Lines Matching refs:is

11    * When MBEDTLS_PSA_CRYPTO_CONFIG is enabled, you may list the PSA crypto
22 MBEDTLS_USE_PSA_CRYPTO is enabled, an opaque key (created with
23 mbedtls_pk_setup_opaque()) is provisioned, and a static ECDH ciphersuite
24 is selected. This may result in an application crash or potentially an
30 when MBEDTLS_SSL_IN_CONTENT_LEN is less than a threshold that depends on
36 * Fix a memory leak if mbedtls_ssl_config_defaults() is called twice.
38 in reduced configurations when MBEDTLS_USE_PSA_CRYPTO is enabled.
49 * Fix compile errors when MBEDTLS_HAVE_TIME is not defined. Add tests
66 required but discarded. Now, an IV is rejected, as it should be.
67 * Fix undefined behavior in mbedtls_asn1_find_named_data(), where val is
68 not NULL and val_len is zero.
106 not supported. Two's complement is the only supported representation.
112 with SHA-1 certificates. SHA-1 is considered a weak message digest and
120 * Warn if errors from certain functions are ignored. This is currently
124 value is almost always a bug. Enable the new configuration option
126 is currently implemented in the AES, DES and md modules, and will be
141 oracle vulnerability if the output buffer is in memory that is shared with
164 * Fix mbedtls_cipher_crypt: AES-ECB when MBEDTLS_USE_PSA_CRYPTO is enabled.
175 MBEDTLS_ERROR_STRERROR_DUMMY is enabled.
180 * The existing predicate macro name PSA_ALG_IS_HASH_AND_SIGN is now reserved
192 * Fix the build when no SHA2 module is included. Fixes #4930.
193 * Fix the build when only the bignum module is included. Fixes #4929.
195 pkcs12 functions when the password is empty. Fix the documentation to
206 * Improve the performance of base64 constant-flow code. The result is still
210 ChaCha20-Poly1305 is invalid, and not just unsupported.
215 most of the interface of this module is private and may change at any
255 * MBEDTLS_ECP_MAX_BITS is now determined automatically from the configured
263 An adversary who is capable of very precise timing measurements could
268 * It was possible to configure MBEDTLS_ECP_MAX_BITS to a value that is
286 lead to seed file corruption in the case where the path to the seed file is
294 to create is not valid, bringing them in line with version 1.0.0 of the
302 * Fix a bug in ECDSA that would cause it to fail when the hash is all-bits
304 * Fix a compilation error when MBEDTLS_ECP_RANDOMIZE_MXZ_ALT is
311 defined to specific values. If the code is used in a context
318 * Do not offer SHA384 cipher suites when SHA-384 is disabled. Fixes #4499.
322 * Fix test suite code on platforms where int32_t is not int, such as
330 is not defined PSA will no longer attempt to use mbedtls_rsa_gen_key().
333 (when the encrypt-then-MAC extension is not in use) with some ALT
350 implementations. This reliance is now removed. Fixes #3990.
360 * Fix mbedtls_mpi_gcd(G,A,B) when the value of B is zero. This had no
367 * When MBEDTLS_PSA_CRYPTO_SPM is enabled, crypto_spe.h was not included
368 in all the right places. Include it from crypto_platform.h, which is
374 * Fix which alert is sent in some cases to conform to the
395 python2, which is no longer supported upstream.
400 * Fix build failure on MinGW toolchain when __USE_MING_ANSI_STDIO is on.
401 When that flag is on, standard GNU C printf format specifiers
407 when their input has length 0. Note that this is an implementation detail
414 PSA_KEY_USAGE_SIGN_HASH flag is set and PSA_KEY_USAGE_VERIFY_MESSAGE flag
415 when PSA_KEY_USAGE_VERIFY_HASH flag is set. This usage flag extension
416 is also applied when loading a key from storage.
431 as always 0. It is now reserved for internal purposes and may take
444 CTR_DRBG is used by default if it is available, but you can override
478 |A| - |B| where |B| is larger than |A| and has more limbs (so the
481 all calls inside the library were safe since this function is
484 mbedtls_pk_write_key_pem(). If MBEDTLS_MPI_MAX_SIZE is set to an odd
489 mbedtls_net_recv_timeout() when given a file descriptor that is
501 is enabled, on platforms where initializing a mutex allocates resources.
505 twice is safe. This happens for RSA when some Mbed TLS library functions
507 enabled on platforms where freeing a mutex twice is not safe.
509 when MBEDTLS_THREADING_C is enabled on platforms where initializing
525 implementation is not included into the library.
535 The underlying stream cipher is determined by the key type
539 as they have no way to check if the output buffer is large enough.
566 This is currently non-standard behaviour, but expected to make it into a
568 * Add MBEDTLS_TARGET_PREFIX CMake variable, which is prefixed to the mbedtls,
571 clashes. The default value of this variable is "", so default target names
575 * In the PSA API, it is no longer necessary to open persistent keys:
576 operations now accept the key identifier. The type psa_key_handle_t is now
579 version 1.0.0. Opening persistent keys is still supported for backward
597 which is how most uses of randomization in asymmetric cryptography
622 * Fix build failure in configurations where MBEDTLS_USE_PSA_CRYPTO is
623 enabled but ECDSA is disabled. Contributed by jdurkop. Fixes #3294.
626 * Fix rsa_prepare_blinding() to retry when the blinding value is not
628 addresses a regression but is rare in practice (approx. 1 in 2/sqrt(N)).
632 * Fix the build when the macro _GNU_SOURCE is defined to a non-empty value.
647 chars. Fixes a build failure on platforms where char is unsigned. Fixes
654 * Make arc4random_buf available on NetBSD and OpenBSD when _POSIX_C_SOURCE is
685 * The PSA persistent storage format is updated to always store the key bits
686 attribute. No automatic upgrade path is provided. Previously stored keys
714 a byte buffer. It is the inverse of the existing mbedtls_ecp_read_key().
724 subjectAltName extension is present, the expected name was compared to any
743 to extract and check the MAC. This is an improvement to the existing
767 redefinition if the function is inlined.
777 curve is secp192k1. Fixes #2017.
784 * Fix bug in redirection of unit test outputs on platforms where stdout is
793 * Undefine the ASSERT macro before defining it locally, in case it is defined
796 the copyright of contributors other than Arm is now acknowledged, and the
815 instead of the keys' lifetime. If the library is upgraded on an existing
865 pathLenConstraint basic constraint value is equal to INT_MAX.
866 The actual effect with almost every compiler is the intended
867 behavior, so this is unlikely to be exploitable anywhere. #3192
870 * Avoid NULL pointer dereferencing if mbedtls_ssl_free() is called with a
897 * Fix warnings about signedness issues in format strings. The build is now
916 buffer is not large enough to hold the ClientHello.
939 fragment length is desired.
947 (which it is by default).
970 * Mbed Crypto is no longer a Git submodule. The crypto part of the library
971 is back directly in the present repository.
975 buffer is allocated by the server (if MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH
976 is defined), regardless of what MFL was configured for it.
991 probability (of the order of 2^-n where n is the bitsize of the curve)
992 unless the RNG is broken, and could result in information disclosure or
1009 existing code is that elliptic curve key types no longer encode the
1012 PSA_ECC_CURVE_SECP_R1 with 256 bits is P256R1). ARMmbed/mbed-crypto#330
1032 entropy function to obtain entropy for a nonce if the entropy size is less
1041 entropy module formerly only grabbed 32 bytes, which is good enough for
1042 security if the source is genuinely strong, but less than the expected 64
1052 * Fix side channel vulnerability in ECDSA. Our bignum implementation is not
1054 blinded value, factor it (as it is smaller than RSA keys and not guaranteed
1070 initial seeding. The default nonce length is chosen based on the key size
1078 key derivation function, use a buffer instead (this is now always
1108 no known instances where this changes the behavior of the library: this is
1127 mbedtls_ssl_export_keys_ext_t, so that the key exporter is discouraged
1157 an incoming record is valid, authentic and has not been seen before. This
1159 The feature is enabled at compile-time by MBEDTLS_SSL_RECORD_CHECKING
1163 with MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED. This implementation is formally
1164 verified and significantly faster, but is only supported on x86 platforms
1178 list all curves for which at least one of ECDH or ECDSA is supported, not
1180 mbedtls_ecdh_can_do() on each result to check whether each algorithm is
1182 * The new function mbedtls_ecdsa_sign_det_ext() is similar to
1190 is now deprecated.
1264 * It is now possible to use NIST key wrap mode via the mbedtls_cipher API.
1268 * It is now possible to perform RSA PKCS v1.5 signatures with RIPEMD-160 digest.
1277 RFC 5280 section 4.2.1.4. Currently, only the "Any Policy" policy is
1287 changed its IP or port. The feature is enabled at compile-time by setting
1327 This certificate is used in the demo server programs, which lead the
1330 updated to one that is SHA-256 signed. Fix contributed by
1333 provided SSL context is unset.
1375 when MBEDTLS_ECP_ALT is defined. Reported by jwhui. Fixes #2242.
1376 * Run the AD too long test only if MBEDTLS_CCM_ALT is not defined.
1433 function to see for which parameter values it is defined. This feature is
1455 changed so that the same level of validation is present in all modules, and
1456 that it is now optional with the MBEDTLS_CHECK_PARAMS flag which by default
1457 is off. That means that checks which were previously present by default
1510 (University of Adelaide, Data61). The attack is described in more detail
1557 some configurable amount of operations. This is intended to be used in
1558 constrained, single-threaded systems where ECC is time consuming and can
1559 block other operations until they complete. This is disabled by default,
1580 a feature that is not supported by underlying alternative
1581 implementations implementing cryptographic primitives. This is useful for
1586 MBEDTLS_ERR_XXX_FEATURE_UNAVAILABLE that indicate a feature is not
1604 MBEDTLS_THREADING_C is defined. Found by TrinityTonic, #1095
1610 * Ignore IV in mbedtls_cipher_set_iv() when the cipher mode is
1635 calls, rather than Win32 API calls directly. This is necessary to avoid
1658 MBEDTLS_PLATFORM_GMTIME_R_ALT. At this stage Mbed TLS is only able to
1662 * Fix build failures on platforms where only gmtime() is available but
1671 beyond the input buffer is made. Found and analyzed by Nathan Crandall.
1675 is controlled by the maximum fragment length as set locally or negotiated
1699 * Add ecc extensions only if an ecc based ciphersuite is used.
1777 is no functional difference. Contributed by Angus Gratton, and also
1795 * Fix compilation error when MBEDTLS_ARC4_C is disabled and
1796 MBEDTLS_CIPHER_NULL_CIPHER is enabled. Found by TrinityTonic in #1719.
1807 CBC based ciphersuite is used together with Encrypt-then-MAC. Previously,
1813 when the request_size argument is set to 0 as stated in the documentation.
1816 deep copy of the session, and the peer certificate is not lost. Fixes #926.
1870 mbedtls_platform_zeroize(), which is a critical function from a security
1874 Therefore, mbedtls_platform_zeroize() is moved to the platform module to
1899 where an optional signature algorithms list is expected when the signature
1900 algorithms section is too short. In builds with debug output, the overread
1901 data is output with the debug data.
1922 a check for whether more data is pending to be processed in the
1924 This function is necessary to determine when it is safe to idle on the
1925 underlying transport in case event-driven IO is used.
1967 * Support cmake builds where Mbed TLS is a subproject. Fix contributed
1973 configurations where the feature is disabled. Found and fixed by Gergely
1980 MBEDTLS_ASN1_PARSE_C is not enabled. This allows the use of PBKDF2
2005 of the corresponding module is activated by defining the corresponding
2059 is not enabled. Set MBEDTLS_SSL_MIN_MAJOR_VERSION
2062 * Fix compilation error on Mingw32 when _TRUNCATE is defined. Use _TRUNCATE
2096 extension. When the truncated HMAC extension is enabled and CBC is used,
2105 * Fix buffer overflow in RSA-PSS verification when the unmasked data is all
2110 default enabled) maximum fragment length extension is disabled in the
2112 is larger than the internal message buffer (16384 bytes by default), the
2187 * Direct manipulation of structure fields of RSA contexts is deprecated.
2191 mbedtls_<MODULE>_finish and mbedtls_<MODULE>_process where <MODULE> is
2239 MBEDTLS_SSL_RENEGOTIATION is disabled. Found by erja-gp.
2261 Note, this padding mode is not used by the TLS protocol. Found and fixed by
2266 mbedtls_sha512_init() is called before operating on the relevant context
2267 structure. Do not assume that zeroizing a context is a correct way to
2281 * Only run AES-192 self-test if AES-192 is available. Fixes #963.
2298 * Fix authentication bypass in SSL/TLS: when authmode is set to optional,
2326 * With authmode set to optional, the TLS handshake is now aborted if the
2331 * Add a check if iv_len is zero in GCM, and return an error if it is zero.
2360 64-bit division. This is useful on embedded platforms where 64-bit division
2407 * Fix incorrect sign computation in modular exponentiation when the base is
2439 behaviour has not changed, namely every configured CAs name is included.
2497 renegotiation routines at unexpected times when the protocol is DTLS. Found
2522 number to write in hexadecimal is negative and requires an odd number of
2543 mbedtls_x509write_csr_der() when the signature is copied to the buffer
2544 without checking whether there is enough space in the destination. The
2551 is functioning correctly.
2553 scripts, which is also now called by all.sh.
2569 when GCM is used. Found by udf2457. #441
2581 builds where the configuration MBEDTLS_PEM_WRITE_C is not defined. Found
2610 net.c. For consistency, the corresponding header file, net.h, is marked as
2624 mbedtls_rsa_rsaes_oaep_decrypt. It is not triggerable remotely in
2685 datagram if a single record in a datagram is unexpected, instead only
2692 * Fix potential double free if mbedtls_ssl_conf_psk() is called more than
2696 mbedtls_x509_crt_parse_path() is passed a path longer than 2GB. Cannot be
2716 * Fix build error with configurations where ECDHE-PSK is the only key
2734 * Improved performance of mbedtls_ecp_muladd() when one of the scalars is 1
2743 * Fix potential double-free if mbedtls_ssl_set_hs_psk() is called more than
2748 mbedtls_pk_parse_key(file)() when the password is > 129 bytes.
2760 buffer is 512MB or larger on 32-bit platforms. Found by Guido Vranken,
2762 * Fix potential double-free if mbedtls_conf_psk() is called repeatedly on
2801 connection, if cookie verification is available
2805 MBEDTLS_ERR_SSL_CLIENT_RECONNECT - it is then possible to start a new
2848 * It is now possible to #include a user-provided configuration file at the
2851 * When verifying a certificate chain, if an intermediate certificate is
2852 trusted, no later cert is checked. (suggested by hannes-landeholm)
2940 * test_ca_list (from certs.h) is renamed to test_cas_pem and is only
2941 available if POLARSSL_PEM_PARSE_C is defined (it never worked without).
2948 * calloc() is now used instead of malloc() everywhere. API of platform
2957 Their 'port' argument type is changed to a string.
2975 been removed (compiler is required to support 32-bit operations).
2982 * md_init_ctx() is deprecated in favour of md_setup(), that adds a third
2983 argument (allowing memory savings if HMAC is not used)
2997 * The default minimum TLS version is now TLS 1.0.
2998 * RC4 is now blacklisted by default in the SSL/TLS layer, and excluded from the
3000 * Support for receiving SSLv2 ClientHello is now disabled by default at
3002 * The default authmode for SSL/TLS clients is now REQUIRED.
3003 * Support for RSA_ALT contexts in the PK layer is now optional. Since it is
3004 enabled in the default configuration, this is only noticeable if using a
3007 * A minimum RSA key size of 2048 bits is now enforced during certificate
3009 * Negotiation of truncated HMAC is now disabled by default on server too.
3018 * The minimum MSVC version required is now 2010 (better C99 support).
3020 * Compiler is required to support C99 types such as long long and uint32_t.
3033 * With UDP sockets, it is no longer necessary to call net_bind() again
3038 thread-safe if MBEDTLS_THREADING_C is enabled.
3079 * Fix bug in entropy.c when THREADING_C is also enabled that caused
3083 * Fix bug in ssl_mail_client when password is longer than username (found
3087 * mpi_size() and mpi_msb() would segfault when called on an mpi that is
3093 ssl_write() is called before the handshake is finished (introduced in
3119 * Enabling POLARSSL_NET_C without POLARSSL_HAVE_IPV6 is deprecated.
3121 * Adjusting/overriding CFLAGS and LDFLAGS with the make build system is now
3122 more flexible (warning: OFLAGS is not used any more) (see the README)
3129 "minimize" others (eg use stddef.h if only size_t is needed).
3136 * NULL pointer dereference in the buffer-based allocator when the buffer is
3137 full and polarssl_free() is called (found by Mark Hasemeyer)
3138 (only possible if POLARSSL_MEMORY_BUFFER_ALLOC_C is enabled, which it is
3141 crafted X.509 certificate (TLS server is not affected if it doesn't ask for a
3144 (TLS server is not affected if it doesn't ask for a client certificate)
3147 (TLS server is not affected if it doesn't ask for a client certificate)
3173 * Stack buffer overflow if ctr_drbg_update() is called with too large
3181 * Fix potential failure in ECDSA signatures when POLARSSL_ECP_MAX_BITS is a
3198 * Blind RSA private operations even when POLARSSL_RSA_NO_CRT is defined.
3202 * A specific error is now returned when there are ciphersuites in common
3203 but none of them is usable due to external factors such as no certificate
3205 * It is now possible to disable negotiation of truncated HMAC server-side
3216 (server is not affected if it doesn't ask for a client certificate)
3244 * Ciphersuites using SHA-256 or SHA-384 now require TLS 1.x (there is no
3246 * Ciphersuites using RSA-PSK key exchange now require TLS 1.x (the spec is
3249 RSA is disabled, larger if POLARSSL_MPI_MAX_SIZE is larger.
3277 ciphersuites to use and save some memory if the list is small.
3280 * Add LINK_WITH_PTHREAD option in CMake for explicit linking that is
3292 * Enforce alignment in the buffer allocator even if buffer is not aligned
3310 * Restore ability to locally trust a self-signed cert that is not a proper
3374 * pk_verify() now returns a specific error code when the signature is valid
3385 it is not affected (ie, its notAfter date is properly checked).
3399 * Fix compile errors when POLARSSL_ERROR_STRERROR_BC is undefined (found by
3438 "triple handshake" attack when authentication mode is 'optional' (the
3439 attack was already impossible when authentication is required).
3514 * Fixed bug in mpi_set_bit() on platforms where t_uint is wider than int
3564 * config.h is more script-friendly
3608 * Introduced separate SSL Ciphersuites module that is based on
3610 * Internals for SSL module adapted to have separate IV pointer that is
3645 client to crash the server remotely if client authentication is enabled
3664 crafted X.509 certificate (TLS server is not affected if it doesn't ask
3667 (TLS server is not affected if it doesn't ask for a client certificate)
3670 (TLS server is not affected if it doesn't ask for a client certificate)
3673 (TLS server is not affected if it doesn't ask for a client certificate).
3678 * Stack buffer overflow if ctr_drbg_update() is called with too large
3695 * Blind RSA private operations even when POLARSSL_RSA_NO_CRT is defined.
3703 (server is not affected if it doesn't ask for a client certificate).
3743 "triple handshake" attack when authentication mode is optional (the
3744 attack was already impossible when authentication is required).
3847 * x509parse_crtpath() is now reentrant and uses more portable stat()
3861 * Default Blowfish keysize is now 128-bits
3884 POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO is set
3928 * During verify trust-CA is only checked for expiration and CRL presence
3936 * Depth that the certificate verify callback receives is now numbered
3937 bottom-up (Peer cert depth is 0)
3985 to not match CN if subjectAltName extension is present (Closes ticket #56)
3986 * Cipher layer cipher_mode_t POLARSSL_MODE_CFB128 is renamed to
4135 So now there is a module that is controlled with POLARSSL_ASN1_PARSE_C.
4163 * If certificate serial is longer than 32 octets, serial number is now
4204 is now done with a PLUS instead of an OR as error codes
4210 ssl_read() returns 0 if a POLARSSL_ERR_SSL_CONN_EOF is received
4298 with the generic cipher layer and is better naming
4341 * X509 signature algorithm determination is now
4379 this in mind when checking for errors.
4470 output data is non-aligned by falling back to the software
4480 string is passed as the CN (bug reported by spoofy)
4496 * Updated rsa_gen_key() so that ctx->N is always nbits in size
4585 the bignum code is no longer dependent on long long