Releases: AVSystem/avs_commons

avs_commons 5.5.0

26 Sep 12:27

BREAKING CHANGES

  • Stopped passing the Trust Store to the Mbed TLS backend for Certificate Usage
    2 (DANE-TA) and 3 (DANE-EE) during Server verification.

Features

  • Added support for generating (Pre-)Master-Secret logs for Mbed TLS backend.

Bugfixes

  • Fixed TLS 1.3 PSK-mode vulnerability in the Mbed TLS backend where a client
    configured for PSK could connect to a server that did not know the PSK, due to
    advertising non-PSK key exchange and skipping certificate verification.

    This vulnerability affects only Mbed TLS 3.6.1 and later.

    When acting as a TLS client configured for PSK, the library advertised non-PSK key
    exchange, allowing the server to select a certificate-based (EC)DHE handshake
    instead of PSK. As a result, the client could successfully establish a connection
    with a server that did not possess the PSK, because PSK authentication was not
    enforced for that handshake and certificate verification was skipped.
    The client now restricts TLS 1.3 exchange modes to PSK and PSK-(EC)DHE when
    PSK is configured.
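
Added example (not avs_commons or Mbed TLS code): one way to check from a captured TLS 1.3 handshake which key exchange the server actually selected, using the ServerHello extensions defined in RFC 8446. The function names and the sample bytes are constructed for illustration, and the parser assumes a real ServerHello rather than a HelloRetryRequest.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Result bits: which key-establishment extensions the ServerHello carried. */
enum { KEX_MALFORMED = -1, KEX_NONE = 0, KEX_PSK = 1, KEX_ECDHE = 2 };

/* Classify a TLS 1.3 ServerHello body (the bytes after the 4-byte handshake
 * header). pre_shared_key (41) means the server selected the PSK; key_share
 * (51) alone means a certificate-authenticated (EC)DHE handshake. */
int server_hello_kex(const uint8_t *b, size_t len) {
    size_t pos = 2 + 32; /* legacy_version + random */
    if (len < pos + 1) return KEX_MALFORMED;
    pos += 1 + (size_t) b[pos] + 2 + 1; /* session id echo, suite, compression */
    if (len < pos + 2) return KEX_MALFORMED;
    size_t ext_total = ((size_t) b[pos] << 8) | b[pos + 1];
    pos += 2;
    if (ext_total != len - pos) return KEX_MALFORMED;
    int mode = KEX_NONE;
    while (pos < len) {
        if (len - pos < 4) return KEX_MALFORMED;
        unsigned type = ((unsigned) b[pos] << 8) | b[pos + 1];
        size_t elen = ((size_t) b[pos + 2] << 8) | b[pos + 3];
        pos += 4;
        if (elen > len - pos) return KEX_MALFORMED; /* truncated extension */
        if (type == 41) mode |= KEX_PSK;
        if (type == 51) mode |= KEX_ECDHE;
        pos += elen;
    }
    return mode;
}

/* A client configured for PSK should accept only a PSK-keyed handshake. */
int psk_client_accepts(int mode) { return mode > 0 && (mode & KEX_PSK) != 0; }

/* Constructed sample: minimal ServerHello body with zeroed random and key. */
size_t make_sample(uint8_t out[128], int psk, int key_share) {
    /* cipher suite, compression, extensions length (set below), supported_versions */
    static const uint8_t head[] = { 0x13, 0x01, 0, 0, 0, 0, 43, 0, 2, 3, 4 };
    static const uint8_t ks[] = { 0, 51, 0, 36, 0, 0x1d, 0, 32 }; /* x25519 */
    size_t n = 35 + sizeof(head); /* head follows version, random, empty session id */
    memset(out, 0, 128);
    out[0] = out[1] = 0x03;
    memcpy(out + 35, head, sizeof(head));
    if (key_share) { memcpy(out + n, ks, sizeof(ks)); n += sizeof(ks) + 32; }
    if (psk) { out[n + 1] = 41; out[n + 3] = 2; n += 6; } /* selected_identity 0 */
    out[39] = (uint8_t) (n - 40); /* extensions length, fits in one byte */
    return n;
}
```

A ServerHello that classifies as `KEX_ECDHE` on a connection where the client was configured for PSK is the condition this bugfix describes.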

avs_commons 5.4.7

12 Nov 13:20

Improvements

  • Improved the coverage script and switched to lcov.

Bugfixes

  • Fixed the command passed to the popen() call in Mbed TLS + TLS 1.3 tests to make it work on macOS

avs_commons 5.4.5

28 May 09:36

Improvements

  • Added support for Mbed TLS 3.6

avs_commons 5.4.4

12 Apr 09:14

Features

  • Added custom base64 encoding without null termination
  • Added API to modify extended attributes in Certificate Signing Request

avs_commons 5.4.3

16 Feb 10:28

Improvements

  • Optimized "Out of memory" logs in favor of a smaller flash memory footprint

Bugfixes

  • Fixed "unused assignment" warning generated by static analyzers when compiling
    against Mbed TLS 3.x

avs_commons 5.4.2

21 Nov 16:34

Features

  • Refactored the PRNG integration in the Mbed TLS backend so that the PSA RNG
    API can be used if CTR-DRBG and/or entropy APIs are disabled

Bugfixes

  • Additional validation in avs_persistence_string() to avoid restoring a
    string with superfluous data after the null byte

avs_commons 5.4.1

09 Oct 10:39

Bugfixes

  • Fixes in CMake scripts when searching for Mbed TLS in the case when MBEDTLS_ROOT_DIR, CMAKE_FIND_ROOT_PATH and CMAKE_FIND_ROOT_PATH_MODE_* are all specified explicitly
  • Fixes in some #ifdef directives that caused compilation failures when AVS_COMMONS_WITH_AVS_CRYPTO_PSK was disabled

avs_commons 5.4.0

07 Sep 12:05

BREAKING CHANGES

  • Default POSIX socket implementation now doesn't include errno.h if
    definition of EDOM (available by e.g. including lwIP's lwip/errno.h)
    is included in AVS_COMMONS_POSIX_COMPAT_HEADER.

Improvements

  • Made MD5 length define publicly visible (for easier avs_stream_md5 usage)
  • Made (D)TLS session resumption and persistence possible on Mbed TLS 3.0+ even
    when MBEDTLS_SSL_SRV_C is disabled

Bugfixes

  • Added missing null guards in (D)TLS socket implementations so that all methods
    are now safe to call in any state
  • When using lwIP, default POSIX socket implementation and appropriate compat
    header now include lwIP's lwip/errno.h instead of system errno.h

avs_commons 5.3.1

12 Jun 13:07

Features

  • Added AVS_NET_SOCKET_OPT_PREFERRED_ADDR_FAMILY and
    AVS_NET_SOCKET_OPT_FORCED_ADDR_FAMILY options that allow setting address
    family configuration of an already created socket
  • Automatically upgrading IPv4 sockets to IPv6 when connecting is now possible
  • Added AVS_UNIT_MOCK_DECLARE() and AVS_UNIT_MOCK_DEFINE() to facilitate
    declaring mocked functions with external linkage

Improvements

  • Slightly changed the semantics of avs_sched_run(), to fix erroneous
    behavior on platforms with low-resolution system clocks

avs_commons 5.3.0

10 Mar 13:07

Features

  • Added the AVS_COMMONS_NET_POSIX_AVS_SOCKET_WITHOUT_IN6_V4MAPPED_SUPPORT
    configuration option that improves dual-stack IPv4+IPv6 connectivity on
    platforms that do not support IPv4-mapped IPv6 addresses (::ffff:0:0/96)

Improvements

  • Trivial fixes to silence warnings on certain commercial compilers
    (contributed by Flonidan A/S)
  • Removed usages of most deprecated Mbed TLS and OpenSSL APIs