Annotation of acopm/mbedtls/ChangeLog, Revision 1.1.1.1
1.1 bountyht 1: mbed TLS ChangeLog (Sorted per branch, date)
2:
3: = mbed TLS 2.5.1 released 2017-06-21
4:
5: Security
6: * Fixed unlimited overread of heap-based buffer in mbedtls_ssl_read().
7: The issue could only happen client-side with renegotiation enabled.
8: Could result in DoS (application crash) or information leak
9: (if the application layer sent data read from mbedtls_ssl_read()
10: back to the server or to a third party). Can be triggered remotely.
11: * Removed SHA-1 and RIPEMD-160 from the default hash algorithms for
12: certificate verification. SHA-1 can be turned back on with a compile-time
13: option if needed.
14: * Fixed offset in FALLBACK_SCSV parsing that caused TLS server to fail to
15: detect it sometimes. Reported by Hugo Leisink. #810
16: * Tighten parsing of RSA PKCS#1 v1.5 signatures, to avoid a
17: potential Bleichenbacher/BERserk-style attack.
18:
19: Bugfix
20: * Remove size zero arrays from ECJPAKE test suite. Size zero arrays are not
21: valid C and they prevented the test from compiling in Visual Studio 2015
22: and with GCC using the -Wpedantic compilation option.
23: * Fix insufficient support for signature-hash-algorithm extension,
24: resulting in compatibility problems with Chrome. Found by hfloyrd. #823
25: * Fix behaviour that hid the original cause of fatal alerts in some cases
26: when sending the alert failed. The fix makes sure not to hide the error
27: that triggered the alert.
28: * Fix SSLv3 renegotiation behaviour and stop processing data received from
29: peer after sending a fatal alert to refuse a renegotiation attempt.
30: Previous behaviour was to keep processing data even after the alert has
31: been sent.
32: * Accept empty trusted CA chain in authentication mode
33: MBEDTLS_SSL_VERIFY_OPTIONAL.
34: Found by jethrogb. #864
35: * Fix implementation of mbedtls_ssl_parse_certificate() to not annihilate
36: fatal errors in authentication mode MBEDTLS_SSL_VERIFY_OPTIONAL and to
37: reflect bad EC curves within verification result.
38: * Fix bug that caused the modular inversion function to accept the invalid
39: modulus 1 and therefore to hang. Found by blaufish. #641.
40: * Fix incorrect sign computation in modular exponentiation when the base is
41: a negative MPI. Previously the result was always negative. Found by Guido
42: Vranken.
43: * Fix a numerical underflow leading to stack overflow in mpi_read_file()
44: that was triggered uppon reading an empty line. Found by Guido Vranken.
45:
46: Changes
47: * Send fatal alerts in more cases. The previous behaviour was to skip
48: sending the fatal alert and just drop the connection.
49: * Clarify ECDSA documentation and improve the sample code to avoid
50: misunderstanding and potentially dangerous use of the API. Pointed out
51: by Jean-Philippe Aumasson.
52:
53: = mbed TLS 2.5.0 branch released 2017-05-17
54:
55: Security
56: * Wipe stack buffers in RSA private key operations
57: (rsa_rsaes_pkcs1_v15_decrypt(), rsa_rsaes_oaep_decrypt). Found by Laurent
58: Simon.
59: * Add exponent blinding to RSA private operations as a countermeasure
60: against side-channel attacks like the cache attack described in
61: https://arxiv.org/abs/1702.08719v2.
62: Found and fix proposed by Michael Schwarz, Samuel Weiser, Daniel Gruss,
63: Clémentine Maurice and Stefan Mangard.
64:
65: Features
66: * Add hardware acceleration support for the Elliptic Curve Point module.
67: This involved exposing parts of the internal interface to enable
68: replacing the core functions and adding and alternative, module level
69: replacement support for enabling the extension of the interface.
70: * Add a new configuration option to 'mbedtls_ssl_config' to enable
71: suppressing the CA list in Certificate Request messages. The default
72: behaviour has not changed, namely every configured CAs name is included.
73:
74: API Changes
75: * The following functions in the AES module have been deprecated and replaced
76: by the functions shown below. The new functions change the return type from
77: void to int to allow returning error codes when using MBEDTLS_AES_ALT,
78: MBEDTLS_AES_DECRYPT_ALT or MBEDTLS_AES_ENCRYPT_ALT.
79: mbedtls_aes_decrypt() -> mbedtls_internal_aes_decrypt()
80: mbedtls_aes_encrypt() -> mbedtls_internal_aes_encrypt()
81:
82: Bugfix
83: * Remove macros from compat-1.3.h that correspond to deleted items from most
84: recent versions of the library. Found by Kyle Keen.
85: * Fixed issue in the Threading module that prevented mutexes from
86: initialising. Found by sznaider. #667 #843
87: * Add checks in the PK module for the RSA functions on 64-bit systems.
88: The PK and RSA modules use different types for passing hash length and
89: without these checks the type cast could lead to data loss. Found by Guido
90: Vranken.
91:
92: = mbed TLS 2.4.2 branch released 2017-03-08
93:
94: Security
95: * Add checks to prevent signature forgeries for very large messages while
96: using RSA through the PK module in 64-bit systems. The issue was caused by
97: some data loss when casting a size_t to an unsigned int value in the
98: functions rsa_verify_wrap(), rsa_sign_wrap(), rsa_alt_sign_wrap() and
99: mbedtls_pk_sign(). Found by Jean-Philippe Aumasson.
100: * Fixed potential livelock during the parsing of a CRL in PEM format in
101: mbedtls_x509_crl_parse(). A string containing a CRL followed by trailing
102: characters after the footer could result in the execution of an infinite
103: loop. The issue can be triggered remotely. Found by Greg Zaverucha,
104: Microsoft.
105: * Removed MD5 from the allowed hash algorithms for CertificateRequest and
106: CertificateVerify messages, to prevent SLOTH attacks against TLS 1.2.
107: Introduced by interoperability fix for #513.
108: * Fixed a bug that caused freeing a buffer that was allocated on the stack,
109: when verifying the validity of a key on secp224k1. This could be
110: triggered remotely for example with a maliciously constructed certificate
111: and potentially could lead to remote code execution on some platforms.
112: Reported independently by rongsaws and Aleksandar Nikolic, Cisco Talos
113: team. #569 CVE-2017-2784
114:
115: Bugfix
116: * Fix output certificate verification flags set by x509_crt_verify_top() when
117: traversing a chain of trusted CA. The issue would cause both flags,
118: MBEDTLS_X509_BADCERT_NOT_TRUSTED and MBEDTLS_X509_BADCERT_EXPIRED, to be
119: set when the verification conditions are not met regardless of the cause.
120: Found by Harm Verhagen and inestlerode. #665 #561
121: * Fix the redefinition of macro ssl_set_bio to an undefined symbol
122: mbedtls_ssl_set_bio_timeout in compat-1.3.h, by removing it.
123: Found by omlib-lin. #673
124: * Fix unused variable/function compilation warnings in pem.c, x509_crt.c and
125: x509_csr.c that are reported when building mbed TLS with a config.h that
126: does not define MBEDTLS_PEM_PARSE_C. Found by omnium21. #562
127: * Fix incorrect renegotiation condition in ssl_check_ctr_renegotiate() that
128: would compare 64 bits of the record counter instead of 48 bits as indicated
129: in RFC 6347 Section 4.3.1. This could cause the execution of the
130: renegotiation routines at unexpected times when the protocol is DTLS. Found
131: by wariua. #687
132: * Fixed multiple buffer overreads in mbedtls_pem_read_buffer() when parsing
133: the input string in PEM format to extract the different components. Found
134: by Eyal Itkin.
135: * Fixed potential arithmetic overflow in mbedtls_ctr_drbg_reseed() that could
136: cause buffer bound checks to be bypassed. Found by Eyal Itkin.
137: * Fixed potential arithmetic overflows in mbedtls_cipher_update() that could
138: cause buffer bound checks to be bypassed. Found by Eyal Itkin.
139: * Fixed potential arithmetic overflow in mbedtls_md2_update() that could
140: cause buffer bound checks to be bypassed. Found by Eyal Itkin.
141: * Fixed potential arithmetic overflow in mbedtls_base64_decode() that could
142: cause buffer bound checks to be bypassed. Found by Eyal Itkin.
143: * Fixed heap overreads in mbedtls_x509_get_time(). Found by Peng
144: Li/Yueh-Hsun Lin, KNOX Security, Samsung Research America.
145: * Fix potential memory leak in mbedtls_x509_crl_parse(). The leak was caused
146: by missing calls to mbedtls_pem_free() in cases when a
147: MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT error was encountered. Found and
148: fix proposed by Guido Vranken. #722
149: * Fixed the templates used to generate project and solution files for Visual
150: Studio 2015 as well as the files themselves, to remove a build warning
151: generated in Visual Studio 2015. Reported by Steve Valliere. #742
152: * Fix a resource leak in ssl_cookie, when using MBEDTLS_THREADING_C.
153: Raised and fix suggested by Alan Gillingham in the mbed TLS forum. #771
154: * Fix 1 byte buffer overflow in mbedtls_mpi_write_string() when the MPI
155: number to write in hexadecimal is negative and requires an odd number of
156: digits. Found and fixed by Guido Vranken.
157: * Fix unlisted DES configuration dependency in some pkparse test cases. Found
158: by inestlerode. #555
159:
160: = mbed TLS 2.4.1 branch released 2016-12-13
161:
162: Changes
163: * Update to CMAC test data, taken from - NIST Special Publication 800-38B -
164: Recommendation for Block Cipher Modes of Operation: The CMAC Mode for
165: Authentication – October 2016
166:
167: = mbed TLS 2.4.0 branch released 2016-10-17
168:
169: Security
170: * Removed the MBEDTLS_SSL_AEAD_RANDOM_IV option, because it was not compliant
171: with RFC-5116 and could lead to session key recovery in very long TLS
172: sessions. "Nonce-Disrespecting Adversaries Practical Forgery Attacks on GCM in
173: TLS" - H. Bock, A. Zauner, S. Devlin, J. Somorovsky, P. Jovanovic.
174: https://eprint.iacr.org/2016/475.pdf
175: * Fixed potential stack corruption in mbedtls_x509write_crt_der() and
176: mbedtls_x509write_csr_der() when the signature is copied to the buffer
177: without checking whether there is enough space in the destination. The
178: issue cannot be triggered remotely. Found by Jethro Beekman.
179:
180: Features
181: * Added support for CMAC for AES and 3DES and AES-CMAC-PRF-128, as defined by
182: NIST SP 800-38B, RFC-4493 and RFC-4615.
183: * Added hardware entropy selftest to verify that the hardware entropy source
184: is functioning correctly.
185: * Added a script to print build environment info for diagnostic use in test
186: scripts, which is also now called by all.sh.
187: * Added the macro MBEDTLS_X509_MAX_FILE_PATH_LEN that enables the user to
188: configure the maximum length of a file path that can be buffered when
189: calling mbedtls_x509_crt_parse_path().
190: * Added a configuration file config-no-entropy.h that configures the subset of
191: library features that do not require an entropy source.
192: * Added the macro MBEDTLS_ENTROPY_MIN_HARDWARE in config.h. This allows users
193: to configure the minimum number of bytes for entropy sources using the
194: mbedtls_hardware_poll() function.
195:
196: Bugfix
197: * Fix for platform time abstraction to avoid dependency issues where a build
198: may need time but not the standard C library abstraction, and added
199: configuration consistency checks to check_config.h
200: * Fix dependency issue in Makefile to allow parallel builds.
201: * Fix incorrect handling of block lengths in crypt_and_hash.c sample program,
202: when GCM is used. Found by udf2457. #441
203: * Fix for key exchanges based on ECDH-RSA or ECDH-ECDSA which weren't
204: enabled unless others were also present. Found by David Fernandez. #428
205: * Fix for out-of-tree builds using CMake. Found by jwurzer, and fix based on
206: a contribution from Tobias Tangemann. #541
207: * Fixed cert_app.c sample program for debug output and for use when no root
208: certificates are provided.
209: * Fix conditional statement that would cause a 1 byte overread in
210: mbedtls_asn1_get_int(). Found and fixed by Guido Vranken. #599
211: * Fixed pthread implementation to avoid unintended double initialisations
212: and double frees. Found by Niklas Amnebratt.
213: * Fixed the sample applications gen_key.c, cert_req.c and cert_write.c for
214: builds where the configuration MBEDTLS_PEM_WRITE_C is not defined. Found
215: by inestlerode. #559.
216: * Fix mbedtls_x509_get_sig() to update the ASN1 type in the mbedtls_x509_buf
217: data structure until after error checks are successful. Found by
218: subramanyam-c. #622
219: * Fix documentation and implementation missmatch for function arguments of
220: mbedtls_gcm_finish(). Found by cmiatpaar. #602
221: * Guarantee that P>Q at RSA key generation. Found by inestlerode. #558
222: * Fix potential byte overread when verifying malformed SERVER_HELLO in
223: ssl_parse_hello_verify_request() for DTLS. Found by Guido Vranken.
224: * Fix check for validity of date when parsing in mbedtls_x509_get_time().
225: Found by subramanyam-c. #626
226: * Fix compatibility issue with Internet Explorer client authentication,
227: where the limited hash choices prevented the client from sending its
228: certificate. Found by teumas. #513
229: * Fix compilation without MBEDTLS_SELF_TEST enabled.
230:
231: Changes
232: * Extended test coverage of special cases, and added new timing test suite.
233: * Removed self-tests from the basic-built-test.sh script, and added all
234: missing self-tests to the test suites, to ensure self-tests are only
235: executed once.
236: * Added support for 3 and 4 byte lengths to mbedtls_asn1_write_len().
237: * Added support for a Yotta specific configuration file -
238: through the symbol YOTTA_CFG_MBEDTLS_TARGET_CONFIG_FILE.
239: * Added optimization for code space for X.509/OID based on configured
240: features. Contributed by Aviv Palivoda.
241: * Renamed source file library/net.c to library/net_sockets.c to avoid
242: naming collision in projects which also have files with the common name
243: net.c. For consistency, the corresponding header file, net.h, is marked as
244: deprecated, and its contents moved to net_sockets.h.
245: * Changed the strategy for X.509 certificate parsing and validation, to no
246: longer disregard certificates with unrecognised fields.
247:
248: = mbed TLS 2.3.0 branch released 2016-06-28
249:
250: Security
251: * Fix missing padding length check in mbedtls_rsa_rsaes_pkcs1_v15_decrypt
252: required by PKCS1 v2.2
253: * Fix potential integer overflow to buffer overflow in
254: mbedtls_rsa_rsaes_pkcs1_v15_encrypt and mbedtls_rsa_rsaes_oaep_encrypt
255: (not triggerable remotely in (D)TLS).
256: * Fix a potential integer underflow to buffer overread in
257: mbedtls_rsa_rsaes_oaep_decrypt. It is not triggerable remotely in
258: SSL/TLS.
259:
260: Features
261: * Support for platform abstraction of the standard C library time()
262: function.
263:
264: Bugfix
265: * Fix bug in mbedtls_mpi_add_mpi() that caused wrong results when the three
266: arguments where the same (in-place doubling). Found and fixed by Janos
267: Follath. #309
268: * Fix potential build failures related to the 'apidoc' target, introduced
269: in the previous patch release. Found by Robert Scheck. #390 #391
270: * Fix issue in Makefile that prevented building using armar. #386
271: * Fix memory leak that occured only when ECJPAKE was enabled and ECDHE and
272: ECDSA was disabled in config.h . The leak didn't occur by default.
273: * Fix an issue that caused valid certificates to be rejected whenever an
274: expired or not yet valid certificate was parsed before a valid certificate
275: in the trusted certificate list.
276: * Fix bug in mbedtls_x509_crt_parse that caused trailing extra data in the
277: buffer after DER certificates to be included in the raw representation.
278: * Fix issue that caused a hang when generating RSA keys of odd bitlength
279: * Fix bug in mbedtls_rsa_rsaes_pkcs1_v15_encrypt that made null pointer
280: dereference possible.
281: * Fix issue that caused a crash if invalid curves were passed to
282: mbedtls_ssl_conf_curves. #373
283: * Fix issue in ssl_fork_server which was preventing it from functioning. #429
284: * Fix memory leaks in test framework
285: * Fix test in ssl-opt.sh that does not run properly with valgrind
286: * Fix unchecked calls to mmbedtls_md_setup(). Fix by Brian Murray. #502
287:
288: Changes
289: * On ARM platforms, when compiling with -O0 with GCC, Clang or armcc5,
290: don't use the optimized assembly for bignum multiplication. This removes
291: the need to pass -fomit-frame-pointer to avoid a build error with -O0.
292: * Disabled SSLv3 in the default configuration.
293: * Optimized mbedtls_mpi_zeroize() for MPI integer size. (Fix by Alexey
294: Skalozub).
295: * Fix non-compliance server extension handling. Extensions for SSLv3 are now
296: ignored, as required by RFC6101.
297:
298: = mbed TLS 2.2.1 released 2016-01-05
299:
300: Security
301: * Fix potential double free when mbedtls_asn1_store_named_data() fails to
302: allocate memory. Only used for certificate generation, not triggerable
303: remotely in SSL/TLS. Found by Rafał Przywara. #367
304: * Disable MD5 handshake signatures in TLS 1.2 by default to prevent the
305: SLOTH attack on TLS 1.2 server authentication (other attacks from the
306: SLOTH paper do not apply to any version of mbed TLS or PolarSSL).
307: https://www.mitls.org/pages/attacks/SLOTH
308:
309: Bugfix
310: * Fix over-restrictive length limit in GCM. Found by Andreas-N. #362
311: * Fix bug in certificate validation that caused valid chains to be rejected
312: when the first intermediate certificate has pathLenConstraint=0. Found by
313: Nicholas Wilson. Introduced in mbed TLS 2.2.0. #280
314: * Removed potential leak in mbedtls_rsa_rsassa_pkcs1_v15_sign(), found by
315: JayaraghavendranK. #372
316: * Fix suboptimal handling of unexpected records that caused interop issues
317: with some peers over unreliable links. Avoid dropping an entire DTLS
318: datagram if a single record in a datagram is unexpected, instead only
319: drop the record and look at subsequent records (if any are present) in
320: the same datagram. Found by jeannotlapin. #345
321:
322: = mbed TLS 2.2.0 released 2015-11-04
323:
324: Security
325: * Fix potential double free if mbedtls_ssl_conf_psk() is called more than
326: once and some allocation fails. Cannot be forced remotely. Found by Guido
327: Vranken, Intelworks.
328: * Fix potential heap corruption on Windows when
329: mbedtls_x509_crt_parse_path() is passed a path longer than 2GB. Cannot be
330: triggered remotely. Found by Guido Vranken, Intelworks.
331: * Fix potential buffer overflow in some asn1_write_xxx() functions.
332: Cannot be triggered remotely unless you create X.509 certificates based
333: on untrusted input or write keys of untrusted origin. Found by Guido
334: Vranken, Intelworks.
335: * The X509 max_pathlen constraint was not enforced on intermediate
336: certificates. Found by Nicholas Wilson, fix and tests provided by
337: Janos Follath. #280 and #319
338:
339: Features
340: * Experimental support for EC J-PAKE as defined in Thread 1.0.0.
341: Disabled by default as the specification might still change.
342: * Added a key extraction callback to accees the master secret and key
343: block. (Potential uses include EAP-TLS and Thread.)
344:
345: Bugfix
346: * Self-signed certificates were not excluded from pathlen counting,
347: resulting in some valid X.509 being incorrectly rejected. Found and fix
348: provided by Janos Follath. #319
349: * Fix build error with configurations where ECDHE-PSK is the only key
350: exchange. Found and fix provided by Chris Hammond. #270
351: * Fix build error with configurations where RSA, RSA-PSK, ECDH-RSA or
352: ECHD-ECDSA if the only key exchange. Multiple reports. #310
353: * Fixed a bug causing some handshakes to fail due to some non-fatal alerts
354: not being properly ignored. Found by mancha and Kasom Koht-arsa, #308
355: * mbedtls_x509_crt_verify(_with_profile)() now also checks the key type and
356: size/curve against the profile. Before that, there was no way to set a
357: minimum key size for end-entity certificates with RSA keys. Found by
358: Matthew Page of Scannex Electronics Ltd.
359: * Fix failures in MPI on Sparc(64) due to use of bad assembly code.
360: Found by Kurt Danielson. #292
361: * Fix typo in name of the extKeyUsage OID. Found by inestlerode, #314
362: * Fix bug in ASN.1 encoding of booleans that caused generated CA
363: certificates to be rejected by some applications, including OS X
364: Keychain. Found and fixed by Jonathan Leroy, Inikup.
365:
366: Changes
367: * Improved performance of mbedtls_ecp_muladd() when one of the scalars is 1
368: or -1.
369:
370: = mbed TLS 2.1.2 released 2015-10-06
371:
372: Security
373: * Added fix for CVE-2015-5291 to prevent heap corruption due to buffer
374: overflow of the hostname or session ticket. Found by Guido Vranken,
375: Intelworks.
376: * Fix potential double-free if mbedtls_ssl_set_hs_psk() is called more than
377: once in the same handhake and mbedtls_ssl_conf_psk() was used.
378: Found and patch provided by Guido Vranken, Intelworks. Cannot be forced
379: remotely.
380: * Fix stack buffer overflow in pkcs12 decryption (used by
381: mbedtls_pk_parse_key(file)() when the password is > 129 bytes.
382: Found by Guido Vranken, Intelworks. Not triggerable remotely.
383: * Fix potential buffer overflow in mbedtls_mpi_read_string().
384: Found by Guido Vranken, Intelworks. Not exploitable remotely in the context
385: of TLS, but might be in other uses. On 32 bit machines, requires reading a
386: string of close to or larger than 1GB to exploit; on 64 bit machines, would
387: require reading a string of close to or larger than 2^62 bytes.
388: * Fix potential random memory allocation in mbedtls_pem_read_buffer()
389: on crafted PEM input data. Found and fix provided by Guido Vranken,
390: Intelworks. Not triggerable remotely in TLS. Triggerable remotely if you
391: accept PEM data from an untrusted source.
392: * Fix possible heap buffer overflow in base64_encoded() when the input
393: buffer is 512MB or larger on 32-bit platforms. Found by Guido Vranken,
394: Intelworks. Not trigerrable remotely in TLS.
395: * Fix potential double-free if mbedtls_conf_psk() is called repeatedly on
396: the same mbedtls_ssl_config object and memory allocation fails. Found by
397: Guido Vranken, Intelworks. Cannot be forced remotely.
398: * Fix potential heap buffer overflow in servers that perform client
399: authentication against a crafted CA cert. Cannot be triggered remotely
400: unless you allow third parties to pick trust CAs for client auth.
401: Found by Guido Vranken, Intelworks.
402:
403: Bugfix
404: * Fix compile error in net.c with musl libc. Found and patch provided by
405: zhasha (#278).
406: * Fix macroization of 'inline' keyword when building as C++. (#279)
407:
408: Changes
409: * Added checking of hostname length in mbedtls_ssl_set_hostname() to ensure
410: domain names are compliant with RFC 1035.
411: * Fixed paths for check_config.h in example config files. (Found by bachp)
412: (#291)
413:
414: = mbed TLS 2.1.1 released 2015-09-17
415:
416: Security
417: * Add countermeasure against Lenstra's RSA-CRT attack for PKCS#1 v1.5
418: signatures. (Found by Florian Weimer, Red Hat.)
419: https://securityblog.redhat.com/2015/09/02/factoring-rsa-keys-with-tls-perfect-forward-secrecy/
420: * Fix possible client-side NULL pointer dereference (read) when the client
421: tries to continue the handshake after it failed (a misuse of the API).
422: (Found and patch provided by Fabian Foerg, Gotham Digital Science using
423: afl-fuzz.)
424:
425: Bugfix
426: * Fix warning when using a 64bit platform. (found by embedthis) (#275)
427: * Fix off-by-one error in parsing Supported Point Format extension that
428: caused some handshakes to fail.
429:
430: Changes
431: * Made X509 profile pointer const in mbedtls_ssl_conf_cert_profile() to allow
432: use of mbedtls_x509_crt_profile_next. (found by NWilson)
433: * When a client initiates a reconnect from the same port as a live
434: connection, if cookie verification is available
435: (MBEDTLS_SSL_DTLS_HELLO_VERIFY defined in config.h, and usable cookie
436: callbacks set with mbedtls_ssl_conf_dtls_cookies()), this will be
437: detected and mbedtls_ssl_read() will return
438: MBEDTLS_ERR_SSL_CLIENT_RECONNECT - it is then possible to start a new
439: handshake with the same context. (See RFC 6347 section 4.2.8.)
440:
441: = mbed TLS 2.1.0 released 2015-09-04
442:
443: Features
444: * Added support for yotta as a build system.
445: * Primary open source license changed to Apache 2.0 license.
446:
447: Bugfix
448: * Fix segfault in the benchmark program when benchmarking DHM.
449: * Fix build error with CMake and pre-4.5 versions of GCC (found by Hugo
450: Leisink).
451: * Fix bug when parsing a ServerHello without extensions (found by David
452: Sears).
453: * Fix bug in CMake lists that caused libmbedcrypto.a not to be installed
454: (found by Benoit Lecocq).
455: * Fix bug in Makefile that caused libmbedcrypto and libmbedx509 not to be
456: installed (found by Rawi666).
457: * Fix compile error with armcc 5 with --gnu option.
458: * Fix bug in Makefile that caused programs not to be installed correctly
459: (found by robotanarchy) (#232).
460: * Fix bug in Makefile that prevented from installing without building the
461: tests (found by robotanarchy) (#232).
462: * Fix missing -static-libgcc when building shared libraries for Windows
463: with make.
464: * Fix link error when building shared libraries for Windows with make.
465: * Fix error when loading libmbedtls.so.
466: * Fix bug in mbedtls_ssl_conf_default() that caused the default preset to
467: be always used (found by dcb314) (#235)
468: * Fix bug in mbedtls_rsa_public() and mbedtls_rsa_private() that could
469: result trying to unlock an unlocked mutex on invalid input (found by
470: Fredrik Axelsson) (#257)
471: * Fix -Wshadow warnings (found by hnrkp) (#240)
472: * Fix memory corruption on client with overlong PSK identity, around
473: SSL_MAX_CONTENT_LEN or higher - not triggerrable remotely (found by
474: Aleksandrs Saveljevs) (#238)
475: * Fix unused function warning when using MBEDTLS_MDx_ALT or
476: MBEDTLS_SHAxxx_ALT (found by Henrik) (#239)
477: * Fix memory corruption in pkey programs (found by yankuncheng) (#210)
478:
479: Changes
480: * The PEM parser now accepts a trailing space at end of lines (#226).
481: * It is now possible to #include a user-provided configuration file at the
482: end of the default config.h by defining MBEDTLS_USER_CONFIG_FILE on the
483: compiler's command line.
484: * When verifying a certificate chain, if an intermediate certificate is
485: trusted, no later cert is checked. (suggested by hannes-landeholm)
486: (#220).
487: * Prepend a "thread identifier" to debug messages (issue pointed out by
488: Hugo Leisink) (#210).
489: * Add mbedtls_ssl_get_max_frag_len() to query the current maximum fragment
490: length.
491:
492: = mbed TLS 2.0.0 released 2015-07-13
493:
494: Features
495: * Support for DTLS 1.0 and 1.2 (RFC 6347).
496: * Ability to override core functions from MDx, SHAx, AES and DES modules
497: with custom implementation (eg hardware accelerated), complementing the
498: ability to override the whole module.
499: * New server-side implementation of session tickets that rotate keys to
500: preserve forward secrecy, and allows sharing across multiple contexts.
501: * Added a concept of X.509 cerificate verification profile that controls
502: which algorithms and key sizes (curves for ECDSA) are acceptable.
503: * Expanded configurability of security parameters in the SSL module with
504: mbedtls_ssl_conf_dhm_min_bitlen() and mbedtls_ssl_conf_sig_hashes().
505: * Introduced a concept of presets for SSL security-relevant configuration
506: parameters.
507:
508: API Changes
509: * The library has been split into libmbedcrypto, libmbedx509, libmbedtls.
510: You now need to link to all of them if you use TLS for example.
511: * All public identifiers moved to the mbedtls_* or MBEDTLS_* namespace.
512: Some names have been further changed to make them more consistent.
513: Migration helpers scripts/rename.pl and include/mbedlts/compat-1.3.h are
514: provided. Full list of renamings in scripts/data_files/rename-1.3-2.0.txt
515: * Renamings of fields inside structures, not covered by the previous list:
516: mbedtls_cipher_info_t.key_length -> key_bitlen
517: mbedtls_cipher_context_t.key_length -> key_bitlen
518: mbedtls_ecp_curve_info.size -> bit_size
519: * Headers are now found in the 'mbedtls' directory (previously 'polarssl').
520: * The following _init() functions that could return errors have
521: been split into an _init() that returns void and another function that
522: should generally be the first function called on this context after init:
523: mbedtls_ssl_init() -> mbedtls_ssl_setup()
524: mbedtls_ccm_init() -> mbedtls_ccm_setkey()
525: mbedtls_gcm_init() -> mbedtls_gcm_setkey()
526: mbedtls_hmac_drbg_init() -> mbedtls_hmac_drbg_seed(_buf)()
527: mbedtls_ctr_drbg_init() -> mbedtls_ctr_drbg_seed()
528: Note that for mbedtls_ssl_setup(), you need to be done setting up the
529: ssl_config structure before calling it.
530: * Most ssl_set_xxx() functions (all except ssl_set_bio(), ssl_set_hostname(),
531: ssl_set_session() and ssl_set_client_transport_id(), plus
532: ssl_legacy_renegotiation()) have been renamed to mbedtls_ssl_conf_xxx()
533: (see rename.pl and compat-1.3.h above) and their first argument's type
534: changed from ssl_context to ssl_config.
535: * ssl_set_bio() changed signature (contexts merged, order switched, one
536: additional callback for read-with-timeout).
537: * The following functions have been introduced and must be used in callback
538: implementations (SNI, PSK) instead of their *conf counterparts:
539: mbedtls_ssl_set_hs_own_cert()
540: mbedtls_ssl_set_hs_ca_chain()
541: mbedtls_ssl_set_hs_psk()
542: * mbedtls_ssl_conf_ca_chain() lost its last argument (peer_cn), now set
543: using mbedtls_ssl_set_hostname().
544: * mbedtls_ssl_conf_session_cache() changed prototype (only one context
545: pointer, parameters reordered).
546: * On server, mbedtls_ssl_conf_session_tickets_cb() must now be used in
547: place of mbedtls_ssl_conf_session_tickets() to enable session tickets.
548: * The SSL debug callback gained two new arguments (file name, line number).
549: * Debug modes were removed.
550: * mbedtls_ssl_conf_truncated_hmac() now returns void.
551: * mbedtls_memory_buffer_alloc_init() now returns void.
552: * X.509 verification flags are now an uint32_t. Affect the signature of:
553: mbedtls_ssl_get_verify_result()
554: mbedtls_x509_ctr_verify_info()
555: mbedtls_x509_crt_verify() (flags, f_vrfy -> needs to be updated)
556: mbedtls_ssl_conf_verify() (f_vrfy -> needs to be updated)
557: * The following functions changed prototype to avoid an in-out length
558: parameter:
559: mbedtls_base64_encode()
560: mbedtls_base64_decode()
561: mbedtls_mpi_write_string()
562: mbedtls_dhm_calc_secret()
563: * In the NET module, all "int" and "int *" arguments for file descriptors
564: changed type to "mbedtls_net_context *".
565: * net_accept() gained new arguments for the size of the client_ip buffer.
566: * In the threading layer, mbedtls_mutex_init() and mbedtls_mutex_free() now
567: return void.
568: * ecdsa_write_signature() gained an addtional md_alg argument and
569: ecdsa_write_signature_det() was deprecated.
570: * pk_sign() no longer accepts md_alg == POLARSSL_MD_NONE with ECDSA.
571: * Last argument of x509_crt_check_key_usage() and
572: mbedtls_x509write_crt_set_key_usage() changed from int to unsigned.
573: * test_ca_list (from certs.h) is renamed to test_cas_pem and is only
574: available if POLARSSL_PEM_PARSE_C is defined (it never worked without).
575: * Test certificates in certs.c are no longer guaranteed to be nul-terminated
576: strings; use the new *_len variables instead of strlen().
577: * Functions mbedtls_x509_xxx_parse(), mbedtls_pk_parse_key(),
578: mbedtls_pk_parse_public_key() and mbedtls_dhm_parse_dhm() now expect the
579: length parameter to include the terminating null byte for PEM input.
580: * Signature of mpi_mul_mpi() changed to make the last argument unsigned
581: * calloc() is now used instead of malloc() everywhere. API of platform
582: layer and the memory_buffer_alloc module changed accordingly.
583: (Thanks to Mansour Moufid for helping with the replacement.)
584: * Change SSL_DISABLE_RENEGOTIATION config.h flag to SSL_RENEGOTIATION
585: (support for renegotiation now needs explicit enabling in config.h).
586: * Split MBEDTLS_HAVE_TIME into MBEDTLS_HAVE_TIME and MBEDTLS_HAVE_TIME_DATE
587: in config.h
588: * net_connect() and net_bind() have a new 'proto' argument to choose
589: between TCP and UDP, using the macros NET_PROTO_TCP or NET_PROTO_UDP.
590: Their 'port' argument type is changed to a string.
591: * Some constness fixes
592:
593: Removals
594: * Removed mbedtls_ecp_group_read_string(). Only named groups are supported.
595: * Removed mbedtls_ecp_sub() and mbedtls_ecp_add(), use
596: mbedtls_ecp_muladd().
597: * Removed individual mdX_hmac, shaX_hmac, mdX_file and shaX_file functions
598: (use generic functions from md.h)
599: * Removed mbedtls_timing_msleep(). Use mbedtls_net_usleep() or a custom
600: waiting function.
601: * Removed test DHM parameters from the test certs module.
602: * Removed the PBKDF2 module (use PKCS5).
603: * Removed POLARSSL_ERROR_STRERROR_BC (use mbedtls_strerror()).
604: * Removed compat-1.2.h (helper for migrating from 1.2 to 1.3).
605: * Removed openssl.h (very partial OpenSSL compatibility layer).
606: * Configuration options POLARSSL_HAVE_LONGLONG was removed (now always on).
607: * Configuration options POLARSSL_HAVE_INT8 and POLARSSL_HAVE_INT16 have
608: been removed (compiler is required to support 32-bit operations).
609: * Configuration option POLARSSL_HAVE_IPV6 was removed (always enabled).
610: * Removed test program o_p_test, the script compat.sh does more.
611: * Removed test program ssl_test, superseded by ssl-opt.sh.
612: * Removed helper script active-config.pl
613:
614: New deprecations
615: * md_init_ctx() is deprecated in favour of md_setup(), that adds a third
616: argument (allowing memory savings if HMAC is not used)
617:
618: Semi-API changes (technically public, morally private)
619: * Renamed a few headers to include _internal in the name. Those headers are
620: not supposed to be included by users.
621: * Changed md_info_t into an opaque structure (use md_get_xxx() accessors).
622: * Changed pk_info_t into an opaque structure.
623: * Changed cipher_base_t into an opaque structure.
624: * Removed sig_oid2 and rename sig_oid1 to sig_oid in x509_crt and x509_crl.
625: * x509_crt.key_usage changed from unsigned char to unsigned int.
626: * Removed r and s from ecdsa_context
627: * Removed mode from des_context and des3_context
628:
629: Default behavior changes
630: * The default minimum TLS version is now TLS 1.0.
631: * RC4 is now blacklisted by default in the SSL/TLS layer, and excluded from the
632: default ciphersuite list returned by ssl_list_ciphersuites()
633: * Support for receiving SSLv2 ClientHello is now disabled by default at
634: compile time.
635: * The default authmode for SSL/TLS clients is now REQUIRED.
636: * Support for RSA_ALT contexts in the PK layer is now optional. Since is is
637: enabled in the default configuration, this is only noticeable if using a
638: custom config.h
639: * Default DHM parameters server-side upgraded from 1024 to 2048 bits.
640: * A minimum RSA key size of 2048 bits is now enforced during ceritificate
641: chain verification.
642: * Negotiation of truncated HMAC is now disabled by default on server too.
643: * The following functions are now case-sensitive:
644: mbedtls_cipher_info_from_string()
645: mbedtls_ecp_curve_info_from_name()
646: mbedtls_md_info_from_string()
647: mbedtls_ssl_ciphersuite_from_string()
648: mbedtls_version_check_feature()
649:
650: Requirement changes
651: * The minimum MSVC version required is now 2010 (better C99 support).
652: * The NET layer now unconditionnaly relies on getaddrinfo() and select().
653: * Compiler is required to support C99 types such as long long and uint32_t.
654:
655: API changes from the 1.4 preview branch
656: * ssl_set_bio_timeout() was removed, split into mbedtls_ssl_set_bio() with
657: new prototype, and mbedtls_ssl_set_read_timeout().
658: * The following functions now return void:
659: mbedtls_ssl_conf_transport()
660: mbedtls_ssl_conf_max_version()
661: mbedtls_ssl_conf_min_version()
662: * DTLS no longer hard-depends on TIMING_C, but uses a callback interface
663: instead, see mbedtls_ssl_set_timer_cb(), with the Timing module providing
664: an example implementation, see mbedtls_timing_delay_context and
665: mbedtls_timing_set/get_delay().
666: * With UDP sockets, it is no longer necessary to call net_bind() again
667: after a successful net_accept().
668:
669: Changes
670: * mbedtls_ctr_drbg_random() and mbedtls_hmac_drbg_random() are now
671: thread-safe if MBEDTLS_THREADING_C is enabled.
672: * Reduced ROM fooprint of SHA-256 and added an option to reduce it even
673: more (at the expense of performance) MBEDTLS_SHA256_SMALLER.
674:
675: = mbed TLS 1.3 branch
676:
677: Security
678: * With authmode set to SSL_VERIFY_OPTIONAL, verification of keyUsage and
679: extendedKeyUsage on the leaf certificate was lost (results not accessible
680: via ssl_get_verify_results()).
681: * Add countermeasure against "Lucky 13 strikes back" cache-based attack,
682: https://dl.acm.org/citation.cfm?id=2714625
683:
684: Features
685: * Improve ECC performance by using more efficient doubling formulas
686: (contributed by Peter Dettman).
687: * Add x509_crt_verify_info() to display certificate verification results.
688: * Add support for reading DH parameters with privateValueLength included
689: (contributed by Daniel Kahn Gillmor).
690: * Add support for bit strings in X.509 names (request by Fredrik Axelsson).
691: * Add support for id-at-uniqueIdentifier in X.509 names.
692: * Add support for overriding snprintf() (except on Windows) and exit() in
693: the platform layer.
694: * Add an option to use macros instead of function pointers in the platform
695: layer (helps get rid of unwanted references).
696: * Improved Makefiles for Windows targets by fixing library targets and making
697: cross-compilation easier (thanks to Alon Bar-Lev).
698: * The benchmark program also prints heap usage for public-key primitives
699: if POLARSSL_MEMORY_BUFFER_ALLOC_C and POLARSSL_MEMORY_DEBUG are defined.
700: * New script ecc-heap.sh helps measuring the impact of ECC parameters on
701: speed and RAM (heap only for now) usage.
702: * New script memory.sh helps measuring the ROM and RAM requirements of two
703: reduced configurations (PSK-CCM and NSA suite B).
704: * Add config flag POLARSSL_DEPRECATED_WARNING (off by default) to produce
705: warnings on use of deprecated functions (with GCC and Clang only).
706: * Add config flag POLARSSL_DEPRECATED_REMOVED (off by default) to produce
707: errors on use of deprecated functions.
708:
709: Bugfix
710: * Fix compile errors with PLATFORM_NO_STD_FUNCTIONS.
711: * Fix compile error with PLATFORM_EXIT_ALT (thanks to Rafał Przywara).
712: * Fix bug in entropy.c when THREADING_C is also enabled that caused
713: entropy_free() to crash (thanks to Rafał Przywara).
714: * Fix memory leak when gcm_setkey() and ccm_setkey() are used more than
715: once on the same context.
716: * Fix bug in ssl_mail_client when password is longer that username (found
717: by Bruno Pape).
718: * Fix undefined behaviour (memcmp( NULL, NULL, 0 );) in X.509 modules
719: (detected by Clang's 3.6 UBSan).
720: * mpi_size() and mpi_msb() would segfault when called on an mpi that is
721: initialized but not set (found by pravic).
722: * Fix detection of support for getrandom() on Linux (reported by syzzer) by
723: doing it at runtime (using uname) rather that compile time.
724: * Fix handling of symlinks by "make install" (found by Gaël PORTAY).
725: * Fix potential NULL pointer dereference (not trigerrable remotely) when
726: ssl_write() is called before the handshake is finished (introduced in
727: 1.3.10) (first reported by Martin Blumenstingl).
728: * Fix bug in pk_parse_key() that caused some valid private EC keys to be
729: rejected.
730: * Fix bug in Via Padlock support (found by Nikos Mavrogiannopoulos).
731: * Fix thread safety bug in RSA operations (found by Fredrik Axelsson).
732: * Fix hardclock() (only used in the benchmarking program) with some
733: versions of mingw64 (found by kxjhlele).
734: * Fix warnings from mingw64 in timing.c (found by kxjklele).
735: * Fix potential unintended sign extension in asn1_get_len() on 64-bit
736: platforms.
737: * Fix potential memory leak in ssl_set_psk() (found by Mansour Moufid).
738: * Fix compile error when POLARSSL_SSL_DISABLE_RENEGOTATION and
739: POLARSSL_SSL_SSESSION_TICKETS where both enabled in config.h (introduced
740: in 1.3.10).
741: * Add missing extern "C" guard in aesni.h (reported by amir zamani).
742: * Add missing dependency on SHA-256 in some x509 programs (reported by
743: Gergely Budai).
744: * Fix bug related to ssl_set_curves(): the client didn't check that the
745: curve picked by the server was actually allowed.
746:
747: Changes
748: * Remove bias in mpi_gen_prime (contributed by Pascal Junod).
749: * Remove potential sources of timing variations (some contributed by Pascal
750: Junod).
751: * Options POLARSSL_HAVE_INT8 and POLARSSL_HAVE_INT16 are deprecated.
752: * Enabling POLARSSL_NET_C without POLARSSL_HAVE_IPV6 is deprecated.
753: * compat-1.2.h and openssl.h are deprecated.
754: * Adjusting/overriding CFLAGS and LDFLAGS with the make build system is now
755: more flexible (warning: OFLAGS is not used any more) (see the README)
756: (contributed by Alon Bar-Lev).
757: * ssl_set_own_cert() no longer calls pk_check_pair() since the
758: performance impact was bad for some users (this was introduced in 1.3.10).
759: * Move from SHA-1 to SHA-256 in example programs using signatures
760: (suggested by Thorsten Mühlfelder).
761: * Remove some unneeded inclusions of header files from the standard library
762: "minimize" others (eg use stddef.h if only size_t is needed).
763: * Change #include lines in test files to use double quotes instead of angle
764: brackets for uniformity with the rest of the code.
765: * Remove dependency on sscanf() in X.509 parsing modules.
766:
767: = mbed TLS 1.3.10 released 2015-02-09
768: Security
769: * NULL pointer dereference in the buffer-based allocator when the buffer is
770: full and polarssl_free() is called (found by Mark Hasemeyer)
771: (only possible if POLARSSL_MEMORY_BUFFER_ALLOC_C is enabled, which it is
772: not by default).
773: * Fix remotely-triggerable uninitialised pointer dereference caused by
774: crafted X.509 certificate (TLS server is not affected if it doesn't ask for a
775: client certificate) (found using Codenomicon Defensics).
776: * Fix remotely-triggerable memory leak caused by crafted X.509 certificates
777: (TLS server is not affected if it doesn't ask for a client certificate)
778: (found using Codenomicon Defensics).
779: * Fix potential stack overflow while parsing crafted X.509 certificates
780: (TLS server is not affected if it doesn't ask for a client certificate)
781: (found using Codenomicon Defensics).
782: * Fix timing difference that could theoretically lead to a
783: Bleichenbacher-style attack in the RSA and RSA-PSK key exchanges
784: (reported by Sebastian Schinzel).
785:
786: Features
787: * Add support for FALLBACK_SCSV (draft-ietf-tls-downgrade-scsv).
788: * Add support for Extended Master Secret (draft-ietf-tls-session-hash).
789: * Add support for Encrypt-then-MAC (RFC 7366).
790: * Add function pk_check_pair() to test if public and private keys match.
791: * Add x509_crl_parse_der().
792: * Add compile-time option POLARSSL_X509_MAX_INTERMEDIATE_CA to limit the
793: length of an X.509 verification chain.
794: * Support for renegotiation can now be disabled at compile-time
795: * Support for 1/n-1 record splitting, a countermeasure against BEAST.
796: * Certificate selection based on signature hash, preferring SHA-1 over SHA-2
797: for pre-1.2 clients when multiple certificates are available.
798: * Add support for getrandom() syscall on recent Linux kernels with Glibc or
799: a compatible enough libc (eg uClibc).
800: * Add ssl_set_arc4_support() to make it easier to disable RC4 at runtime
801: while using the default ciphersuite list.
802: * Added new error codes and debug messages about selection of
803: ciphersuite/certificate.
804:
805: Bugfix
806: * Stack buffer overflow if ctr_drbg_update() is called with too large
807: add_len (found by Jean-Philippe Aumasson) (not triggerable remotely).
808: * Possible buffer overflow of length at most POLARSSL_MEMORY_ALIGN_MULTIPLE
809: if memory_buffer_alloc_init() was called with buf not aligned and len not
810: a multiple of POLARSSL_MEMORY_ALIGN_MULTIPLE (not triggerable remotely).
811: * User set CFLAGS were ignored by Cmake with gcc (introduced in 1.3.9, found
812: by Julian Ospald).
813: * Fix potential undefined behaviour in Camellia.
814: * Fix potential failure in ECDSA signatures when POLARSSL_ECP_MAX_BITS is a
815: multiple of 8 (found by Gergely Budai).
816: * Fix unchecked return code in x509_crt_parse_path() on Windows (found by
817: Peter Vaskovic).
818: * Fix assembly selection for MIPS64 (thanks to James Cowgill).
819: * ssl_get_verify_result() now works even if the handshake was aborted due
820: to a failed verification (found by Fredrik Axelsson).
821: * Skip writing and parsing signature_algorithm extension if none of the
822: key exchanges enabled needs certificates. This fixes a possible interop
823: issue with some servers when a zero-length extension was sent. (Reported
824: by Peter Dettman.)
825: * On a 0-length input, base64_encode() did not correctly set output length
826: (found by Hendrik van den Boogaard).
827:
828: Changes
829: * Use deterministic nonces for AEAD ciphers in TLS by default (possible to
830: switch back to random with POLARSSL_SSL_AEAD_RANDOM_IV in config.h).
831: * Blind RSA private operations even when POLARSSL_RSA_NO_CRT is defined.
832: * ssl_set_own_cert() now returns an error on key-certificate mismatch.
833: * Forbid repeated extensions in X.509 certificates.
834: * debug_print_buf() now prints a text view in addition to hexadecimal.
835: * A specific error is now returned when there are ciphersuites in common
836: but none of them is usable due to external factors such as no certificate
837: with a suitable (extended)KeyUsage or curve or no PSK set.
838: * It is now possible to disable negotiation of truncated HMAC server-side
839: at runtime with ssl_set_truncated_hmac().
840: * Example programs for SSL client and server now disable SSLv3 by default.
841: * Example programs for SSL client and server now disable RC4 by default.
842: * Use platform.h in all test suites and programs.
843:
844: = PolarSSL 1.3.9 released 2014-10-20
845: Security
846: * Lowest common hash was selected from signature_algorithms extension in
847: TLS 1.2 (found by Darren Bane) (introduced in 1.3.8).
848: * Remotely-triggerable memory leak when parsing some X.509 certificates
849: (server is not affected if it doesn't ask for a client certificate)
850: (found using Codenomicon Defensics).
851: * Remotely-triggerable memory leak when parsing crafted ClientHello
852: (not affected if ECC support was compiled out) (found using Codenomicon
853: Defensics).
854:
855: Bugfix
856: * Support escaping of commas in x509_string_to_names()
857: * Fix compile error in ssl_pthread_server (found by Julian Ospald).
858: * Fix net_accept() regarding non-blocking sockets (found by Luca Pesce).
859: * Don't print uninitialised buffer in ssl_mail_client (found by Marc Abel).
860: * Fix warnings from Clang's scan-build (contributed by Alfred Klomp).
861: * Fix compile error in timing.c when POLARSSL_NET_C and POLARSSL_SELFTEST
862: are defined but not POLARSSL_HAVE_TIME (found by Stephane Di Vito).
863: * Remove non-existent file from VS projects (found by Peter Vaskovic).
864: * ssl_read() could return non-application data records on server while
865: renegotation was pending, and on client when a HelloRequest was received.
866: * Server-initiated renegotiation would fail with non-blocking I/O if the
867: write callback returned WANT_WRITE when requesting renegotiation.
868: * ssl_close_notify() could send more than one message in some circumstances
869: with non-blocking I/O.
870: * Fix compiler warnings on iOS (found by Sander Niemeijer).
871: * x509_crt_parse() did not increase total_failed on PEM error
872: * Fix compile error with armcc in mpi_is_prime()
873: * Fix potential bad read in parsing ServerHello (found by Adrien
874: Vialletelle).
875:
876: Changes
877: * Ciphersuites using SHA-256 or SHA-384 now require TLS 1.x (there is no
878: standard defining how to use SHA-2 with SSL 3.0).
879: * Ciphersuites using RSA-PSK key exchange new require TLS 1.x (the spec is
880: ambiguous on how to encode some packets with SSL 3.0).
881: * Made buffer size in pk_write_(pub)key_pem() more dynamic, eg smaller if
882: RSA is disabled, larger if POLARSSL_MPI_MAX_SIZE is larger.
883: * ssl_read() now returns POLARSSL_ERR_NET_WANT_READ rather than
884: POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE on harmless alerts.
885: * POLARSSL_MPI_MAX_SIZE now defaults to 1024 in order to allow 8192 bits
886: RSA keys.
887: * Accept spaces at end of line or end of buffer in base64_decode().
888: * X.509 certificates with more than one AttributeTypeAndValue per
889: RelativeDistinguishedName are not accepted any more.
890:
891: = PolarSSL 1.3.8 released 2014-07-11
892: Security
893: * Fix length checking for AEAD ciphersuites (found by Codenomicon).
894: It was possible to crash the server (and client) using crafted messages
895: when a GCM suite was chosen.
896:
897: Features
898: * Add CCM module and cipher mode to Cipher Layer
899: * Support for CCM and CCM_8 ciphersuites
900: * Support for parsing and verifying RSASSA-PSS signatures in the X.509
901: modules (certificates, CRLs and CSRs).
902: * Blowfish in the cipher layer now supports variable length keys.
903: * Add example config.h for PSK with CCM, optimized for low RAM usage.
904: * Optimize for RAM usage in example config.h for NSA Suite B profile.
905: * Add POLARSSL_REMOVE_ARC4_CIPHERSUITES to allow removing RC4 ciphersuites
906: from the default list (inactive by default).
907: * Add server-side enforcement of sent renegotiation requests
908: (ssl_set_renegotiation_enforced())
909: * Add SSL_CIPHERSUITES config.h flag to allow specifying a list of
910: ciphersuites to use and save some memory if the list is small.
911:
912: Changes
913: * Add LINK_WITH_PTHREAD option in CMake for explicit linking that is
914: required on some platforms (e.g. OpenBSD)
915: * Migrate zeroizing of data to polarssl_zeroize() instead of memset()
916: against unwanted compiler optimizations
917: * md_list() now returns hashes strongest first
918: * Selection of hash for signing ServerKeyExchange in TLS 1.2 now picks
919: strongest offered by client.
920: * All public contexts have _init() and _free() functions now for simpler
921: usage pattern
922:
923: Bugfix
924: * Fix in debug_print_msg()
925: * Enforce alignment in the buffer allocator even if buffer is not aligned
926: * Remove less-than-zero checks on unsigned numbers
927: * Stricter check on SSL ClientHello internal sizes compared to actual packet
928: size (found by TrustInSoft)
929: * Fix WSAStartup() return value check (found by Peter Vaskovic)
930: * Other minor issues (found by Peter Vaskovic)
931: * Fix symlink command for cross compiling with CMake (found by Andre
932: Heinecke)
933: * Fix DER output of gen_key app (found by Gergely Budai)
934: * Very small records were incorrectly rejected when truncated HMAC was in
935: use with some ciphersuites and versions (RC4 in all versions, CBC with
936: versions < TLS 1.1).
937: * Very large records using more than 224 bytes of padding were incorrectly
938: rejected with CBC-based ciphersuites and TLS >= 1.1
939: * Very large records using less padding could cause a buffer overread of up
940: to 32 bytes with CBC-based ciphersuites and TLS >= 1.1
941: * Restore ability to use a v1 cert as a CA if trusted locally. (This had
942: been removed in 1.3.6.)
943: * Restore ability to locally trust a self-signed cert that is not a proper
944: CA for use as an end entity certificate. (This had been removed in
945: 1.3.6.)
946: * Fix preprocessor checks for bn_mul PPC asm (found by Barry K. Nathan).
947: * Use \n\t rather than semicolons for bn_mul asm, since some assemblers
948: interpret semicolons as comment delimiters (found by Barry K. Nathan).
949: * Fix off-by-one error in parsing Supported Point Format extension that
950: caused some handshakes to fail.
951: * Fix possible miscomputation of the premaster secret with DHE-PSK key
952: exchange that caused some handshakes to fail with other implementations.
953: (Failure rate <= 1/255 with common DHM moduli.)
954: * Disable broken Sparc64 bn_mul assembly (found by Florian Obser).
955: * Fix base64_decode() to return and check length correctly (in case of
956: tight buffers)
957: * Fix mpi_write_string() to write "00" as hex output for empty MPI (found
958: by Hui Dong)
959:
960: = PolarSSL 1.3.7 released on 2014-05-02
961: Features
962: * debug_set_log_mode() added to determine raw or full logging
963: * debug_set_threshold() added to ignore messages over threshold level
964: * version_check_feature() added to check for compile-time options at
965: run-time
966:
967: Changes
968: * POLARSSL_CONFIG_OPTIONS has been removed. All values are individually
969: checked and filled in the relevant module headers
970: * Debug module only outputs full lines instead of parts
971: * Better support for the different Attribute Types from IETF PKIX (RFC 5280)
972: * AES-NI now compiles with "old" assemblers too
973: * Ciphersuites based on RC4 now have the lowest priority by default
974:
975: Bugfix
976: * Only iterate over actual certificates in ssl_write_certificate_request()
977: (found by Matthew Page)
978: * Typos in platform.c and pkcs11.c (found by Daniel Phillips and Steffan
979: Karger)
980: * cert_write app should use subject of issuer certificate as issuer of cert
981: * Fix false reject in padding check in ssl_decrypt_buf() for CBC
982: ciphersuites, for full SSL frames of data.
983: * Improve interoperability by not writing extension length in ClientHello /
984: ServerHello when no extensions are present (found by Matthew Page)
985: * rsa_check_pubkey() now allows an E up to N
986: * On OpenBSD, use arc4random_buf() instead of rand() to prevent warnings
987: * mpi_fill_random() was creating numbers larger than requested on
988: big-endian platform when size was not an integer number of limbs
989: * Fix dependencies issues in X.509 test suite.
990: * Some parts of ssl_tls.c were compiled even when the module was disabled.
991: * Fix detection of DragonflyBSD in net.c (found by Markus Pfeiffer)
992: * Fix detection of Clang on some Apple platforms with CMake
993: (found by Barry K. Nathan)
994:
995: = PolarSSL 1.3.6 released on 2014-04-11
996:
997: Features
998: * Support for the ALPN SSL extension
999: * Add option 'use_dev_random' to gen_key application
1000: * Enable verification of the keyUsage extension for CA and leaf
1001: certificates (POLARSSL_X509_CHECK_KEY_USAGE)
1002: * Enable verification of the extendedKeyUsage extension
1003: (POLARSSL_X509_CHECK_EXTENDED_KEY_USAGE)
1004:
1005: Changes
1006: * x509_crt_info() now prints information about parsed extensions as well
1007: * pk_verify() now returns a specific error code when the signature is valid
1008: but shorter than the supplied length.
1009: * Use UTC time to check certificate validity.
1010: * Reject certificates with times not in UTC, per RFC 5280.
1011:
1012: Security
1013: * Avoid potential timing leak in ecdsa_sign() by blinding modular division.
1014: (Found by Watson Ladd.)
1015: * The notAfter date of some certificates was no longer checked since 1.3.5.
1016: This affects certificates in the user-supplied chain except the top
1017: certificate. If the user-supplied chain contains only one certificates,
1018: it is not affected (ie, its notAfter date is properly checked).
1019: * Prevent potential NULL pointer dereference in ssl_read_record() (found by
1020: TrustInSoft)
1021:
1022: Bugfix
1023: * The length of various ClientKeyExchange messages was not properly checked.
1024: * Some example server programs were not sending the close_notify alert.
1025: * Potential memory leak in mpi_exp_mod() when error occurs during
1026: calculation of RR.
1027: * Fixed malloc/free default #define in platform.c (found by Gergely Budai).
1028: * Fixed type which made POLARSSL_ENTROPY_FORCE_SHA256 uneffective (found by
1029: Gergely Budai).
1030: * Fix #include path in ecdsa.h which wasn't accepted by some compilers.
1031: (found by Gergely Budai)
1032: * Fix compile errors when POLARSSL_ERROR_STRERROR_BC is undefined (found by
1033: Shuo Chen).
1034: * oid_get_numeric_string() used to truncate the output without returning an
1035: error if the output buffer was just 1 byte too small.
1036: * dhm_parse_dhm() (hence dhm_parse_dhmfile()) did not set dhm->len.
1037: * Calling pk_debug() on an RSA-alt key would segfault.
1038: * pk_get_size() and pk_get_len() were off by a factor 8 for RSA-alt keys.
1039: * Potential buffer overwrite in pem_write_buffer() because of low length
1040: indication (found by Thijs Alkemade)
1041: * EC curves constants, which should be only in ROM since 1.3.3, were also
1042: stored in RAM due to missing 'const's (found by Gergely Budai).
1043:
1044: = PolarSSL 1.3.5 released on 2014-03-26
1045: Features
1046: * HMAC-DRBG as a separate module
1047: * Option to set the Curve preference order (disabled by default)
1048: * Single Platform compatilibity layer (for memory / printf / fprintf)
1049: * Ability to provide alternate timing implementation
1050: * Ability to force the entropy module to use SHA-256 as its basis
1051: (POLARSSL_ENTROPY_FORCE_SHA256)
1052: * Testing script ssl-opt.sh added for testing 'live' ssl option
1053: interoperability against OpenSSL and PolarSSL
1054: * Support for reading EC keys that use SpecifiedECDomain in some cases.
1055: * Entropy module now supports seed writing and reading
1056:
1057: Changes
1058: * Deprecated the Memory layer
1059: * entropy_add_source(), entropy_update_manual() and entropy_gather()
1060: now thread-safe if POLARSSL_THREADING_C defined
1061: * Improvements to the CMake build system, contributed by Julian Ospald.
1062: * Work around a bug of the version of Clang shipped by Apple with Mavericks
1063: that prevented bignum.c from compiling. (Reported by Rafael Baptista.)
1064: * Revamped the compat.sh interoperatibility script to include support for
1065: testing against GnuTLS
1066: * Deprecated ssl_set_own_cert_rsa() and ssl_set_own_cert_rsa_alt()
1067: * Improvements to tests/Makefile, contributed by Oden Eriksson.
1068:
1069: Security
1070: * Forbid change of server certificate during renegotiation to prevent
1071: "triple handshake" attack when authentication mode is 'optional' (the
1072: attack was already impossible when authentication is required).
1073: * Check notBefore timestamp of certificates and CRLs from the future.
1074: * Forbid sequence number wrapping
1075: * Fixed possible buffer overflow with overlong PSK
1076: * Possible remotely-triggered out-of-bounds memory access fixed (found by
1077: TrustInSoft)
1078:
1079: Bugfix
1080: * ecp_gen_keypair() does more tries to prevent failure because of
1081: statistics
1082: * Fixed bug in RSA PKCS#1 v1.5 "reversed" operations
1083: * Fixed testing with out-of-source builds using cmake
1084: * Fixed version-major intolerance in server
1085: * Fixed CMake symlinking on out-of-source builds
1086: * Fixed dependency issues in test suite
1087: * Programs rsa_sign_pss and rsa_verify_pss were not using PSS since 1.3.0
1088: * Bignum's MIPS-32 assembly was used on MIPS-64, causing chaos. (Found by
1089: Alex Wilson.)
1090: * ssl_cache was creating entries when max_entries=0 if TIMING_C was enabled.
1091: * m_sleep() was sleeping twice too long on most Unix platforms.
1092: * Fixed bug with session tickets and non-blocking I/O in the unlikely case
1093: send() would return an EAGAIN error when sending the ticket.
1094: * ssl_cache was leaking memory when reusing a timed out entry containing a
1095: client certificate.
1096: * ssl_srv was leaking memory when client presented a timed out ticket
1097: containing a client certificate
1098: * ssl_init() was leaving a dirty pointer in ssl_context if malloc of
1099: out_ctr failed
1100: * ssl_handshake_init() was leaving dirty pointers in subcontexts if malloc
1101: of one of them failed
1102: * Fix typo in rsa_copy() that impacted PKCS#1 v2 contexts
1103: * x509_get_current_time() uses localtime_r() to prevent thread issues
1104:
1105: = PolarSSL 1.3.4 released on 2014-01-27
1106: Features
1107: * Support for the Koblitz curves: secp192k1, secp224k1, secp256k1
1108: * Support for RIPEMD-160
1109: * Support for AES CFB8 mode
1110: * Support for deterministic ECDSA (RFC 6979)
1111:
1112: Bugfix
1113: * Potential memory leak in bignum_selftest()
1114: * Replaced expired test certificate
1115: * ssl_mail_client now terminates lines with CRLF, instead of LF
1116: * net module handles timeouts on blocking sockets better (found by Tilman
1117: Sauerbeck)
1118: * Assembly format fixes in bn_mul.h
1119:
1120: Security
1121: * Missing MPI_CHK calls added around unguarded mpi calls (found by
1122: TrustInSoft)
1123:
1124: = PolarSSL 1.3.3 released on 2013-12-31
1125: Features
1126: * EC key generation support in gen_key app
1127: * Support for adhering to client ciphersuite order preference
1128: (POLARSSL_SSL_SRV_RESPECT_CLIENT_PREFERENCE)
1129: * Support for Curve25519
1130: * Support for ECDH-RSA and ECDH-ECDSA key exchanges and ciphersuites
1131: * Support for IPv6 in the NET module
1132: * AES-NI support for AES, AES-GCM and AES key scheduling
1133: * SSL Pthread-based server example added (ssl_pthread_server)
1134:
1135: Changes
1136: * gen_prime() speedup
1137: * Speedup of ECP multiplication operation
1138: * Relaxed some SHA2 ciphersuite's version requirements
1139: * Dropped use of readdir_r() instead of readdir() with threading support
1140: * More constant-time checks in the RSA module
1141: * Split off curves from ecp.c into ecp_curves.c
1142: * Curves are now stored fully in ROM
1143: * Memory usage optimizations in ECP module
1144: * Removed POLARSSL_THREADING_DUMMY
1145:
1146: Bugfix
1147: * Fixed bug in mpi_set_bit() on platforms where t_uint is wider than int
1148: * Fixed X.509 hostname comparison (with non-regular characters)
1149: * SSL now gracefully handles missing RNG
1150: * Missing defines / cases for RSA_PSK key exchange
1151: * crypt_and_hash app checks MAC before final decryption
1152: * Potential memory leak in ssl_ticket_keys_init()
1153: * Memory leak in benchmark application
1154: * Fixed x509_crt_parse_path() bug on Windows platforms
1155: * Added missing MPI_CHK() around some statements in mpi_div_mpi() (found by
1156: TrustInSoft)
1157: * Fixed potential overflow in certificate size verification in
1158: ssl_write_certificate() (found by TrustInSoft)
1159:
1160: Security
1161: * Possible remotely-triggered out-of-bounds memory access fixed (found by
1162: TrustInSoft)
1163:
1164: = PolarSSL 1.3.2 released on 2013-11-04
1165: Features
1166: * PK tests added to test framework
1167: * Added optional optimization for NIST MODP curves (POLARSSL_ECP_NIST_OPTIM)
1168: * Support for Camellia-GCM mode and ciphersuites
1169:
1170: Changes
1171: * Padding checks in cipher layer are now constant-time
1172: * Value comparisons in SSL layer are now constant-time
1173: * Support for serialNumber, postalAddress and postalCode in X509 names
1174: * SSL Renegotiation was refactored
1175:
1176: Bugfix
1177: * More stringent checks in cipher layer
1178: * Server does not send out extensions not advertised by client
1179: * Prevent possible alignment warnings on casting from char * to 'aligned *'
1180: * Misc fixes and additions to dependency checks
1181: * Const correctness
1182: * cert_write with selfsign should use issuer_name as subject_name
1183: * Fix ECDSA corner case: missing reduction mod N (found by DualTachyon)
1184: * Defines to handle UEFI environment under MSVC
1185: * Server-side initiated renegotiations send HelloRequest
1186:
1187: = PolarSSL 1.3.1 released on 2013-10-15
1188: Features
1189: * Support for Brainpool curves and TLS ciphersuites (RFC 7027)
1190: * Support for ECDHE-PSK key-exchange and ciphersuites
1191: * Support for RSA-PSK key-exchange and ciphersuites
1192:
1193: Changes
1194: * RSA blinding locks for a smaller amount of time
1195: * TLS compression only allocates working buffer once
1196: * Introduced POLARSSL_HAVE_READDIR_R for systems without it
1197: * config.h is more script-friendly
1198:
1199: Bugfix
1200: * Missing MSVC defines added
1201: * Compile errors with POLARSSL_RSA_NO_CRT
1202: * Header files with 'polarssl/'
1203: * Const correctness
1204: * Possible naming collision in dhm_context
1205: * Better support for MSVC
1206: * threading_set_alt() name
1207: * Added missing x509write_crt_set_version()
1208:
1209: = PolarSSL 1.3.0 released on 2013-10-01
1210: Features
1211: * Elliptic Curve Cryptography module added
1212: * Elliptic Curve Diffie Hellman module added
1213: * Ephemeral Elliptic Curve Diffie Hellman support for SSL/TLS
1214: (ECDHE-based ciphersuites)
1215: * Ephemeral Elliptic Curve Digital Signature Algorithm support for SSL/TLS
1216: (ECDSA-based ciphersuites)
1217: * Ability to specify allowed ciphersuites based on the protocol version.
1218: * PSK and DHE-PSK based ciphersuites added
1219: * Memory allocation abstraction layer added
1220: * Buffer-based memory allocator added (no malloc() / free() / HEAP usage)
1221: * Threading abstraction layer added (dummy / pthread / alternate)
1222: * Public Key abstraction layer added
1223: * Parsing Elliptic Curve keys
1224: * Parsing Elliptic Curve certificates
1225: * Support for max_fragment_length extension (RFC 6066)
1226: * Support for truncated_hmac extension (RFC 6066)
1227: * Support for zeros-and-length (ANSI X.923) padding, one-and-zeros
1228: (ISO/IEC 7816-4) padding and zero padding in the cipher layer
1229: * Support for session tickets (RFC 5077)
1230: * Certificate Request (CSR) generation with extensions (key_usage,
1231: ns_cert_type)
1232: * X509 Certificate writing with extensions (basic_constraints,
1233: issuer_key_identifier, etc)
1234: * Optional blinding for RSA, DHM and EC
1235: * Support for multiple active certificate / key pairs in SSL servers for
1236: the same host (Not to be confused with SNI!)
1237:
1238: Changes
1239: * Ability to enable / disable SSL v3 / TLS 1.0 / TLS 1.1 / TLS 1.2
1240: individually
1241: * Introduced separate SSL Ciphersuites module that is based on
1242: Cipher and MD information
1243: * Internals for SSL module adapted to have separate IV pointer that is
1244: dynamically set (Better support for hardware acceleration)
1245: * Moved all OID functionality to a separate module. RSA function
1246: prototypes for the RSA sign and verify functions changed as a result
1247: * Split up the GCM module into a starts/update/finish cycle
1248: * Client and server now filter sent and accepted ciphersuites on minimum
1249: and maximum protocol version
1250: * Ability to disable server_name extension (RFC 6066)
1251: * Renamed error_strerror() to the less conflicting polarssl_strerror()
1252: (Ability to keep old as well with POLARSSL_ERROR_STRERROR_BC)
1253: * SHA2 renamed to SHA256, SHA4 renamed to SHA512 and functions accordingly
1254: * All RSA operations require a random generator for blinding purposes
1255: * X509 core refactored
1256: * x509_crt_verify() now case insensitive for cn (RFC 6125 6.4)
1257: * Also compiles / runs without time-based functions (!POLARSSL_HAVE_TIME)
1258: * Support faulty X509 v1 certificates with extensions
1259: (POLARSSL_X509_ALLOW_EXTENSIONS_NON_V3)
1260:
1261: Bugfix
1262: * Fixed parse error in ssl_parse_certificate_request()
1263: * zlib compression/decompression skipped on empty blocks
1264: * Support for AIX header locations in net.c module
1265: * Fixed file descriptor leaks
1266:
1267: Security
1268: * RSA blinding on CRT operations to counter timing attacks
1269: (found by Cyril Arnaud and Pierre-Alain Fouque)
1270:
1271:
1272: = Version 1.2.14 released 2015-05-??
1273:
1274: Security
1275: * Fix potential invalid memory read in the server, that allows a client to
1276: crash it remotely (found by Caj Larsson).
1277: * Fix potential invalid memory read in certificate parsing, that allows a
1278: client to crash the server remotely if client authentication is enabled
1279: (found using Codenomicon Defensics).
1280: * Add countermeasure against "Lucky 13 strikes back" cache-based attack,
1281: https://dl.acm.org/citation.cfm?id=2714625
1282:
1283: Bugfix
1284: * Fix bug in Via Padlock support (found by Nikos Mavrogiannopoulos).
1285: * Fix hardclock() (only used in the benchmarking program) with some
1286: versions of mingw64 (found by kxjhlele).
1287: * Fix warnings from mingw64 in timing.c (found by kxjklele).
1288: * Fix potential unintended sign extension in asn1_get_len() on 64-bit
1289: platforms (found with Coverity Scan).
1290:
1291: = Version 1.2.13 released 2015-02-16
1292: Note: Although PolarSSL has been renamed to mbed TLS, no changes reflecting
1293: this will be made in the 1.2 branch at this point.
1294:
1295: Security
1296: * Fix remotely-triggerable uninitialised pointer dereference caused by
1297: crafted X.509 certificate (TLS server is not affected if it doesn't ask
1298: for a client certificate) (found using Codenomicon Defensics).
1299: * Fix remotely-triggerable memory leak caused by crafted X.509 certificates
1300: (TLS server is not affected if it doesn't ask for a client certificate)
1301: (found using Codenomicon Defensics).
1302: * Fix potential stack overflow while parsing crafted X.509 certificates
1303: (TLS server is not affected if it doesn't ask for a client certificate)
1304: found using Codenomicon Defensics).
1305: * Fix buffer overread of size 1 when parsing crafted X.509 certificates
1306: (TLS server is not affected if it doesn't ask for a client certificate).
1307:
1308: Bugfix
1309: * Fix potential undefined behaviour in Camellia.
1310: * Fix memory leaks in PKCS#5 and PKCS#12.
1311: * Stack buffer overflow if ctr_drbg_update() is called with too large
1312: add_len (found by Jean-Philippe Aumasson) (not triggerable remotely).
1313: * Fix bug in MPI/bignum on s390/s390x (reported by Dan Horák) (introduced
1314: in 1.2.12).
1315: * Fix unchecked return code in x509_crt_parse_path() on Windows (found by
1316: Peter Vaskovic).
1317: * Fix assembly selection for MIPS64 (thanks to James Cowgill).
1318: * ssl_get_verify_result() now works even if the handshake was aborted due
1319: to a failed verification (found by Fredrik Axelsson).
1320: * Skip writing and parsing signature_algorithm extension if none of the
1321: key exchanges enabled needs certificates. This fixes a possible interop
1322: issue with some servers when a zero-length extension was sent. (Reported
1323: by Peter Dettman.)
1324: * On a 0-length input, base64_encode() did not correctly set output length
1325: (found by Hendrik van den Boogaard).
1326:
1327: Changes
1328: * Blind RSA private operations even when POLARSSL_RSA_NO_CRT is defined.
1329: * Forbid repeated extensions in X.509 certificates.
1330: * Add compile-time option POLARSSL_X509_MAX_INTERMEDIATE_CA to limit the
1331: length of an X.509 verification chain (default = 8).
1332: = Version 1.2.12 released 2014-10-24
1333:
1334: Security
1335: * Remotely-triggerable memory leak when parsing some X.509 certificates
1336: (server is not affected if it doesn't ask for a client certificate).
1337: (Found using Codenomicon Defensics.)
1338:
1339: Bugfix
1340: * Fix potential bad read in parsing ServerHello (found by Adrien
1341: Vialletelle).
1342: * ssl_close_notify() could send more than one message in some circumstances
1343: with non-blocking I/O.
1344: * x509_crt_parse() did not increase total_failed on PEM error
1345: * Fix compiler warnings on iOS (found by Sander Niemeijer).
1346: * Don't print uninitialised buffer in ssl_mail_client (found by Marc Abel).
1347: * Fix net_accept() regarding non-blocking sockets (found by Luca Pesce).
1348: * ssl_read() could return non-application data records on server while
1349: renegotation was pending, and on client when a HelloRequest was received.
1350: * Fix warnings from Clang's scan-build (contributed by Alfred Klomp).
1351:
1352: Changes
1353: * X.509 certificates with more than one AttributeTypeAndValue per
1354: RelativeDistinguishedName are not accepted any more.
1355: * ssl_read() now returns POLARSSL_ERR_NET_WANT_READ rather than
1356: POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE on harmless alerts.
1357: * Accept spaces at end of line or end of buffer in base64_decode().
1358:
1359: = Version 1.2.11 released 2014-07-11
1360: Features
1361: * Entropy module now supports seed writing and reading
1362:
1363: Changes
1364: * Introduced POLARSSL_HAVE_READDIR_R for systems without it
1365: * Improvements to the CMake build system, contributed by Julian Ospald.
1366: * Work around a bug of the version of Clang shipped by Apple with Mavericks
1367: that prevented bignum.c from compiling. (Reported by Rafael Baptista.)
1368: * Improvements to tests/Makefile, contributed by Oden Eriksson.
1369: * Use UTC time to check certificate validity.
1370: * Reject certificates with times not in UTC, per RFC 5280.
1371: * Migrate zeroizing of data to polarssl_zeroize() instead of memset()
1372: against unwanted compiler optimizations
1373:
1374: Security
1375: * Forbid change of server certificate during renegotiation to prevent
1376: "triple handshake" attack when authentication mode is optional (the
1377: attack was already impossible when authentication is required).
1378: * Check notBefore timestamp of certificates and CRLs from the future.
1379: * Forbid sequence number wrapping
1380: * Prevent potential NULL pointer dereference in ssl_read_record() (found by
1381: TrustInSoft)
1382: * Fix length checking for AEAD ciphersuites (found by Codenomicon).
1383: It was possible to crash the server (and client) using crafted messages
1384: when a GCM suite was chosen.
1385:
1386: Bugfix
1387: * Fixed X.509 hostname comparison (with non-regular characters)
1388: * SSL now gracefully handles missing RNG
1389: * crypt_and_hash app checks MAC before final decryption
1390: * Fixed x509_crt_parse_path() bug on Windows platforms
1391: * Added missing MPI_CHK() around some statements in mpi_div_mpi() (found by
1392: TrustInSoft)
1393: * Fixed potential overflow in certificate size verification in
1394: ssl_write_certificate() (found by TrustInSoft)
1395: * Fix ASM format in bn_mul.h
1396: * Potential memory leak in bignum_selftest()
1397: * Replaced expired test certificate
1398: * ssl_mail_client now terminates lines with CRLF, instead of LF
1399: * Fix bug in RSA PKCS#1 v1.5 "reversed" operations
1400: * Fixed testing with out-of-source builds using cmake
1401: * Fixed version-major intolerance in server
1402: * Fixed CMake symlinking on out-of-source builds
1403: * Bignum's MIPS-32 assembly was used on MIPS-64, causing chaos. (Found by
1404: Alex Wilson.)
1405: * ssl_init() was leaving a dirty pointer in ssl_context if malloc of
1406: out_ctr failed
1407: * ssl_handshake_init() was leaving dirty pointers in subcontexts if malloc
1408: of one of them failed
1409: * x509_get_current_time() uses localtime_r() to prevent thread issues
1410: * Some example server programs were not sending the close_notify alert.
1411: * Potential memory leak in mpi_exp_mod() when error occurs during
1412: calculation of RR.
1413: * Improve interoperability by not writing extension length in ClientHello
1414: when no extensions are present (found by Matthew Page)
1415: * rsa_check_pubkey() now allows an E up to N
1416: * On OpenBSD, use arc4random_buf() instead of rand() to prevent warnings
1417: * mpi_fill_random() was creating numbers larger than requested on
1418: big-endian platform when size was not an integer number of limbs
1419: * Fix detection of DragonflyBSD in net.c (found by Markus Pfeiffer)
1420: * Stricter check on SSL ClientHello internal sizes compared to actual packet
1421: size (found by TrustInSoft)
1422: * Fix preprocessor checks for bn_mul PPC asm (found by Barry K. Nathan).
1423: * Use \n\t rather than semicolons for bn_mul asm, since some assemblers
1424: interpret semicolons as comment delimiters (found by Barry K. Nathan).
1425: * Disable broken Sparc64 bn_mul assembly (found by Florian Obser).
1426: * Fix base64_decode() to return and check length correctly (in case of
1427: tight buffers)
1428:
1429: = Version 1.2.10 released 2013-10-07
1430: Changes
1431: * Changed RSA blinding to a slower but thread-safe version
1432:
1433: Bugfix
1434: * Fixed memory leak in RSA as a result of introduction of blinding
1435: * Fixed ssl_pkcs11_decrypt() prototype
1436: * Fixed MSVC project files
1437:
1438: = Version 1.2.9 released 2013-10-01
1439: Changes
1440: * x509_verify() now case insensitive for cn (RFC 6125 6.4)
1441:
1442: Bugfix
1443: * Fixed potential memory leak when failing to resume a session
1444: * Fixed potential file descriptor leaks (found by Remi Gacogne)
1445: * Minor fixes
1446:
1447: Security
1448: * Fixed potential heap buffer overflow on large hostname setting
1449: * Fixed potential negative value misinterpretation in load_file()
1450: * RSA blinding on CRT operations to counter timing attacks
1451: (found by Cyril Arnaud and Pierre-Alain Fouque)
1452:
1453: = Version 1.2.8 released 2013-06-19
1454: Features
1455: * Parsing of PKCS#8 encrypted private key files
1456: * PKCS#12 PBE and derivation functions
1457: * Centralized module option values in config.h to allow user-defined
1458: settings without editing header files by using POLARSSL_CONFIG_OPTIONS
1459:
1460: Changes
1461: * HAVEGE random generator disabled by default
1462: * Internally split up x509parse_key() into a (PEM) handler function
1463: and specific DER parser functions for the PKCS#1 and unencrypted
1464: PKCS#8 private key formats
1465: * Added mechanism to provide alternative implementations for all
1466: symmetric cipher and hash algorithms (e.g. POLARSSL_AES_ALT in
1467: config.h)
1468: * PKCS#5 module added. Moved PBKDF2 functionality inside and deprecated
1469: old PBKDF2 module
1470:
1471: Bugfix
1472: * Secure renegotiation extension should only be sent in case client
1473: supports secure renegotiation
1474: * Fixed offset for cert_type list in ssl_parse_certificate_request()
1475: * Fixed const correctness issues that have no impact on the ABI
1476: * x509parse_crt() now better handles PEM error situations
1477: * ssl_parse_certificate() now calls x509parse_crt_der() directly
1478: instead of the x509parse_crt() wrapper that can also parse PEM
1479: certificates
1480: * x509parse_crtpath() is now reentrant and uses more portable stat()
1481: * Fixed bignum.c and bn_mul.h to support Thumb2 and LLVM compiler
1482: * Fixed values for 2-key Triple DES in cipher layer
1483: * ssl_write_certificate_request() can handle empty ca_chain
1484:
1485: Security
1486: * A possible DoS during the SSL Handshake, due to faulty parsing of
1487: PEM-encoded certificates has been fixed (found by Jack Lloyd)
1488:
1489: = Version 1.2.7 released 2013-04-13
1490: Features
1491: * Ability to specify allowed ciphersuites based on the protocol version.
1492:
1493: Changes
1494: * Default Blowfish keysize is now 128-bits
1495: * Test suites made smaller to accommodate Raspberry Pi
1496:
1497: Bugfix
1498: * Fix for MPI assembly for ARM
1499: * GCM adapted to support sizes > 2^29
1500:
1501: = Version 1.2.6 released 2013-03-11
1502: Bugfix
1503: * Fixed memory leak in ssl_free() and ssl_reset() for active session
1504: * Corrected GCM counter incrementation to use only 32-bits instead of
1505: 128-bits (found by Yawning Angel)
1506: * Fixes for 64-bit compilation with MS Visual Studio
1507: * Fixed net_bind() for specified IP addresses on little endian systems
1508: * Fixed assembly code for ARM (Thumb and regular) for some compilers
1509:
1510: Changes
1511: * Internally split up rsa_pkcs1_encrypt(), rsa_pkcs1_decrypt(),
1512: rsa_pkcs1_sign() and rsa_pkcs1_verify() to separate PKCS#1 v1.5 and
1513: PKCS#1 v2.1 functions
1514: * Added support for custom labels when using rsa_rsaes_oaep_encrypt()
1515: or rsa_rsaes_oaep_decrypt()
1516: * Re-added handling for SSLv2 Client Hello when the define
1517: POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO is set
1518: * The SSL session cache module (ssl_cache) now also retains peer_cert
1519: information (not the entire chain)
1520:
1521: Security
1522: * Removed further timing differences during SSL message decryption in
1523: ssl_decrypt_buf()
1524: * Removed timing differences due to bad padding from
1525: rsa_rsaes_pkcs1_v15_decrypt() and rsa_pkcs1_decrypt() for PKCS#1 v1.5
1526: operations
1527:
1528: = Version 1.2.5 released 2013-02-02
1529: Changes
1530: * Allow enabling of dummy error_strerror() to support some use-cases
1531: * Debug messages about padding errors during SSL message decryption are
1532: disabled by default and can be enabled with POLARSSL_SSL_DEBUG_ALL
1533: * Sending of security-relevant alert messages that do not break
1534: interoperability can be switched on/off with the flag
1535: POLARSSL_SSL_ALL_ALERT_MESSAGES
1536:
1537: Security
1538: * Removed timing differences during SSL message decryption in
1539: ssl_decrypt_buf() due to badly formatted padding
1540:
1541: = Version 1.2.4 released 2013-01-25
1542: Changes
1543: * More advanced SSL ciphersuite representation and moved to more dynamic
1544: SSL core
1545: * Added ssl_handshake_step() to allow single stepping the handshake process
1546:
1547: Bugfix
1548: * Memory leak when using RSA_PKCS_V21 operations fixed
1549: * Handle future version properly in ssl_write_certificate_request()
1550: * Correctly handle CertificateRequest message in client for <= TLS 1.1
1551: without DN list
1552:
1553: = Version 1.2.3 released 2012-11-26
1554: Bugfix
1555: * Server not always sending correct CertificateRequest message
1556:
1557: = Version 1.2.2 released 2012-11-24
1558: Changes
1559: * Added p_hw_data to ssl_context for context specific hardware acceleration
1560: data
1561: * During verify trust-CA is only checked for expiration and CRL presence
1562:
1563: Bugfixes
1564: * Fixed client authentication compatibility
1565: * Fixed dependency on POLARSSL_SHA4_C in SSL modules
1566:
1567: = Version 1.2.1 released 2012-11-20
1568: Changes
1569: * Depth that the certificate verify callback receives is now numbered
1570: bottom-up (Peer cert depth is 0)
1571:
1572: Bugfixes
1573: * Fixes for MSVC6
1574: * Moved mpi_inv_mod() outside POLARSSL_GENPRIME
1575: * Allow R and A to point to same mpi in mpi_div_mpi (found by Manuel
1576: Pégourié-Gonnard)
1577: * Fixed possible segfault in mpi_shift_r() (found by Manuel
1578: Pégourié-Gonnard)
1579: * Added max length check for rsa_pkcs1_sign with PKCS#1 v2.1
1580:
1581: = Version 1.2.0 released 2012-10-31
1582: Features
1583: * Added support for NULL cipher (POLARSSL_CIPHER_NULL_CIPHER) and weak
1584: ciphersuites (POLARSSL_ENABLE_WEAK_CIPHERSUITES). They are disabled by
1585: default!
1586: * Added support for wildcard certificates
1587: * Added support for multi-domain certificates through the X509 Subject
1588: Alternative Name extension
1589: * Added preliminary ASN.1 buffer writing support
1590: * Added preliminary X509 Certificate Request writing support
1591: * Added key_app_writer example application
1592: * Added cert_req example application
1593: * Added base Galois Counter Mode (GCM) for AES
1594: * Added TLS 1.2 support (RFC 5246)
1595: * Added GCM suites to TLS 1.2 (RFC 5288)
1596: * Added commandline error code convertor (util/strerror)
1597: * Added support for Hardware Acceleration hooking in SSL/TLS
1598: * Added OpenSSL / PolarSSL compatibility script (tests/compat.sh) and
1599: example application (programs/ssl/o_p_test) (requires OpenSSL)
1600: * Added X509 CA Path support
1601: * Added Thumb assembly optimizations
1602: * Added DEFLATE compression support as per RFC3749 (requires zlib)
1603: * Added blowfish algorithm (Generic and cipher layer)
1604: * Added PKCS#5 PBKDF2 key derivation function
1605: * Added Secure Renegotiation (RFC 5746)
1606: * Added predefined DHM groups from RFC 5114
1607: * Added simple SSL session cache implementation
1608: * Added ServerName extension parsing (SNI) at server side
1609: * Added option to add minimum accepted SSL/TLS protocol version
1610:
1611: Changes
1612: * Removed redundant POLARSSL_DEBUG_MSG define
1613: * AES code only check for Padlock once
1614: * Fixed const-correctness mpi_get_bit()
1615: * Documentation for mpi_lsb() and mpi_msb()
1616: * Moved out_msg to out_hdr + 32 to support hardware acceleration
1617: * Changed certificate verify behaviour to comply with RFC 6125 section 6.3
1618: to not match CN if subjectAltName extension is present (Closes ticket #56)
1619: * Cipher layer cipher_mode_t POLARSSL_MODE_CFB128 is renamed to
1620: POLARSSL_MODE_CFB, to also handle different block size CFB modes.
1621: * Removed handling for SSLv2 Client Hello (as per RFC 5246 recommendation)
1622: * Revamped session resumption handling
1623: * Generalized external private key implementation handling (like PKCS#11)
1624: in SSL/TLS
1625: * Revamped x509_verify() and the SSL f_vrfy callback implementations
1626: * Moved from unsigned long to fixed width uint32_t types throughout code
1627: * Renamed ciphersuites naming scheme to IANA reserved names
1628:
1629: Bugfix
1630: * Fixed handling error in mpi_cmp_mpi() on longer B values (found by
1631: Hui Dong)
1632: * Fixed potential heap corruption in x509_name allocation
1633: * Fixed single RSA test that failed on Big Endian systems (Closes ticket #54)
1634: * mpi_exp_mod() now correctly handles negative base numbers (Closes ticket
1635: #52)
1636: * Handle encryption with private key and decryption with public key as per
1637: RFC 2313
1638: * Handle empty certificate subject names
1639: * Prevent reading over buffer boundaries on X509 certificate parsing
1640: * mpi_add_abs() now correctly handles adding short numbers to long numbers
1641: with carry rollover (found by Ruslan Yushchenko)
1642: * Handle existence of OpenSSL Trust Extensions at end of X.509 DER blob
1643: * Fixed MPI assembly for SPARC64 platform
1644:
1645: Security
1646: * Fixed potential memory zeroization on miscrafted RSA key (found by Eloi
1647: Vanderbeken)
1648:
1649: = Version 1.1.8 released on 2013-10-01
1650: Bugfix
1651: * Fixed potential memory leak when failing to resume a session
1652: * Fixed potential file descriptor leaks
1653:
1654: Security
1655: * Potential buffer-overflow for ssl_read_record() (independently found by
1656: both TrustInSoft and Paul Brodeur of Leviathan Security Group)
1657: * Potential negative value misinterpretation in load_file()
1658: * Potential heap buffer overflow on large hostname setting
1659:
1660: = Version 1.1.7 released on 2013-06-19
1661: Changes
1662: * HAVEGE random generator disabled by default
1663:
1664: Bugfix
1665: * x509parse_crt() now better handles PEM error situations
1666: * ssl_parse_certificate() now calls x509parse_crt_der() directly
1667: instead of the x509parse_crt() wrapper that can also parse PEM
1668: certificates
1669: * Fixed values for 2-key Triple DES in cipher layer
1670: * ssl_write_certificate_request() can handle empty ca_chain
1671:
1672: Security
1673: * A possible DoS during the SSL Handshake, due to faulty parsing of
1674: PEM-encoded certificates has been fixed (found by Jack Lloyd)
1675:
1676: = Version 1.1.6 released on 2013-03-11
1677: Bugfix
1678: * Fixed net_bind() for specified IP addresses on little endian systems
1679:
1680: Changes
1681: * Allow enabling of dummy error_strerror() to support some use-cases
1682: * Debug messages about padding errors during SSL message decryption are
1683: disabled by default and can be enabled with POLARSSL_SSL_DEBUG_ALL
1684:
1685: Security
1686: * Removed timing differences during SSL message decryption in
1687: ssl_decrypt_buf()
1688: * Removed timing differences due to bad padding from
1689: rsa_rsaes_pkcs1_v15_decrypt() and rsa_pkcs1_decrypt() for PKCS#1 v1.5
1690: operations
1691:
1692: = Version 1.1.5 released on 2013-01-16
1693: Bugfix
1694: * Fixed MPI assembly for SPARC64 platform
1695: * Handle existence of OpenSSL Trust Extensions at end of X.509 DER blob
1696: * mpi_add_abs() now correctly handles adding short numbers to long numbers
1697: with carry rollover
1698: * Moved mpi_inv_mod() outside POLARSSL_GENPRIME
1699: * Prevent reading over buffer boundaries on X509 certificate parsing
1700: * mpi_exp_mod() now correctly handles negative base numbers (Closes ticket
1701: #52)
1702: * Fixed possible segfault in mpi_shift_r() (found by Manuel
1703: Pégourié-Gonnard)
1704: * Allow R and A to point to same mpi in mpi_div_mpi (found by Manuel
1705: Pégourié-Gonnard)
1706: * Added max length check for rsa_pkcs1_sign with PKCS#1 v2.1
1707: * Memory leak when using RSA_PKCS_V21 operations fixed
1708: * Handle encryption with private key and decryption with public key as per
1709: RFC 2313
1710: * Fixes for MSVC6
1711:
1712: Security
1713: * Fixed potential memory zeroization on miscrafted RSA key (found by Eloi
1714: Vanderbeken)
1715:
1716: = Version 1.1.4 released on 2012-05-31
1717: Bugfix
1718: * Correctly handle empty SSL/TLS packets (Found by James Yonan)
1719: * Fixed potential heap corruption in x509_name allocation
1720: * Fixed single RSA test that failed on Big Endian systems (Closes ticket #54)
1721:
1722: = Version 1.1.3 released on 2012-04-29
1723: Bugfix
1724: * Fixed random MPI generation to not generate more size than requested.
1725:
1726: = Version 1.1.2 released on 2012-04-26
1727: Bugfix
1728: * Fixed handling error in mpi_cmp_mpi() on longer B values (found by
1729: Hui Dong)
1730:
1731: Security
1732: * Fixed potential memory corruption on miscrafted client messages (found by
1733: Frama-C team at CEA LIST)
1734: * Fixed generation of DHM parameters to correct length (found by Ruslan
1735: Yushchenko)
1736:
1737: = Version 1.1.1 released on 2012-01-23
1738: Bugfix
1739: * Check for failed malloc() in ssl_set_hostname() and x509_get_entries()
1740: (Closes ticket #47, found by Hugo Leisink)
1741: * Fixed issues with Intel compiler on 64-bit systems (Closes ticket #50)
1742: * Fixed multiple compiler warnings for VS6 and armcc
1743: * Fixed bug in CTR_CRBG selftest
1744:
1745: = Version 1.1.0 released on 2011-12-22
1746: Features
1747: * Added ssl_session_reset() to allow better multi-connection pools of
1748: SSL contexts without needing to set all non-connection-specific
1749: data and pointers again. Adapted ssl_server to use this functionality.
1750: * Added ssl_set_max_version() to allow clients to offer a lower maximum
1751: supported version to a server to help buggy server implementations.
1752: (Closes ticket #36)
1753: * Added cipher_get_cipher_mode() and cipher_get_cipher_operation()
1754: introspection functions (Closes ticket #40)
1755: * Added CTR_DRBG based on AES-256-CTR (NIST SP 800-90) random generator
1756: * Added a generic entropy accumulator that provides support for adding
1757: custom entropy sources and added some generic and platform dependent
1758: entropy sources
1759:
1760: Changes
1761: * Documentation for AES and Camellia in modes CTR and CFB128 clarified.
1762: * Fixed rsa_encrypt and rsa_decrypt examples to use public key for
1763: encryption and private key for decryption. (Closes ticket #34)
1764: * Inceased maximum size of ASN1 length reads to 32-bits.
1765: * Added an EXPLICIT tag number parameter to x509_get_ext()
1766: * Added a separate CRL entry extension parsing function
1767: * Separated the ASN.1 parsing code from the X.509 specific parsing code.
1768: So now there is a module that is controlled with POLARSSL_ASN1_PARSE_C.
1769: * Changed the defined key-length of DES ciphers in cipher.h to include the
1770: parity bits, to prevent mistakes in copying data. (Closes ticket #33)
1771: * Loads of minimal changes to better support WINCE as a build target
1772: (Credits go to Marco Lizza)
1773: * Added POLARSSL_MPI_WINDOW_SIZE definition to allow easier time to memory
1774: trade-off
1775: * Introduced POLARSSL_MPI_MAX_SIZE and POLARSSL_MPI_MAX_BITS for MPI size
1776: management (Closes ticket #44)
1777: * Changed the used random function pointer to more flexible format. Renamed
1778: havege_rand() to havege_random() to prevent mistakes. Lots of changes as
1779: a consequence in library code and programs
1780: * Moved all examples programs to use the new entropy and CTR_DRBG
1781: * Added permissive certificate parsing to x509parse_crt() and
1782: x509parse_crtfile(). With permissive parsing the parsing does not stop on
1783: encountering a parse-error. Beware that the meaning of return values has
1784: changed!
1785: * All error codes are now negative. Even on mermory failures and IO errors.
1786:
1787: Bugfix
1788: * Fixed faulty HMAC-MD2 implementation. Found by dibac. (Closes
1789: ticket #37)
1790: * Fixed a bug where the CRL parser expected an EXPLICIT ASN.1 tag
1791: before version numbers
1792: * Allowed X509 key usage parsing to accept 4 byte values instead of the
1793: standard 1 byte version sometimes used by Microsoft. (Closes ticket #38)
1794: * Fixed incorrect behaviour in case of RSASSA-PSS with a salt length
1795: smaller than the hash length. (Closes ticket #41)
1796: * If certificate serial is longer than 32 octets, serial number is now
1797: appended with '....' after first 28 octets
1798: * Improved build support for s390x and sparc64 in bignum.h
1799: * Fixed MS Visual C++ name clash with int64 in sha4.h
1800: * Corrected removal of leading "00:" in printing serial numbers in
1801: certificates and CRLs
1802:
1803: = Version 1.0.0 released on 2011-07-27
1804: Features
1805: * Expanded cipher layer with support for CFB128 and CTR mode
1806: * Added rsa_encrypt and rsa_decrypt simple example programs.
1807:
1808: Changes
1809: * The generic cipher and message digest layer now have normal error
1810: codes instead of integers
1811:
1812: Bugfix
1813: * Undid faulty bug fix in ssl_write() when flushing old data (Ticket
1814: #18)
1815:
1816: = Version 0.99-pre5 released on 2011-05-26
1817: Features
1818: * Added additional Cipher Block Modes to symmetric ciphers
1819: (AES CTR, Camellia CTR, XTEA CBC) including the option to
1820: enable and disable individual modes when needed
1821: * Functions requiring File System functions can now be disabled
1822: by undefining POLARSSL_FS_IO
1823: * A error_strerror function() has been added to translate between
1824: error codes and their description.
1825: * Added mpi_get_bit() and mpi_set_bit() individual bit setter/getter
1826: functions.
1827: * Added ssl_mail_client and ssl_fork_server as example programs.
1828:
1829: Changes
1830: * Major argument / variable rewrite. Introduced use of size_t
1831: instead of int for buffer lengths and loop variables for
1832: better unsigned / signed use. Renamed internal bigint types
1833: t_int and t_dbl to t_uint and t_udbl in the process
1834: * mpi_init() and mpi_free() now only accept a single MPI
1835: argument and do not accept variable argument lists anymore.
1836: * The error codes have been remapped and combining error codes
1837: is now done with a PLUS instead of an OR as error codes
1838: used are negative.
1839: * Changed behaviour of net_read(), ssl_fetch_input() and ssl_recv().
1840: net_recv() now returns 0 on EOF instead of
1841: POLARSSL_ERR_NET_CONN_RESET. ssl_fetch_input() returns
1842: POLARSSL_ERR_SSL_CONN_EOF on an EOF from its f_recv() function.
1843: ssl_read() returns 0 if a POLARSSL_ERR_SSL_CONN_EOF is received
1844: after the handshake.
1845: * Network functions now return POLARSSL_ERR_NET_WANT_READ or
1846: POLARSSL_ERR_NET_WANT_WRITE instead of the ambiguous
1847: POLARSSL_ERR_NET_TRY_AGAIN
1848:
1849: = Version 0.99-pre4 released on 2011-04-01
1850: Features
1851: * Added support for PKCS#1 v2.1 encoding and thus support
1852: for the RSAES-OAEP and RSASSA-PSS operations.
1853: * Reading of Public Key files incorporated into default x509
1854: functionality as well.
1855: * Added mpi_fill_random() for centralized filling of big numbers
1856: with random data (Fixed ticket #10)
1857:
1858: Changes
1859: * Debug print of MPI now removes leading zero octets and
1860: displays actual bit size of the value.
1861: * x509parse_key() (and as a consequence x509parse_keyfile())
1862: does not zeroize memory in advance anymore. Use rsa_init()
1863: before parsing a key or keyfile!
1864:
1865: Bugfix
1866: * Debug output of MPI's now the same independent of underlying
1867: platform (32-bit / 64-bit) (Fixes ticket #19, found by Mads
1868: Kiilerich and Mihai Militaru)
1869: * Fixed bug in ssl_write() when flushing old data (Fixed ticket
1870: #18, found by Nikolay Epifanov)
1871: * Fixed proper handling of RSASSA-PSS verification with variable
1872: length salt lengths
1873:
1874: = Version 0.99-pre3 released on 2011-02-28
1875: This release replaces version 0.99-pre2 which had possible copyright issues.
1876: Features
1877: * Parsing PEM private keys encrypted with DES and AES
1878: are now supported as well (Fixes ticket #5)
1879: * Added crl_app program to allow easy reading and
1880: printing of X509 CRLs from file
1881:
1882: Changes
1883: * Parsing of PEM files moved to separate module (Fixes
1884: ticket #13). Also possible to remove PEM support for
1885: systems only using DER encoding
1886:
1887: Bugfixes
1888: * Corrected parsing of UTCTime dates before 1990 and
1889: after 1950
1890: * Support more exotic OID's when parsing certificates
1891: (found by Mads Kiilerich)
1892: * Support more exotic name representations when parsing
1893: certificates (found by Mads Kiilerich)
1894: * Replaced the expired test certificates
1895: * Do not bail out if no client certificate specified. Try
1896: to negotiate anonymous connection (Fixes ticket #12,
1897: found by Boris Krasnovskiy)
1898:
1899: Security fixes
1900: * Fixed a possible Man-in-the-Middle attack on the
1901: Diffie Hellman key exchange (thanks to Larry Highsmith,
1902: Subreption LLC)
1903:
1904: = Version 0.99-pre1 released on 2011-01-30
1905: Features
1906: Note: Most of these features have been donated by Fox-IT
1907: * Added Doxygen source code documentation parts
1908: * Added reading of DHM context from memory and file
1909: * Improved X509 certificate parsing to include extended
1910: certificate fields, including Key Usage
1911: * Improved certificate verification and verification
1912: against the available CRLs
1913: * Detection for DES weak keys and parity bits added
1914: * Improvements to support integration in other
1915: applications:
1916: + Added generic message digest and cipher wrapper
1917: + Improved information about current capabilities,
1918: status, objects and configuration
1919: + Added verification callback on certificate chain
1920: verification to allow external blacklisting
1921: + Additional example programs to show usage
1922: * Added support for PKCS#11 through the use of the
1923: libpkcs11-helper library
1924:
1925: Changes
1926: * x509parse_time_expired() checks time in addition to
1927: the existing date check
1928: * The ciphers member of ssl_context and the cipher member
1929: of ssl_session have been renamed to ciphersuites and
1930: ciphersuite respectively. This clarifies the difference
1931: with the generic cipher layer and is better naming
1932: altogether
1933:
1934: = Version 0.14.0 released on 2010-08-16
1935: Features
1936: * Added support for SSL_EDH_RSA_AES_128_SHA and
1937: SSL_EDH_RSA_CAMELLIA_128_SHA ciphersuites
1938: * Added compile-time and run-time version information
1939: * Expanded ssl_client2 arguments for more flexibility
1940: * Added support for TLS v1.1
1941:
1942: Changes
1943: * Made Makefile cleaner
1944: * Removed dependency on rand() in rsa_pkcs1_encrypt().
1945: Now using random fuction provided to function and
1946: changed the prototype of rsa_pkcs1_encrypt(),
1947: rsa_init() and rsa_gen_key().
1948: * Some SSL defines were renamed in order to avoid
1949: future confusion
1950:
1951: Bug fixes
1952: * Fixed CMake out of source build for tests (found by
1953: kkert)
1954: * rsa_check_private() now supports PKCS1v2 keys as well
1955: * Fixed deadlock in rsa_pkcs1_encrypt() on failing random
1956: generator
1957:
1958: = Version 0.13.1 released on 2010-03-24
1959: Bug fixes
1960: * Fixed Makefile in library that was mistakenly merged
1961: * Added missing const string fixes
1962:
1963: = Version 0.13.0 released on 2010-03-21
1964: Features
1965: * Added option parsing for host and port selection to
1966: ssl_client2
1967: * Added support for GeneralizedTime in X509 parsing
1968: * Added cert_app program to allow easy reading and
1969: printing of X509 certificates from file or SSL
1970: connection.
1971:
1972: Changes
1973: * Added const correctness for main code base
1974: * X509 signature algorithm determination is now
1975: in a function to allow easy future expansion
1976: * Changed symmetric cipher functions to
1977: identical interface (returning int result values)
1978: * Changed ARC4 to use separate input/output buffer
1979: * Added reset function for HMAC context as speed-up
1980: for specific use-cases
1981:
1982: Bug fixes
1983: * Fixed bug resulting in failure to send the last
1984: certificate in the chain in ssl_write_certificate() and
1985: ssl_write_certificate_request() (found by fatbob)
1986: * Added small fixes for compiler warnings on a Mac
1987: (found by Frank de Brabander)
1988: * Fixed algorithmic bug in mpi_is_prime() (found by
1989: Smbat Tonoyan)
1990:
1991: = Version 0.12.1 released on 2009-10-04
1992: Changes
1993: * Coverage test definitions now support 'depends_on'
1994: tagging system.
1995: * Tests requiring specific hashing algorithms now honor
1996: the defines.
1997:
1998: Bug fixes
1999: * Changed typo in #ifdef in x509parse.c (found
2000: by Eduardo)
2001:
2002: = Version 0.12.0 released on 2009-07-28
2003: Features
2004: * Added CMake makefiles as alternative to regular Makefiles.
2005: * Added preliminary Code Coverage tests for AES, ARC4,
2006: Base64, MPI, SHA-family, MD-family, HMAC-SHA-family,
2007: Camellia, DES, 3-DES, RSA PKCS#1, XTEA, Diffie-Hellman
2008: and X509parse.
2009:
2010: Changes
2011: * Error codes are not (necessarily) negative. Keep
2012: this is mind when checking for errors.
2013: * RSA_RAW renamed to SIG_RSA_RAW for consistency.
2014: * Fixed typo in name of POLARSSL_ERR_RSA_OUTPUT_TOO_LARGE.
2015: * Changed interface for AES and Camellia setkey functions
2016: to indicate invalid key lengths.
2017:
2018: Bug fixes
2019: * Fixed include location of endian.h on FreeBSD (found by
2020: Gabriel)
2021: * Fixed include location of endian.h and name clash on
2022: Apples (found by Martin van Hensbergen)
2023: * Fixed HMAC-MD2 by modifying md2_starts(), so that the
2024: required HMAC ipad and opad variables are not cleared.
2025: (found by code coverage tests)
2026: * Prevented use of long long in bignum if
2027: POLARSSL_HAVE_LONGLONG not defined (found by Giles
2028: Bathgate).
2029: * Fixed incorrect handling of negative strings in
2030: mpi_read_string() (found by code coverage tests).
2031: * Fixed segfault on handling empty rsa_context in
2032: rsa_check_pubkey() and rsa_check_privkey() (found by
2033: code coverage tests).
2034: * Fixed incorrect handling of one single negative input
2035: value in mpi_add_abs() (found by code coverage tests).
2036: * Fixed incorrect handling of negative first input
2037: value in mpi_sub_abs() (found by code coverage tests).
2038: * Fixed incorrect handling of negative first input
2039: value in mpi_mod_mpi() and mpi_mod_int(). Resulting
2040: change also affects mpi_write_string() (found by code
2041: coverage tests).
2042: * Corrected is_prime() results for 0, 1 and 2 (found by
2043: code coverage tests).
2044: * Fixed Camellia and XTEA for 64-bit Windows systems.
2045:
2046: = Version 0.11.1 released on 2009-05-17
2047: * Fixed missing functionality for SHA-224, SHA-256, SHA384,
2048: SHA-512 in rsa_pkcs1_sign()
2049:
2050: = Version 0.11.0 released on 2009-05-03
2051: * Fixed a bug in mpi_gcd() so that it also works when both
2052: input numbers are even and added testcases to check
2053: (found by Pierre Habouzit).
2054: * Added support for SHA-224, SHA-256, SHA-384 and SHA-512
2055: one way hash functions with the PKCS#1 v1.5 signing and
2056: verification.
2057: * Fixed minor bug regarding mpi_gcd located within the
2058: POLARSSL_GENPRIME block.
2059: * Fixed minor memory leak in x509parse_crt() and added better
2060: handling of 'full' certificate chains (found by Mathias
2061: Olsson).
2062: * Centralized file opening and reading for x509 files into
2063: load_file()
2064: * Made definition of net_htons() endian-clean for big endian
2065: systems (Found by Gernot).
2066: * Undefining POLARSSL_HAVE_ASM now also handles prevents asm in
2067: padlock and timing code.
2068: * Fixed an off-by-one buffer allocation in ssl_set_hostname()
2069: responsible for crashes and unwanted behaviour.
2070: * Added support for Certificate Revocation List (CRL) parsing.
2071: * Added support for CRL revocation to x509parse_verify() and
2072: SSL/TLS code.
2073: * Fixed compatibility of XTEA and Camellia on a 64-bit system
2074: (found by Felix von Leitner).
2075:
2076: = Version 0.10.0 released on 2009-01-12
2077: * Migrated XySSL to PolarSSL
2078: * Added XTEA symmetric cipher
2079: * Added Camellia symmetric cipher
2080: * Added support for ciphersuites: SSL_RSA_CAMELLIA_128_SHA,
2081: SSL_RSA_CAMELLIA_256_SHA and SSL_EDH_RSA_CAMELLIA_256_SHA
2082: * Fixed dangerous bug that can cause a heap overflow in
2083: rsa_pkcs1_decrypt (found by Christophe Devine)
2084:
2085: ================================================================
2086: XySSL ChangeLog
2087:
2088: = Version 0.9 released on 2008-03-16
2089:
2090: * Added support for ciphersuite: SSL_RSA_AES_128_SHA
2091: * Enabled support for large files by default in aescrypt2.c
2092: * Preliminary openssl wrapper contributed by David Barrett
2093: * Fixed a bug in ssl_write() that caused the same payload to
2094: be sent twice in non-blocking mode when send returns EAGAIN
2095: * Fixed ssl_parse_client_hello(): session id and challenge must
2096: not be swapped in the SSLv2 ClientHello (found by Greg Robson)
2097: * Added user-defined callback debug function (Krystian Kolodziej)
2098: * Before freeing a certificate, properly zero out all cert. data
2099: * Fixed the "mode" parameter so that encryption/decryption are
2100: not swapped on PadLock; also fixed compilation on older versions
2101: of gcc (bug reported by David Barrett)
2102: * Correctly handle the case in padlock_xcryptcbc() when input or
2103: ouput data is non-aligned by falling back to the software
2104: implementation, as VIA Nehemiah cannot handle non-aligned buffers
2105: * Fixed a memory leak in x509parse_crt() which was reported by Greg
2106: Robson-Garth; some x509write.c fixes by Pascal Vizeli, thanks to
2107: Matthew Page who reported several bugs
2108: * Fixed x509_get_ext() to accept some rare certificates which have
2109: an INTEGER instead of a BOOLEAN for BasicConstraints::cA.
2110: * Added support on the client side for the TLS "hostname" extension
2111: (patch contributed by David Patino)
2112: * Make x509parse_verify() return BADCERT_CN_MISMATCH when an empty
2113: string is passed as the CN (bug reported by spoofy)
2114: * Added an option to enable/disable the BN assembly code
2115: * Updated rsa_check_privkey() to verify that (D*E) = 1 % (P-1)*(Q-1)
2116: * Disabled obsolete hash functions by default (MD2, MD4); updated
2117: selftest and benchmark to not test ciphers that have been disabled
2118: * Updated x509parse_cert_info() to correctly display byte 0 of the
2119: serial number, setup correct server port in the ssl client example
2120: * Fixed a critical denial-of-service with X.509 cert. verification:
2121: peer may cause xyssl to loop indefinitely by sending a certificate
2122: for which the RSA signature check fails (bug reported by Benoit)
2123: * Added test vectors for: AES-CBC, AES-CFB, DES-CBC and 3DES-CBC,
2124: HMAC-MD5, HMAC-SHA1, HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512
2125: * Fixed HMAC-SHA-384 and HMAC-SHA-512 (thanks to Josh Sinykin)
2126: * Modified ssl_parse_client_key_exchange() to protect against
2127: Daniel Bleichenbacher attack on PKCS#1 v1.5 padding, as well
2128: as the Klima-Pokorny-Rosa extension of Bleichenbacher's attack
2129: * Updated rsa_gen_key() so that ctx->N is always nbits in size
2130: * Fixed assembly PPC compilation errors on Mac OS X, thanks to
2131: David Barrett and Dusan Semen
2132:
2133: = Version 0.8 released on 2007-10-20
2134:
2135: * Modified the HMAC functions to handle keys larger
2136: than 64 bytes, thanks to Stephane Desneux and gary ng
2137: * Fixed ssl_read_record() to properly update the handshake
2138: message digests, which fixes IE6/IE7 client authentication
2139: * Cleaned up the XYSSL* #defines, suggested by Azriel Fasten
2140: * Fixed net_recv(), thanks to Lorenz Schori and Egon Kocjan
2141: * Added user-defined callbacks for handling I/O and sessions
2142: * Added lots of debugging output in the SSL/TLS functions
2143: * Added preliminary X.509 cert. writing by Pascal Vizeli
2144: * Added preliminary support for the VIA PadLock routines
2145: * Added AES-CFB mode of operation, contributed by chmike
2146: * Added an SSL/TLS stress testing program (ssl_test.c)
2147: * Updated the RSA PKCS#1 code to allow choosing between
2148: RSA_PUBLIC and RSA_PRIVATE, as suggested by David Barrett
2149: * Updated ssl_read() to skip 0-length records from OpenSSL
2150: * Fixed the make install target to comply with *BSD make
2151: * Fixed a bug in mpi_read_binary() on 64-bit platforms
2152: * mpi_is_prime() speedups, thanks to Kevin McLaughlin
2153: * Fixed a long standing memory leak in mpi_is_prime()
2154: * Replaced realloc with malloc in mpi_grow(), and set
2155: the sign of zero as positive in mpi_init() (reported
2156: by Jonathan M. McCune)
2157:
2158: = Version 0.7 released on 2007-07-07
2159:
2160: * Added support for the MicroBlaze soft-core processor
2161: * Fixed a bug in ssl_tls.c which sometimes prevented SSL
2162: connections from being established with non-blocking I/O
2163: * Fixed a couple bugs in the VS6 and UNIX Makefiles
2164: * Fixed the "PIC register ebx clobbered in asm" bug
2165: * Added HMAC starts/update/finish support functions
2166: * Added the SHA-224, SHA-384 and SHA-512 hash functions
2167: * Fixed the net_set_*block routines, thanks to Andreas
2168: * Added a few demonstration programs: md5sum, sha1sum,
2169: dh_client, dh_server, rsa_genkey, rsa_sign, rsa_verify
2170: * Added new bignum import and export helper functions
2171: * Rewrote README.txt in program/ssl/ca to better explain
2172: how to create a test PKI
2173:
2174: = Version 0.6 released on 2007-04-01
2175:
2176: * Ciphers used in SSL/TLS can now be disabled at compile
2177: time, to reduce the memory footprint on embedded systems
2178: * Added multiply assembly code for the TriCore and modified
2179: havege_struct for this processor, thanks to David Patiño
2180: * Added multiply assembly code for 64-bit PowerPCs,
2181: thanks to Peking University and the OSU Open Source Lab
2182: * Added experimental support of Quantum Cryptography
2183: * Added support for autoconf, contributed by Arnaud Cornet
2184: * Fixed "long long" compilation issues on IA-64 and PPC64
2185: * Fixed a bug introduced in xyssl-0.5/timing.c: hardclock
2186: was not being correctly defined on ARM and MIPS
2187:
2188: = Version 0.5 released on 2007-03-01
2189:
2190: * Added multiply assembly code for SPARC and Alpha
2191: * Added (beta) support for non-blocking I/O operations
2192: * Implemented session resuming and client authentication
2193: * Fixed some portability issues on WinCE, MINIX 3, Plan9
2194: (thanks to Benjamin Newman), HP-UX, FreeBSD and Solaris
2195: * Improved the performance of the EDH key exchange
2196: * Fixed a bug that caused valid packets with a payload
2197: size of 16384 bytes to be rejected
2198:
2199: = Version 0.4 released on 2007-02-01
2200:
2201: * Added support for Ephemeral Diffie-Hellman key exchange
2202: * Added multiply asm code for SSE2, ARM, PPC, MIPS and M68K
2203: * Various improvement to the modular exponentiation code
2204: * Rewrote the headers to generate the API docs with doxygen
2205: * Fixed a bug in ssl_encrypt_buf (incorrect padding was
2206: generated) and in ssl_parse_client_hello (max. client
2207: version was not properly set), thanks to Didier Rebeix
2208: * Fixed another bug in ssl_parse_client_hello: clients with
2209: cipherlists larger than 96 bytes were incorrectly rejected
2210: * Fixed a couple memory leak in x509_read.c
2211:
2212: = Version 0.3 released on 2007-01-01
2213:
2214: * Added server-side SSLv3 and TLSv1.0 support
2215: * Multiple fixes to enhance the compatibility with g++,
2216: thanks to Xosé Antón Otero Ferreira
2217: * Fixed a bug in the CBC code, thanks to dowst; also,
2218: the bignum code is no longer dependent on long long
2219: * Updated rsa_pkcs1_sign to handle arbitrary large inputs
2220: * Updated timing.c for improved compatibility with i386
2221: and 486 processors, thanks to Arnaud Cornet
2222:
2223: = Version 0.2 released on 2006-12-01
2224:
2225: * Updated timing.c to support ARM and MIPS arch
2226: * Updated the MPI code to support 8086 on MSVC 1.5
2227: * Added the copyright notice at the top of havege.h
2228: * Fixed a bug in sha2_hmac, thanks to newsoft/Wenfang Zhang
2229: * Fixed a bug reported by Adrian Rüegsegger in x509_read_key
2230: * Fixed a bug reported by Torsten Lauter in ssl_read_record
2231: * Fixed a bug in rsa_check_privkey that would wrongly cause
2232: valid RSA keys to be dismissed (thanks to oldwolf)
2233: * Fixed a bug in mpi_is_prime that caused some primes to fail
2234: the Miller-Rabin primality test
2235:
2236: I'd also like to thank Younès Hafri for the CRUX linux port,
2237: Khalil Petit who added XySSL into pkgsrc and Arnaud Cornet
2238: who maintains the Debian package :-)
2239:
2240: = Version 0.1 released on 2006-11-01
2241:
CVSweb