mbed TLS upgraded to 2.6.0

Fork of mbedtls by Mark Radbourne

Committer:
Jasper Wallace
Date:
Fri Sep 29 19:50:30 2017 +0100
Revision:
2:bbdeda018a3c
Parent:
1:9ebc941037d5
Update to mbedtls 2.6.0, many changes.

Changes to mbedtls sources made:

in include/mbedtls/config.h comment out:

#define MBEDTLS_FS_IO
#define MBEDTLS_NET_C
#define MBEDTLS_TIMING_C

uncomment:

#define MBEDTLS_NO_PLATFORM_ENTROPY

remove the following directorys:

programs
yotta
visualc

Who changed what in which revision?

UserRevisionLine numberNew contents of line
markrad 0:cdf462088d13 1 mbed TLS ChangeLog (Sorted per branch, date)
markrad 0:cdf462088d13 2
Jasper Wallace 2:bbdeda018a3c 3 = mbed TLS 2.6.0 branch released 2017-08-10
Jasper Wallace 2:bbdeda018a3c 4
Jasper Wallace 2:bbdeda018a3c 5 Security
Jasper Wallace 2:bbdeda018a3c 6 * Fix authentication bypass in SSL/TLS: when authmode is set to optional,
Jasper Wallace 2:bbdeda018a3c 7 mbedtls_ssl_get_verify_result() would incorrectly return 0 when the peer's
Jasper Wallace 2:bbdeda018a3c 8 X.509 certificate chain had more than MBEDTLS_X509_MAX_INTERMEDIATE_CA
Jasper Wallace 2:bbdeda018a3c 9 (default: 8) intermediates, even when it was not trusted. This could be
Jasper Wallace 2:bbdeda018a3c 10 triggered remotely from either side. (With authmode set to 'required'
Jasper Wallace 2:bbdeda018a3c 11 (the default), the handshake was correctly aborted).
Jasper Wallace 2:bbdeda018a3c 12 * Reliably wipe sensitive data after use in the AES example applications
Jasper Wallace 2:bbdeda018a3c 13 programs/aes/aescrypt2 and programs/aes/crypt_and_hash.
Jasper Wallace 2:bbdeda018a3c 14 Found by Laurent Simon.
Jasper Wallace 2:bbdeda018a3c 15
Jasper Wallace 2:bbdeda018a3c 16 Features
Jasper Wallace 2:bbdeda018a3c 17 * Add the functions mbedtls_platform_setup() and mbedtls_platform_teardown()
Jasper Wallace 2:bbdeda018a3c 18 and the context struct mbedtls_platform_context to perform
Jasper Wallace 2:bbdeda018a3c 19 platform-specific setup and teardown operations. The macro
Jasper Wallace 2:bbdeda018a3c 20 MBEDTLS_PLATFORM_SETUP_TEARDOWN_ALT allows the functions to be overridden
Jasper Wallace 2:bbdeda018a3c 21 by the user in a platform_alt.h file. These new functions are required in
Jasper Wallace 2:bbdeda018a3c 22 some embedded environments to provide a means of initialising underlying
Jasper Wallace 2:bbdeda018a3c 23 cryptographic acceleration hardware.
Jasper Wallace 2:bbdeda018a3c 24
Jasper Wallace 2:bbdeda018a3c 25 API Changes
Jasper Wallace 2:bbdeda018a3c 26 * Reverted API/ABI breaking changes introduced in mbed TLS 2.5.1, to make the
Jasper Wallace 2:bbdeda018a3c 27 API consistent with mbed TLS 2.5.0. Specifically removed the inline
Jasper Wallace 2:bbdeda018a3c 28 qualifier from the functions mbedtls_aes_decrypt, mbedtls_aes_encrypt,
Jasper Wallace 2:bbdeda018a3c 29 mbedtls_ssl_ciphersuite_uses_ec and mbedtls_ssl_ciphersuite_uses_psk. Found
Jasper Wallace 2:bbdeda018a3c 30 by James Cowgill. #978
Jasper Wallace 2:bbdeda018a3c 31 * Certificate verification functions now set flags to -1 in case the full
Jasper Wallace 2:bbdeda018a3c 32 chain was not verified due to an internal error (including in the verify
Jasper Wallace 2:bbdeda018a3c 33 callback) or chain length limitations.
Jasper Wallace 2:bbdeda018a3c 34 * With authmode set to optional, the TLS handshake is now aborted if the
Jasper Wallace 2:bbdeda018a3c 35 verification of the peer's certificate failed due to an overlong chain or
Jasper Wallace 2:bbdeda018a3c 36 a fatal error in the verify callback.
Jasper Wallace 2:bbdeda018a3c 37
Jasper Wallace 2:bbdeda018a3c 38 Bugfix
Jasper Wallace 2:bbdeda018a3c 39 * Add a check if iv_len is zero in GCM, and return an error if it is zero.
Jasper Wallace 2:bbdeda018a3c 40 Reported by roberto. #716
Jasper Wallace 2:bbdeda018a3c 41 * Replace preprocessor condition from #if defined(MBEDTLS_THREADING_PTHREAD)
Jasper Wallace 2:bbdeda018a3c 42 to #if defined(MBEDTLS_THREADING_C) as the library cannot assume they will
Jasper Wallace 2:bbdeda018a3c 43 always be implemented by pthread support. #696
Jasper Wallace 2:bbdeda018a3c 44 * Fix a resource leak on Windows platforms in mbedtls_x509_crt_parse_path(),
Jasper Wallace 2:bbdeda018a3c 45 in the case of an error. Found by redplait. #590
Jasper Wallace 2:bbdeda018a3c 46 * Add MBEDTLS_MPI_CHK to check for error value of mbedtls_mpi_fill_random.
Jasper Wallace 2:bbdeda018a3c 47 Reported and fix suggested by guidovranken. #740
Jasper Wallace 2:bbdeda018a3c 48 * Fix conditional preprocessor directives in bignum.h to enable 64-bit
Jasper Wallace 2:bbdeda018a3c 49 compilation when using ARM Compiler 6.
Jasper Wallace 2:bbdeda018a3c 50 * Fix a potential integer overflow in the version verification for DER
Jasper Wallace 2:bbdeda018a3c 51 encoded X.509 CRLs. The overflow could enable maliciously constructed CRLs
Jasper Wallace 2:bbdeda018a3c 52 to bypass the version verification check. Found by Peng Li/Yueh-Hsun Lin,
Jasper Wallace 2:bbdeda018a3c 53 KNOX Security, Samsung Research America
Jasper Wallace 2:bbdeda018a3c 54 * Fix potential integer overflow in the version verification for DER
Jasper Wallace 2:bbdeda018a3c 55 encoded X.509 CSRs. The overflow could enable maliciously constructed CSRs
Jasper Wallace 2:bbdeda018a3c 56 to bypass the version verification check. Found by Peng Li/Yueh-Hsun Lin,
Jasper Wallace 2:bbdeda018a3c 57 KNOX Security, Samsung Research America
Jasper Wallace 2:bbdeda018a3c 58 * Fix a potential integer overflow in the version verification for DER
Jasper Wallace 2:bbdeda018a3c 59 encoded X.509 certificates. The overflow could enable maliciously
Jasper Wallace 2:bbdeda018a3c 60 constructed certificates to bypass the certificate verification check.
Jasper Wallace 2:bbdeda018a3c 61 * Fix a call to the libc function time() to call the platform abstraction
Jasper Wallace 2:bbdeda018a3c 62 function mbedtls_time() instead. Found by wairua. #666
Jasper Wallace 2:bbdeda018a3c 63 * Avoid shadowing of time and index functions through mbed TLS function
Jasper Wallace 2:bbdeda018a3c 64 arguments. Found by inestlerode. #557.
Jasper Wallace 2:bbdeda018a3c 65
Jasper Wallace 2:bbdeda018a3c 66 Changes
Jasper Wallace 2:bbdeda018a3c 67 * Added config.h option MBEDTLS_NO_UDBL_DIVISION, to prevent the use of
Jasper Wallace 2:bbdeda018a3c 68 64-bit division. This is useful on embedded platforms where 64-bit division
Jasper Wallace 2:bbdeda018a3c 69 created a dependency on external libraries. #708
Jasper Wallace 2:bbdeda018a3c 70 * Removed mutexes from ECP hardware accelerator code. Now all hardware
Jasper Wallace 2:bbdeda018a3c 71 accelerator code in the library leaves concurrency handling to the
Jasper Wallace 2:bbdeda018a3c 72 platform. Reported by Steven Cooreman. #863
Jasper Wallace 2:bbdeda018a3c 73 * Define the macro MBEDTLS_AES_ROM_TABLES in the configuration file
Jasper Wallace 2:bbdeda018a3c 74 config-no-entropy.h to reduce the RAM footprint.
Jasper Wallace 2:bbdeda018a3c 75 * Added a test script that can be hooked into git that verifies commits
Jasper Wallace 2:bbdeda018a3c 76 before they are pushed.
Jasper Wallace 2:bbdeda018a3c 77 * Improve documentation of PKCS1 decryption functions.
Jasper Wallace 2:bbdeda018a3c 78
Jasper Wallace 2:bbdeda018a3c 79 = mbed TLS 2.5.1 released 2017-06-21
Jasper Wallace 2:bbdeda018a3c 80
Jasper Wallace 2:bbdeda018a3c 81 Security
Jasper Wallace 2:bbdeda018a3c 82 * Fixed unlimited overread of heap-based buffer in mbedtls_ssl_read().
Jasper Wallace 2:bbdeda018a3c 83 The issue could only happen client-side with renegotiation enabled.
Jasper Wallace 2:bbdeda018a3c 84 Could result in DoS (application crash) or information leak
Jasper Wallace 2:bbdeda018a3c 85 (if the application layer sent data read from mbedtls_ssl_read()
Jasper Wallace 2:bbdeda018a3c 86 back to the server or to a third party). Can be triggered remotely.
Jasper Wallace 2:bbdeda018a3c 87 * Removed SHA-1 and RIPEMD-160 from the default hash algorithms for
Jasper Wallace 2:bbdeda018a3c 88 certificate verification. SHA-1 can be turned back on with a compile-time
Jasper Wallace 2:bbdeda018a3c 89 option if needed.
Jasper Wallace 2:bbdeda018a3c 90 * Fixed offset in FALLBACK_SCSV parsing that caused TLS server to fail to
Jasper Wallace 2:bbdeda018a3c 91 detect it sometimes. Reported by Hugo Leisink. #810
Jasper Wallace 2:bbdeda018a3c 92 * Tighten parsing of RSA PKCS#1 v1.5 signatures, to avoid a
Jasper Wallace 2:bbdeda018a3c 93 potential Bleichenbacher/BERserk-style attack.
Jasper Wallace 2:bbdeda018a3c 94
Jasper Wallace 2:bbdeda018a3c 95 Bugfix
Jasper Wallace 2:bbdeda018a3c 96 * Remove size zero arrays from ECJPAKE test suite. Size zero arrays are not
Jasper Wallace 2:bbdeda018a3c 97 valid C and they prevented the test from compiling in Visual Studio 2015
Jasper Wallace 2:bbdeda018a3c 98 and with GCC using the -Wpedantic compilation option.
Jasper Wallace 2:bbdeda018a3c 99 * Fix insufficient support for signature-hash-algorithm extension,
Jasper Wallace 2:bbdeda018a3c 100 resulting in compatibility problems with Chrome. Found by hfloyrd. #823
Jasper Wallace 2:bbdeda018a3c 101 * Fix behaviour that hid the original cause of fatal alerts in some cases
Jasper Wallace 2:bbdeda018a3c 102 when sending the alert failed. The fix makes sure not to hide the error
Jasper Wallace 2:bbdeda018a3c 103 that triggered the alert.
Jasper Wallace 2:bbdeda018a3c 104 * Fix SSLv3 renegotiation behaviour and stop processing data received from
Jasper Wallace 2:bbdeda018a3c 105 peer after sending a fatal alert to refuse a renegotiation attempt.
Jasper Wallace 2:bbdeda018a3c 106 Previous behaviour was to keep processing data even after the alert has
Jasper Wallace 2:bbdeda018a3c 107 been sent.
Jasper Wallace 2:bbdeda018a3c 108 * Accept empty trusted CA chain in authentication mode
Jasper Wallace 2:bbdeda018a3c 109 MBEDTLS_SSL_VERIFY_OPTIONAL.
Jasper Wallace 2:bbdeda018a3c 110 Found by jethrogb. #864
Jasper Wallace 2:bbdeda018a3c 111 * Fix implementation of mbedtls_ssl_parse_certificate() to not annihilate
Jasper Wallace 2:bbdeda018a3c 112 fatal errors in authentication mode MBEDTLS_SSL_VERIFY_OPTIONAL and to
Jasper Wallace 2:bbdeda018a3c 113 reflect bad EC curves within verification result.
Jasper Wallace 2:bbdeda018a3c 114 * Fix bug that caused the modular inversion function to accept the invalid
Jasper Wallace 2:bbdeda018a3c 115 modulus 1 and therefore to hang. Found by blaufish. #641.
Jasper Wallace 2:bbdeda018a3c 116 * Fix incorrect sign computation in modular exponentiation when the base is
Jasper Wallace 2:bbdeda018a3c 117 a negative MPI. Previously the result was always negative. Found by Guido
Jasper Wallace 2:bbdeda018a3c 118 Vranken.
Jasper Wallace 2:bbdeda018a3c 119 * Fix a numerical underflow leading to stack overflow in mpi_read_file()
Jasper Wallace 2:bbdeda018a3c 120 that was triggered uppon reading an empty line. Found by Guido Vranken.
Jasper Wallace 2:bbdeda018a3c 121
Jasper Wallace 2:bbdeda018a3c 122 Changes
Jasper Wallace 2:bbdeda018a3c 123 * Send fatal alerts in more cases. The previous behaviour was to skip
Jasper Wallace 2:bbdeda018a3c 124 sending the fatal alert and just drop the connection.
Jasper Wallace 2:bbdeda018a3c 125 * Clarify ECDSA documentation and improve the sample code to avoid
Jasper Wallace 2:bbdeda018a3c 126 misunderstanding and potentially dangerous use of the API. Pointed out
Jasper Wallace 2:bbdeda018a3c 127 by Jean-Philippe Aumasson.
Jasper Wallace 2:bbdeda018a3c 128
Jasper Wallace 2:bbdeda018a3c 129 = mbed TLS 2.5.0 branch released 2017-05-17
Jasper Wallace 2:bbdeda018a3c 130
Jasper Wallace 2:bbdeda018a3c 131 Security
Jasper Wallace 2:bbdeda018a3c 132 * Wipe stack buffers in RSA private key operations
Jasper Wallace 2:bbdeda018a3c 133 (rsa_rsaes_pkcs1_v15_decrypt(), rsa_rsaes_oaep_decrypt). Found by Laurent
Jasper Wallace 2:bbdeda018a3c 134 Simon.
Jasper Wallace 2:bbdeda018a3c 135 * Add exponent blinding to RSA private operations as a countermeasure
Jasper Wallace 2:bbdeda018a3c 136 against side-channel attacks like the cache attack described in
Jasper Wallace 2:bbdeda018a3c 137 https://arxiv.org/abs/1702.08719v2.
Jasper Wallace 2:bbdeda018a3c 138 Found and fix proposed by Michael Schwarz, Samuel Weiser, Daniel Gruss,
Jasper Wallace 2:bbdeda018a3c 139 Clémentine Maurice and Stefan Mangard.
Jasper Wallace 2:bbdeda018a3c 140
Jasper Wallace 2:bbdeda018a3c 141 Features
Jasper Wallace 2:bbdeda018a3c 142 * Add hardware acceleration support for the Elliptic Curve Point module.
Jasper Wallace 2:bbdeda018a3c 143 This involved exposing parts of the internal interface to enable
Jasper Wallace 2:bbdeda018a3c 144 replacing the core functions and adding and alternative, module level
Jasper Wallace 2:bbdeda018a3c 145 replacement support for enabling the extension of the interface.
Jasper Wallace 2:bbdeda018a3c 146 * Add a new configuration option to 'mbedtls_ssl_config' to enable
Jasper Wallace 2:bbdeda018a3c 147 suppressing the CA list in Certificate Request messages. The default
Jasper Wallace 2:bbdeda018a3c 148 behaviour has not changed, namely every configured CAs name is included.
Jasper Wallace 2:bbdeda018a3c 149
Jasper Wallace 2:bbdeda018a3c 150 API Changes
Jasper Wallace 2:bbdeda018a3c 151 * The following functions in the AES module have been deprecated and replaced
Jasper Wallace 2:bbdeda018a3c 152 by the functions shown below. The new functions change the return type from
Jasper Wallace 2:bbdeda018a3c 153 void to int to allow returning error codes when using MBEDTLS_AES_ALT,
Jasper Wallace 2:bbdeda018a3c 154 MBEDTLS_AES_DECRYPT_ALT or MBEDTLS_AES_ENCRYPT_ALT.
Jasper Wallace 2:bbdeda018a3c 155 mbedtls_aes_decrypt() -> mbedtls_internal_aes_decrypt()
Jasper Wallace 2:bbdeda018a3c 156 mbedtls_aes_encrypt() -> mbedtls_internal_aes_encrypt()
Jasper Wallace 2:bbdeda018a3c 157
Jasper Wallace 2:bbdeda018a3c 158 Bugfix
Jasper Wallace 2:bbdeda018a3c 159 * Remove macros from compat-1.3.h that correspond to deleted items from most
Jasper Wallace 2:bbdeda018a3c 160 recent versions of the library. Found by Kyle Keen.
Jasper Wallace 2:bbdeda018a3c 161 * Fixed issue in the Threading module that prevented mutexes from
Jasper Wallace 2:bbdeda018a3c 162 initialising. Found by sznaider. #667 #843
Jasper Wallace 2:bbdeda018a3c 163 * Add checks in the PK module for the RSA functions on 64-bit systems.
Jasper Wallace 2:bbdeda018a3c 164 The PK and RSA modules use different types for passing hash length and
Jasper Wallace 2:bbdeda018a3c 165 without these checks the type cast could lead to data loss. Found by Guido
Jasper Wallace 2:bbdeda018a3c 166 Vranken.
Jasper Wallace 2:bbdeda018a3c 167
Jasper Wallace 1:9ebc941037d5 168 = mbed TLS 2.4.2 branch released 2017-03-08
Jasper Wallace 1:9ebc941037d5 169
Jasper Wallace 1:9ebc941037d5 170 Security
Jasper Wallace 1:9ebc941037d5 171 * Add checks to prevent signature forgeries for very large messages while
Jasper Wallace 1:9ebc941037d5 172 using RSA through the PK module in 64-bit systems. The issue was caused by
Jasper Wallace 1:9ebc941037d5 173 some data loss when casting a size_t to an unsigned int value in the
Jasper Wallace 1:9ebc941037d5 174 functions rsa_verify_wrap(), rsa_sign_wrap(), rsa_alt_sign_wrap() and
Jasper Wallace 1:9ebc941037d5 175 mbedtls_pk_sign(). Found by Jean-Philippe Aumasson.
Jasper Wallace 1:9ebc941037d5 176 * Fixed potential livelock during the parsing of a CRL in PEM format in
Jasper Wallace 1:9ebc941037d5 177 mbedtls_x509_crl_parse(). A string containing a CRL followed by trailing
Jasper Wallace 1:9ebc941037d5 178 characters after the footer could result in the execution of an infinite
Jasper Wallace 1:9ebc941037d5 179 loop. The issue can be triggered remotely. Found by Greg Zaverucha,
Jasper Wallace 1:9ebc941037d5 180 Microsoft.
Jasper Wallace 1:9ebc941037d5 181 * Removed MD5 from the allowed hash algorithms for CertificateRequest and
Jasper Wallace 1:9ebc941037d5 182 CertificateVerify messages, to prevent SLOTH attacks against TLS 1.2.
Jasper Wallace 1:9ebc941037d5 183 Introduced by interoperability fix for #513.
Jasper Wallace 1:9ebc941037d5 184 * Fixed a bug that caused freeing a buffer that was allocated on the stack,
Jasper Wallace 1:9ebc941037d5 185 when verifying the validity of a key on secp224k1. This could be
Jasper Wallace 1:9ebc941037d5 186 triggered remotely for example with a maliciously constructed certificate
Jasper Wallace 1:9ebc941037d5 187 and potentially could lead to remote code execution on some platforms.
Jasper Wallace 1:9ebc941037d5 188 Reported independently by rongsaws and Aleksandar Nikolic, Cisco Talos
Jasper Wallace 1:9ebc941037d5 189 team. #569 CVE-2017-2784
Jasper Wallace 1:9ebc941037d5 190
Jasper Wallace 1:9ebc941037d5 191 Bugfix
Jasper Wallace 1:9ebc941037d5 192 * Fix output certificate verification flags set by x509_crt_verify_top() when
Jasper Wallace 1:9ebc941037d5 193 traversing a chain of trusted CA. The issue would cause both flags,
Jasper Wallace 1:9ebc941037d5 194 MBEDTLS_X509_BADCERT_NOT_TRUSTED and MBEDTLS_X509_BADCERT_EXPIRED, to be
Jasper Wallace 1:9ebc941037d5 195 set when the verification conditions are not met regardless of the cause.
Jasper Wallace 1:9ebc941037d5 196 Found by Harm Verhagen and inestlerode. #665 #561
Jasper Wallace 1:9ebc941037d5 197 * Fix the redefinition of macro ssl_set_bio to an undefined symbol
Jasper Wallace 1:9ebc941037d5 198 mbedtls_ssl_set_bio_timeout in compat-1.3.h, by removing it.
Jasper Wallace 1:9ebc941037d5 199 Found by omlib-lin. #673
Jasper Wallace 1:9ebc941037d5 200 * Fix unused variable/function compilation warnings in pem.c, x509_crt.c and
Jasper Wallace 1:9ebc941037d5 201 x509_csr.c that are reported when building mbed TLS with a config.h that
Jasper Wallace 1:9ebc941037d5 202 does not define MBEDTLS_PEM_PARSE_C. Found by omnium21. #562
Jasper Wallace 1:9ebc941037d5 203 * Fix incorrect renegotiation condition in ssl_check_ctr_renegotiate() that
Jasper Wallace 1:9ebc941037d5 204 would compare 64 bits of the record counter instead of 48 bits as indicated
Jasper Wallace 1:9ebc941037d5 205 in RFC 6347 Section 4.3.1. This could cause the execution of the
Jasper Wallace 1:9ebc941037d5 206 renegotiation routines at unexpected times when the protocol is DTLS. Found
Jasper Wallace 1:9ebc941037d5 207 by wariua. #687
Jasper Wallace 1:9ebc941037d5 208 * Fixed multiple buffer overreads in mbedtls_pem_read_buffer() when parsing
Jasper Wallace 1:9ebc941037d5 209 the input string in PEM format to extract the different components. Found
Jasper Wallace 1:9ebc941037d5 210 by Eyal Itkin.
Jasper Wallace 1:9ebc941037d5 211 * Fixed potential arithmetic overflow in mbedtls_ctr_drbg_reseed() that could
Jasper Wallace 1:9ebc941037d5 212 cause buffer bound checks to be bypassed. Found by Eyal Itkin.
Jasper Wallace 1:9ebc941037d5 213 * Fixed potential arithmetic overflows in mbedtls_cipher_update() that could
Jasper Wallace 1:9ebc941037d5 214 cause buffer bound checks to be bypassed. Found by Eyal Itkin.
Jasper Wallace 1:9ebc941037d5 215 * Fixed potential arithmetic overflow in mbedtls_md2_update() that could
Jasper Wallace 1:9ebc941037d5 216 cause buffer bound checks to be bypassed. Found by Eyal Itkin.
Jasper Wallace 1:9ebc941037d5 217 * Fixed potential arithmetic overflow in mbedtls_base64_decode() that could
Jasper Wallace 1:9ebc941037d5 218 cause buffer bound checks to be bypassed. Found by Eyal Itkin.
Jasper Wallace 1:9ebc941037d5 219 * Fixed heap overreads in mbedtls_x509_get_time(). Found by Peng
Jasper Wallace 1:9ebc941037d5 220 Li/Yueh-Hsun Lin, KNOX Security, Samsung Research America.
Jasper Wallace 1:9ebc941037d5 221 * Fix potential memory leak in mbedtls_x509_crl_parse(). The leak was caused
Jasper Wallace 1:9ebc941037d5 222 by missing calls to mbedtls_pem_free() in cases when a
Jasper Wallace 1:9ebc941037d5 223 MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT error was encountered. Found and
Jasper Wallace 1:9ebc941037d5 224 fix proposed by Guido Vranken. #722
Jasper Wallace 1:9ebc941037d5 225 * Fixed the templates used to generate project and solution files for Visual
Jasper Wallace 1:9ebc941037d5 226 Studio 2015 as well as the files themselves, to remove a build warning
Jasper Wallace 1:9ebc941037d5 227 generated in Visual Studio 2015. Reported by Steve Valliere. #742
Jasper Wallace 1:9ebc941037d5 228 * Fix a resource leak in ssl_cookie, when using MBEDTLS_THREADING_C.
Jasper Wallace 1:9ebc941037d5 229 Raised and fix suggested by Alan Gillingham in the mbed TLS forum. #771
Jasper Wallace 1:9ebc941037d5 230 * Fix 1 byte buffer overflow in mbedtls_mpi_write_string() when the MPI
Jasper Wallace 1:9ebc941037d5 231 number to write in hexadecimal is negative and requires an odd number of
Jasper Wallace 1:9ebc941037d5 232 digits. Found and fixed by Guido Vranken.
Jasper Wallace 1:9ebc941037d5 233 * Fix unlisted DES configuration dependency in some pkparse test cases. Found
Jasper Wallace 1:9ebc941037d5 234 by inestlerode. #555
Jasper Wallace 1:9ebc941037d5 235
markrad 0:cdf462088d13 236 = mbed TLS 2.4.1 branch released 2016-12-13
markrad 0:cdf462088d13 237
markrad 0:cdf462088d13 238 Changes
markrad 0:cdf462088d13 239 * Update to CMAC test data, taken from - NIST Special Publication 800-38B -
markrad 0:cdf462088d13 240 Recommendation for Block Cipher Modes of Operation: The CMAC Mode for
markrad 0:cdf462088d13 241 Authentication – October 2016
markrad 0:cdf462088d13 242
markrad 0:cdf462088d13 243 = mbed TLS 2.4.0 branch released 2016-10-17
markrad 0:cdf462088d13 244
markrad 0:cdf462088d13 245 Security
markrad 0:cdf462088d13 246 * Removed the MBEDTLS_SSL_AEAD_RANDOM_IV option, because it was not compliant
markrad 0:cdf462088d13 247 with RFC-5116 and could lead to session key recovery in very long TLS
markrad 0:cdf462088d13 248 sessions. "Nonce-Disrespecting Adversaries Practical Forgery Attacks on GCM in
markrad 0:cdf462088d13 249 TLS" - H. Bock, A. Zauner, S. Devlin, J. Somorovsky, P. Jovanovic.
markrad 0:cdf462088d13 250 https://eprint.iacr.org/2016/475.pdf
markrad 0:cdf462088d13 251 * Fixed potential stack corruption in mbedtls_x509write_crt_der() and
markrad 0:cdf462088d13 252 mbedtls_x509write_csr_der() when the signature is copied to the buffer
markrad 0:cdf462088d13 253 without checking whether there is enough space in the destination. The
markrad 0:cdf462088d13 254 issue cannot be triggered remotely. Found by Jethro Beekman.
markrad 0:cdf462088d13 255
markrad 0:cdf462088d13 256 Features
markrad 0:cdf462088d13 257 * Added support for CMAC for AES and 3DES and AES-CMAC-PRF-128, as defined by
markrad 0:cdf462088d13 258 NIST SP 800-38B, RFC-4493 and RFC-4615.
markrad 0:cdf462088d13 259 * Added hardware entropy selftest to verify that the hardware entropy source
markrad 0:cdf462088d13 260 is functioning correctly.
markrad 0:cdf462088d13 261 * Added a script to print build environment info for diagnostic use in test
markrad 0:cdf462088d13 262 scripts, which is also now called by all.sh.
markrad 0:cdf462088d13 263 * Added the macro MBEDTLS_X509_MAX_FILE_PATH_LEN that enables the user to
markrad 0:cdf462088d13 264 configure the maximum length of a file path that can be buffered when
markrad 0:cdf462088d13 265 calling mbedtls_x509_crt_parse_path().
markrad 0:cdf462088d13 266 * Added a configuration file config-no-entropy.h that configures the subset of
markrad 0:cdf462088d13 267 library features that do not require an entropy source.
markrad 0:cdf462088d13 268 * Added the macro MBEDTLS_ENTROPY_MIN_HARDWARE in config.h. This allows users
markrad 0:cdf462088d13 269 to configure the minimum number of bytes for entropy sources using the
markrad 0:cdf462088d13 270 mbedtls_hardware_poll() function.
markrad 0:cdf462088d13 271
markrad 0:cdf462088d13 272 Bugfix
markrad 0:cdf462088d13 273 * Fix for platform time abstraction to avoid dependency issues where a build
markrad 0:cdf462088d13 274 may need time but not the standard C library abstraction, and added
markrad 0:cdf462088d13 275 configuration consistency checks to check_config.h
markrad 0:cdf462088d13 276 * Fix dependency issue in Makefile to allow parallel builds.
markrad 0:cdf462088d13 277 * Fix incorrect handling of block lengths in crypt_and_hash.c sample program,
markrad 0:cdf462088d13 278 when GCM is used. Found by udf2457. #441
markrad 0:cdf462088d13 279 * Fix for key exchanges based on ECDH-RSA or ECDH-ECDSA which weren't
markrad 0:cdf462088d13 280 enabled unless others were also present. Found by David Fernandez. #428
markrad 0:cdf462088d13 281 * Fix for out-of-tree builds using CMake. Found by jwurzer, and fix based on
markrad 0:cdf462088d13 282 a contribution from Tobias Tangemann. #541
markrad 0:cdf462088d13 283 * Fixed cert_app.c sample program for debug output and for use when no root
markrad 0:cdf462088d13 284 certificates are provided.
markrad 0:cdf462088d13 285 * Fix conditional statement that would cause a 1 byte overread in
markrad 0:cdf462088d13 286 mbedtls_asn1_get_int(). Found and fixed by Guido Vranken. #599
markrad 0:cdf462088d13 287 * Fixed pthread implementation to avoid unintended double initialisations
markrad 0:cdf462088d13 288 and double frees. Found by Niklas Amnebratt.
markrad 0:cdf462088d13 289 * Fixed the sample applications gen_key.c, cert_req.c and cert_write.c for
markrad 0:cdf462088d13 290 builds where the configuration MBEDTLS_PEM_WRITE_C is not defined. Found
markrad 0:cdf462088d13 291 by inestlerode. #559.
markrad 0:cdf462088d13 292 * Fix mbedtls_x509_get_sig() to update the ASN1 type in the mbedtls_x509_buf
markrad 0:cdf462088d13 293 data structure until after error checks are successful. Found by
markrad 0:cdf462088d13 294 subramanyam-c. #622
markrad 0:cdf462088d13 295 * Fix documentation and implementation missmatch for function arguments of
markrad 0:cdf462088d13 296 mbedtls_gcm_finish(). Found by cmiatpaar. #602
markrad 0:cdf462088d13 297 * Guarantee that P>Q at RSA key generation. Found by inestlerode. #558
markrad 0:cdf462088d13 298 * Fix potential byte overread when verifying malformed SERVER_HELLO in
markrad 0:cdf462088d13 299 ssl_parse_hello_verify_request() for DTLS. Found by Guido Vranken.
markrad 0:cdf462088d13 300 * Fix check for validity of date when parsing in mbedtls_x509_get_time().
markrad 0:cdf462088d13 301 Found by subramanyam-c. #626
markrad 0:cdf462088d13 302 * Fix compatibility issue with Internet Explorer client authentication,
markrad 0:cdf462088d13 303 where the limited hash choices prevented the client from sending its
markrad 0:cdf462088d13 304 certificate. Found by teumas. #513
markrad 0:cdf462088d13 305 * Fix compilation without MBEDTLS_SELF_TEST enabled.
markrad 0:cdf462088d13 306
markrad 0:cdf462088d13 307 Changes
markrad 0:cdf462088d13 308 * Extended test coverage of special cases, and added new timing test suite.
markrad 0:cdf462088d13 309 * Removed self-tests from the basic-built-test.sh script, and added all
markrad 0:cdf462088d13 310 missing self-tests to the test suites, to ensure self-tests are only
markrad 0:cdf462088d13 311 executed once.
markrad 0:cdf462088d13 312 * Added support for 3 and 4 byte lengths to mbedtls_asn1_write_len().
markrad 0:cdf462088d13 313 * Added support for a Yotta specific configuration file -
markrad 0:cdf462088d13 314 through the symbol YOTTA_CFG_MBEDTLS_TARGET_CONFIG_FILE.
markrad 0:cdf462088d13 315 * Added optimization for code space for X.509/OID based on configured
markrad 0:cdf462088d13 316 features. Contributed by Aviv Palivoda.
markrad 0:cdf462088d13 317 * Renamed source file library/net.c to library/net_sockets.c to avoid
markrad 0:cdf462088d13 318 naming collision in projects which also have files with the common name
markrad 0:cdf462088d13 319 net.c. For consistency, the corresponding header file, net.h, is marked as
markrad 0:cdf462088d13 320 deprecated, and its contents moved to net_sockets.h.
markrad 0:cdf462088d13 321 * Changed the strategy for X.509 certificate parsing and validation, to no
markrad 0:cdf462088d13 322 longer disregard certificates with unrecognised fields.
markrad 0:cdf462088d13 323
markrad 0:cdf462088d13 324 = mbed TLS 2.3.0 branch released 2016-06-28
markrad 0:cdf462088d13 325
markrad 0:cdf462088d13 326 Security
markrad 0:cdf462088d13 327 * Fix missing padding length check in mbedtls_rsa_rsaes_pkcs1_v15_decrypt
markrad 0:cdf462088d13 328 required by PKCS1 v2.2
markrad 0:cdf462088d13 329 * Fix potential integer overflow to buffer overflow in
markrad 0:cdf462088d13 330 mbedtls_rsa_rsaes_pkcs1_v15_encrypt and mbedtls_rsa_rsaes_oaep_encrypt
markrad 0:cdf462088d13 331 (not triggerable remotely in (D)TLS).
Jasper Wallace 2:bbdeda018a3c 332 * Fix a potential integer underflow to buffer overread in
markrad 0:cdf462088d13 333 mbedtls_rsa_rsaes_oaep_decrypt. It is not triggerable remotely in
markrad 0:cdf462088d13 334 SSL/TLS.
markrad 0:cdf462088d13 335
markrad 0:cdf462088d13 336 Features
markrad 0:cdf462088d13 337 * Support for platform abstraction of the standard C library time()
markrad 0:cdf462088d13 338 function.
markrad 0:cdf462088d13 339
markrad 0:cdf462088d13 340 Bugfix
markrad 0:cdf462088d13 341 * Fix bug in mbedtls_mpi_add_mpi() that caused wrong results when the three
markrad 0:cdf462088d13 342 arguments where the same (in-place doubling). Found and fixed by Janos
markrad 0:cdf462088d13 343 Follath. #309
markrad 0:cdf462088d13 344 * Fix potential build failures related to the 'apidoc' target, introduced
markrad 0:cdf462088d13 345 in the previous patch release. Found by Robert Scheck. #390 #391
markrad 0:cdf462088d13 346 * Fix issue in Makefile that prevented building using armar. #386
markrad 0:cdf462088d13 347 * Fix memory leak that occured only when ECJPAKE was enabled and ECDHE and
markrad 0:cdf462088d13 348 ECDSA was disabled in config.h . The leak didn't occur by default.
markrad 0:cdf462088d13 349 * Fix an issue that caused valid certificates to be rejected whenever an
markrad 0:cdf462088d13 350 expired or not yet valid certificate was parsed before a valid certificate
markrad 0:cdf462088d13 351 in the trusted certificate list.
Jasper Wallace 2:bbdeda018a3c 352 * Fix bug in mbedtls_x509_crt_parse that caused trailing extra data in the
markrad 0:cdf462088d13 353 buffer after DER certificates to be included in the raw representation.
markrad 0:cdf462088d13 354 * Fix issue that caused a hang when generating RSA keys of odd bitlength
markrad 0:cdf462088d13 355 * Fix bug in mbedtls_rsa_rsaes_pkcs1_v15_encrypt that made null pointer
markrad 0:cdf462088d13 356 dereference possible.
markrad 0:cdf462088d13 357 * Fix issue that caused a crash if invalid curves were passed to
markrad 0:cdf462088d13 358 mbedtls_ssl_conf_curves. #373
markrad 0:cdf462088d13 359 * Fix issue in ssl_fork_server which was preventing it from functioning. #429
markrad 0:cdf462088d13 360 * Fix memory leaks in test framework
markrad 0:cdf462088d13 361 * Fix test in ssl-opt.sh that does not run properly with valgrind
markrad 0:cdf462088d13 362 * Fix unchecked calls to mmbedtls_md_setup(). Fix by Brian Murray. #502
markrad 0:cdf462088d13 363
markrad 0:cdf462088d13 364 Changes
markrad 0:cdf462088d13 365 * On ARM platforms, when compiling with -O0 with GCC, Clang or armcc5,
markrad 0:cdf462088d13 366 don't use the optimized assembly for bignum multiplication. This removes
markrad 0:cdf462088d13 367 the need to pass -fomit-frame-pointer to avoid a build error with -O0.
markrad 0:cdf462088d13 368 * Disabled SSLv3 in the default configuration.
markrad 0:cdf462088d13 369 * Optimized mbedtls_mpi_zeroize() for MPI integer size. (Fix by Alexey
markrad 0:cdf462088d13 370 Skalozub).
markrad 0:cdf462088d13 371 * Fix non-compliance server extension handling. Extensions for SSLv3 are now
markrad 0:cdf462088d13 372 ignored, as required by RFC6101.
markrad 0:cdf462088d13 373
markrad 0:cdf462088d13 374 = mbed TLS 2.2.1 released 2016-01-05
markrad 0:cdf462088d13 375
markrad 0:cdf462088d13 376 Security
markrad 0:cdf462088d13 377 * Fix potential double free when mbedtls_asn1_store_named_data() fails to
markrad 0:cdf462088d13 378 allocate memory. Only used for certificate generation, not triggerable
markrad 0:cdf462088d13 379 remotely in SSL/TLS. Found by Rafał Przywara. #367
markrad 0:cdf462088d13 380 * Disable MD5 handshake signatures in TLS 1.2 by default to prevent the
markrad 0:cdf462088d13 381 SLOTH attack on TLS 1.2 server authentication (other attacks from the
markrad 0:cdf462088d13 382 SLOTH paper do not apply to any version of mbed TLS or PolarSSL).
markrad 0:cdf462088d13 383 https://www.mitls.org/pages/attacks/SLOTH
markrad 0:cdf462088d13 384
markrad 0:cdf462088d13 385 Bugfix
markrad 0:cdf462088d13 386 * Fix over-restrictive length limit in GCM. Found by Andreas-N. #362
markrad 0:cdf462088d13 387 * Fix bug in certificate validation that caused valid chains to be rejected
markrad 0:cdf462088d13 388 when the first intermediate certificate has pathLenConstraint=0. Found by
markrad 0:cdf462088d13 389 Nicholas Wilson. Introduced in mbed TLS 2.2.0. #280
markrad 0:cdf462088d13 390 * Removed potential leak in mbedtls_rsa_rsassa_pkcs1_v15_sign(), found by
markrad 0:cdf462088d13 391 JayaraghavendranK. #372
markrad 0:cdf462088d13 392 * Fix suboptimal handling of unexpected records that caused interop issues
markrad 0:cdf462088d13 393 with some peers over unreliable links. Avoid dropping an entire DTLS
markrad 0:cdf462088d13 394 datagram if a single record in a datagram is unexpected, instead only
markrad 0:cdf462088d13 395 drop the record and look at subsequent records (if any are present) in
markrad 0:cdf462088d13 396 the same datagram. Found by jeannotlapin. #345
markrad 0:cdf462088d13 397
markrad 0:cdf462088d13 398 = mbed TLS 2.2.0 released 2015-11-04
markrad 0:cdf462088d13 399
markrad 0:cdf462088d13 400 Security
markrad 0:cdf462088d13 401 * Fix potential double free if mbedtls_ssl_conf_psk() is called more than
markrad 0:cdf462088d13 402 once and some allocation fails. Cannot be forced remotely. Found by Guido
markrad 0:cdf462088d13 403 Vranken, Intelworks.
markrad 0:cdf462088d13 404 * Fix potential heap corruption on Windows when
markrad 0:cdf462088d13 405 mbedtls_x509_crt_parse_path() is passed a path longer than 2GB. Cannot be
markrad 0:cdf462088d13 406 triggered remotely. Found by Guido Vranken, Intelworks.
markrad 0:cdf462088d13 407 * Fix potential buffer overflow in some asn1_write_xxx() functions.
markrad 0:cdf462088d13 408 Cannot be triggered remotely unless you create X.509 certificates based
markrad 0:cdf462088d13 409 on untrusted input or write keys of untrusted origin. Found by Guido
markrad 0:cdf462088d13 410 Vranken, Intelworks.
markrad 0:cdf462088d13 411 * The X509 max_pathlen constraint was not enforced on intermediate
markrad 0:cdf462088d13 412 certificates. Found by Nicholas Wilson, fix and tests provided by
markrad 0:cdf462088d13 413 Janos Follath. #280 and #319
markrad 0:cdf462088d13 414
markrad 0:cdf462088d13 415 Features
markrad 0:cdf462088d13 416 * Experimental support for EC J-PAKE as defined in Thread 1.0.0.
markrad 0:cdf462088d13 417 Disabled by default as the specification might still change.
markrad 0:cdf462088d13 418 * Added a key extraction callback to accees the master secret and key
markrad 0:cdf462088d13 419 block. (Potential uses include EAP-TLS and Thread.)
markrad 0:cdf462088d13 420
markrad 0:cdf462088d13 421 Bugfix
markrad 0:cdf462088d13 422 * Self-signed certificates were not excluded from pathlen counting,
markrad 0:cdf462088d13 423 resulting in some valid X.509 being incorrectly rejected. Found and fix
markrad 0:cdf462088d13 424 provided by Janos Follath. #319
markrad 0:cdf462088d13 425 * Fix build error with configurations where ECDHE-PSK is the only key
markrad 0:cdf462088d13 426 exchange. Found and fix provided by Chris Hammond. #270
markrad 0:cdf462088d13 427 * Fix build error with configurations where RSA, RSA-PSK, ECDH-RSA or
markrad 0:cdf462088d13 428 ECHD-ECDSA if the only key exchange. Multiple reports. #310
markrad 0:cdf462088d13 429 * Fixed a bug causing some handshakes to fail due to some non-fatal alerts
markrad 0:cdf462088d13 430 not being properly ignored. Found by mancha and Kasom Koht-arsa, #308
markrad 0:cdf462088d13 431 * mbedtls_x509_crt_verify(_with_profile)() now also checks the key type and
markrad 0:cdf462088d13 432 size/curve against the profile. Before that, there was no way to set a
markrad 0:cdf462088d13 433 minimum key size for end-entity certificates with RSA keys. Found by
markrad 0:cdf462088d13 434 Matthew Page of Scannex Electronics Ltd.
markrad 0:cdf462088d13 435 * Fix failures in MPI on Sparc(64) due to use of bad assembly code.
markrad 0:cdf462088d13 436 Found by Kurt Danielson. #292
markrad 0:cdf462088d13 437 * Fix typo in name of the extKeyUsage OID. Found by inestlerode, #314
markrad 0:cdf462088d13 438 * Fix bug in ASN.1 encoding of booleans that caused generated CA
markrad 0:cdf462088d13 439 certificates to be rejected by some applications, including OS X
markrad 0:cdf462088d13 440 Keychain. Found and fixed by Jonathan Leroy, Inikup.
markrad 0:cdf462088d13 441
markrad 0:cdf462088d13 442 Changes
markrad 0:cdf462088d13 443 * Improved performance of mbedtls_ecp_muladd() when one of the scalars is 1
markrad 0:cdf462088d13 444 or -1.
markrad 0:cdf462088d13 445
markrad 0:cdf462088d13 446 = mbed TLS 2.1.2 released 2015-10-06
markrad 0:cdf462088d13 447
markrad 0:cdf462088d13 448 Security
markrad 0:cdf462088d13 449 * Added fix for CVE-2015-5291 to prevent heap corruption due to buffer
markrad 0:cdf462088d13 450 overflow of the hostname or session ticket. Found by Guido Vranken,
markrad 0:cdf462088d13 451 Intelworks.
markrad 0:cdf462088d13 452 * Fix potential double-free if mbedtls_ssl_set_hs_psk() is called more than
markrad 0:cdf462088d13 453 once in the same handhake and mbedtls_ssl_conf_psk() was used.
markrad 0:cdf462088d13 454 Found and patch provided by Guido Vranken, Intelworks. Cannot be forced
markrad 0:cdf462088d13 455 remotely.
markrad 0:cdf462088d13 456 * Fix stack buffer overflow in pkcs12 decryption (used by
markrad 0:cdf462088d13 457 mbedtls_pk_parse_key(file)() when the password is > 129 bytes.
markrad 0:cdf462088d13 458 Found by Guido Vranken, Intelworks. Not triggerable remotely.
markrad 0:cdf462088d13 459 * Fix potential buffer overflow in mbedtls_mpi_read_string().
markrad 0:cdf462088d13 460 Found by Guido Vranken, Intelworks. Not exploitable remotely in the context
markrad 0:cdf462088d13 461 of TLS, but might be in other uses. On 32 bit machines, requires reading a
markrad 0:cdf462088d13 462 string of close to or larger than 1GB to exploit; on 64 bit machines, would
markrad 0:cdf462088d13 463 require reading a string of close to or larger than 2^62 bytes.
markrad 0:cdf462088d13 464 * Fix potential random memory allocation in mbedtls_pem_read_buffer()
markrad 0:cdf462088d13 465 on crafted PEM input data. Found and fix provided by Guido Vranken,
markrad 0:cdf462088d13 466 Intelworks. Not triggerable remotely in TLS. Triggerable remotely if you
markrad 0:cdf462088d13 467 accept PEM data from an untrusted source.
markrad 0:cdf462088d13 468 * Fix possible heap buffer overflow in base64_encoded() when the input
markrad 0:cdf462088d13 469 buffer is 512MB or larger on 32-bit platforms. Found by Guido Vranken,
markrad 0:cdf462088d13 470 Intelworks. Not trigerrable remotely in TLS.
markrad 0:cdf462088d13 471 * Fix potential double-free if mbedtls_conf_psk() is called repeatedly on
markrad 0:cdf462088d13 472 the same mbedtls_ssl_config object and memory allocation fails. Found by
markrad 0:cdf462088d13 473 Guido Vranken, Intelworks. Cannot be forced remotely.
markrad 0:cdf462088d13 474 * Fix potential heap buffer overflow in servers that perform client
markrad 0:cdf462088d13 475 authentication against a crafted CA cert. Cannot be triggered remotely
markrad 0:cdf462088d13 476 unless you allow third parties to pick trust CAs for client auth.
markrad 0:cdf462088d13 477 Found by Guido Vranken, Intelworks.
markrad 0:cdf462088d13 478
markrad 0:cdf462088d13 479 Bugfix
markrad 0:cdf462088d13 480 * Fix compile error in net.c with musl libc. Found and patch provided by
markrad 0:cdf462088d13 481 zhasha (#278).
markrad 0:cdf462088d13 482 * Fix macroization of 'inline' keyword when building as C++. (#279)
markrad 0:cdf462088d13 483
markrad 0:cdf462088d13 484 Changes
markrad 0:cdf462088d13 485 * Added checking of hostname length in mbedtls_ssl_set_hostname() to ensure
markrad 0:cdf462088d13 486 domain names are compliant with RFC 1035.
markrad 0:cdf462088d13 487 * Fixed paths for check_config.h in example config files. (Found by bachp)
markrad 0:cdf462088d13 488 (#291)
markrad 0:cdf462088d13 489
markrad 0:cdf462088d13 490 = mbed TLS 2.1.1 released 2015-09-17
markrad 0:cdf462088d13 491
markrad 0:cdf462088d13 492 Security
markrad 0:cdf462088d13 493 * Add countermeasure against Lenstra's RSA-CRT attack for PKCS#1 v1.5
markrad 0:cdf462088d13 494 signatures. (Found by Florian Weimer, Red Hat.)
markrad 0:cdf462088d13 495 https://securityblog.redhat.com/2015/09/02/factoring-rsa-keys-with-tls-perfect-forward-secrecy/
markrad 0:cdf462088d13 496 * Fix possible client-side NULL pointer dereference (read) when the client
markrad 0:cdf462088d13 497 tries to continue the handshake after it failed (a misuse of the API).
markrad 0:cdf462088d13 498 (Found and patch provided by Fabian Foerg, Gotham Digital Science using
markrad 0:cdf462088d13 499 afl-fuzz.)
markrad 0:cdf462088d13 500
markrad 0:cdf462088d13 501 Bugfix
markrad 0:cdf462088d13 502 * Fix warning when using a 64bit platform. (found by embedthis) (#275)
markrad 0:cdf462088d13 503 * Fix off-by-one error in parsing Supported Point Format extension that
markrad 0:cdf462088d13 504 caused some handshakes to fail.
markrad 0:cdf462088d13 505
markrad 0:cdf462088d13 506 Changes
markrad 0:cdf462088d13 507 * Made X509 profile pointer const in mbedtls_ssl_conf_cert_profile() to allow
markrad 0:cdf462088d13 508 use of mbedtls_x509_crt_profile_next. (found by NWilson)
markrad 0:cdf462088d13 509 * When a client initiates a reconnect from the same port as a live
markrad 0:cdf462088d13 510 connection, if cookie verification is available
markrad 0:cdf462088d13 511 (MBEDTLS_SSL_DTLS_HELLO_VERIFY defined in config.h, and usable cookie
markrad 0:cdf462088d13 512 callbacks set with mbedtls_ssl_conf_dtls_cookies()), this will be
markrad 0:cdf462088d13 513 detected and mbedtls_ssl_read() will return
markrad 0:cdf462088d13 514 MBEDTLS_ERR_SSL_CLIENT_RECONNECT - it is then possible to start a new
markrad 0:cdf462088d13 515 handshake with the same context. (See RFC 6347 section 4.2.8.)
markrad 0:cdf462088d13 516
markrad 0:cdf462088d13 517 = mbed TLS 2.1.0 released 2015-09-04
markrad 0:cdf462088d13 518
markrad 0:cdf462088d13 519 Features
markrad 0:cdf462088d13 520 * Added support for yotta as a build system.
markrad 0:cdf462088d13 521 * Primary open source license changed to Apache 2.0 license.
markrad 0:cdf462088d13 522
markrad 0:cdf462088d13 523 Bugfix
markrad 0:cdf462088d13 524 * Fix segfault in the benchmark program when benchmarking DHM.
markrad 0:cdf462088d13 525 * Fix build error with CMake and pre-4.5 versions of GCC (found by Hugo
markrad 0:cdf462088d13 526 Leisink).
markrad 0:cdf462088d13 527 * Fix bug when parsing a ServerHello without extensions (found by David
markrad 0:cdf462088d13 528 Sears).
markrad 0:cdf462088d13 529 * Fix bug in CMake lists that caused libmbedcrypto.a not to be installed
markrad 0:cdf462088d13 530 (found by Benoit Lecocq).
markrad 0:cdf462088d13 531 * Fix bug in Makefile that caused libmbedcrypto and libmbedx509 not to be
markrad 0:cdf462088d13 532 installed (found by Rawi666).
markrad 0:cdf462088d13 533 * Fix compile error with armcc 5 with --gnu option.
markrad 0:cdf462088d13 534 * Fix bug in Makefile that caused programs not to be installed correctly
markrad 0:cdf462088d13 535 (found by robotanarchy) (#232).
markrad 0:cdf462088d13 536 * Fix bug in Makefile that prevented from installing without building the
markrad 0:cdf462088d13 537 tests (found by robotanarchy) (#232).
markrad 0:cdf462088d13 538 * Fix missing -static-libgcc when building shared libraries for Windows
markrad 0:cdf462088d13 539 with make.
markrad 0:cdf462088d13 540 * Fix link error when building shared libraries for Windows with make.
markrad 0:cdf462088d13 541 * Fix error when loading libmbedtls.so.
markrad 0:cdf462088d13 542 * Fix bug in mbedtls_ssl_conf_default() that caused the default preset to
markrad 0:cdf462088d13 543 be always used (found by dcb314) (#235)
markrad 0:cdf462088d13 544 * Fix bug in mbedtls_rsa_public() and mbedtls_rsa_private() that could
markrad 0:cdf462088d13 545 result trying to unlock an unlocked mutex on invalid input (found by
markrad 0:cdf462088d13 546 Fredrik Axelsson) (#257)
markrad 0:cdf462088d13 547 * Fix -Wshadow warnings (found by hnrkp) (#240)
markrad 0:cdf462088d13 548 * Fix memory corruption on client with overlong PSK identity, around
markrad 0:cdf462088d13 549 SSL_MAX_CONTENT_LEN or higher - not triggerrable remotely (found by
markrad 0:cdf462088d13 550 Aleksandrs Saveljevs) (#238)
markrad 0:cdf462088d13 551 * Fix unused function warning when using MBEDTLS_MDx_ALT or
markrad 0:cdf462088d13 552 MBEDTLS_SHAxxx_ALT (found by Henrik) (#239)
markrad 0:cdf462088d13 553 * Fix memory corruption in pkey programs (found by yankuncheng) (#210)
markrad 0:cdf462088d13 554
markrad 0:cdf462088d13 555 Changes
markrad 0:cdf462088d13 556 * The PEM parser now accepts a trailing space at end of lines (#226).
markrad 0:cdf462088d13 557 * It is now possible to #include a user-provided configuration file at the
markrad 0:cdf462088d13 558 end of the default config.h by defining MBEDTLS_USER_CONFIG_FILE on the
markrad 0:cdf462088d13 559 compiler's command line.
markrad 0:cdf462088d13 560 * When verifying a certificate chain, if an intermediate certificate is
markrad 0:cdf462088d13 561 trusted, no later cert is checked. (suggested by hannes-landeholm)
markrad 0:cdf462088d13 562 (#220).
markrad 0:cdf462088d13 563 * Prepend a "thread identifier" to debug messages (issue pointed out by
markrad 0:cdf462088d13 564 Hugo Leisink) (#210).
markrad 0:cdf462088d13 565 * Add mbedtls_ssl_get_max_frag_len() to query the current maximum fragment
markrad 0:cdf462088d13 566 length.
markrad 0:cdf462088d13 567
markrad 0:cdf462088d13 568 = mbed TLS 2.0.0 released 2015-07-13
markrad 0:cdf462088d13 569
markrad 0:cdf462088d13 570 Features
markrad 0:cdf462088d13 571 * Support for DTLS 1.0 and 1.2 (RFC 6347).
markrad 0:cdf462088d13 572 * Ability to override core functions from MDx, SHAx, AES and DES modules
markrad 0:cdf462088d13 573 with custom implementation (eg hardware accelerated), complementing the
markrad 0:cdf462088d13 574 ability to override the whole module.
markrad 0:cdf462088d13 575 * New server-side implementation of session tickets that rotate keys to
markrad 0:cdf462088d13 576 preserve forward secrecy, and allows sharing across multiple contexts.
markrad 0:cdf462088d13 577 * Added a concept of X.509 cerificate verification profile that controls
markrad 0:cdf462088d13 578 which algorithms and key sizes (curves for ECDSA) are acceptable.
markrad 0:cdf462088d13 579 * Expanded configurability of security parameters in the SSL module with
markrad 0:cdf462088d13 580 mbedtls_ssl_conf_dhm_min_bitlen() and mbedtls_ssl_conf_sig_hashes().
markrad 0:cdf462088d13 581 * Introduced a concept of presets for SSL security-relevant configuration
markrad 0:cdf462088d13 582 parameters.
markrad 0:cdf462088d13 583
markrad 0:cdf462088d13 584 API Changes
markrad 0:cdf462088d13 585 * The library has been split into libmbedcrypto, libmbedx509, libmbedtls.
markrad 0:cdf462088d13 586 You now need to link to all of them if you use TLS for example.
markrad 0:cdf462088d13 587 * All public identifiers moved to the mbedtls_* or MBEDTLS_* namespace.
markrad 0:cdf462088d13 588 Some names have been further changed to make them more consistent.
markrad 0:cdf462088d13 589 Migration helpers scripts/rename.pl and include/mbedlts/compat-1.3.h are
markrad 0:cdf462088d13 590 provided. Full list of renamings in scripts/data_files/rename-1.3-2.0.txt
markrad 0:cdf462088d13 591 * Renamings of fields inside structures, not covered by the previous list:
markrad 0:cdf462088d13 592 mbedtls_cipher_info_t.key_length -> key_bitlen
markrad 0:cdf462088d13 593 mbedtls_cipher_context_t.key_length -> key_bitlen
markrad 0:cdf462088d13 594 mbedtls_ecp_curve_info.size -> bit_size
markrad 0:cdf462088d13 595 * Headers are now found in the 'mbedtls' directory (previously 'polarssl').
markrad 0:cdf462088d13 596 * The following _init() functions that could return errors have
markrad 0:cdf462088d13 597 been split into an _init() that returns void and another function that
markrad 0:cdf462088d13 598 should generally be the first function called on this context after init:
markrad 0:cdf462088d13 599 mbedtls_ssl_init() -> mbedtls_ssl_setup()
markrad 0:cdf462088d13 600 mbedtls_ccm_init() -> mbedtls_ccm_setkey()
markrad 0:cdf462088d13 601 mbedtls_gcm_init() -> mbedtls_gcm_setkey()
markrad 0:cdf462088d13 602 mbedtls_hmac_drbg_init() -> mbedtls_hmac_drbg_seed(_buf)()
markrad 0:cdf462088d13 603 mbedtls_ctr_drbg_init() -> mbedtls_ctr_drbg_seed()
markrad 0:cdf462088d13 604 Note that for mbedtls_ssl_setup(), you need to be done setting up the
markrad 0:cdf462088d13 605 ssl_config structure before calling it.
markrad 0:cdf462088d13 606 * Most ssl_set_xxx() functions (all except ssl_set_bio(), ssl_set_hostname(),
markrad 0:cdf462088d13 607 ssl_set_session() and ssl_set_client_transport_id(), plus
markrad 0:cdf462088d13 608 ssl_legacy_renegotiation()) have been renamed to mbedtls_ssl_conf_xxx()
markrad 0:cdf462088d13 609 (see rename.pl and compat-1.3.h above) and their first argument's type
markrad 0:cdf462088d13 610 changed from ssl_context to ssl_config.
markrad 0:cdf462088d13 611 * ssl_set_bio() changed signature (contexts merged, order switched, one
markrad 0:cdf462088d13 612 additional callback for read-with-timeout).
markrad 0:cdf462088d13 613 * The following functions have been introduced and must be used in callback
markrad 0:cdf462088d13 614 implementations (SNI, PSK) instead of their *conf counterparts:
markrad 0:cdf462088d13 615 mbedtls_ssl_set_hs_own_cert()
markrad 0:cdf462088d13 616 mbedtls_ssl_set_hs_ca_chain()
markrad 0:cdf462088d13 617 mbedtls_ssl_set_hs_psk()
markrad 0:cdf462088d13 618 * mbedtls_ssl_conf_ca_chain() lost its last argument (peer_cn), now set
markrad 0:cdf462088d13 619 using mbedtls_ssl_set_hostname().
markrad 0:cdf462088d13 620 * mbedtls_ssl_conf_session_cache() changed prototype (only one context
markrad 0:cdf462088d13 621 pointer, parameters reordered).
markrad 0:cdf462088d13 622 * On server, mbedtls_ssl_conf_session_tickets_cb() must now be used in
markrad 0:cdf462088d13 623 place of mbedtls_ssl_conf_session_tickets() to enable session tickets.
markrad 0:cdf462088d13 624 * The SSL debug callback gained two new arguments (file name, line number).
markrad 0:cdf462088d13 625 * Debug modes were removed.
markrad 0:cdf462088d13 626 * mbedtls_ssl_conf_truncated_hmac() now returns void.
markrad 0:cdf462088d13 627 * mbedtls_memory_buffer_alloc_init() now returns void.
markrad 0:cdf462088d13 628 * X.509 verification flags are now an uint32_t. Affect the signature of:
markrad 0:cdf462088d13 629 mbedtls_ssl_get_verify_result()
markrad 0:cdf462088d13 630 mbedtls_x509_ctr_verify_info()
markrad 0:cdf462088d13 631 mbedtls_x509_crt_verify() (flags, f_vrfy -> needs to be updated)
markrad 0:cdf462088d13 632 mbedtls_ssl_conf_verify() (f_vrfy -> needs to be updated)
markrad 0:cdf462088d13 633 * The following functions changed prototype to avoid an in-out length
markrad 0:cdf462088d13 634 parameter:
markrad 0:cdf462088d13 635 mbedtls_base64_encode()
markrad 0:cdf462088d13 636 mbedtls_base64_decode()
markrad 0:cdf462088d13 637 mbedtls_mpi_write_string()
markrad 0:cdf462088d13 638 mbedtls_dhm_calc_secret()
markrad 0:cdf462088d13 639 * In the NET module, all "int" and "int *" arguments for file descriptors
markrad 0:cdf462088d13 640 changed type to "mbedtls_net_context *".
markrad 0:cdf462088d13 641 * net_accept() gained new arguments for the size of the client_ip buffer.
markrad 0:cdf462088d13 642 * In the threading layer, mbedtls_mutex_init() and mbedtls_mutex_free() now
markrad 0:cdf462088d13 643 return void.
markrad 0:cdf462088d13 644 * ecdsa_write_signature() gained an addtional md_alg argument and
markrad 0:cdf462088d13 645 ecdsa_write_signature_det() was deprecated.
markrad 0:cdf462088d13 646 * pk_sign() no longer accepts md_alg == POLARSSL_MD_NONE with ECDSA.
markrad 0:cdf462088d13 647 * Last argument of x509_crt_check_key_usage() and
markrad 0:cdf462088d13 648 mbedtls_x509write_crt_set_key_usage() changed from int to unsigned.
markrad 0:cdf462088d13 649 * test_ca_list (from certs.h) is renamed to test_cas_pem and is only
markrad 0:cdf462088d13 650 available if POLARSSL_PEM_PARSE_C is defined (it never worked without).
markrad 0:cdf462088d13 651 * Test certificates in certs.c are no longer guaranteed to be nul-terminated
markrad 0:cdf462088d13 652 strings; use the new *_len variables instead of strlen().
markrad 0:cdf462088d13 653 * Functions mbedtls_x509_xxx_parse(), mbedtls_pk_parse_key(),
markrad 0:cdf462088d13 654 mbedtls_pk_parse_public_key() and mbedtls_dhm_parse_dhm() now expect the
markrad 0:cdf462088d13 655 length parameter to include the terminating null byte for PEM input.
markrad 0:cdf462088d13 656 * Signature of mpi_mul_mpi() changed to make the last argument unsigned
markrad 0:cdf462088d13 657 * calloc() is now used instead of malloc() everywhere. API of platform
markrad 0:cdf462088d13 658 layer and the memory_buffer_alloc module changed accordingly.
markrad 0:cdf462088d13 659 (Thanks to Mansour Moufid for helping with the replacement.)
markrad 0:cdf462088d13 660 * Change SSL_DISABLE_RENEGOTIATION config.h flag to SSL_RENEGOTIATION
markrad 0:cdf462088d13 661 (support for renegotiation now needs explicit enabling in config.h).
markrad 0:cdf462088d13 662 * Split MBEDTLS_HAVE_TIME into MBEDTLS_HAVE_TIME and MBEDTLS_HAVE_TIME_DATE
markrad 0:cdf462088d13 663 in config.h
markrad 0:cdf462088d13 664 * net_connect() and net_bind() have a new 'proto' argument to choose
markrad 0:cdf462088d13 665 between TCP and UDP, using the macros NET_PROTO_TCP or NET_PROTO_UDP.
markrad 0:cdf462088d13 666 Their 'port' argument type is changed to a string.
markrad 0:cdf462088d13 667 * Some constness fixes
markrad 0:cdf462088d13 668
markrad 0:cdf462088d13 669 Removals
markrad 0:cdf462088d13 670 * Removed mbedtls_ecp_group_read_string(). Only named groups are supported.
markrad 0:cdf462088d13 671 * Removed mbedtls_ecp_sub() and mbedtls_ecp_add(), use
markrad 0:cdf462088d13 672 mbedtls_ecp_muladd().
markrad 0:cdf462088d13 673 * Removed individual mdX_hmac, shaX_hmac, mdX_file and shaX_file functions
markrad 0:cdf462088d13 674 (use generic functions from md.h)
markrad 0:cdf462088d13 675 * Removed mbedtls_timing_msleep(). Use mbedtls_net_usleep() or a custom
markrad 0:cdf462088d13 676 waiting function.
markrad 0:cdf462088d13 677 * Removed test DHM parameters from the test certs module.
markrad 0:cdf462088d13 678 * Removed the PBKDF2 module (use PKCS5).
markrad 0:cdf462088d13 679 * Removed POLARSSL_ERROR_STRERROR_BC (use mbedtls_strerror()).
markrad 0:cdf462088d13 680 * Removed compat-1.2.h (helper for migrating from 1.2 to 1.3).
markrad 0:cdf462088d13 681 * Removed openssl.h (very partial OpenSSL compatibility layer).
markrad 0:cdf462088d13 682 * Configuration options POLARSSL_HAVE_LONGLONG was removed (now always on).
markrad 0:cdf462088d13 683 * Configuration options POLARSSL_HAVE_INT8 and POLARSSL_HAVE_INT16 have
markrad 0:cdf462088d13 684 been removed (compiler is required to support 32-bit operations).
markrad 0:cdf462088d13 685 * Configuration option POLARSSL_HAVE_IPV6 was removed (always enabled).
markrad 0:cdf462088d13 686 * Removed test program o_p_test, the script compat.sh does more.
markrad 0:cdf462088d13 687 * Removed test program ssl_test, superseded by ssl-opt.sh.
markrad 0:cdf462088d13 688 * Removed helper script active-config.pl
markrad 0:cdf462088d13 689
markrad 0:cdf462088d13 690 New deprecations
markrad 0:cdf462088d13 691 * md_init_ctx() is deprecated in favour of md_setup(), that adds a third
markrad 0:cdf462088d13 692 argument (allowing memory savings if HMAC is not used)
markrad 0:cdf462088d13 693
markrad 0:cdf462088d13 694 Semi-API changes (technically public, morally private)
markrad 0:cdf462088d13 695 * Renamed a few headers to include _internal in the name. Those headers are
markrad 0:cdf462088d13 696 not supposed to be included by users.
markrad 0:cdf462088d13 697 * Changed md_info_t into an opaque structure (use md_get_xxx() accessors).
markrad 0:cdf462088d13 698 * Changed pk_info_t into an opaque structure.
markrad 0:cdf462088d13 699 * Changed cipher_base_t into an opaque structure.
markrad 0:cdf462088d13 700 * Removed sig_oid2 and rename sig_oid1 to sig_oid in x509_crt and x509_crl.
markrad 0:cdf462088d13 701 * x509_crt.key_usage changed from unsigned char to unsigned int.
markrad 0:cdf462088d13 702 * Removed r and s from ecdsa_context
markrad 0:cdf462088d13 703 * Removed mode from des_context and des3_context
markrad 0:cdf462088d13 704
markrad 0:cdf462088d13 705 Default behavior changes
markrad 0:cdf462088d13 706 * The default minimum TLS version is now TLS 1.0.
markrad 0:cdf462088d13 707 * RC4 is now blacklisted by default in the SSL/TLS layer, and excluded from the
markrad 0:cdf462088d13 708 default ciphersuite list returned by ssl_list_ciphersuites()
markrad 0:cdf462088d13 709 * Support for receiving SSLv2 ClientHello is now disabled by default at
markrad 0:cdf462088d13 710 compile time.
markrad 0:cdf462088d13 711 * The default authmode for SSL/TLS clients is now REQUIRED.
markrad 0:cdf462088d13 712 * Support for RSA_ALT contexts in the PK layer is now optional. Since is is
markrad 0:cdf462088d13 713 enabled in the default configuration, this is only noticeable if using a
markrad 0:cdf462088d13 714 custom config.h
markrad 0:cdf462088d13 715 * Default DHM parameters server-side upgraded from 1024 to 2048 bits.
markrad 0:cdf462088d13 716 * A minimum RSA key size of 2048 bits is now enforced during ceritificate
markrad 0:cdf462088d13 717 chain verification.
markrad 0:cdf462088d13 718 * Negotiation of truncated HMAC is now disabled by default on server too.
markrad 0:cdf462088d13 719 * The following functions are now case-sensitive:
markrad 0:cdf462088d13 720 mbedtls_cipher_info_from_string()
markrad 0:cdf462088d13 721 mbedtls_ecp_curve_info_from_name()
markrad 0:cdf462088d13 722 mbedtls_md_info_from_string()
markrad 0:cdf462088d13 723 mbedtls_ssl_ciphersuite_from_string()
markrad 0:cdf462088d13 724 mbedtls_version_check_feature()
markrad 0:cdf462088d13 725
markrad 0:cdf462088d13 726 Requirement changes
markrad 0:cdf462088d13 727 * The minimum MSVC version required is now 2010 (better C99 support).
markrad 0:cdf462088d13 728 * The NET layer now unconditionnaly relies on getaddrinfo() and select().
markrad 0:cdf462088d13 729 * Compiler is required to support C99 types such as long long and uint32_t.
markrad 0:cdf462088d13 730
markrad 0:cdf462088d13 731 API changes from the 1.4 preview branch
markrad 0:cdf462088d13 732 * ssl_set_bio_timeout() was removed, split into mbedtls_ssl_set_bio() with
markrad 0:cdf462088d13 733 new prototype, and mbedtls_ssl_set_read_timeout().
markrad 0:cdf462088d13 734 * The following functions now return void:
markrad 0:cdf462088d13 735 mbedtls_ssl_conf_transport()
markrad 0:cdf462088d13 736 mbedtls_ssl_conf_max_version()
markrad 0:cdf462088d13 737 mbedtls_ssl_conf_min_version()
markrad 0:cdf462088d13 738 * DTLS no longer hard-depends on TIMING_C, but uses a callback interface
markrad 0:cdf462088d13 739 instead, see mbedtls_ssl_set_timer_cb(), with the Timing module providing
markrad 0:cdf462088d13 740 an example implementation, see mbedtls_timing_delay_context and
markrad 0:cdf462088d13 741 mbedtls_timing_set/get_delay().
markrad 0:cdf462088d13 742 * With UDP sockets, it is no longer necessary to call net_bind() again
markrad 0:cdf462088d13 743 after a successful net_accept().
markrad 0:cdf462088d13 744
markrad 0:cdf462088d13 745 Changes
markrad 0:cdf462088d13 746 * mbedtls_ctr_drbg_random() and mbedtls_hmac_drbg_random() are now
markrad 0:cdf462088d13 747 thread-safe if MBEDTLS_THREADING_C is enabled.
markrad 0:cdf462088d13 748 * Reduced ROM fooprint of SHA-256 and added an option to reduce it even
markrad 0:cdf462088d13 749 more (at the expense of performance) MBEDTLS_SHA256_SMALLER.
markrad 0:cdf462088d13 750
markrad 0:cdf462088d13 751 = mbed TLS 1.3 branch
markrad 0:cdf462088d13 752
markrad 0:cdf462088d13 753 Security
markrad 0:cdf462088d13 754 * With authmode set to SSL_VERIFY_OPTIONAL, verification of keyUsage and
markrad 0:cdf462088d13 755 extendedKeyUsage on the leaf certificate was lost (results not accessible
markrad 0:cdf462088d13 756 via ssl_get_verify_results()).
markrad 0:cdf462088d13 757 * Add countermeasure against "Lucky 13 strikes back" cache-based attack,
markrad 0:cdf462088d13 758 https://dl.acm.org/citation.cfm?id=2714625
markrad 0:cdf462088d13 759
markrad 0:cdf462088d13 760 Features
markrad 0:cdf462088d13 761 * Improve ECC performance by using more efficient doubling formulas
markrad 0:cdf462088d13 762 (contributed by Peter Dettman).
markrad 0:cdf462088d13 763 * Add x509_crt_verify_info() to display certificate verification results.
markrad 0:cdf462088d13 764 * Add support for reading DH parameters with privateValueLength included
markrad 0:cdf462088d13 765 (contributed by Daniel Kahn Gillmor).
markrad 0:cdf462088d13 766 * Add support for bit strings in X.509 names (request by Fredrik Axelsson).
markrad 0:cdf462088d13 767 * Add support for id-at-uniqueIdentifier in X.509 names.
markrad 0:cdf462088d13 768 * Add support for overriding snprintf() (except on Windows) and exit() in
markrad 0:cdf462088d13 769 the platform layer.
markrad 0:cdf462088d13 770 * Add an option to use macros instead of function pointers in the platform
markrad 0:cdf462088d13 771 layer (helps get rid of unwanted references).
markrad 0:cdf462088d13 772 * Improved Makefiles for Windows targets by fixing library targets and making
markrad 0:cdf462088d13 773 cross-compilation easier (thanks to Alon Bar-Lev).
markrad 0:cdf462088d13 774 * The benchmark program also prints heap usage for public-key primitives
markrad 0:cdf462088d13 775 if POLARSSL_MEMORY_BUFFER_ALLOC_C and POLARSSL_MEMORY_DEBUG are defined.
markrad 0:cdf462088d13 776 * New script ecc-heap.sh helps measuring the impact of ECC parameters on
markrad 0:cdf462088d13 777 speed and RAM (heap only for now) usage.
markrad 0:cdf462088d13 778 * New script memory.sh helps measuring the ROM and RAM requirements of two
markrad 0:cdf462088d13 779 reduced configurations (PSK-CCM and NSA suite B).
markrad 0:cdf462088d13 780 * Add config flag POLARSSL_DEPRECATED_WARNING (off by default) to produce
markrad 0:cdf462088d13 781 warnings on use of deprecated functions (with GCC and Clang only).
markrad 0:cdf462088d13 782 * Add config flag POLARSSL_DEPRECATED_REMOVED (off by default) to produce
markrad 0:cdf462088d13 783 errors on use of deprecated functions.
markrad 0:cdf462088d13 784
markrad 0:cdf462088d13 785 Bugfix
markrad 0:cdf462088d13 786 * Fix compile errors with PLATFORM_NO_STD_FUNCTIONS.
markrad 0:cdf462088d13 787 * Fix compile error with PLATFORM_EXIT_ALT (thanks to Rafał Przywara).
markrad 0:cdf462088d13 788 * Fix bug in entropy.c when THREADING_C is also enabled that caused
markrad 0:cdf462088d13 789 entropy_free() to crash (thanks to Rafał Przywara).
markrad 0:cdf462088d13 790 * Fix memory leak when gcm_setkey() and ccm_setkey() are used more than
markrad 0:cdf462088d13 791 once on the same context.
markrad 0:cdf462088d13 792 * Fix bug in ssl_mail_client when password is longer that username (found
markrad 0:cdf462088d13 793 by Bruno Pape).
markrad 0:cdf462088d13 794 * Fix undefined behaviour (memcmp( NULL, NULL, 0 );) in X.509 modules
markrad 0:cdf462088d13 795 (detected by Clang's 3.6 UBSan).
markrad 0:cdf462088d13 796 * mpi_size() and mpi_msb() would segfault when called on an mpi that is
markrad 0:cdf462088d13 797 initialized but not set (found by pravic).
markrad 0:cdf462088d13 798 * Fix detection of support for getrandom() on Linux (reported by syzzer) by
markrad 0:cdf462088d13 799 doing it at runtime (using uname) rather that compile time.
markrad 0:cdf462088d13 800 * Fix handling of symlinks by "make install" (found by Gaël PORTAY).
markrad 0:cdf462088d13 801 * Fix potential NULL pointer dereference (not trigerrable remotely) when
markrad 0:cdf462088d13 802 ssl_write() is called before the handshake is finished (introduced in
markrad 0:cdf462088d13 803 1.3.10) (first reported by Martin Blumenstingl).
markrad 0:cdf462088d13 804 * Fix bug in pk_parse_key() that caused some valid private EC keys to be
markrad 0:cdf462088d13 805 rejected.
markrad 0:cdf462088d13 806 * Fix bug in Via Padlock support (found by Nikos Mavrogiannopoulos).
markrad 0:cdf462088d13 807 * Fix thread safety bug in RSA operations (found by Fredrik Axelsson).
markrad 0:cdf462088d13 808 * Fix hardclock() (only used in the benchmarking program) with some
markrad 0:cdf462088d13 809 versions of mingw64 (found by kxjhlele).
markrad 0:cdf462088d13 810 * Fix warnings from mingw64 in timing.c (found by kxjklele).
markrad 0:cdf462088d13 811 * Fix potential unintended sign extension in asn1_get_len() on 64-bit
markrad 0:cdf462088d13 812 platforms.
markrad 0:cdf462088d13 813 * Fix potential memory leak in ssl_set_psk() (found by Mansour Moufid).
markrad 0:cdf462088d13 814 * Fix compile error when POLARSSL_SSL_DISABLE_RENEGOTATION and
markrad 0:cdf462088d13 815 POLARSSL_SSL_SSESSION_TICKETS where both enabled in config.h (introduced
markrad 0:cdf462088d13 816 in 1.3.10).
markrad 0:cdf462088d13 817 * Add missing extern "C" guard in aesni.h (reported by amir zamani).
markrad 0:cdf462088d13 818 * Add missing dependency on SHA-256 in some x509 programs (reported by
markrad 0:cdf462088d13 819 Gergely Budai).
markrad 0:cdf462088d13 820 * Fix bug related to ssl_set_curves(): the client didn't check that the
markrad 0:cdf462088d13 821 curve picked by the server was actually allowed.
markrad 0:cdf462088d13 822
markrad 0:cdf462088d13 823 Changes
markrad 0:cdf462088d13 824 * Remove bias in mpi_gen_prime (contributed by Pascal Junod).
markrad 0:cdf462088d13 825 * Remove potential sources of timing variations (some contributed by Pascal
markrad 0:cdf462088d13 826 Junod).
markrad 0:cdf462088d13 827 * Options POLARSSL_HAVE_INT8 and POLARSSL_HAVE_INT16 are deprecated.
markrad 0:cdf462088d13 828 * Enabling POLARSSL_NET_C without POLARSSL_HAVE_IPV6 is deprecated.
markrad 0:cdf462088d13 829 * compat-1.2.h and openssl.h are deprecated.
markrad 0:cdf462088d13 830 * Adjusting/overriding CFLAGS and LDFLAGS with the make build system is now
markrad 0:cdf462088d13 831 more flexible (warning: OFLAGS is not used any more) (see the README)
markrad 0:cdf462088d13 832 (contributed by Alon Bar-Lev).
markrad 0:cdf462088d13 833 * ssl_set_own_cert() no longer calls pk_check_pair() since the
markrad 0:cdf462088d13 834 performance impact was bad for some users (this was introduced in 1.3.10).
markrad 0:cdf462088d13 835 * Move from SHA-1 to SHA-256 in example programs using signatures
markrad 0:cdf462088d13 836 (suggested by Thorsten Mühlfelder).
markrad 0:cdf462088d13 837 * Remove some unneeded inclusions of header files from the standard library
markrad 0:cdf462088d13 838 "minimize" others (eg use stddef.h if only size_t is needed).
markrad 0:cdf462088d13 839 * Change #include lines in test files to use double quotes instead of angle
markrad 0:cdf462088d13 840 brackets for uniformity with the rest of the code.
markrad 0:cdf462088d13 841 * Remove dependency on sscanf() in X.509 parsing modules.
markrad 0:cdf462088d13 842
markrad 0:cdf462088d13 843 = mbed TLS 1.3.10 released 2015-02-09
markrad 0:cdf462088d13 844 Security
markrad 0:cdf462088d13 845 * NULL pointer dereference in the buffer-based allocator when the buffer is
markrad 0:cdf462088d13 846 full and polarssl_free() is called (found by Mark Hasemeyer)
markrad 0:cdf462088d13 847 (only possible if POLARSSL_MEMORY_BUFFER_ALLOC_C is enabled, which it is
markrad 0:cdf462088d13 848 not by default).
markrad 0:cdf462088d13 849 * Fix remotely-triggerable uninitialised pointer dereference caused by
markrad 0:cdf462088d13 850 crafted X.509 certificate (TLS server is not affected if it doesn't ask for a
markrad 0:cdf462088d13 851 client certificate) (found using Codenomicon Defensics).
markrad 0:cdf462088d13 852 * Fix remotely-triggerable memory leak caused by crafted X.509 certificates
markrad 0:cdf462088d13 853 (TLS server is not affected if it doesn't ask for a client certificate)
markrad 0:cdf462088d13 854 (found using Codenomicon Defensics).
markrad 0:cdf462088d13 855 * Fix potential stack overflow while parsing crafted X.509 certificates
markrad 0:cdf462088d13 856 (TLS server is not affected if it doesn't ask for a client certificate)
markrad 0:cdf462088d13 857 (found using Codenomicon Defensics).
markrad 0:cdf462088d13 858 * Fix timing difference that could theoretically lead to a
markrad 0:cdf462088d13 859 Bleichenbacher-style attack in the RSA and RSA-PSK key exchanges
markrad 0:cdf462088d13 860 (reported by Sebastian Schinzel).
markrad 0:cdf462088d13 861
markrad 0:cdf462088d13 862 Features
markrad 0:cdf462088d13 863 * Add support for FALLBACK_SCSV (draft-ietf-tls-downgrade-scsv).
markrad 0:cdf462088d13 864 * Add support for Extended Master Secret (draft-ietf-tls-session-hash).
markrad 0:cdf462088d13 865 * Add support for Encrypt-then-MAC (RFC 7366).
markrad 0:cdf462088d13 866 * Add function pk_check_pair() to test if public and private keys match.
markrad 0:cdf462088d13 867 * Add x509_crl_parse_der().
markrad 0:cdf462088d13 868 * Add compile-time option POLARSSL_X509_MAX_INTERMEDIATE_CA to limit the
markrad 0:cdf462088d13 869 length of an X.509 verification chain.
markrad 0:cdf462088d13 870 * Support for renegotiation can now be disabled at compile-time
markrad 0:cdf462088d13 871 * Support for 1/n-1 record splitting, a countermeasure against BEAST.
markrad 0:cdf462088d13 872 * Certificate selection based on signature hash, preferring SHA-1 over SHA-2
markrad 0:cdf462088d13 873 for pre-1.2 clients when multiple certificates are available.
markrad 0:cdf462088d13 874 * Add support for getrandom() syscall on recent Linux kernels with Glibc or
markrad 0:cdf462088d13 875 a compatible enough libc (eg uClibc).
markrad 0:cdf462088d13 876 * Add ssl_set_arc4_support() to make it easier to disable RC4 at runtime
markrad 0:cdf462088d13 877 while using the default ciphersuite list.
markrad 0:cdf462088d13 878 * Added new error codes and debug messages about selection of
markrad 0:cdf462088d13 879 ciphersuite/certificate.
markrad 0:cdf462088d13 880
markrad 0:cdf462088d13 881 Bugfix
markrad 0:cdf462088d13 882 * Stack buffer overflow if ctr_drbg_update() is called with too large
markrad 0:cdf462088d13 883 add_len (found by Jean-Philippe Aumasson) (not triggerable remotely).
markrad 0:cdf462088d13 884 * Possible buffer overflow of length at most POLARSSL_MEMORY_ALIGN_MULTIPLE
markrad 0:cdf462088d13 885 if memory_buffer_alloc_init() was called with buf not aligned and len not
markrad 0:cdf462088d13 886 a multiple of POLARSSL_MEMORY_ALIGN_MULTIPLE (not triggerable remotely).
markrad 0:cdf462088d13 887 * User set CFLAGS were ignored by Cmake with gcc (introduced in 1.3.9, found
markrad 0:cdf462088d13 888 by Julian Ospald).
markrad 0:cdf462088d13 889 * Fix potential undefined behaviour in Camellia.
markrad 0:cdf462088d13 890 * Fix potential failure in ECDSA signatures when POLARSSL_ECP_MAX_BITS is a
markrad 0:cdf462088d13 891 multiple of 8 (found by Gergely Budai).
markrad 0:cdf462088d13 892 * Fix unchecked return code in x509_crt_parse_path() on Windows (found by
markrad 0:cdf462088d13 893 Peter Vaskovic).
markrad 0:cdf462088d13 894 * Fix assembly selection for MIPS64 (thanks to James Cowgill).
markrad 0:cdf462088d13 895 * ssl_get_verify_result() now works even if the handshake was aborted due
markrad 0:cdf462088d13 896 to a failed verification (found by Fredrik Axelsson).
markrad 0:cdf462088d13 897 * Skip writing and parsing signature_algorithm extension if none of the
markrad 0:cdf462088d13 898 key exchanges enabled needs certificates. This fixes a possible interop
markrad 0:cdf462088d13 899 issue with some servers when a zero-length extension was sent. (Reported
markrad 0:cdf462088d13 900 by Peter Dettman.)
markrad 0:cdf462088d13 901 * On a 0-length input, base64_encode() did not correctly set output length
markrad 0:cdf462088d13 902 (found by Hendrik van den Boogaard).
markrad 0:cdf462088d13 903
markrad 0:cdf462088d13 904 Changes
markrad 0:cdf462088d13 905 * Use deterministic nonces for AEAD ciphers in TLS by default (possible to
markrad 0:cdf462088d13 906 switch back to random with POLARSSL_SSL_AEAD_RANDOM_IV in config.h).
markrad 0:cdf462088d13 907 * Blind RSA private operations even when POLARSSL_RSA_NO_CRT is defined.
markrad 0:cdf462088d13 908 * ssl_set_own_cert() now returns an error on key-certificate mismatch.
markrad 0:cdf462088d13 909 * Forbid repeated extensions in X.509 certificates.
markrad 0:cdf462088d13 910 * debug_print_buf() now prints a text view in addition to hexadecimal.
markrad 0:cdf462088d13 911 * A specific error is now returned when there are ciphersuites in common
markrad 0:cdf462088d13 912 but none of them is usable due to external factors such as no certificate
markrad 0:cdf462088d13 913 with a suitable (extended)KeyUsage or curve or no PSK set.
markrad 0:cdf462088d13 914 * It is now possible to disable negotiation of truncated HMAC server-side
markrad 0:cdf462088d13 915 at runtime with ssl_set_truncated_hmac().
markrad 0:cdf462088d13 916 * Example programs for SSL client and server now disable SSLv3 by default.
markrad 0:cdf462088d13 917 * Example programs for SSL client and server now disable RC4 by default.
markrad 0:cdf462088d13 918 * Use platform.h in all test suites and programs.
markrad 0:cdf462088d13 919
markrad 0:cdf462088d13 920 = PolarSSL 1.3.9 released 2014-10-20
markrad 0:cdf462088d13 921 Security
markrad 0:cdf462088d13 922 * Lowest common hash was selected from signature_algorithms extension in
markrad 0:cdf462088d13 923 TLS 1.2 (found by Darren Bane) (introduced in 1.3.8).
markrad 0:cdf462088d13 924 * Remotely-triggerable memory leak when parsing some X.509 certificates
markrad 0:cdf462088d13 925 (server is not affected if it doesn't ask for a client certificate)
markrad 0:cdf462088d13 926 (found using Codenomicon Defensics).
markrad 0:cdf462088d13 927 * Remotely-triggerable memory leak when parsing crafted ClientHello
markrad 0:cdf462088d13 928 (not affected if ECC support was compiled out) (found using Codenomicon
markrad 0:cdf462088d13 929 Defensics).
markrad 0:cdf462088d13 930
markrad 0:cdf462088d13 931 Bugfix
markrad 0:cdf462088d13 932 * Support escaping of commas in x509_string_to_names()
markrad 0:cdf462088d13 933 * Fix compile error in ssl_pthread_server (found by Julian Ospald).
markrad 0:cdf462088d13 934 * Fix net_accept() regarding non-blocking sockets (found by Luca Pesce).
markrad 0:cdf462088d13 935 * Don't print uninitialised buffer in ssl_mail_client (found by Marc Abel).
markrad 0:cdf462088d13 936 * Fix warnings from Clang's scan-build (contributed by Alfred Klomp).
markrad 0:cdf462088d13 937 * Fix compile error in timing.c when POLARSSL_NET_C and POLARSSL_SELFTEST
markrad 0:cdf462088d13 938 are defined but not POLARSSL_HAVE_TIME (found by Stephane Di Vito).
markrad 0:cdf462088d13 939 * Remove non-existent file from VS projects (found by Peter Vaskovic).
markrad 0:cdf462088d13 940 * ssl_read() could return non-application data records on server while
markrad 0:cdf462088d13 941 renegotation was pending, and on client when a HelloRequest was received.
markrad 0:cdf462088d13 942 * Server-initiated renegotiation would fail with non-blocking I/O if the
markrad 0:cdf462088d13 943 write callback returned WANT_WRITE when requesting renegotiation.
markrad 0:cdf462088d13 944 * ssl_close_notify() could send more than one message in some circumstances
markrad 0:cdf462088d13 945 with non-blocking I/O.
markrad 0:cdf462088d13 946 * Fix compiler warnings on iOS (found by Sander Niemeijer).
markrad 0:cdf462088d13 947 * x509_crt_parse() did not increase total_failed on PEM error
markrad 0:cdf462088d13 948 * Fix compile error with armcc in mpi_is_prime()
markrad 0:cdf462088d13 949 * Fix potential bad read in parsing ServerHello (found by Adrien
markrad 0:cdf462088d13 950 Vialletelle).
markrad 0:cdf462088d13 951
markrad 0:cdf462088d13 952 Changes
markrad 0:cdf462088d13 953 * Ciphersuites using SHA-256 or SHA-384 now require TLS 1.x (there is no
markrad 0:cdf462088d13 954 standard defining how to use SHA-2 with SSL 3.0).
markrad 0:cdf462088d13 955 * Ciphersuites using RSA-PSK key exchange new require TLS 1.x (the spec is
markrad 0:cdf462088d13 956 ambiguous on how to encode some packets with SSL 3.0).
markrad 0:cdf462088d13 957 * Made buffer size in pk_write_(pub)key_pem() more dynamic, eg smaller if
markrad 0:cdf462088d13 958 RSA is disabled, larger if POLARSSL_MPI_MAX_SIZE is larger.
markrad 0:cdf462088d13 959 * ssl_read() now returns POLARSSL_ERR_NET_WANT_READ rather than
markrad 0:cdf462088d13 960 POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE on harmless alerts.
markrad 0:cdf462088d13 961 * POLARSSL_MPI_MAX_SIZE now defaults to 1024 in order to allow 8192 bits
markrad 0:cdf462088d13 962 RSA keys.
markrad 0:cdf462088d13 963 * Accept spaces at end of line or end of buffer in base64_decode().
markrad 0:cdf462088d13 964 * X.509 certificates with more than one AttributeTypeAndValue per
markrad 0:cdf462088d13 965 RelativeDistinguishedName are not accepted any more.
markrad 0:cdf462088d13 966
markrad 0:cdf462088d13 967 = PolarSSL 1.3.8 released 2014-07-11
markrad 0:cdf462088d13 968 Security
markrad 0:cdf462088d13 969 * Fix length checking for AEAD ciphersuites (found by Codenomicon).
markrad 0:cdf462088d13 970 It was possible to crash the server (and client) using crafted messages
markrad 0:cdf462088d13 971 when a GCM suite was chosen.
markrad 0:cdf462088d13 972
markrad 0:cdf462088d13 973 Features
markrad 0:cdf462088d13 974 * Add CCM module and cipher mode to Cipher Layer
markrad 0:cdf462088d13 975 * Support for CCM and CCM_8 ciphersuites
markrad 0:cdf462088d13 976 * Support for parsing and verifying RSASSA-PSS signatures in the X.509
markrad 0:cdf462088d13 977 modules (certificates, CRLs and CSRs).
markrad 0:cdf462088d13 978 * Blowfish in the cipher layer now supports variable length keys.
markrad 0:cdf462088d13 979 * Add example config.h for PSK with CCM, optimized for low RAM usage.
markrad 0:cdf462088d13 980 * Optimize for RAM usage in example config.h for NSA Suite B profile.
markrad 0:cdf462088d13 981 * Add POLARSSL_REMOVE_ARC4_CIPHERSUITES to allow removing RC4 ciphersuites
markrad 0:cdf462088d13 982 from the default list (inactive by default).
markrad 0:cdf462088d13 983 * Add server-side enforcement of sent renegotiation requests
markrad 0:cdf462088d13 984 (ssl_set_renegotiation_enforced())
markrad 0:cdf462088d13 985 * Add SSL_CIPHERSUITES config.h flag to allow specifying a list of
markrad 0:cdf462088d13 986 ciphersuites to use and save some memory if the list is small.
markrad 0:cdf462088d13 987
markrad 0:cdf462088d13 988 Changes
markrad 0:cdf462088d13 989 * Add LINK_WITH_PTHREAD option in CMake for explicit linking that is
markrad 0:cdf462088d13 990 required on some platforms (e.g. OpenBSD)
markrad 0:cdf462088d13 991 * Migrate zeroizing of data to polarssl_zeroize() instead of memset()
markrad 0:cdf462088d13 992 against unwanted compiler optimizations
markrad 0:cdf462088d13 993 * md_list() now returns hashes strongest first
markrad 0:cdf462088d13 994 * Selection of hash for signing ServerKeyExchange in TLS 1.2 now picks
markrad 0:cdf462088d13 995 strongest offered by client.
markrad 0:cdf462088d13 996 * All public contexts have _init() and _free() functions now for simpler
markrad 0:cdf462088d13 997 usage pattern
markrad 0:cdf462088d13 998
markrad 0:cdf462088d13 999 Bugfix
markrad 0:cdf462088d13 1000 * Fix in debug_print_msg()
markrad 0:cdf462088d13 1001 * Enforce alignment in the buffer allocator even if buffer is not aligned
markrad 0:cdf462088d13 1002 * Remove less-than-zero checks on unsigned numbers
markrad 0:cdf462088d13 1003 * Stricter check on SSL ClientHello internal sizes compared to actual packet
markrad 0:cdf462088d13 1004 size (found by TrustInSoft)
markrad 0:cdf462088d13 1005 * Fix WSAStartup() return value check (found by Peter Vaskovic)
markrad 0:cdf462088d13 1006 * Other minor issues (found by Peter Vaskovic)
markrad 0:cdf462088d13 1007 * Fix symlink command for cross compiling with CMake (found by Andre
markrad 0:cdf462088d13 1008 Heinecke)
markrad 0:cdf462088d13 1009 * Fix DER output of gen_key app (found by Gergely Budai)
markrad 0:cdf462088d13 1010 * Very small records were incorrectly rejected when truncated HMAC was in
markrad 0:cdf462088d13 1011 use with some ciphersuites and versions (RC4 in all versions, CBC with
markrad 0:cdf462088d13 1012 versions < TLS 1.1).
markrad 0:cdf462088d13 1013 * Very large records using more than 224 bytes of padding were incorrectly
markrad 0:cdf462088d13 1014 rejected with CBC-based ciphersuites and TLS >= 1.1
markrad 0:cdf462088d13 1015 * Very large records using less padding could cause a buffer overread of up
markrad 0:cdf462088d13 1016 to 32 bytes with CBC-based ciphersuites and TLS >= 1.1
markrad 0:cdf462088d13 1017 * Restore ability to use a v1 cert as a CA if trusted locally. (This had
markrad 0:cdf462088d13 1018 been removed in 1.3.6.)
markrad 0:cdf462088d13 1019 * Restore ability to locally trust a self-signed cert that is not a proper
markrad 0:cdf462088d13 1020 CA for use as an end entity certificate. (This had been removed in
markrad 0:cdf462088d13 1021 1.3.6.)
markrad 0:cdf462088d13 1022 * Fix preprocessor checks for bn_mul PPC asm (found by Barry K. Nathan).
markrad 0:cdf462088d13 1023 * Use \n\t rather than semicolons for bn_mul asm, since some assemblers
markrad 0:cdf462088d13 1024 interpret semicolons as comment delimiters (found by Barry K. Nathan).
markrad 0:cdf462088d13 1025 * Fix off-by-one error in parsing Supported Point Format extension that
markrad 0:cdf462088d13 1026 caused some handshakes to fail.
markrad 0:cdf462088d13 1027 * Fix possible miscomputation of the premaster secret with DHE-PSK key
markrad 0:cdf462088d13 1028 exchange that caused some handshakes to fail with other implementations.
markrad 0:cdf462088d13 1029 (Failure rate <= 1/255 with common DHM moduli.)
markrad 0:cdf462088d13 1030 * Disable broken Sparc64 bn_mul assembly (found by Florian Obser).
markrad 0:cdf462088d13 1031 * Fix base64_decode() to return and check length correctly (in case of
markrad 0:cdf462088d13 1032 tight buffers)
markrad 0:cdf462088d13 1033 * Fix mpi_write_string() to write "00" as hex output for empty MPI (found
markrad 0:cdf462088d13 1034 by Hui Dong)
markrad 0:cdf462088d13 1035
markrad 0:cdf462088d13 1036 = PolarSSL 1.3.7 released on 2014-05-02
markrad 0:cdf462088d13 1037 Features
markrad 0:cdf462088d13 1038 * debug_set_log_mode() added to determine raw or full logging
markrad 0:cdf462088d13 1039 * debug_set_threshold() added to ignore messages over threshold level
markrad 0:cdf462088d13 1040 * version_check_feature() added to check for compile-time options at
markrad 0:cdf462088d13 1041 run-time
markrad 0:cdf462088d13 1042
markrad 0:cdf462088d13 1043 Changes
markrad 0:cdf462088d13 1044 * POLARSSL_CONFIG_OPTIONS has been removed. All values are individually
markrad 0:cdf462088d13 1045 checked and filled in the relevant module headers
markrad 0:cdf462088d13 1046 * Debug module only outputs full lines instead of parts
markrad 0:cdf462088d13 1047 * Better support for the different Attribute Types from IETF PKIX (RFC 5280)
markrad 0:cdf462088d13 1048 * AES-NI now compiles with "old" assemblers too
markrad 0:cdf462088d13 1049 * Ciphersuites based on RC4 now have the lowest priority by default
markrad 0:cdf462088d13 1050
markrad 0:cdf462088d13 1051 Bugfix
markrad 0:cdf462088d13 1052 * Only iterate over actual certificates in ssl_write_certificate_request()
markrad 0:cdf462088d13 1053 (found by Matthew Page)
markrad 0:cdf462088d13 1054 * Typos in platform.c and pkcs11.c (found by Daniel Phillips and Steffan
markrad 0:cdf462088d13 1055 Karger)
markrad 0:cdf462088d13 1056 * cert_write app should use subject of issuer certificate as issuer of cert
markrad 0:cdf462088d13 1057 * Fix false reject in padding check in ssl_decrypt_buf() for CBC
markrad 0:cdf462088d13 1058 ciphersuites, for full SSL frames of data.
markrad 0:cdf462088d13 1059 * Improve interoperability by not writing extension length in ClientHello /
markrad 0:cdf462088d13 1060 ServerHello when no extensions are present (found by Matthew Page)
markrad 0:cdf462088d13 1061 * rsa_check_pubkey() now allows an E up to N
markrad 0:cdf462088d13 1062 * On OpenBSD, use arc4random_buf() instead of rand() to prevent warnings
markrad 0:cdf462088d13 1063 * mpi_fill_random() was creating numbers larger than requested on
markrad 0:cdf462088d13 1064 big-endian platform when size was not an integer number of limbs
markrad 0:cdf462088d13 1065 * Fix dependencies issues in X.509 test suite.
markrad 0:cdf462088d13 1066 * Some parts of ssl_tls.c were compiled even when the module was disabled.
markrad 0:cdf462088d13 1067 * Fix detection of DragonflyBSD in net.c (found by Markus Pfeiffer)
markrad 0:cdf462088d13 1068 * Fix detection of Clang on some Apple platforms with CMake
markrad 0:cdf462088d13 1069 (found by Barry K. Nathan)
markrad 0:cdf462088d13 1070
markrad 0:cdf462088d13 1071 = PolarSSL 1.3.6 released on 2014-04-11
markrad 0:cdf462088d13 1072
markrad 0:cdf462088d13 1073 Features
markrad 0:cdf462088d13 1074 * Support for the ALPN SSL extension
markrad 0:cdf462088d13 1075 * Add option 'use_dev_random' to gen_key application
markrad 0:cdf462088d13 1076 * Enable verification of the keyUsage extension for CA and leaf
markrad 0:cdf462088d13 1077 certificates (POLARSSL_X509_CHECK_KEY_USAGE)
markrad 0:cdf462088d13 1078 * Enable verification of the extendedKeyUsage extension
markrad 0:cdf462088d13 1079 (POLARSSL_X509_CHECK_EXTENDED_KEY_USAGE)
markrad 0:cdf462088d13 1080
markrad 0:cdf462088d13 1081 Changes
markrad 0:cdf462088d13 1082 * x509_crt_info() now prints information about parsed extensions as well
markrad 0:cdf462088d13 1083 * pk_verify() now returns a specific error code when the signature is valid
markrad 0:cdf462088d13 1084 but shorter than the supplied length.
markrad 0:cdf462088d13 1085 * Use UTC time to check certificate validity.
markrad 0:cdf462088d13 1086 * Reject certificates with times not in UTC, per RFC 5280.
markrad 0:cdf462088d13 1087
markrad 0:cdf462088d13 1088 Security
markrad 0:cdf462088d13 1089 * Avoid potential timing leak in ecdsa_sign() by blinding modular division.
markrad 0:cdf462088d13 1090 (Found by Watson Ladd.)
markrad 0:cdf462088d13 1091 * The notAfter date of some certificates was no longer checked since 1.3.5.
markrad 0:cdf462088d13 1092 This affects certificates in the user-supplied chain except the top
markrad 0:cdf462088d13 1093 certificate. If the user-supplied chain contains only one certificates,
markrad 0:cdf462088d13 1094 it is not affected (ie, its notAfter date is properly checked).
markrad 0:cdf462088d13 1095 * Prevent potential NULL pointer dereference in ssl_read_record() (found by
markrad 0:cdf462088d13 1096 TrustInSoft)
markrad 0:cdf462088d13 1097
markrad 0:cdf462088d13 1098 Bugfix
markrad 0:cdf462088d13 1099 * The length of various ClientKeyExchange messages was not properly checked.
markrad 0:cdf462088d13 1100 * Some example server programs were not sending the close_notify alert.
markrad 0:cdf462088d13 1101 * Potential memory leak in mpi_exp_mod() when error occurs during
markrad 0:cdf462088d13 1102 calculation of RR.
markrad 0:cdf462088d13 1103 * Fixed malloc/free default #define in platform.c (found by Gergely Budai).
markrad 0:cdf462088d13 1104 * Fixed type which made POLARSSL_ENTROPY_FORCE_SHA256 uneffective (found by
markrad 0:cdf462088d13 1105 Gergely Budai).
markrad 0:cdf462088d13 1106 * Fix #include path in ecdsa.h which wasn't accepted by some compilers.
markrad 0:cdf462088d13 1107 (found by Gergely Budai)
markrad 0:cdf462088d13 1108 * Fix compile errors when POLARSSL_ERROR_STRERROR_BC is undefined (found by
markrad 0:cdf462088d13 1109 Shuo Chen).
markrad 0:cdf462088d13 1110 * oid_get_numeric_string() used to truncate the output without returning an
markrad 0:cdf462088d13 1111 error if the output buffer was just 1 byte too small.
markrad 0:cdf462088d13 1112 * dhm_parse_dhm() (hence dhm_parse_dhmfile()) did not set dhm->len.
markrad 0:cdf462088d13 1113 * Calling pk_debug() on an RSA-alt key would segfault.
markrad 0:cdf462088d13 1114 * pk_get_size() and pk_get_len() were off by a factor 8 for RSA-alt keys.
markrad 0:cdf462088d13 1115 * Potential buffer overwrite in pem_write_buffer() because of low length
markrad 0:cdf462088d13 1116 indication (found by Thijs Alkemade)
markrad 0:cdf462088d13 1117 * EC curves constants, which should be only in ROM since 1.3.3, were also
markrad 0:cdf462088d13 1118 stored in RAM due to missing 'const's (found by Gergely Budai).
markrad 0:cdf462088d13 1119
markrad 0:cdf462088d13 1120 = PolarSSL 1.3.5 released on 2014-03-26
markrad 0:cdf462088d13 1121 Features
markrad 0:cdf462088d13 1122 * HMAC-DRBG as a separate module
markrad 0:cdf462088d13 1123 * Option to set the Curve preference order (disabled by default)
markrad 0:cdf462088d13 1124 * Single Platform compatilibity layer (for memory / printf / fprintf)
markrad 0:cdf462088d13 1125 * Ability to provide alternate timing implementation
markrad 0:cdf462088d13 1126 * Ability to force the entropy module to use SHA-256 as its basis
markrad 0:cdf462088d13 1127 (POLARSSL_ENTROPY_FORCE_SHA256)
markrad 0:cdf462088d13 1128 * Testing script ssl-opt.sh added for testing 'live' ssl option
markrad 0:cdf462088d13 1129 interoperability against OpenSSL and PolarSSL
markrad 0:cdf462088d13 1130 * Support for reading EC keys that use SpecifiedECDomain in some cases.
markrad 0:cdf462088d13 1131 * Entropy module now supports seed writing and reading
markrad 0:cdf462088d13 1132
markrad 0:cdf462088d13 1133 Changes
markrad 0:cdf462088d13 1134 * Deprecated the Memory layer
markrad 0:cdf462088d13 1135 * entropy_add_source(), entropy_update_manual() and entropy_gather()
markrad 0:cdf462088d13 1136 now thread-safe if POLARSSL_THREADING_C defined
markrad 0:cdf462088d13 1137 * Improvements to the CMake build system, contributed by Julian Ospald.
markrad 0:cdf462088d13 1138 * Work around a bug of the version of Clang shipped by Apple with Mavericks
markrad 0:cdf462088d13 1139 that prevented bignum.c from compiling. (Reported by Rafael Baptista.)
markrad 0:cdf462088d13 1140 * Revamped the compat.sh interoperatibility script to include support for
markrad 0:cdf462088d13 1141 testing against GnuTLS
markrad 0:cdf462088d13 1142 * Deprecated ssl_set_own_cert_rsa() and ssl_set_own_cert_rsa_alt()
markrad 0:cdf462088d13 1143 * Improvements to tests/Makefile, contributed by Oden Eriksson.
markrad 0:cdf462088d13 1144
markrad 0:cdf462088d13 1145 Security
markrad 0:cdf462088d13 1146 * Forbid change of server certificate during renegotiation to prevent
markrad 0:cdf462088d13 1147 "triple handshake" attack when authentication mode is 'optional' (the
markrad 0:cdf462088d13 1148 attack was already impossible when authentication is required).
markrad 0:cdf462088d13 1149 * Check notBefore timestamp of certificates and CRLs from the future.
markrad 0:cdf462088d13 1150 * Forbid sequence number wrapping
markrad 0:cdf462088d13 1151 * Fixed possible buffer overflow with overlong PSK
markrad 0:cdf462088d13 1152 * Possible remotely-triggered out-of-bounds memory access fixed (found by
markrad 0:cdf462088d13 1153 TrustInSoft)
markrad 0:cdf462088d13 1154
markrad 0:cdf462088d13 1155 Bugfix
markrad 0:cdf462088d13 1156 * ecp_gen_keypair() does more tries to prevent failure because of
markrad 0:cdf462088d13 1157 statistics
markrad 0:cdf462088d13 1158 * Fixed bug in RSA PKCS#1 v1.5 "reversed" operations
markrad 0:cdf462088d13 1159 * Fixed testing with out-of-source builds using cmake
markrad 0:cdf462088d13 1160 * Fixed version-major intolerance in server
markrad 0:cdf462088d13 1161 * Fixed CMake symlinking on out-of-source builds
markrad 0:cdf462088d13 1162 * Fixed dependency issues in test suite
markrad 0:cdf462088d13 1163 * Programs rsa_sign_pss and rsa_verify_pss were not using PSS since 1.3.0
markrad 0:cdf462088d13 1164 * Bignum's MIPS-32 assembly was used on MIPS-64, causing chaos. (Found by
markrad 0:cdf462088d13 1165 Alex Wilson.)
markrad 0:cdf462088d13 1166 * ssl_cache was creating entries when max_entries=0 if TIMING_C was enabled.
markrad 0:cdf462088d13 1167 * m_sleep() was sleeping twice too long on most Unix platforms.
markrad 0:cdf462088d13 1168 * Fixed bug with session tickets and non-blocking I/O in the unlikely case
markrad 0:cdf462088d13 1169 send() would return an EAGAIN error when sending the ticket.
markrad 0:cdf462088d13 1170 * ssl_cache was leaking memory when reusing a timed out entry containing a
markrad 0:cdf462088d13 1171 client certificate.
markrad 0:cdf462088d13 1172 * ssl_srv was leaking memory when client presented a timed out ticket
markrad 0:cdf462088d13 1173 containing a client certificate
markrad 0:cdf462088d13 1174 * ssl_init() was leaving a dirty pointer in ssl_context if malloc of
markrad 0:cdf462088d13 1175 out_ctr failed
markrad 0:cdf462088d13 1176 * ssl_handshake_init() was leaving dirty pointers in subcontexts if malloc
markrad 0:cdf462088d13 1177 of one of them failed
markrad 0:cdf462088d13 1178 * Fix typo in rsa_copy() that impacted PKCS#1 v2 contexts
markrad 0:cdf462088d13 1179 * x509_get_current_time() uses localtime_r() to prevent thread issues
markrad 0:cdf462088d13 1180
markrad 0:cdf462088d13 1181 = PolarSSL 1.3.4 released on 2014-01-27
markrad 0:cdf462088d13 1182 Features
markrad 0:cdf462088d13 1183 * Support for the Koblitz curves: secp192k1, secp224k1, secp256k1
markrad 0:cdf462088d13 1184 * Support for RIPEMD-160
markrad 0:cdf462088d13 1185 * Support for AES CFB8 mode
markrad 0:cdf462088d13 1186 * Support for deterministic ECDSA (RFC 6979)
markrad 0:cdf462088d13 1187
markrad 0:cdf462088d13 1188 Bugfix
markrad 0:cdf462088d13 1189 * Potential memory leak in bignum_selftest()
markrad 0:cdf462088d13 1190 * Replaced expired test certificate
markrad 0:cdf462088d13 1191 * ssl_mail_client now terminates lines with CRLF, instead of LF
markrad 0:cdf462088d13 1192 * net module handles timeouts on blocking sockets better (found by Tilman
markrad 0:cdf462088d13 1193 Sauerbeck)
markrad 0:cdf462088d13 1194 * Assembly format fixes in bn_mul.h
markrad 0:cdf462088d13 1195
markrad 0:cdf462088d13 1196 Security
markrad 0:cdf462088d13 1197 * Missing MPI_CHK calls added around unguarded mpi calls (found by
markrad 0:cdf462088d13 1198 TrustInSoft)
markrad 0:cdf462088d13 1199
markrad 0:cdf462088d13 1200 = PolarSSL 1.3.3 released on 2013-12-31
markrad 0:cdf462088d13 1201 Features
markrad 0:cdf462088d13 1202 * EC key generation support in gen_key app
markrad 0:cdf462088d13 1203 * Support for adhering to client ciphersuite order preference
markrad 0:cdf462088d13 1204 (POLARSSL_SSL_SRV_RESPECT_CLIENT_PREFERENCE)
markrad 0:cdf462088d13 1205 * Support for Curve25519
markrad 0:cdf462088d13 1206 * Support for ECDH-RSA and ECDH-ECDSA key exchanges and ciphersuites
markrad 0:cdf462088d13 1207 * Support for IPv6 in the NET module
markrad 0:cdf462088d13 1208 * AES-NI support for AES, AES-GCM and AES key scheduling
markrad 0:cdf462088d13 1209 * SSL Pthread-based server example added (ssl_pthread_server)
markrad 0:cdf462088d13 1210
markrad 0:cdf462088d13 1211 Changes
markrad 0:cdf462088d13 1212 * gen_prime() speedup
markrad 0:cdf462088d13 1213 * Speedup of ECP multiplication operation
markrad 0:cdf462088d13 1214 * Relaxed some SHA2 ciphersuite's version requirements
markrad 0:cdf462088d13 1215 * Dropped use of readdir_r() instead of readdir() with threading support
markrad 0:cdf462088d13 1216 * More constant-time checks in the RSA module
markrad 0:cdf462088d13 1217 * Split off curves from ecp.c into ecp_curves.c
markrad 0:cdf462088d13 1218 * Curves are now stored fully in ROM
markrad 0:cdf462088d13 1219 * Memory usage optimizations in ECP module
markrad 0:cdf462088d13 1220 * Removed POLARSSL_THREADING_DUMMY
markrad 0:cdf462088d13 1221
markrad 0:cdf462088d13 1222 Bugfix
markrad 0:cdf462088d13 1223 * Fixed bug in mpi_set_bit() on platforms where t_uint is wider than int
markrad 0:cdf462088d13 1224 * Fixed X.509 hostname comparison (with non-regular characters)
markrad 0:cdf462088d13 1225 * SSL now gracefully handles missing RNG
markrad 0:cdf462088d13 1226 * Missing defines / cases for RSA_PSK key exchange
markrad 0:cdf462088d13 1227 * crypt_and_hash app checks MAC before final decryption
markrad 0:cdf462088d13 1228 * Potential memory leak in ssl_ticket_keys_init()
markrad 0:cdf462088d13 1229 * Memory leak in benchmark application
markrad 0:cdf462088d13 1230 * Fixed x509_crt_parse_path() bug on Windows platforms
markrad 0:cdf462088d13 1231 * Added missing MPI_CHK() around some statements in mpi_div_mpi() (found by
markrad 0:cdf462088d13 1232 TrustInSoft)
markrad 0:cdf462088d13 1233 * Fixed potential overflow in certificate size verification in
markrad 0:cdf462088d13 1234 ssl_write_certificate() (found by TrustInSoft)
markrad 0:cdf462088d13 1235
markrad 0:cdf462088d13 1236 Security
markrad 0:cdf462088d13 1237 * Possible remotely-triggered out-of-bounds memory access fixed (found by
markrad 0:cdf462088d13 1238 TrustInSoft)
markrad 0:cdf462088d13 1239
markrad 0:cdf462088d13 1240 = PolarSSL 1.3.2 released on 2013-11-04
markrad 0:cdf462088d13 1241 Features
markrad 0:cdf462088d13 1242 * PK tests added to test framework
markrad 0:cdf462088d13 1243 * Added optional optimization for NIST MODP curves (POLARSSL_ECP_NIST_OPTIM)
markrad 0:cdf462088d13 1244 * Support for Camellia-GCM mode and ciphersuites
markrad 0:cdf462088d13 1245
markrad 0:cdf462088d13 1246 Changes
markrad 0:cdf462088d13 1247 * Padding checks in cipher layer are now constant-time
markrad 0:cdf462088d13 1248 * Value comparisons in SSL layer are now constant-time
markrad 0:cdf462088d13 1249 * Support for serialNumber, postalAddress and postalCode in X509 names
markrad 0:cdf462088d13 1250 * SSL Renegotiation was refactored
markrad 0:cdf462088d13 1251
markrad 0:cdf462088d13 1252 Bugfix
markrad 0:cdf462088d13 1253 * More stringent checks in cipher layer
markrad 0:cdf462088d13 1254 * Server does not send out extensions not advertised by client
markrad 0:cdf462088d13 1255 * Prevent possible alignment warnings on casting from char * to 'aligned *'
markrad 0:cdf462088d13 1256 * Misc fixes and additions to dependency checks
markrad 0:cdf462088d13 1257 * Const correctness
markrad 0:cdf462088d13 1258 * cert_write with selfsign should use issuer_name as subject_name
markrad 0:cdf462088d13 1259 * Fix ECDSA corner case: missing reduction mod N (found by DualTachyon)
markrad 0:cdf462088d13 1260 * Defines to handle UEFI environment under MSVC
markrad 0:cdf462088d13 1261 * Server-side initiated renegotiations send HelloRequest
markrad 0:cdf462088d13 1262
markrad 0:cdf462088d13 1263 = PolarSSL 1.3.1 released on 2013-10-15
markrad 0:cdf462088d13 1264 Features
markrad 0:cdf462088d13 1265 * Support for Brainpool curves and TLS ciphersuites (RFC 7027)
markrad 0:cdf462088d13 1266 * Support for ECDHE-PSK key-exchange and ciphersuites
markrad 0:cdf462088d13 1267 * Support for RSA-PSK key-exchange and ciphersuites
markrad 0:cdf462088d13 1268
markrad 0:cdf462088d13 1269 Changes
markrad 0:cdf462088d13 1270 * RSA blinding locks for a smaller amount of time
markrad 0:cdf462088d13 1271 * TLS compression only allocates working buffer once
markrad 0:cdf462088d13 1272 * Introduced POLARSSL_HAVE_READDIR_R for systems without it
markrad 0:cdf462088d13 1273 * config.h is more script-friendly
markrad 0:cdf462088d13 1274
markrad 0:cdf462088d13 1275 Bugfix
markrad 0:cdf462088d13 1276 * Missing MSVC defines added
markrad 0:cdf462088d13 1277 * Compile errors with POLARSSL_RSA_NO_CRT
markrad 0:cdf462088d13 1278 * Header files with 'polarssl/'
markrad 0:cdf462088d13 1279 * Const correctness
markrad 0:cdf462088d13 1280 * Possible naming collision in dhm_context
markrad 0:cdf462088d13 1281 * Better support for MSVC
markrad 0:cdf462088d13 1282 * threading_set_alt() name
markrad 0:cdf462088d13 1283 * Added missing x509write_crt_set_version()
markrad 0:cdf462088d13 1284
markrad 0:cdf462088d13 1285 = PolarSSL 1.3.0 released on 2013-10-01
markrad 0:cdf462088d13 1286 Features
markrad 0:cdf462088d13 1287 * Elliptic Curve Cryptography module added
markrad 0:cdf462088d13 1288 * Elliptic Curve Diffie Hellman module added
markrad 0:cdf462088d13 1289 * Ephemeral Elliptic Curve Diffie Hellman support for SSL/TLS
markrad 0:cdf462088d13 1290 (ECDHE-based ciphersuites)
markrad 0:cdf462088d13 1291 * Ephemeral Elliptic Curve Digital Signature Algorithm support for SSL/TLS
markrad 0:cdf462088d13 1292 (ECDSA-based ciphersuites)
markrad 0:cdf462088d13 1293 * Ability to specify allowed ciphersuites based on the protocol version.
markrad 0:cdf462088d13 1294 * PSK and DHE-PSK based ciphersuites added
markrad 0:cdf462088d13 1295 * Memory allocation abstraction layer added
markrad 0:cdf462088d13 1296 * Buffer-based memory allocator added (no malloc() / free() / HEAP usage)
markrad 0:cdf462088d13 1297 * Threading abstraction layer added (dummy / pthread / alternate)
markrad 0:cdf462088d13 1298 * Public Key abstraction layer added
markrad 0:cdf462088d13 1299 * Parsing Elliptic Curve keys
markrad 0:cdf462088d13 1300 * Parsing Elliptic Curve certificates
markrad 0:cdf462088d13 1301 * Support for max_fragment_length extension (RFC 6066)
markrad 0:cdf462088d13 1302 * Support for truncated_hmac extension (RFC 6066)
markrad 0:cdf462088d13 1303 * Support for zeros-and-length (ANSI X.923) padding, one-and-zeros
markrad 0:cdf462088d13 1304 (ISO/IEC 7816-4) padding and zero padding in the cipher layer
markrad 0:cdf462088d13 1305 * Support for session tickets (RFC 5077)
markrad 0:cdf462088d13 1306 * Certificate Request (CSR) generation with extensions (key_usage,
markrad 0:cdf462088d13 1307 ns_cert_type)
markrad 0:cdf462088d13 1308 * X509 Certificate writing with extensions (basic_constraints,
markrad 0:cdf462088d13 1309 issuer_key_identifier, etc)
markrad 0:cdf462088d13 1310 * Optional blinding for RSA, DHM and EC
markrad 0:cdf462088d13 1311 * Support for multiple active certificate / key pairs in SSL servers for
markrad 0:cdf462088d13 1312 the same host (Not to be confused with SNI!)
markrad 0:cdf462088d13 1313
markrad 0:cdf462088d13 1314 Changes
markrad 0:cdf462088d13 1315 * Ability to enable / disable SSL v3 / TLS 1.0 / TLS 1.1 / TLS 1.2
markrad 0:cdf462088d13 1316 individually
markrad 0:cdf462088d13 1317 * Introduced separate SSL Ciphersuites module that is based on
markrad 0:cdf462088d13 1318 Cipher and MD information
markrad 0:cdf462088d13 1319 * Internals for SSL module adapted to have separate IV pointer that is
markrad 0:cdf462088d13 1320 dynamically set (Better support for hardware acceleration)
markrad 0:cdf462088d13 1321 * Moved all OID functionality to a separate module. RSA function
markrad 0:cdf462088d13 1322 prototypes for the RSA sign and verify functions changed as a result
markrad 0:cdf462088d13 1323 * Split up the GCM module into a starts/update/finish cycle
markrad 0:cdf462088d13 1324 * Client and server now filter sent and accepted ciphersuites on minimum
markrad 0:cdf462088d13 1325 and maximum protocol version
markrad 0:cdf462088d13 1326 * Ability to disable server_name extension (RFC 6066)
markrad 0:cdf462088d13 1327 * Renamed error_strerror() to the less conflicting polarssl_strerror()
markrad 0:cdf462088d13 1328 (Ability to keep old as well with POLARSSL_ERROR_STRERROR_BC)
markrad 0:cdf462088d13 1329 * SHA2 renamed to SHA256, SHA4 renamed to SHA512 and functions accordingly
markrad 0:cdf462088d13 1330 * All RSA operations require a random generator for blinding purposes
markrad 0:cdf462088d13 1331 * X509 core refactored
markrad 0:cdf462088d13 1332 * x509_crt_verify() now case insensitive for cn (RFC 6125 6.4)
markrad 0:cdf462088d13 1333 * Also compiles / runs without time-based functions (!POLARSSL_HAVE_TIME)
markrad 0:cdf462088d13 1334 * Support faulty X509 v1 certificates with extensions
markrad 0:cdf462088d13 1335 (POLARSSL_X509_ALLOW_EXTENSIONS_NON_V3)
markrad 0:cdf462088d13 1336
markrad 0:cdf462088d13 1337 Bugfix
markrad 0:cdf462088d13 1338 * Fixed parse error in ssl_parse_certificate_request()
markrad 0:cdf462088d13 1339 * zlib compression/decompression skipped on empty blocks
markrad 0:cdf462088d13 1340 * Support for AIX header locations in net.c module
markrad 0:cdf462088d13 1341 * Fixed file descriptor leaks
markrad 0:cdf462088d13 1342
markrad 0:cdf462088d13 1343 Security
markrad 0:cdf462088d13 1344 * RSA blinding on CRT operations to counter timing attacks
markrad 0:cdf462088d13 1345 (found by Cyril Arnaud and Pierre-Alain Fouque)
markrad 0:cdf462088d13 1346
markrad 0:cdf462088d13 1347
markrad 0:cdf462088d13 1348 = Version 1.2.14 released 2015-05-??
markrad 0:cdf462088d13 1349
markrad 0:cdf462088d13 1350 Security
markrad 0:cdf462088d13 1351 * Fix potential invalid memory read in the server, that allows a client to
markrad 0:cdf462088d13 1352 crash it remotely (found by Caj Larsson).
markrad 0:cdf462088d13 1353 * Fix potential invalid memory read in certificate parsing, that allows a
markrad 0:cdf462088d13 1354 client to crash the server remotely if client authentication is enabled
markrad 0:cdf462088d13 1355 (found using Codenomicon Defensics).
markrad 0:cdf462088d13 1356 * Add countermeasure against "Lucky 13 strikes back" cache-based attack,
markrad 0:cdf462088d13 1357 https://dl.acm.org/citation.cfm?id=2714625
markrad 0:cdf462088d13 1358
markrad 0:cdf462088d13 1359 Bugfix
markrad 0:cdf462088d13 1360 * Fix bug in Via Padlock support (found by Nikos Mavrogiannopoulos).
markrad 0:cdf462088d13 1361 * Fix hardclock() (only used in the benchmarking program) with some
markrad 0:cdf462088d13 1362 versions of mingw64 (found by kxjhlele).
markrad 0:cdf462088d13 1363 * Fix warnings from mingw64 in timing.c (found by kxjklele).
markrad 0:cdf462088d13 1364 * Fix potential unintended sign extension in asn1_get_len() on 64-bit
markrad 0:cdf462088d13 1365 platforms (found with Coverity Scan).
markrad 0:cdf462088d13 1366
markrad 0:cdf462088d13 1367 = Version 1.2.13 released 2015-02-16
markrad 0:cdf462088d13 1368 Note: Although PolarSSL has been renamed to mbed TLS, no changes reflecting
markrad 0:cdf462088d13 1369 this will be made in the 1.2 branch at this point.
markrad 0:cdf462088d13 1370
markrad 0:cdf462088d13 1371 Security
markrad 0:cdf462088d13 1372 * Fix remotely-triggerable uninitialised pointer dereference caused by
markrad 0:cdf462088d13 1373 crafted X.509 certificate (TLS server is not affected if it doesn't ask
markrad 0:cdf462088d13 1374 for a client certificate) (found using Codenomicon Defensics).
markrad 0:cdf462088d13 1375 * Fix remotely-triggerable memory leak caused by crafted X.509 certificates
markrad 0:cdf462088d13 1376 (TLS server is not affected if it doesn't ask for a client certificate)
markrad 0:cdf462088d13 1377 (found using Codenomicon Defensics).
markrad 0:cdf462088d13 1378 * Fix potential stack overflow while parsing crafted X.509 certificates
markrad 0:cdf462088d13 1379 (TLS server is not affected if it doesn't ask for a client certificate)
markrad 0:cdf462088d13 1380 found using Codenomicon Defensics).
markrad 0:cdf462088d13 1381 * Fix buffer overread of size 1 when parsing crafted X.509 certificates
markrad 0:cdf462088d13 1382 (TLS server is not affected if it doesn't ask for a client certificate).
markrad 0:cdf462088d13 1383
markrad 0:cdf462088d13 1384 Bugfix
markrad 0:cdf462088d13 1385 * Fix potential undefined behaviour in Camellia.
markrad 0:cdf462088d13 1386 * Fix memory leaks in PKCS#5 and PKCS#12.
markrad 0:cdf462088d13 1387 * Stack buffer overflow if ctr_drbg_update() is called with too large
markrad 0:cdf462088d13 1388 add_len (found by Jean-Philippe Aumasson) (not triggerable remotely).
markrad 0:cdf462088d13 1389 * Fix bug in MPI/bignum on s390/s390x (reported by Dan Horák) (introduced
markrad 0:cdf462088d13 1390 in 1.2.12).
markrad 0:cdf462088d13 1391 * Fix unchecked return code in x509_crt_parse_path() on Windows (found by
markrad 0:cdf462088d13 1392 Peter Vaskovic).
markrad 0:cdf462088d13 1393 * Fix assembly selection for MIPS64 (thanks to James Cowgill).
markrad 0:cdf462088d13 1394 * ssl_get_verify_result() now works even if the handshake was aborted due
markrad 0:cdf462088d13 1395 to a failed verification (found by Fredrik Axelsson).
markrad 0:cdf462088d13 1396 * Skip writing and parsing signature_algorithm extension if none of the
markrad 0:cdf462088d13 1397 key exchanges enabled needs certificates. This fixes a possible interop
markrad 0:cdf462088d13 1398 issue with some servers when a zero-length extension was sent. (Reported
markrad 0:cdf462088d13 1399 by Peter Dettman.)
markrad 0:cdf462088d13 1400 * On a 0-length input, base64_encode() did not correctly set output length
markrad 0:cdf462088d13 1401 (found by Hendrik van den Boogaard).
markrad 0:cdf462088d13 1402
markrad 0:cdf462088d13 1403 Changes
markrad 0:cdf462088d13 1404 * Blind RSA private operations even when POLARSSL_RSA_NO_CRT is defined.
markrad 0:cdf462088d13 1405 * Forbid repeated extensions in X.509 certificates.
markrad 0:cdf462088d13 1406 * Add compile-time option POLARSSL_X509_MAX_INTERMEDIATE_CA to limit the
markrad 0:cdf462088d13 1407 length of an X.509 verification chain (default = 8).
markrad 0:cdf462088d13 1408 = Version 1.2.12 released 2014-10-24
markrad 0:cdf462088d13 1409
markrad 0:cdf462088d13 1410 Security
markrad 0:cdf462088d13 1411 * Remotely-triggerable memory leak when parsing some X.509 certificates
markrad 0:cdf462088d13 1412 (server is not affected if it doesn't ask for a client certificate).
markrad 0:cdf462088d13 1413 (Found using Codenomicon Defensics.)
markrad 0:cdf462088d13 1414
markrad 0:cdf462088d13 1415 Bugfix
markrad 0:cdf462088d13 1416 * Fix potential bad read in parsing ServerHello (found by Adrien
markrad 0:cdf462088d13 1417 Vialletelle).
markrad 0:cdf462088d13 1418 * ssl_close_notify() could send more than one message in some circumstances
markrad 0:cdf462088d13 1419 with non-blocking I/O.
markrad 0:cdf462088d13 1420 * x509_crt_parse() did not increase total_failed on PEM error
markrad 0:cdf462088d13 1421 * Fix compiler warnings on iOS (found by Sander Niemeijer).
markrad 0:cdf462088d13 1422 * Don't print uninitialised buffer in ssl_mail_client (found by Marc Abel).
markrad 0:cdf462088d13 1423 * Fix net_accept() regarding non-blocking sockets (found by Luca Pesce).
markrad 0:cdf462088d13 1424 * ssl_read() could return non-application data records on server while
markrad 0:cdf462088d13 1425 renegotation was pending, and on client when a HelloRequest was received.
markrad 0:cdf462088d13 1426 * Fix warnings from Clang's scan-build (contributed by Alfred Klomp).
markrad 0:cdf462088d13 1427
markrad 0:cdf462088d13 1428 Changes
markrad 0:cdf462088d13 1429 * X.509 certificates with more than one AttributeTypeAndValue per
markrad 0:cdf462088d13 1430 RelativeDistinguishedName are not accepted any more.
markrad 0:cdf462088d13 1431 * ssl_read() now returns POLARSSL_ERR_NET_WANT_READ rather than
markrad 0:cdf462088d13 1432 POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE on harmless alerts.
markrad 0:cdf462088d13 1433 * Accept spaces at end of line or end of buffer in base64_decode().
markrad 0:cdf462088d13 1434
markrad 0:cdf462088d13 1435 = Version 1.2.11 released 2014-07-11
markrad 0:cdf462088d13 1436 Features
markrad 0:cdf462088d13 1437 * Entropy module now supports seed writing and reading
markrad 0:cdf462088d13 1438
markrad 0:cdf462088d13 1439 Changes
markrad 0:cdf462088d13 1440 * Introduced POLARSSL_HAVE_READDIR_R for systems without it
markrad 0:cdf462088d13 1441 * Improvements to the CMake build system, contributed by Julian Ospald.
markrad 0:cdf462088d13 1442 * Work around a bug of the version of Clang shipped by Apple with Mavericks
markrad 0:cdf462088d13 1443 that prevented bignum.c from compiling. (Reported by Rafael Baptista.)
markrad 0:cdf462088d13 1444 * Improvements to tests/Makefile, contributed by Oden Eriksson.
markrad 0:cdf462088d13 1445 * Use UTC time to check certificate validity.
markrad 0:cdf462088d13 1446 * Reject certificates with times not in UTC, per RFC 5280.
markrad 0:cdf462088d13 1447 * Migrate zeroizing of data to polarssl_zeroize() instead of memset()
markrad 0:cdf462088d13 1448 against unwanted compiler optimizations
markrad 0:cdf462088d13 1449
markrad 0:cdf462088d13 1450 Security
markrad 0:cdf462088d13 1451 * Forbid change of server certificate during renegotiation to prevent
markrad 0:cdf462088d13 1452 "triple handshake" attack when authentication mode is optional (the
markrad 0:cdf462088d13 1453 attack was already impossible when authentication is required).
markrad 0:cdf462088d13 1454 * Check notBefore timestamp of certificates and CRLs from the future.
markrad 0:cdf462088d13 1455 * Forbid sequence number wrapping
markrad 0:cdf462088d13 1456 * Prevent potential NULL pointer dereference in ssl_read_record() (found by
markrad 0:cdf462088d13 1457 TrustInSoft)
markrad 0:cdf462088d13 1458 * Fix length checking for AEAD ciphersuites (found by Codenomicon).
markrad 0:cdf462088d13 1459 It was possible to crash the server (and client) using crafted messages
markrad 0:cdf462088d13 1460 when a GCM suite was chosen.
markrad 0:cdf462088d13 1461
markrad 0:cdf462088d13 1462 Bugfix
markrad 0:cdf462088d13 1463 * Fixed X.509 hostname comparison (with non-regular characters)
markrad 0:cdf462088d13 1464 * SSL now gracefully handles missing RNG
markrad 0:cdf462088d13 1465 * crypt_and_hash app checks MAC before final decryption
markrad 0:cdf462088d13 1466 * Fixed x509_crt_parse_path() bug on Windows platforms
markrad 0:cdf462088d13 1467 * Added missing MPI_CHK() around some statements in mpi_div_mpi() (found by
markrad 0:cdf462088d13 1468 TrustInSoft)
markrad 0:cdf462088d13 1469 * Fixed potential overflow in certificate size verification in
markrad 0:cdf462088d13 1470 ssl_write_certificate() (found by TrustInSoft)
markrad 0:cdf462088d13 1471 * Fix ASM format in bn_mul.h
markrad 0:cdf462088d13 1472 * Potential memory leak in bignum_selftest()
markrad 0:cdf462088d13 1473 * Replaced expired test certificate
markrad 0:cdf462088d13 1474 * ssl_mail_client now terminates lines with CRLF, instead of LF
markrad 0:cdf462088d13 1475 * Fix bug in RSA PKCS#1 v1.5 "reversed" operations
markrad 0:cdf462088d13 1476 * Fixed testing with out-of-source builds using cmake
markrad 0:cdf462088d13 1477 * Fixed version-major intolerance in server
markrad 0:cdf462088d13 1478 * Fixed CMake symlinking on out-of-source builds
markrad 0:cdf462088d13 1479 * Bignum's MIPS-32 assembly was used on MIPS-64, causing chaos. (Found by
markrad 0:cdf462088d13 1480 Alex Wilson.)
markrad 0:cdf462088d13 1481 * ssl_init() was leaving a dirty pointer in ssl_context if malloc of
markrad 0:cdf462088d13 1482 out_ctr failed
markrad 0:cdf462088d13 1483 * ssl_handshake_init() was leaving dirty pointers in subcontexts if malloc
markrad 0:cdf462088d13 1484 of one of them failed
markrad 0:cdf462088d13 1485 * x509_get_current_time() uses localtime_r() to prevent thread issues
markrad 0:cdf462088d13 1486 * Some example server programs were not sending the close_notify alert.
markrad 0:cdf462088d13 1487 * Potential memory leak in mpi_exp_mod() when error occurs during
markrad 0:cdf462088d13 1488 calculation of RR.
markrad 0:cdf462088d13 1489 * Improve interoperability by not writing extension length in ClientHello
markrad 0:cdf462088d13 1490 when no extensions are present (found by Matthew Page)
markrad 0:cdf462088d13 1491 * rsa_check_pubkey() now allows an E up to N
markrad 0:cdf462088d13 1492 * On OpenBSD, use arc4random_buf() instead of rand() to prevent warnings
markrad 0:cdf462088d13 1493 * mpi_fill_random() was creating numbers larger than requested on
markrad 0:cdf462088d13 1494 big-endian platform when size was not an integer number of limbs
markrad 0:cdf462088d13 1495 * Fix detection of DragonflyBSD in net.c (found by Markus Pfeiffer)
markrad 0:cdf462088d13 1496 * Stricter check on SSL ClientHello internal sizes compared to actual packet
markrad 0:cdf462088d13 1497 size (found by TrustInSoft)
markrad 0:cdf462088d13 1498 * Fix preprocessor checks for bn_mul PPC asm (found by Barry K. Nathan).
markrad 0:cdf462088d13 1499 * Use \n\t rather than semicolons for bn_mul asm, since some assemblers
markrad 0:cdf462088d13 1500 interpret semicolons as comment delimiters (found by Barry K. Nathan).
markrad 0:cdf462088d13 1501 * Disable broken Sparc64 bn_mul assembly (found by Florian Obser).
markrad 0:cdf462088d13 1502 * Fix base64_decode() to return and check length correctly (in case of
markrad 0:cdf462088d13 1503 tight buffers)
markrad 0:cdf462088d13 1504
markrad 0:cdf462088d13 1505 = Version 1.2.10 released 2013-10-07
markrad 0:cdf462088d13 1506 Changes
markrad 0:cdf462088d13 1507 * Changed RSA blinding to a slower but thread-safe version
markrad 0:cdf462088d13 1508
markrad 0:cdf462088d13 1509 Bugfix
markrad 0:cdf462088d13 1510 * Fixed memory leak in RSA as a result of introduction of blinding
markrad 0:cdf462088d13 1511 * Fixed ssl_pkcs11_decrypt() prototype
markrad 0:cdf462088d13 1512 * Fixed MSVC project files
markrad 0:cdf462088d13 1513
markrad 0:cdf462088d13 1514 = Version 1.2.9 released 2013-10-01
markrad 0:cdf462088d13 1515 Changes
markrad 0:cdf462088d13 1516 * x509_verify() now case insensitive for cn (RFC 6125 6.4)
markrad 0:cdf462088d13 1517
markrad 0:cdf462088d13 1518 Bugfix
markrad 0:cdf462088d13 1519 * Fixed potential memory leak when failing to resume a session
markrad 0:cdf462088d13 1520 * Fixed potential file descriptor leaks (found by Remi Gacogne)
markrad 0:cdf462088d13 1521 * Minor fixes
markrad 0:cdf462088d13 1522
markrad 0:cdf462088d13 1523 Security
markrad 0:cdf462088d13 1524 * Fixed potential heap buffer overflow on large hostname setting
markrad 0:cdf462088d13 1525 * Fixed potential negative value misinterpretation in load_file()
markrad 0:cdf462088d13 1526 * RSA blinding on CRT operations to counter timing attacks
markrad 0:cdf462088d13 1527 (found by Cyril Arnaud and Pierre-Alain Fouque)
markrad 0:cdf462088d13 1528
markrad 0:cdf462088d13 1529 = Version 1.2.8 released 2013-06-19
markrad 0:cdf462088d13 1530 Features
markrad 0:cdf462088d13 1531 * Parsing of PKCS#8 encrypted private key files
markrad 0:cdf462088d13 1532 * PKCS#12 PBE and derivation functions
markrad 0:cdf462088d13 1533 * Centralized module option values in config.h to allow user-defined
markrad 0:cdf462088d13 1534 settings without editing header files by using POLARSSL_CONFIG_OPTIONS
markrad 0:cdf462088d13 1535
markrad 0:cdf462088d13 1536 Changes
markrad 0:cdf462088d13 1537 * HAVEGE random generator disabled by default
markrad 0:cdf462088d13 1538 * Internally split up x509parse_key() into a (PEM) handler function
markrad 0:cdf462088d13 1539 and specific DER parser functions for the PKCS#1 and unencrypted
markrad 0:cdf462088d13 1540 PKCS#8 private key formats
markrad 0:cdf462088d13 1541 * Added mechanism to provide alternative implementations for all
markrad 0:cdf462088d13 1542 symmetric cipher and hash algorithms (e.g. POLARSSL_AES_ALT in
markrad 0:cdf462088d13 1543 config.h)
markrad 0:cdf462088d13 1544 * PKCS#5 module added. Moved PBKDF2 functionality inside and deprecated
markrad 0:cdf462088d13 1545 old PBKDF2 module
markrad 0:cdf462088d13 1546
markrad 0:cdf462088d13 1547 Bugfix
markrad 0:cdf462088d13 1548 * Secure renegotiation extension should only be sent in case client
markrad 0:cdf462088d13 1549 supports secure renegotiation
markrad 0:cdf462088d13 1550 * Fixed offset for cert_type list in ssl_parse_certificate_request()
markrad 0:cdf462088d13 1551 * Fixed const correctness issues that have no impact on the ABI
markrad 0:cdf462088d13 1552 * x509parse_crt() now better handles PEM error situations
markrad 0:cdf462088d13 1553 * ssl_parse_certificate() now calls x509parse_crt_der() directly
markrad 0:cdf462088d13 1554 instead of the x509parse_crt() wrapper that can also parse PEM
markrad 0:cdf462088d13 1555 certificates
markrad 0:cdf462088d13 1556 * x509parse_crtpath() is now reentrant and uses more portable stat()
markrad 0:cdf462088d13 1557 * Fixed bignum.c and bn_mul.h to support Thumb2 and LLVM compiler
markrad 0:cdf462088d13 1558 * Fixed values for 2-key Triple DES in cipher layer
markrad 0:cdf462088d13 1559 * ssl_write_certificate_request() can handle empty ca_chain
markrad 0:cdf462088d13 1560
markrad 0:cdf462088d13 1561 Security
markrad 0:cdf462088d13 1562 * A possible DoS during the SSL Handshake, due to faulty parsing of
markrad 0:cdf462088d13 1563 PEM-encoded certificates has been fixed (found by Jack Lloyd)
markrad 0:cdf462088d13 1564
markrad 0:cdf462088d13 1565 = Version 1.2.7 released 2013-04-13
markrad 0:cdf462088d13 1566 Features
markrad 0:cdf462088d13 1567 * Ability to specify allowed ciphersuites based on the protocol version.
markrad 0:cdf462088d13 1568
markrad 0:cdf462088d13 1569 Changes
markrad 0:cdf462088d13 1570 * Default Blowfish keysize is now 128-bits
markrad 0:cdf462088d13 1571 * Test suites made smaller to accommodate Raspberry Pi
markrad 0:cdf462088d13 1572
markrad 0:cdf462088d13 1573 Bugfix
markrad 0:cdf462088d13 1574 * Fix for MPI assembly for ARM
markrad 0:cdf462088d13 1575 * GCM adapted to support sizes > 2^29
markrad 0:cdf462088d13 1576
markrad 0:cdf462088d13 1577 = Version 1.2.6 released 2013-03-11
markrad 0:cdf462088d13 1578 Bugfix
markrad 0:cdf462088d13 1579 * Fixed memory leak in ssl_free() and ssl_reset() for active session
markrad 0:cdf462088d13 1580 * Corrected GCM counter incrementation to use only 32-bits instead of
markrad 0:cdf462088d13 1581 128-bits (found by Yawning Angel)
markrad 0:cdf462088d13 1582 * Fixes for 64-bit compilation with MS Visual Studio
markrad 0:cdf462088d13 1583 * Fixed net_bind() for specified IP addresses on little endian systems
markrad 0:cdf462088d13 1584 * Fixed assembly code for ARM (Thumb and regular) for some compilers
markrad 0:cdf462088d13 1585
markrad 0:cdf462088d13 1586 Changes
markrad 0:cdf462088d13 1587 * Internally split up rsa_pkcs1_encrypt(), rsa_pkcs1_decrypt(),
markrad 0:cdf462088d13 1588 rsa_pkcs1_sign() and rsa_pkcs1_verify() to separate PKCS#1 v1.5 and
markrad 0:cdf462088d13 1589 PKCS#1 v2.1 functions
markrad 0:cdf462088d13 1590 * Added support for custom labels when using rsa_rsaes_oaep_encrypt()
markrad 0:cdf462088d13 1591 or rsa_rsaes_oaep_decrypt()
markrad 0:cdf462088d13 1592 * Re-added handling for SSLv2 Client Hello when the define
markrad 0:cdf462088d13 1593 POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO is set
markrad 0:cdf462088d13 1594 * The SSL session cache module (ssl_cache) now also retains peer_cert
markrad 0:cdf462088d13 1595 information (not the entire chain)
markrad 0:cdf462088d13 1596
markrad 0:cdf462088d13 1597 Security
markrad 0:cdf462088d13 1598 * Removed further timing differences during SSL message decryption in
markrad 0:cdf462088d13 1599 ssl_decrypt_buf()
markrad 0:cdf462088d13 1600 * Removed timing differences due to bad padding from
markrad 0:cdf462088d13 1601 rsa_rsaes_pkcs1_v15_decrypt() and rsa_pkcs1_decrypt() for PKCS#1 v1.5
markrad 0:cdf462088d13 1602 operations
markrad 0:cdf462088d13 1603
markrad 0:cdf462088d13 1604 = Version 1.2.5 released 2013-02-02
markrad 0:cdf462088d13 1605 Changes
markrad 0:cdf462088d13 1606 * Allow enabling of dummy error_strerror() to support some use-cases
markrad 0:cdf462088d13 1607 * Debug messages about padding errors during SSL message decryption are
Jasper Wallace 2:bbdeda018a3c 1608 disabled by default and can be enabled with POLARSSL_SSL_DEBUG_ALL
markrad 0:cdf462088d13 1609 * Sending of security-relevant alert messages that do not break
markrad 0:cdf462088d13 1610 interoperability can be switched on/off with the flag
markrad 0:cdf462088d13 1611 POLARSSL_SSL_ALL_ALERT_MESSAGES
markrad 0:cdf462088d13 1612
markrad 0:cdf462088d13 1613 Security
markrad 0:cdf462088d13 1614 * Removed timing differences during SSL message decryption in
markrad 0:cdf462088d13 1615 ssl_decrypt_buf() due to badly formatted padding
markrad 0:cdf462088d13 1616
markrad 0:cdf462088d13 1617 = Version 1.2.4 released 2013-01-25
markrad 0:cdf462088d13 1618 Changes
markrad 0:cdf462088d13 1619 * More advanced SSL ciphersuite representation and moved to more dynamic
markrad 0:cdf462088d13 1620 SSL core
markrad 0:cdf462088d13 1621 * Added ssl_handshake_step() to allow single stepping the handshake process
markrad 0:cdf462088d13 1622
markrad 0:cdf462088d13 1623 Bugfix
markrad 0:cdf462088d13 1624 * Memory leak when using RSA_PKCS_V21 operations fixed
markrad 0:cdf462088d13 1625 * Handle future version properly in ssl_write_certificate_request()
markrad 0:cdf462088d13 1626 * Correctly handle CertificateRequest message in client for <= TLS 1.1
markrad 0:cdf462088d13 1627 without DN list
markrad 0:cdf462088d13 1628
markrad 0:cdf462088d13 1629 = Version 1.2.3 released 2012-11-26
markrad 0:cdf462088d13 1630 Bugfix
markrad 0:cdf462088d13 1631 * Server not always sending correct CertificateRequest message
markrad 0:cdf462088d13 1632
markrad 0:cdf462088d13 1633 = Version 1.2.2 released 2012-11-24
markrad 0:cdf462088d13 1634 Changes
markrad 0:cdf462088d13 1635 * Added p_hw_data to ssl_context for context specific hardware acceleration
markrad 0:cdf462088d13 1636 data
Jasper Wallace 2:bbdeda018a3c 1637 * During verify trust-CA is only checked for expiration and CRL presence
markrad 0:cdf462088d13 1638
markrad 0:cdf462088d13 1639 Bugfixes
markrad 0:cdf462088d13 1640 * Fixed client authentication compatibility
markrad 0:cdf462088d13 1641 * Fixed dependency on POLARSSL_SHA4_C in SSL modules
markrad 0:cdf462088d13 1642
markrad 0:cdf462088d13 1643 = Version 1.2.1 released 2012-11-20
markrad 0:cdf462088d13 1644 Changes
markrad 0:cdf462088d13 1645 * Depth that the certificate verify callback receives is now numbered
markrad 0:cdf462088d13 1646 bottom-up (Peer cert depth is 0)
markrad 0:cdf462088d13 1647
markrad 0:cdf462088d13 1648 Bugfixes
markrad 0:cdf462088d13 1649 * Fixes for MSVC6
markrad 0:cdf462088d13 1650 * Moved mpi_inv_mod() outside POLARSSL_GENPRIME
markrad 0:cdf462088d13 1651 * Allow R and A to point to same mpi in mpi_div_mpi (found by Manuel
markrad 0:cdf462088d13 1652 Pégourié-Gonnard)
markrad 0:cdf462088d13 1653 * Fixed possible segfault in mpi_shift_r() (found by Manuel
markrad 0:cdf462088d13 1654 Pégourié-Gonnard)
markrad 0:cdf462088d13 1655 * Added max length check for rsa_pkcs1_sign with PKCS#1 v2.1
markrad 0:cdf462088d13 1656
markrad 0:cdf462088d13 1657 = Version 1.2.0 released 2012-10-31
markrad 0:cdf462088d13 1658 Features
markrad 0:cdf462088d13 1659 * Added support for NULL cipher (POLARSSL_CIPHER_NULL_CIPHER) and weak
markrad 0:cdf462088d13 1660 ciphersuites (POLARSSL_ENABLE_WEAK_CIPHERSUITES). They are disabled by
markrad 0:cdf462088d13 1661 default!
markrad 0:cdf462088d13 1662 * Added support for wildcard certificates
markrad 0:cdf462088d13 1663 * Added support for multi-domain certificates through the X509 Subject
markrad 0:cdf462088d13 1664 Alternative Name extension
markrad 0:cdf462088d13 1665 * Added preliminary ASN.1 buffer writing support
markrad 0:cdf462088d13 1666 * Added preliminary X509 Certificate Request writing support
markrad 0:cdf462088d13 1667 * Added key_app_writer example application
markrad 0:cdf462088d13 1668 * Added cert_req example application
markrad 0:cdf462088d13 1669 * Added base Galois Counter Mode (GCM) for AES
markrad 0:cdf462088d13 1670 * Added TLS 1.2 support (RFC 5246)
markrad 0:cdf462088d13 1671 * Added GCM suites to TLS 1.2 (RFC 5288)
markrad 0:cdf462088d13 1672 * Added commandline error code convertor (util/strerror)
markrad 0:cdf462088d13 1673 * Added support for Hardware Acceleration hooking in SSL/TLS
markrad 0:cdf462088d13 1674 * Added OpenSSL / PolarSSL compatibility script (tests/compat.sh) and
markrad 0:cdf462088d13 1675 example application (programs/ssl/o_p_test) (requires OpenSSL)
markrad 0:cdf462088d13 1676 * Added X509 CA Path support
markrad 0:cdf462088d13 1677 * Added Thumb assembly optimizations
markrad 0:cdf462088d13 1678 * Added DEFLATE compression support as per RFC3749 (requires zlib)
markrad 0:cdf462088d13 1679 * Added blowfish algorithm (Generic and cipher layer)
markrad 0:cdf462088d13 1680 * Added PKCS#5 PBKDF2 key derivation function
markrad 0:cdf462088d13 1681 * Added Secure Renegotiation (RFC 5746)
markrad 0:cdf462088d13 1682 * Added predefined DHM groups from RFC 5114
markrad 0:cdf462088d13 1683 * Added simple SSL session cache implementation
markrad 0:cdf462088d13 1684 * Added ServerName extension parsing (SNI) at server side
markrad 0:cdf462088d13 1685 * Added option to add minimum accepted SSL/TLS protocol version
markrad 0:cdf462088d13 1686
markrad 0:cdf462088d13 1687 Changes
markrad 0:cdf462088d13 1688 * Removed redundant POLARSSL_DEBUG_MSG define
markrad 0:cdf462088d13 1689 * AES code only check for Padlock once
markrad 0:cdf462088d13 1690 * Fixed const-correctness mpi_get_bit()
markrad 0:cdf462088d13 1691 * Documentation for mpi_lsb() and mpi_msb()
markrad 0:cdf462088d13 1692 * Moved out_msg to out_hdr + 32 to support hardware acceleration
markrad 0:cdf462088d13 1693 * Changed certificate verify behaviour to comply with RFC 6125 section 6.3
markrad 0:cdf462088d13 1694 to not match CN if subjectAltName extension is present (Closes ticket #56)
markrad 0:cdf462088d13 1695 * Cipher layer cipher_mode_t POLARSSL_MODE_CFB128 is renamed to
markrad 0:cdf462088d13 1696 POLARSSL_MODE_CFB, to also handle different block size CFB modes.
markrad 0:cdf462088d13 1697 * Removed handling for SSLv2 Client Hello (as per RFC 5246 recommendation)
markrad 0:cdf462088d13 1698 * Revamped session resumption handling
markrad 0:cdf462088d13 1699 * Generalized external private key implementation handling (like PKCS#11)
markrad 0:cdf462088d13 1700 in SSL/TLS
markrad 0:cdf462088d13 1701 * Revamped x509_verify() and the SSL f_vrfy callback implementations
markrad 0:cdf462088d13 1702 * Moved from unsigned long to fixed width uint32_t types throughout code
markrad 0:cdf462088d13 1703 * Renamed ciphersuites naming scheme to IANA reserved names
markrad 0:cdf462088d13 1704
markrad 0:cdf462088d13 1705 Bugfix
markrad 0:cdf462088d13 1706 * Fixed handling error in mpi_cmp_mpi() on longer B values (found by
markrad 0:cdf462088d13 1707 Hui Dong)
markrad 0:cdf462088d13 1708 * Fixed potential heap corruption in x509_name allocation
markrad 0:cdf462088d13 1709 * Fixed single RSA test that failed on Big Endian systems (Closes ticket #54)
markrad 0:cdf462088d13 1710 * mpi_exp_mod() now correctly handles negative base numbers (Closes ticket
markrad 0:cdf462088d13 1711 #52)
markrad 0:cdf462088d13 1712 * Handle encryption with private key and decryption with public key as per
markrad 0:cdf462088d13 1713 RFC 2313
markrad 0:cdf462088d13 1714 * Handle empty certificate subject names
markrad 0:cdf462088d13 1715 * Prevent reading over buffer boundaries on X509 certificate parsing
markrad 0:cdf462088d13 1716 * mpi_add_abs() now correctly handles adding short numbers to long numbers
markrad 0:cdf462088d13 1717 with carry rollover (found by Ruslan Yushchenko)
markrad 0:cdf462088d13 1718 * Handle existence of OpenSSL Trust Extensions at end of X.509 DER blob
markrad 0:cdf462088d13 1719 * Fixed MPI assembly for SPARC64 platform
markrad 0:cdf462088d13 1720
markrad 0:cdf462088d13 1721 Security
markrad 0:cdf462088d13 1722 * Fixed potential memory zeroization on miscrafted RSA key (found by Eloi
markrad 0:cdf462088d13 1723 Vanderbeken)
markrad 0:cdf462088d13 1724
markrad 0:cdf462088d13 1725 = Version 1.1.8 released on 2013-10-01
markrad 0:cdf462088d13 1726 Bugfix
markrad 0:cdf462088d13 1727 * Fixed potential memory leak when failing to resume a session
markrad 0:cdf462088d13 1728 * Fixed potential file descriptor leaks
markrad 0:cdf462088d13 1729
markrad 0:cdf462088d13 1730 Security
markrad 0:cdf462088d13 1731 * Potential buffer-overflow for ssl_read_record() (independently found by
markrad 0:cdf462088d13 1732 both TrustInSoft and Paul Brodeur of Leviathan Security Group)
markrad 0:cdf462088d13 1733 * Potential negative value misinterpretation in load_file()
markrad 0:cdf462088d13 1734 * Potential heap buffer overflow on large hostname setting
markrad 0:cdf462088d13 1735
markrad 0:cdf462088d13 1736 = Version 1.1.7 released on 2013-06-19
markrad 0:cdf462088d13 1737 Changes
markrad 0:cdf462088d13 1738 * HAVEGE random generator disabled by default
markrad 0:cdf462088d13 1739
markrad 0:cdf462088d13 1740 Bugfix
markrad 0:cdf462088d13 1741 * x509parse_crt() now better handles PEM error situations
markrad 0:cdf462088d13 1742 * ssl_parse_certificate() now calls x509parse_crt_der() directly
markrad 0:cdf462088d13 1743 instead of the x509parse_crt() wrapper that can also parse PEM
markrad 0:cdf462088d13 1744 certificates
markrad 0:cdf462088d13 1745 * Fixed values for 2-key Triple DES in cipher layer
markrad 0:cdf462088d13 1746 * ssl_write_certificate_request() can handle empty ca_chain
markrad 0:cdf462088d13 1747
markrad 0:cdf462088d13 1748 Security
markrad 0:cdf462088d13 1749 * A possible DoS during the SSL Handshake, due to faulty parsing of
markrad 0:cdf462088d13 1750 PEM-encoded certificates has been fixed (found by Jack Lloyd)
markrad 0:cdf462088d13 1751
markrad 0:cdf462088d13 1752 = Version 1.1.6 released on 2013-03-11
markrad 0:cdf462088d13 1753 Bugfix
markrad 0:cdf462088d13 1754 * Fixed net_bind() for specified IP addresses on little endian systems
markrad 0:cdf462088d13 1755
markrad 0:cdf462088d13 1756 Changes
markrad 0:cdf462088d13 1757 * Allow enabling of dummy error_strerror() to support some use-cases
markrad 0:cdf462088d13 1758 * Debug messages about padding errors during SSL message decryption are
markrad 0:cdf462088d13 1759 disabled by default and can be enabled with POLARSSL_SSL_DEBUG_ALL
markrad 0:cdf462088d13 1760
markrad 0:cdf462088d13 1761 Security
markrad 0:cdf462088d13 1762 * Removed timing differences during SSL message decryption in
markrad 0:cdf462088d13 1763 ssl_decrypt_buf()
markrad 0:cdf462088d13 1764 * Removed timing differences due to bad padding from
markrad 0:cdf462088d13 1765 rsa_rsaes_pkcs1_v15_decrypt() and rsa_pkcs1_decrypt() for PKCS#1 v1.5
markrad 0:cdf462088d13 1766 operations
markrad 0:cdf462088d13 1767
markrad 0:cdf462088d13 1768 = Version 1.1.5 released on 2013-01-16
markrad 0:cdf462088d13 1769 Bugfix
markrad 0:cdf462088d13 1770 * Fixed MPI assembly for SPARC64 platform
markrad 0:cdf462088d13 1771 * Handle existence of OpenSSL Trust Extensions at end of X.509 DER blob
markrad 0:cdf462088d13 1772 * mpi_add_abs() now correctly handles adding short numbers to long numbers
markrad 0:cdf462088d13 1773 with carry rollover
markrad 0:cdf462088d13 1774 * Moved mpi_inv_mod() outside POLARSSL_GENPRIME
markrad 0:cdf462088d13 1775 * Prevent reading over buffer boundaries on X509 certificate parsing
markrad 0:cdf462088d13 1776 * mpi_exp_mod() now correctly handles negative base numbers (Closes ticket
markrad 0:cdf462088d13 1777 #52)
markrad 0:cdf462088d13 1778 * Fixed possible segfault in mpi_shift_r() (found by Manuel
markrad 0:cdf462088d13 1779 Pégourié-Gonnard)
markrad 0:cdf462088d13 1780 * Allow R and A to point to same mpi in mpi_div_mpi (found by Manuel
markrad 0:cdf462088d13 1781 Pégourié-Gonnard)
markrad 0:cdf462088d13 1782 * Added max length check for rsa_pkcs1_sign with PKCS#1 v2.1
markrad 0:cdf462088d13 1783 * Memory leak when using RSA_PKCS_V21 operations fixed
markrad 0:cdf462088d13 1784 * Handle encryption with private key and decryption with public key as per
markrad 0:cdf462088d13 1785 RFC 2313
markrad 0:cdf462088d13 1786 * Fixes for MSVC6
markrad 0:cdf462088d13 1787
markrad 0:cdf462088d13 1788 Security
markrad 0:cdf462088d13 1789 * Fixed potential memory zeroization on miscrafted RSA key (found by Eloi
markrad 0:cdf462088d13 1790 Vanderbeken)
markrad 0:cdf462088d13 1791
markrad 0:cdf462088d13 1792 = Version 1.1.4 released on 2012-05-31
markrad 0:cdf462088d13 1793 Bugfix
markrad 0:cdf462088d13 1794 * Correctly handle empty SSL/TLS packets (Found by James Yonan)
markrad 0:cdf462088d13 1795 * Fixed potential heap corruption in x509_name allocation
markrad 0:cdf462088d13 1796 * Fixed single RSA test that failed on Big Endian systems (Closes ticket #54)
markrad 0:cdf462088d13 1797
markrad 0:cdf462088d13 1798 = Version 1.1.3 released on 2012-04-29
markrad 0:cdf462088d13 1799 Bugfix
markrad 0:cdf462088d13 1800 * Fixed random MPI generation to not generate more size than requested.
markrad 0:cdf462088d13 1801
markrad 0:cdf462088d13 1802 = Version 1.1.2 released on 2012-04-26
markrad 0:cdf462088d13 1803 Bugfix
markrad 0:cdf462088d13 1804 * Fixed handling error in mpi_cmp_mpi() on longer B values (found by
markrad 0:cdf462088d13 1805 Hui Dong)
markrad 0:cdf462088d13 1806
markrad 0:cdf462088d13 1807 Security
markrad 0:cdf462088d13 1808 * Fixed potential memory corruption on miscrafted client messages (found by
markrad 0:cdf462088d13 1809 Frama-C team at CEA LIST)
markrad 0:cdf462088d13 1810 * Fixed generation of DHM parameters to correct length (found by Ruslan
markrad 0:cdf462088d13 1811 Yushchenko)
markrad 0:cdf462088d13 1812
markrad 0:cdf462088d13 1813 = Version 1.1.1 released on 2012-01-23
markrad 0:cdf462088d13 1814 Bugfix
markrad 0:cdf462088d13 1815 * Check for failed malloc() in ssl_set_hostname() and x509_get_entries()
markrad 0:cdf462088d13 1816 (Closes ticket #47, found by Hugo Leisink)
markrad 0:cdf462088d13 1817 * Fixed issues with Intel compiler on 64-bit systems (Closes ticket #50)
markrad 0:cdf462088d13 1818 * Fixed multiple compiler warnings for VS6 and armcc
markrad 0:cdf462088d13 1819 * Fixed bug in CTR_CRBG selftest
markrad 0:cdf462088d13 1820
markrad 0:cdf462088d13 1821 = Version 1.1.0 released on 2011-12-22
markrad 0:cdf462088d13 1822 Features
markrad 0:cdf462088d13 1823 * Added ssl_session_reset() to allow better multi-connection pools of
markrad 0:cdf462088d13 1824 SSL contexts without needing to set all non-connection-specific
markrad 0:cdf462088d13 1825 data and pointers again. Adapted ssl_server to use this functionality.
markrad 0:cdf462088d13 1826 * Added ssl_set_max_version() to allow clients to offer a lower maximum
markrad 0:cdf462088d13 1827 supported version to a server to help buggy server implementations.
markrad 0:cdf462088d13 1828 (Closes ticket #36)
markrad 0:cdf462088d13 1829 * Added cipher_get_cipher_mode() and cipher_get_cipher_operation()
markrad 0:cdf462088d13 1830 introspection functions (Closes ticket #40)
markrad 0:cdf462088d13 1831 * Added CTR_DRBG based on AES-256-CTR (NIST SP 800-90) random generator
markrad 0:cdf462088d13 1832 * Added a generic entropy accumulator that provides support for adding
markrad 0:cdf462088d13 1833 custom entropy sources and added some generic and platform dependent
markrad 0:cdf462088d13 1834 entropy sources
markrad 0:cdf462088d13 1835
markrad 0:cdf462088d13 1836 Changes
markrad 0:cdf462088d13 1837 * Documentation for AES and Camellia in modes CTR and CFB128 clarified.
markrad 0:cdf462088d13 1838 * Fixed rsa_encrypt and rsa_decrypt examples to use public key for
markrad 0:cdf462088d13 1839 encryption and private key for decryption. (Closes ticket #34)
markrad 0:cdf462088d13 1840 * Inceased maximum size of ASN1 length reads to 32-bits.
markrad 0:cdf462088d13 1841 * Added an EXPLICIT tag number parameter to x509_get_ext()
markrad 0:cdf462088d13 1842 * Added a separate CRL entry extension parsing function
markrad 0:cdf462088d13 1843 * Separated the ASN.1 parsing code from the X.509 specific parsing code.
markrad 0:cdf462088d13 1844 So now there is a module that is controlled with POLARSSL_ASN1_PARSE_C.
markrad 0:cdf462088d13 1845 * Changed the defined key-length of DES ciphers in cipher.h to include the
markrad 0:cdf462088d13 1846 parity bits, to prevent mistakes in copying data. (Closes ticket #33)
markrad 0:cdf462088d13 1847 * Loads of minimal changes to better support WINCE as a build target
markrad 0:cdf462088d13 1848 (Credits go to Marco Lizza)
markrad 0:cdf462088d13 1849 * Added POLARSSL_MPI_WINDOW_SIZE definition to allow easier time to memory
markrad 0:cdf462088d13 1850 trade-off
markrad 0:cdf462088d13 1851 * Introduced POLARSSL_MPI_MAX_SIZE and POLARSSL_MPI_MAX_BITS for MPI size
markrad 0:cdf462088d13 1852 management (Closes ticket #44)
markrad 0:cdf462088d13 1853 * Changed the used random function pointer to more flexible format. Renamed
markrad 0:cdf462088d13 1854 havege_rand() to havege_random() to prevent mistakes. Lots of changes as
markrad 0:cdf462088d13 1855 a consequence in library code and programs
markrad 0:cdf462088d13 1856 * Moved all examples programs to use the new entropy and CTR_DRBG
markrad 0:cdf462088d13 1857 * Added permissive certificate parsing to x509parse_crt() and
markrad 0:cdf462088d13 1858 x509parse_crtfile(). With permissive parsing the parsing does not stop on
markrad 0:cdf462088d13 1859 encountering a parse-error. Beware that the meaning of return values has
markrad 0:cdf462088d13 1860 changed!
markrad 0:cdf462088d13 1861 * All error codes are now negative. Even on mermory failures and IO errors.
markrad 0:cdf462088d13 1862
markrad 0:cdf462088d13 1863 Bugfix
markrad 0:cdf462088d13 1864 * Fixed faulty HMAC-MD2 implementation. Found by dibac. (Closes
markrad 0:cdf462088d13 1865 ticket #37)
markrad 0:cdf462088d13 1866 * Fixed a bug where the CRL parser expected an EXPLICIT ASN.1 tag
markrad 0:cdf462088d13 1867 before version numbers
markrad 0:cdf462088d13 1868 * Allowed X509 key usage parsing to accept 4 byte values instead of the
markrad 0:cdf462088d13 1869 standard 1 byte version sometimes used by Microsoft. (Closes ticket #38)
markrad 0:cdf462088d13 1870 * Fixed incorrect behaviour in case of RSASSA-PSS with a salt length
markrad 0:cdf462088d13 1871 smaller than the hash length. (Closes ticket #41)
markrad 0:cdf462088d13 1872 * If certificate serial is longer than 32 octets, serial number is now
markrad 0:cdf462088d13 1873 appended with '....' after first 28 octets
markrad 0:cdf462088d13 1874 * Improved build support for s390x and sparc64 in bignum.h
markrad 0:cdf462088d13 1875 * Fixed MS Visual C++ name clash with int64 in sha4.h
markrad 0:cdf462088d13 1876 * Corrected removal of leading "00:" in printing serial numbers in
markrad 0:cdf462088d13 1877 certificates and CRLs
markrad 0:cdf462088d13 1878
markrad 0:cdf462088d13 1879 = Version 1.0.0 released on 2011-07-27
markrad 0:cdf462088d13 1880 Features
markrad 0:cdf462088d13 1881 * Expanded cipher layer with support for CFB128 and CTR mode
markrad 0:cdf462088d13 1882 * Added rsa_encrypt and rsa_decrypt simple example programs.
markrad 0:cdf462088d13 1883
markrad 0:cdf462088d13 1884 Changes
markrad 0:cdf462088d13 1885 * The generic cipher and message digest layer now have normal error
markrad 0:cdf462088d13 1886 codes instead of integers
markrad 0:cdf462088d13 1887
markrad 0:cdf462088d13 1888 Bugfix
markrad 0:cdf462088d13 1889 * Undid faulty bug fix in ssl_write() when flushing old data (Ticket
markrad 0:cdf462088d13 1890 #18)
markrad 0:cdf462088d13 1891
markrad 0:cdf462088d13 1892 = Version 0.99-pre5 released on 2011-05-26
markrad 0:cdf462088d13 1893 Features
markrad 0:cdf462088d13 1894 * Added additional Cipher Block Modes to symmetric ciphers
markrad 0:cdf462088d13 1895 (AES CTR, Camellia CTR, XTEA CBC) including the option to
markrad 0:cdf462088d13 1896 enable and disable individual modes when needed
markrad 0:cdf462088d13 1897 * Functions requiring File System functions can now be disabled
markrad 0:cdf462088d13 1898 by undefining POLARSSL_FS_IO
markrad 0:cdf462088d13 1899 * A error_strerror function() has been added to translate between
markrad 0:cdf462088d13 1900 error codes and their description.
markrad 0:cdf462088d13 1901 * Added mpi_get_bit() and mpi_set_bit() individual bit setter/getter
markrad 0:cdf462088d13 1902 functions.
markrad 0:cdf462088d13 1903 * Added ssl_mail_client and ssl_fork_server as example programs.
markrad 0:cdf462088d13 1904
markrad 0:cdf462088d13 1905 Changes
markrad 0:cdf462088d13 1906 * Major argument / variable rewrite. Introduced use of size_t
markrad 0:cdf462088d13 1907 instead of int for buffer lengths and loop variables for
markrad 0:cdf462088d13 1908 better unsigned / signed use. Renamed internal bigint types
markrad 0:cdf462088d13 1909 t_int and t_dbl to t_uint and t_udbl in the process
markrad 0:cdf462088d13 1910 * mpi_init() and mpi_free() now only accept a single MPI
markrad 0:cdf462088d13 1911 argument and do not accept variable argument lists anymore.
markrad 0:cdf462088d13 1912 * The error codes have been remapped and combining error codes
markrad 0:cdf462088d13 1913 is now done with a PLUS instead of an OR as error codes
markrad 0:cdf462088d13 1914 used are negative.
markrad 0:cdf462088d13 1915 * Changed behaviour of net_read(), ssl_fetch_input() and ssl_recv().
markrad 0:cdf462088d13 1916 net_recv() now returns 0 on EOF instead of
markrad 0:cdf462088d13 1917 POLARSSL_ERR_NET_CONN_RESET. ssl_fetch_input() returns
markrad 0:cdf462088d13 1918 POLARSSL_ERR_SSL_CONN_EOF on an EOF from its f_recv() function.
markrad 0:cdf462088d13 1919 ssl_read() returns 0 if a POLARSSL_ERR_SSL_CONN_EOF is received
markrad 0:cdf462088d13 1920 after the handshake.
markrad 0:cdf462088d13 1921 * Network functions now return POLARSSL_ERR_NET_WANT_READ or
markrad 0:cdf462088d13 1922 POLARSSL_ERR_NET_WANT_WRITE instead of the ambiguous
markrad 0:cdf462088d13 1923 POLARSSL_ERR_NET_TRY_AGAIN
markrad 0:cdf462088d13 1924
markrad 0:cdf462088d13 1925 = Version 0.99-pre4 released on 2011-04-01
markrad 0:cdf462088d13 1926 Features
markrad 0:cdf462088d13 1927 * Added support for PKCS#1 v2.1 encoding and thus support
markrad 0:cdf462088d13 1928 for the RSAES-OAEP and RSASSA-PSS operations.
markrad 0:cdf462088d13 1929 * Reading of Public Key files incorporated into default x509
markrad 0:cdf462088d13 1930 functionality as well.
markrad 0:cdf462088d13 1931 * Added mpi_fill_random() for centralized filling of big numbers
markrad 0:cdf462088d13 1932 with random data (Fixed ticket #10)
markrad 0:cdf462088d13 1933
markrad 0:cdf462088d13 1934 Changes
Jasper Wallace 2:bbdeda018a3c 1935 * Debug print of MPI now removes leading zero octets and
markrad 0:cdf462088d13 1936 displays actual bit size of the value.
Jasper Wallace 2:bbdeda018a3c 1937 * x509parse_key() (and as a consequence x509parse_keyfile())
markrad 0:cdf462088d13 1938 does not zeroize memory in advance anymore. Use rsa_init()
markrad 0:cdf462088d13 1939 before parsing a key or keyfile!
markrad 0:cdf462088d13 1940
markrad 0:cdf462088d13 1941 Bugfix
markrad 0:cdf462088d13 1942 * Debug output of MPI's now the same independent of underlying
markrad 0:cdf462088d13 1943 platform (32-bit / 64-bit) (Fixes ticket #19, found by Mads
markrad 0:cdf462088d13 1944 Kiilerich and Mihai Militaru)
markrad 0:cdf462088d13 1945 * Fixed bug in ssl_write() when flushing old data (Fixed ticket
markrad 0:cdf462088d13 1946 #18, found by Nikolay Epifanov)
markrad 0:cdf462088d13 1947 * Fixed proper handling of RSASSA-PSS verification with variable
markrad 0:cdf462088d13 1948 length salt lengths
markrad 0:cdf462088d13 1949
markrad 0:cdf462088d13 1950 = Version 0.99-pre3 released on 2011-02-28
markrad 0:cdf462088d13 1951 This release replaces version 0.99-pre2 which had possible copyright issues.
markrad 0:cdf462088d13 1952 Features
markrad 0:cdf462088d13 1953 * Parsing PEM private keys encrypted with DES and AES
markrad 0:cdf462088d13 1954 are now supported as well (Fixes ticket #5)
markrad 0:cdf462088d13 1955 * Added crl_app program to allow easy reading and
markrad 0:cdf462088d13 1956 printing of X509 CRLs from file
markrad 0:cdf462088d13 1957
markrad 0:cdf462088d13 1958 Changes
Jasper Wallace 2:bbdeda018a3c 1959 * Parsing of PEM files moved to separate module (Fixes
markrad 0:cdf462088d13 1960 ticket #13). Also possible to remove PEM support for
markrad 0:cdf462088d13 1961 systems only using DER encoding
markrad 0:cdf462088d13 1962
markrad 0:cdf462088d13 1963 Bugfixes
markrad 0:cdf462088d13 1964 * Corrected parsing of UTCTime dates before 1990 and
markrad 0:cdf462088d13 1965 after 1950
markrad 0:cdf462088d13 1966 * Support more exotic OID's when parsing certificates
markrad 0:cdf462088d13 1967 (found by Mads Kiilerich)
markrad 0:cdf462088d13 1968 * Support more exotic name representations when parsing
markrad 0:cdf462088d13 1969 certificates (found by Mads Kiilerich)
markrad 0:cdf462088d13 1970 * Replaced the expired test certificates
markrad 0:cdf462088d13 1971 * Do not bail out if no client certificate specified. Try
markrad 0:cdf462088d13 1972 to negotiate anonymous connection (Fixes ticket #12,
markrad 0:cdf462088d13 1973 found by Boris Krasnovskiy)
markrad 0:cdf462088d13 1974
markrad 0:cdf462088d13 1975 Security fixes
markrad 0:cdf462088d13 1976 * Fixed a possible Man-in-the-Middle attack on the
markrad 0:cdf462088d13 1977 Diffie Hellman key exchange (thanks to Larry Highsmith,
markrad 0:cdf462088d13 1978 Subreption LLC)
markrad 0:cdf462088d13 1979
markrad 0:cdf462088d13 1980 = Version 0.99-pre1 released on 2011-01-30
markrad 0:cdf462088d13 1981 Features
markrad 0:cdf462088d13 1982 Note: Most of these features have been donated by Fox-IT
markrad 0:cdf462088d13 1983 * Added Doxygen source code documentation parts
markrad 0:cdf462088d13 1984 * Added reading of DHM context from memory and file
markrad 0:cdf462088d13 1985 * Improved X509 certificate parsing to include extended
markrad 0:cdf462088d13 1986 certificate fields, including Key Usage
markrad 0:cdf462088d13 1987 * Improved certificate verification and verification
markrad 0:cdf462088d13 1988 against the available CRLs
markrad 0:cdf462088d13 1989 * Detection for DES weak keys and parity bits added
markrad 0:cdf462088d13 1990 * Improvements to support integration in other
markrad 0:cdf462088d13 1991 applications:
markrad 0:cdf462088d13 1992 + Added generic message digest and cipher wrapper
markrad 0:cdf462088d13 1993 + Improved information about current capabilities,
markrad 0:cdf462088d13 1994 status, objects and configuration
markrad 0:cdf462088d13 1995 + Added verification callback on certificate chain
markrad 0:cdf462088d13 1996 verification to allow external blacklisting
markrad 0:cdf462088d13 1997 + Additional example programs to show usage
markrad 0:cdf462088d13 1998 * Added support for PKCS#11 through the use of the
markrad 0:cdf462088d13 1999 libpkcs11-helper library
markrad 0:cdf462088d13 2000
markrad 0:cdf462088d13 2001 Changes
markrad 0:cdf462088d13 2002 * x509parse_time_expired() checks time in addition to
markrad 0:cdf462088d13 2003 the existing date check
markrad 0:cdf462088d13 2004 * The ciphers member of ssl_context and the cipher member
markrad 0:cdf462088d13 2005 of ssl_session have been renamed to ciphersuites and
markrad 0:cdf462088d13 2006 ciphersuite respectively. This clarifies the difference
markrad 0:cdf462088d13 2007 with the generic cipher layer and is better naming
markrad 0:cdf462088d13 2008 altogether
markrad 0:cdf462088d13 2009
markrad 0:cdf462088d13 2010 = Version 0.14.0 released on 2010-08-16
markrad 0:cdf462088d13 2011 Features
markrad 0:cdf462088d13 2012 * Added support for SSL_EDH_RSA_AES_128_SHA and
markrad 0:cdf462088d13 2013 SSL_EDH_RSA_CAMELLIA_128_SHA ciphersuites
markrad 0:cdf462088d13 2014 * Added compile-time and run-time version information
markrad 0:cdf462088d13 2015 * Expanded ssl_client2 arguments for more flexibility
markrad 0:cdf462088d13 2016 * Added support for TLS v1.1
markrad 0:cdf462088d13 2017
markrad 0:cdf462088d13 2018 Changes
markrad 0:cdf462088d13 2019 * Made Makefile cleaner
markrad 0:cdf462088d13 2020 * Removed dependency on rand() in rsa_pkcs1_encrypt().
markrad 0:cdf462088d13 2021 Now using random fuction provided to function and
markrad 0:cdf462088d13 2022 changed the prototype of rsa_pkcs1_encrypt(),
markrad 0:cdf462088d13 2023 rsa_init() and rsa_gen_key().
markrad 0:cdf462088d13 2024 * Some SSL defines were renamed in order to avoid
markrad 0:cdf462088d13 2025 future confusion
markrad 0:cdf462088d13 2026
markrad 0:cdf462088d13 2027 Bug fixes
markrad 0:cdf462088d13 2028 * Fixed CMake out of source build for tests (found by
markrad 0:cdf462088d13 2029 kkert)
markrad 0:cdf462088d13 2030 * rsa_check_private() now supports PKCS1v2 keys as well
markrad 0:cdf462088d13 2031 * Fixed deadlock in rsa_pkcs1_encrypt() on failing random
markrad 0:cdf462088d13 2032 generator
markrad 0:cdf462088d13 2033
markrad 0:cdf462088d13 2034 = Version 0.13.1 released on 2010-03-24
markrad 0:cdf462088d13 2035 Bug fixes
markrad 0:cdf462088d13 2036 * Fixed Makefile in library that was mistakenly merged
markrad 0:cdf462088d13 2037 * Added missing const string fixes
markrad 0:cdf462088d13 2038
markrad 0:cdf462088d13 2039 = Version 0.13.0 released on 2010-03-21
markrad 0:cdf462088d13 2040 Features
markrad 0:cdf462088d13 2041 * Added option parsing for host and port selection to
markrad 0:cdf462088d13 2042 ssl_client2
markrad 0:cdf462088d13 2043 * Added support for GeneralizedTime in X509 parsing
markrad 0:cdf462088d13 2044 * Added cert_app program to allow easy reading and
markrad 0:cdf462088d13 2045 printing of X509 certificates from file or SSL
markrad 0:cdf462088d13 2046 connection.
markrad 0:cdf462088d13 2047
markrad 0:cdf462088d13 2048 Changes
markrad 0:cdf462088d13 2049 * Added const correctness for main code base
markrad 0:cdf462088d13 2050 * X509 signature algorithm determination is now
markrad 0:cdf462088d13 2051 in a function to allow easy future expansion
markrad 0:cdf462088d13 2052 * Changed symmetric cipher functions to
markrad 0:cdf462088d13 2053 identical interface (returning int result values)
markrad 0:cdf462088d13 2054 * Changed ARC4 to use separate input/output buffer
markrad 0:cdf462088d13 2055 * Added reset function for HMAC context as speed-up
markrad 0:cdf462088d13 2056 for specific use-cases
markrad 0:cdf462088d13 2057
markrad 0:cdf462088d13 2058 Bug fixes
markrad 0:cdf462088d13 2059 * Fixed bug resulting in failure to send the last
markrad 0:cdf462088d13 2060 certificate in the chain in ssl_write_certificate() and
markrad 0:cdf462088d13 2061 ssl_write_certificate_request() (found by fatbob)
markrad 0:cdf462088d13 2062 * Added small fixes for compiler warnings on a Mac
markrad 0:cdf462088d13 2063 (found by Frank de Brabander)
markrad 0:cdf462088d13 2064 * Fixed algorithmic bug in mpi_is_prime() (found by
markrad 0:cdf462088d13 2065 Smbat Tonoyan)
markrad 0:cdf462088d13 2066
markrad 0:cdf462088d13 2067 = Version 0.12.1 released on 2009-10-04
markrad 0:cdf462088d13 2068 Changes
markrad 0:cdf462088d13 2069 * Coverage test definitions now support 'depends_on'
markrad 0:cdf462088d13 2070 tagging system.
markrad 0:cdf462088d13 2071 * Tests requiring specific hashing algorithms now honor
markrad 0:cdf462088d13 2072 the defines.
markrad 0:cdf462088d13 2073
markrad 0:cdf462088d13 2074 Bug fixes
markrad 0:cdf462088d13 2075 * Changed typo in #ifdef in x509parse.c (found
markrad 0:cdf462088d13 2076 by Eduardo)
markrad 0:cdf462088d13 2077
markrad 0:cdf462088d13 2078 = Version 0.12.0 released on 2009-07-28
markrad 0:cdf462088d13 2079 Features
markrad 0:cdf462088d13 2080 * Added CMake makefiles as alternative to regular Makefiles.
markrad 0:cdf462088d13 2081 * Added preliminary Code Coverage tests for AES, ARC4,
markrad 0:cdf462088d13 2082 Base64, MPI, SHA-family, MD-family, HMAC-SHA-family,
markrad 0:cdf462088d13 2083 Camellia, DES, 3-DES, RSA PKCS#1, XTEA, Diffie-Hellman
markrad 0:cdf462088d13 2084 and X509parse.
markrad 0:cdf462088d13 2085
markrad 0:cdf462088d13 2086 Changes
markrad 0:cdf462088d13 2087 * Error codes are not (necessarily) negative. Keep
markrad 0:cdf462088d13 2088 this is mind when checking for errors.
markrad 0:cdf462088d13 2089 * RSA_RAW renamed to SIG_RSA_RAW for consistency.
markrad 0:cdf462088d13 2090 * Fixed typo in name of POLARSSL_ERR_RSA_OUTPUT_TOO_LARGE.
markrad 0:cdf462088d13 2091 * Changed interface for AES and Camellia setkey functions
markrad 0:cdf462088d13 2092 to indicate invalid key lengths.
markrad 0:cdf462088d13 2093
markrad 0:cdf462088d13 2094 Bug fixes
markrad 0:cdf462088d13 2095 * Fixed include location of endian.h on FreeBSD (found by
markrad 0:cdf462088d13 2096 Gabriel)
markrad 0:cdf462088d13 2097 * Fixed include location of endian.h and name clash on
markrad 0:cdf462088d13 2098 Apples (found by Martin van Hensbergen)
markrad 0:cdf462088d13 2099 * Fixed HMAC-MD2 by modifying md2_starts(), so that the
markrad 0:cdf462088d13 2100 required HMAC ipad and opad variables are not cleared.
markrad 0:cdf462088d13 2101 (found by code coverage tests)
Jasper Wallace 2:bbdeda018a3c 2102 * Prevented use of long long in bignum if
markrad 0:cdf462088d13 2103 POLARSSL_HAVE_LONGLONG not defined (found by Giles
markrad 0:cdf462088d13 2104 Bathgate).
markrad 0:cdf462088d13 2105 * Fixed incorrect handling of negative strings in
markrad 0:cdf462088d13 2106 mpi_read_string() (found by code coverage tests).
markrad 0:cdf462088d13 2107 * Fixed segfault on handling empty rsa_context in
markrad 0:cdf462088d13 2108 rsa_check_pubkey() and rsa_check_privkey() (found by
markrad 0:cdf462088d13 2109 code coverage tests).
markrad 0:cdf462088d13 2110 * Fixed incorrect handling of one single negative input
markrad 0:cdf462088d13 2111 value in mpi_add_abs() (found by code coverage tests).
markrad 0:cdf462088d13 2112 * Fixed incorrect handling of negative first input
markrad 0:cdf462088d13 2113 value in mpi_sub_abs() (found by code coverage tests).
markrad 0:cdf462088d13 2114 * Fixed incorrect handling of negative first input
markrad 0:cdf462088d13 2115 value in mpi_mod_mpi() and mpi_mod_int(). Resulting
markrad 0:cdf462088d13 2116 change also affects mpi_write_string() (found by code
markrad 0:cdf462088d13 2117 coverage tests).
markrad 0:cdf462088d13 2118 * Corrected is_prime() results for 0, 1 and 2 (found by
markrad 0:cdf462088d13 2119 code coverage tests).
markrad 0:cdf462088d13 2120 * Fixed Camellia and XTEA for 64-bit Windows systems.
markrad 0:cdf462088d13 2121
markrad 0:cdf462088d13 2122 = Version 0.11.1 released on 2009-05-17
markrad 0:cdf462088d13 2123 * Fixed missing functionality for SHA-224, SHA-256, SHA384,
markrad 0:cdf462088d13 2124 SHA-512 in rsa_pkcs1_sign()
markrad 0:cdf462088d13 2125
markrad 0:cdf462088d13 2126 = Version 0.11.0 released on 2009-05-03
markrad 0:cdf462088d13 2127 * Fixed a bug in mpi_gcd() so that it also works when both
markrad 0:cdf462088d13 2128 input numbers are even and added testcases to check
markrad 0:cdf462088d13 2129 (found by Pierre Habouzit).
markrad 0:cdf462088d13 2130 * Added support for SHA-224, SHA-256, SHA-384 and SHA-512
markrad 0:cdf462088d13 2131 one way hash functions with the PKCS#1 v1.5 signing and
markrad 0:cdf462088d13 2132 verification.
markrad 0:cdf462088d13 2133 * Fixed minor bug regarding mpi_gcd located within the
markrad 0:cdf462088d13 2134 POLARSSL_GENPRIME block.
markrad 0:cdf462088d13 2135 * Fixed minor memory leak in x509parse_crt() and added better
markrad 0:cdf462088d13 2136 handling of 'full' certificate chains (found by Mathias
markrad 0:cdf462088d13 2137 Olsson).
markrad 0:cdf462088d13 2138 * Centralized file opening and reading for x509 files into
markrad 0:cdf462088d13 2139 load_file()
markrad 0:cdf462088d13 2140 * Made definition of net_htons() endian-clean for big endian
markrad 0:cdf462088d13 2141 systems (Found by Gernot).
markrad 0:cdf462088d13 2142 * Undefining POLARSSL_HAVE_ASM now also handles prevents asm in
Jasper Wallace 2:bbdeda018a3c 2143 padlock and timing code.
markrad 0:cdf462088d13 2144 * Fixed an off-by-one buffer allocation in ssl_set_hostname()
markrad 0:cdf462088d13 2145 responsible for crashes and unwanted behaviour.
markrad 0:cdf462088d13 2146 * Added support for Certificate Revocation List (CRL) parsing.
markrad 0:cdf462088d13 2147 * Added support for CRL revocation to x509parse_verify() and
markrad 0:cdf462088d13 2148 SSL/TLS code.
markrad 0:cdf462088d13 2149 * Fixed compatibility of XTEA and Camellia on a 64-bit system
markrad 0:cdf462088d13 2150 (found by Felix von Leitner).
markrad 0:cdf462088d13 2151
markrad 0:cdf462088d13 2152 = Version 0.10.0 released on 2009-01-12
markrad 0:cdf462088d13 2153 * Migrated XySSL to PolarSSL
markrad 0:cdf462088d13 2154 * Added XTEA symmetric cipher
markrad 0:cdf462088d13 2155 * Added Camellia symmetric cipher
markrad 0:cdf462088d13 2156 * Added support for ciphersuites: SSL_RSA_CAMELLIA_128_SHA,
markrad 0:cdf462088d13 2157 SSL_RSA_CAMELLIA_256_SHA and SSL_EDH_RSA_CAMELLIA_256_SHA
markrad 0:cdf462088d13 2158 * Fixed dangerous bug that can cause a heap overflow in
markrad 0:cdf462088d13 2159 rsa_pkcs1_decrypt (found by Christophe Devine)
markrad 0:cdf462088d13 2160
markrad 0:cdf462088d13 2161 ================================================================
markrad 0:cdf462088d13 2162 XySSL ChangeLog
markrad 0:cdf462088d13 2163
markrad 0:cdf462088d13 2164 = Version 0.9 released on 2008-03-16
markrad 0:cdf462088d13 2165
markrad 0:cdf462088d13 2166 * Added support for ciphersuite: SSL_RSA_AES_128_SHA
markrad 0:cdf462088d13 2167 * Enabled support for large files by default in aescrypt2.c
markrad 0:cdf462088d13 2168 * Preliminary openssl wrapper contributed by David Barrett
markrad 0:cdf462088d13 2169 * Fixed a bug in ssl_write() that caused the same payload to
markrad 0:cdf462088d13 2170 be sent twice in non-blocking mode when send returns EAGAIN
markrad 0:cdf462088d13 2171 * Fixed ssl_parse_client_hello(): session id and challenge must
markrad 0:cdf462088d13 2172 not be swapped in the SSLv2 ClientHello (found by Greg Robson)
markrad 0:cdf462088d13 2173 * Added user-defined callback debug function (Krystian Kolodziej)
markrad 0:cdf462088d13 2174 * Before freeing a certificate, properly zero out all cert. data
markrad 0:cdf462088d13 2175 * Fixed the "mode" parameter so that encryption/decryption are
markrad 0:cdf462088d13 2176 not swapped on PadLock; also fixed compilation on older versions
markrad 0:cdf462088d13 2177 of gcc (bug reported by David Barrett)
markrad 0:cdf462088d13 2178 * Correctly handle the case in padlock_xcryptcbc() when input or
markrad 0:cdf462088d13 2179 ouput data is non-aligned by falling back to the software
markrad 0:cdf462088d13 2180 implementation, as VIA Nehemiah cannot handle non-aligned buffers
markrad 0:cdf462088d13 2181 * Fixed a memory leak in x509parse_crt() which was reported by Greg
markrad 0:cdf462088d13 2182 Robson-Garth; some x509write.c fixes by Pascal Vizeli, thanks to
markrad 0:cdf462088d13 2183 Matthew Page who reported several bugs
markrad 0:cdf462088d13 2184 * Fixed x509_get_ext() to accept some rare certificates which have
markrad 0:cdf462088d13 2185 an INTEGER instead of a BOOLEAN for BasicConstraints::cA.
markrad 0:cdf462088d13 2186 * Added support on the client side for the TLS "hostname" extension
markrad 0:cdf462088d13 2187 (patch contributed by David Patino)
markrad 0:cdf462088d13 2188 * Make x509parse_verify() return BADCERT_CN_MISMATCH when an empty
markrad 0:cdf462088d13 2189 string is passed as the CN (bug reported by spoofy)
markrad 0:cdf462088d13 2190 * Added an option to enable/disable the BN assembly code
markrad 0:cdf462088d13 2191 * Updated rsa_check_privkey() to verify that (D*E) = 1 % (P-1)*(Q-1)
markrad 0:cdf462088d13 2192 * Disabled obsolete hash functions by default (MD2, MD4); updated
markrad 0:cdf462088d13 2193 selftest and benchmark to not test ciphers that have been disabled
markrad 0:cdf462088d13 2194 * Updated x509parse_cert_info() to correctly display byte 0 of the
markrad 0:cdf462088d13 2195 serial number, setup correct server port in the ssl client example
markrad 0:cdf462088d13 2196 * Fixed a critical denial-of-service with X.509 cert. verification:
markrad 0:cdf462088d13 2197 peer may cause xyssl to loop indefinitely by sending a certificate
markrad 0:cdf462088d13 2198 for which the RSA signature check fails (bug reported by Benoit)
markrad 0:cdf462088d13 2199 * Added test vectors for: AES-CBC, AES-CFB, DES-CBC and 3DES-CBC,
markrad 0:cdf462088d13 2200 HMAC-MD5, HMAC-SHA1, HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512
markrad 0:cdf462088d13 2201 * Fixed HMAC-SHA-384 and HMAC-SHA-512 (thanks to Josh Sinykin)
markrad 0:cdf462088d13 2202 * Modified ssl_parse_client_key_exchange() to protect against
markrad 0:cdf462088d13 2203 Daniel Bleichenbacher attack on PKCS#1 v1.5 padding, as well
markrad 0:cdf462088d13 2204 as the Klima-Pokorny-Rosa extension of Bleichenbacher's attack
markrad 0:cdf462088d13 2205 * Updated rsa_gen_key() so that ctx->N is always nbits in size
markrad 0:cdf462088d13 2206 * Fixed assembly PPC compilation errors on Mac OS X, thanks to
markrad 0:cdf462088d13 2207 David Barrett and Dusan Semen
markrad 0:cdf462088d13 2208
markrad 0:cdf462088d13 2209 = Version 0.8 released on 2007-10-20
markrad 0:cdf462088d13 2210
markrad 0:cdf462088d13 2211 * Modified the HMAC functions to handle keys larger
markrad 0:cdf462088d13 2212 than 64 bytes, thanks to Stephane Desneux and gary ng
markrad 0:cdf462088d13 2213 * Fixed ssl_read_record() to properly update the handshake
markrad 0:cdf462088d13 2214 message digests, which fixes IE6/IE7 client authentication
markrad 0:cdf462088d13 2215 * Cleaned up the XYSSL* #defines, suggested by Azriel Fasten
markrad 0:cdf462088d13 2216 * Fixed net_recv(), thanks to Lorenz Schori and Egon Kocjan
markrad 0:cdf462088d13 2217 * Added user-defined callbacks for handling I/O and sessions
markrad 0:cdf462088d13 2218 * Added lots of debugging output in the SSL/TLS functions
markrad 0:cdf462088d13 2219 * Added preliminary X.509 cert. writing by Pascal Vizeli
markrad 0:cdf462088d13 2220 * Added preliminary support for the VIA PadLock routines
markrad 0:cdf462088d13 2221 * Added AES-CFB mode of operation, contributed by chmike
markrad 0:cdf462088d13 2222 * Added an SSL/TLS stress testing program (ssl_test.c)
markrad 0:cdf462088d13 2223 * Updated the RSA PKCS#1 code to allow choosing between
markrad 0:cdf462088d13 2224 RSA_PUBLIC and RSA_PRIVATE, as suggested by David Barrett
markrad 0:cdf462088d13 2225 * Updated ssl_read() to skip 0-length records from OpenSSL
markrad 0:cdf462088d13 2226 * Fixed the make install target to comply with *BSD make
markrad 0:cdf462088d13 2227 * Fixed a bug in mpi_read_binary() on 64-bit platforms
markrad 0:cdf462088d13 2228 * mpi_is_prime() speedups, thanks to Kevin McLaughlin
markrad 0:cdf462088d13 2229 * Fixed a long standing memory leak in mpi_is_prime()
markrad 0:cdf462088d13 2230 * Replaced realloc with malloc in mpi_grow(), and set
markrad 0:cdf462088d13 2231 the sign of zero as positive in mpi_init() (reported
markrad 0:cdf462088d13 2232 by Jonathan M. McCune)
markrad 0:cdf462088d13 2233
markrad 0:cdf462088d13 2234 = Version 0.7 released on 2007-07-07
markrad 0:cdf462088d13 2235
markrad 0:cdf462088d13 2236 * Added support for the MicroBlaze soft-core processor
markrad 0:cdf462088d13 2237 * Fixed a bug in ssl_tls.c which sometimes prevented SSL
markrad 0:cdf462088d13 2238 connections from being established with non-blocking I/O
markrad 0:cdf462088d13 2239 * Fixed a couple bugs in the VS6 and UNIX Makefiles
markrad 0:cdf462088d13 2240 * Fixed the "PIC register ebx clobbered in asm" bug
markrad 0:cdf462088d13 2241 * Added HMAC starts/update/finish support functions
markrad 0:cdf462088d13 2242 * Added the SHA-224, SHA-384 and SHA-512 hash functions
markrad 0:cdf462088d13 2243 * Fixed the net_set_*block routines, thanks to Andreas
markrad 0:cdf462088d13 2244 * Added a few demonstration programs: md5sum, sha1sum,
markrad 0:cdf462088d13 2245 dh_client, dh_server, rsa_genkey, rsa_sign, rsa_verify
markrad 0:cdf462088d13 2246 * Added new bignum import and export helper functions
markrad 0:cdf462088d13 2247 * Rewrote README.txt in program/ssl/ca to better explain
markrad 0:cdf462088d13 2248 how to create a test PKI
markrad 0:cdf462088d13 2249
markrad 0:cdf462088d13 2250 = Version 0.6 released on 2007-04-01
markrad 0:cdf462088d13 2251
markrad 0:cdf462088d13 2252 * Ciphers used in SSL/TLS can now be disabled at compile
markrad 0:cdf462088d13 2253 time, to reduce the memory footprint on embedded systems
markrad 0:cdf462088d13 2254 * Added multiply assembly code for the TriCore and modified
markrad 0:cdf462088d13 2255 havege_struct for this processor, thanks to David Patiño
markrad 0:cdf462088d13 2256 * Added multiply assembly code for 64-bit PowerPCs,
markrad 0:cdf462088d13 2257 thanks to Peking University and the OSU Open Source Lab
markrad 0:cdf462088d13 2258 * Added experimental support of Quantum Cryptography
markrad 0:cdf462088d13 2259 * Added support for autoconf, contributed by Arnaud Cornet
markrad 0:cdf462088d13 2260 * Fixed "long long" compilation issues on IA-64 and PPC64
markrad 0:cdf462088d13 2261 * Fixed a bug introduced in xyssl-0.5/timing.c: hardclock
markrad 0:cdf462088d13 2262 was not being correctly defined on ARM and MIPS
markrad 0:cdf462088d13 2263
markrad 0:cdf462088d13 2264 = Version 0.5 released on 2007-03-01
markrad 0:cdf462088d13 2265
markrad 0:cdf462088d13 2266 * Added multiply assembly code for SPARC and Alpha
markrad 0:cdf462088d13 2267 * Added (beta) support for non-blocking I/O operations
markrad 0:cdf462088d13 2268 * Implemented session resuming and client authentication
markrad 0:cdf462088d13 2269 * Fixed some portability issues on WinCE, MINIX 3, Plan9
markrad 0:cdf462088d13 2270 (thanks to Benjamin Newman), HP-UX, FreeBSD and Solaris
markrad 0:cdf462088d13 2271 * Improved the performance of the EDH key exchange
markrad 0:cdf462088d13 2272 * Fixed a bug that caused valid packets with a payload
markrad 0:cdf462088d13 2273 size of 16384 bytes to be rejected
markrad 0:cdf462088d13 2274
markrad 0:cdf462088d13 2275 = Version 0.4 released on 2007-02-01
markrad 0:cdf462088d13 2276
markrad 0:cdf462088d13 2277 * Added support for Ephemeral Diffie-Hellman key exchange
markrad 0:cdf462088d13 2278 * Added multiply asm code for SSE2, ARM, PPC, MIPS and M68K
markrad 0:cdf462088d13 2279 * Various improvement to the modular exponentiation code
markrad 0:cdf462088d13 2280 * Rewrote the headers to generate the API docs with doxygen
markrad 0:cdf462088d13 2281 * Fixed a bug in ssl_encrypt_buf (incorrect padding was
markrad 0:cdf462088d13 2282 generated) and in ssl_parse_client_hello (max. client
markrad 0:cdf462088d13 2283 version was not properly set), thanks to Didier Rebeix
markrad 0:cdf462088d13 2284 * Fixed another bug in ssl_parse_client_hello: clients with
markrad 0:cdf462088d13 2285 cipherlists larger than 96 bytes were incorrectly rejected
markrad 0:cdf462088d13 2286 * Fixed a couple memory leak in x509_read.c
markrad 0:cdf462088d13 2287
markrad 0:cdf462088d13 2288 = Version 0.3 released on 2007-01-01
markrad 0:cdf462088d13 2289
markrad 0:cdf462088d13 2290 * Added server-side SSLv3 and TLSv1.0 support
markrad 0:cdf462088d13 2291 * Multiple fixes to enhance the compatibility with g++,
markrad 0:cdf462088d13 2292 thanks to Xosé Antón Otero Ferreira
markrad 0:cdf462088d13 2293 * Fixed a bug in the CBC code, thanks to dowst; also,
markrad 0:cdf462088d13 2294 the bignum code is no longer dependent on long long
markrad 0:cdf462088d13 2295 * Updated rsa_pkcs1_sign to handle arbitrary large inputs
markrad 0:cdf462088d13 2296 * Updated timing.c for improved compatibility with i386
markrad 0:cdf462088d13 2297 and 486 processors, thanks to Arnaud Cornet
markrad 0:cdf462088d13 2298
markrad 0:cdf462088d13 2299 = Version 0.2 released on 2006-12-01
markrad 0:cdf462088d13 2300
markrad 0:cdf462088d13 2301 * Updated timing.c to support ARM and MIPS arch
markrad 0:cdf462088d13 2302 * Updated the MPI code to support 8086 on MSVC 1.5
markrad 0:cdf462088d13 2303 * Added the copyright notice at the top of havege.h
markrad 0:cdf462088d13 2304 * Fixed a bug in sha2_hmac, thanks to newsoft/Wenfang Zhang
markrad 0:cdf462088d13 2305 * Fixed a bug reported by Adrian Rüegsegger in x509_read_key
markrad 0:cdf462088d13 2306 * Fixed a bug reported by Torsten Lauter in ssl_read_record
markrad 0:cdf462088d13 2307 * Fixed a bug in rsa_check_privkey that would wrongly cause
markrad 0:cdf462088d13 2308 valid RSA keys to be dismissed (thanks to oldwolf)
markrad 0:cdf462088d13 2309 * Fixed a bug in mpi_is_prime that caused some primes to fail
markrad 0:cdf462088d13 2310 the Miller-Rabin primality test
markrad 0:cdf462088d13 2311
markrad 0:cdf462088d13 2312 I'd also like to thank Younès Hafri for the CRUX linux port,
markrad 0:cdf462088d13 2313 Khalil Petit who added XySSL into pkgsrc and Arnaud Cornet
markrad 0:cdf462088d13 2314 who maintains the Debian package :-)
markrad 0:cdf462088d13 2315
markrad 0:cdf462088d13 2316 = Version 0.1 released on 2006-11-01