mbed TLS ChangeLog (Sorted per branch, date) = PolarSSL 2.0 branch Features * Support for DTLS 1.0 and 1.2 (RFC 6347). * Ability to override core functions from MDx, SHAx, AES and DES modules with custom implementation (eg hardware accelerated), complementing the ability to override the whole module. * New server-side implementation of session tickets that rotate keys to preserve forward secrecy, and allows sharing across multiple contexts. * Reduced ROM fooprint of SHA-256 and added an option to reduce it even more (at the expense of performance) MBEDTLS_SHA256_SMALLER. API Changes * All public identifiers moved to the mbedtls_* or MBEDTLS_* namespace. Some names have been further changed to make them more consistent. Migration helpers scripts/rename.pl and include/mbedlts/compat-1.3.h are provided. Full list of renamings in scripts/data_files/rename-1.3-2.0.txt * Headers are now found in the 'mbedtls' directory (previously 'polarssl'). * The following _init() functions that could return errors have been split into an _init() that returns void and another function that should generally be the first function called on this context after init: mbedtls_ssl_init() -> mbedtls_ssl_setup() mbedtls_ccm_init() -> mbedtls_ccm_setkey() mbedtls_gcm_init() -> mbedtls_gcm_setkey() mbedtls_hmac_drbg_init() -> mbedtls_hmac_drbg_seed(_buf)() mbedtls_ctr_drbg_init() -> mbedtls_ctr_drbg_seed() Note that for mbetls_ssl_setup(), you need to be done setting up the ssl_config structure before calling it. * Most ssl_set_xxx() functions (all except ssl_set_hostname(), ssl_set_session() and ssl_set_client_transport_id(), plus ssl_legacy_renegotiation()) have been renamed to mbedtls_ssl_conf_xxx() (see rename.pl and compat-1.3.h above) and their first argument's type changed from ssl_context to ssl_config. * The following functions have been introduced and must be used in callback implementations (SNI, PSK) instead of their *conf counterparts: mbedtls_ssl_set_hs_own_cert() mbedtls_ssl_set_hs_ca_chain() mbedtls_ssl_set_hs_psk() * mbedtls_ssl_conf_ca_chain() lost its last argument (peer_cn), now set using mbedtls_ssl_set_hostname(). * mbedtls_ssl_conf_session_cache() changed prototype (only one context pointer, parameters reordered). * On server, mbedtls_ssl_conf_session_tickets_cb() must now be used in place of mbedtls_ssl_conf_session_tickets() to enable session tickets. * mbedtls_ssl_conf_truncated_hmac() now returns void. * mbedtls_memory_bufer_alloc_init() now returns void. * X.509 verification flags are now an uint32_t. Affect the signature of: mbedtls_ssl_get_verify_result() mbedtls_x509_ctr_verify_info() mbedtls_x509_crt_verify() (flags, f_vrfy -> needs to be update) mbedtls_ssl_conf_verify() (f_vrfy -> needs to be updated) * net_accept() gained new arguments for the size of the client_ip buffer. * In the threading layer, mbedtls_mutex_init() and mbedtls_mutex_free() now return void. * ecdsa_write_signature() gained an addtional md_alg argument and ecdsa_write_signature_det() was deprecated. * pk_sign() no longer accepts md_alg == POLARSSL_MD_NONE with ECDSA. * Last argument of x509_crt_check_key_usage() changed from int to unsigned. * test_ca_list (from certs.h) is renamed to test_cas_pem and is only available if POLARSSL_PEM_PARSE_C is defined (it never worked without). * Test certificates in certs.c are no longer guaranteed to be nul-terminated strings; use the new *_len variables instead of strlen(). * Functions mbedtls_x509_xxx_parse(), mbedtls_pk_parse_key(), mbedtls_pk_parse_public_key() and mbedtls_dhm_parse_dhm() now expect the length parameter to include the terminating null byte for PEM input. * Signature of mpi_mul_mpi() changed to make the last argument unsigned * calloc() is now used instead of malloc() everywhere. API of platform layer and the memory_buffer_alloc module changed accordingly. (Thanks to Mansour Moufid for helping with the replacement.) * Change SSL_DISABLE_RENEGOTIATION config.h flag to SSL_RENEGOTIATION (support for renegotiation now needs explicit enabling in config.h). * net_connect() and net_bind() have a new 'proto' argument to choose between TCP and UDP, using the macros NET_PROTO_TCP or NET_PROTO_UDP. * ssl_set_bio() changed signature (contexts merged, order switched, one additional callback for read-with-timeout). * Some constness fixes Removals * Removed mbedtls_ecp_group_read_string(). Only named groups are supported. * Removed mbedtls_ecp_sub() and mbedtls_ecp_add(), use mbedtls_ecp_muladd(). * Removed individual mdX_hmac, shaX_hmac, mdX_file and shaX_file functions (use generic functions from md.h) * Removed mbedtls_timing_msleep(). Use mbedtls_net_usleep() or a custom waiting function. * Removed the PBKDF2 module (use PKCS5). * Removed POLARSSL_ERROR_STRERROR_BC (use mbedtls_strerror()). * Removed compat-1.2.h (helper for migrating from 1.2 to 1.3). * Removed openssl.h (very partial OpenSSL compatibility layer). * Configuration options POLARSSL_HAVE_LONGLONG was removed (now always on). * Configuration options POLARSSL_HAVE_INT8 and POLARSSL_HAVE_INT16 have been removed (compiler is required to support 32-bit operations). * Configuration option POLARSSL_HAVE_IPV6 was removed (always enabled). * Removed test program o_p_test, the script compat.sh does more. * Removed test program ssl_test, superseded by ssl-opt.sh. * Removed helper script active-config.pl New deprecations * md_init_ctx() is deprecated in favour of md_setup(), that adds a third argument (allowing memory savings if HMAC is not used) Semi-API changes (technically public, morally private) * Renamed a few headers to include _internal in the name. Those headers are not supposed to be included by users. * Changed md_info_t into an opaque structure (use md_get_xxx() accessors). * Changed pk_info_t into an opaque structure. * Changed cipher_base_t into an opaque structure. * Removed sig_oid2 and rename sig_oid1 to sig_oid in x509_crt and x509_crl. * x509_crt.key_usage changed from unsigned char to unsigned int. * Removed r and s from ecdsa_context * Removed mode from des_context and des3_context Default behavior changes * The default minimum TLS version is now TLS 1.0. * RC4 is now blacklisted by default in the SSL/TLS layer, and excluded from the default ciphersuite list returned by ssl_list_ciphersuites() * Support for receiving SSLv2 ClientHello is now disabled by default at compile time. * The default authmode for SSL/TLS clients is now REQUIRED. * Support for RSA_ALT contexts in the PK layer is now optional. Since is is enabled in the default configuration, this is only noticeable if using a custom config.h * Default DHM parameters server-side upgraded from 1024 to 2048 bits. * Negotiation of truncated HMAC is now disabled by default on server too. Requirement changes * The minimum MSVC version required is now 2010 (better C99 support). * The NET layer now unconditionnaly relies on getaddrinfo() and select(). * Compiler is required to support C99 types such as long long and uint32_t. API changes from the 1.4 preview branch * ssl_set_bio_timeout() was removed, split into mbedtls_ssl_set_bio() with new prototype, and mbedtls_ssl_set_read_timeout(). * The following functions now return void: mbedtls_ssl_conf_transport() mbedtls_ssl_conf_max_version() mbedtls_ssl_conf_min_version() * DTLS no longer hard-depends on TIMING_C, but uses a callback interface instead, see mbedtls_ssl_set_timer_cb(), with the Timing module providing an example implementation, see mbedtls_timing_delay_context and mbedtls_timing_set/get_delay(). Changes * mbedtls_ctr_drbg_random() and mbedtls_hmac_drbg_random() are now thread-safe if MBEDTLS_THREADING_C is enabled. = mbed TLS 1.3 branch Security * With authmode set to SSL_VERIFY_OPTIONAL, verification of keyUsage and extendedKeyUsage on the leaf certificate was lost (results not accessible via ssl_get_verify_results()). * Add countermeasure against "Lucky 13 strikes back" cache-based attack, https://dl.acm.org/citation.cfm?id=2714625 Features * Improve ECC performance by using more efficient doubling formulas (contributed by Peter Dettman). * Add x509_crt_verify_info() to display certificate verification results. * Add support for reading DH parameters with privateValueLength included (contributed by Daniel Kahn Gillmor). * Add support for bit strings in X.509 names (request by Fredrik Axelsson). * Add support for id-at-uniqueIdentifier in X.509 names. * Add support for overriding snprintf() (except on Windows) and exit() in the platform layer. * Add an option to use macros instead of function pointers in the platform layer (helps get rid of unwanted references). * Improved Makefiles for Windows targets by fixing library targets and making cross-compilation easier (thanks to Alon Bar-Lev). * The benchmark program also prints heap usage for public-key primitives if POLARSSL_MEMORY_BUFFER_ALLOC_C and POLARSSL_MEMORY_DEBUG are defined. * New script ecc-heap.sh helps measuring the impact of ECC parameters on speed and RAM (heap only for now) usage. * New script memory.sh helps measuring the ROM and RAM requirements of two reduced configurations (PSK-CCM and NSA suite B). * Add config flag POLARSSL_DEPRECATED_WARNING (off by default) to produce warnings on use of deprecated functions (with GCC and Clang only). * Add config flag POLARSSL_DEPRECATED_REMOVED (off by default) to produce errors on use of deprecated functions. Bugfix * Fix memory leak when gcm_setkey() and ccm_setkey() are used more than once on the same context. * Fix bug in ssl_mail_client when password is longer that username (found by Bruno Pape). * Fix undefined behaviour (memcmp( NULL, NULL, 0 );) in X.509 modules (detected by Clang's 3.6 UBSan). * mpi_size() and mpi_msb() would segfault when called on an mpi that is initialized but not set (found by pravic). * Fix detection of support for getrandom() on Linux (reported by syzzer) by doing it at runtime (using uname) rather that compile time. * Fix handling of symlinks by "make install" (found by Gaël PORTAY). * Fix potential NULL pointer dereference (not trigerrable remotely) when ssl_write() is called before the handshake is finished (introduced in 1.3.10) (first reported by Martin Blumenstingl). * Fix bug in pk_parse_key() that caused some valid private EC keys to be rejected. * Fix bug in Via Padlock support (found by Nikos Mavrogiannopoulos). * Fix thread safety bug in RSA operations (found by Fredrik Axelsson). * Fix hardclock() (only used in the benchmarking program) with some versions of mingw64 (found by kxjhlele). * Fix warnings from mingw64 in timing.c (found by kxjklele). * Fix potential unintended sign extension in asn1_get_len() on 64-bit platforms. * Fix potential memory leak in ssl_set_psk() (found by Mansour Moufid). * Fix compile error when POLARSSL_SSL_DISABLE_RENEGOTATION and POLARSSL_SSL_SSESSION_TICKETS where both enabled in config.h (introduced in 1.3.10). * Add missing extern "C" guard in aesni.h (reported by amir zamani). * Add missing dependency on SHA-256 in some x509 programs (reported by Gergely Budai). * Fix bug related to ssl_set_curves(): the client didn't check that the curve picked by the server was actually allowed. Changes * Remove bias in mpi_gen_prime (contributed by Pascal Junod). * Remove potential sources of timing variations (some contributed by Pascal Junod). * Options POLARSSL_HAVE_INT8 and POLARSSL_HAVE_INT16 are deprecated. * Enabling POLARSSL_NET_C without POLARSSL_HAVE_IPV6 is deprecated. * compat-1.2.h and openssl.h are deprecated. * Adjusting/overriding CFLAGS and LDFLAGS with the make build system is now more flexible (warning: OFLAGS is not used any more) (see the README) (contributed by Alon Bar-Lev). * ssl_set_own_cert() no longer calls pk_check_pair() since the performance impact was bad for some users (this was introduced in 1.3.10). * Move from SHA-1 to SHA-256 in example programs using signatures (suggested by Thorsten Mühlfelder). * Remove some unneeded inclusions of header files from the standard library "minimize" others (eg use stddef.h if only size_t is needed). * Change #include lines in test files to use double quotes instead of angle brackets for uniformity with the rest of the code. * Remove dependency on sscanf() in X.509 parsing modules. = mbed TLS 1.3.10 released 2015-02-09 Security * NULL pointer dereference in the buffer-based allocator when the buffer is full and polarssl_free() is called (found by Mark Hasemeyer) (only possible if POLARSSL_MEMORY_BUFFER_ALLOC_C is enabled, which it is not by default). * Fix remotely-triggerable uninitialised pointer dereference caused by crafted X.509 certificate (TLS server is not affected if it doesn't ask for a client certificate) (found using Codenomicon Defensics). * Fix remotely-triggerable memory leak caused by crafted X.509 certificates (TLS server is not affected if it doesn't ask for a client certificate) (found using Codenomicon Defensics). * Fix potential stack overflow while parsing crafted X.509 certificates (TLS server is not affected if it doesn't ask for a client certificate) (found using Codenomicon Defensics). * Fix timing difference that could theoretically lead to a Bleichenbacher-style attack in the RSA and RSA-PSK key exchanges (reported by Sebastian Schinzel). Features * Add support for FALLBACK_SCSV (draft-ietf-tls-downgrade-scsv). * Add support for Extended Master Secret (draft-ietf-tls-session-hash). * Add support for Encrypt-then-MAC (RFC 7366). * Add function pk_check_pair() to test if public and private keys match. * Add x509_crl_parse_der(). * Add compile-time option POLARSSL_X509_MAX_INTERMEDIATE_CA to limit the length of an X.509 verification chain. * Support for renegotiation can now be disabled at compile-time * Support for 1/n-1 record splitting, a countermeasure against BEAST. * Certificate selection based on signature hash, preferring SHA-1 over SHA-2 for pre-1.2 clients when multiple certificates are available. * Add support for getrandom() syscall on recent Linux kernels with Glibc or a compatible enough libc (eg uClibc). * Add ssl_set_arc4_support() to make it easier to disable RC4 at runtime while using the default ciphersuite list. * Added new error codes and debug messages about selection of ciphersuite/certificate. Bugfix * Stack buffer overflow if ctr_drbg_update() is called with too large add_len (found by Jean-Philippe Aumasson) (not triggerable remotely). * Possible buffer overflow of length at most POLARSSL_MEMORY_ALIGN_MULTIPLE if memory_buffer_alloc_init() was called with buf not aligned and len not a multiple of POLARSSL_MEMORY_ALIGN_MULTIPLE (not triggerable remotely). * User set CFLAGS were ignored by Cmake with gcc (introduced in 1.3.9, found by Julian Ospald). * Fix potential undefined behaviour in Camellia. * Fix potential failure in ECDSA signatures when POLARSSL_ECP_MAX_BITS is a multiple of 8 (found by Gergely Budai). * Fix unchecked return code in x509_crt_parse_path() on Windows (found by Peter Vaskovic). * Fix assembly selection for MIPS64 (thanks to James Cowgill). * ssl_get_verify_result() now works even if the handshake was aborted due to a failed verification (found by Fredrik Axelsson). * Skip writing and parsing signature_algorithm extension if none of the key exchanges enabled needs certificates. This fixes a possible interop issue with some servers when a zero-length extension was sent. (Reported by Peter Dettman.) * On a 0-length input, base64_encode() did not correctly set output length (found by Hendrik van den Boogaard). Changes * Use deterministic nonces for AEAD ciphers in TLS by default (possible to switch back to random with POLARSSL_SSL_AEAD_RANDOM_IV in config.h). * Blind RSA private operations even when POLARSSL_RSA_NO_CRT is defined. * ssl_set_own_cert() now returns an error on key-certificate mismatch. * Forbid repeated extensions in X.509 certificates. * debug_print_buf() now prints a text view in addition to hexadecimal. * A specific error is now returned when there are ciphersuites in common but none of them is usable due to external factors such as no certificate with a suitable (extended)KeyUsage or curve or no PSK set. * It is now possible to disable negotiation of truncated HMAC server-side at runtime with ssl_set_truncated_hmac(). * Example programs for SSL client and server now disable SSLv3 by default. * Example programs for SSL client and server now disable RC4 by default. * Use platform.h in all test suites and programs. = PolarSSL 1.3.9 released 2014-10-20 Security * Lowest common hash was selected from signature_algorithms extension in TLS 1.2 (found by Darren Bane) (introduced in 1.3.8). * Remotely-triggerable memory leak when parsing some X.509 certificates (server is not affected if it doesn't ask for a client certificate) (found using Codenomicon Defensics). * Remotely-triggerable memory leak when parsing crafted ClientHello (not affected if ECC support was compiled out) (found using Codenomicon Defensics). Bugfix * Support escaping of commas in x509_string_to_names() * Fix compile error in ssl_pthread_server (found by Julian Ospald). * Fix net_accept() regarding non-blocking sockets (found by Luca Pesce). * Don't print uninitialised buffer in ssl_mail_client (found by Marc Abel). * Fix warnings from Clang's scan-build (contributed by Alfred Klomp). * Fix compile error in timing.c when POLARSSL_NET_C and POLARSSL_SELFTEST are defined but not POLARSSL_HAVE_TIME (found by Stephane Di Vito). * Remove non-existent file from VS projects (found by Peter Vaskovic). * ssl_read() could return non-application data records on server while renegotation was pending, and on client when a HelloRequest was received. * Server-initiated renegotiation would fail with non-blocking I/O if the write callback returned WANT_WRITE when requesting renegotiation. * ssl_close_notify() could send more than one message in some circumstances with non-blocking I/O. * Fix compiler warnings on iOS (found by Sander Niemeijer). * x509_crt_parse() did not increase total_failed on PEM error * Fix compile error with armcc in mpi_is_prime() * Fix potential bad read in parsing ServerHello (found by Adrien Vialletelle). Changes * Ciphersuites using SHA-256 or SHA-384 now require TLS 1.x (there is no standard defining how to use SHA-2 with SSL 3.0). * Ciphersuites using RSA-PSK key exchange new require TLS 1.x (the spec is ambiguous on how to encode some packets with SSL 3.0). * Made buffer size in pk_write_(pub)key_pem() more dynamic, eg smaller if RSA is disabled, larger if POLARSSL_MPI_MAX_SIZE is larger. * ssl_read() now returns POLARSSL_ERR_NET_WANT_READ rather than POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE on harmless alerts. * POLARSSL_MPI_MAX_SIZE now defaults to 1024 in order to allow 8192 bits RSA keys. * Accept spaces at end of line or end of buffer in base64_decode(). * X.509 certificates with more than one AttributeTypeAndValue per RelativeDistinguishedName are not accepted any more. = PolarSSL 1.3.8 released 2014-07-11 Security * Fix length checking for AEAD ciphersuites (found by Codenomicon). It was possible to crash the server (and client) using crafted messages when a GCM suite was chosen. Features * Add CCM module and cipher mode to Cipher Layer * Support for CCM and CCM_8 ciphersuites * Support for parsing and verifying RSASSA-PSS signatures in the X.509 modules (certificates, CRLs and CSRs). * Blowfish in the cipher layer now supports variable length keys. * Add example config.h for PSK with CCM, optimized for low RAM usage. * Optimize for RAM usage in example config.h for NSA Suite B profile. * Add POLARSSL_REMOVE_ARC4_CIPHERSUITES to allow removing RC4 ciphersuites from the default list (inactive by default). * Add server-side enforcement of sent renegotiation requests (ssl_set_renegotiation_enforced()) * Add SSL_CIPHERSUITES config.h flag to allow specifying a list of ciphersuites to use and save some memory if the list is small. Changes * Add LINK_WITH_PTHREAD option in CMake for explicit linking that is required on some platforms (e.g. OpenBSD) * Migrate zeroizing of data to polarssl_zeroize() instead of memset() against unwanted compiler optimizations * md_list() now returns hashes strongest first * Selection of hash for signing ServerKeyExchange in TLS 1.2 now picks strongest offered by client. * All public contexts have _init() and _free() functions now for simpler usage pattern Bugfix * Fix in debug_print_msg() * Enforce alignment in the buffer allocator even if buffer is not aligned * Remove less-than-zero checks on unsigned numbers * Stricter check on SSL ClientHello internal sizes compared to actual packet size (found by TrustInSoft) * Fix WSAStartup() return value check (found by Peter Vaskovic) * Other minor issues (found by Peter Vaskovic) * Fix symlink command for cross compiling with CMake (found by Andre Heinecke) * Fix DER output of gen_key app (found by Gergely Budai) * Very small records were incorrectly rejected when truncated HMAC was in use with some ciphersuites and versions (RC4 in all versions, CBC with versions < TLS 1.1). * Very large records using more than 224 bytes of padding were incorrectly rejected with CBC-based ciphersuites and TLS >= 1.1 * Very large records using less padding could cause a buffer overread of up to 32 bytes with CBC-based ciphersuites and TLS >= 1.1 * Restore ability to use a v1 cert as a CA if trusted locally. (This had been removed in 1.3.6.) * Restore ability to locally trust a self-signed cert that is not a proper CA for use as an end entity certificate. (This had been removed in 1.3.6.) * Fix preprocessor checks for bn_mul PPC asm (found by Barry K. Nathan). * Use \n\t rather than semicolons for bn_mul asm, since some assemblers interpret semicolons as comment delimiters (found by Barry K. Nathan). * Fix off-by-one error in parsing Supported Point Format extension that caused some handshakes to fail. * Fix possible miscomputation of the premaster secret with DHE-PSK key exchange that caused some handshakes to fail with other implementations. (Failure rate <= 1/255 with common DHM moduli.) * Disable broken Sparc64 bn_mul assembly (found by Florian Obser). * Fix base64_decode() to return and check length correctly (in case of tight buffers) * Fix mpi_write_string() to write "00" as hex output for empty MPI (found by Hui Dong) = PolarSSL 1.3.7 released on 2014-05-02 Features * debug_set_log_mode() added to determine raw or full logging * debug_set_threshold() added to ignore messages over threshold level * version_check_feature() added to check for compile-time options at run-time Changes * POLARSSL_CONFIG_OPTIONS has been removed. All values are individually checked and filled in the relevant module headers * Debug module only outputs full lines instead of parts * Better support for the different Attribute Types from IETF PKIX (RFC 5280) * AES-NI now compiles with "old" assemblers too * Ciphersuites based on RC4 now have the lowest priority by default Bugfix * Only iterate over actual certificates in ssl_write_certificate_request() (found by Matthew Page) * Typos in platform.c and pkcs11.c (found by Daniel Phillips and Steffan Karger) * cert_write app should use subject of issuer certificate as issuer of cert * Fix false reject in padding check in ssl_decrypt_buf() for CBC ciphersuites, for full SSL frames of data. * Improve interoperability by not writing extension length in ClientHello / ServerHello when no extensions are present (found by Matthew Page) * rsa_check_pubkey() now allows an E up to N * On OpenBSD, use arc4random_buf() instead of rand() to prevent warnings * mpi_fill_random() was creating numbers larger than requested on big-endian platform when size was not an integer number of limbs * Fix dependencies issues in X.509 test suite. * Some parts of ssl_tls.c were compiled even when the module was disabled. * Fix detection of DragonflyBSD in net.c (found by Markus Pfeiffer) * Fix detection of Clang on some Apple platforms with CMake (found by Barry K. Nathan) = PolarSSL 1.3.6 released on 2014-04-11 Features * Support for the ALPN SSL extension * Add option 'use_dev_random' to gen_key application * Enable verification of the keyUsage extension for CA and leaf certificates (POLARSSL_X509_CHECK_KEY_USAGE) * Enable verification of the extendedKeyUsage extension (POLARSSL_X509_CHECK_EXTENDED_KEY_USAGE) Changes * x509_crt_info() now prints information about parsed extensions as well * pk_verify() now returns a specific error code when the signature is valid but shorter than the supplied length. * Use UTC time to check certificate validity. * Reject certificates with times not in UTC, per RFC 5280. Security * Avoid potential timing leak in ecdsa_sign() by blinding modular division. (Found by Watson Ladd.) * The notAfter date of some certificates was no longer checked since 1.3.5. This affects certificates in the user-supplied chain except the top certificate. If the user-supplied chain contains only one certificates, it is not affected (ie, its notAfter date is properly checked). * Prevent potential NULL pointer dereference in ssl_read_record() (found by TrustInSoft) Bugfix * The length of various ClientKeyExchange messages was not properly checked. * Some example server programs were not sending the close_notify alert. * Potential memory leak in mpi_exp_mod() when error occurs during calculation of RR. * Fixed malloc/free default #define in platform.c (found by Gergely Budai). * Fixed type which made POLARSSL_ENTROPY_FORCE_SHA256 uneffective (found by Gergely Budai). * Fix #include path in ecdsa.h which wasn't accepted by some compilers. (found by Gergely Budai) * Fix compile errors when POLARSSL_ERROR_STRERROR_BC is undefined (found by Shuo Chen). * oid_get_numeric_string() used to truncate the output without returning an error if the output buffer was just 1 byte too small. * dhm_parse_dhm() (hence dhm_parse_dhmfile()) did not set dhm->len. * Calling pk_debug() on an RSA-alt key would segfault. * pk_get_size() and pk_get_len() were off by a factor 8 for RSA-alt keys. * Potential buffer overwrite in pem_write_buffer() because of low length indication (found by Thijs Alkemade) * EC curves constants, which should be only in ROM since 1.3.3, were also stored in RAM due to missing 'const's (found by Gergely Budai). = PolarSSL 1.3.5 released on 2014-03-26 Features * HMAC-DRBG as a separate module * Option to set the Curve preference order (disabled by default) * Single Platform compatilibity layer (for memory / printf / fprintf) * Ability to provide alternate timing implementation * Ability to force the entropy module to use SHA-256 as its basis (POLARSSL_ENTROPY_FORCE_SHA256) * Testing script ssl-opt.sh added for testing 'live' ssl option interoperability against OpenSSL and PolarSSL * Support for reading EC keys that use SpecifiedECDomain in some cases. * Entropy module now supports seed writing and reading Changes * Deprecated the Memory layer * entropy_add_source(), entropy_update_manual() and entropy_gather() now thread-safe if POLARSSL_THREADING_C defined * Improvements to the CMake build system, contributed by Julian Ospald. * Work around a bug of the version of Clang shipped by Apple with Mavericks that prevented bignum.c from compiling. (Reported by Rafael Baptista.) * Revamped the compat.sh interoperatibility script to include support for testing against GnuTLS * Deprecated ssl_set_own_cert_rsa() and ssl_set_own_cert_rsa_alt() * Improvements to tests/Makefile, contributed by Oden Eriksson. Security * Forbid change of server certificate during renegotiation to prevent "triple handshake" attack when authentication mode is 'optional' (the attack was already impossible when authentication is required). * Check notBefore timestamp of certificates and CRLs from the future. * Forbid sequence number wrapping * Fixed possible buffer overflow with overlong PSK * Possible remotely-triggered out-of-bounds memory access fixed (found by TrustInSoft) Bugfix * ecp_gen_keypair() does more tries to prevent failure because of statistics * Fixed bug in RSA PKCS#1 v1.5 "reversed" operations * Fixed testing with out-of-source builds using cmake * Fixed version-major intolerance in server * Fixed CMake symlinking on out-of-source builds * Fixed dependency issues in test suite * Programs rsa_sign_pss and rsa_verify_pss were not using PSS since 1.3.0 * Bignum's MIPS-32 assembly was used on MIPS-64, causing chaos. (Found by Alex Wilson.) * ssl_cache was creating entries when max_entries=0 if TIMING_C was enabled. * m_sleep() was sleeping twice too long on most Unix platforms. * Fixed bug with session tickets and non-blocking I/O in the unlikely case send() would return an EAGAIN error when sending the ticket. * ssl_cache was leaking memory when reusing a timed out entry containing a client certificate. * ssl_srv was leaking memory when client presented a timed out ticket containing a client certificate * ssl_init() was leaving a dirty pointer in ssl_context if malloc of out_ctr failed * ssl_handshake_init() was leaving dirty pointers in subcontexts if malloc of one of them failed * Fix typo in rsa_copy() that impacted PKCS#1 v2 contexts * x509_get_current_time() uses localtime_r() to prevent thread issues = PolarSSL 1.3.4 released on 2014-01-27 Features * Support for the Koblitz curves: secp192k1, secp224k1, secp256k1 * Support for RIPEMD-160 * Support for AES CFB8 mode * Support for deterministic ECDSA (RFC 6979) Bugfix * Potential memory leak in bignum_selftest() * Replaced expired test certificate * ssl_mail_client now terminates lines with CRLF, instead of LF * net module handles timeouts on blocking sockets better (found by Tilman Sauerbeck) * Assembly format fixes in bn_mul.h Security * Missing MPI_CHK calls added around unguarded mpi calls (found by TrustInSoft) = PolarSSL 1.3.3 released on 2013-12-31 Features * EC key generation support in gen_key app * Support for adhering to client ciphersuite order preference (POLARSSL_SSL_SRV_RESPECT_CLIENT_PREFERENCE) * Support for Curve25519 * Support for ECDH-RSA and ECDH-ECDSA key exchanges and ciphersuites * Support for IPv6 in the NET module * AES-NI support for AES, AES-GCM and AES key scheduling * SSL Pthread-based server example added (ssl_pthread_server) Changes * gen_prime() speedup * Speedup of ECP multiplication operation * Relaxed some SHA2 ciphersuite's version requirements * Dropped use of readdir_r() instead of readdir() with threading support * More constant-time checks in the RSA module * Split off curves from ecp.c into ecp_curves.c * Curves are now stored fully in ROM * Memory usage optimizations in ECP module * Removed POLARSSL_THREADING_DUMMY Bugfix * Fixed bug in mpi_set_bit() on platforms where t_uint is wider than int * Fixed X.509 hostname comparison (with non-regular characters) * SSL now gracefully handles missing RNG * Missing defines / cases for RSA_PSK key exchange * crypt_and_hash app checks MAC before final decryption * Potential memory leak in ssl_ticket_keys_init() * Memory leak in benchmark application * Fixed x509_crt_parse_path() bug on Windows platforms * Added missing MPI_CHK() around some statements in mpi_div_mpi() (found by TrustInSoft) * Fixed potential overflow in certificate size verification in ssl_write_certificate() (found by TrustInSoft) Security * Possible remotely-triggered out-of-bounds memory access fixed (found by TrustInSoft) = PolarSSL 1.3.2 released on 2013-11-04 Features * PK tests added to test framework * Added optional optimization for NIST MODP curves (POLARSSL_ECP_NIST_OPTIM) * Support for Camellia-GCM mode and ciphersuites Changes * Padding checks in cipher layer are now constant-time * Value comparisons in SSL layer are now constant-time * Support for serialNumber, postalAddress and postalCode in X509 names * SSL Renegotiation was refactored Bugfix * More stringent checks in cipher layer * Server does not send out extensions not advertised by client * Prevent possible alignment warnings on casting from char * to 'aligned *' * Misc fixes and additions to dependency checks * Const correctness * cert_write with selfsign should use issuer_name as subject_name * Fix ECDSA corner case: missing reduction mod N (found by DualTachyon) * Defines to handle UEFI environment under MSVC * Server-side initiated renegotiations send HelloRequest = PolarSSL 1.3.1 released on 2013-10-15 Features * Support for Brainpool curves and TLS ciphersuites (RFC 7027) * Support for ECDHE-PSK key-exchange and ciphersuites * Support for RSA-PSK key-exchange and ciphersuites Changes * RSA blinding locks for a smaller amount of time * TLS compression only allocates working buffer once * Introduced POLARSSL_HAVE_READDIR_R for systems without it * config.h is more script-friendly Bugfix * Missing MSVC defines added * Compile errors with POLARSSL_RSA_NO_CRT * Header files with 'polarssl/' * Const correctness * Possible naming collision in dhm_context * Better support for MSVC * threading_set_alt() name * Added missing x509write_crt_set_version() = PolarSSL 1.3.0 released on 2013-10-01 Features * Elliptic Curve Cryptography module added * Elliptic Curve Diffie Hellman module added * Ephemeral Elliptic Curve Diffie Hellman support for SSL/TLS (ECDHE-based ciphersuites) * Ephemeral Elliptic Curve Digital Signature Algorithm support for SSL/TLS (ECDSA-based ciphersuites) * Ability to specify allowed ciphersuites based on the protocol version. * PSK and DHE-PSK based ciphersuites added * Memory allocation abstraction layer added * Buffer-based memory allocator added (no malloc() / free() / HEAP usage) * Threading abstraction layer added (dummy / pthread / alternate) * Public Key abstraction layer added * Parsing Elliptic Curve keys * Parsing Elliptic Curve certificates * Support for max_fragment_length extension (RFC 6066) * Support for truncated_hmac extension (RFC 6066) * Support for zeros-and-length (ANSI X.923) padding, one-and-zeros (ISO/IEC 7816-4) padding and zero padding in the cipher layer * Support for session tickets (RFC 5077) * Certificate Request (CSR) generation with extensions (key_usage, ns_cert_type) * X509 Certificate writing with extensions (basic_constraints, issuer_key_identifier, etc) * Optional blinding for RSA, DHM and EC * Support for multiple active certificate / key pairs in SSL servers for the same host (Not to be confused with SNI!) Changes * Ability to enable / disable SSL v3 / TLS 1.0 / TLS 1.1 / TLS 1.2 individually * Introduced separate SSL Ciphersuites module that is based on Cipher and MD information * Internals for SSL module adapted to have separate IV pointer that is dynamically set (Better support for hardware acceleration) * Moved all OID functionality to a separate module. RSA function prototypes for the RSA sign and verify functions changed as a result * Split up the GCM module into a starts/update/finish cycle * Client and server now filter sent and accepted ciphersuites on minimum and maximum protocol version * Ability to disable server_name extension (RFC 6066) * Renamed error_strerror() to the less conflicting polarssl_strerror() (Ability to keep old as well with POLARSSL_ERROR_STRERROR_BC) * SHA2 renamed to SHA256, SHA4 renamed to SHA512 and functions accordingly * All RSA operations require a random generator for blinding purposes * X509 core refactored * x509_crt_verify() now case insensitive for cn (RFC 6125 6.4) * Also compiles / runs without time-based functions (!POLARSSL_HAVE_TIME) * Support faulty X509 v1 certificates with extensions (POLARSSL_X509_ALLOW_EXTENSIONS_NON_V3) Bugfix * Fixed parse error in ssl_parse_certificate_request() * zlib compression/decompression skipped on empty blocks * Support for AIX header locations in net.c module * Fixed file descriptor leaks Security * RSA blinding on CRT operations to counter timing attacks (found by Cyril Arnaud and Pierre-Alain Fouque) = Version 1.2.14 released 2015-05-?? Security * Fix potential invalid memory read in the server, that allows a client to crash it remotely (found by Caj Larsson). * Fix potential invalid memory read in certificate parsing, that allows a client to crash the server remotely if client authentication is enabled (found using Codenomicon Defensics). * Add countermeasure against "Lucky 13 strikes back" cache-based attack, https://dl.acm.org/citation.cfm?id=2714625 Bugfix * Fix bug in Via Padlock support (found by Nikos Mavrogiannopoulos). * Fix hardclock() (only used in the benchmarking program) with some versions of mingw64 (found by kxjhlele). * Fix warnings from mingw64 in timing.c (found by kxjklele). * Fix potential unintended sign extension in asn1_get_len() on 64-bit platforms (found with Coverity Scan). = Version 1.2.13 released 2015-02-16 Note: Although PolarSSL has been renamed to mbed TLS, no changes reflecting this will be made in the 1.2 branch at this point. Security * Fix remotely-triggerable uninitialised pointer dereference caused by crafted X.509 certificate (TLS server is not affected if it doesn't ask for a client certificate) (found using Codenomicon Defensics). * Fix remotely-triggerable memory leak caused by crafted X.509 certificates (TLS server is not affected if it doesn't ask for a client certificate) (found using Codenomicon Defensics). * Fix potential stack overflow while parsing crafted X.509 certificates (TLS server is not affected if it doesn't ask for a client certificate) found using Codenomicon Defensics). * Fix buffer overread of size 1 when parsing crafted X.509 certificates (TLS server is not affected if it doesn't ask for a client certificate). Bugfix * Fix potential undefined behaviour in Camellia. * Fix memory leaks in PKCS#5 and PKCS#12. * Stack buffer overflow if ctr_drbg_update() is called with too large add_len (found by Jean-Philippe Aumasson) (not triggerable remotely). * Fix bug in MPI/bignum on s390/s390x (reported by Dan Horák) (introduced in 1.2.12). * Fix unchecked return code in x509_crt_parse_path() on Windows (found by Peter Vaskovic). * Fix assembly selection for MIPS64 (thanks to James Cowgill). * ssl_get_verify_result() now works even if the handshake was aborted due to a failed verification (found by Fredrik Axelsson). * Skip writing and parsing signature_algorithm extension if none of the key exchanges enabled needs certificates. This fixes a possible interop issue with some servers when a zero-length extension was sent. (Reported by Peter Dettman.) * On a 0-length input, base64_encode() did not correctly set output length (found by Hendrik van den Boogaard). Changes * Blind RSA private operations even when POLARSSL_RSA_NO_CRT is defined. * Forbid repeated extensions in X.509 certificates. * Add compile-time option POLARSSL_X509_MAX_INTERMEDIATE_CA to limit the length of an X.509 verification chain (default = 8). = Version 1.2.12 released 2014-10-24 Security * Remotely-triggerable memory leak when parsing some X.509 certificates (server is not affected if it doesn't ask for a client certificate). (Found using Codenomicon Defensics.) Bugfix * Fix potential bad read in parsing ServerHello (found by Adrien Vialletelle). * ssl_close_notify() could send more than one message in some circumstances with non-blocking I/O. * x509_crt_parse() did not increase total_failed on PEM error * Fix compiler warnings on iOS (found by Sander Niemeijer). * Don't print uninitialised buffer in ssl_mail_client (found by Marc Abel). * Fix net_accept() regarding non-blocking sockets (found by Luca Pesce). * ssl_read() could return non-application data records on server while renegotation was pending, and on client when a HelloRequest was received. * Fix warnings from Clang's scan-build (contributed by Alfred Klomp). Changes * X.509 certificates with more than one AttributeTypeAndValue per RelativeDistinguishedName are not accepted any more. * ssl_read() now returns POLARSSL_ERR_NET_WANT_READ rather than POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE on harmless alerts. * Accept spaces at end of line or end of buffer in base64_decode(). = Version 1.2.11 released 2014-07-11 Features * Entropy module now supports seed writing and reading Changes * Introduced POLARSSL_HAVE_READDIR_R for systems without it * Improvements to the CMake build system, contributed by Julian Ospald. * Work around a bug of the version of Clang shipped by Apple with Mavericks that prevented bignum.c from compiling. (Reported by Rafael Baptista.) * Improvements to tests/Makefile, contributed by Oden Eriksson. * Use UTC time to check certificate validity. * Reject certificates with times not in UTC, per RFC 5280. * Migrate zeroizing of data to polarssl_zeroize() instead of memset() against unwanted compiler optimizations Security * Forbid change of server certificate during renegotiation to prevent "triple handshake" attack when authentication mode is optional (the attack was already impossible when authentication is required). * Check notBefore timestamp of certificates and CRLs from the future. * Forbid sequence number wrapping * Prevent potential NULL pointer dereference in ssl_read_record() (found by TrustInSoft) * Fix length checking for AEAD ciphersuites (found by Codenomicon). It was possible to crash the server (and client) using crafted messages when a GCM suite was chosen. Bugfix * Fixed X.509 hostname comparison (with non-regular characters) * SSL now gracefully handles missing RNG * crypt_and_hash app checks MAC before final decryption * Fixed x509_crt_parse_path() bug on Windows platforms * Added missing MPI_CHK() around some statements in mpi_div_mpi() (found by TrustInSoft) * Fixed potential overflow in certificate size verification in ssl_write_certificate() (found by TrustInSoft) * Fix ASM format in bn_mul.h * Potential memory leak in bignum_selftest() * Replaced expired test certificate * ssl_mail_client now terminates lines with CRLF, instead of LF * Fix bug in RSA PKCS#1 v1.5 "reversed" operations * Fixed testing with out-of-source builds using cmake * Fixed version-major intolerance in server * Fixed CMake symlinking on out-of-source builds * Bignum's MIPS-32 assembly was used on MIPS-64, causing chaos. (Found by Alex Wilson.) * ssl_init() was leaving a dirty pointer in ssl_context if malloc of out_ctr failed * ssl_handshake_init() was leaving dirty pointers in subcontexts if malloc of one of them failed * x509_get_current_time() uses localtime_r() to prevent thread issues * Some example server programs were not sending the close_notify alert. * Potential memory leak in mpi_exp_mod() when error occurs during calculation of RR. * Improve interoperability by not writing extension length in ClientHello when no extensions are present (found by Matthew Page) * rsa_check_pubkey() now allows an E up to N * On OpenBSD, use arc4random_buf() instead of rand() to prevent warnings * mpi_fill_random() was creating numbers larger than requested on big-endian platform when size was not an integer number of limbs * Fix detection of DragonflyBSD in net.c (found by Markus Pfeiffer) * Stricter check on SSL ClientHello internal sizes compared to actual packet size (found by TrustInSoft) * Fix preprocessor checks for bn_mul PPC asm (found by Barry K. Nathan). * Use \n\t rather than semicolons for bn_mul asm, since some assemblers interpret semicolons as comment delimiters (found by Barry K. Nathan). * Disable broken Sparc64 bn_mul assembly (found by Florian Obser). * Fix base64_decode() to return and check length correctly (in case of tight buffers) = Version 1.2.10 released 2013-10-07 Changes * Changed RSA blinding to a slower but thread-safe version Bugfix * Fixed memory leak in RSA as a result of introduction of blinding * Fixed ssl_pkcs11_decrypt() prototype * Fixed MSVC project files = Version 1.2.9 released 2013-10-01 Changes * x509_verify() now case insensitive for cn (RFC 6125 6.4) Bugfix * Fixed potential memory leak when failing to resume a session * Fixed potential file descriptor leaks (found by Remi Gacogne) * Minor fixes Security * Fixed potential heap buffer overflow on large hostname setting * Fixed potential negative value misinterpretation in load_file() * RSA blinding on CRT operations to counter timing attacks (found by Cyril Arnaud and Pierre-Alain Fouque) = Version 1.2.8 released 2013-06-19 Features * Parsing of PKCS#8 encrypted private key files * PKCS#12 PBE and derivation functions * Centralized module option values in config.h to allow user-defined settings without editing header files by using POLARSSL_CONFIG_OPTIONS Changes * HAVEGE random generator disabled by default * Internally split up x509parse_key() into a (PEM) handler function and specific DER parser functions for the PKCS#1 and unencrypted PKCS#8 private key formats * Added mechanism to provide alternative implementations for all symmetric cipher and hash algorithms (e.g. POLARSSL_AES_ALT in config.h) * PKCS#5 module added. Moved PBKDF2 functionality inside and deprecated old PBKDF2 module Bugfix * Secure renegotiation extension should only be sent in case client supports secure renegotiation * Fixed offset for cert_type list in ssl_parse_certificate_request() * Fixed const correctness issues that have no impact on the ABI * x509parse_crt() now better handles PEM error situations * ssl_parse_certificate() now calls x509parse_crt_der() directly instead of the x509parse_crt() wrapper that can also parse PEM certificates * x509parse_crtpath() is now reentrant and uses more portable stat() * Fixed bignum.c and bn_mul.h to support Thumb2 and LLVM compiler * Fixed values for 2-key Triple DES in cipher layer * ssl_write_certificate_request() can handle empty ca_chain Security * A possible DoS during the SSL Handshake, due to faulty parsing of PEM-encoded certificates has been fixed (found by Jack Lloyd) = Version 1.2.7 released 2013-04-13 Features * Ability to specify allowed ciphersuites based on the protocol version. Changes * Default Blowfish keysize is now 128-bits * Test suites made smaller to accommodate Raspberry Pi Bugfix * Fix for MPI assembly for ARM * GCM adapted to support sizes > 2^29 = Version 1.2.6 released 2013-03-11 Bugfix * Fixed memory leak in ssl_free() and ssl_reset() for active session * Corrected GCM counter incrementation to use only 32-bits instead of 128-bits (found by Yawning Angel) * Fixes for 64-bit compilation with MS Visual Studio * Fixed net_bind() for specified IP addresses on little endian systems * Fixed assembly code for ARM (Thumb and regular) for some compilers Changes * Internally split up rsa_pkcs1_encrypt(), rsa_pkcs1_decrypt(), rsa_pkcs1_sign() and rsa_pkcs1_verify() to separate PKCS#1 v1.5 and PKCS#1 v2.1 functions * Added support for custom labels when using rsa_rsaes_oaep_encrypt() or rsa_rsaes_oaep_decrypt() * Re-added handling for SSLv2 Client Hello when the define POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO is set * The SSL session cache module (ssl_cache) now also retains peer_cert information (not the entire chain) Security * Removed further timing differences during SSL message decryption in ssl_decrypt_buf() * Removed timing differences due to bad padding from rsa_rsaes_pkcs1_v15_decrypt() and rsa_pkcs1_decrypt() for PKCS#1 v1.5 operations = Version 1.2.5 released 2013-02-02 Changes * Allow enabling of dummy error_strerror() to support some use-cases * Debug messages about padding errors during SSL message decryption are disabled by default and can be enabled with POLARSSL_SSL_DEBUG_ALL * Sending of security-relevant alert messages that do not break interoperability can be switched on/off with the flag POLARSSL_SSL_ALL_ALERT_MESSAGES Security * Removed timing differences during SSL message decryption in ssl_decrypt_buf() due to badly formatted padding = Version 1.2.4 released 2013-01-25 Changes * More advanced SSL ciphersuite representation and moved to more dynamic SSL core * Added ssl_handshake_step() to allow single stepping the handshake process Bugfix * Memory leak when using RSA_PKCS_V21 operations fixed * Handle future version properly in ssl_write_certificate_request() * Correctly handle CertificateRequest message in client for <= TLS 1.1 without DN list = Version 1.2.3 released 2012-11-26 Bugfix * Server not always sending correct CertificateRequest message = Version 1.2.2 released 2012-11-24 Changes * Added p_hw_data to ssl_context for context specific hardware acceleration data * During verify trust-CA is only checked for expiration and CRL presence Bugfixes * Fixed client authentication compatibility * Fixed dependency on POLARSSL_SHA4_C in SSL modules = Version 1.2.1 released 2012-11-20 Changes * Depth that the certificate verify callback receives is now numbered bottom-up (Peer cert depth is 0) Bugfixes * Fixes for MSVC6 * Moved mpi_inv_mod() outside POLARSSL_GENPRIME * Allow R and A to point to same mpi in mpi_div_mpi (found by Manuel Pégourié-Gonnard) * Fixed possible segfault in mpi_shift_r() (found by Manuel Pégourié-Gonnard) * Added max length check for rsa_pkcs1_sign with PKCS#1 v2.1 = Version 1.2.0 released 2012-10-31 Features * Added support for NULL cipher (POLARSSL_CIPHER_NULL_CIPHER) and weak ciphersuites (POLARSSL_ENABLE_WEAK_CIPHERSUITES). They are disabled by default! * Added support for wildcard certificates * Added support for multi-domain certificates through the X509 Subject Alternative Name extension * Added preliminary ASN.1 buffer writing support * Added preliminary X509 Certificate Request writing support * Added key_app_writer example application * Added cert_req example application * Added base Galois Counter Mode (GCM) for AES * Added TLS 1.2 support (RFC 5246) * Added GCM suites to TLS 1.2 (RFC 5288) * Added commandline error code convertor (util/strerror) * Added support for Hardware Acceleration hooking in SSL/TLS * Added OpenSSL / PolarSSL compatibility script (tests/compat.sh) and example application (programs/ssl/o_p_test) (requires OpenSSL) * Added X509 CA Path support * Added Thumb assembly optimizations * Added DEFLATE compression support as per RFC3749 (requires zlib) * Added blowfish algorithm (Generic and cipher layer) * Added PKCS#5 PBKDF2 key derivation function * Added Secure Renegotiation (RFC 5746) * Added predefined DHM groups from RFC 5114 * Added simple SSL session cache implementation * Added ServerName extension parsing (SNI) at server side * Added option to add minimum accepted SSL/TLS protocol version Changes * Removed redundant POLARSSL_DEBUG_MSG define * AES code only check for Padlock once * Fixed const-correctness mpi_get_bit() * Documentation for mpi_lsb() and mpi_msb() * Moved out_msg to out_hdr + 32 to support hardware acceleration * Changed certificate verify behaviour to comply with RFC 6125 section 6.3 to not match CN if subjectAltName extension is present (Closes ticket #56) * Cipher layer cipher_mode_t POLARSSL_MODE_CFB128 is renamed to POLARSSL_MODE_CFB, to also handle different block size CFB modes. * Removed handling for SSLv2 Client Hello (as per RFC 5246 recommendation) * Revamped session resumption handling * Generalized external private key implementation handling (like PKCS#11) in SSL/TLS * Revamped x509_verify() and the SSL f_vrfy callback implementations * Moved from unsigned long to fixed width uint32_t types throughout code * Renamed ciphersuites naming scheme to IANA reserved names Bugfix * Fixed handling error in mpi_cmp_mpi() on longer B values (found by Hui Dong) * Fixed potential heap corruption in x509_name allocation * Fixed single RSA test that failed on Big Endian systems (Closes ticket #54) * mpi_exp_mod() now correctly handles negative base numbers (Closes ticket #52) * Handle encryption with private key and decryption with public key as per RFC 2313 * Handle empty certificate subject names * Prevent reading over buffer boundaries on X509 certificate parsing * mpi_add_abs() now correctly handles adding short numbers to long numbers with carry rollover (found by Ruslan Yushchenko) * Handle existence of OpenSSL Trust Extensions at end of X.509 DER blob * Fixed MPI assembly for SPARC64 platform Security * Fixed potential memory zeroization on miscrafted RSA key (found by Eloi Vanderbeken) = Version 1.1.8 released on 2013-10-01 Bugfix * Fixed potential memory leak when failing to resume a session * Fixed potential file descriptor leaks Security * Potential buffer-overflow for ssl_read_record() (independently found by both TrustInSoft and Paul Brodeur of Leviathan Security Group) * Potential negative value misinterpretation in load_file() * Potential heap buffer overflow on large hostname setting = Version 1.1.7 released on 2013-06-19 Changes * HAVEGE random generator disabled by default Bugfix * x509parse_crt() now better handles PEM error situations * ssl_parse_certificate() now calls x509parse_crt_der() directly instead of the x509parse_crt() wrapper that can also parse PEM certificates * Fixed values for 2-key Triple DES in cipher layer * ssl_write_certificate_request() can handle empty ca_chain Security * A possible DoS during the SSL Handshake, due to faulty parsing of PEM-encoded certificates has been fixed (found by Jack Lloyd) = Version 1.1.6 released on 2013-03-11 Bugfix * Fixed net_bind() for specified IP addresses on little endian systems Changes * Allow enabling of dummy error_strerror() to support some use-cases * Debug messages about padding errors during SSL message decryption are disabled by default and can be enabled with POLARSSL_SSL_DEBUG_ALL Security * Removed timing differences during SSL message decryption in ssl_decrypt_buf() * Removed timing differences due to bad padding from rsa_rsaes_pkcs1_v15_decrypt() and rsa_pkcs1_decrypt() for PKCS#1 v1.5 operations = Version 1.1.5 released on 2013-01-16 Bugfix * Fixed MPI assembly for SPARC64 platform * Handle existence of OpenSSL Trust Extensions at end of X.509 DER blob * mpi_add_abs() now correctly handles adding short numbers to long numbers with carry rollover * Moved mpi_inv_mod() outside POLARSSL_GENPRIME * Prevent reading over buffer boundaries on X509 certificate parsing * mpi_exp_mod() now correctly handles negative base numbers (Closes ticket #52) * Fixed possible segfault in mpi_shift_r() (found by Manuel Pégourié-Gonnard) * Allow R and A to point to same mpi in mpi_div_mpi (found by Manuel Pégourié-Gonnard) * Added max length check for rsa_pkcs1_sign with PKCS#1 v2.1 * Memory leak when using RSA_PKCS_V21 operations fixed * Handle encryption with private key and decryption with public key as per RFC 2313 * Fixes for MSVC6 Security * Fixed potential memory zeroization on miscrafted RSA key (found by Eloi Vanderbeken) = Version 1.1.4 released on 2012-05-31 Bugfix * Correctly handle empty SSL/TLS packets (Found by James Yonan) * Fixed potential heap corruption in x509_name allocation * Fixed single RSA test that failed on Big Endian systems (Closes ticket #54) = Version 1.1.3 released on 2012-04-29 Bugfix * Fixed random MPI generation to not generate more size than requested. = Version 1.1.2 released on 2012-04-26 Bugfix * Fixed handling error in mpi_cmp_mpi() on longer B values (found by Hui Dong) Security * Fixed potential memory corruption on miscrafted client messages (found by Frama-C team at CEA LIST) * Fixed generation of DHM parameters to correct length (found by Ruslan Yushchenko) = Version 1.1.1 released on 2012-01-23 Bugfix * Check for failed malloc() in ssl_set_hostname() and x509_get_entries() (Closes ticket #47, found by Hugo Leisink) * Fixed issues with Intel compiler on 64-bit systems (Closes ticket #50) * Fixed multiple compiler warnings for VS6 and armcc * Fixed bug in CTR_CRBG selftest = Version 1.1.0 released on 2011-12-22 Features * Added ssl_session_reset() to allow better multi-connection pools of SSL contexts without needing to set all non-connection-specific data and pointers again. Adapted ssl_server to use this functionality. * Added ssl_set_max_version() to allow clients to offer a lower maximum supported version to a server to help buggy server implementations. (Closes ticket #36) * Added cipher_get_cipher_mode() and cipher_get_cipher_operation() introspection functions (Closes ticket #40) * Added CTR_DRBG based on AES-256-CTR (NIST SP 800-90) random generator * Added a generic entropy accumulator that provides support for adding custom entropy sources and added some generic and platform dependent entropy sources Changes * Documentation for AES and Camellia in modes CTR and CFB128 clarified. * Fixed rsa_encrypt and rsa_decrypt examples to use public key for encryption and private key for decryption. (Closes ticket #34) * Inceased maximum size of ASN1 length reads to 32-bits. * Added an EXPLICIT tag number parameter to x509_get_ext() * Added a separate CRL entry extension parsing function * Separated the ASN.1 parsing code from the X.509 specific parsing code. So now there is a module that is controlled with POLARSSL_ASN1_PARSE_C. * Changed the defined key-length of DES ciphers in cipher.h to include the parity bits, to prevent mistakes in copying data. (Closes ticket #33) * Loads of minimal changes to better support WINCE as a build target (Credits go to Marco Lizza) * Added POLARSSL_MPI_WINDOW_SIZE definition to allow easier time to memory trade-off * Introduced POLARSSL_MPI_MAX_SIZE and POLARSSL_MPI_MAX_BITS for MPI size management (Closes ticket #44) * Changed the used random function pointer to more flexible format. Renamed havege_rand() to havege_random() to prevent mistakes. Lots of changes as a consequence in library code and programs * Moved all examples programs to use the new entropy and CTR_DRBG * Added permissive certificate parsing to x509parse_crt() and x509parse_crtfile(). With permissive parsing the parsing does not stop on encountering a parse-error. Beware that the meaning of return values has changed! * All error codes are now negative. Even on mermory failures and IO errors. Bugfix * Fixed faulty HMAC-MD2 implementation. Found by dibac. (Closes ticket #37) * Fixed a bug where the CRL parser expected an EXPLICIT ASN.1 tag before version numbers * Allowed X509 key usage parsing to accept 4 byte values instead of the standard 1 byte version sometimes used by Microsoft. (Closes ticket #38) * Fixed incorrect behaviour in case of RSASSA-PSS with a salt length smaller than the hash length. (Closes ticket #41) * If certificate serial is longer than 32 octets, serial number is now appended with '....' after first 28 octets * Improved build support for s390x and sparc64 in bignum.h * Fixed MS Visual C++ name clash with int64 in sha4.h * Corrected removal of leading "00:" in printing serial numbers in certificates and CRLs = Version 1.0.0 released on 2011-07-27 Features * Expanded cipher layer with support for CFB128 and CTR mode * Added rsa_encrypt and rsa_decrypt simple example programs. Changes * The generic cipher and message digest layer now have normal error codes instead of integers Bugfix * Undid faulty bug fix in ssl_write() when flushing old data (Ticket #18) = Version 0.99-pre5 released on 2011-05-26 Features * Added additional Cipher Block Modes to symmetric ciphers (AES CTR, Camellia CTR, XTEA CBC) including the option to enable and disable individual modes when needed * Functions requiring File System functions can now be disabled by undefining POLARSSL_FS_IO * A error_strerror function() has been added to translate between error codes and their description. * Added mpi_get_bit() and mpi_set_bit() individual bit setter/getter functions. * Added ssl_mail_client and ssl_fork_server as example programs. Changes * Major argument / variable rewrite. Introduced use of size_t instead of int for buffer lengths and loop variables for better unsigned / signed use. Renamed internal bigint types t_int and t_dbl to t_uint and t_udbl in the process * mpi_init() and mpi_free() now only accept a single MPI argument and do not accept variable argument lists anymore. * The error codes have been remapped and combining error codes is now done with a PLUS instead of an OR as error codes used are negative. * Changed behaviour of net_read(), ssl_fetch_input() and ssl_recv(). net_recv() now returns 0 on EOF instead of POLARSSL_ERR_NET_CONN_RESET. ssl_fetch_input() returns POLARSSL_ERR_SSL_CONN_EOF on an EOF from its f_recv() function. ssl_read() returns 0 if a POLARSSL_ERR_SSL_CONN_EOF is received after the handshake. * Network functions now return POLARSSL_ERR_NET_WANT_READ or POLARSSL_ERR_NET_WANT_WRITE instead of the ambiguous POLARSSL_ERR_NET_TRY_AGAIN = Version 0.99-pre4 released on 2011-04-01 Features * Added support for PKCS#1 v2.1 encoding and thus support for the RSAES-OAEP and RSASSA-PSS operations. * Reading of Public Key files incorporated into default x509 functionality as well. * Added mpi_fill_random() for centralized filling of big numbers with random data (Fixed ticket #10) Changes * Debug print of MPI now removes leading zero octets and displays actual bit size of the value. * x509parse_key() (and as a consequence x509parse_keyfile()) does not zeroize memory in advance anymore. Use rsa_init() before parsing a key or keyfile! Bugfix * Debug output of MPI's now the same independent of underlying platform (32-bit / 64-bit) (Fixes ticket #19, found by Mads Kiilerich and Mihai Militaru) * Fixed bug in ssl_write() when flushing old data (Fixed ticket #18, found by Nikolay Epifanov) * Fixed proper handling of RSASSA-PSS verification with variable length salt lengths = Version 0.99-pre3 released on 2011-02-28 This release replaces version 0.99-pre2 which had possible copyright issues. Features * Parsing PEM private keys encrypted with DES and AES are now supported as well (Fixes ticket #5) * Added crl_app program to allow easy reading and printing of X509 CRLs from file Changes * Parsing of PEM files moved to separate module (Fixes ticket #13). Also possible to remove PEM support for systems only using DER encoding Bugfixes * Corrected parsing of UTCTime dates before 1990 and after 1950 * Support more exotic OID's when parsing certificates (found by Mads Kiilerich) * Support more exotic name representations when parsing certificates (found by Mads Kiilerich) * Replaced the expired test certificates * Do not bail out if no client certificate specified. Try to negotiate anonymous connection (Fixes ticket #12, found by Boris Krasnovskiy) Security fixes * Fixed a possible Man-in-the-Middle attack on the Diffie Hellman key exchange (thanks to Larry Highsmith, Subreption LLC) = Version 0.99-pre1 released on 2011-01-30 Features Note: Most of these features have been donated by Fox-IT * Added Doxygen source code documentation parts * Added reading of DHM context from memory and file * Improved X509 certificate parsing to include extended certificate fields, including Key Usage * Improved certificate verification and verification against the available CRLs * Detection for DES weak keys and parity bits added * Improvements to support integration in other applications: + Added generic message digest and cipher wrapper + Improved information about current capabilities, status, objects and configuration + Added verification callback on certificate chain verification to allow external blacklisting + Additional example programs to show usage * Added support for PKCS#11 through the use of the libpkcs11-helper library Changes * x509parse_time_expired() checks time in addition to the existing date check * The ciphers member of ssl_context and the cipher member of ssl_session have been renamed to ciphersuites and ciphersuite respectively. This clarifies the difference with the generic cipher layer and is better naming altogether = Version 0.14.0 released on 2010-08-16 Features * Added support for SSL_EDH_RSA_AES_128_SHA and SSL_EDH_RSA_CAMELLIA_128_SHA ciphersuites * Added compile-time and run-time version information * Expanded ssl_client2 arguments for more flexibility * Added support for TLS v1.1 Changes * Made Makefile cleaner * Removed dependency on rand() in rsa_pkcs1_encrypt(). Now using random fuction provided to function and changed the prototype of rsa_pkcs1_encrypt(), rsa_init() and rsa_gen_key(). * Some SSL defines were renamed in order to avoid future confusion Bug fixes * Fixed CMake out of source build for tests (found by kkert) * rsa_check_private() now supports PKCS1v2 keys as well * Fixed deadlock in rsa_pkcs1_encrypt() on failing random generator = Version 0.13.1 released on 2010-03-24 Bug fixes * Fixed Makefile in library that was mistakenly merged * Added missing const string fixes = Version 0.13.0 released on 2010-03-21 Features * Added option parsing for host and port selection to ssl_client2 * Added support for GeneralizedTime in X509 parsing * Added cert_app program to allow easy reading and printing of X509 certificates from file or SSL connection. Changes * Added const correctness for main code base * X509 signature algorithm determination is now in a function to allow easy future expansion * Changed symmetric cipher functions to identical interface (returning int result values) * Changed ARC4 to use separate input/output buffer * Added reset function for HMAC context as speed-up for specific use-cases Bug fixes * Fixed bug resulting in failure to send the last certificate in the chain in ssl_write_certificate() and ssl_write_certificate_request() (found by fatbob) * Added small fixes for compiler warnings on a Mac (found by Frank de Brabander) * Fixed algorithmic bug in mpi_is_prime() (found by Smbat Tonoyan) = Version 0.12.1 released on 2009-10-04 Changes * Coverage test definitions now support 'depends_on' tagging system. * Tests requiring specific hashing algorithms now honor the defines. Bug fixes * Changed typo in #ifdef in x509parse.c (found by Eduardo) = Version 0.12.0 released on 2009-07-28 Features * Added CMake makefiles as alternative to regular Makefiles. * Added preliminary Code Coverage tests for AES, ARC4, Base64, MPI, SHA-family, MD-family, HMAC-SHA-family, Camellia, DES, 3-DES, RSA PKCS#1, XTEA, Diffie-Hellman and X509parse. Changes * Error codes are not (necessarily) negative. Keep this is mind when checking for errors. * RSA_RAW renamed to SIG_RSA_RAW for consistency. * Fixed typo in name of POLARSSL_ERR_RSA_OUTPUT_TOO_LARGE. * Changed interface for AES and Camellia setkey functions to indicate invalid key lengths. Bug fixes * Fixed include location of endian.h on FreeBSD (found by Gabriel) * Fixed include location of endian.h and name clash on Apples (found by Martin van Hensbergen) * Fixed HMAC-MD2 by modifying md2_starts(), so that the required HMAC ipad and opad variables are not cleared. (found by code coverage tests) * Prevented use of long long in bignum if POLARSSL_HAVE_LONGLONG not defined (found by Giles Bathgate). * Fixed incorrect handling of negative strings in mpi_read_string() (found by code coverage tests). * Fixed segfault on handling empty rsa_context in rsa_check_pubkey() and rsa_check_privkey() (found by code coverage tests). * Fixed incorrect handling of one single negative input value in mpi_add_abs() (found by code coverage tests). * Fixed incorrect handling of negative first input value in mpi_sub_abs() (found by code coverage tests). * Fixed incorrect handling of negative first input value in mpi_mod_mpi() and mpi_mod_int(). Resulting change also affects mpi_write_string() (found by code coverage tests). * Corrected is_prime() results for 0, 1 and 2 (found by code coverage tests). * Fixed Camellia and XTEA for 64-bit Windows systems. = Version 0.11.1 released on 2009-05-17 * Fixed missing functionality for SHA-224, SHA-256, SHA384, SHA-512 in rsa_pkcs1_sign() = Version 0.11.0 released on 2009-05-03 * Fixed a bug in mpi_gcd() so that it also works when both input numbers are even and added testcases to check (found by Pierre Habouzit). * Added support for SHA-224, SHA-256, SHA-384 and SHA-512 one way hash functions with the PKCS#1 v1.5 signing and verification. * Fixed minor bug regarding mpi_gcd located within the POLARSSL_GENPRIME block. * Fixed minor memory leak in x509parse_crt() and added better handling of 'full' certificate chains (found by Mathias Olsson). * Centralized file opening and reading for x509 files into load_file() * Made definition of net_htons() endian-clean for big endian systems (Found by Gernot). * Undefining POLARSSL_HAVE_ASM now also handles prevents asm in padlock and timing code. * Fixed an off-by-one buffer allocation in ssl_set_hostname() responsible for crashes and unwanted behaviour. * Added support for Certificate Revocation List (CRL) parsing. * Added support for CRL revocation to x509parse_verify() and SSL/TLS code. * Fixed compatibility of XTEA and Camellia on a 64-bit system (found by Felix von Leitner). = Version 0.10.0 released on 2009-01-12 * Migrated XySSL to PolarSSL * Added XTEA symmetric cipher * Added Camellia symmetric cipher * Added support for ciphersuites: SSL_RSA_CAMELLIA_128_SHA, SSL_RSA_CAMELLIA_256_SHA and SSL_EDH_RSA_CAMELLIA_256_SHA * Fixed dangerous bug that can cause a heap overflow in rsa_pkcs1_decrypt (found by Christophe Devine) ================================================================ XySSL ChangeLog = Version 0.9 released on 2008-03-16 * Added support for ciphersuite: SSL_RSA_AES_128_SHA * Enabled support for large files by default in aescrypt2.c * Preliminary openssl wrapper contributed by David Barrett * Fixed a bug in ssl_write() that caused the same payload to be sent twice in non-blocking mode when send returns EAGAIN * Fixed ssl_parse_client_hello(): session id and challenge must not be swapped in the SSLv2 ClientHello (found by Greg Robson) * Added user-defined callback debug function (Krystian Kolodziej) * Before freeing a certificate, properly zero out all cert. data * Fixed the "mode" parameter so that encryption/decryption are not swapped on PadLock; also fixed compilation on older versions of gcc (bug reported by David Barrett) * Correctly handle the case in padlock_xcryptcbc() when input or ouput data is non-aligned by falling back to the software implementation, as VIA Nehemiah cannot handle non-aligned buffers * Fixed a memory leak in x509parse_crt() which was reported by Greg Robson-Garth; some x509write.c fixes by Pascal Vizeli, thanks to Matthew Page who reported several bugs * Fixed x509_get_ext() to accept some rare certificates which have an INTEGER instead of a BOOLEAN for BasicConstraints::cA. * Added support on the client side for the TLS "hostname" extension (patch contributed by David Patino) * Make x509parse_verify() return BADCERT_CN_MISMATCH when an empty string is passed as the CN (bug reported by spoofy) * Added an option to enable/disable the BN assembly code * Updated rsa_check_privkey() to verify that (D*E) = 1 % (P-1)*(Q-1) * Disabled obsolete hash functions by default (MD2, MD4); updated selftest and benchmark to not test ciphers that have been disabled * Updated x509parse_cert_info() to correctly display byte 0 of the serial number, setup correct server port in the ssl client example * Fixed a critical denial-of-service with X.509 cert. verification: peer may cause xyssl to loop indefinitely by sending a certificate for which the RSA signature check fails (bug reported by Benoit) * Added test vectors for: AES-CBC, AES-CFB, DES-CBC and 3DES-CBC, HMAC-MD5, HMAC-SHA1, HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512 * Fixed HMAC-SHA-384 and HMAC-SHA-512 (thanks to Josh Sinykin) * Modified ssl_parse_client_key_exchange() to protect against Daniel Bleichenbacher attack on PKCS#1 v1.5 padding, as well as the Klima-Pokorny-Rosa extension of Bleichenbacher's attack * Updated rsa_gen_key() so that ctx->N is always nbits in size * Fixed assembly PPC compilation errors on Mac OS X, thanks to David Barrett and Dusan Semen = Version 0.8 released on 2007-10-20 * Modified the HMAC functions to handle keys larger than 64 bytes, thanks to Stephane Desneux and gary ng * Fixed ssl_read_record() to properly update the handshake message digests, which fixes IE6/IE7 client authentication * Cleaned up the XYSSL* #defines, suggested by Azriel Fasten * Fixed net_recv(), thanks to Lorenz Schori and Egon Kocjan * Added user-defined callbacks for handling I/O and sessions * Added lots of debugging output in the SSL/TLS functions * Added preliminary X.509 cert. writing by Pascal Vizeli * Added preliminary support for the VIA PadLock routines * Added AES-CFB mode of operation, contributed by chmike * Added an SSL/TLS stress testing program (ssl_test.c) * Updated the RSA PKCS#1 code to allow choosing between RSA_PUBLIC and RSA_PRIVATE, as suggested by David Barrett * Updated ssl_read() to skip 0-length records from OpenSSL * Fixed the make install target to comply with *BSD make * Fixed a bug in mpi_read_binary() on 64-bit platforms * mpi_is_prime() speedups, thanks to Kevin McLaughlin * Fixed a long standing memory leak in mpi_is_prime() * Replaced realloc with malloc in mpi_grow(), and set the sign of zero as positive in mpi_init() (reported by Jonathan M. McCune) = Version 0.7 released on 2007-07-07 * Added support for the MicroBlaze soft-core processor * Fixed a bug in ssl_tls.c which sometimes prevented SSL connections from being established with non-blocking I/O * Fixed a couple bugs in the VS6 and UNIX Makefiles * Fixed the "PIC register ebx clobbered in asm" bug * Added HMAC starts/update/finish support functions * Added the SHA-224, SHA-384 and SHA-512 hash functions * Fixed the net_set_*block routines, thanks to Andreas * Added a few demonstration programs: md5sum, sha1sum, dh_client, dh_server, rsa_genkey, rsa_sign, rsa_verify * Added new bignum import and export helper functions * Rewrote README.txt in program/ssl/ca to better explain how to create a test PKI = Version 0.6 released on 2007-04-01 * Ciphers used in SSL/TLS can now be disabled at compile time, to reduce the memory footprint on embedded systems * Added multiply assembly code for the TriCore and modified havege_struct for this processor, thanks to David Patiño * Added multiply assembly code for 64-bit PowerPCs, thanks to Peking University and the OSU Open Source Lab * Added experimental support of Quantum Cryptography * Added support for autoconf, contributed by Arnaud Cornet * Fixed "long long" compilation issues on IA-64 and PPC64 * Fixed a bug introduced in xyssl-0.5/timing.c: hardclock was not being correctly defined on ARM and MIPS = Version 0.5 released on 2007-03-01 * Added multiply assembly code for SPARC and Alpha * Added (beta) support for non-blocking I/O operations * Implemented session resuming and client authentication * Fixed some portability issues on WinCE, MINIX 3, Plan9 (thanks to Benjamin Newman), HP-UX, FreeBSD and Solaris * Improved the performance of the EDH key exchange * Fixed a bug that caused valid packets with a payload size of 16384 bytes to be rejected = Version 0.4 released on 2007-02-01 * Added support for Ephemeral Diffie-Hellman key exchange * Added multiply asm code for SSE2, ARM, PPC, MIPS and M68K * Various improvement to the modular exponentiation code * Rewrote the headers to generate the API docs with doxygen * Fixed a bug in ssl_encrypt_buf (incorrect padding was generated) and in ssl_parse_client_hello (max. client version was not properly set), thanks to Didier Rebeix * Fixed another bug in ssl_parse_client_hello: clients with cipherlists larger than 96 bytes were incorrectly rejected * Fixed a couple memory leak in x509_read.c = Version 0.3 released on 2007-01-01 * Added server-side SSLv3 and TLSv1.0 support * Multiple fixes to enhance the compatibility with g++, thanks to Xosé Antón Otero Ferreira * Fixed a bug in the CBC code, thanks to dowst; also, the bignum code is no longer dependent on long long * Updated rsa_pkcs1_sign to handle arbitrary large inputs * Updated timing.c for improved compatibility with i386 and 486 processors, thanks to Arnaud Cornet = Version 0.2 released on 2006-12-01 * Updated timing.c to support ARM and MIPS arch * Updated the MPI code to support 8086 on MSVC 1.5 * Added the copyright notice at the top of havege.h * Fixed a bug in sha2_hmac, thanks to newsoft/Wenfang Zhang * Fixed a bug reported by Adrian Rüegsegger in x509_read_key * Fixed a bug reported by Torsten Lauter in ssl_read_record * Fixed a bug in rsa_check_privkey that would wrongly cause valid RSA keys to be dismissed (thanks to oldwolf) * Fixed a bug in mpi_is_prime that caused some primes to fail the Miller-Rabin primality test I'd also like to thank Younès Hafri for the CRUX linux port, Khalil Petit who added XySSL into pkgsrc and Arnaud Cornet who maintains the Debian package :-) = Version 0.1 released on 2006-11-01