Merge branch 'mbedtls_ssl_get_key_exchange_md_ssl_tls-return_hashlen' into tls_async_server-2.9

Conflict resolution:
* ChangeLog: put the new entry from my branch in the proper place.
* include/mbedtls/error.h: counted high-level module error codes again.
* include/mbedtls/ssl.h: picked different numeric codes for the
  concurrently added errors; made the new error a full sentence per
  current standards.
* library/error.c: ran scripts/generate_errors.pl.
* library/ssl_srv.c:
    * ssl_prepare_server_key_exchange "DHE key exchanges": the conflict
      was due to style corrections in development
      (4cb1f4d49cff999d0c853bc696ad7eea68888c35) which I merged with
      my refactoring.
    * ssl_prepare_server_key_exchange "For key exchanges involving the
      server signing", first case, variable declarations: merged line
      by line:
        * dig_signed_len: added in async
        * signature_len: removed in async
        * hashlen: type changed to size_t in development
        * hash: size changed to MBEDTLS_MD_MAX_SIZE in async
        * ret: added in async
    * ssl_prepare_server_key_exchange "For key exchanges involving the
      server signing", first case comment: the conflict was due to style
      corrections in development (4cb1f4d49cff999d0c853bc696ad7eea68888c35)
      which I merged with my comment changes made as part of refactoring
      the function.
    * ssl_prepare_server_key_exchange "Compute the hash to be signed" if
      `md_alg != MBEDTLS_MD_NONE`: conflict between
      ebd652fe2dfc2c82d774bfd334398279d9027492
      "ssl_write_server_key_exchange: calculate hashlen explicitly" and
      46f5a3e9b4d5db3cacfe2ba33480a27317c62d46 "Check return codes from
      MD in ssl code". I took the code from commit
      ca1d74290439ec9e2723a911657fd96aa320e219 made on top of development
      which makes mbedtls_ssl_get_key_exchange_md_ssl_tls return the
      hash length.
* programs/ssl/ssl_server2.c: multiple conflicts between the introduction
  of MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS and new auxiliary functions and
  definitions for async support, and the introduction of idle().
    * definitions before main: concurrent additions, kept both.
    * main, just after `handshake:`: in the loop around
      mbedtls_ssl_handshake(), merge the addition of support for
      MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS and SSL_ASYNC_INJECT_ERROR_CANCEL
      with the addition of the idle() call.
    * main, if `opt.transport == MBEDTLS_SSL_TRANSPORT_STREAM`: take the
      code from development and add a check for
      MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS.
    * main, loop around mbedtls_ssl_read() in the datagram case:
      take the code from development and add a check for
      MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS; revert to a do...while loop.
    * main, loop around mbedtls_ssl_write() in the datagram case:
      take the code from development and add a check for
      MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS; revert to a do...while loop.

diff --git a/ChangeLog b/ChangeLog
index 888ee2e..8155182 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -3,14 +3,229 @@
= mbed TLS x.x.x branch released xxxx-xx-xx
Security
- * Fix a potential heap buffer overflow in mbedtls_ssl_write. When the (by
+ * Fix a bug in the X.509 module potentially leading to a buffer overread
+ during CRT verification or to invalid or omitted checks for certificate
+ validity. The former can be triggered remotely, while the latter requires
+ a non DER-compliant certificate correctly signed by a trusted CA, or a
+ trusted CA with a non DER-compliant certificate. Found by luocm on GitHub.
+ Fixes #825.
+
+Features
+ * Add option MBEDTLS_AES_FEWER_TABLES to dynamically compute 3/4 of the AES tables
+ during runtime, thereby reducing the RAM/ROM footprint by ~6kb. Suggested
+ and contributed by jkivilin in #394.
+ * Add initial support for Curve448 (RFC 7748). Only mbedtls_ecp_mul() and
+ ECDH primitive functions (mbedtls_ecdh_gen_public(),
+ mbedtls_ecdh_compute_shared()) are supported for now. Contributed by
+ Nicholas Wilson (#348).
+ * In TLS servers, support offloading private key operations to an external
+ cryptoprocessor. Private key operations can be asynchronous to allow
+ non-blocking operation of the TLS server stack.
+
+API Changes
+ * Add function mbedtls_net_poll to public API allowing to wait for a
+ network context to become ready for reading or writing.
+ * Add function mbedtls_ssl_check_pending to public API allowing to check
+ if more data is pending to be processed in the internal message buffers.
+ This function is necessary to determine when it is safe to idle on the
+ underlying transport in case event-driven IO is used.
+
+Bugfix
+ * Fix spurious uninitialized variable warning in cmac.c. Fix independently
+ contributed by Brian J Murray and David Brown.
+ * Add missing dependencies in test suites that led to build failures
+ in configurations that omit certain hashes or public-key algorithms.
+ Fixes #1040.
+ * Fix C89 incompatibility in benchmark.c. Contributed by Brendan Shanks.
+ #1353
+ * Add missing dependencies for MBEDTLS_HAVE_TIME_DATE and
+ MBEDTLS_VERSION_FEATURES in test suites. Contributed by Deomid Ryabkov.
+ Fixes #1299, #1475.
+ * Fix dynamic library building process with Makefile on Mac OS X. Fixed by
+ mnacamura.
+ * Fix parsing of PKCS#8 encoded Elliptic Curve keys. Previously Mbed TLS was
+ unable to parse keys with only the optional parameters field of the
+ ECPrivateKey structure. Found by Jethro Beekman, fixed in #1379.
+ * Return plaintext data sooner on unpadded CBC decryption, as stated in
+ the mbedtls_cipher_update() documentation. Contributed by Andy Leiserson.
+ * Fix overriding and ignoring return values when parsing and writing to
+ a file in pk_sign program. Found by kevlut in #1142.
+ * Restrict usage of error code MBEDTLS_ERR_SSL_WANT_READ to situations
+ where data needs to be fetched from the underlying transport in order
+ to make progress. Previously, this error code was also occasionally
+ returned when unexpected messages were being discarded, ignoring that
+ further messages could potentially already be pending to be processed
+ in the internal buffers; these cases lead to deadlocks in case
+ event-driven I/O was used.
+ Found and reported by Hubert Mis in #772.
+
+Changes
+ * Remove some redundant code in bignum.c. Contributed by Alexey Skalozub.
+ * Support cmake build where Mbed TLS is a subproject. Fix
+ contributed independently by Matthieu Volat and Arne Schwabe.
+ * Improve testing in configurations that omit certain hashes or
+ public-key algorithms. Includes contributions by Gert van Dijk.
+ * Improve negative testing of X.509 parsing.
+ * Do not define global mutexes around readdir() and gmtime() in
+ configurations where the feature is disabled. Found and fixed by Gergely
+ Budai.
+ * Harden mbedtls_ssl_config_free() against misuse, so that it doesn't
+ leak memory in case the user doesn't use mbedtls_ssl_conf_psk() and
+ instead incorrectly manipulates conf->psk and/or conf->psk_identity
+ directly. Found and fix submitted by junyeonLEE in #1220.
+ * Provide an empty implementation of mbedtls_pkcs5_pbes2() when
+ MBEDTLS_ASN1_PARSE_C is not enabled. This allows the use of PBKDF2
+ without PBES2. Fixed by Marcos Del Sol Vives.
+ * Add the order of the base point as N in the mbedtls_ecp_group structure
+ for Curve25519 (other curves had it already). Contributed by Nicholas
+ Wilson #481
+ * Improve the documentation of mbedtls_net_accept(). Contributed by Ivan
+ Krylov.
+ * Improve the documentation of mbedtls_ssl_write(). Suggested by
+ Paul Sokolovsky in #1356.
+ * Add an option in the makefile to support ar utilities where the operation
+ letter must not be prefixed by '-', such as LLVM. Found and fixed by
+ Alex Hixon.
+ * Allow configuring the shared library extension by setting the DLEXT
+ environment variable when using the project makefiles.
+ * Optimize unnecessary zeroing in mbedtls_mpi_copy. Based on a contribution
+ by Alexey Skalozub in #405.
+ * In the SSL module, when f_send, f_recv or f_recv_timeout report
+ transmitting more than the required length, return an error. Raised by
+ Sam O'Connor in #1245.
+ * Improve robustness of mbedtls_ssl_derive_keys against the use of
+ HMAC functions with non-HMAC ciphersuites. Independently contributed
+ by Jiayuan Chen in #1377. Fixes #1437.
+ * Improve security of RSA key generation by including criteria from FIPS
+ 186-4. Contributed by Jethro Beekman. #1380
+
+= mbed TLS 2.8.0 branch released 2018-03-16
+
+Default behavior changes
+ * The truncated HMAC extension now conforms to RFC 6066. This means
+ that when both sides of a TLS connection negotiate the truncated
+ HMAC extension, Mbed TLS can now interoperate with other
+ compliant implementations, but this breaks interoperability with
+ prior versions of Mbed TLS. To restore the old behavior, enable
+ the (deprecated) option MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT in
+ config.h. Found by Andreas Walz (ivESK, Offenburg University of
+ Applied Sciences).
+
+Security
+ * Fix implementation of the truncated HMAC extension. The previous
+ implementation allowed an offline 2^80 brute force attack on the
+ HMAC key of a single, uninterrupted connection (with no
+ resumption of the session).
+ * Verify results of RSA private key operations to defend
+ against Bellcore glitch attack.
+ * Fix a buffer overread in ssl_parse_server_key_exchange() that could cause
+ a crash on invalid input.
+ * Fix a buffer overread in ssl_parse_server_psk_hint() that could cause a
+ crash on invalid input.
+ * Fix CRL parsing to reject CRLs containing unsupported critical
+ extensions. Found by Falko Strenzke and Evangelos Karatsiolis.
+
+Features
+ * Extend PKCS#8 interface by introducing support for the entire SHA
+ algorithms family when encrypting private keys using PKCS#5 v2.0.
+ This allows reading encrypted PEM files produced by software that
+ uses PBKDF2-SHA2, such as OpenSSL 1.1. Submitted by Antonio Quartulli,
+ OpenVPN Inc. Fixes #1339
+ * Add support for public keys encoded in PKCS#1 format. #1122
+
+New deprecations
+ * Deprecate support for record compression (configuration option
+ MBEDTLS_ZLIB_SUPPORT).
+
+Bugfix
+ * Fix the name of a DHE parameter that was accidentally changed in 2.7.0.
+ Fixes #1358.
+ * Fix test_suite_pk to work on 64-bit ILP32 systems. #849
+ * Fix mbedtls_x509_crt_profile_suiteb, which used to reject all certificates
+ with flag MBEDTLS_X509_BADCERT_BAD_PK even when the key type was correct.
+ In the context of SSL, this resulted in handshake failure. Reported by
+ daniel in the Mbed TLS forum. #1351
+ * Fix Windows x64 builds with the included mbedTLS.sln file. #1347
+ * Fix setting version TLSv1 as minimal version, even if TLS 1
+ is not enabled. Set MBEDTLS_SSL_MIN_MAJOR_VERSION
+ and MBEDTLS_SSL_MIN_MINOR_VERSION instead of
+ MBEDTLS_SSL_MAJOR_VERSION_3 and MBEDTLS_SSL_MINOR_VERSION_1. #664
+ * Fix compilation error on Mingw32 when _TRUNCATE is defined. Use _TRUNCATE
+ only if __MINGW32__ not defined. Fix suggested by Thomas Glanzmann and
+ Nick Wilson on issue #355
+ * In test_suite_pk, pass valid parameters when testing for hash length
+ overflow. #1179
+ * Fix memory allocation corner cases in memory_buffer_alloc.c module. Found
+ by Guido Vranken. #639
+ * Log correct number of ciphersuites used in Client Hello message. #918
+ * Fix X509 CRT parsing that would potentially accept an invalid tag when
+ parsing the subject alternative names.
+ * Fix a possible arithmetic overflow in ssl_parse_server_key_exchange()
+ that could cause a key exchange to fail on valid data.
+ * Fix a possible arithmetic overflow in ssl_parse_server_psk_hint() that
+ could cause a key exchange to fail on valid data.
+ * Don't define mbedtls_aes_decrypt and mbedtls_aes_encrypt under
+ MBEDTLS_DEPRECATED_REMOVED. #1388
+ * Fix a 1-byte heap buffer overflow (read-only) during private key parsing.
+ Found through fuzz testing.
+
+Changes
+ * Fix tag lengths and value ranges in the documentation of CCM encryption.
+ Contributed by Mathieu Briand.
+ * Fix typo in a comment ctr_drbg.c. Contributed by Paul Sokolovsky.
+ * Remove support for the library reference configuration for picocoin.
+ * MD functions deprecated in 2.7.0 are no longer inline, to provide
+ a migration path for those depending on the library's ABI.
+ * Clarify the documentation of mbedtls_ssl_setup.
+ * Use (void) when defining functions with no parameters. Contributed by
+ Joris Aerts. #678
+
+= mbed TLS 2.7.0 branch released 2018-02-03
+
+Security
+ * Fix a heap corruption issue in the implementation of the truncated HMAC
+ extension. When the truncated HMAC extension is enabled and CBC is used,
+ sending a malicious application packet could be used to selectively corrupt
+ 6 bytes on the peer's heap, which could potentially lead to crash or remote
+ code execution. The issue could be triggered remotely from either side in
+ both TLS and DTLS. CVE-2018-0488
+ * Fix a buffer overflow in RSA-PSS verification when the hash was too large
+ for the key size, which could potentially lead to crash or remote code
+ execution. Found by Seth Terashima, Qualcomm Product Security Initiative,
+ Qualcomm Technologies Inc. CVE-2018-0487
+ * Fix buffer overflow in RSA-PSS verification when the unmasked data is all
+ zeros.
+ * Fix an unsafe bounds check in ssl_parse_client_psk_identity() when adding
+ 64 KiB to the address of the SSL buffer and causing a wrap around.
+ * Fix a potential heap buffer overflow in mbedtls_ssl_write(). When the (by
default enabled) maximum fragment length extension is disabled in the
config and the application data buffer passed to mbedtls_ssl_write
is larger than the internal message buffer (16384 bytes by default), the
latter overflows. The exploitability of this issue depends on whether the
application layer can be forced into sending such large packets. The issue
was independently reported by Tim Nordell via e-mail and by Florin Petriuc
- and sjorsdewit on GitHub. Fix proposed by Florin Petriuc in #1022. Fixes #707.
+ and sjorsdewit on GitHub. Fix proposed by Florin Petriuc in #1022.
+ Fixes #707.
+ * Add a provision to prevent compiler optimizations breaking the time
+ constancy of mbedtls_ssl_safer_memcmp().
+ * Ensure that buffers are cleared after use if they contain sensitive data.
+ Changes were introduced in multiple places in the library.
+ * Set PEM buffer to zero before freeing it, to avoid decoded private keys
+ being leaked to memory after release.
+ * Fix dhm_check_range() failing to detect trivial subgroups and potentially
+ leaking 1 bit of the private key. Reported by prashantkspatil.
+ * Make mbedtls_mpi_read_binary() constant-time with respect to the input
+ data. Previously, trailing zero bytes were detected and omitted for the
+ sake of saving memory, but potentially leading to slight timing
+ differences. Reported by Marco Macchetti, Kudelski Group.
+ * Wipe stack buffer temporarily holding EC private exponent
+ after keypair generation.
+ * Fix a potential heap buffer over-read in ALPN extension parsing
+ (server-side). Could result in application crash, but only if an ALPN
+ name larger than 16 bytes had been configured on the server.
+ * Change default choice of DHE parameters from untrustworthy RFC 5114
+ to RFC 3526 containing parameters generated in a nothing-up-my-sleeve
+ manner.
Features
* Allow comments in test data files.
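Review bot: The new Features entry on offloading private key operations (unreleased section, right after the Curve448 entry) does not mention MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS, and the API Changes list directly below it names only mbedtls_net_poll and mbedtls_ssl_check_pending. The merge message describes ssl_server2.c gaining checks for that code in the loops around mbedtls_ssl_handshake(), mbedtls_ssl_read() and mbedtls_ssl_write(), so applications that enable the feature need to know about it; suggest one more line in the entry or under API Changes naming the error code and stating that callers must retry on it. Minor style point in the same section: the MBEDTLS_AES_FEWER_TABLES line runs past the wrap width used by every other entry, and the trailing issue references are punctuated inconsistently ("#1353", "Wilson #481", "#1380" versus "Fixes #1040.").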
@@ -19,16 +234,62 @@
* New unit tests for timing. Improve the self-test to be more robust
when run on a heavily-loaded machine.
* Add alternative implementation support for CCM and CMAC (MBEDTLS_CCM_ALT,
- MBEDTLS_CMAC_ALT). Submitted by Steve Cooreman, Silicon Labs.
+ MBEDTLS_CMAC_ALT). Submitted by Steven Cooreman, Silicon Labs.
* Add support for alternative implementations of GCM, selected by the
configuration flag MBEDTLS_GCM_ALT.
- * In TLS servers, support offloading private key operations to an external
- cryptoprocessor. Private key operations can be asynchronous to allow
- non-blocking operation of the TLS server stack.
+ * Add support for alternative implementations for ECDSA, controlled by new
+ configuration flags MBEDTLS_ECDSA_SIGN_ALT, MBEDTLS_ECDSA_VERIFY_ALT and
+ MBEDTLS_ECDSDA_GENKEY_AT in config.h.
+ The following functions from the ECDSA module can be replaced
+ with alternative implementation:
+ mbedtls_ecdsa_sign(), mbedtls_ecdsa_verify() and mbedtls_ecdsa_genkey().
+ * Add support for alternative implementation of ECDH, controlled by the
+ new configuration flags MBEDTLS_ECDH_COMPUTE_SHARED_ALT and
+ MBEDTLS_ECDH_GEN_PUBLIC_ALT in config.h.
+ The following functions from the ECDH module can be replaced
+ with an alternative implementation:
+ mbedtls_ecdh_gen_public() and mbedtls_ecdh_compute_shared().
+ * Add support for alternative implementation of ECJPAKE, controlled by
+ the new configuration flag MBEDTLS_ECJPAKE_ALT.
+ * Add mechanism to provide alternative implementation of the DHM module.
+
+API Changes
+ * Extend RSA interface by multiple functions allowing structure-
+ independent setup and export of RSA contexts. Most notably,
+ mbedtls_rsa_import() and mbedtls_rsa_complete() are introduced for setting
+ up RSA contexts from partial key material and having them completed to the
+ needs of the implementation automatically. This allows to setup private RSA
+ contexts from keys consisting of N,D,E only, even if P,Q are needed for the
+ purpose or CRT and/or blinding.
+ * The configuration option MBEDTLS_RSA_ALT can be used to define alternative
+ implementations of the RSA interface declared in rsa.h.
+ * The following functions in the message digest modules (MD2, MD4, MD5,
+ SHA1, SHA256, SHA512) have been deprecated and replaced as shown below.
+ The new functions change the return type from void to int to allow
+ returning error codes when using MBEDTLS_<MODULE>_ALT.
+ mbedtls_<MODULE>_starts() -> mbedtls_<MODULE>_starts_ret()
+ mbedtls_<MODULE>_update() -> mbedtls_<MODULE>_update_ret()
+ mbedtls_<MODULE>_finish() -> mbedtls_<MODULE>_finish_ret()
+ mbedtls_<MODULE>_process() -> mbedtls_internal_<MODULE>_process()
New deprecations
* Deprecate usage of RSA primitives with non-matching key-type
- (e.g., signing with a public key).
+ (e.g. signing with a public key).
+ * Direct manipulation of structure fields of RSA contexts is deprecated.
+ Users are advised to use the extended RSA API instead.
+ * Deprecate usage of message digest functions that return void
+ (mbedtls_<MODULE>_starts, mbedtls_<MODULE>_update,
+ mbedtls_<MODULE>_finish and mbedtls_<MODULE>_process where <MODULE> is
+ any of MD2, MD4, MD5, SHA1, SHA256, SHA512) in favor of functions
+ that can return an error code.
+ * Deprecate untrustworthy DHE parameters from RFC 5114. Superseded by
+ parameters from RFC 3526 or the newly added parameters from RFC 7919.
+ * Deprecate hex string DHE constants MBEDTLS_DHM_RFC3526_MODP_2048_P etc.
+ Supserseded by binary encoded constants MBEDTLS_DHM_RFC3526_MODP_2048_P_BIN
+ etc.
+ * Deprecate mbedtls_ssl_conf_dh_param() for setting default DHE parameters
+ from hex strings. Superseded by mbedtls_ssl_conf_dh_param_bin()
+ accepting DHM parameters in binary form, matching the new constants.
Bugfix
* Fix ssl_parse_record_header() to silently discard invalid DTLS records
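Review bot: The added ECDSA alternative-implementation entry spells the third flag MBEDTLS_ECDSDA_GENKEY_AT, which breaks the pattern of MBEDTLS_ECDSA_SIGN_ALT and MBEDTLS_ECDSA_VERIFY_ALT on the line above and looks like a typo for MBEDTLS_ECDSA_GENKEY_ALT. A reader copying the name from the ChangeLog into config.h would define a macro that selects nothing and silently keep the built-in key generation, so the spelling should be checked against config.h before this lands. Two smaller wording slips in the same hunk: "Supserseded by binary encoded constants" in the New deprecations list, and "for the purpose or CRT and/or blinding" in the RSA API Changes entry, which presumably means "of CRT".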
@@ -42,6 +303,8 @@
* Fix leap year calculation in x509_date_is_valid() to ensure that invalid
dates on leap years with 100 and 400 intervals are handled correctly. Found
by Nicholas Wilson. #694
+ * Fix some invalid RSA-PSS signatures with keys of size 8N+1 that were
+ accepted. Generating these signatures required the private key.
* Fix out-of-memory problem when parsing 4096-bit PKCS8-encrypted RSA keys.
Found independently by Florian in the mbed TLS forum and by Mishamax.
#878, #1019.
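Review bot: The added RSA-PSS line reads as though the signatures were repaired rather than the verifier: "Fix some invalid RSA-PSS signatures with keys of size 8N+1 that were accepted." Suggest rewording along the lines of "Fix RSA-PSS verification accepting some invalid signatures with keys of size 8N+1." Since the entry is about a verifier accepting input it should reject, it is also worth stating why it is listed next to ordinary bug fixes; the second sentence (generating such a signature required the private key) is that reason, and tying it to the first with "because" would make the severity judgment explicit for people triaging the release notes.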
@@ -61,26 +324,64 @@
* Don't print X.509 version tag for v1 CRT's, and omit extensions for
non-v3 CRT's.
* Fix bugs in RSA test suite under MBEDTLS_NO_PLATFORM_ENTROPY. #1023 #1024
- * Fix net_would_block to avoid modification by errno through fcntl call.
+ * Fix net_would_block() to avoid modification by errno through fcntl() call.
Found by nkolban. Fixes #845.
- * Fix handling of handshake messages in mbedtls_ssl_read in case
+ * Fix handling of handshake messages in mbedtls_ssl_read() in case
MBEDTLS_SSL_RENEGOTIATION is disabled. Found by erja-gp.
- * Add a check for invalid private parameters in mbedtls_ecdsa_sign.
+ * Add a check for invalid private parameters in mbedtls_ecdsa_sign().
Reported by Yolan Romailler.
* Fix word size check in in pk.c to not depend on MBEDTLS_HAVE_INT64.
* Fix incorrect unit in benchmark output. #850
+ * Add size-checks for record and handshake message content, securing
+ fragile yet non-exploitable code-paths.
* Fix crash when calling mbedtls_ssl_cache_free() twice. Found by
MilenkoMitrovic, #1104
- * Fix mbedtls_timing_alarm(0) on Unix.
- * Fix use of uninitialized memory in mbedtls_timing_get_timer when reset=1.
+ * Fix mbedtls_timing_alarm(0) on Unix and MinGW.
+ * Fix use of uninitialized memory in mbedtls_timing_get_timer() when reset=1.
* Fix possible memory leaks in mbedtls_gcm_self_test().
* Added missing return code checks in mbedtls_aes_self_test().
+ * Fix issues in RSA key generation program programs/x509/rsa_genkey and the
+ RSA test suite where the failure of CTR DRBG initialization lead to
+ freeing an RSA context and several MPI's without proper initialization
+ beforehand.
+ * Fix error message in programs/pkey/gen_key.c. Found and fixed by Chris Xue.
+ * Fix programs/pkey/dh_server.c so that it actually works with dh_client.c.
+ Found and fixed by Martijn de Milliano.
+ * Fix an issue in the cipher decryption with the mode
+ MBEDTLS_PADDING_ONE_AND_ZEROS that sometimes accepted invalid padding.
+ Note, this padding mode is not used by the TLS protocol. Found and fixed by
+ Micha Kraus.
+ * Fix the entropy.c module to not call mbedtls_sha256_starts() or
+ mbedtls_sha512_starts() in the mbedtls_entropy_init() function.
+ * Fix the entropy.c module to ensure that mbedtls_sha256_init() or
+ mbedtls_sha512_init() is called before operating on the relevant context
+ structure. Do not assume that zeroizing a context is a correct way to
+ reset it. Found independently by ccli8 on Github.
+ * In mbedtls_entropy_free(), properly free the message digest context.
+ * Fix status handshake status message in programs/ssl/dtls_client.c. Found
+ and fixed by muddog.
Changes
- * Extend cert_write example program by options to set the CRT version
+ * Extend cert_write example program by options to set the certificate version
and the message digest. Further, allow enabling/disabling of authority
identifier, subject identifier and basic constraints extensions.
+ * Only check for necessary RSA structure fields in `mbedtls_rsa_private`. In
+ particular, don't require P,Q if neither CRT nor blinding are
+ used. Reported and fix proposed independently by satur9nine and sliai
+ on GitHub.
* Only run AES-192 self-test if AES-192 is available. Fixes #963.
+ * Tighten the RSA PKCS#1 v1.5 signature verification code and remove the
+ undeclared dependency of the RSA module on the ASN.1 module.
+ * Update all internal usage of deprecated message digest functions to the
+ new ones with return codes. In particular, this modifies the
+ mbedtls_md_info_t structure. Propagate errors from these functions
+ everywhere except some locations in the ssl_tls.c module.
+ * Improve CTR_DRBG error handling by propagating underlying AES errors.
+ * Add MBEDTLS_ERR_XXX_HW_ACCEL_FAILED error codes for all cryptography
+ modules where the software implementation can be replaced by a hardware
+ implementation.
+ * Add explicit warnings for the use of MD2, MD4, MD5, SHA-1, DES and ARC4
+ throughout the library.
= mbed TLS 2.6.0 branch released 2017-08-10
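Review bot: Several added Bugfix lines in this hunk need a wording pass: "Fix status handshake status message in programs/ssl/dtls_client.c" repeats "status", "the failure of CTR DRBG initialization lead to freeing an RSA context" should read "led to", and "ccli8 on Github" does not match the "GitHub" spelling used elsewhere in the file. The entry "Add size-checks for record and handshake message content, securing fragile yet non-exploitable code-paths" would also be more useful if it named the functions that gained checks, so that downstream maintainers can judge whether to backport them. Under Changes, `mbedtls_rsa_private` is the only function name in backticks, while the rest of the file writes function names bare or with trailing parentheses.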