mbedtls/ChangeLog
2015-07-10 14:09:43 +01:00

1752 lines
82 KiB
Text

mbed TLS ChangeLog (Sorted per branch, date)
= mbed TLS 2.0.0 released 2015-07-13
Features
* Support for DTLS 1.0 and 1.2 (RFC 6347).
* Ability to override core functions from MDx, SHAx, AES and DES modules
with custom implementation (eg hardware accelerated), complementing the
ability to override the whole module.
* New server-side implementation of session tickets that rotate keys to
preserve forward secrecy, and allows sharing across multiple contexts.
* Added a concept of X.509 cerificate verification profile that controls
which algorithms and key sizes (curves for ECDSA) are acceptable.
* Expanded configurability of security parameters in the SSL module with
mbedtls_ssl_conf_dhm_min_bitlen() and mbedtls_ssl_conf_sig_hashes().
* Introduced a concept of presets for SSL security-relevant configuration
parameters.
API Changes
* The library has been split into libmbedcrypto, libmbedx509, libmbedtls.
You now need to link to all of them if you use TLS for example.
* All public identifiers moved to the mbedtls_* or MBEDTLS_* namespace.
Some names have been further changed to make them more consistent.
Migration helpers scripts/rename.pl and include/mbedlts/compat-1.3.h are
provided. Full list of renamings in scripts/data_files/rename-1.3-2.0.txt
* Renamings of fields inside structures, not covered by the previous list:
mbedtls_cipher_info_t.key_length -> key_bitlen
mbedtls_cipher_context_t.key_length -> key_bitlen
mbedtls_ecp_curve_info.size -> bit_size
* Headers are now found in the 'mbedtls' directory (previously 'polarssl').
* The following _init() functions that could return errors have
been split into an _init() that returns void and another function that
should generally be the first function called on this context after init:
mbedtls_ssl_init() -> mbedtls_ssl_setup()
mbedtls_ccm_init() -> mbedtls_ccm_setkey()
mbedtls_gcm_init() -> mbedtls_gcm_setkey()
mbedtls_hmac_drbg_init() -> mbedtls_hmac_drbg_seed(_buf)()
mbedtls_ctr_drbg_init() -> mbedtls_ctr_drbg_seed()
Note that for mbetls_ssl_setup(), you need to be done setting up the
ssl_config structure before calling it.
* Most ssl_set_xxx() functions (all except ssl_set_bio(), ssl_set_hostname(),
ssl_set_session() and ssl_set_client_transport_id(), plus
ssl_legacy_renegotiation()) have been renamed to mbedtls_ssl_conf_xxx()
(see rename.pl and compat-1.3.h above) and their first argument's type
changed from ssl_context to ssl_config.
* ssl_set_bio() changed signature (contexts merged, order switched, one
additional callback for read-with-timeout).
* The following functions have been introduced and must be used in callback
implementations (SNI, PSK) instead of their *conf counterparts:
mbedtls_ssl_set_hs_own_cert()
mbedtls_ssl_set_hs_ca_chain()
mbedtls_ssl_set_hs_psk()
* mbedtls_ssl_conf_ca_chain() lost its last argument (peer_cn), now set
using mbedtls_ssl_set_hostname().
* mbedtls_ssl_conf_session_cache() changed prototype (only one context
pointer, parameters reordered).
* On server, mbedtls_ssl_conf_session_tickets_cb() must now be used in
place of mbedtls_ssl_conf_session_tickets() to enable session tickets.
* The SSL debug callback gained two new arguments (file name, line number).
* Debug modes were removed.
* mbedtls_ssl_conf_truncated_hmac() now returns void.
* mbedtls_memory_buffer_alloc_init() now returns void.
* X.509 verification flags are now an uint32_t. Affect the signature of:
mbedtls_ssl_get_verify_result()
mbedtls_x509_ctr_verify_info()
mbedtls_x509_crt_verify() (flags, f_vrfy -> needs to be updated)
mbedtls_ssl_conf_verify() (f_vrfy -> needs to be updated)
* The following functions changed prototype to avoid an in-out length
parameter:
mbedtls_base64_encode()
mbedtls_base64_decode()
mbedtls_mpi_write_string()
mbedtls_dhm_calc_secret()
* In the NET module, all "int" and "int *" arguments for file descriptors
changed type to "mbedtls_net_context *".
* net_accept() gained new arguments for the size of the client_ip buffer.
* In the threading layer, mbedtls_mutex_init() and mbedtls_mutex_free() now
return void.
* ecdsa_write_signature() gained an addtional md_alg argument and
ecdsa_write_signature_det() was deprecated.
* pk_sign() no longer accepts md_alg == POLARSSL_MD_NONE with ECDSA.
* Last argument of x509_crt_check_key_usage() and
mbedtls_x509write_crt_set_key_usage() changed from int to unsigned.
* test_ca_list (from certs.h) is renamed to test_cas_pem and is only
available if POLARSSL_PEM_PARSE_C is defined (it never worked without).
* Test certificates in certs.c are no longer guaranteed to be nul-terminated
strings; use the new *_len variables instead of strlen().
* Functions mbedtls_x509_xxx_parse(), mbedtls_pk_parse_key(),
mbedtls_pk_parse_public_key() and mbedtls_dhm_parse_dhm() now expect the
length parameter to include the terminating null byte for PEM input.
* Signature of mpi_mul_mpi() changed to make the last argument unsigned
* calloc() is now used instead of malloc() everywhere. API of platform
layer and the memory_buffer_alloc module changed accordingly.
(Thanks to Mansour Moufid for helping with the replacement.)
* Change SSL_DISABLE_RENEGOTIATION config.h flag to SSL_RENEGOTIATION
(support for renegotiation now needs explicit enabling in config.h).
* Split MBEDTLS_HAVE_TIME into MBEDTLS_HAVE_TIME and MBEDTLS_HAVE_TIME_DATE
in config.h
* net_connect() and net_bind() have a new 'proto' argument to choose
between TCP and UDP, using the macros NET_PROTO_TCP or NET_PROTO_UDP.
Their 'port' argument type is changed to a string.
* Some constness fixes
Removals
* Removed mbedtls_ecp_group_read_string(). Only named groups are supported.
* Removed mbedtls_ecp_sub() and mbedtls_ecp_add(), use
mbedtls_ecp_muladd().
* Removed individual mdX_hmac, shaX_hmac, mdX_file and shaX_file functions
(use generic functions from md.h)
* Removed mbedtls_timing_msleep(). Use mbedtls_net_usleep() or a custom
waiting function.
* Removed test DHM parameters from the test certs module.
* Removed the PBKDF2 module (use PKCS5).
* Removed POLARSSL_ERROR_STRERROR_BC (use mbedtls_strerror()).
* Removed compat-1.2.h (helper for migrating from 1.2 to 1.3).
* Removed openssl.h (very partial OpenSSL compatibility layer).
* Configuration options POLARSSL_HAVE_LONGLONG was removed (now always on).
* Configuration options POLARSSL_HAVE_INT8 and POLARSSL_HAVE_INT16 have
been removed (compiler is required to support 32-bit operations).
* Configuration option POLARSSL_HAVE_IPV6 was removed (always enabled).
* Removed test program o_p_test, the script compat.sh does more.
* Removed test program ssl_test, superseded by ssl-opt.sh.
* Removed helper script active-config.pl
New deprecations
* md_init_ctx() is deprecated in favour of md_setup(), that adds a third
argument (allowing memory savings if HMAC is not used)
Semi-API changes (technically public, morally private)
* Renamed a few headers to include _internal in the name. Those headers are
not supposed to be included by users.
* Changed md_info_t into an opaque structure (use md_get_xxx() accessors).
* Changed pk_info_t into an opaque structure.
* Changed cipher_base_t into an opaque structure.
* Removed sig_oid2 and rename sig_oid1 to sig_oid in x509_crt and x509_crl.
* x509_crt.key_usage changed from unsigned char to unsigned int.
* Removed r and s from ecdsa_context
* Removed mode from des_context and des3_context
Default behavior changes
* The default minimum TLS version is now TLS 1.0.
* RC4 is now blacklisted by default in the SSL/TLS layer, and excluded from the
default ciphersuite list returned by ssl_list_ciphersuites()
* Support for receiving SSLv2 ClientHello is now disabled by default at
compile time.
* The default authmode for SSL/TLS clients is now REQUIRED.
* Support for RSA_ALT contexts in the PK layer is now optional. Since is is
enabled in the default configuration, this is only noticeable if using a
custom config.h
* Default DHM parameters server-side upgraded from 1024 to 2048 bits.
* A minimum RSA key size of 2048 bits is now enforced during ceritificate
chain verification.
* Negotiation of truncated HMAC is now disabled by default on server too.
* The following functions are now case-sensitive:
mbedtls_cipher_info_from_string()
mbedtls_ecp_curve_info_from_name()
mbedtls_md_info_from_string()
mbedtls_ssl_ciphersuite_from_string()
mbedtls_version_check_feature()
Requirement changes
* The minimum MSVC version required is now 2010 (better C99 support).
* The NET layer now unconditionnaly relies on getaddrinfo() and select().
* Compiler is required to support C99 types such as long long and uint32_t.
API changes from the 1.4 preview branch
* ssl_set_bio_timeout() was removed, split into mbedtls_ssl_set_bio() with
new prototype, and mbedtls_ssl_set_read_timeout().
* The following functions now return void:
mbedtls_ssl_conf_transport()
mbedtls_ssl_conf_max_version()
mbedtls_ssl_conf_min_version()
* DTLS no longer hard-depends on TIMING_C, but uses a callback interface
instead, see mbedtls_ssl_set_timer_cb(), with the Timing module providing
an example implementation, see mbedtls_timing_delay_context and
mbedtls_timing_set/get_delay().
* With UDP sockets, it is no longer necessary to call net_bind() again
after a successful net_accept().
Changes
* mbedtls_ctr_drbg_random() and mbedtls_hmac_drbg_random() are now
thread-safe if MBEDTLS_THREADING_C is enabled.
* Reduced ROM fooprint of SHA-256 and added an option to reduce it even
more (at the expense of performance) MBEDTLS_SHA256_SMALLER.
= mbed TLS 1.3 branch
Security
* With authmode set to SSL_VERIFY_OPTIONAL, verification of keyUsage and
extendedKeyUsage on the leaf certificate was lost (results not accessible
via ssl_get_verify_results()).
* Add countermeasure against "Lucky 13 strikes back" cache-based attack,
https://dl.acm.org/citation.cfm?id=2714625
Features
* Improve ECC performance by using more efficient doubling formulas
(contributed by Peter Dettman).
* Add x509_crt_verify_info() to display certificate verification results.
* Add support for reading DH parameters with privateValueLength included
(contributed by Daniel Kahn Gillmor).
* Add support for bit strings in X.509 names (request by Fredrik Axelsson).
* Add support for id-at-uniqueIdentifier in X.509 names.
* Add support for overriding snprintf() (except on Windows) and exit() in
the platform layer.
* Add an option to use macros instead of function pointers in the platform
layer (helps get rid of unwanted references).
* Improved Makefiles for Windows targets by fixing library targets and making
cross-compilation easier (thanks to Alon Bar-Lev).
* The benchmark program also prints heap usage for public-key primitives
if POLARSSL_MEMORY_BUFFER_ALLOC_C and POLARSSL_MEMORY_DEBUG are defined.
* New script ecc-heap.sh helps measuring the impact of ECC parameters on
speed and RAM (heap only for now) usage.
* New script memory.sh helps measuring the ROM and RAM requirements of two
reduced configurations (PSK-CCM and NSA suite B).
* Add config flag POLARSSL_DEPRECATED_WARNING (off by default) to produce
warnings on use of deprecated functions (with GCC and Clang only).
* Add config flag POLARSSL_DEPRECATED_REMOVED (off by default) to produce
errors on use of deprecated functions.
Bugfix
* Fix compile errors with PLATFORM_NO_STD_FUNCTIONS.
* Fix compile error with PLATFORM_EXIT_ALT (thanks to Rafał Przywara).
* Fix bug in entropy.c when THREADING_C is also enabled that caused
entropy_free() to crash (thanks to Rafał Przywara).
* Fix memory leak when gcm_setkey() and ccm_setkey() are used more than
once on the same context.
* Fix bug in ssl_mail_client when password is longer that username (found
by Bruno Pape).
* Fix undefined behaviour (memcmp( NULL, NULL, 0 );) in X.509 modules
(detected by Clang's 3.6 UBSan).
* mpi_size() and mpi_msb() would segfault when called on an mpi that is
initialized but not set (found by pravic).
* Fix detection of support for getrandom() on Linux (reported by syzzer) by
doing it at runtime (using uname) rather that compile time.
* Fix handling of symlinks by "make install" (found by Gaël PORTAY).
* Fix potential NULL pointer dereference (not trigerrable remotely) when
ssl_write() is called before the handshake is finished (introduced in
1.3.10) (first reported by Martin Blumenstingl).
* Fix bug in pk_parse_key() that caused some valid private EC keys to be
rejected.
* Fix bug in Via Padlock support (found by Nikos Mavrogiannopoulos).
* Fix thread safety bug in RSA operations (found by Fredrik Axelsson).
* Fix hardclock() (only used in the benchmarking program) with some
versions of mingw64 (found by kxjhlele).
* Fix warnings from mingw64 in timing.c (found by kxjklele).
* Fix potential unintended sign extension in asn1_get_len() on 64-bit
platforms.
* Fix potential memory leak in ssl_set_psk() (found by Mansour Moufid).
* Fix compile error when POLARSSL_SSL_DISABLE_RENEGOTATION and
POLARSSL_SSL_SSESSION_TICKETS where both enabled in config.h (introduced
in 1.3.10).
* Add missing extern "C" guard in aesni.h (reported by amir zamani).
* Add missing dependency on SHA-256 in some x509 programs (reported by
Gergely Budai).
* Fix bug related to ssl_set_curves(): the client didn't check that the
curve picked by the server was actually allowed.
Changes
* Remove bias in mpi_gen_prime (contributed by Pascal Junod).
* Remove potential sources of timing variations (some contributed by Pascal
Junod).
* Options POLARSSL_HAVE_INT8 and POLARSSL_HAVE_INT16 are deprecated.
* Enabling POLARSSL_NET_C without POLARSSL_HAVE_IPV6 is deprecated.
* compat-1.2.h and openssl.h are deprecated.
* Adjusting/overriding CFLAGS and LDFLAGS with the make build system is now
more flexible (warning: OFLAGS is not used any more) (see the README)
(contributed by Alon Bar-Lev).
* ssl_set_own_cert() no longer calls pk_check_pair() since the
performance impact was bad for some users (this was introduced in 1.3.10).
* Move from SHA-1 to SHA-256 in example programs using signatures
(suggested by Thorsten Mühlfelder).
* Remove some unneeded inclusions of header files from the standard library
"minimize" others (eg use stddef.h if only size_t is needed).
* Change #include lines in test files to use double quotes instead of angle
brackets for uniformity with the rest of the code.
* Remove dependency on sscanf() in X.509 parsing modules.
= mbed TLS 1.3.10 released 2015-02-09
Security
* NULL pointer dereference in the buffer-based allocator when the buffer is
full and polarssl_free() is called (found by Mark Hasemeyer)
(only possible if POLARSSL_MEMORY_BUFFER_ALLOC_C is enabled, which it is
not by default).
* Fix remotely-triggerable uninitialised pointer dereference caused by
crafted X.509 certificate (TLS server is not affected if it doesn't ask for a
client certificate) (found using Codenomicon Defensics).
* Fix remotely-triggerable memory leak caused by crafted X.509 certificates
(TLS server is not affected if it doesn't ask for a client certificate)
(found using Codenomicon Defensics).
* Fix potential stack overflow while parsing crafted X.509 certificates
(TLS server is not affected if it doesn't ask for a client certificate)
(found using Codenomicon Defensics).
* Fix timing difference that could theoretically lead to a
Bleichenbacher-style attack in the RSA and RSA-PSK key exchanges
(reported by Sebastian Schinzel).
Features
* Add support for FALLBACK_SCSV (draft-ietf-tls-downgrade-scsv).
* Add support for Extended Master Secret (draft-ietf-tls-session-hash).
* Add support for Encrypt-then-MAC (RFC 7366).
* Add function pk_check_pair() to test if public and private keys match.
* Add x509_crl_parse_der().
* Add compile-time option POLARSSL_X509_MAX_INTERMEDIATE_CA to limit the
length of an X.509 verification chain.
* Support for renegotiation can now be disabled at compile-time
* Support for 1/n-1 record splitting, a countermeasure against BEAST.
* Certificate selection based on signature hash, preferring SHA-1 over SHA-2
for pre-1.2 clients when multiple certificates are available.
* Add support for getrandom() syscall on recent Linux kernels with Glibc or
a compatible enough libc (eg uClibc).
* Add ssl_set_arc4_support() to make it easier to disable RC4 at runtime
while using the default ciphersuite list.
* Added new error codes and debug messages about selection of
ciphersuite/certificate.
Bugfix
* Stack buffer overflow if ctr_drbg_update() is called with too large
add_len (found by Jean-Philippe Aumasson) (not triggerable remotely).
* Possible buffer overflow of length at most POLARSSL_MEMORY_ALIGN_MULTIPLE
if memory_buffer_alloc_init() was called with buf not aligned and len not
a multiple of POLARSSL_MEMORY_ALIGN_MULTIPLE (not triggerable remotely).
* User set CFLAGS were ignored by Cmake with gcc (introduced in 1.3.9, found
by Julian Ospald).
* Fix potential undefined behaviour in Camellia.
* Fix potential failure in ECDSA signatures when POLARSSL_ECP_MAX_BITS is a
multiple of 8 (found by Gergely Budai).
* Fix unchecked return code in x509_crt_parse_path() on Windows (found by
Peter Vaskovic).
* Fix assembly selection for MIPS64 (thanks to James Cowgill).
* ssl_get_verify_result() now works even if the handshake was aborted due
to a failed verification (found by Fredrik Axelsson).
* Skip writing and parsing signature_algorithm extension if none of the
key exchanges enabled needs certificates. This fixes a possible interop
issue with some servers when a zero-length extension was sent. (Reported
by Peter Dettman.)
* On a 0-length input, base64_encode() did not correctly set output length
(found by Hendrik van den Boogaard).
Changes
* Use deterministic nonces for AEAD ciphers in TLS by default (possible to
switch back to random with POLARSSL_SSL_AEAD_RANDOM_IV in config.h).
* Blind RSA private operations even when POLARSSL_RSA_NO_CRT is defined.
* ssl_set_own_cert() now returns an error on key-certificate mismatch.
* Forbid repeated extensions in X.509 certificates.
* debug_print_buf() now prints a text view in addition to hexadecimal.
* A specific error is now returned when there are ciphersuites in common
but none of them is usable due to external factors such as no certificate
with a suitable (extended)KeyUsage or curve or no PSK set.
* It is now possible to disable negotiation of truncated HMAC server-side
at runtime with ssl_set_truncated_hmac().
* Example programs for SSL client and server now disable SSLv3 by default.
* Example programs for SSL client and server now disable RC4 by default.
* Use platform.h in all test suites and programs.
= PolarSSL 1.3.9 released 2014-10-20
Security
* Lowest common hash was selected from signature_algorithms extension in
TLS 1.2 (found by Darren Bane) (introduced in 1.3.8).
* Remotely-triggerable memory leak when parsing some X.509 certificates
(server is not affected if it doesn't ask for a client certificate)
(found using Codenomicon Defensics).
* Remotely-triggerable memory leak when parsing crafted ClientHello
(not affected if ECC support was compiled out) (found using Codenomicon
Defensics).
Bugfix
* Support escaping of commas in x509_string_to_names()
* Fix compile error in ssl_pthread_server (found by Julian Ospald).
* Fix net_accept() regarding non-blocking sockets (found by Luca Pesce).
* Don't print uninitialised buffer in ssl_mail_client (found by Marc Abel).
* Fix warnings from Clang's scan-build (contributed by Alfred Klomp).
* Fix compile error in timing.c when POLARSSL_NET_C and POLARSSL_SELFTEST
are defined but not POLARSSL_HAVE_TIME (found by Stephane Di Vito).
* Remove non-existent file from VS projects (found by Peter Vaskovic).
* ssl_read() could return non-application data records on server while
renegotation was pending, and on client when a HelloRequest was received.
* Server-initiated renegotiation would fail with non-blocking I/O if the
write callback returned WANT_WRITE when requesting renegotiation.
* ssl_close_notify() could send more than one message in some circumstances
with non-blocking I/O.
* Fix compiler warnings on iOS (found by Sander Niemeijer).
* x509_crt_parse() did not increase total_failed on PEM error
* Fix compile error with armcc in mpi_is_prime()
* Fix potential bad read in parsing ServerHello (found by Adrien
Vialletelle).
Changes
* Ciphersuites using SHA-256 or SHA-384 now require TLS 1.x (there is no
standard defining how to use SHA-2 with SSL 3.0).
* Ciphersuites using RSA-PSK key exchange new require TLS 1.x (the spec is
ambiguous on how to encode some packets with SSL 3.0).
* Made buffer size in pk_write_(pub)key_pem() more dynamic, eg smaller if
RSA is disabled, larger if POLARSSL_MPI_MAX_SIZE is larger.
* ssl_read() now returns POLARSSL_ERR_NET_WANT_READ rather than
POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE on harmless alerts.
* POLARSSL_MPI_MAX_SIZE now defaults to 1024 in order to allow 8192 bits
RSA keys.
* Accept spaces at end of line or end of buffer in base64_decode().
* X.509 certificates with more than one AttributeTypeAndValue per
RelativeDistinguishedName are not accepted any more.
= PolarSSL 1.3.8 released 2014-07-11
Security
* Fix length checking for AEAD ciphersuites (found by Codenomicon).
It was possible to crash the server (and client) using crafted messages
when a GCM suite was chosen.
Features
* Add CCM module and cipher mode to Cipher Layer
* Support for CCM and CCM_8 ciphersuites
* Support for parsing and verifying RSASSA-PSS signatures in the X.509
modules (certificates, CRLs and CSRs).
* Blowfish in the cipher layer now supports variable length keys.
* Add example config.h for PSK with CCM, optimized for low RAM usage.
* Optimize for RAM usage in example config.h for NSA Suite B profile.
* Add POLARSSL_REMOVE_ARC4_CIPHERSUITES to allow removing RC4 ciphersuites
from the default list (inactive by default).
* Add server-side enforcement of sent renegotiation requests
(ssl_set_renegotiation_enforced())
* Add SSL_CIPHERSUITES config.h flag to allow specifying a list of
ciphersuites to use and save some memory if the list is small.
Changes
* Add LINK_WITH_PTHREAD option in CMake for explicit linking that is
required on some platforms (e.g. OpenBSD)
* Migrate zeroizing of data to polarssl_zeroize() instead of memset()
against unwanted compiler optimizations
* md_list() now returns hashes strongest first
* Selection of hash for signing ServerKeyExchange in TLS 1.2 now picks
strongest offered by client.
* All public contexts have _init() and _free() functions now for simpler
usage pattern
Bugfix
* Fix in debug_print_msg()
* Enforce alignment in the buffer allocator even if buffer is not aligned
* Remove less-than-zero checks on unsigned numbers
* Stricter check on SSL ClientHello internal sizes compared to actual packet
size (found by TrustInSoft)
* Fix WSAStartup() return value check (found by Peter Vaskovic)
* Other minor issues (found by Peter Vaskovic)
* Fix symlink command for cross compiling with CMake (found by Andre
Heinecke)
* Fix DER output of gen_key app (found by Gergely Budai)
* Very small records were incorrectly rejected when truncated HMAC was in
use with some ciphersuites and versions (RC4 in all versions, CBC with
versions < TLS 1.1).
* Very large records using more than 224 bytes of padding were incorrectly
rejected with CBC-based ciphersuites and TLS >= 1.1
* Very large records using less padding could cause a buffer overread of up
to 32 bytes with CBC-based ciphersuites and TLS >= 1.1
* Restore ability to use a v1 cert as a CA if trusted locally. (This had
been removed in 1.3.6.)
* Restore ability to locally trust a self-signed cert that is not a proper
CA for use as an end entity certificate. (This had been removed in
1.3.6.)
* Fix preprocessor checks for bn_mul PPC asm (found by Barry K. Nathan).
* Use \n\t rather than semicolons for bn_mul asm, since some assemblers
interpret semicolons as comment delimiters (found by Barry K. Nathan).
* Fix off-by-one error in parsing Supported Point Format extension that
caused some handshakes to fail.
* Fix possible miscomputation of the premaster secret with DHE-PSK key
exchange that caused some handshakes to fail with other implementations.
(Failure rate <= 1/255 with common DHM moduli.)
* Disable broken Sparc64 bn_mul assembly (found by Florian Obser).
* Fix base64_decode() to return and check length correctly (in case of
tight buffers)
* Fix mpi_write_string() to write "00" as hex output for empty MPI (found
by Hui Dong)
= PolarSSL 1.3.7 released on 2014-05-02
Features
* debug_set_log_mode() added to determine raw or full logging
* debug_set_threshold() added to ignore messages over threshold level
* version_check_feature() added to check for compile-time options at
run-time
Changes
* POLARSSL_CONFIG_OPTIONS has been removed. All values are individually
checked and filled in the relevant module headers
* Debug module only outputs full lines instead of parts
* Better support for the different Attribute Types from IETF PKIX (RFC 5280)
* AES-NI now compiles with "old" assemblers too
* Ciphersuites based on RC4 now have the lowest priority by default
Bugfix
* Only iterate over actual certificates in ssl_write_certificate_request()
(found by Matthew Page)
* Typos in platform.c and pkcs11.c (found by Daniel Phillips and Steffan
Karger)
* cert_write app should use subject of issuer certificate as issuer of cert
* Fix false reject in padding check in ssl_decrypt_buf() for CBC
ciphersuites, for full SSL frames of data.
* Improve interoperability by not writing extension length in ClientHello /
ServerHello when no extensions are present (found by Matthew Page)
* rsa_check_pubkey() now allows an E up to N
* On OpenBSD, use arc4random_buf() instead of rand() to prevent warnings
* mpi_fill_random() was creating numbers larger than requested on
big-endian platform when size was not an integer number of limbs
* Fix dependencies issues in X.509 test suite.
* Some parts of ssl_tls.c were compiled even when the module was disabled.
* Fix detection of DragonflyBSD in net.c (found by Markus Pfeiffer)
* Fix detection of Clang on some Apple platforms with CMake
(found by Barry K. Nathan)
= PolarSSL 1.3.6 released on 2014-04-11
Features
* Support for the ALPN SSL extension
* Add option 'use_dev_random' to gen_key application
* Enable verification of the keyUsage extension for CA and leaf
certificates (POLARSSL_X509_CHECK_KEY_USAGE)
* Enable verification of the extendedKeyUsage extension
(POLARSSL_X509_CHECK_EXTENDED_KEY_USAGE)
Changes
* x509_crt_info() now prints information about parsed extensions as well
* pk_verify() now returns a specific error code when the signature is valid
but shorter than the supplied length.
* Use UTC time to check certificate validity.
* Reject certificates with times not in UTC, per RFC 5280.
Security
* Avoid potential timing leak in ecdsa_sign() by blinding modular division.
(Found by Watson Ladd.)
* The notAfter date of some certificates was no longer checked since 1.3.5.
This affects certificates in the user-supplied chain except the top
certificate. If the user-supplied chain contains only one certificates,
it is not affected (ie, its notAfter date is properly checked).
* Prevent potential NULL pointer dereference in ssl_read_record() (found by
TrustInSoft)
Bugfix
* The length of various ClientKeyExchange messages was not properly checked.
* Some example server programs were not sending the close_notify alert.
* Potential memory leak in mpi_exp_mod() when error occurs during
calculation of RR.
* Fixed malloc/free default #define in platform.c (found by Gergely Budai).
* Fixed type which made POLARSSL_ENTROPY_FORCE_SHA256 uneffective (found by
Gergely Budai).
* Fix #include path in ecdsa.h which wasn't accepted by some compilers.
(found by Gergely Budai)
* Fix compile errors when POLARSSL_ERROR_STRERROR_BC is undefined (found by
Shuo Chen).
* oid_get_numeric_string() used to truncate the output without returning an
error if the output buffer was just 1 byte too small.
* dhm_parse_dhm() (hence dhm_parse_dhmfile()) did not set dhm->len.
* Calling pk_debug() on an RSA-alt key would segfault.
* pk_get_size() and pk_get_len() were off by a factor 8 for RSA-alt keys.
* Potential buffer overwrite in pem_write_buffer() because of low length
indication (found by Thijs Alkemade)
* EC curves constants, which should be only in ROM since 1.3.3, were also
stored in RAM due to missing 'const's (found by Gergely Budai).
= PolarSSL 1.3.5 released on 2014-03-26
Features
* HMAC-DRBG as a separate module
* Option to set the Curve preference order (disabled by default)
* Single Platform compatilibity layer (for memory / printf / fprintf)
* Ability to provide alternate timing implementation
* Ability to force the entropy module to use SHA-256 as its basis
(POLARSSL_ENTROPY_FORCE_SHA256)
* Testing script ssl-opt.sh added for testing 'live' ssl option
interoperability against OpenSSL and PolarSSL
* Support for reading EC keys that use SpecifiedECDomain in some cases.
* Entropy module now supports seed writing and reading
Changes
* Deprecated the Memory layer
* entropy_add_source(), entropy_update_manual() and entropy_gather()
now thread-safe if POLARSSL_THREADING_C defined
* Improvements to the CMake build system, contributed by Julian Ospald.
* Work around a bug of the version of Clang shipped by Apple with Mavericks
that prevented bignum.c from compiling. (Reported by Rafael Baptista.)
* Revamped the compat.sh interoperatibility script to include support for
testing against GnuTLS
* Deprecated ssl_set_own_cert_rsa() and ssl_set_own_cert_rsa_alt()
* Improvements to tests/Makefile, contributed by Oden Eriksson.
Security
* Forbid change of server certificate during renegotiation to prevent
"triple handshake" attack when authentication mode is 'optional' (the
attack was already impossible when authentication is required).
* Check notBefore timestamp of certificates and CRLs from the future.
* Forbid sequence number wrapping
* Fixed possible buffer overflow with overlong PSK
* Possible remotely-triggered out-of-bounds memory access fixed (found by
TrustInSoft)
Bugfix
* ecp_gen_keypair() does more tries to prevent failure because of
statistics
* Fixed bug in RSA PKCS#1 v1.5 "reversed" operations
* Fixed testing with out-of-source builds using cmake
* Fixed version-major intolerance in server
* Fixed CMake symlinking on out-of-source builds
* Fixed dependency issues in test suite
* Programs rsa_sign_pss and rsa_verify_pss were not using PSS since 1.3.0
* Bignum's MIPS-32 assembly was used on MIPS-64, causing chaos. (Found by
Alex Wilson.)
* ssl_cache was creating entries when max_entries=0 if TIMING_C was enabled.
* m_sleep() was sleeping twice too long on most Unix platforms.
* Fixed bug with session tickets and non-blocking I/O in the unlikely case
send() would return an EAGAIN error when sending the ticket.
* ssl_cache was leaking memory when reusing a timed out entry containing a
client certificate.
* ssl_srv was leaking memory when client presented a timed out ticket
containing a client certificate
* ssl_init() was leaving a dirty pointer in ssl_context if malloc of
out_ctr failed
* ssl_handshake_init() was leaving dirty pointers in subcontexts if malloc
of one of them failed
* Fix typo in rsa_copy() that impacted PKCS#1 v2 contexts
* x509_get_current_time() uses localtime_r() to prevent thread issues
= PolarSSL 1.3.4 released on 2014-01-27
Features
* Support for the Koblitz curves: secp192k1, secp224k1, secp256k1
* Support for RIPEMD-160
* Support for AES CFB8 mode
* Support for deterministic ECDSA (RFC 6979)
Bugfix
* Potential memory leak in bignum_selftest()
* Replaced expired test certificate
* ssl_mail_client now terminates lines with CRLF, instead of LF
* net module handles timeouts on blocking sockets better (found by Tilman
Sauerbeck)
* Assembly format fixes in bn_mul.h
Security
* Missing MPI_CHK calls added around unguarded mpi calls (found by
TrustInSoft)
= PolarSSL 1.3.3 released on 2013-12-31
Features
* EC key generation support in gen_key app
* Support for adhering to client ciphersuite order preference
(POLARSSL_SSL_SRV_RESPECT_CLIENT_PREFERENCE)
* Support for Curve25519
* Support for ECDH-RSA and ECDH-ECDSA key exchanges and ciphersuites
* Support for IPv6 in the NET module
* AES-NI support for AES, AES-GCM and AES key scheduling
* SSL Pthread-based server example added (ssl_pthread_server)
Changes
* gen_prime() speedup
* Speedup of ECP multiplication operation
* Relaxed some SHA2 ciphersuite's version requirements
* Dropped use of readdir_r() instead of readdir() with threading support
* More constant-time checks in the RSA module
* Split off curves from ecp.c into ecp_curves.c
* Curves are now stored fully in ROM
* Memory usage optimizations in ECP module
* Removed POLARSSL_THREADING_DUMMY
Bugfix
* Fixed bug in mpi_set_bit() on platforms where t_uint is wider than int
* Fixed X.509 hostname comparison (with non-regular characters)
* SSL now gracefully handles missing RNG
* Missing defines / cases for RSA_PSK key exchange
* crypt_and_hash app checks MAC before final decryption
* Potential memory leak in ssl_ticket_keys_init()
* Memory leak in benchmark application
* Fixed x509_crt_parse_path() bug on Windows platforms
* Added missing MPI_CHK() around some statements in mpi_div_mpi() (found by
TrustInSoft)
* Fixed potential overflow in certificate size verification in
ssl_write_certificate() (found by TrustInSoft)
Security
* Possible remotely-triggered out-of-bounds memory access fixed (found by
TrustInSoft)
= PolarSSL 1.3.2 released on 2013-11-04
Features
* PK tests added to test framework
* Added optional optimization for NIST MODP curves (POLARSSL_ECP_NIST_OPTIM)
* Support for Camellia-GCM mode and ciphersuites
Changes
* Padding checks in cipher layer are now constant-time
* Value comparisons in SSL layer are now constant-time
* Support for serialNumber, postalAddress and postalCode in X509 names
* SSL Renegotiation was refactored
Bugfix
* More stringent checks in cipher layer
* Server does not send out extensions not advertised by client
* Prevent possible alignment warnings on casting from char * to 'aligned *'
* Misc fixes and additions to dependency checks
* Const correctness
* cert_write with selfsign should use issuer_name as subject_name
* Fix ECDSA corner case: missing reduction mod N (found by DualTachyon)
* Defines to handle UEFI environment under MSVC
* Server-side initiated renegotiations send HelloRequest
= PolarSSL 1.3.1 released on 2013-10-15
Features
* Support for Brainpool curves and TLS ciphersuites (RFC 7027)
* Support for ECDHE-PSK key-exchange and ciphersuites
* Support for RSA-PSK key-exchange and ciphersuites
Changes
* RSA blinding locks for a smaller amount of time
* TLS compression only allocates working buffer once
* Introduced POLARSSL_HAVE_READDIR_R for systems without it
* config.h is more script-friendly
Bugfix
* Missing MSVC defines added
* Compile errors with POLARSSL_RSA_NO_CRT
* Header files with 'polarssl/'
* Const correctness
* Possible naming collision in dhm_context
* Better support for MSVC
* threading_set_alt() name
* Added missing x509write_crt_set_version()
= PolarSSL 1.3.0 released on 2013-10-01
Features
* Elliptic Curve Cryptography module added
* Elliptic Curve Diffie Hellman module added
* Ephemeral Elliptic Curve Diffie Hellman support for SSL/TLS
(ECDHE-based ciphersuites)
* Ephemeral Elliptic Curve Digital Signature Algorithm support for SSL/TLS
(ECDSA-based ciphersuites)
* Ability to specify allowed ciphersuites based on the protocol version.
* PSK and DHE-PSK based ciphersuites added
* Memory allocation abstraction layer added
* Buffer-based memory allocator added (no malloc() / free() / HEAP usage)
* Threading abstraction layer added (dummy / pthread / alternate)
* Public Key abstraction layer added
* Parsing Elliptic Curve keys
* Parsing Elliptic Curve certificates
* Support for max_fragment_length extension (RFC 6066)
* Support for truncated_hmac extension (RFC 6066)
* Support for zeros-and-length (ANSI X.923) padding, one-and-zeros
(ISO/IEC 7816-4) padding and zero padding in the cipher layer
* Support for session tickets (RFC 5077)
* Certificate Request (CSR) generation with extensions (key_usage,
ns_cert_type)
* X509 Certificate writing with extensions (basic_constraints,
issuer_key_identifier, etc)
* Optional blinding for RSA, DHM and EC
* Support for multiple active certificate / key pairs in SSL servers for
the same host (Not to be confused with SNI!)
Changes
* Ability to enable / disable SSL v3 / TLS 1.0 / TLS 1.1 / TLS 1.2
individually
* Introduced separate SSL Ciphersuites module that is based on
Cipher and MD information
* Internals for SSL module adapted to have separate IV pointer that is
dynamically set (Better support for hardware acceleration)
* Moved all OID functionality to a separate module. RSA function
prototypes for the RSA sign and verify functions changed as a result
* Split up the GCM module into a starts/update/finish cycle
* Client and server now filter sent and accepted ciphersuites on minimum
and maximum protocol version
* Ability to disable server_name extension (RFC 6066)
* Renamed error_strerror() to the less conflicting polarssl_strerror()
(Ability to keep old as well with POLARSSL_ERROR_STRERROR_BC)
* SHA2 renamed to SHA256, SHA4 renamed to SHA512 and functions accordingly
* All RSA operations require a random generator for blinding purposes
* X509 core refactored
* x509_crt_verify() now case insensitive for cn (RFC 6125 6.4)
* Also compiles / runs without time-based functions (!POLARSSL_HAVE_TIME)
* Support faulty X509 v1 certificates with extensions
(POLARSSL_X509_ALLOW_EXTENSIONS_NON_V3)
Bugfix
* Fixed parse error in ssl_parse_certificate_request()
* zlib compression/decompression skipped on empty blocks
* Support for AIX header locations in net.c module
* Fixed file descriptor leaks
Security
* RSA blinding on CRT operations to counter timing attacks
(found by Cyril Arnaud and Pierre-Alain Fouque)
= Version 1.2.14 released 2015-05-??
Security
* Fix potential invalid memory read in the server, that allows a client to
crash it remotely (found by Caj Larsson).
* Fix potential invalid memory read in certificate parsing, that allows a
client to crash the server remotely if client authentication is enabled
(found using Codenomicon Defensics).
* Add countermeasure against "Lucky 13 strikes back" cache-based attack,
https://dl.acm.org/citation.cfm?id=2714625
Bugfix
* Fix bug in Via Padlock support (found by Nikos Mavrogiannopoulos).
* Fix hardclock() (only used in the benchmarking program) with some
versions of mingw64 (found by kxjhlele).
* Fix warnings from mingw64 in timing.c (found by kxjklele).
* Fix potential unintended sign extension in asn1_get_len() on 64-bit
platforms (found with Coverity Scan).
= Version 1.2.13 released 2015-02-16
Note: Although PolarSSL has been renamed to mbed TLS, no changes reflecting
this will be made in the 1.2 branch at this point.
Security
* Fix remotely-triggerable uninitialised pointer dereference caused by
crafted X.509 certificate (TLS server is not affected if it doesn't ask
for a client certificate) (found using Codenomicon Defensics).
* Fix remotely-triggerable memory leak caused by crafted X.509 certificates
(TLS server is not affected if it doesn't ask for a client certificate)
(found using Codenomicon Defensics).
* Fix potential stack overflow while parsing crafted X.509 certificates
(TLS server is not affected if it doesn't ask for a client certificate)
found using Codenomicon Defensics).
* Fix buffer overread of size 1 when parsing crafted X.509 certificates
(TLS server is not affected if it doesn't ask for a client certificate).
Bugfix
* Fix potential undefined behaviour in Camellia.
* Fix memory leaks in PKCS#5 and PKCS#12.
* Stack buffer overflow if ctr_drbg_update() is called with too large
add_len (found by Jean-Philippe Aumasson) (not triggerable remotely).
* Fix bug in MPI/bignum on s390/s390x (reported by Dan Horák) (introduced
in 1.2.12).
* Fix unchecked return code in x509_crt_parse_path() on Windows (found by
Peter Vaskovic).
* Fix assembly selection for MIPS64 (thanks to James Cowgill).
* ssl_get_verify_result() now works even if the handshake was aborted due
to a failed verification (found by Fredrik Axelsson).
* Skip writing and parsing signature_algorithm extension if none of the
key exchanges enabled needs certificates. This fixes a possible interop
issue with some servers when a zero-length extension was sent. (Reported
by Peter Dettman.)
* On a 0-length input, base64_encode() did not correctly set output length
(found by Hendrik van den Boogaard).
Changes
* Blind RSA private operations even when POLARSSL_RSA_NO_CRT is defined.
* Forbid repeated extensions in X.509 certificates.
* Add compile-time option POLARSSL_X509_MAX_INTERMEDIATE_CA to limit the
length of an X.509 verification chain (default = 8).
= Version 1.2.12 released 2014-10-24
Security
* Remotely-triggerable memory leak when parsing some X.509 certificates
(server is not affected if it doesn't ask for a client certificate).
(Found using Codenomicon Defensics.)
Bugfix
* Fix potential bad read in parsing ServerHello (found by Adrien
Vialletelle).
* ssl_close_notify() could send more than one message in some circumstances
with non-blocking I/O.
* x509_crt_parse() did not increase total_failed on PEM error
* Fix compiler warnings on iOS (found by Sander Niemeijer).
* Don't print uninitialised buffer in ssl_mail_client (found by Marc Abel).
* Fix net_accept() regarding non-blocking sockets (found by Luca Pesce).
* ssl_read() could return non-application data records on server while
renegotation was pending, and on client when a HelloRequest was received.
* Fix warnings from Clang's scan-build (contributed by Alfred Klomp).
Changes
* X.509 certificates with more than one AttributeTypeAndValue per
RelativeDistinguishedName are not accepted any more.
* ssl_read() now returns POLARSSL_ERR_NET_WANT_READ rather than
POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE on harmless alerts.
* Accept spaces at end of line or end of buffer in base64_decode().
= Version 1.2.11 released 2014-07-11
Features
* Entropy module now supports seed writing and reading
Changes
* Introduced POLARSSL_HAVE_READDIR_R for systems without it
* Improvements to the CMake build system, contributed by Julian Ospald.
* Work around a bug of the version of Clang shipped by Apple with Mavericks
that prevented bignum.c from compiling. (Reported by Rafael Baptista.)
* Improvements to tests/Makefile, contributed by Oden Eriksson.
* Use UTC time to check certificate validity.
* Reject certificates with times not in UTC, per RFC 5280.
* Migrate zeroizing of data to polarssl_zeroize() instead of memset()
against unwanted compiler optimizations
Security
* Forbid change of server certificate during renegotiation to prevent
"triple handshake" attack when authentication mode is optional (the
attack was already impossible when authentication is required).
* Check notBefore timestamp of certificates and CRLs from the future.
* Forbid sequence number wrapping
* Prevent potential NULL pointer dereference in ssl_read_record() (found by
TrustInSoft)
* Fix length checking for AEAD ciphersuites (found by Codenomicon).
It was possible to crash the server (and client) using crafted messages
when a GCM suite was chosen.
Bugfix
* Fixed X.509 hostname comparison (with non-regular characters)
* SSL now gracefully handles missing RNG
* crypt_and_hash app checks MAC before final decryption
* Fixed x509_crt_parse_path() bug on Windows platforms
* Added missing MPI_CHK() around some statements in mpi_div_mpi() (found by
TrustInSoft)
* Fixed potential overflow in certificate size verification in
ssl_write_certificate() (found by TrustInSoft)
* Fix ASM format in bn_mul.h
* Potential memory leak in bignum_selftest()
* Replaced expired test certificate
* ssl_mail_client now terminates lines with CRLF, instead of LF
* Fix bug in RSA PKCS#1 v1.5 "reversed" operations
* Fixed testing with out-of-source builds using cmake
* Fixed version-major intolerance in server
* Fixed CMake symlinking on out-of-source builds
* Bignum's MIPS-32 assembly was used on MIPS-64, causing chaos. (Found by
Alex Wilson.)
* ssl_init() was leaving a dirty pointer in ssl_context if malloc of
out_ctr failed
* ssl_handshake_init() was leaving dirty pointers in subcontexts if malloc
of one of them failed
* x509_get_current_time() uses localtime_r() to prevent thread issues
* Some example server programs were not sending the close_notify alert.
* Potential memory leak in mpi_exp_mod() when error occurs during
calculation of RR.
* Improve interoperability by not writing extension length in ClientHello
when no extensions are present (found by Matthew Page)
* rsa_check_pubkey() now allows an E up to N
* On OpenBSD, use arc4random_buf() instead of rand() to prevent warnings
* mpi_fill_random() was creating numbers larger than requested on
big-endian platform when size was not an integer number of limbs
* Fix detection of DragonflyBSD in net.c (found by Markus Pfeiffer)
* Stricter check on SSL ClientHello internal sizes compared to actual packet
size (found by TrustInSoft)
* Fix preprocessor checks for bn_mul PPC asm (found by Barry K. Nathan).
* Use \n\t rather than semicolons for bn_mul asm, since some assemblers
interpret semicolons as comment delimiters (found by Barry K. Nathan).
* Disable broken Sparc64 bn_mul assembly (found by Florian Obser).
* Fix base64_decode() to return and check length correctly (in case of
tight buffers)
= Version 1.2.10 released 2013-10-07
Changes
* Changed RSA blinding to a slower but thread-safe version
Bugfix
* Fixed memory leak in RSA as a result of introduction of blinding
* Fixed ssl_pkcs11_decrypt() prototype
* Fixed MSVC project files
= Version 1.2.9 released 2013-10-01
Changes
* x509_verify() now case insensitive for cn (RFC 6125 6.4)
Bugfix
* Fixed potential memory leak when failing to resume a session
* Fixed potential file descriptor leaks (found by Remi Gacogne)
* Minor fixes
Security
* Fixed potential heap buffer overflow on large hostname setting
* Fixed potential negative value misinterpretation in load_file()
* RSA blinding on CRT operations to counter timing attacks
(found by Cyril Arnaud and Pierre-Alain Fouque)
= Version 1.2.8 released 2013-06-19
Features
* Parsing of PKCS#8 encrypted private key files
* PKCS#12 PBE and derivation functions
* Centralized module option values in config.h to allow user-defined
settings without editing header files by using POLARSSL_CONFIG_OPTIONS
Changes
* HAVEGE random generator disabled by default
* Internally split up x509parse_key() into a (PEM) handler function
and specific DER parser functions for the PKCS#1 and unencrypted
PKCS#8 private key formats
* Added mechanism to provide alternative implementations for all
symmetric cipher and hash algorithms (e.g. POLARSSL_AES_ALT in
config.h)
* PKCS#5 module added. Moved PBKDF2 functionality inside and deprecated
old PBKDF2 module
Bugfix
* Secure renegotiation extension should only be sent in case client
supports secure renegotiation
* Fixed offset for cert_type list in ssl_parse_certificate_request()
* Fixed const correctness issues that have no impact on the ABI
* x509parse_crt() now better handles PEM error situations
* ssl_parse_certificate() now calls x509parse_crt_der() directly
instead of the x509parse_crt() wrapper that can also parse PEM
certificates
* x509parse_crtpath() is now reentrant and uses more portable stat()
* Fixed bignum.c and bn_mul.h to support Thumb2 and LLVM compiler
* Fixed values for 2-key Triple DES in cipher layer
* ssl_write_certificate_request() can handle empty ca_chain
Security
* A possible DoS during the SSL Handshake, due to faulty parsing of
PEM-encoded certificates has been fixed (found by Jack Lloyd)
= Version 1.2.7 released 2013-04-13
Features
* Ability to specify allowed ciphersuites based on the protocol version.
Changes
* Default Blowfish keysize is now 128-bits
* Test suites made smaller to accommodate Raspberry Pi
Bugfix
* Fix for MPI assembly for ARM
* GCM adapted to support sizes > 2^29
= Version 1.2.6 released 2013-03-11
Bugfix
* Fixed memory leak in ssl_free() and ssl_reset() for active session
* Corrected GCM counter incrementation to use only 32-bits instead of
128-bits (found by Yawning Angel)
* Fixes for 64-bit compilation with MS Visual Studio
* Fixed net_bind() for specified IP addresses on little endian systems
* Fixed assembly code for ARM (Thumb and regular) for some compilers
Changes
* Internally split up rsa_pkcs1_encrypt(), rsa_pkcs1_decrypt(),
rsa_pkcs1_sign() and rsa_pkcs1_verify() to separate PKCS#1 v1.5 and
PKCS#1 v2.1 functions
* Added support for custom labels when using rsa_rsaes_oaep_encrypt()
or rsa_rsaes_oaep_decrypt()
* Re-added handling for SSLv2 Client Hello when the define
POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO is set
* The SSL session cache module (ssl_cache) now also retains peer_cert
information (not the entire chain)
Security
* Removed further timing differences during SSL message decryption in
ssl_decrypt_buf()
* Removed timing differences due to bad padding from
rsa_rsaes_pkcs1_v15_decrypt() and rsa_pkcs1_decrypt() for PKCS#1 v1.5
operations
= Version 1.2.5 released 2013-02-02
Changes
* Allow enabling of dummy error_strerror() to support some use-cases
* Debug messages about padding errors during SSL message decryption are
disabled by default and can be enabled with POLARSSL_SSL_DEBUG_ALL
* Sending of security-relevant alert messages that do not break
interoperability can be switched on/off with the flag
POLARSSL_SSL_ALL_ALERT_MESSAGES
Security
* Removed timing differences during SSL message decryption in
ssl_decrypt_buf() due to badly formatted padding
= Version 1.2.4 released 2013-01-25
Changes
* More advanced SSL ciphersuite representation and moved to more dynamic
SSL core
* Added ssl_handshake_step() to allow single stepping the handshake process
Bugfix
* Memory leak when using RSA_PKCS_V21 operations fixed
* Handle future version properly in ssl_write_certificate_request()
* Correctly handle CertificateRequest message in client for <= TLS 1.1
without DN list
= Version 1.2.3 released 2012-11-26
Bugfix
* Server not always sending correct CertificateRequest message
= Version 1.2.2 released 2012-11-24
Changes
* Added p_hw_data to ssl_context for context specific hardware acceleration
data
* During verify trust-CA is only checked for expiration and CRL presence
Bugfixes
* Fixed client authentication compatibility
* Fixed dependency on POLARSSL_SHA4_C in SSL modules
= Version 1.2.1 released 2012-11-20
Changes
* Depth that the certificate verify callback receives is now numbered
bottom-up (Peer cert depth is 0)
Bugfixes
* Fixes for MSVC6
* Moved mpi_inv_mod() outside POLARSSL_GENPRIME
* Allow R and A to point to same mpi in mpi_div_mpi (found by Manuel
Pégourié-Gonnard)
* Fixed possible segfault in mpi_shift_r() (found by Manuel
Pégourié-Gonnard)
* Added max length check for rsa_pkcs1_sign with PKCS#1 v2.1
= Version 1.2.0 released 2012-10-31
Features
* Added support for NULL cipher (POLARSSL_CIPHER_NULL_CIPHER) and weak
ciphersuites (POLARSSL_ENABLE_WEAK_CIPHERSUITES). They are disabled by
default!
* Added support for wildcard certificates
* Added support for multi-domain certificates through the X509 Subject
Alternative Name extension
* Added preliminary ASN.1 buffer writing support
* Added preliminary X509 Certificate Request writing support
* Added key_app_writer example application
* Added cert_req example application
* Added base Galois Counter Mode (GCM) for AES
* Added TLS 1.2 support (RFC 5246)
* Added GCM suites to TLS 1.2 (RFC 5288)
* Added commandline error code convertor (util/strerror)
* Added support for Hardware Acceleration hooking in SSL/TLS
* Added OpenSSL / PolarSSL compatibility script (tests/compat.sh) and
example application (programs/ssl/o_p_test) (requires OpenSSL)
* Added X509 CA Path support
* Added Thumb assembly optimizations
* Added DEFLATE compression support as per RFC3749 (requires zlib)
* Added blowfish algorithm (Generic and cipher layer)
* Added PKCS#5 PBKDF2 key derivation function
* Added Secure Renegotiation (RFC 5746)
* Added predefined DHM groups from RFC 5114
* Added simple SSL session cache implementation
* Added ServerName extension parsing (SNI) at server side
* Added option to add minimum accepted SSL/TLS protocol version
Changes
* Removed redundant POLARSSL_DEBUG_MSG define
* AES code only check for Padlock once
* Fixed const-correctness mpi_get_bit()
* Documentation for mpi_lsb() and mpi_msb()
* Moved out_msg to out_hdr + 32 to support hardware acceleration
* Changed certificate verify behaviour to comply with RFC 6125 section 6.3
to not match CN if subjectAltName extension is present (Closes ticket #56)
* Cipher layer cipher_mode_t POLARSSL_MODE_CFB128 is renamed to
POLARSSL_MODE_CFB, to also handle different block size CFB modes.
* Removed handling for SSLv2 Client Hello (as per RFC 5246 recommendation)
* Revamped session resumption handling
* Generalized external private key implementation handling (like PKCS#11)
in SSL/TLS
* Revamped x509_verify() and the SSL f_vrfy callback implementations
* Moved from unsigned long to fixed width uint32_t types throughout code
* Renamed ciphersuites naming scheme to IANA reserved names
Bugfix
* Fixed handling error in mpi_cmp_mpi() on longer B values (found by
Hui Dong)
* Fixed potential heap corruption in x509_name allocation
* Fixed single RSA test that failed on Big Endian systems (Closes ticket #54)
* mpi_exp_mod() now correctly handles negative base numbers (Closes ticket
#52)
* Handle encryption with private key and decryption with public key as per
RFC 2313
* Handle empty certificate subject names
* Prevent reading over buffer boundaries on X509 certificate parsing
* mpi_add_abs() now correctly handles adding short numbers to long numbers
with carry rollover (found by Ruslan Yushchenko)
* Handle existence of OpenSSL Trust Extensions at end of X.509 DER blob
* Fixed MPI assembly for SPARC64 platform
Security
* Fixed potential memory zeroization on miscrafted RSA key (found by Eloi
Vanderbeken)
= Version 1.1.8 released on 2013-10-01
Bugfix
* Fixed potential memory leak when failing to resume a session
* Fixed potential file descriptor leaks
Security
* Potential buffer-overflow for ssl_read_record() (independently found by
both TrustInSoft and Paul Brodeur of Leviathan Security Group)
* Potential negative value misinterpretation in load_file()
* Potential heap buffer overflow on large hostname setting
= Version 1.1.7 released on 2013-06-19
Changes
* HAVEGE random generator disabled by default
Bugfix
* x509parse_crt() now better handles PEM error situations
* ssl_parse_certificate() now calls x509parse_crt_der() directly
instead of the x509parse_crt() wrapper that can also parse PEM
certificates
* Fixed values for 2-key Triple DES in cipher layer
* ssl_write_certificate_request() can handle empty ca_chain
Security
* A possible DoS during the SSL Handshake, due to faulty parsing of
PEM-encoded certificates has been fixed (found by Jack Lloyd)
= Version 1.1.6 released on 2013-03-11
Bugfix
* Fixed net_bind() for specified IP addresses on little endian systems
Changes
* Allow enabling of dummy error_strerror() to support some use-cases
* Debug messages about padding errors during SSL message decryption are
disabled by default and can be enabled with POLARSSL_SSL_DEBUG_ALL
Security
* Removed timing differences during SSL message decryption in
ssl_decrypt_buf()
* Removed timing differences due to bad padding from
rsa_rsaes_pkcs1_v15_decrypt() and rsa_pkcs1_decrypt() for PKCS#1 v1.5
operations
= Version 1.1.5 released on 2013-01-16
Bugfix
* Fixed MPI assembly for SPARC64 platform
* Handle existence of OpenSSL Trust Extensions at end of X.509 DER blob
* mpi_add_abs() now correctly handles adding short numbers to long numbers
with carry rollover
* Moved mpi_inv_mod() outside POLARSSL_GENPRIME
* Prevent reading over buffer boundaries on X509 certificate parsing
* mpi_exp_mod() now correctly handles negative base numbers (Closes ticket
#52)
* Fixed possible segfault in mpi_shift_r() (found by Manuel
Pégourié-Gonnard)
* Allow R and A to point to same mpi in mpi_div_mpi (found by Manuel
Pégourié-Gonnard)
* Added max length check for rsa_pkcs1_sign with PKCS#1 v2.1
* Memory leak when using RSA_PKCS_V21 operations fixed
* Handle encryption with private key and decryption with public key as per
RFC 2313
* Fixes for MSVC6
Security
* Fixed potential memory zeroization on miscrafted RSA key (found by Eloi
Vanderbeken)
= Version 1.1.4 released on 2012-05-31
Bugfix
* Correctly handle empty SSL/TLS packets (Found by James Yonan)
* Fixed potential heap corruption in x509_name allocation
* Fixed single RSA test that failed on Big Endian systems (Closes ticket #54)
= Version 1.1.3 released on 2012-04-29
Bugfix
* Fixed random MPI generation to not generate more size than requested.
= Version 1.1.2 released on 2012-04-26
Bugfix
* Fixed handling error in mpi_cmp_mpi() on longer B values (found by
Hui Dong)
Security
* Fixed potential memory corruption on miscrafted client messages (found by
Frama-C team at CEA LIST)
* Fixed generation of DHM parameters to correct length (found by Ruslan
Yushchenko)
= Version 1.1.1 released on 2012-01-23
Bugfix
* Check for failed malloc() in ssl_set_hostname() and x509_get_entries()
(Closes ticket #47, found by Hugo Leisink)
* Fixed issues with Intel compiler on 64-bit systems (Closes ticket #50)
* Fixed multiple compiler warnings for VS6 and armcc
* Fixed bug in CTR_CRBG selftest
= Version 1.1.0 released on 2011-12-22
Features
* Added ssl_session_reset() to allow better multi-connection pools of
SSL contexts without needing to set all non-connection-specific
data and pointers again. Adapted ssl_server to use this functionality.
* Added ssl_set_max_version() to allow clients to offer a lower maximum
supported version to a server to help buggy server implementations.
(Closes ticket #36)
* Added cipher_get_cipher_mode() and cipher_get_cipher_operation()
introspection functions (Closes ticket #40)
* Added CTR_DRBG based on AES-256-CTR (NIST SP 800-90) random generator
* Added a generic entropy accumulator that provides support for adding
custom entropy sources and added some generic and platform dependent
entropy sources
Changes
* Documentation for AES and Camellia in modes CTR and CFB128 clarified.
* Fixed rsa_encrypt and rsa_decrypt examples to use public key for
encryption and private key for decryption. (Closes ticket #34)
* Inceased maximum size of ASN1 length reads to 32-bits.
* Added an EXPLICIT tag number parameter to x509_get_ext()
* Added a separate CRL entry extension parsing function
* Separated the ASN.1 parsing code from the X.509 specific parsing code.
So now there is a module that is controlled with POLARSSL_ASN1_PARSE_C.
* Changed the defined key-length of DES ciphers in cipher.h to include the
parity bits, to prevent mistakes in copying data. (Closes ticket #33)
* Loads of minimal changes to better support WINCE as a build target
(Credits go to Marco Lizza)
* Added POLARSSL_MPI_WINDOW_SIZE definition to allow easier time to memory
trade-off
* Introduced POLARSSL_MPI_MAX_SIZE and POLARSSL_MPI_MAX_BITS for MPI size
management (Closes ticket #44)
* Changed the used random function pointer to more flexible format. Renamed
havege_rand() to havege_random() to prevent mistakes. Lots of changes as
a consequence in library code and programs
* Moved all examples programs to use the new entropy and CTR_DRBG
* Added permissive certificate parsing to x509parse_crt() and
x509parse_crtfile(). With permissive parsing the parsing does not stop on
encountering a parse-error. Beware that the meaning of return values has
changed!
* All error codes are now negative. Even on mermory failures and IO errors.
Bugfix
* Fixed faulty HMAC-MD2 implementation. Found by dibac. (Closes
ticket #37)
* Fixed a bug where the CRL parser expected an EXPLICIT ASN.1 tag
before version numbers
* Allowed X509 key usage parsing to accept 4 byte values instead of the
standard 1 byte version sometimes used by Microsoft. (Closes ticket #38)
* Fixed incorrect behaviour in case of RSASSA-PSS with a salt length
smaller than the hash length. (Closes ticket #41)
* If certificate serial is longer than 32 octets, serial number is now
appended with '....' after first 28 octets
* Improved build support for s390x and sparc64 in bignum.h
* Fixed MS Visual C++ name clash with int64 in sha4.h
* Corrected removal of leading "00:" in printing serial numbers in
certificates and CRLs
= Version 1.0.0 released on 2011-07-27
Features
* Expanded cipher layer with support for CFB128 and CTR mode
* Added rsa_encrypt and rsa_decrypt simple example programs.
Changes
* The generic cipher and message digest layer now have normal error
codes instead of integers
Bugfix
* Undid faulty bug fix in ssl_write() when flushing old data (Ticket
#18)
= Version 0.99-pre5 released on 2011-05-26
Features
* Added additional Cipher Block Modes to symmetric ciphers
(AES CTR, Camellia CTR, XTEA CBC) including the option to
enable and disable individual modes when needed
* Functions requiring File System functions can now be disabled
by undefining POLARSSL_FS_IO
* A error_strerror function() has been added to translate between
error codes and their description.
* Added mpi_get_bit() and mpi_set_bit() individual bit setter/getter
functions.
* Added ssl_mail_client and ssl_fork_server as example programs.
Changes
* Major argument / variable rewrite. Introduced use of size_t
instead of int for buffer lengths and loop variables for
better unsigned / signed use. Renamed internal bigint types
t_int and t_dbl to t_uint and t_udbl in the process
* mpi_init() and mpi_free() now only accept a single MPI
argument and do not accept variable argument lists anymore.
* The error codes have been remapped and combining error codes
is now done with a PLUS instead of an OR as error codes
used are negative.
* Changed behaviour of net_read(), ssl_fetch_input() and ssl_recv().
net_recv() now returns 0 on EOF instead of
POLARSSL_ERR_NET_CONN_RESET. ssl_fetch_input() returns
POLARSSL_ERR_SSL_CONN_EOF on an EOF from its f_recv() function.
ssl_read() returns 0 if a POLARSSL_ERR_SSL_CONN_EOF is received
after the handshake.
* Network functions now return POLARSSL_ERR_NET_WANT_READ or
POLARSSL_ERR_NET_WANT_WRITE instead of the ambiguous
POLARSSL_ERR_NET_TRY_AGAIN
= Version 0.99-pre4 released on 2011-04-01
Features
* Added support for PKCS#1 v2.1 encoding and thus support
for the RSAES-OAEP and RSASSA-PSS operations.
* Reading of Public Key files incorporated into default x509
functionality as well.
* Added mpi_fill_random() for centralized filling of big numbers
with random data (Fixed ticket #10)
Changes
* Debug print of MPI now removes leading zero octets and
displays actual bit size of the value.
* x509parse_key() (and as a consequence x509parse_keyfile())
does not zeroize memory in advance anymore. Use rsa_init()
before parsing a key or keyfile!
Bugfix
* Debug output of MPI's now the same independent of underlying
platform (32-bit / 64-bit) (Fixes ticket #19, found by Mads
Kiilerich and Mihai Militaru)
* Fixed bug in ssl_write() when flushing old data (Fixed ticket
#18, found by Nikolay Epifanov)
* Fixed proper handling of RSASSA-PSS verification with variable
length salt lengths
= Version 0.99-pre3 released on 2011-02-28
This release replaces version 0.99-pre2 which had possible copyright issues.
Features
* Parsing PEM private keys encrypted with DES and AES
are now supported as well (Fixes ticket #5)
* Added crl_app program to allow easy reading and
printing of X509 CRLs from file
Changes
* Parsing of PEM files moved to separate module (Fixes
ticket #13). Also possible to remove PEM support for
systems only using DER encoding
Bugfixes
* Corrected parsing of UTCTime dates before 1990 and
after 1950
* Support more exotic OID's when parsing certificates
(found by Mads Kiilerich)
* Support more exotic name representations when parsing
certificates (found by Mads Kiilerich)
* Replaced the expired test certificates
* Do not bail out if no client certificate specified. Try
to negotiate anonymous connection (Fixes ticket #12,
found by Boris Krasnovskiy)
Security fixes
* Fixed a possible Man-in-the-Middle attack on the
Diffie Hellman key exchange (thanks to Larry Highsmith,
Subreption LLC)
= Version 0.99-pre1 released on 2011-01-30
Features
Note: Most of these features have been donated by Fox-IT
* Added Doxygen source code documentation parts
* Added reading of DHM context from memory and file
* Improved X509 certificate parsing to include extended
certificate fields, including Key Usage
* Improved certificate verification and verification
against the available CRLs
* Detection for DES weak keys and parity bits added
* Improvements to support integration in other
applications:
+ Added generic message digest and cipher wrapper
+ Improved information about current capabilities,
status, objects and configuration
+ Added verification callback on certificate chain
verification to allow external blacklisting
+ Additional example programs to show usage
* Added support for PKCS#11 through the use of the
libpkcs11-helper library
Changes
* x509parse_time_expired() checks time in addition to
the existing date check
* The ciphers member of ssl_context and the cipher member
of ssl_session have been renamed to ciphersuites and
ciphersuite respectively. This clarifies the difference
with the generic cipher layer and is better naming
altogether
= Version 0.14.0 released on 2010-08-16
Features
* Added support for SSL_EDH_RSA_AES_128_SHA and
SSL_EDH_RSA_CAMELLIA_128_SHA ciphersuites
* Added compile-time and run-time version information
* Expanded ssl_client2 arguments for more flexibility
* Added support for TLS v1.1
Changes
* Made Makefile cleaner
* Removed dependency on rand() in rsa_pkcs1_encrypt().
Now using random fuction provided to function and
changed the prototype of rsa_pkcs1_encrypt(),
rsa_init() and rsa_gen_key().
* Some SSL defines were renamed in order to avoid
future confusion
Bug fixes
* Fixed CMake out of source build for tests (found by
kkert)
* rsa_check_private() now supports PKCS1v2 keys as well
* Fixed deadlock in rsa_pkcs1_encrypt() on failing random
generator
= Version 0.13.1 released on 2010-03-24
Bug fixes
* Fixed Makefile in library that was mistakenly merged
* Added missing const string fixes
= Version 0.13.0 released on 2010-03-21
Features
* Added option parsing for host and port selection to
ssl_client2
* Added support for GeneralizedTime in X509 parsing
* Added cert_app program to allow easy reading and
printing of X509 certificates from file or SSL
connection.
Changes
* Added const correctness for main code base
* X509 signature algorithm determination is now
in a function to allow easy future expansion
* Changed symmetric cipher functions to
identical interface (returning int result values)
* Changed ARC4 to use separate input/output buffer
* Added reset function for HMAC context as speed-up
for specific use-cases
Bug fixes
* Fixed bug resulting in failure to send the last
certificate in the chain in ssl_write_certificate() and
ssl_write_certificate_request() (found by fatbob)
* Added small fixes for compiler warnings on a Mac
(found by Frank de Brabander)
* Fixed algorithmic bug in mpi_is_prime() (found by
Smbat Tonoyan)
= Version 0.12.1 released on 2009-10-04
Changes
* Coverage test definitions now support 'depends_on'
tagging system.
* Tests requiring specific hashing algorithms now honor
the defines.
Bug fixes
* Changed typo in #ifdef in x509parse.c (found
by Eduardo)
= Version 0.12.0 released on 2009-07-28
Features
* Added CMake makefiles as alternative to regular Makefiles.
* Added preliminary Code Coverage tests for AES, ARC4,
Base64, MPI, SHA-family, MD-family, HMAC-SHA-family,
Camellia, DES, 3-DES, RSA PKCS#1, XTEA, Diffie-Hellman
and X509parse.
Changes
* Error codes are not (necessarily) negative. Keep
this is mind when checking for errors.
* RSA_RAW renamed to SIG_RSA_RAW for consistency.
* Fixed typo in name of POLARSSL_ERR_RSA_OUTPUT_TOO_LARGE.
* Changed interface for AES and Camellia setkey functions
to indicate invalid key lengths.
Bug fixes
* Fixed include location of endian.h on FreeBSD (found by
Gabriel)
* Fixed include location of endian.h and name clash on
Apples (found by Martin van Hensbergen)
* Fixed HMAC-MD2 by modifying md2_starts(), so that the
required HMAC ipad and opad variables are not cleared.
(found by code coverage tests)
* Prevented use of long long in bignum if
POLARSSL_HAVE_LONGLONG not defined (found by Giles
Bathgate).
* Fixed incorrect handling of negative strings in
mpi_read_string() (found by code coverage tests).
* Fixed segfault on handling empty rsa_context in
rsa_check_pubkey() and rsa_check_privkey() (found by
code coverage tests).
* Fixed incorrect handling of one single negative input
value in mpi_add_abs() (found by code coverage tests).
* Fixed incorrect handling of negative first input
value in mpi_sub_abs() (found by code coverage tests).
* Fixed incorrect handling of negative first input
value in mpi_mod_mpi() and mpi_mod_int(). Resulting
change also affects mpi_write_string() (found by code
coverage tests).
* Corrected is_prime() results for 0, 1 and 2 (found by
code coverage tests).
* Fixed Camellia and XTEA for 64-bit Windows systems.
= Version 0.11.1 released on 2009-05-17
* Fixed missing functionality for SHA-224, SHA-256, SHA384,
SHA-512 in rsa_pkcs1_sign()
= Version 0.11.0 released on 2009-05-03
* Fixed a bug in mpi_gcd() so that it also works when both
input numbers are even and added testcases to check
(found by Pierre Habouzit).
* Added support for SHA-224, SHA-256, SHA-384 and SHA-512
one way hash functions with the PKCS#1 v1.5 signing and
verification.
* Fixed minor bug regarding mpi_gcd located within the
POLARSSL_GENPRIME block.
* Fixed minor memory leak in x509parse_crt() and added better
handling of 'full' certificate chains (found by Mathias
Olsson).
* Centralized file opening and reading for x509 files into
load_file()
* Made definition of net_htons() endian-clean for big endian
systems (Found by Gernot).
* Undefining POLARSSL_HAVE_ASM now also handles prevents asm in
padlock and timing code.
* Fixed an off-by-one buffer allocation in ssl_set_hostname()
responsible for crashes and unwanted behaviour.
* Added support for Certificate Revocation List (CRL) parsing.
* Added support for CRL revocation to x509parse_verify() and
SSL/TLS code.
* Fixed compatibility of XTEA and Camellia on a 64-bit system
(found by Felix von Leitner).
= Version 0.10.0 released on 2009-01-12
* Migrated XySSL to PolarSSL
* Added XTEA symmetric cipher
* Added Camellia symmetric cipher
* Added support for ciphersuites: SSL_RSA_CAMELLIA_128_SHA,
SSL_RSA_CAMELLIA_256_SHA and SSL_EDH_RSA_CAMELLIA_256_SHA
* Fixed dangerous bug that can cause a heap overflow in
rsa_pkcs1_decrypt (found by Christophe Devine)
================================================================
XySSL ChangeLog
= Version 0.9 released on 2008-03-16
* Added support for ciphersuite: SSL_RSA_AES_128_SHA
* Enabled support for large files by default in aescrypt2.c
* Preliminary openssl wrapper contributed by David Barrett
* Fixed a bug in ssl_write() that caused the same payload to
be sent twice in non-blocking mode when send returns EAGAIN
* Fixed ssl_parse_client_hello(): session id and challenge must
not be swapped in the SSLv2 ClientHello (found by Greg Robson)
* Added user-defined callback debug function (Krystian Kolodziej)
* Before freeing a certificate, properly zero out all cert. data
* Fixed the "mode" parameter so that encryption/decryption are
not swapped on PadLock; also fixed compilation on older versions
of gcc (bug reported by David Barrett)
* Correctly handle the case in padlock_xcryptcbc() when input or
ouput data is non-aligned by falling back to the software
implementation, as VIA Nehemiah cannot handle non-aligned buffers
* Fixed a memory leak in x509parse_crt() which was reported by Greg
Robson-Garth; some x509write.c fixes by Pascal Vizeli, thanks to
Matthew Page who reported several bugs
* Fixed x509_get_ext() to accept some rare certificates which have
an INTEGER instead of a BOOLEAN for BasicConstraints::cA.
* Added support on the client side for the TLS "hostname" extension
(patch contributed by David Patino)
* Make x509parse_verify() return BADCERT_CN_MISMATCH when an empty
string is passed as the CN (bug reported by spoofy)
* Added an option to enable/disable the BN assembly code
* Updated rsa_check_privkey() to verify that (D*E) = 1 % (P-1)*(Q-1)
* Disabled obsolete hash functions by default (MD2, MD4); updated
selftest and benchmark to not test ciphers that have been disabled
* Updated x509parse_cert_info() to correctly display byte 0 of the
serial number, setup correct server port in the ssl client example
* Fixed a critical denial-of-service with X.509 cert. verification:
peer may cause xyssl to loop indefinitely by sending a certificate
for which the RSA signature check fails (bug reported by Benoit)
* Added test vectors for: AES-CBC, AES-CFB, DES-CBC and 3DES-CBC,
HMAC-MD5, HMAC-SHA1, HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512
* Fixed HMAC-SHA-384 and HMAC-SHA-512 (thanks to Josh Sinykin)
* Modified ssl_parse_client_key_exchange() to protect against
Daniel Bleichenbacher attack on PKCS#1 v1.5 padding, as well
as the Klima-Pokorny-Rosa extension of Bleichenbacher's attack
* Updated rsa_gen_key() so that ctx->N is always nbits in size
* Fixed assembly PPC compilation errors on Mac OS X, thanks to
David Barrett and Dusan Semen
= Version 0.8 released on 2007-10-20
* Modified the HMAC functions to handle keys larger
than 64 bytes, thanks to Stephane Desneux and gary ng
* Fixed ssl_read_record() to properly update the handshake
message digests, which fixes IE6/IE7 client authentication
* Cleaned up the XYSSL* #defines, suggested by Azriel Fasten
* Fixed net_recv(), thanks to Lorenz Schori and Egon Kocjan
* Added user-defined callbacks for handling I/O and sessions
* Added lots of debugging output in the SSL/TLS functions
* Added preliminary X.509 cert. writing by Pascal Vizeli
* Added preliminary support for the VIA PadLock routines
* Added AES-CFB mode of operation, contributed by chmike
* Added an SSL/TLS stress testing program (ssl_test.c)
* Updated the RSA PKCS#1 code to allow choosing between
RSA_PUBLIC and RSA_PRIVATE, as suggested by David Barrett
* Updated ssl_read() to skip 0-length records from OpenSSL
* Fixed the make install target to comply with *BSD make
* Fixed a bug in mpi_read_binary() on 64-bit platforms
* mpi_is_prime() speedups, thanks to Kevin McLaughlin
* Fixed a long standing memory leak in mpi_is_prime()
* Replaced realloc with malloc in mpi_grow(), and set
the sign of zero as positive in mpi_init() (reported
by Jonathan M. McCune)
= Version 0.7 released on 2007-07-07
* Added support for the MicroBlaze soft-core processor
* Fixed a bug in ssl_tls.c which sometimes prevented SSL
connections from being established with non-blocking I/O
* Fixed a couple bugs in the VS6 and UNIX Makefiles
* Fixed the "PIC register ebx clobbered in asm" bug
* Added HMAC starts/update/finish support functions
* Added the SHA-224, SHA-384 and SHA-512 hash functions
* Fixed the net_set_*block routines, thanks to Andreas
* Added a few demonstration programs: md5sum, sha1sum,
dh_client, dh_server, rsa_genkey, rsa_sign, rsa_verify
* Added new bignum import and export helper functions
* Rewrote README.txt in program/ssl/ca to better explain
how to create a test PKI
= Version 0.6 released on 2007-04-01
* Ciphers used in SSL/TLS can now be disabled at compile
time, to reduce the memory footprint on embedded systems
* Added multiply assembly code for the TriCore and modified
havege_struct for this processor, thanks to David Patiño
* Added multiply assembly code for 64-bit PowerPCs,
thanks to Peking University and the OSU Open Source Lab
* Added experimental support of Quantum Cryptography
* Added support for autoconf, contributed by Arnaud Cornet
* Fixed "long long" compilation issues on IA-64 and PPC64
* Fixed a bug introduced in xyssl-0.5/timing.c: hardclock
was not being correctly defined on ARM and MIPS
= Version 0.5 released on 2007-03-01
* Added multiply assembly code for SPARC and Alpha
* Added (beta) support for non-blocking I/O operations
* Implemented session resuming and client authentication
* Fixed some portability issues on WinCE, MINIX 3, Plan9
(thanks to Benjamin Newman), HP-UX, FreeBSD and Solaris
* Improved the performance of the EDH key exchange
* Fixed a bug that caused valid packets with a payload
size of 16384 bytes to be rejected
= Version 0.4 released on 2007-02-01
* Added support for Ephemeral Diffie-Hellman key exchange
* Added multiply asm code for SSE2, ARM, PPC, MIPS and M68K
* Various improvement to the modular exponentiation code
* Rewrote the headers to generate the API docs with doxygen
* Fixed a bug in ssl_encrypt_buf (incorrect padding was
generated) and in ssl_parse_client_hello (max. client
version was not properly set), thanks to Didier Rebeix
* Fixed another bug in ssl_parse_client_hello: clients with
cipherlists larger than 96 bytes were incorrectly rejected
* Fixed a couple memory leak in x509_read.c
= Version 0.3 released on 2007-01-01
* Added server-side SSLv3 and TLSv1.0 support
* Multiple fixes to enhance the compatibility with g++,
thanks to Xosé Antón Otero Ferreira
* Fixed a bug in the CBC code, thanks to dowst; also,
the bignum code is no longer dependent on long long
* Updated rsa_pkcs1_sign to handle arbitrary large inputs
* Updated timing.c for improved compatibility with i386
and 486 processors, thanks to Arnaud Cornet
= Version 0.2 released on 2006-12-01
* Updated timing.c to support ARM and MIPS arch
* Updated the MPI code to support 8086 on MSVC 1.5
* Added the copyright notice at the top of havege.h
* Fixed a bug in sha2_hmac, thanks to newsoft/Wenfang Zhang
* Fixed a bug reported by Adrian Rüegsegger in x509_read_key
* Fixed a bug reported by Torsten Lauter in ssl_read_record
* Fixed a bug in rsa_check_privkey that would wrongly cause
valid RSA keys to be dismissed (thanks to oldwolf)
* Fixed a bug in mpi_is_prime that caused some primes to fail
the Miller-Rabin primality test
I'd also like to thank Younès Hafri for the CRUX linux port,
Khalil Petit who added XySSL into pkgsrc and Arnaud Cornet
who maintains the Debian package :-)
= Version 0.1 released on 2006-11-01