-09-25 21:55:46 +0000 | [diff] [blame] | 5491 | * Revamped session resumption handling |
Paul Bakker | eb2c658 | 2012-09-27 19:15:01 +0000 | [diff] [blame] | 5492 | * Generalized external private key implementation handling (like PKCS#11) |
| 5493 | in SSL/TLS |
Paul Bakker | 915275b | 2012-09-28 07:10:55 +0000 | [diff] [blame] | 5494 | * Revamped x509_verify() and the SSL f_vrfy callback implementations |
Paul Bakker | 5c2364c | 2012-10-01 14:41:15 +0000 | [diff] [blame] | 5495 | * Moved from unsigned long to fixed width uint32_t types throughout code |
Paul Bakker | 645ce3a | 2012-10-31 12:32:41 +0000 | [diff] [blame] | 5496 | * Renamed ciphersuites naming scheme to IANA reserved names |
Paul Bakker | 1504af5 | 2012-02-11 16:17:43 +0000 | [diff] [blame] | 5497 | |
Paul Bakker | 3782458 | 2012-03-22 14:10:22 +0000 | [diff] [blame] | 5498 | Bugfix |
Paul Bakker | 7beceb2 | 2012-03-22 14:19:49 +0000 | [diff] [blame] | 5499 | * Fixed handling error in mpi_cmp_mpi() on longer B values (found by |
| 5500 | Hui Dong) |
Paul Bakker | 430ffbe | 2012-05-01 08:14:20 +0000 | [diff] [blame] | 5501 | * Fixed potential heap corruption in x509_name allocation |
Paul Bakker | 5b37784 | 2012-05-16 07:57:36 +0000 | [diff] [blame] | 5502 | * Fixed single RSA test that failed on Big Endian systems (Closes ticket #54) |
Paul Bakker | f6198c1 | 2012-05-16 08:02:29 +0000 | [diff] [blame] | 5503 | * mpi_exp_mod() now correctly handles negative base numbers (Closes ticket |
| 5504 | #52) |
Paul Bakker | e6ee41f | 2012-05-19 08:43:48 +0000 | [diff] [blame] | 5505 | * Handle encryption with private key and decryption with public key as per |
Darryl Green | 11999bb | 2018-03-13 15:22:58 +0000 | [diff] [blame] | 5506 | RFC 2313 |
Paul Bakker | cefb396 | 2012-06-27 11:51:09 +0000 | [diff] [blame] | 5507 | * Handle empty certificate subject names |
Paul Bakker | 535e97d | 2012-08-23 10:49:55 +0000 | [diff] [blame] | 5508 | * Prevent reading over buffer boundaries on X509 certificate parsing |
Paul Bakker | d4c2bd7 | 2012-09-16 21:35:30 +0000 | [diff] [blame] | 5509 | * mpi_add_abs() now correctly handles adding short numbers to long numbers |
Paul Bakker | 995a215 | 2012-09-25 08:19:56 +0000 | [diff] [blame] | 5510 | with carry rollover (found by Ruslan Yushchenko) |
Paul Bakker | b00ca42 | 2012-09-25 12:10:00 +0000 | [diff] [blame] | 5511 | * Handle existence of OpenSSL Trust Extensions at end of X.509 DER blob |
Paul Bakker | 4f024b7 | 2012-10-30 07:29:57 +0000 | [diff] [blame] | 5512 | * Fixed MPI assembly for SPARC64 platform |
Paul Bakker | 3782458 | 2012-03-22 14:10:22 +0000 | [diff] [blame] | 5513 | |
Paul Bakker | 452d532 | 2012-04-05 12:07:34 +0000 | [diff] [blame] | 5514 | Security |
Paul Bakker | 3c16db9 | 2012-07-05 13:58:08 +0000 | [diff] [blame] | 5515 | * Fixed potential memory zeroization on miscrafted RSA key (found by Eloi |
| 5516 | Vanderbeken) |
Paul Bakker | 452d532 | 2012-04-05 12:07:34 +0000 | [diff] [blame] | 5517 | |
Paul Bakker | d93d28e | 2013-10-01 10:12:42 +0200 | [diff] [blame] | 5518 | = Version 1.1.8 released on 2013-10-01 |
Paul Bakker | c13aab1 | 2013-09-26 10:12:19 +0200 | [diff] [blame] | 5519 | Bugfix |
| 5520 | * Fixed potential memory leak when failing to resume a session |
| 5521 | * Fixed potential file descriptor leaks |
| 5522 | |
| 5523 | Security |
| 5524 | * Potential buffer-overflow for ssl_read_record() (independently found by |
| 5525 | both TrustInSoft and Paul Brodeur of Leviathan Security Group) |
| 5526 | * Potential negative value misinterpretation in load_file() |
| 5527 | * Potential heap buffer overflow on large hostname setting |
| 5528 | |
Paul Bakker | 248fff5 | 2013-06-24 19:08:50 +0200 | [diff] [blame] | 5529 | = Version 1.1.7 released on 2013-06-19 |
| 5530 | Changes |
| 5531 | * HAVEGE random generator disabled by default |
| 5532 | |
| 5533 | Bugfix |
| 5534 | * x509parse_crt() now better handles PEM error situations |
| 5535 | * ssl_parse_certificate() now calls x509parse_crt_der() directly |
| 5536 | instead of the x509parse_crt() wrapper that can also parse PEM |
Darryl Green | 11999bb | 2018-03-13 15:22:58 +0000 | [diff] [blame] | 5537 | certificates |
Paul Bakker | 248fff5 | 2013-06-24 19:08:50 +0200 | [diff] [blame] | 5538 | * Fixed values for 2-key Triple DES in cipher layer |
| 5539 | * ssl_write_certificate_request() can handle empty ca_chain |
| 5540 | |
| 5541 | Security |
| 5542 | * A possible DoS during the SSL Handshake, due to faulty parsing of |
| 5543 | PEM-encoded certificates has been fixed (found by Jack Lloyd) |
| 5544 | |
| 5545 | = Version 1.1.6 released on 2013-03-11 |
| 5546 | Bugfix |
| 5547 | * Fixed net_bind() for specified IP addresses on little endian systems |
| 5548 | |
| 5549 | Changes |
| 5550 | * Allow enabling of dummy error_strerror() to support some use-cases |
| 5551 | * Debug messages about padding errors during SSL message decryption are |
| 5552 | disabled by default and can be enabled with POLARSSL_SSL_DEBUG_ALL |
| 5553 | |
| 5554 | Security |
| 5555 | * Removed timing differences during SSL message decryption in |
| 5556 | ssl_decrypt_buf() |
| 5557 | * Removed timing differences due to bad padding from |
| 5558 | rsa_rsaes_pkcs1_v15_decrypt() and rsa_pkcs1_decrypt() for PKCS#1 v1.5 |
| 5559 | operations |
| 5560 | |
Paul Bakker | 9d2bb65 | 2013-01-25 16:07:49 +0100 | [diff] [blame] | 5561 | = Version 1.1.5 released on 2013-01-16 |
| 5562 | Bugfix |
| 5563 | * Fixed MPI assembly for SPARC64 platform |
| 5564 | * Handle existence of OpenSSL Trust Extensions at end of X.509 DER blob |
| 5565 | * mpi_add_abs() now correctly handles adding short numbers to long numbers |
| 5566 | with carry rollover |
| 5567 | * Moved mpi_inv_mod() outside POLARSSL_GENPRIME |
| 5568 | * Prevent reading over buffer boundaries on X509 certificate parsing |
| 5569 | * mpi_exp_mod() now correctly handles negative base numbers (Closes ticket |
| 5570 | #52) |
| 5571 | * Fixed possible segfault in mpi_shift_r() (found by Manuel |
| 5572 | Pégourié-Gonnard) |
| 5573 | * Allow R and A to point to same mpi in mpi_div_mpi (found by Manuel |
| 5574 | Pégourié-Gonnard) |
| 5575 | * Added max length check for rsa_pkcs1_sign with PKCS#1 v2.1 |
| 5576 | * Memory leak when using RSA_PKCS_V21 operations fixed |
| 5577 | * Handle encryption with private key and decryption with public key as per |
| 5578 | RFC 2313 |
| 5579 | * Fixes for MSVC6 |
| 5580 | |
| 5581 | Security |
| 5582 | * Fixed potential memory zeroization on miscrafted RSA key (found by Eloi |
| 5583 | Vanderbeken) |
| 5584 | |
Paul Bakker | d5834bb | 2012-10-02 14:38:56 +0000 | [diff] [blame] | 5585 | = Version 1.1.4 released on 2012-05-31 |
| 5586 | Bugfix |
| 5587 | * Correctly handle empty SSL/TLS packets (Found by James Yonan) |
| 5588 | * Fixed potential heap corruption in x509_name allocation |
| 5589 | * Fixed single RSA test that failed on Big Endian systems (Closes ticket #54) |
| 5590 | |
Paul Bakker | fad3893 | 2012-05-08 09:04:04 +0000 | [diff] [blame] | 5591 | = Version 1.1.3 released on 2012-04-29 |
| 5592 | Bugfix |
| 5593 | * Fixed random MPI generation to not generate more size than requested. |
| 5594 | |
| 5595 | = Version 1.1.2 released on 2012-04-26 |
| 5596 | Bugfix |
| 5597 | * Fixed handling error in mpi_cmp_mpi() on longer B values (found by |
| 5598 | Hui Dong) |
| 5599 | |
| 5600 | Security |
| 5601 | * Fixed potential memory corruption on miscrafted client messages (found by |
| 5602 | Frama-C team at CEA LIST) |
| 5603 | * Fixed generation of DHM parameters to correct length (found by Ruslan |
| 5604 | Yushchenko) |
| 5605 | |
Paul Bakker | 99955bf | 2012-01-23 09:31:41 +0000 | [diff] [blame] | 5606 | = Version 1.1.1 released on 2012-01-23 |
Paul Bakker | b15b851 | 2012-01-13 13:44:06 +0000 | [diff] [blame] | 5607 | Bugfix |
| 5608 | * Check for failed malloc() in ssl_set_hostname() and x509_get_entries() |
| 5609 | (Closes ticket #47, found by Hugo Leisink) |
Paul Bakker | 2ec0a56 | 2012-01-21 05:41:23 +0000 | [diff] [blame] | 5610 | * Fixed issues with Intel compiler on 64-bit systems (Closes ticket #50) |
Paul Bakker | 99955bf | 2012-01-23 09:31:41 +0000 | [diff] [blame] | 5611 | * Fixed multiple compiler warnings for VS6 and armcc |
| 5612 | * Fixed bug in CTR_CRBG selftest |
Paul Bakker | b15b851 | 2012-01-13 13:44:06 +0000 | [diff] [blame] | 5613 | |
Paul Bakker | 08a5088 | 2011-12-22 09:43:57 +0000 | [diff] [blame] | 5614 | = Version 1.1.0 released on 2011-12-22 |
Paul Bakker | 7eb013f | 2011-10-06 12:37:39 +0000 | [diff] [blame] | 5615 | Features |
| 5616 | * Added ssl_session_reset() to allow better multi-connection pools of |
| 5617 | SSL contexts without needing to set all non-connection-specific |
Darryl Green | 11999bb | 2018-03-13 15:22:58 +0000 | [diff] [blame] | 5618 | data and pointers again. Adapted ssl_server to use this functionality. |
Paul Bakker | 490ecc8 | 2011-10-06 13:04:09 +0000 | [diff] [blame] | 5619 | * Added ssl_set_max_version() to allow clients to offer a lower maximum |
| 5620 | supported version to a server to help buggy server implementations. |
Darryl Green | 11999bb | 2018-03-13 15:22:58 +0000 | [diff] [blame] | 5621 | (Closes ticket #36) |
Paul Bakker | 03a30d3 | 2011-11-11 10:55:02 +0000 | [diff] [blame] | 5622 | * Added cipher_get_cipher_mode() and cipher_get_cipher_operation() |
| 5623 | introspection functions (Closes ticket #40) |
Paul Bakker | 0e04d0e | 2011-11-27 14:46:59 +0000 | [diff] [blame] | 5624 | * Added CTR_DRBG based on AES-256-CTR (NIST SP 800-90) random generator |
Paul Bakker | 6083fd2 | 2011-12-03 21:45:14 +0000 | [diff] [blame] | 5625 | * Added a generic entropy accumulator that provides support for adding |
| 5626 | custom entropy sources and added some generic and platform dependent |
Darryl Green | 11999bb | 2018-03-13 15:22:58 +0000 | [diff] [blame] | 5627 | entropy sources |
Paul Bakker | 7eb013f | 2011-10-06 12:37:39 +0000 | [diff] [blame] | 5628 | |
Paul Bakker | ca6f3e2 | 2011-10-06 13:11:08 +0000 | [diff] [blame] | 5629 | Changes |
| 5630 | * Documentation for AES and Camellia in modes CTR and CFB128 clarified. |
Paul Bakker | d246ed3 | 2011-10-06 13:18:27 +0000 | [diff] [blame] | 5631 | * Fixed rsa_encrypt and rsa_decrypt examples to use public key for |
| 5632 | encryption and private key for decryption. (Closes ticket #34) |
Paul Bakker | c4909d9 | 2011-10-12 09:52:22 +0000 | [diff] [blame] | 5633 | * Inceased maximum size of ASN1 length reads to 32-bits. |
Paul Bakker | fbc09f3 | 2011-10-12 09:56:41 +0000 | [diff] [blame] | 5634 | * Added an EXPLICIT tag number parameter to x509_get_ext() |
Paul Bakker | b5a11ab | 2011-10-12 09:58:41 +0000 | [diff] [blame] | 5635 | * Added a separate CRL entry extension parsing function |
Paul Bakker | efc3029 | 2011-11-10 14:43:23 +0000 | [diff] [blame] | 5636 | * Separated the ASN.1 parsing code from the X.509 specific parsing code. |
| 5637 | So now there is a module that is controlled with POLARSSL_ASN1_PARSE_C. |
Paul Bakker | 5e18aed | 2011-11-15 15:38:45 +0000 | [diff] [blame] | 5638 | * Changed the defined key-length of DES ciphers in cipher.h to include the |
| 5639 | parity bits, to prevent mistakes in copying data. (Closes ticket #33) |
Paul Bakker | cce9d77 | 2011-11-18 14:26:47 +0000 | [diff] [blame] | 5640 | * Loads of minimal changes to better support WINCE as a build target |
Paul Bakker | 2e6d532 | 2011-11-18 14:34:17 +0000 | [diff] [blame] | 5641 | (Credits go to Marco Lizza) |
Paul Bakker | b6d5f08 | 2011-11-25 11:52:11 +0000 | [diff] [blame] | 5642 | * Added POLARSSL_MPI_WINDOW_SIZE definition to allow easier time to memory |
| 5643 | trade-off |
Paul Bakker | fe3256e | 2011-11-25 12:11:43 +0000 | [diff] [blame] | 5644 | * Introduced POLARSSL_MPI_MAX_SIZE and POLARSSL_MPI_MAX_BITS for MPI size |
| 5645 | management (Closes ticket #44) |
Paul Bakker | a3d195c | 2011-11-27 21:07:34 +0000 | [diff] [blame] | 5646 | * Changed the used random function pointer to more flexible format. Renamed |
| 5647 | havege_rand() to havege_random() to prevent mistakes. Lots of changes as |
Paul Bakker | a35aa54 | 2013-03-06 17:06:21 +0100 | [diff] [blame] | 5648 | a consequence in library code and programs |
Paul Bakker | 508ad5a | 2011-12-04 17:09:26 +0000 | [diff] [blame] | 5649 | * Moved all examples programs to use the new entropy and CTR_DRBG |
Paul Bakker | 6c0ceb3 | 2011-12-04 12:24:18 +0000 | [diff] [blame] | 5650 | * Added permissive certificate parsing to x509parse_crt() and |
| 5651 | x509parse_crtfile(). With permissive parsing the parsing does not stop on |
Paul Bakker | a35aa54 | 2013-03-06 17:06:21 +0100 | [diff] [blame] | 5652 | encountering a parse-error. Beware that the meaning of return values has |
| 5653 | changed! |
Paul Bakker | 69e095c | 2011-12-10 21:55:01 +0000 | [diff] [blame] | 5654 | * All error codes are now negative. Even on mermory failures and IO errors. |
Paul Bakker | ca6f3e2 | 2011-10-06 13:11:08 +0000 | [diff] [blame] | 5655 | |
Paul Bakker | fa1c592 | 2011-10-06 14:18:49 +0000 | [diff] [blame] | 5656 | Bugfix |
| 5657 | * Fixed faulty HMAC-MD2 implementation. Found by dibac. (Closes |
| 5658 | ticket #37) |
Paul Bakker | 3329d1f | 2011-10-12 09:55:01 +0000 | [diff] [blame] | 5659 | * Fixed a bug where the CRL parser expected an EXPLICIT ASN.1 tag |
| 5660 | before version numbers |
Paul Bakker | cebdf17 | 2011-11-11 15:01:31 +0000 | [diff] [blame] | 5661 | * Allowed X509 key usage parsing to accept 4 byte values instead of the |
| 5662 | standard 1 byte version sometimes used by Microsoft. (Closes ticket #38) |
Paul Bakker | 1fe7d9b | 2011-11-15 15:26:03 +0000 | [diff] [blame] | 5663 | * Fixed incorrect behaviour in case of RSASSA-PSS with a salt length |
| 5664 | smaller than the hash length. (Closes ticket #41) |
Paul Bakker | 03c7c25 | 2011-11-25 12:37:37 +0000 | [diff] [blame] | 5665 | * If certificate serial is longer than 32 octets, serial number is now |
| 5666 | appended with '....' after first 28 octets |
Paul Bakker | 4463740 | 2011-11-26 09:23:07 +0000 | [diff] [blame] | 5667 | * Improved build support for s390x and sparc64 in bignum.h |
Paul Bakker | 4f5ae80 | 2011-12-04 22:10:28 +0000 | [diff] [blame] | 5668 | * Fixed MS Visual C++ name clash with int64 in sha4.h |
Paul Bakker | c50132d | 2011-12-05 14:38:36 +0000 | [diff] [blame] | 5669 | * Corrected removal of leading "00:" in printing serial numbers in |
Paul Bakker | c8ffbe7 | 2011-12-05 14:22:49 +0000 | [diff] [blame] | 5670 | certificates and CRLs |
Paul Bakker | fa1c592 | 2011-10-06 14:18:49 +0000 | [diff] [blame] | 5671 | |
Paul Bakker | 968bc98 | 2011-07-27 17:03:00 +0000 | [diff] [blame] | 5672 | = Version 1.0.0 released on 2011-07-27 |
Paul Bakker | 343a870 | 2011-06-09 14:27:58 +0000 | [diff] [blame] | 5673 | Features |
| 5674 | * Expanded cipher layer with support for CFB128 and CTR mode |
Paul Bakker | 7bc05ff | 2011-08-09 10:30:36 +0000 | [diff] [blame] | 5675 | * Added rsa_encrypt and rsa_decrypt simple example programs. |
Paul Bakker | 343a870 | 2011-06-09 14:27:58 +0000 | [diff] [blame] | 5676 | |
Paul Bakker | 42e5981 | 2011-06-09 15:55:41 +0000 | [diff] [blame] | 5677 | Changes |
| 5678 | * The generic cipher and message digest layer now have normal error |
| 5679 | codes instead of integers |
| 5680 | |
Paul Bakker | 887bd50 | 2011-06-08 13:10:54 +0000 | [diff] [blame] | 5681 | Bugfix |
| 5682 | * Undid faulty bug fix in ssl_write() when flushing old data (Ticket |
| 5683 | #18) |
| 5684 | |
Paul Bakker | 828acb2 | 2011-05-27 09:25:42 +0000 | [diff] [blame] | 5685 | = Version 0.99-pre5 released on 2011-05-26 |
Paul Bakker | b6ecaf5 | 2011-04-19 14:29:23 +0000 | [diff] [blame] | 5686 | Features |
| 5687 | * Added additional Cipher Block Modes to symmetric ciphers |
| 5688 | (AES CTR, Camellia CTR, XTEA CBC) including the option to |
Paul Bakker | a35aa54 | 2013-03-06 17:06:21 +0100 | [diff] [blame] | 5689 | enable and disable individual modes when needed |
Paul Bakker | 335db3f | 2011-04-25 15:28:35 +0000 | [diff] [blame] | 5690 | * Functions requiring File System functions can now be disabled |
| 5691 | by undefining POLARSSL_FS_IO |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 5692 | * A error_strerror function() has been added to translate between |
| 5693 | error codes and their description. |
Paul Bakker | 2f5947e | 2011-05-18 15:47:11 +0000 | [diff] [blame] | 5694 | * Added mpi_get_bit() and mpi_set_bit() individual bit setter/getter |
| 5695 | functions. |
Paul Bakker | 1496d38 | 2011-05-23 12:07:29 +0000 | [diff] [blame] | 5696 | * Added ssl_mail_client and ssl_fork_server as example programs. |
Paul Bakker | b6ecaf5 | 2011-04-19 14:29:23 +0000 | [diff] [blame] | 5697 | |
Paul Bakker | 23986e5 | 2011-04-24 08:57:21 +0000 | [diff] [blame] | 5698 | Changes |
| 5699 | * Major argument / variable rewrite. Introduced use of size_t |
| 5700 | instead of int for buffer lengths and loop variables for |
Paul Bakker | a35aa54 | 2013-03-06 17:06:21 +0100 | [diff] [blame] | 5701 | better unsigned / signed use. Renamed internal bigint types |
| 5702 | t_int and t_dbl to t_uint and t_udbl in the process |
Paul Bakker | 6c591fa | 2011-05-05 11:49:20 +0000 | [diff] [blame] | 5703 | * mpi_init() and mpi_free() now only accept a single MPI |
| 5704 | argument and do not accept variable argument lists anymore. |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 5705 | * The error codes have been remapped and combining error codes |
| 5706 | is now done with a PLUS instead of an OR as error codes |
Paul Bakker | a35aa54 | 2013-03-06 17:06:21 +0100 | [diff] [blame] | 5707 | used are negative. |
Paul Bakker | 831a755 | 2011-05-18 13:32:51 +0000 | [diff] [blame] | 5708 | * Changed behaviour of net_read(), ssl_fetch_input() and ssl_recv(). |
| 5709 | net_recv() now returns 0 on EOF instead of |
Paul Bakker | a35aa54 | 2013-03-06 17:06:21 +0100 | [diff] [blame] | 5710 | POLARSSL_ERR_NET_CONN_RESET. ssl_fetch_input() returns |
| 5711 | POLARSSL_ERR_SSL_CONN_EOF on an EOF from its f_recv() function. |
| 5712 | ssl_read() returns 0 if a POLARSSL_ERR_SSL_CONN_EOF is received |
| 5713 | after the handshake. |
Paul Bakker | 831a755 | 2011-05-18 13:32:51 +0000 | [diff] [blame] | 5714 | * Network functions now return POLARSSL_ERR_NET_WANT_READ or |
| 5715 | POLARSSL_ERR_NET_WANT_WRITE instead of the ambiguous |
Paul Bakker | a35aa54 | 2013-03-06 17:06:21 +0100 | [diff] [blame] | 5716 | POLARSSL_ERR_NET_TRY_AGAIN |
Paul Bakker | 23986e5 | 2011-04-24 08:57:21 +0000 | [diff] [blame] | 5717 | |
Paul Bakker | 3efa575 | 2011-04-01 12:23:26 +0000 | [diff] [blame] | 5718 | = Version 0.99-pre4 released on 2011-04-01 |
Paul Bakker | 9dcc322 | 2011-03-08 14:16:06 +0000 | [diff] [blame] | 5719 | Features |
| 5720 | * Added support for PKCS#1 v2.1 encoding and thus support |
| 5721 | for the RSAES-OAEP and RSASSA-PSS operations. |
Paul Bakker | e77db2e | 2011-03-25 14:01:32 +0000 | [diff] [blame] | 5722 | * Reading of Public Key files incorporated into default x509 |
| 5723 | functionality as well. |
Paul Bakker | 287781a | 2011-03-26 13:18:49 +0000 | [diff] [blame] | 5724 | * Added mpi_fill_random() for centralized filling of big numbers |
| 5725 | with random data (Fixed ticket #10) |
Paul Bakker | 9dcc322 | 2011-03-08 14:16:06 +0000 | [diff] [blame] | 5726 | |
Paul Bakker | be4e7dc | 2011-03-14 20:41:31 +0000 | [diff] [blame] | 5727 | Changes |
Hanno Becker | 01a0e07 | 2017-07-26 11:49:40 +0100 | [diff] [blame] | 5728 | * Debug print of MPI now removes leading zero octets and |
Paul Bakker | be4e7dc | 2011-03-14 20:41:31 +0000 | [diff] [blame] | 5729 | displays actual bit size of the value. |
Hanno Becker | 01a0e07 | 2017-07-26 11:49:40 +0100 | [diff] [blame] | 5730 | * x509parse_key() (and as a consequence x509parse_keyfile()) |
Paul Bakker | 9867549 | 2011-03-26 13:17:12 +0000 | [diff] [blame] | 5731 | does not zeroize memory in advance anymore. Use rsa_init() |
Paul Bakker | a35aa54 | 2013-03-06 17:06:21 +0100 | [diff] [blame] | 5732 | before parsing a key or keyfile! |
Paul Bakker | be4e7dc | 2011-03-14 20:41:31 +0000 | [diff] [blame] | 5733 | |
| 5734 | Bugfix |
| 5735 | * Debug output of MPI's now the same independent of underlying |
| 5736 | platform (32-bit / 64-bit) (Fixes ticket #19, found by Mads |
Paul Bakker | a35aa54 | 2013-03-06 17:06:21 +0100 | [diff] [blame] | 5737 | Kiilerich and Mihai Militaru) |
Paul Bakker | 1fd00bf | 2011-03-14 20:50:15 +0000 | [diff] [blame] | 5738 | * Fixed bug in ssl_write() when flushing old data (Fixed ticket |
| 5739 | #18, found by Nikolay Epifanov) |
Paul Bakker | e77db2e | 2011-03-25 14:01:32 +0000 | [diff] [blame] | 5740 | * Fixed proper handling of RSASSA-PSS verification with variable |
| 5741 | length salt lengths |
Paul Bakker | be4e7dc | 2011-03-14 20:41:31 +0000 | [diff] [blame] | 5742 | |
Paul Bakker | 345a6fe | 2011-02-28 21:20:02 +0000 | [diff] [blame] | 5743 | = Version 0.99-pre3 released on 2011-02-28 |
| 5744 | This release replaces version 0.99-pre2 which had possible copyright issues. |
Paul Bakker | 96743fc | 2011-02-12 14:30:57 +0000 | [diff] [blame] | 5745 | Features |
| 5746 | * Parsing PEM private keys encrypted with DES and AES |
| 5747 | are now supported as well (Fixes ticket #5) |
Paul Bakker | a9507c0 | 2011-02-12 15:27:28 +0000 | [diff] [blame] | 5748 | * Added crl_app program to allow easy reading and |
| 5749 | printing of X509 CRLs from file |
Paul Bakker | 96743fc | 2011-02-12 14:30:57 +0000 | [diff] [blame] | 5750 | |
| 5751 | Changes |
Hanno Becker | 01a0e07 | 2017-07-26 11:49:40 +0100 | [diff] [blame] | 5752 | * Parsing of PEM files moved to separate module (Fixes |
Paul Bakker | 96743fc | 2011-02-12 14:30:57 +0000 | [diff] [blame] | 5753 | ticket #13). Also possible to remove PEM support for |
Paul Bakker | a35aa54 | 2013-03-06 17:06:21 +0100 | [diff] [blame] | 5754 | systems only using DER encoding |
Paul Bakker | 96743fc | 2011-02-12 14:30:57 +0000 | [diff] [blame] | 5755 | |
Paul Bakker | 400ff6f | 2011-02-20 10:40:16 +0000 | [diff] [blame] | 5756 | Bugfixes |
| 5757 | * Corrected parsing of UTCTime dates before 1990 and |
| 5758 | after 1950 |
| 5759 | * Support more exotic OID's when parsing certificates |
Darryl Green | 11999bb | 2018-03-13 15:22:58 +0000 | [diff] [blame] | 5760 | (found by Mads Kiilerich) |
Paul Bakker | 400ff6f | 2011-02-20 10:40:16 +0000 | [diff] [blame] | 5761 | * Support more exotic name representations when parsing |
Paul Bakker | e2a39cc | 2011-02-20 13:49:27 +0000 | [diff] [blame] | 5762 | certificates (found by Mads Kiilerich) |
Paul Bakker | 400ff6f | 2011-02-20 10:40:16 +0000 | [diff] [blame] | 5763 | * Replaced the expired test certificates |
Paul Bakker | e2a39cc | 2011-02-20 13:49:27 +0000 | [diff] [blame] | 5764 | * Do not bail out if no client certificate specified. Try |
| 5765 | to negotiate anonymous connection (Fixes ticket #12, |
Paul Bakker | a35aa54 | 2013-03-06 17:06:21 +0100 | [diff] [blame] | 5766 | found by Boris Krasnovskiy) |
Paul Bakker | 400ff6f | 2011-02-20 10:40:16 +0000 | [diff] [blame] | 5767 | |
Paul Bakker | 345a6fe | 2011-02-28 21:20:02 +0000 | [diff] [blame] | 5768 | Security fixes |
| 5769 | * Fixed a possible Man-in-the-Middle attack on the |
| 5770 | Diffie Hellman key exchange (thanks to Larry Highsmith, |
Paul Bakker | a35aa54 | 2013-03-06 17:06:21 +0100 | [diff] [blame] | 5771 | Subreption LLC) |
Paul Bakker | 345a6fe | 2011-02-28 21:20:02 +0000 | [diff] [blame] | 5772 | |
Paul Bakker | 9fc4659 | 2011-01-30 16:59:02 +0000 | [diff] [blame] | 5773 | = Version 0.99-pre1 released on 2011-01-30 |
Paul Bakker | 37ca75d | 2011-01-06 12:28:03 +0000 | [diff] [blame] | 5774 | Features |
Paul Bakker | b63b0af | 2011-01-13 17:54:59 +0000 | [diff] [blame] | 5775 | Note: Most of these features have been donated by Fox-IT |
| 5776 | * Added Doxygen source code documentation parts |
Paul Bakker | 1b57b06 | 2011-01-06 15:48:19 +0000 | [diff] [blame] | 5777 | * Added reading of DHM context from memory and file |
Paul Bakker | 74111d3 | 2011-01-15 16:57:55 +0000 | [diff] [blame] | 5778 | * Improved X509 certificate parsing to include extended |
Paul Bakker | 76fd75a | 2011-01-16 21:12:10 +0000 | [diff] [blame] | 5779 | certificate fields, including Key Usage |
| 5780 | * Improved certificate verification and verification |
| 5781 | against the available CRLs |
Paul Bakker | 1f87fb6 | 2011-01-15 17:32:24 +0000 | [diff] [blame] | 5782 | * Detection for DES weak keys and parity bits added |
Paul Bakker | 72f6266 | 2011-01-16 21:27:44 +0000 | [diff] [blame] | 5783 | * Improvements to support integration in other |
| 5784 | applications: |
| 5785 | + Added generic message digest and cipher wrapper |
| 5786 | + Improved information about current capabilities, |
| 5787 | status, objects and configuration |
| 5788 | + Added verification callback on certificate chain |
| 5789 | verification to allow external blacklisting |
Darryl Green | 11999bb | 2018-03-13 15:22:58 +0000 | [diff] [blame] | 5790 | + Additional example programs to show usage |
Paul Bakker | 43b7e35 | 2011-01-18 15:27:19 +0000 | [diff] [blame] | 5791 | * Added support for PKCS#11 through the use of the |
| 5792 | libpkcs11-helper library |
Paul Bakker | 37ca75d | 2011-01-06 12:28:03 +0000 | [diff] [blame] | 5793 | |
Paul Bakker | b619499 | 2011-01-16 21:40:22 +0000 | [diff] [blame] | 5794 | Changes |
| 5795 | * x509parse_time_expired() checks time in addition to |
| 5796 | the existing date check |
Paul Bakker | e3166ce | 2011-01-27 17:40:50 +0000 | [diff] [blame] | 5797 | * The ciphers member of ssl_context and the cipher member |
| 5798 | of ssl_session have been renamed to ciphersuites and |
Paul Bakker | a35aa54 | 2013-03-06 17:06:21 +0100 | [diff] [blame] | 5799 | ciphersuite respectively. This clarifies the difference |
| 5800 | with the generic cipher layer and is better naming |
| 5801 | altogether |
Paul Bakker | b619499 | 2011-01-16 21:40:22 +0000 | [diff] [blame] | 5802 | |
Paul Bakker | 99ed678 | 2011-01-05 14:48:42 +0000 | [diff] [blame] | 5803 | = Version 0.14.0 released on 2010-08-16 |
| 5804 | Features |
| 5805 | * Added support for SSL_EDH_RSA_AES_128_SHA and |
| 5806 | SSL_EDH_RSA_CAMELLIA_128_SHA ciphersuites |
| 5807 | * Added compile-time and run-time version information |
| 5808 | * Expanded ssl_client2 arguments for more flexibility |
| 5809 | * Added support for TLS v1.1 |
| 5810 | |
| 5811 | Changes |
| 5812 | * Made Makefile cleaner |
| 5813 | * Removed dependency on rand() in rsa_pkcs1_encrypt(). |
| 5814 | Now using random fuction provided to function and |
Paul Bakker | a35aa54 | 2013-03-06 17:06:21 +0100 | [diff] [blame] | 5815 | changed the prototype of rsa_pkcs1_encrypt(), |
| 5816 | rsa_init() and rsa_gen_key(). |
Paul Bakker | 99ed678 | 2011-01-05 14:48:42 +0000 | [diff] [blame] | 5817 | * Some SSL defines were renamed in order to avoid |
| 5818 | future confusion |
| 5819 | |
| 5820 | Bug fixes |
| 5821 | * Fixed CMake out of source build for tests (found by |
| 5822 | kkert) |
| 5823 | * rsa_check_private() now supports PKCS1v2 keys as well |
| 5824 | * Fixed deadlock in rsa_pkcs1_encrypt() on failing random |
| 5825 | generator |
| 5826 | |
| 5827 | = Version 0.13.1 released on 2010-03-24 |
| 5828 | Bug fixes |
| 5829 | * Fixed Makefile in library that was mistakenly merged |
| 5830 | * Added missing const string fixes |
| 5831 | |
| 5832 | = Version 0.13.0 released on 2010-03-21 |
| 5833 | Features |
| 5834 | * Added option parsing for host and port selection to |
| 5835 | ssl_client2 |
| 5836 | * Added support for GeneralizedTime in X509 parsing |
| 5837 | * Added cert_app program to allow easy reading and |
| 5838 | printing of X509 certificates from file or SSL |
| 5839 | connection. |
| 5840 | |
| 5841 | Changes |
| 5842 | * Added const correctness for main code base |
| 5843 | * X509 signature algorithm determination is now |
| 5844 | in a function to allow easy future expansion |
| 5845 | * Changed symmetric cipher functions to |
| 5846 | identical interface (returning int result values) |
Paul Bakker | 60b1d10 | 2013-10-29 10:02:51 +0100 | [diff] [blame] | 5847 | * Changed ARC4 to use separate input/output buffer |
Paul Bakker | 99ed678 | 2011-01-05 14:48:42 +0000 | [diff] [blame] | 5848 | * Added reset function for HMAC context as speed-up |
| 5849 | for specific use-cases |
| 5850 | |
| 5851 | Bug fixes |
| 5852 | * Fixed bug resulting in failure to send the last |
| 5853 | certificate in the chain in ssl_write_certificate() and |
| 5854 | ssl_write_certificate_request() (found by fatbob) |
| 5855 | * Added small fixes for compiler warnings on a Mac |
| 5856 | (found by Frank de Brabander) |
| 5857 | * Fixed algorithmic bug in mpi_is_prime() (found by |
| 5858 | Smbat Tonoyan) |
| 5859 | |
| 5860 | = Version 0.12.1 released on 2009-10-04 |
| 5861 | Changes |
| 5862 | * Coverage test definitions now support 'depends_on' |
| 5863 | tagging system. |
| 5864 | * Tests requiring specific hashing algorithms now honor |
| 5865 | the defines. |
| 5866 | |
| 5867 | Bug fixes |
| 5868 | * Changed typo in #ifdef in x509parse.c (found |
| 5869 | by Eduardo) |
| 5870 | |
| 5871 | = Version 0.12.0 released on 2009-07-28 |
| 5872 | Features |
| 5873 | * Added CMake makefiles as alternative to regular Makefiles. |
| 5874 | * Added preliminary Code Coverage tests for AES, ARC4, |
| 5875 | Base64, MPI, SHA-family, MD-family, HMAC-SHA-family, |
| 5876 | Camellia, DES, 3-DES, RSA PKCS#1, XTEA, Diffie-Hellman |
| 5877 | and X509parse. |
| 5878 | |
| 5879 | Changes |
| 5880 | * Error codes are not (necessarily) negative. Keep |
| 5881 | this is mind when checking for errors. |
| 5882 | * RSA_RAW renamed to SIG_RSA_RAW for consistency. |
| 5883 | * Fixed typo in name of POLARSSL_ERR_RSA_OUTPUT_TOO_LARGE. |
| 5884 | * Changed interface for AES and Camellia setkey functions |
| 5885 | to indicate invalid key lengths. |
| 5886 | |
| 5887 | Bug fixes |
| 5888 | * Fixed include location of endian.h on FreeBSD (found by |
| 5889 | Gabriel) |
| 5890 | * Fixed include location of endian.h and name clash on |
| 5891 | Apples (found by Martin van Hensbergen) |
| 5892 | * Fixed HMAC-MD2 by modifying md2_starts(), so that the |
| 5893 | required HMAC ipad and opad variables are not cleared. |
| 5894 | (found by code coverage tests) |
Hanno Becker | 01a0e07 | 2017-07-26 11:49:40 +0100 | [diff] [blame] | 5895 | * Prevented use of long long in bignum if |
Paul Bakker | 99ed678 | 2011-01-05 14:48:42 +0000 | [diff] [blame] | 5896 | POLARSSL_HAVE_LONGLONG not defined (found by Giles |
| 5897 | Bathgate). |
| 5898 | * Fixed incorrect handling of negative strings in |
| 5899 | mpi_read_string() (found by code coverage tests). |
| 5900 | * Fixed segfault on handling empty rsa_context in |
| 5901 | rsa_check_pubkey() and rsa_check_privkey() (found by |
| 5902 | code coverage tests). |
| 5903 | * Fixed incorrect handling of one single negative input |
| 5904 | value in mpi_add_abs() (found by code coverage tests). |
| 5905 | * Fixed incorrect handling of negative first input |
| 5906 | value in mpi_sub_abs() (found by code coverage tests). |
| 5907 | * Fixed incorrect handling of negative first input |
| 5908 | value in mpi_mod_mpi() and mpi_mod_int(). Resulting |
| 5909 | change also affects mpi_write_string() (found by code |
| 5910 | coverage tests). |
| 5911 | * Corrected is_prime() results for 0, 1 and 2 (found by |
| 5912 | code coverage tests). |
| 5913 | * Fixed Camellia and XTEA for 64-bit Windows systems. |
| 5914 | |
| 5915 | = Version 0.11.1 released on 2009-05-17 |
| 5916 | * Fixed missing functionality for SHA-224, SHA-256, SHA384, |
| 5917 | SHA-512 in rsa_pkcs1_sign() |
| 5918 | |
| 5919 | = Version 0.11.0 released on 2009-05-03 |
| 5920 | * Fixed a bug in mpi_gcd() so that it also works when both |
| 5921 | input numbers are even and added testcases to check |
| 5922 | (found by Pierre Habouzit). |
| 5923 | * Added support for SHA-224, SHA-256, SHA-384 and SHA-512 |
| 5924 | one way hash functions with the PKCS#1 v1.5 signing and |
| 5925 | verification. |
| 5926 | * Fixed minor bug regarding mpi_gcd located within the |
| 5927 | POLARSSL_GENPRIME block. |
| 5928 | * Fixed minor memory leak in x509parse_crt() and added better |
| 5929 | handling of 'full' certificate chains (found by Mathias |
| 5930 | Olsson). |
| 5931 | * Centralized file opening and reading for x509 files into |
| 5932 | load_file() |
| 5933 | * Made definition of net_htons() endian-clean for big endian |
| 5934 | systems (Found by Gernot). |
| 5935 | * Undefining POLARSSL_HAVE_ASM now also handles prevents asm in |
Hanno Becker | 01a0e07 | 2017-07-26 11:49:40 +0100 | [diff] [blame] | 5936 | padlock and timing code. |
Paul Bakker | 99ed678 | 2011-01-05 14:48:42 +0000 | [diff] [blame] | 5937 | * Fixed an off-by-one buffer allocation in ssl_set_hostname() |
| 5938 | responsible for crashes and unwanted behaviour. |
| 5939 | * Added support for Certificate Revocation List (CRL) parsing. |
| 5940 | * Added support for CRL revocation to x509parse_verify() and |
| 5941 | SSL/TLS code. |
| 5942 | * Fixed compatibility of XTEA and Camellia on a 64-bit system |
| 5943 | (found by Felix von Leitner). |
| 5944 | |
| 5945 | = Version 0.10.0 released on 2009-01-12 |
| 5946 | * Migrated XySSL to PolarSSL |
| 5947 | * Added XTEA symmetric cipher |
| 5948 | * Added Camellia symmetric cipher |
| 5949 | * Added support for ciphersuites: SSL_RSA_CAMELLIA_128_SHA, |
| 5950 | SSL_RSA_CAMELLIA_256_SHA and SSL_EDH_RSA_CAMELLIA_256_SHA |
| 5951 | * Fixed dangerous bug that can cause a heap overflow in |
| 5952 | rsa_pkcs1_decrypt (found by Christophe Devine) |
| 5953 | |
| 5954 | ================================================================ |
| 5955 | XySSL ChangeLog |
| 5956 | |
| 5957 | = Version 0.9 released on 2008-03-16 |
| 5958 | |
| 5959 | * Added support for ciphersuite: SSL_RSA_AES_128_SHA |
| 5960 | * Enabled support for large files by default in aescrypt2.c |
| 5961 | * Preliminary openssl wrapper contributed by David Barrett |
| 5962 | * Fixed a bug in ssl_write() that caused the same payload to |
| 5963 | be sent twice in non-blocking mode when send returns EAGAIN |
| 5964 | * Fixed ssl_parse_client_hello(): session id and challenge must |
| 5965 | not be swapped in the SSLv2 ClientHello (found by Greg Robson) |
| 5966 | * Added user-defined callback debug function (Krystian Kolodziej) |
| 5967 | * Before freeing a certificate, properly zero out all cert. data |
| 5968 | * Fixed the "mode" parameter so that encryption/decryption are |
| 5969 | not swapped on PadLock; also fixed compilation on older versions |
| 5970 | of gcc (bug reported by David Barrett) |
| 5971 | * Correctly handle the case in padlock_xcryptcbc() when input or |
Antonin Décimo | 36e89b5 | 2019-01-23 15:24:37 +0100 | [diff] [blame] | 5972 | output data is non-aligned by falling back to the software |
Paul Bakker | 99ed678 | 2011-01-05 14:48:42 +0000 | [diff] [blame] | 5973 | implementation, as VIA Nehemiah cannot handle non-aligned buffers |
| 5974 | * Fixed a memory leak in x509parse_crt() which was reported by Greg |
| 5975 | Robson-Garth; some x509write.c fixes by Pascal Vizeli, thanks to |
| 5976 | Matthew Page who reported several bugs |
| 5977 | * Fixed x509_get_ext() to accept some rare certificates which have |
| 5978 | an INTEGER instead of a BOOLEAN for BasicConstraints::cA. |
| 5979 | * Added support on the client side for the TLS "hostname" extension |
| 5980 | (patch contributed by David Patino) |
| 5981 | * Make x509parse_verify() return BADCERT_CN_MISMATCH when an empty |
| 5982 | string is passed as the CN (bug reported by spoofy) |
| 5983 | * Added an option to enable/disable the BN assembly code |
| 5984 | * Updated rsa_check_privkey() to verify that (D*E) = 1 % (P-1)*(Q-1) |
| 5985 | * Disabled obsolete hash functions by default (MD2, MD4); updated |
| 5986 | selftest and benchmark to not test ciphers that have been disabled |
| 5987 | * Updated x509parse_cert_info() to correctly display byte 0 of the |
| 5988 | serial number, setup correct server port in the ssl client example |
| 5989 | * Fixed a critical denial-of-service with X.509 cert. verification: |
| 5990 | peer may cause xyssl to loop indefinitely by sending a certificate |
| 5991 | for which the RSA signature check fails (bug reported by Benoit) |
| 5992 | * Added test vectors for: AES-CBC, AES-CFB, DES-CBC and 3DES-CBC, |
| 5993 | HMAC-MD5, HMAC-SHA1, HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512 |
| 5994 | * Fixed HMAC-SHA-384 and HMAC-SHA-512 (thanks to Josh Sinykin) |
| 5995 | * Modified ssl_parse_client_key_exchange() to protect against |
| 5996 | Daniel Bleichenbacher attack on PKCS#1 v1.5 padding, as well |
| 5997 | as the Klima-Pokorny-Rosa extension of Bleichenbacher's attack |
| 5998 | * Updated rsa_gen_key() so that ctx->N is always nbits in size |
| 5999 | * Fixed assembly PPC compilation errors on Mac OS X, thanks to |
| 6000 | David Barrett and Dusan Semen |
| 6001 | |
| 6002 | = Version 0.8 released on 2007-10-20 |
| 6003 | |
| 6004 | * Modified the HMAC functions to handle keys larger |
| 6005 | than 64 bytes, thanks to Stephane Desneux and gary ng |
| 6006 | * Fixed ssl_read_record() to properly update the handshake |
| 6007 | message digests, which fixes IE6/IE7 client authentication |
| 6008 | * Cleaned up the XYSSL* #defines, suggested by Azriel Fasten |
| 6009 | * Fixed net_recv(), thanks to Lorenz Schori and Egon Kocjan |
| 6010 | * Added user-defined callbacks for handling I/O and sessions |
| 6011 | * Added lots of debugging output in the SSL/TLS functions |
| 6012 | * Added preliminary X.509 cert. writing by Pascal Vizeli |
| 6013 | * Added preliminary support for the VIA PadLock routines |
| 6014 | * Added AES-CFB mode of operation, contributed by chmike |
| 6015 | * Added an SSL/TLS stress testing program (ssl_test.c) |
| 6016 | * Updated the RSA PKCS#1 code to allow choosing between |
| 6017 | RSA_PUBLIC and RSA_PRIVATE, as suggested by David Barrett |
| 6018 | * Updated ssl_read() to skip 0-length records from OpenSSL |
| 6019 | * Fixed the make install target to comply with *BSD make |
| 6020 | * Fixed a bug in mpi_read_binary() on 64-bit platforms |
| 6021 | * mpi_is_prime() speedups, thanks to Kevin McLaughlin |
| 6022 | * Fixed a long standing memory leak in mpi_is_prime() |
| 6023 | * Replaced realloc with malloc in mpi_grow(), and set |
| 6024 | the sign of zero as positive in mpi_init() (reported |
| 6025 | by Jonathan M. McCune) |
| 6026 | |
| 6027 | = Version 0.7 released on 2007-07-07 |
| 6028 | |
| 6029 | * Added support for the MicroBlaze soft-core processor |
| 6030 | * Fixed a bug in ssl_tls.c which sometimes prevented SSL |
| 6031 | connections from being established with non-blocking I/O |
| 6032 | * Fixed a couple bugs in the VS6 and UNIX Makefiles |
| 6033 | * Fixed the "PIC register ebx clobbered in asm" bug |
| 6034 | * Added HMAC starts/update/finish support functions |
| 6035 | * Added the SHA-224, SHA-384 and SHA-512 hash functions |
| 6036 | * Fixed the net_set_*block routines, thanks to Andreas |
| 6037 | * Added a few demonstration programs: md5sum, sha1sum, |
| 6038 | dh_client, dh_server, rsa_genkey, rsa_sign, rsa_verify |
| 6039 | * Added new bignum import and export helper functions |
| 6040 | * Rewrote README.txt in program/ssl/ca to better explain |
| 6041 | how to create a test PKI |
| 6042 | |
| 6043 | = Version 0.6 released on 2007-04-01 |
| 6044 | |
| 6045 | * Ciphers used in SSL/TLS can now be disabled at compile |
| 6046 | time, to reduce the memory footprint on embedded systems |
| 6047 | * Added multiply assembly code for the TriCore and modified |
| 6048 | havege_struct for this processor, thanks to David Patiño |
| 6049 | * Added multiply assembly code for 64-bit PowerPCs, |
| 6050 | thanks to Peking University and the OSU Open Source Lab |
| 6051 | * Added experimental support of Quantum Cryptography |
| 6052 | * Added support for autoconf, contributed by Arnaud Cornet |
| 6053 | * Fixed "long long" compilation issues on IA-64 and PPC64 |
| 6054 | * Fixed a bug introduced in xyssl-0.5/timing.c: hardclock |
| 6055 | was not being correctly defined on ARM and MIPS |
| 6056 | |
| 6057 | = Version 0.5 released on 2007-03-01 |
| 6058 | |
| 6059 | * Added multiply assembly code for SPARC and Alpha |
| 6060 | * Added (beta) support for non-blocking I/O operations |
| 6061 | * Implemented session resuming and client authentication |
| 6062 | * Fixed some portability issues on WinCE, MINIX 3, Plan9 |
| 6063 | (thanks to Benjamin Newman), HP-UX, FreeBSD and Solaris |
| 6064 | * Improved the performance of the EDH key exchange |
| 6065 | * Fixed a bug that caused valid packets with a payload |
| 6066 | size of 16384 bytes to be rejected |
| 6067 | |
| 6068 | = Version 0.4 released on 2007-02-01 |
| 6069 | |
| 6070 | * Added support for Ephemeral Diffie-Hellman key exchange |
| 6071 | * Added multiply asm code for SSE2, ARM, PPC, MIPS and M68K |
| 6072 | * Various improvement to the modular exponentiation code |
| 6073 | * Rewrote the headers to generate the API docs with doxygen |
| 6074 | * Fixed a bug in ssl_encrypt_buf (incorrect padding was |
| 6075 | generated) and in ssl_parse_client_hello (max. client |
| 6076 | version was not properly set), thanks to Didier Rebeix |
| 6077 | * Fixed another bug in ssl_parse_client_hello: clients with |
| 6078 | cipherlists larger than 96 bytes were incorrectly rejected |
| 6079 | * Fixed a couple memory leak in x509_read.c |
| 6080 | |
| 6081 | = Version 0.3 released on 2007-01-01 |
| 6082 | |
| 6083 | * Added server-side SSLv3 and TLSv1.0 support |
| 6084 | * Multiple fixes to enhance the compatibility with g++, |
| 6085 | thanks to Xosé Antón Otero Ferreira |
| 6086 | * Fixed a bug in the CBC code, thanks to dowst; also, |
Paul Bakker | 60b1d10 | 2013-10-29 10:02:51 +0100 | [diff] [blame] | 6087 | the bignum code is no longer dependent on long long |
Paul Bakker | 99ed678 | 2011-01-05 14:48:42 +0000 | [diff] [blame] | 6088 | * Updated rsa_pkcs1_sign to handle arbitrary large inputs |
| 6089 | * Updated timing.c for improved compatibility with i386 |
| 6090 | and 486 processors, thanks to Arnaud Cornet |
| 6091 | |
| 6092 | = Version 0.2 released on 2006-12-01 |
| 6093 | |
| 6094 | * Updated timing.c to support ARM and MIPS arch |
| 6095 | * Updated the MPI code to support 8086 on MSVC 1.5 |
| 6096 | * Added the copyright notice at the top of havege.h |
| 6097 | * Fixed a bug in sha2_hmac, thanks to newsoft/Wenfang Zhang |
| 6098 | * Fixed a bug reported by Adrian Rüegsegger in x509_read_key |
| 6099 | * Fixed a bug reported by Torsten Lauter in ssl_read_record |
| 6100 | * Fixed a bug in rsa_check_privkey that would wrongly cause |
| 6101 | valid RSA keys to be dismissed (thanks to oldwolf) |
| 6102 | * Fixed a bug in mpi_is_prime that caused some primes to fail |
| 6103 | the Miller-Rabin primality test |
| 6104 | |
| 6105 | I'd also like to thank Younès Hafri for the CRUX linux port, |
| 6106 | Khalil Petit who added XySSL into pkgsrc and Arnaud Cornet |
| 6107 | who maintains the Debian package :-) |
| 6108 | |
| 6109 | = Version 0.1 released on 2006-11-01 |