Assemble Changelog for 3.4.0 release
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
This commit is contained in:
Paul Elliott
parent
4903139bc4
commit
dbe435cda0
50 changed files with 211 additions and 258 deletions
211
ChangeLog
211
ChangeLog
|
|
@ -1,5 +1,216 @@
|
|||
Mbed TLS ChangeLog (Sorted per branch, date)
|
||||
|
||||
= Mbed TLS 3.4.0 branch released 2023-03-28
|
||||
|
||||
Default behavior changes
|
||||
* The default priority order of TLS 1.3 cipher suites has been modified to
|
||||
follow the same rules as the TLS 1.2 cipher suites (see
|
||||
ssl_ciphersuites.c). The preferred cipher suite is now
|
||||
TLS_CHACHA20_POLY1305_SHA256.
|
||||
|
||||
New deprecations
|
||||
* mbedtls_x509write_crt_set_serial() is now being deprecated in favor of
|
||||
mbedtls_x509write_crt_set_serial_raw(). The goal here is to remove any
|
||||
direct dependency of X509 on BIGNUM_C.
|
||||
* PSA to mbedtls error translation is now unified in psa_util.h,
|
||||
deprecating mbedtls_md_error_from_psa. Each file that performs error
|
||||
translation should define its own version of PSA_TO_MBEDTLS_ERR,
|
||||
optionally providing file-specific error pairs. Please see psa_util.h for
|
||||
more details.
|
||||
|
||||
Features
|
||||
* Added partial support for parsing the PKCS #7 Cryptographic Message
|
||||
Syntax, as defined in RFC 2315. Currently, support is limited to the
|
||||
following:
|
||||
- Only the signed-data content type, version 1 is supported.
|
||||
- Only DER encoding is supported.
|
||||
- Only a single digest algorithm per message is supported.
|
||||
- Certificates must be in X.509 format. A message must have either 0
|
||||
or 1 certificates.
|
||||
- There is no support for certificate revocation lists.
|
||||
- The authenticated and unauthenticated attribute fields of SignerInfo
|
||||
must be empty.
|
||||
Many thanks to Daniel Axtens, Nayna Jain, and Nick Child from IBM for
|
||||
contributing this feature, and to Demi-Marie Obenour for contributing
|
||||
various improvements, tests and bug fixes.
|
||||
* General performance improvements by accessing multiple bytes at a time.
|
||||
Fixes #1666.
|
||||
* Improvements to use of unaligned and byte-swapped memory, reducing code
|
||||
size and improving performance (depending on compiler and target
|
||||
architecture).
|
||||
* Add support for reading points in compressed format
|
||||
(MBEDTLS_ECP_PF_COMPRESSED) with mbedtls_ecp_point_read_binary()
|
||||
(and callers) for Short Weierstrass curves with prime p where p = 3 mod 4
|
||||
(all mbedtls MBEDTLS_ECP_DP_SECP* and MBEDTLS_ECP_DP_BP* curves
|
||||
except MBEDTLS_ECP_DP_SECP224R1 and MBEDTLS_ECP_DP_SECP224K1)
|
||||
* SHA224_C/SHA384_C are now independent from SHA384_C/SHA512_C respectively.
|
||||
This helps in saving code size when some of the above hashes are not
|
||||
required.
|
||||
* Add parsing of V3 extensions (key usage, Netscape cert-type,
|
||||
Subject Alternative Names) in x509 Certificate Sign Requests.
|
||||
* Use HOSTCC (if it is set) when compiling C code during generation of the
|
||||
configuration-independent files. This allows them to be generated when
|
||||
CC is set for cross compilation.
|
||||
* Add parsing of uniformResourceIdentifier subtype for subjectAltName
|
||||
extension in x509 certificates.
|
||||
* Add an interruptible version of sign and verify hash to the PSA interface,
|
||||
backed by internal library support for ECDSA signing and verification.
|
||||
* Add parsing of rfc822Name subtype for subjectAltName
|
||||
extension in x509 certificates.
|
||||
* The configuration macros MBEDTLS_PSA_CRYPTO_PLATFORM_FILE and
|
||||
MBEDTLS_PSA_CRYPTO_STRUCT_FILE specify alternative locations for
|
||||
the headers "psa/crypto_platform.h" and "psa/crypto_struct.h".
|
||||
* When a PSA driver for ECDSA is present, it is now possible to disable
|
||||
MBEDTLS_ECDSA_C in the build in order to save code size. For PK, X.509
|
||||
and TLS to fully work, this requires MBEDTLS_USE_PSA_CRYPTO to be enabled.
|
||||
Restartable/interruptible ECDSA operations in PK, X.509 and TLS are not
|
||||
supported in those builds yet, as driver support for interruptible ECDSA
|
||||
operations is not present yet.
|
||||
* Add a driver dispatch layer for EC J-PAKE, enabling alternative
|
||||
implementations of EC J-PAKE through the driver entry points.
|
||||
* Add new API mbedtls_ssl_cache_remove for cache entry removal by
|
||||
its session id.
|
||||
* Add support to include the SubjectAltName extension to a CSR.
|
||||
* Add support for AES with the Armv8-A Cryptographic Extension on
|
||||
64-bit Arm. A new configuration option, MBEDTLS_AESCE_C, can
|
||||
be used to enable this feature. Run-time detection is supported
|
||||
under Linux only.
|
||||
* When a PSA driver for EC J-PAKE is present, it is now possible to disable
|
||||
MBEDTLS_ECJPAKE_C in the build in order to save code size. For the
|
||||
corresponding TLS 1.2 key exchange to work, MBEDTLS_USE_PSA_CRYPTO needs
|
||||
to be enabled.
|
||||
* Add functions mbedtls_rsa_get_padding_mode() and mbedtls_rsa_get_md_alg()
|
||||
to read non-public fields for padding mode and hash id from
|
||||
an mbedtls_rsa_context, as requested in #6917.
|
||||
* AES-NI is now supported with Visual Studio.
|
||||
* AES-NI is now supported in 32-bit builds, or when MBEDTLS_HAVE_ASM
|
||||
is disabled, when compiling with GCC or Clang or a compatible compiler
|
||||
for a target CPU that supports the requisite instructions (for example
|
||||
gcc -m32 -msse2 -maes -mpclmul). (Generic x86 builds with GCC-like
|
||||
compilers still require MBEDTLS_HAVE_ASM and a 64-bit target.)
|
||||
* It is now possible to use a PSA-held (opaque) password with the TLS 1.2
|
||||
ECJPAKE key exchange, using the new API function
|
||||
mbedtls_ssl_set_hs_ecjpake_password_opaque().
|
||||
|
||||
Security
|
||||
* Use platform-provided secure zeroization function where possible, such as
|
||||
explicit_bzero().
|
||||
* Zeroize SSL cache entries when they are freed.
|
||||
* Fix a potential heap buffer overread in TLS 1.3 client-side when
|
||||
MBEDTLS_DEBUG_C is enabled. This may result in an application crash.
|
||||
* Add support for AES with the Armv8-A Cryptographic Extension on 64-bit
|
||||
Arm, so that these systems are no longer vulnerable to timing side-channel
|
||||
attacks. This is configured by MBEDTLS_AESCE_C, which is on by default.
|
||||
Reported by Demi Marie Obenour.
|
||||
* MBEDTLS_AESNI_C, which is enabled by default, was silently ignored on
|
||||
builds that couldn't compile the GCC-style assembly implementation
|
||||
(most notably builds with Visual Studio), leaving them vulnerable to
|
||||
timing side-channel attacks. There is now an intrinsics-based AES-NI
|
||||
implementation as a fallback for when the assembly one cannot be used.
|
||||
|
||||
Bugfix
|
||||
* Fix possible integer overflow in mbedtls_timing_hardclock(), which
|
||||
could cause a crash in programs/test/benchmark.
|
||||
* Fix IAR compiler warnings. Fixes #6924.
|
||||
* Fix a bug in the build where directory names containing spaces were
|
||||
causing generate_errors.pl to error out resulting in a build failure.
|
||||
Fixes issue #6879.
|
||||
* In TLS 1.3, when using a ticket for session resumption, tweak its age
|
||||
calculation on the client side. It prevents a server with more accurate
|
||||
ticket timestamps (typically timestamps in milliseconds) compared to the
|
||||
Mbed TLS ticket timestamps (in seconds) to compute a ticket age smaller
|
||||
than the age computed and transmitted by the client and thus potentially
|
||||
reject the ticket. Fix #6623.
|
||||
* Fix compile error where MBEDTLS_RSA_C and MBEDTLS_X509_CRT_WRITE_C are
|
||||
defined, but MBEDTLS_PK_RSA_ALT_SUPPORT is not defined. Fixes #3174.
|
||||
* List PSA_WANT_ALG_CCM_STAR_NO_TAG in psa/crypto_config.h so that it can
|
||||
be toggled with config.py.
|
||||
* The key derivation algorithm PSA_ALG_TLS12_ECJPAKE_TO_PMS cannot be
|
||||
used on a shared secret from a key agreement since its input must be
|
||||
an ECC public key. Reject this properly.
|
||||
* mbedtls_x509write_crt_set_serial() now explicitly rejects serial numbers
|
||||
whose binary representation is longer than 20 bytes. This was already
|
||||
forbidden by the standard (RFC5280 - section 4.1.2.2) and now it's being
|
||||
enforced also at code level.
|
||||
* Fix potential undefined behavior in mbedtls_mpi_sub_abs(). Reported by
|
||||
Pascal Cuoq using TrustInSoft Analyzer in #6701; observed independently by
|
||||
Aaron Ucko under Valgrind.
|
||||
* Fix behavior of certain sample programs which could, when run with no
|
||||
arguments, access uninitialized memory in some cases. Fixes #6700 (which
|
||||
was found by TrustInSoft Analyzer during REDOCS'22) and #1120.
|
||||
* Fix parsing of X.509 SubjectAlternativeName extension. Previously,
|
||||
malformed alternative name components were not caught during initial
|
||||
certificate parsing, but only on subsequent calls to
|
||||
mbedtls_x509_parse_subject_alt_name(). Fixes #2838.
|
||||
* Make the fields of mbedtls_pk_rsassa_pss_options public. This makes it
|
||||
possible to verify RSA PSS signatures with the pk module, which was
|
||||
inadvertently broken since Mbed TLS 3.0.
|
||||
* Fix bug in conversion from OID to string in
|
||||
mbedtls_oid_get_numeric_string(). OIDs such as 2.40.0.25 are now printed
|
||||
correctly.
|
||||
* Reject OIDs with overlong-encoded subidentifiers when converting
|
||||
them to a string.
|
||||
* Reject OIDs with subidentifier values exceeding UINT_MAX. Such
|
||||
subidentifiers can be valid, but Mbed TLS cannot currently handle them.
|
||||
* Reject OIDs that have unterminated subidentifiers, or (equivalently)
|
||||
have the most-significant bit set in their last byte.
|
||||
* Silence warnings from clang -Wdocumentation about empty \retval
|
||||
descriptions, which started appearing with Clang 15. Fixes #6960.
|
||||
* Fix the handling of renegotiation attempts in TLS 1.3. They are now
|
||||
systematically rejected.
|
||||
* Fix an unused-variable warning in TLS 1.3-only builds if
|
||||
MBEDTLS_SSL_RENEGOTIATION was enabled. Fixes #6200.
|
||||
* Fix undefined behavior in mbedtls_ssl_read() and mbedtls_ssl_write() if
|
||||
len argument is 0 and buffer is NULL.
|
||||
* Allow setting user and peer identifiers for EC J-PAKE operation
|
||||
instead of role in PAKE PSA Crypto API as described in the specification.
|
||||
This is a partial fix that allows only "client" and "server" identifiers.
|
||||
* Fix a compilation error when PSA Crypto is built with support for
|
||||
TLS12_PRF but not TLS12_PSK_TO_MS. Reported by joerchan in #7125.
|
||||
* In the TLS 1.3 server, select the preferred client cipher suite, not the
|
||||
least preferred. The selection error was introduced in Mbed TLS 3.3.0.
|
||||
* Fix TLS 1.3 session resumption when the established pre-shared key is
|
||||
384 bits long. That is the length of pre-shared keys created under a
|
||||
session where the cipher suite is TLS_AES_256_GCM_SHA384.
|
||||
* Fix an issue when compiling with MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT
|
||||
enabled, which required specifying compiler flags enabling SHA3 Crypto
|
||||
Extensions, where some compilers would emit EOR3 instructions in other
|
||||
modules, which would then fail if run on a CPU without the SHA3
|
||||
extensions. Fixes #5758.
|
||||
|
||||
Changes
|
||||
* Install the .cmake files into CMAKE_INSTALL_LIBDIR/cmake/MbedTLS,
|
||||
typically /usr/lib/cmake/MbedTLS.
|
||||
* Mixed-endian systems are explicitly not supported any more.
|
||||
* When MBEDTLS_USE_PSA_CRYPTO and MBEDTLS_ECDSA_DETERMINISTIC are both
|
||||
defined, mbedtls_pk_sign() now use deterministic ECDSA for ECDSA
|
||||
signatures. This aligns the behaviour with MBEDTLS_USE_PSA_CRYPTO to
|
||||
the behaviour without it, where deterministic ECDSA was already used.
|
||||
* Visual Studio: Rename the directory containing Visual Studio files from
|
||||
visualc/VS2010 to visualc/VS2013 as we do not support building with versions
|
||||
older than 2013. Update the solution file to specify VS2013 as a minimum.
|
||||
* programs/x509/cert_write:
|
||||
- now it accepts the serial number in 2 different formats: decimal and
|
||||
hex. They cannot be used simultaneously
|
||||
- "serial" is used for the decimal format and it's limted in size to
|
||||
unsigned long long int
|
||||
- "serial_hex" is used for the hex format; max length here is
|
||||
MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN*2
|
||||
* The C code follows a new coding style. This is transparent for users but
|
||||
affects contributors and maintainers of local patches. For more
|
||||
information, see
|
||||
https://mbed-tls.readthedocs.io/en/latest/kb/how-to/rewrite-branch-for-coding-style/
|
||||
* Changed the default MBEDTLS_ECP_WINDOW_SIZE from 6 to 2.
|
||||
As tested in issue 6790, the correlation between this define and
|
||||
RSA decryption performance has changed lately due to security fixes.
|
||||
To fix the performance degradation when using default values the
|
||||
window was reduced from 6 to 2, a value that gives the best or close
|
||||
to best results when tested on Cortex-M4 and Intel i7.
|
||||
* When enabling MBEDTLS_SHA256_USE_A64_CRYPTO_* or
|
||||
MBEDTLS_SHA512_USE_A64_CRYPTO_*, it is no longer necessary to specify
|
||||
compiler target flags on the command line; the library now sets target
|
||||
options within the appropriate modules.
|
||||
|
||||
= Mbed TLS 3.3.0 branch released 2022-12-14
|
||||
|
||||
Default behavior changes
|
||||
|
|
|
|||
|
|
@ -1,5 +0,0 @@
|
|||
Features
|
||||
* Add new API mbedtls_ssl_cache_remove for cache entry removal by
|
||||
its session id.
|
||||
Security
|
||||
* Zeroize SSL cache entries when they are freed.
|
||||
|
|
@ -1,3 +0,0 @@
|
|||
Features
|
||||
* Add parsing of uniformResourceIdentifier subtype for subjectAltName
|
||||
extension in x509 certificates.
|
||||
|
|
@ -1,5 +0,0 @@
|
|||
Features
|
||||
* Add an interruptible version of sign and verify hash to the PSA interface,
|
||||
backed by internal library support for ECDSA signing and verification.
|
||||
|
||||
|
||||
|
|
@ -1,5 +0,0 @@
|
|||
Security
|
||||
* Add support for AES with the Armv8-A Cryptographic Extension on 64-bit
|
||||
Arm, so that these systems are no longer vulnerable to timing side-channel
|
||||
attacks. This is configured by MBEDTLS_AESCE_C, which is on by default.
|
||||
Reported by Demi Marie Obenour.
|
||||
|
|
@ -1,6 +0,0 @@
|
|||
Security
|
||||
* MBEDTLS_AESNI_C, which is enabled by default, was silently ignored on
|
||||
builds that couldn't compile the GCC-style assembly implementation
|
||||
(most notably builds with Visual Studio), leaving them vulnerable to
|
||||
timing side-channel attacks. There is now an intrinsics-based AES-NI
|
||||
implementation as a fallback for when the assembly one cannot be used.
|
||||
|
|
@ -1,7 +0,0 @@
|
|||
Features
|
||||
* AES-NI is now supported with Visual Studio.
|
||||
* AES-NI is now supported in 32-bit builds, or when MBEDTLS_HAVE_ASM
|
||||
is disabled, when compiling with GCC or Clang or a compatible compiler
|
||||
for a target CPU that supports the requisite instructions (for example
|
||||
gcc -m32 -msse2 -maes -mpclmul). (Generic x86 builds with GCC-like
|
||||
compilers still require MBEDTLS_HAVE_ASM and a 64-bit target.)
|
||||
|
|
@ -1,8 +0,0 @@
|
|||
Features
|
||||
* General performance improvements by accessing multiple bytes at a time.
|
||||
Fixes #1666.
|
||||
* Improvements to use of unaligned and byte-swapped memory, reducing code
|
||||
size and improving performance (depending on compiler and target
|
||||
architecture).
|
||||
Changes
|
||||
* Mixed-endian systems are explicitly not supported any more.
|
||||
|
|
@ -1,5 +0,0 @@
|
|||
Features
|
||||
* Add support for AES with the Armv8-A Cryptographic Extension on
|
||||
64-bit Arm. A new configuration option, MBEDTLS_AESCE_C, can
|
||||
be used to enable this feature. Run-time detection is supported
|
||||
under Linux only.
|
||||
|
|
@ -1,4 +0,0 @@
|
|||
Features
|
||||
* Use HOSTCC (if it is set) when compiling C code during generation of the
|
||||
configuration-independent files. This allows them to be generated when
|
||||
CC is set for cross compilation.
|
||||
|
|
@ -1,3 +0,0 @@
|
|||
Bugfix
|
||||
* Fix a compilation error when PSA Crypto is built with support for
|
||||
TLS12_PRF but not TLS12_PSK_TO_MS. Reported by joerchan in #7125.
|
||||
|
|
@ -1,3 +0,0 @@
|
|||
Changes
|
||||
* Install the .cmake files into CMAKE_INSTALL_LIBDIR/cmake/MbedTLS,
|
||||
typically /usr/lib/cmake/MbedTLS.
|
||||
|
|
@ -1,5 +0,0 @@
|
|||
Changes
|
||||
* The C code follows a new coding style. This is transparent for users but
|
||||
affects contributors and maintainers of local patches. For more
|
||||
information, see
|
||||
https://mbed-tls.readthedocs.io/en/latest/kb/how-to/rewrite-branch-for-coding-style/
|
||||
|
|
@ -1,4 +0,0 @@
|
|||
Bugfix
|
||||
* Fix potential undefined behavior in mbedtls_mpi_sub_abs(). Reported by
|
||||
Pascal Cuoq using TrustInSoft Analyzer in #6701; observed independently by
|
||||
Aaron Ucko under Valgrind.
|
||||
|
|
@ -1,3 +0,0 @@
|
|||
Bugfix
|
||||
* List PSA_WANT_ALG_CCM_STAR_NO_TAG in psa/crypto_config.h so that it can
|
||||
be toggled with config.py.
|
||||
|
|
@ -1,3 +0,0 @@
|
|||
Features
|
||||
* Add parsing of V3 extensions (key usage, Netscape cert-type,
|
||||
Subject Alternative Names) in x509 Certificate Sign Requests.
|
||||
|
|
@ -1,7 +0,0 @@
|
|||
Features
|
||||
* When a PSA driver for ECDSA is present, it is now possible to disable
|
||||
MBEDTLS_ECDSA_C in the build in order to save code size. For PK, X.509
|
||||
and TLS to fully work, this requires MBEDTLS_USE_PSA_CRYPTO to be enabled.
|
||||
Restartable/interruptible ECDSA operations in PK, X.509 and TLS are not
|
||||
supported in those builds yet, as driver support for interruptible ECDSA
|
||||
operations is not present yet.
|
||||
|
|
@ -1,5 +0,0 @@
|
|||
Features
|
||||
* When a PSA driver for EC J-PAKE is present, it is now possible to disable
|
||||
MBEDTLS_ECJPAKE_C in the build in order to save code size. For the
|
||||
corresponding TLS 1.2 key exchange to work, MBEDTLS_USE_PSA_CRYPTO needs
|
||||
to be enabled.
|
||||
|
|
@ -1,3 +0,0 @@
|
|||
Features
|
||||
* Add a driver dispatch layer for EC J-PAKE, enabling alternative
|
||||
implementations of EC J-PAKE through the driver entry points.
|
||||
|
|
@ -1,3 +0,0 @@
|
|||
Bugfix
|
||||
* Silence warnings from clang -Wdocumentation about empty \retval
|
||||
descriptions, which started appearing with Clang 15. Fixes #6960.
|
||||
|
|
@ -1,4 +0,0 @@
|
|||
Features
|
||||
* It is now possible to use a PSA-held (opaque) password with the TLS 1.2
|
||||
ECJPAKE key exchange, using the new API function
|
||||
mbedtls_ssl_set_hs_ecjpake_password_opaque().
|
||||
|
|
@ -1,4 +0,0 @@
|
|||
Bugfix
|
||||
* Fix behavior of certain sample programs which could, when run with no
|
||||
arguments, access uninitialized memory in some cases. Fixes #6700 (which
|
||||
was found by TrustInSoft Analyzer during REDOCS'22) and #1120.
|
||||
|
|
@ -1,3 +0,0 @@
|
|||
Bugfix
|
||||
* Fix possible integer overflow in mbedtls_timing_hardclock(), which
|
||||
could cause a crash in programs/test/benchmark.
|
||||
|
|
@ -1,2 +0,0 @@
|
|||
Bugfix
|
||||
* Fix IAR compiler warnings. Fixes #6924.
|
||||
|
|
@ -1,4 +0,0 @@
|
|||
Bugfix
|
||||
* Allow setting user and peer identifiers for EC J-PAKE operation
|
||||
instead of role in PAKE PSA Crypto API as described in the specification.
|
||||
This is a partial fix that allows only "client" and "server" identifiers.
|
||||
|
|
@ -1,10 +0,0 @@
|
|||
Bugfix
|
||||
* Fix bug in conversion from OID to string in
|
||||
mbedtls_oid_get_numeric_string(). OIDs such as 2.40.0.25 are now printed
|
||||
correctly.
|
||||
* Reject OIDs with overlong-encoded subidentifiers when converting
|
||||
them to a string.
|
||||
* Reject OIDs with subidentifier values exceeding UINT_MAX. Such
|
||||
subidentifiers can be valid, but Mbed TLS cannot currently handle them.
|
||||
* Reject OIDs that have unterminated subidentifiers, or (equivalently)
|
||||
have the most-significant bit set in their last byte.
|
||||
|
|
@ -1,3 +0,0 @@
|
|||
Security
|
||||
* Fix a potential heap buffer overread in TLS 1.3 client-side when
|
||||
MBEDTLS_DEBUG_C is enabled. This may result in an application crash.
|
||||
|
|
@ -1,3 +0,0 @@
|
|||
Bugfix
|
||||
* Fix compile error where MBEDTLS_RSA_C and MBEDTLS_X509_CRT_WRITE_C are
|
||||
defined, but MBEDTLS_PK_RSA_ALT_SUPPORT is not defined. Fixes #3174.
|
||||
|
|
@ -1,4 +0,0 @@
|
|||
Bugfix
|
||||
* Fix a bug in the build where directory names containing spaces were
|
||||
causing generate_errors.pl to error out resulting in a build failure.
|
||||
Fixes issue #6879.
|
||||
|
|
@ -1,19 +0,0 @@
|
|||
Bugfix
|
||||
* mbedtls_x509write_crt_set_serial() now explicitly rejects serial numbers
|
||||
whose binary representation is longer than 20 bytes. This was already
|
||||
forbidden by the standard (RFC5280 - section 4.1.2.2) and now it's being
|
||||
enforced also at code level.
|
||||
|
||||
New deprecations
|
||||
* mbedtls_x509write_crt_set_serial() is now being deprecated in favor of
|
||||
mbedtls_x509write_crt_set_serial_raw(). The goal here is to remove any
|
||||
direct dependency of X509 on BIGNUM_C.
|
||||
|
||||
Changes
|
||||
* programs/x509/cert_write:
|
||||
- now it accepts the serial number in 2 different formats: decimal and
|
||||
hex. They cannot be used simultaneously
|
||||
- "serial" is used for the decimal format and it's limted in size to
|
||||
unsigned long long int
|
||||
- "serial_hex" is used for the hex format; max length here is
|
||||
MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN*2
|
||||
|
|
@ -1,4 +0,0 @@
|
|||
Features
|
||||
* SHA224_C/SHA384_C are now independent from SHA384_C/SHA512_C respectively.
|
||||
This helps in saving code size when some of the above hashes are not
|
||||
required.
|
||||
|
|
@ -1,6 +0,0 @@
|
|||
Features
|
||||
* Add support for reading points in compressed format
|
||||
(MBEDTLS_ECP_PF_COMPRESSED) with mbedtls_ecp_point_read_binary()
|
||||
(and callers) for Short Weierstrass curves with prime p where p = 3 mod 4
|
||||
(all mbedtls MBEDTLS_ECP_DP_SECP* and MBEDTLS_ECP_DP_BP* curves
|
||||
except MBEDTLS_ECP_DP_SECP224R1 and MBEDTLS_ECP_DP_SECP224K1)
|
||||
|
|
@ -1,3 +0,0 @@
|
|||
Bugfix
|
||||
* Fix undefined behavior in mbedtls_ssl_read() and mbedtls_ssl_write() if
|
||||
len argument is 0 and buffer is NULL.
|
||||
|
|
@ -1,7 +0,0 @@
|
|||
Changes
|
||||
* Changed the default MBEDTLS_ECP_WINDOW_SIZE from 6 to 2.
|
||||
As tested in issue 6790, the correlation between this define and
|
||||
RSA decryption performance has changed lately due to security fixes.
|
||||
To fix the performance degradation when using default values the
|
||||
window was reduced from 6 to 2, a value that gives the best or close
|
||||
to best results when tested on Cortex-M4 and Intel i7.
|
||||
|
|
@ -1,5 +0,0 @@
|
|||
Changes
|
||||
* When MBEDTLS_USE_PSA_CRYPTO and MBEDTLS_ECDSA_DETERMINISTIC are both
|
||||
defined, mbedtls_pk_sign() now use deterministic ECDSA for ECDSA
|
||||
signatures. This aligns the behaviour with MBEDTLS_USE_PSA_CRYPTO to
|
||||
the behaviour without it, where deterministic ECDSA was already used.
|
||||
|
|
@ -1,4 +0,0 @@
|
|||
Bugfix
|
||||
* Make the fields of mbedtls_pk_rsassa_pss_options public. This makes it
|
||||
possible to verify RSA PSS signatures with the pk module, which was
|
||||
inadvertently broken since Mbed TLS 3.0.
|
||||
|
|
@ -1,15 +0,0 @@
|
|||
Features
|
||||
* Added partial support for parsing the PKCS #7 Cryptographic Message
|
||||
Syntax, as defined in RFC 2315. Currently, support is limited to the
|
||||
following:
|
||||
- Only the signed-data content type, version 1 is supported.
|
||||
- Only DER encoding is supported.
|
||||
- Only a single digest algorithm per message is supported.
|
||||
- Certificates must be in X.509 format. A message must have either 0
|
||||
or 1 certificates.
|
||||
- There is no support for certificate revocation lists.
|
||||
- The authenticated and unauthenticated attribute fields of SignerInfo
|
||||
must be empty.
|
||||
Many thanks to Daniel Axtens, Nayna Jain, and Nick Child from IBM for
|
||||
contributing this feature, and to Demi-Marie Obenour for contributing
|
||||
various improvements, tests and bug fixes.
|
||||
|
|
@ -1,3 +0,0 @@
|
|||
Security
|
||||
* Use platform-provided secure zeroization function where possible, such as
|
||||
explicit_bzero().
|
||||
|
|
@ -1,4 +0,0 @@
|
|||
Features
|
||||
* The configuration macros MBEDTLS_PSA_CRYPTO_PLATFORM_FILE and
|
||||
MBEDTLS_PSA_CRYPTO_STRUCT_FILE specify alternative locations for
|
||||
the headers "psa/crypto_platform.h" and "psa/crypto_struct.h".
|
||||
|
|
@ -1,6 +0,0 @@
|
|||
New deprecations
|
||||
* PSA to mbedtls error translation is now unified in psa_util.h,
|
||||
deprecating mbedtls_md_error_from_psa. Each file that performs error
|
||||
translation should define its own version of PSA_TO_MBEDTLS_ERR,
|
||||
optionally providing file-specific error pairs. Please see psa_util.h for
|
||||
more details.
|
||||
|
|
@ -1,4 +0,0 @@
|
|||
Bugfix
|
||||
* The key derivation algorithm PSA_ALG_TLS12_ECJPAKE_TO_PMS cannot be
|
||||
used on a shared secret from a key agreement since its input must be
|
||||
an ECC public key. Reject this properly.
|
||||
|
|
@ -1,12 +0,0 @@
|
|||
Bugfix
|
||||
* Fix an issue when compiling with MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT
|
||||
enabled, which required specifying compiler flags enabling SHA3 Crypto
|
||||
Extensions, where some compilers would emit EOR3 instructions in other
|
||||
modules, which would then fail if run on a CPU without the SHA3
|
||||
extensions. Fixes #5758.
|
||||
|
||||
Changes
|
||||
* When enabling MBEDTLS_SHA256_USE_A64_CRYPTO_* or
|
||||
MBEDTLS_SHA512_USE_A64_CRYPTO_*, it is no longer necessary to specify
|
||||
compiler target flags on the command line; the library now sets target
|
||||
options within the appropriate modules.
|
||||
|
|
@ -1,4 +0,0 @@
|
|||
Features
|
||||
* Add functions mbedtls_rsa_get_padding_mode() and mbedtls_rsa_get_md_alg()
|
||||
to read non-public fields for padding mode and hash id from
|
||||
an mbedtls_rsa_context, as requested in #6917.
|
||||
|
|
@ -1,2 +0,0 @@
|
|||
Features
|
||||
* Add support to include the SubjectAltName extension to a CSR.
|
||||
|
|
@ -1,3 +0,0 @@
|
|||
Features
|
||||
* Add parsing of rfc822Name subtype for subjectAltName
|
||||
extension in x509 certificates.
|
||||
|
|
@ -1,5 +0,0 @@
|
|||
Bugfix
|
||||
* Fix the handling of renegotiation attempts in TLS 1.3. They are now
|
||||
systematically rejected.
|
||||
* Fix an unused-variable warning in TLS 1.3-only builds if
|
||||
MBEDTLS_SSL_RENEGOTIATION was enabled. Fixes #6200.
|
||||
|
|
@ -1,12 +0,0 @@
|
|||
Default behavior changes
|
||||
* The default priority order of TLS 1.3 cipher suites has been modified to
|
||||
follow the same rules as the TLS 1.2 cipher suites (see
|
||||
ssl_ciphersuites.c). The preferred cipher suite is now
|
||||
TLS_CHACHA20_POLY1305_SHA256.
|
||||
|
||||
Bugfix
|
||||
* In the TLS 1.3 server, select the preferred client cipher suite, not the
|
||||
least preferred. The selection error was introduced in Mbed TLS 3.3.0.
|
||||
* Fix TLS 1.3 session resumption when the established pre-shared key is
|
||||
384 bits long. That is the length of pre-shared keys created under a
|
||||
session where the cipher suite is TLS_AES_256_GCM_SHA384.
|
||||
|
|
@ -1,4 +0,0 @@
|
|||
Changes
|
||||
* Visual Studio: Rename the directory containing Visual Studio files from
|
||||
visualc/VS2010 to visualc/VS2013 as we do not support building with versions
|
||||
older than 2013. Update the solution file to specify VS2013 as a minimum.
|
||||
|
|
@ -1,7 +0,0 @@
|
|||
Bugfix
|
||||
* In TLS 1.3, when using a ticket for session resumption, tweak its age
|
||||
calculation on the client side. It prevents a server with more accurate
|
||||
ticket timestamps (typically timestamps in milliseconds) compared to the
|
||||
Mbed TLS ticket timestamps (in seconds) to compute a ticket age smaller
|
||||
than the age computed and transmitted by the client and thus potentially
|
||||
reject the ticket. Fix #6623.
|
||||
|
|
@ -1,5 +0,0 @@
|
|||
Bugfix
|
||||
* Fix parsing of X.509 SubjectAlternativeName extension. Previously,
|
||||
malformed alternative name components were not caught during initial
|
||||
certificate parsing, but only on subsequent calls to
|
||||
mbedtls_x509_parse_subject_alt_name(). Fixes #2838.
|
||||
Loading…
Reference in a new issue