mbed TLS upgraded to 2.6.0
Fork of mbedtls by
ChangeLog@2:bbdeda018a3c, 2017-09-29 (annotated)
- Committer:
- Jasper Wallace
- Date:
- Fri Sep 29 19:50:30 2017 +0100
- Revision:
- 2:bbdeda018a3c
- Parent:
- 1:9ebc941037d5
Update to mbedtls 2.6.0, many changes.
Changes to mbedtls sources made:
in include/mbedtls/config.h comment out:
#define MBEDTLS_FS_IO
#define MBEDTLS_NET_C
#define MBEDTLS_TIMING_C
uncomment:
#define MBEDTLS_NO_PLATFORM_ENTROPY
remove the following directorys:
programs
yotta
visualc
Who changed what in which revision?
User | Revision | Line number | New contents of line |
---|---|---|---|
markrad | 0:cdf462088d13 | 1 | mbed TLS ChangeLog (Sorted per branch, date) |
markrad | 0:cdf462088d13 | 2 | |
Jasper Wallace |
2:bbdeda018a3c | 3 | = mbed TLS 2.6.0 branch released 2017-08-10 |
Jasper Wallace |
2:bbdeda018a3c | 4 | |
Jasper Wallace |
2:bbdeda018a3c | 5 | Security |
Jasper Wallace |
2:bbdeda018a3c | 6 | * Fix authentication bypass in SSL/TLS: when authmode is set to optional, |
Jasper Wallace |
2:bbdeda018a3c | 7 | mbedtls_ssl_get_verify_result() would incorrectly return 0 when the peer's |
Jasper Wallace |
2:bbdeda018a3c | 8 | X.509 certificate chain had more than MBEDTLS_X509_MAX_INTERMEDIATE_CA |
Jasper Wallace |
2:bbdeda018a3c | 9 | (default: 8) intermediates, even when it was not trusted. This could be |
Jasper Wallace |
2:bbdeda018a3c | 10 | triggered remotely from either side. (With authmode set to 'required' |
Jasper Wallace |
2:bbdeda018a3c | 11 | (the default), the handshake was correctly aborted). |
Jasper Wallace |
2:bbdeda018a3c | 12 | * Reliably wipe sensitive data after use in the AES example applications |
Jasper Wallace |
2:bbdeda018a3c | 13 | programs/aes/aescrypt2 and programs/aes/crypt_and_hash. |
Jasper Wallace |
2:bbdeda018a3c | 14 | Found by Laurent Simon. |
Jasper Wallace |
2:bbdeda018a3c | 15 | |
Jasper Wallace |
2:bbdeda018a3c | 16 | Features |
Jasper Wallace |
2:bbdeda018a3c | 17 | * Add the functions mbedtls_platform_setup() and mbedtls_platform_teardown() |
Jasper Wallace |
2:bbdeda018a3c | 18 | and the context struct mbedtls_platform_context to perform |
Jasper Wallace |
2:bbdeda018a3c | 19 | platform-specific setup and teardown operations. The macro |
Jasper Wallace |
2:bbdeda018a3c | 20 | MBEDTLS_PLATFORM_SETUP_TEARDOWN_ALT allows the functions to be overridden |
Jasper Wallace |
2:bbdeda018a3c | 21 | by the user in a platform_alt.h file. These new functions are required in |
Jasper Wallace |
2:bbdeda018a3c | 22 | some embedded environments to provide a means of initialising underlying |
Jasper Wallace |
2:bbdeda018a3c | 23 | cryptographic acceleration hardware. |
Jasper Wallace |
2:bbdeda018a3c | 24 | |
Jasper Wallace |
2:bbdeda018a3c | 25 | API Changes |
Jasper Wallace |
2:bbdeda018a3c | 26 | * Reverted API/ABI breaking changes introduced in mbed TLS 2.5.1, to make the |
Jasper Wallace |
2:bbdeda018a3c | 27 | API consistent with mbed TLS 2.5.0. Specifically removed the inline |
Jasper Wallace |
2:bbdeda018a3c | 28 | qualifier from the functions mbedtls_aes_decrypt, mbedtls_aes_encrypt, |
Jasper Wallace |
2:bbdeda018a3c | 29 | mbedtls_ssl_ciphersuite_uses_ec and mbedtls_ssl_ciphersuite_uses_psk. Found |
Jasper Wallace |
2:bbdeda018a3c | 30 | by James Cowgill. #978 |
Jasper Wallace |
2:bbdeda018a3c | 31 | * Certificate verification functions now set flags to -1 in case the full |
Jasper Wallace |
2:bbdeda018a3c | 32 | chain was not verified due to an internal error (including in the verify |
Jasper Wallace |
2:bbdeda018a3c | 33 | callback) or chain length limitations. |
Jasper Wallace |
2:bbdeda018a3c | 34 | * With authmode set to optional, the TLS handshake is now aborted if the |
Jasper Wallace |
2:bbdeda018a3c | 35 | verification of the peer's certificate failed due to an overlong chain or |
Jasper Wallace |
2:bbdeda018a3c | 36 | a fatal error in the verify callback. |
Jasper Wallace |
2:bbdeda018a3c | 37 | |
Jasper Wallace |
2:bbdeda018a3c | 38 | Bugfix |
Jasper Wallace |
2:bbdeda018a3c | 39 | * Add a check if iv_len is zero in GCM, and return an error if it is zero. |
Jasper Wallace |
2:bbdeda018a3c | 40 | Reported by roberto. #716 |
Jasper Wallace |
2:bbdeda018a3c | 41 | * Replace preprocessor condition from #if defined(MBEDTLS_THREADING_PTHREAD) |
Jasper Wallace |
2:bbdeda018a3c | 42 | to #if defined(MBEDTLS_THREADING_C) as the library cannot assume they will |
Jasper Wallace |
2:bbdeda018a3c | 43 | always be implemented by pthread support. #696 |
Jasper Wallace |
2:bbdeda018a3c | 44 | * Fix a resource leak on Windows platforms in mbedtls_x509_crt_parse_path(), |
Jasper Wallace |
2:bbdeda018a3c | 45 | in the case of an error. Found by redplait. #590 |
Jasper Wallace |
2:bbdeda018a3c | 46 | * Add MBEDTLS_MPI_CHK to check for error value of mbedtls_mpi_fill_random. |
Jasper Wallace |
2:bbdeda018a3c | 47 | Reported and fix suggested by guidovranken. #740 |
Jasper Wallace |
2:bbdeda018a3c | 48 | * Fix conditional preprocessor directives in bignum.h to enable 64-bit |
Jasper Wallace |
2:bbdeda018a3c | 49 | compilation when using ARM Compiler 6. |
Jasper Wallace |
2:bbdeda018a3c | 50 | * Fix a potential integer overflow in the version verification for DER |
Jasper Wallace |
2:bbdeda018a3c | 51 | encoded X.509 CRLs. The overflow could enable maliciously constructed CRLs |
Jasper Wallace |
2:bbdeda018a3c | 52 | to bypass the version verification check. Found by Peng Li/Yueh-Hsun Lin, |
Jasper Wallace |
2:bbdeda018a3c | 53 | KNOX Security, Samsung Research America |
Jasper Wallace |
2:bbdeda018a3c | 54 | * Fix potential integer overflow in the version verification for DER |
Jasper Wallace |
2:bbdeda018a3c | 55 | encoded X.509 CSRs. The overflow could enable maliciously constructed CSRs |
Jasper Wallace |
2:bbdeda018a3c | 56 | to bypass the version verification check. Found by Peng Li/Yueh-Hsun Lin, |
Jasper Wallace |
2:bbdeda018a3c | 57 | KNOX Security, Samsung Research America |
Jasper Wallace |
2:bbdeda018a3c | 58 | * Fix a potential integer overflow in the version verification for DER |
Jasper Wallace |
2:bbdeda018a3c | 59 | encoded X.509 certificates. The overflow could enable maliciously |
Jasper Wallace |
2:bbdeda018a3c | 60 | constructed certificates to bypass the certificate verification check. |
Jasper Wallace |
2:bbdeda018a3c | 61 | * Fix a call to the libc function time() to call the platform abstraction |
Jasper Wallace |
2:bbdeda018a3c | 62 | function mbedtls_time() instead. Found by wairua. #666 |
Jasper Wallace |
2:bbdeda018a3c | 63 | * Avoid shadowing of time and index functions through mbed TLS function |
Jasper Wallace |
2:bbdeda018a3c | 64 | arguments. Found by inestlerode. #557. |
Jasper Wallace |
2:bbdeda018a3c | 65 | |
Jasper Wallace |
2:bbdeda018a3c | 66 | Changes |
Jasper Wallace |
2:bbdeda018a3c | 67 | * Added config.h option MBEDTLS_NO_UDBL_DIVISION, to prevent the use of |
Jasper Wallace |
2:bbdeda018a3c | 68 | 64-bit division. This is useful on embedded platforms where 64-bit division |
Jasper Wallace |
2:bbdeda018a3c | 69 | created a dependency on external libraries. #708 |
Jasper Wallace |
2:bbdeda018a3c | 70 | * Removed mutexes from ECP hardware accelerator code. Now all hardware |
Jasper Wallace |
2:bbdeda018a3c | 71 | accelerator code in the library leaves concurrency handling to the |
Jasper Wallace |
2:bbdeda018a3c | 72 | platform. Reported by Steven Cooreman. #863 |
Jasper Wallace |
2:bbdeda018a3c | 73 | * Define the macro MBEDTLS_AES_ROM_TABLES in the configuration file |
Jasper Wallace |
2:bbdeda018a3c | 74 | config-no-entropy.h to reduce the RAM footprint. |
Jasper Wallace |
2:bbdeda018a3c | 75 | * Added a test script that can be hooked into git that verifies commits |
Jasper Wallace |
2:bbdeda018a3c | 76 | before they are pushed. |
Jasper Wallace |
2:bbdeda018a3c | 77 | * Improve documentation of PKCS1 decryption functions. |
Jasper Wallace |
2:bbdeda018a3c | 78 | |
Jasper Wallace |
2:bbdeda018a3c | 79 | = mbed TLS 2.5.1 released 2017-06-21 |
Jasper Wallace |
2:bbdeda018a3c | 80 | |
Jasper Wallace |
2:bbdeda018a3c | 81 | Security |
Jasper Wallace |
2:bbdeda018a3c | 82 | * Fixed unlimited overread of heap-based buffer in mbedtls_ssl_read(). |
Jasper Wallace |
2:bbdeda018a3c | 83 | The issue could only happen client-side with renegotiation enabled. |
Jasper Wallace |
2:bbdeda018a3c | 84 | Could result in DoS (application crash) or information leak |
Jasper Wallace |
2:bbdeda018a3c | 85 | (if the application layer sent data read from mbedtls_ssl_read() |
Jasper Wallace |
2:bbdeda018a3c | 86 | back to the server or to a third party). Can be triggered remotely. |
Jasper Wallace |
2:bbdeda018a3c | 87 | * Removed SHA-1 and RIPEMD-160 from the default hash algorithms for |
Jasper Wallace |
2:bbdeda018a3c | 88 | certificate verification. SHA-1 can be turned back on with a compile-time |
Jasper Wallace |
2:bbdeda018a3c | 89 | option if needed. |
Jasper Wallace |
2:bbdeda018a3c | 90 | * Fixed offset in FALLBACK_SCSV parsing that caused TLS server to fail to |
Jasper Wallace |
2:bbdeda018a3c | 91 | detect it sometimes. Reported by Hugo Leisink. #810 |
Jasper Wallace |
2:bbdeda018a3c | 92 | * Tighten parsing of RSA PKCS#1 v1.5 signatures, to avoid a |
Jasper Wallace |
2:bbdeda018a3c | 93 | potential Bleichenbacher/BERserk-style attack. |
Jasper Wallace |
2:bbdeda018a3c | 94 | |
Jasper Wallace |
2:bbdeda018a3c | 95 | Bugfix |
Jasper Wallace |
2:bbdeda018a3c | 96 | * Remove size zero arrays from ECJPAKE test suite. Size zero arrays are not |
Jasper Wallace |
2:bbdeda018a3c | 97 | valid C and they prevented the test from compiling in Visual Studio 2015 |
Jasper Wallace |
2:bbdeda018a3c | 98 | and with GCC using the -Wpedantic compilation option. |
Jasper Wallace |
2:bbdeda018a3c | 99 | * Fix insufficient support for signature-hash-algorithm extension, |
Jasper Wallace |
2:bbdeda018a3c | 100 | resulting in compatibility problems with Chrome. Found by hfloyrd. #823 |
Jasper Wallace |
2:bbdeda018a3c | 101 | * Fix behaviour that hid the original cause of fatal alerts in some cases |
Jasper Wallace |
2:bbdeda018a3c | 102 | when sending the alert failed. The fix makes sure not to hide the error |
Jasper Wallace |
2:bbdeda018a3c | 103 | that triggered the alert. |
Jasper Wallace |
2:bbdeda018a3c | 104 | * Fix SSLv3 renegotiation behaviour and stop processing data received from |
Jasper Wallace |
2:bbdeda018a3c | 105 | peer after sending a fatal alert to refuse a renegotiation attempt. |
Jasper Wallace |
2:bbdeda018a3c | 106 | Previous behaviour was to keep processing data even after the alert has |
Jasper Wallace |
2:bbdeda018a3c | 107 | been sent. |
Jasper Wallace |
2:bbdeda018a3c | 108 | * Accept empty trusted CA chain in authentication mode |
Jasper Wallace |
2:bbdeda018a3c | 109 | MBEDTLS_SSL_VERIFY_OPTIONAL. |
Jasper Wallace |
2:bbdeda018a3c | 110 | Found by jethrogb. #864 |
Jasper Wallace |
2:bbdeda018a3c | 111 | * Fix implementation of mbedtls_ssl_parse_certificate() to not annihilate |
Jasper Wallace |
2:bbdeda018a3c | 112 | fatal errors in authentication mode MBEDTLS_SSL_VERIFY_OPTIONAL and to |
Jasper Wallace |
2:bbdeda018a3c | 113 | reflect bad EC curves within verification result. |
Jasper Wallace |
2:bbdeda018a3c | 114 | * Fix bug that caused the modular inversion function to accept the invalid |
Jasper Wallace |
2:bbdeda018a3c | 115 | modulus 1 and therefore to hang. Found by blaufish. #641. |
Jasper Wallace |
2:bbdeda018a3c | 116 | * Fix incorrect sign computation in modular exponentiation when the base is |
Jasper Wallace |
2:bbdeda018a3c | 117 | a negative MPI. Previously the result was always negative. Found by Guido |
Jasper Wallace |
2:bbdeda018a3c | 118 | Vranken. |
Jasper Wallace |
2:bbdeda018a3c | 119 | * Fix a numerical underflow leading to stack overflow in mpi_read_file() |
Jasper Wallace |
2:bbdeda018a3c | 120 | that was triggered uppon reading an empty line. Found by Guido Vranken. |
Jasper Wallace |
2:bbdeda018a3c | 121 | |
Jasper Wallace |
2:bbdeda018a3c | 122 | Changes |
Jasper Wallace |
2:bbdeda018a3c | 123 | * Send fatal alerts in more cases. The previous behaviour was to skip |
Jasper Wallace |
2:bbdeda018a3c | 124 | sending the fatal alert and just drop the connection. |
Jasper Wallace |
2:bbdeda018a3c | 125 | * Clarify ECDSA documentation and improve the sample code to avoid |
Jasper Wallace |
2:bbdeda018a3c | 126 | misunderstanding and potentially dangerous use of the API. Pointed out |
Jasper Wallace |
2:bbdeda018a3c | 127 | by Jean-Philippe Aumasson. |
Jasper Wallace |
2:bbdeda018a3c | 128 | |
Jasper Wallace |
2:bbdeda018a3c | 129 | = mbed TLS 2.5.0 branch released 2017-05-17 |
Jasper Wallace |
2:bbdeda018a3c | 130 | |
Jasper Wallace |
2:bbdeda018a3c | 131 | Security |
Jasper Wallace |
2:bbdeda018a3c | 132 | * Wipe stack buffers in RSA private key operations |
Jasper Wallace |
2:bbdeda018a3c | 133 | (rsa_rsaes_pkcs1_v15_decrypt(), rsa_rsaes_oaep_decrypt). Found by Laurent |
Jasper Wallace |
2:bbdeda018a3c | 134 | Simon. |
Jasper Wallace |
2:bbdeda018a3c | 135 | * Add exponent blinding to RSA private operations as a countermeasure |
Jasper Wallace |
2:bbdeda018a3c | 136 | against side-channel attacks like the cache attack described in |
Jasper Wallace |
2:bbdeda018a3c | 137 | https://arxiv.org/abs/1702.08719v2. |
Jasper Wallace |
2:bbdeda018a3c | 138 | Found and fix proposed by Michael Schwarz, Samuel Weiser, Daniel Gruss, |
Jasper Wallace |
2:bbdeda018a3c | 139 | Clémentine Maurice and Stefan Mangard. |
Jasper Wallace |
2:bbdeda018a3c | 140 | |
Jasper Wallace |
2:bbdeda018a3c | 141 | Features |
Jasper Wallace |
2:bbdeda018a3c | 142 | * Add hardware acceleration support for the Elliptic Curve Point module. |
Jasper Wallace |
2:bbdeda018a3c | 143 | This involved exposing parts of the internal interface to enable |
Jasper Wallace |
2:bbdeda018a3c | 144 | replacing the core functions and adding and alternative, module level |
Jasper Wallace |
2:bbdeda018a3c | 145 | replacement support for enabling the extension of the interface. |
Jasper Wallace |
2:bbdeda018a3c | 146 | * Add a new configuration option to 'mbedtls_ssl_config' to enable |
Jasper Wallace |
2:bbdeda018a3c | 147 | suppressing the CA list in Certificate Request messages. The default |
Jasper Wallace |
2:bbdeda018a3c | 148 | behaviour has not changed, namely every configured CAs name is included. |
Jasper Wallace |
2:bbdeda018a3c | 149 | |
Jasper Wallace |
2:bbdeda018a3c | 150 | API Changes |
Jasper Wallace |
2:bbdeda018a3c | 151 | * The following functions in the AES module have been deprecated and replaced |
Jasper Wallace |
2:bbdeda018a3c | 152 | by the functions shown below. The new functions change the return type from |
Jasper Wallace |
2:bbdeda018a3c | 153 | void to int to allow returning error codes when using MBEDTLS_AES_ALT, |
Jasper Wallace |
2:bbdeda018a3c | 154 | MBEDTLS_AES_DECRYPT_ALT or MBEDTLS_AES_ENCRYPT_ALT. |
Jasper Wallace |
2:bbdeda018a3c | 155 | mbedtls_aes_decrypt() -> mbedtls_internal_aes_decrypt() |
Jasper Wallace |
2:bbdeda018a3c | 156 | mbedtls_aes_encrypt() -> mbedtls_internal_aes_encrypt() |
Jasper Wallace |
2:bbdeda018a3c | 157 | |
Jasper Wallace |
2:bbdeda018a3c | 158 | Bugfix |
Jasper Wallace |
2:bbdeda018a3c | 159 | * Remove macros from compat-1.3.h that correspond to deleted items from most |
Jasper Wallace |
2:bbdeda018a3c | 160 | recent versions of the library. Found by Kyle Keen. |
Jasper Wallace |
2:bbdeda018a3c | 161 | * Fixed issue in the Threading module that prevented mutexes from |
Jasper Wallace |
2:bbdeda018a3c | 162 | initialising. Found by sznaider. #667 #843 |
Jasper Wallace |
2:bbdeda018a3c | 163 | * Add checks in the PK module for the RSA functions on 64-bit systems. |
Jasper Wallace |
2:bbdeda018a3c | 164 | The PK and RSA modules use different types for passing hash length and |
Jasper Wallace |
2:bbdeda018a3c | 165 | without these checks the type cast could lead to data loss. Found by Guido |
Jasper Wallace |
2:bbdeda018a3c | 166 | Vranken. |
Jasper Wallace |
2:bbdeda018a3c | 167 | |
Jasper Wallace |
1:9ebc941037d5 | 168 | = mbed TLS 2.4.2 branch released 2017-03-08 |
Jasper Wallace |
1:9ebc941037d5 | 169 | |
Jasper Wallace |
1:9ebc941037d5 | 170 | Security |
Jasper Wallace |
1:9ebc941037d5 | 171 | * Add checks to prevent signature forgeries for very large messages while |
Jasper Wallace |
1:9ebc941037d5 | 172 | using RSA through the PK module in 64-bit systems. The issue was caused by |
Jasper Wallace |
1:9ebc941037d5 | 173 | some data loss when casting a size_t to an unsigned int value in the |
Jasper Wallace |
1:9ebc941037d5 | 174 | functions rsa_verify_wrap(), rsa_sign_wrap(), rsa_alt_sign_wrap() and |
Jasper Wallace |
1:9ebc941037d5 | 175 | mbedtls_pk_sign(). Found by Jean-Philippe Aumasson. |
Jasper Wallace |
1:9ebc941037d5 | 176 | * Fixed potential livelock during the parsing of a CRL in PEM format in |
Jasper Wallace |
1:9ebc941037d5 | 177 | mbedtls_x509_crl_parse(). A string containing a CRL followed by trailing |
Jasper Wallace |
1:9ebc941037d5 | 178 | characters after the footer could result in the execution of an infinite |
Jasper Wallace |
1:9ebc941037d5 | 179 | loop. The issue can be triggered remotely. Found by Greg Zaverucha, |
Jasper Wallace |
1:9ebc941037d5 | 180 | Microsoft. |
Jasper Wallace |
1:9ebc941037d5 | 181 | * Removed MD5 from the allowed hash algorithms for CertificateRequest and |
Jasper Wallace |
1:9ebc941037d5 | 182 | CertificateVerify messages, to prevent SLOTH attacks against TLS 1.2. |
Jasper Wallace |
1:9ebc941037d5 | 183 | Introduced by interoperability fix for #513. |
Jasper Wallace |
1:9ebc941037d5 | 184 | * Fixed a bug that caused freeing a buffer that was allocated on the stack, |
Jasper Wallace |
1:9ebc941037d5 | 185 | when verifying the validity of a key on secp224k1. This could be |
Jasper Wallace |
1:9ebc941037d5 | 186 | triggered remotely for example with a maliciously constructed certificate |
Jasper Wallace |
1:9ebc941037d5 | 187 | and potentially could lead to remote code execution on some platforms. |
Jasper Wallace |
1:9ebc941037d5 | 188 | Reported independently by rongsaws and Aleksandar Nikolic, Cisco Talos |
Jasper Wallace |
1:9ebc941037d5 | 189 | team. #569 CVE-2017-2784 |
Jasper Wallace |
1:9ebc941037d5 | 190 | |
Jasper Wallace |
1:9ebc941037d5 | 191 | Bugfix |
Jasper Wallace |
1:9ebc941037d5 | 192 | * Fix output certificate verification flags set by x509_crt_verify_top() when |
Jasper Wallace |
1:9ebc941037d5 | 193 | traversing a chain of trusted CA. The issue would cause both flags, |
Jasper Wallace |
1:9ebc941037d5 | 194 | MBEDTLS_X509_BADCERT_NOT_TRUSTED and MBEDTLS_X509_BADCERT_EXPIRED, to be |
Jasper Wallace |
1:9ebc941037d5 | 195 | set when the verification conditions are not met regardless of the cause. |
Jasper Wallace |
1:9ebc941037d5 | 196 | Found by Harm Verhagen and inestlerode. #665 #561 |
Jasper Wallace |
1:9ebc941037d5 | 197 | * Fix the redefinition of macro ssl_set_bio to an undefined symbol |
Jasper Wallace |
1:9ebc941037d5 | 198 | mbedtls_ssl_set_bio_timeout in compat-1.3.h, by removing it. |
Jasper Wallace |
1:9ebc941037d5 | 199 | Found by omlib-lin. #673 |
Jasper Wallace |
1:9ebc941037d5 | 200 | * Fix unused variable/function compilation warnings in pem.c, x509_crt.c and |
Jasper Wallace |
1:9ebc941037d5 | 201 | x509_csr.c that are reported when building mbed TLS with a config.h that |
Jasper Wallace |
1:9ebc941037d5 | 202 | does not define MBEDTLS_PEM_PARSE_C. Found by omnium21. #562 |
Jasper Wallace |
1:9ebc941037d5 | 203 | * Fix incorrect renegotiation condition in ssl_check_ctr_renegotiate() that |
Jasper Wallace |
1:9ebc941037d5 | 204 | would compare 64 bits of the record counter instead of 48 bits as indicated |
Jasper Wallace |
1:9ebc941037d5 | 205 | in RFC 6347 Section 4.3.1. This could cause the execution of the |
Jasper Wallace |
1:9ebc941037d5 | 206 | renegotiation routines at unexpected times when the protocol is DTLS. Found |
Jasper Wallace |
1:9ebc941037d5 | 207 | by wariua. #687 |
Jasper Wallace |
1:9ebc941037d5 | 208 | * Fixed multiple buffer overreads in mbedtls_pem_read_buffer() when parsing |
Jasper Wallace |
1:9ebc941037d5 | 209 | the input string in PEM format to extract the different components. Found |
Jasper Wallace |
1:9ebc941037d5 | 210 | by Eyal Itkin. |
Jasper Wallace |
1:9ebc941037d5 | 211 | * Fixed potential arithmetic overflow in mbedtls_ctr_drbg_reseed() that could |
Jasper Wallace |
1:9ebc941037d5 | 212 | cause buffer bound checks to be bypassed. Found by Eyal Itkin. |
Jasper Wallace |
1:9ebc941037d5 | 213 | * Fixed potential arithmetic overflows in mbedtls_cipher_update() that could |
Jasper Wallace |
1:9ebc941037d5 | 214 | cause buffer bound checks to be bypassed. Found by Eyal Itkin. |
Jasper Wallace |
1:9ebc941037d5 | 215 | * Fixed potential arithmetic overflow in mbedtls_md2_update() that could |
Jasper Wallace |
1:9ebc941037d5 | 216 | cause buffer bound checks to be bypassed. Found by Eyal Itkin. |
Jasper Wallace |
1:9ebc941037d5 | 217 | * Fixed potential arithmetic overflow in mbedtls_base64_decode() that could |
Jasper Wallace |
1:9ebc941037d5 | 218 | cause buffer bound checks to be bypassed. Found by Eyal Itkin. |
Jasper Wallace |
1:9ebc941037d5 | 219 | * Fixed heap overreads in mbedtls_x509_get_time(). Found by Peng |
Jasper Wallace |
1:9ebc941037d5 | 220 | Li/Yueh-Hsun Lin, KNOX Security, Samsung Research America. |
Jasper Wallace |
1:9ebc941037d5 | 221 | * Fix potential memory leak in mbedtls_x509_crl_parse(). The leak was caused |
Jasper Wallace |
1:9ebc941037d5 | 222 | by missing calls to mbedtls_pem_free() in cases when a |
Jasper Wallace |
1:9ebc941037d5 | 223 | MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT error was encountered. Found and |
Jasper Wallace |
1:9ebc941037d5 | 224 | fix proposed by Guido Vranken. #722 |
Jasper Wallace |
1:9ebc941037d5 | 225 | * Fixed the templates used to generate project and solution files for Visual |
Jasper Wallace |
1:9ebc941037d5 | 226 | Studio 2015 as well as the files themselves, to remove a build warning |
Jasper Wallace |
1:9ebc941037d5 | 227 | generated in Visual Studio 2015. Reported by Steve Valliere. #742 |
Jasper Wallace |
1:9ebc941037d5 | 228 | * Fix a resource leak in ssl_cookie, when using MBEDTLS_THREADING_C. |
Jasper Wallace |
1:9ebc941037d5 | 229 | Raised and fix suggested by Alan Gillingham in the mbed TLS forum. #771 |
Jasper Wallace |
1:9ebc941037d5 | 230 | * Fix 1 byte buffer overflow in mbedtls_mpi_write_string() when the MPI |
Jasper Wallace |
1:9ebc941037d5 | 231 | number to write in hexadecimal is negative and requires an odd number of |
Jasper Wallace |
1:9ebc941037d5 | 232 | digits. Found and fixed by Guido Vranken. |
Jasper Wallace |
1:9ebc941037d5 | 233 | * Fix unlisted DES configuration dependency in some pkparse test cases. Found |
Jasper Wallace |
1:9ebc941037d5 | 234 | by inestlerode. #555 |
Jasper Wallace |
1:9ebc941037d5 | 235 | |
markrad | 0:cdf462088d13 | 236 | = mbed TLS 2.4.1 branch released 2016-12-13 |
markrad | 0:cdf462088d13 | 237 | |
markrad | 0:cdf462088d13 | 238 | Changes |
markrad | 0:cdf462088d13 | 239 | * Update to CMAC test data, taken from - NIST Special Publication 800-38B - |
markrad | 0:cdf462088d13 | 240 | Recommendation for Block Cipher Modes of Operation: The CMAC Mode for |
markrad | 0:cdf462088d13 | 241 | Authentication – October 2016 |
markrad | 0:cdf462088d13 | 242 | |
markrad | 0:cdf462088d13 | 243 | = mbed TLS 2.4.0 branch released 2016-10-17 |
markrad | 0:cdf462088d13 | 244 | |
markrad | 0:cdf462088d13 | 245 | Security |
markrad | 0:cdf462088d13 | 246 | * Removed the MBEDTLS_SSL_AEAD_RANDOM_IV option, because it was not compliant |
markrad | 0:cdf462088d13 | 247 | with RFC-5116 and could lead to session key recovery in very long TLS |
markrad | 0:cdf462088d13 | 248 | sessions. "Nonce-Disrespecting Adversaries Practical Forgery Attacks on GCM in |
markrad | 0:cdf462088d13 | 249 | TLS" - H. Bock, A. Zauner, S. Devlin, J. Somorovsky, P. Jovanovic. |
markrad | 0:cdf462088d13 | 250 | https://eprint.iacr.org/2016/475.pdf |
markrad | 0:cdf462088d13 | 251 | * Fixed potential stack corruption in mbedtls_x509write_crt_der() and |
markrad | 0:cdf462088d13 | 252 | mbedtls_x509write_csr_der() when the signature is copied to the buffer |
markrad | 0:cdf462088d13 | 253 | without checking whether there is enough space in the destination. The |
markrad | 0:cdf462088d13 | 254 | issue cannot be triggered remotely. Found by Jethro Beekman. |
markrad | 0:cdf462088d13 | 255 | |
markrad | 0:cdf462088d13 | 256 | Features |
markrad | 0:cdf462088d13 | 257 | * Added support for CMAC for AES and 3DES and AES-CMAC-PRF-128, as defined by |
markrad | 0:cdf462088d13 | 258 | NIST SP 800-38B, RFC-4493 and RFC-4615. |
markrad | 0:cdf462088d13 | 259 | * Added hardware entropy selftest to verify that the hardware entropy source |
markrad | 0:cdf462088d13 | 260 | is functioning correctly. |
markrad | 0:cdf462088d13 | 261 | * Added a script to print build environment info for diagnostic use in test |
markrad | 0:cdf462088d13 | 262 | scripts, which is also now called by all.sh. |
markrad | 0:cdf462088d13 | 263 | * Added the macro MBEDTLS_X509_MAX_FILE_PATH_LEN that enables the user to |
markrad | 0:cdf462088d13 | 264 | configure the maximum length of a file path that can be buffered when |
markrad | 0:cdf462088d13 | 265 | calling mbedtls_x509_crt_parse_path(). |
markrad | 0:cdf462088d13 | 266 | * Added a configuration file config-no-entropy.h that configures the subset of |
markrad | 0:cdf462088d13 | 267 | library features that do not require an entropy source. |
markrad | 0:cdf462088d13 | 268 | * Added the macro MBEDTLS_ENTROPY_MIN_HARDWARE in config.h. This allows users |
markrad | 0:cdf462088d13 | 269 | to configure the minimum number of bytes for entropy sources using the |
markrad | 0:cdf462088d13 | 270 | mbedtls_hardware_poll() function. |
markrad | 0:cdf462088d13 | 271 | |
markrad | 0:cdf462088d13 | 272 | Bugfix |
markrad | 0:cdf462088d13 | 273 | * Fix for platform time abstraction to avoid dependency issues where a build |
markrad | 0:cdf462088d13 | 274 | may need time but not the standard C library abstraction, and added |
markrad | 0:cdf462088d13 | 275 | configuration consistency checks to check_config.h |
markrad | 0:cdf462088d13 | 276 | * Fix dependency issue in Makefile to allow parallel builds. |
markrad | 0:cdf462088d13 | 277 | * Fix incorrect handling of block lengths in crypt_and_hash.c sample program, |
markrad | 0:cdf462088d13 | 278 | when GCM is used. Found by udf2457. #441 |
markrad | 0:cdf462088d13 | 279 | * Fix for key exchanges based on ECDH-RSA or ECDH-ECDSA which weren't |
markrad | 0:cdf462088d13 | 280 | enabled unless others were also present. Found by David Fernandez. #428 |
markrad | 0:cdf462088d13 | 281 | * Fix for out-of-tree builds using CMake. Found by jwurzer, and fix based on |
markrad | 0:cdf462088d13 | 282 | a contribution from Tobias Tangemann. #541 |
markrad | 0:cdf462088d13 | 283 | * Fixed cert_app.c sample program for debug output and for use when no root |
markrad | 0:cdf462088d13 | 284 | certificates are provided. |
markrad | 0:cdf462088d13 | 285 | * Fix conditional statement that would cause a 1 byte overread in |
markrad | 0:cdf462088d13 | 286 | mbedtls_asn1_get_int(). Found and fixed by Guido Vranken. #599 |
markrad | 0:cdf462088d13 | 287 | * Fixed pthread implementation to avoid unintended double initialisations |
markrad | 0:cdf462088d13 | 288 | and double frees. Found by Niklas Amnebratt. |
markrad | 0:cdf462088d13 | 289 | * Fixed the sample applications gen_key.c, cert_req.c and cert_write.c for |
markrad | 0:cdf462088d13 | 290 | builds where the configuration MBEDTLS_PEM_WRITE_C is not defined. Found |
markrad | 0:cdf462088d13 | 291 | by inestlerode. #559. |
markrad | 0:cdf462088d13 | 292 | * Fix mbedtls_x509_get_sig() to update the ASN1 type in the mbedtls_x509_buf |
markrad | 0:cdf462088d13 | 293 | data structure until after error checks are successful. Found by |
markrad | 0:cdf462088d13 | 294 | subramanyam-c. #622 |
markrad | 0:cdf462088d13 | 295 | * Fix documentation and implementation missmatch for function arguments of |
markrad | 0:cdf462088d13 | 296 | mbedtls_gcm_finish(). Found by cmiatpaar. #602 |
markrad | 0:cdf462088d13 | 297 | * Guarantee that P>Q at RSA key generation. Found by inestlerode. #558 |
markrad | 0:cdf462088d13 | 298 | * Fix potential byte overread when verifying malformed SERVER_HELLO in |
markrad | 0:cdf462088d13 | 299 | ssl_parse_hello_verify_request() for DTLS. Found by Guido Vranken. |
markrad | 0:cdf462088d13 | 300 | * Fix check for validity of date when parsing in mbedtls_x509_get_time(). |
markrad | 0:cdf462088d13 | 301 | Found by subramanyam-c. #626 |
markrad | 0:cdf462088d13 | 302 | * Fix compatibility issue with Internet Explorer client authentication, |
markrad | 0:cdf462088d13 | 303 | where the limited hash choices prevented the client from sending its |
markrad | 0:cdf462088d13 | 304 | certificate. Found by teumas. #513 |
markrad | 0:cdf462088d13 | 305 | * Fix compilation without MBEDTLS_SELF_TEST enabled. |
markrad | 0:cdf462088d13 | 306 | |
markrad | 0:cdf462088d13 | 307 | Changes |
markrad | 0:cdf462088d13 | 308 | * Extended test coverage of special cases, and added new timing test suite. |
markrad | 0:cdf462088d13 | 309 | * Removed self-tests from the basic-built-test.sh script, and added all |
markrad | 0:cdf462088d13 | 310 | missing self-tests to the test suites, to ensure self-tests are only |
markrad | 0:cdf462088d13 | 311 | executed once. |
markrad | 0:cdf462088d13 | 312 | * Added support for 3 and 4 byte lengths to mbedtls_asn1_write_len(). |
markrad | 0:cdf462088d13 | 313 | * Added support for a Yotta specific configuration file - |
markrad | 0:cdf462088d13 | 314 | through the symbol YOTTA_CFG_MBEDTLS_TARGET_CONFIG_FILE. |
markrad | 0:cdf462088d13 | 315 | * Added optimization for code space for X.509/OID based on configured |
markrad | 0:cdf462088d13 | 316 | features. Contributed by Aviv Palivoda. |
markrad | 0:cdf462088d13 | 317 | * Renamed source file library/net.c to library/net_sockets.c to avoid |
markrad | 0:cdf462088d13 | 318 | naming collision in projects which also have files with the common name |
markrad | 0:cdf462088d13 | 319 | net.c. For consistency, the corresponding header file, net.h, is marked as |
markrad | 0:cdf462088d13 | 320 | deprecated, and its contents moved to net_sockets.h. |
markrad | 0:cdf462088d13 | 321 | * Changed the strategy for X.509 certificate parsing and validation, to no |
markrad | 0:cdf462088d13 | 322 | longer disregard certificates with unrecognised fields. |
markrad | 0:cdf462088d13 | 323 | |
markrad | 0:cdf462088d13 | 324 | = mbed TLS 2.3.0 branch released 2016-06-28 |
markrad | 0:cdf462088d13 | 325 | |
markrad | 0:cdf462088d13 | 326 | Security |
markrad | 0:cdf462088d13 | 327 | * Fix missing padding length check in mbedtls_rsa_rsaes_pkcs1_v15_decrypt |
markrad | 0:cdf462088d13 | 328 | required by PKCS1 v2.2 |
markrad | 0:cdf462088d13 | 329 | * Fix potential integer overflow to buffer overflow in |
markrad | 0:cdf462088d13 | 330 | mbedtls_rsa_rsaes_pkcs1_v15_encrypt and mbedtls_rsa_rsaes_oaep_encrypt |
markrad | 0:cdf462088d13 | 331 | (not triggerable remotely in (D)TLS). |
Jasper Wallace |
2:bbdeda018a3c | 332 | * Fix a potential integer underflow to buffer overread in |
markrad | 0:cdf462088d13 | 333 | mbedtls_rsa_rsaes_oaep_decrypt. It is not triggerable remotely in |
markrad | 0:cdf462088d13 | 334 | SSL/TLS. |
markrad | 0:cdf462088d13 | 335 | |
markrad | 0:cdf462088d13 | 336 | Features |
markrad | 0:cdf462088d13 | 337 | * Support for platform abstraction of the standard C library time() |
markrad | 0:cdf462088d13 | 338 | function. |
markrad | 0:cdf462088d13 | 339 | |
markrad | 0:cdf462088d13 | 340 | Bugfix |
markrad | 0:cdf462088d13 | 341 | * Fix bug in mbedtls_mpi_add_mpi() that caused wrong results when the three |
markrad | 0:cdf462088d13 | 342 | arguments where the same (in-place doubling). Found and fixed by Janos |
markrad | 0:cdf462088d13 | 343 | Follath. #309 |
markrad | 0:cdf462088d13 | 344 | * Fix potential build failures related to the 'apidoc' target, introduced |
markrad | 0:cdf462088d13 | 345 | in the previous patch release. Found by Robert Scheck. #390 #391 |
markrad | 0:cdf462088d13 | 346 | * Fix issue in Makefile that prevented building using armar. #386 |
markrad | 0:cdf462088d13 | 347 | * Fix memory leak that occured only when ECJPAKE was enabled and ECDHE and |
markrad | 0:cdf462088d13 | 348 | ECDSA was disabled in config.h . The leak didn't occur by default. |
markrad | 0:cdf462088d13 | 349 | * Fix an issue that caused valid certificates to be rejected whenever an |
markrad | 0:cdf462088d13 | 350 | expired or not yet valid certificate was parsed before a valid certificate |
markrad | 0:cdf462088d13 | 351 | in the trusted certificate list. |
Jasper Wallace |
2:bbdeda018a3c | 352 | * Fix bug in mbedtls_x509_crt_parse that caused trailing extra data in the |
markrad | 0:cdf462088d13 | 353 | buffer after DER certificates to be included in the raw representation. |
markrad | 0:cdf462088d13 | 354 | * Fix issue that caused a hang when generating RSA keys of odd bitlength |
markrad | 0:cdf462088d13 | 355 | * Fix bug in mbedtls_rsa_rsaes_pkcs1_v15_encrypt that made null pointer |
markrad | 0:cdf462088d13 | 356 | dereference possible. |
markrad | 0:cdf462088d13 | 357 | * Fix issue that caused a crash if invalid curves were passed to |
markrad | 0:cdf462088d13 | 358 | mbedtls_ssl_conf_curves. #373 |
markrad | 0:cdf462088d13 | 359 | * Fix issue in ssl_fork_server which was preventing it from functioning. #429 |
markrad | 0:cdf462088d13 | 360 | * Fix memory leaks in test framework |
markrad | 0:cdf462088d13 | 361 | * Fix test in ssl-opt.sh that does not run properly with valgrind |
markrad | 0:cdf462088d13 | 362 | * Fix unchecked calls to mmbedtls_md_setup(). Fix by Brian Murray. #502 |
markrad | 0:cdf462088d13 | 363 | |
markrad | 0:cdf462088d13 | 364 | Changes |
markrad | 0:cdf462088d13 | 365 | * On ARM platforms, when compiling with -O0 with GCC, Clang or armcc5, |
markrad | 0:cdf462088d13 | 366 | don't use the optimized assembly for bignum multiplication. This removes |
markrad | 0:cdf462088d13 | 367 | the need to pass -fomit-frame-pointer to avoid a build error with -O0. |
markrad | 0:cdf462088d13 | 368 | * Disabled SSLv3 in the default configuration. |
markrad | 0:cdf462088d13 | 369 | * Optimized mbedtls_mpi_zeroize() for MPI integer size. (Fix by Alexey |
markrad | 0:cdf462088d13 | 370 | Skalozub). |
markrad | 0:cdf462088d13 | 371 | * Fix non-compliance server extension handling. Extensions for SSLv3 are now |
markrad | 0:cdf462088d13 | 372 | ignored, as required by RFC6101. |
markrad | 0:cdf462088d13 | 373 | |
markrad | 0:cdf462088d13 | 374 | = mbed TLS 2.2.1 released 2016-01-05 |
markrad | 0:cdf462088d13 | 375 | |
markrad | 0:cdf462088d13 | 376 | Security |
markrad | 0:cdf462088d13 | 377 | * Fix potential double free when mbedtls_asn1_store_named_data() fails to |
markrad | 0:cdf462088d13 | 378 | allocate memory. Only used for certificate generation, not triggerable |
markrad | 0:cdf462088d13 | 379 | remotely in SSL/TLS. Found by Rafał Przywara. #367 |
markrad | 0:cdf462088d13 | 380 | * Disable MD5 handshake signatures in TLS 1.2 by default to prevent the |
markrad | 0:cdf462088d13 | 381 | SLOTH attack on TLS 1.2 server authentication (other attacks from the |
markrad | 0:cdf462088d13 | 382 | SLOTH paper do not apply to any version of mbed TLS or PolarSSL). |
markrad | 0:cdf462088d13 | 383 | https://www.mitls.org/pages/attacks/SLOTH |
markrad | 0:cdf462088d13 | 384 | |
markrad | 0:cdf462088d13 | 385 | Bugfix |
markrad | 0:cdf462088d13 | 386 | * Fix over-restrictive length limit in GCM. Found by Andreas-N. #362 |
markrad | 0:cdf462088d13 | 387 | * Fix bug in certificate validation that caused valid chains to be rejected |
markrad | 0:cdf462088d13 | 388 | when the first intermediate certificate has pathLenConstraint=0. Found by |
markrad | 0:cdf462088d13 | 389 | Nicholas Wilson. Introduced in mbed TLS 2.2.0. #280 |
markrad | 0:cdf462088d13 | 390 | * Removed potential leak in mbedtls_rsa_rsassa_pkcs1_v15_sign(), found by |
markrad | 0:cdf462088d13 | 391 | JayaraghavendranK. #372 |
markrad | 0:cdf462088d13 | 392 | * Fix suboptimal handling of unexpected records that caused interop issues |
markrad | 0:cdf462088d13 | 393 | with some peers over unreliable links. Avoid dropping an entire DTLS |
markrad | 0:cdf462088d13 | 394 | datagram if a single record in a datagram is unexpected, instead only |
markrad | 0:cdf462088d13 | 395 | drop the record and look at subsequent records (if any are present) in |
markrad | 0:cdf462088d13 | 396 | the same datagram. Found by jeannotlapin. #345 |
markrad | 0:cdf462088d13 | 397 | |
markrad | 0:cdf462088d13 | 398 | = mbed TLS 2.2.0 released 2015-11-04 |
markrad | 0:cdf462088d13 | 399 | |
markrad | 0:cdf462088d13 | 400 | Security |
markrad | 0:cdf462088d13 | 401 | * Fix potential double free if mbedtls_ssl_conf_psk() is called more than |
markrad | 0:cdf462088d13 | 402 | once and some allocation fails. Cannot be forced remotely. Found by Guido |
markrad | 0:cdf462088d13 | 403 | Vranken, Intelworks. |
markrad | 0:cdf462088d13 | 404 | * Fix potential heap corruption on Windows when |
markrad | 0:cdf462088d13 | 405 | mbedtls_x509_crt_parse_path() is passed a path longer than 2GB. Cannot be |
markrad | 0:cdf462088d13 | 406 | triggered remotely. Found by Guido Vranken, Intelworks. |
markrad | 0:cdf462088d13 | 407 | * Fix potential buffer overflow in some asn1_write_xxx() functions. |
markrad | 0:cdf462088d13 | 408 | Cannot be triggered remotely unless you create X.509 certificates based |
markrad | 0:cdf462088d13 | 409 | on untrusted input or write keys of untrusted origin. Found by Guido |
markrad | 0:cdf462088d13 | 410 | Vranken, Intelworks. |
markrad | 0:cdf462088d13 | 411 | * The X509 max_pathlen constraint was not enforced on intermediate |
markrad | 0:cdf462088d13 | 412 | certificates. Found by Nicholas Wilson, fix and tests provided by |
markrad | 0:cdf462088d13 | 413 | Janos Follath. #280 and #319 |
markrad | 0:cdf462088d13 | 414 | |
markrad | 0:cdf462088d13 | 415 | Features |
markrad | 0:cdf462088d13 | 416 | * Experimental support for EC J-PAKE as defined in Thread 1.0.0. |
markrad | 0:cdf462088d13 | 417 | Disabled by default as the specification might still change. |
markrad | 0:cdf462088d13 | 418 | * Added a key extraction callback to accees the master secret and key |
markrad | 0:cdf462088d13 | 419 | block. (Potential uses include EAP-TLS and Thread.) |
markrad | 0:cdf462088d13 | 420 | |
markrad | 0:cdf462088d13 | 421 | Bugfix |
markrad | 0:cdf462088d13 | 422 | * Self-signed certificates were not excluded from pathlen counting, |
markrad | 0:cdf462088d13 | 423 | resulting in some valid X.509 being incorrectly rejected. Found and fix |
markrad | 0:cdf462088d13 | 424 | provided by Janos Follath. #319 |
markrad | 0:cdf462088d13 | 425 | * Fix build error with configurations where ECDHE-PSK is the only key |
markrad | 0:cdf462088d13 | 426 | exchange. Found and fix provided by Chris Hammond. #270 |
markrad | 0:cdf462088d13 | 427 | * Fix build error with configurations where RSA, RSA-PSK, ECDH-RSA or |
markrad | 0:cdf462088d13 | 428 | ECHD-ECDSA if the only key exchange. Multiple reports. #310 |
markrad | 0:cdf462088d13 | 429 | * Fixed a bug causing some handshakes to fail due to some non-fatal alerts |
markrad | 0:cdf462088d13 | 430 | not being properly ignored. Found by mancha and Kasom Koht-arsa, #308 |
markrad | 0:cdf462088d13 | 431 | * mbedtls_x509_crt_verify(_with_profile)() now also checks the key type and |
markrad | 0:cdf462088d13 | 432 | size/curve against the profile. Before that, there was no way to set a |
markrad | 0:cdf462088d13 | 433 | minimum key size for end-entity certificates with RSA keys. Found by |
markrad | 0:cdf462088d13 | 434 | Matthew Page of Scannex Electronics Ltd. |
markrad | 0:cdf462088d13 | 435 | * Fix failures in MPI on Sparc(64) due to use of bad assembly code. |
markrad | 0:cdf462088d13 | 436 | Found by Kurt Danielson. #292 |
markrad | 0:cdf462088d13 | 437 | * Fix typo in name of the extKeyUsage OID. Found by inestlerode, #314 |
markrad | 0:cdf462088d13 | 438 | * Fix bug in ASN.1 encoding of booleans that caused generated CA |
markrad | 0:cdf462088d13 | 439 | certificates to be rejected by some applications, including OS X |
markrad | 0:cdf462088d13 | 440 | Keychain. Found and fixed by Jonathan Leroy, Inikup. |
markrad | 0:cdf462088d13 | 441 | |
markrad | 0:cdf462088d13 | 442 | Changes |
markrad | 0:cdf462088d13 | 443 | * Improved performance of mbedtls_ecp_muladd() when one of the scalars is 1 |
markrad | 0:cdf462088d13 | 444 | or -1. |
markrad | 0:cdf462088d13 | 445 | |
markrad | 0:cdf462088d13 | 446 | = mbed TLS 2.1.2 released 2015-10-06 |
markrad | 0:cdf462088d13 | 447 | |
markrad | 0:cdf462088d13 | 448 | Security |
markrad | 0:cdf462088d13 | 449 | * Added fix for CVE-2015-5291 to prevent heap corruption due to buffer |
markrad | 0:cdf462088d13 | 450 | overflow of the hostname or session ticket. Found by Guido Vranken, |
markrad | 0:cdf462088d13 | 451 | Intelworks. |
markrad | 0:cdf462088d13 | 452 | * Fix potential double-free if mbedtls_ssl_set_hs_psk() is called more than |
markrad | 0:cdf462088d13 | 453 | once in the same handhake and mbedtls_ssl_conf_psk() was used. |
markrad | 0:cdf462088d13 | 454 | Found and patch provided by Guido Vranken, Intelworks. Cannot be forced |
markrad | 0:cdf462088d13 | 455 | remotely. |
markrad | 0:cdf462088d13 | 456 | * Fix stack buffer overflow in pkcs12 decryption (used by |
markrad | 0:cdf462088d13 | 457 | mbedtls_pk_parse_key(file)() when the password is > 129 bytes. |
markrad | 0:cdf462088d13 | 458 | Found by Guido Vranken, Intelworks. Not triggerable remotely. |
markrad | 0:cdf462088d13 | 459 | * Fix potential buffer overflow in mbedtls_mpi_read_string(). |
markrad | 0:cdf462088d13 | 460 | Found by Guido Vranken, Intelworks. Not exploitable remotely in the context |
markrad | 0:cdf462088d13 | 461 | of TLS, but might be in other uses. On 32 bit machines, requires reading a |
markrad | 0:cdf462088d13 | 462 | string of close to or larger than 1GB to exploit; on 64 bit machines, would |
markrad | 0:cdf462088d13 | 463 | require reading a string of close to or larger than 2^62 bytes. |
markrad | 0:cdf462088d13 | 464 | * Fix potential random memory allocation in mbedtls_pem_read_buffer() |
markrad | 0:cdf462088d13 | 465 | on crafted PEM input data. Found and fix provided by Guido Vranken, |
markrad | 0:cdf462088d13 | 466 | Intelworks. Not triggerable remotely in TLS. Triggerable remotely if you |
markrad | 0:cdf462088d13 | 467 | accept PEM data from an untrusted source. |
markrad | 0:cdf462088d13 | 468 | * Fix possible heap buffer overflow in base64_encoded() when the input |
markrad | 0:cdf462088d13 | 469 | buffer is 512MB or larger on 32-bit platforms. Found by Guido Vranken, |
markrad | 0:cdf462088d13 | 470 | Intelworks. Not trigerrable remotely in TLS. |
markrad | 0:cdf462088d13 | 471 | * Fix potential double-free if mbedtls_conf_psk() is called repeatedly on |
markrad | 0:cdf462088d13 | 472 | the same mbedtls_ssl_config object and memory allocation fails. Found by |
markrad | 0:cdf462088d13 | 473 | Guido Vranken, Intelworks. Cannot be forced remotely. |
markrad | 0:cdf462088d13 | 474 | * Fix potential heap buffer overflow in servers that perform client |
markrad | 0:cdf462088d13 | 475 | authentication against a crafted CA cert. Cannot be triggered remotely |
markrad | 0:cdf462088d13 | 476 | unless you allow third parties to pick trust CAs for client auth. |
markrad | 0:cdf462088d13 | 477 | Found by Guido Vranken, Intelworks. |
markrad | 0:cdf462088d13 | 478 | |
markrad | 0:cdf462088d13 | 479 | Bugfix |
markrad | 0:cdf462088d13 | 480 | * Fix compile error in net.c with musl libc. Found and patch provided by |
markrad | 0:cdf462088d13 | 481 | zhasha (#278). |
markrad | 0:cdf462088d13 | 482 | * Fix macroization of 'inline' keyword when building as C++. (#279) |
markrad | 0:cdf462088d13 | 483 | |
markrad | 0:cdf462088d13 | 484 | Changes |
markrad | 0:cdf462088d13 | 485 | * Added checking of hostname length in mbedtls_ssl_set_hostname() to ensure |
markrad | 0:cdf462088d13 | 486 | domain names are compliant with RFC 1035. |
markrad | 0:cdf462088d13 | 487 | * Fixed paths for check_config.h in example config files. (Found by bachp) |
markrad | 0:cdf462088d13 | 488 | (#291) |
markrad | 0:cdf462088d13 | 489 | |
markrad | 0:cdf462088d13 | 490 | = mbed TLS 2.1.1 released 2015-09-17 |
markrad | 0:cdf462088d13 | 491 | |
markrad | 0:cdf462088d13 | 492 | Security |
markrad | 0:cdf462088d13 | 493 | * Add countermeasure against Lenstra's RSA-CRT attack for PKCS#1 v1.5 |
markrad | 0:cdf462088d13 | 494 | signatures. (Found by Florian Weimer, Red Hat.) |
markrad | 0:cdf462088d13 | 495 | https://securityblog.redhat.com/2015/09/02/factoring-rsa-keys-with-tls-perfect-forward-secrecy/ |
markrad | 0:cdf462088d13 | 496 | * Fix possible client-side NULL pointer dereference (read) when the client |
markrad | 0:cdf462088d13 | 497 | tries to continue the handshake after it failed (a misuse of the API). |
markrad | 0:cdf462088d13 | 498 | (Found and patch provided by Fabian Foerg, Gotham Digital Science using |
markrad | 0:cdf462088d13 | 499 | afl-fuzz.) |
markrad | 0:cdf462088d13 | 500 | |
markrad | 0:cdf462088d13 | 501 | Bugfix |
markrad | 0:cdf462088d13 | 502 | * Fix warning when using a 64bit platform. (found by embedthis) (#275) |
markrad | 0:cdf462088d13 | 503 | * Fix off-by-one error in parsing Supported Point Format extension that |
markrad | 0:cdf462088d13 | 504 | caused some handshakes to fail. |
markrad | 0:cdf462088d13 | 505 | |
markrad | 0:cdf462088d13 | 506 | Changes |
markrad | 0:cdf462088d13 | 507 | * Made X509 profile pointer const in mbedtls_ssl_conf_cert_profile() to allow |
markrad | 0:cdf462088d13 | 508 | use of mbedtls_x509_crt_profile_next. (found by NWilson) |
markrad | 0:cdf462088d13 | 509 | * When a client initiates a reconnect from the same port as a live |
markrad | 0:cdf462088d13 | 510 | connection, if cookie verification is available |
markrad | 0:cdf462088d13 | 511 | (MBEDTLS_SSL_DTLS_HELLO_VERIFY defined in config.h, and usable cookie |
markrad | 0:cdf462088d13 | 512 | callbacks set with mbedtls_ssl_conf_dtls_cookies()), this will be |
markrad | 0:cdf462088d13 | 513 | detected and mbedtls_ssl_read() will return |
markrad | 0:cdf462088d13 | 514 | MBEDTLS_ERR_SSL_CLIENT_RECONNECT - it is then possible to start a new |
markrad | 0:cdf462088d13 | 515 | handshake with the same context. (See RFC 6347 section 4.2.8.) |
markrad | 0:cdf462088d13 | 516 | |
markrad | 0:cdf462088d13 | 517 | = mbed TLS 2.1.0 released 2015-09-04 |
markrad | 0:cdf462088d13 | 518 | |
markrad | 0:cdf462088d13 | 519 | Features |
markrad | 0:cdf462088d13 | 520 | * Added support for yotta as a build system. |
markrad | 0:cdf462088d13 | 521 | * Primary open source license changed to Apache 2.0 license. |
markrad | 0:cdf462088d13 | 522 | |
markrad | 0:cdf462088d13 | 523 | Bugfix |
markrad | 0:cdf462088d13 | 524 | * Fix segfault in the benchmark program when benchmarking DHM. |
markrad | 0:cdf462088d13 | 525 | * Fix build error with CMake and pre-4.5 versions of GCC (found by Hugo |
markrad | 0:cdf462088d13 | 526 | Leisink). |
markrad | 0:cdf462088d13 | 527 | * Fix bug when parsing a ServerHello without extensions (found by David |
markrad | 0:cdf462088d13 | 528 | Sears). |
markrad | 0:cdf462088d13 | 529 | * Fix bug in CMake lists that caused libmbedcrypto.a not to be installed |
markrad | 0:cdf462088d13 | 530 | (found by Benoit Lecocq). |
markrad | 0:cdf462088d13 | 531 | * Fix bug in Makefile that caused libmbedcrypto and libmbedx509 not to be |
markrad | 0:cdf462088d13 | 532 | installed (found by Rawi666). |
markrad | 0:cdf462088d13 | 533 | * Fix compile error with armcc 5 with --gnu option. |
markrad | 0:cdf462088d13 | 534 | * Fix bug in Makefile that caused programs not to be installed correctly |
markrad | 0:cdf462088d13 | 535 | (found by robotanarchy) (#232). |
markrad | 0:cdf462088d13 | 536 | * Fix bug in Makefile that prevented from installing without building the |
markrad | 0:cdf462088d13 | 537 | tests (found by robotanarchy) (#232). |
markrad | 0:cdf462088d13 | 538 | * Fix missing -static-libgcc when building shared libraries for Windows |
markrad | 0:cdf462088d13 | 539 | with make. |
markrad | 0:cdf462088d13 | 540 | * Fix link error when building shared libraries for Windows with make. |
markrad | 0:cdf462088d13 | 541 | * Fix error when loading libmbedtls.so. |
markrad | 0:cdf462088d13 | 542 | * Fix bug in mbedtls_ssl_conf_default() that caused the default preset to |
markrad | 0:cdf462088d13 | 543 | be always used (found by dcb314) (#235) |
markrad | 0:cdf462088d13 | 544 | * Fix bug in mbedtls_rsa_public() and mbedtls_rsa_private() that could |
markrad | 0:cdf462088d13 | 545 | result trying to unlock an unlocked mutex on invalid input (found by |
markrad | 0:cdf462088d13 | 546 | Fredrik Axelsson) (#257) |
markrad | 0:cdf462088d13 | 547 | * Fix -Wshadow warnings (found by hnrkp) (#240) |
markrad | 0:cdf462088d13 | 548 | * Fix memory corruption on client with overlong PSK identity, around |
markrad | 0:cdf462088d13 | 549 | SSL_MAX_CONTENT_LEN or higher - not triggerrable remotely (found by |
markrad | 0:cdf462088d13 | 550 | Aleksandrs Saveljevs) (#238) |
markrad | 0:cdf462088d13 | 551 | * Fix unused function warning when using MBEDTLS_MDx_ALT or |
markrad | 0:cdf462088d13 | 552 | MBEDTLS_SHAxxx_ALT (found by Henrik) (#239) |
markrad | 0:cdf462088d13 | 553 | * Fix memory corruption in pkey programs (found by yankuncheng) (#210) |
markrad | 0:cdf462088d13 | 554 | |
markrad | 0:cdf462088d13 | 555 | Changes |
markrad | 0:cdf462088d13 | 556 | * The PEM parser now accepts a trailing space at end of lines (#226). |
markrad | 0:cdf462088d13 | 557 | * It is now possible to #include a user-provided configuration file at the |
markrad | 0:cdf462088d13 | 558 | end of the default config.h by defining MBEDTLS_USER_CONFIG_FILE on the |
markrad | 0:cdf462088d13 | 559 | compiler's command line. |
markrad | 0:cdf462088d13 | 560 | * When verifying a certificate chain, if an intermediate certificate is |
markrad | 0:cdf462088d13 | 561 | trusted, no later cert is checked. (suggested by hannes-landeholm) |
markrad | 0:cdf462088d13 | 562 | (#220). |
markrad | 0:cdf462088d13 | 563 | * Prepend a "thread identifier" to debug messages (issue pointed out by |
markrad | 0:cdf462088d13 | 564 | Hugo Leisink) (#210). |
markrad | 0:cdf462088d13 | 565 | * Add mbedtls_ssl_get_max_frag_len() to query the current maximum fragment |
markrad | 0:cdf462088d13 | 566 | length. |
markrad | 0:cdf462088d13 | 567 | |
markrad | 0:cdf462088d13 | 568 | = mbed TLS 2.0.0 released 2015-07-13 |
markrad | 0:cdf462088d13 | 569 | |
markrad | 0:cdf462088d13 | 570 | Features |
markrad | 0:cdf462088d13 | 571 | * Support for DTLS 1.0 and 1.2 (RFC 6347). |
markrad | 0:cdf462088d13 | 572 | * Ability to override core functions from MDx, SHAx, AES and DES modules |
markrad | 0:cdf462088d13 | 573 | with custom implementation (eg hardware accelerated), complementing the |
markrad | 0:cdf462088d13 | 574 | ability to override the whole module. |
markrad | 0:cdf462088d13 | 575 | * New server-side implementation of session tickets that rotate keys to |
markrad | 0:cdf462088d13 | 576 | preserve forward secrecy, and allows sharing across multiple contexts. |
markrad | 0:cdf462088d13 | 577 | * Added a concept of X.509 cerificate verification profile that controls |
markrad | 0:cdf462088d13 | 578 | which algorithms and key sizes (curves for ECDSA) are acceptable. |
markrad | 0:cdf462088d13 | 579 | * Expanded configurability of security parameters in the SSL module with |
markrad | 0:cdf462088d13 | 580 | mbedtls_ssl_conf_dhm_min_bitlen() and mbedtls_ssl_conf_sig_hashes(). |
markrad | 0:cdf462088d13 | 581 | * Introduced a concept of presets for SSL security-relevant configuration |
markrad | 0:cdf462088d13 | 582 | parameters. |
markrad | 0:cdf462088d13 | 583 | |
markrad | 0:cdf462088d13 | 584 | API Changes |
markrad | 0:cdf462088d13 | 585 | * The library has been split into libmbedcrypto, libmbedx509, libmbedtls. |
markrad | 0:cdf462088d13 | 586 | You now need to link to all of them if you use TLS for example. |
markrad | 0:cdf462088d13 | 587 | * All public identifiers moved to the mbedtls_* or MBEDTLS_* namespace. |
markrad | 0:cdf462088d13 | 588 | Some names have been further changed to make them more consistent. |
markrad | 0:cdf462088d13 | 589 | Migration helpers scripts/rename.pl and include/mbedlts/compat-1.3.h are |
markrad | 0:cdf462088d13 | 590 | provided. Full list of renamings in scripts/data_files/rename-1.3-2.0.txt |
markrad | 0:cdf462088d13 | 591 | * Renamings of fields inside structures, not covered by the previous list: |
markrad | 0:cdf462088d13 | 592 | mbedtls_cipher_info_t.key_length -> key_bitlen |
markrad | 0:cdf462088d13 | 593 | mbedtls_cipher_context_t.key_length -> key_bitlen |
markrad | 0:cdf462088d13 | 594 | mbedtls_ecp_curve_info.size -> bit_size |
markrad | 0:cdf462088d13 | 595 | * Headers are now found in the 'mbedtls' directory (previously 'polarssl'). |
markrad | 0:cdf462088d13 | 596 | * The following _init() functions that could return errors have |
markrad | 0:cdf462088d13 | 597 | been split into an _init() that returns void and another function that |
markrad | 0:cdf462088d13 | 598 | should generally be the first function called on this context after init: |
markrad | 0:cdf462088d13 | 599 | mbedtls_ssl_init() -> mbedtls_ssl_setup() |
markrad | 0:cdf462088d13 | 600 | mbedtls_ccm_init() -> mbedtls_ccm_setkey() |
markrad | 0:cdf462088d13 | 601 | mbedtls_gcm_init() -> mbedtls_gcm_setkey() |
markrad | 0:cdf462088d13 | 602 | mbedtls_hmac_drbg_init() -> mbedtls_hmac_drbg_seed(_buf)() |
markrad | 0:cdf462088d13 | 603 | mbedtls_ctr_drbg_init() -> mbedtls_ctr_drbg_seed() |
markrad | 0:cdf462088d13 | 604 | Note that for mbedtls_ssl_setup(), you need to be done setting up the |
markrad | 0:cdf462088d13 | 605 | ssl_config structure before calling it. |
markrad | 0:cdf462088d13 | 606 | * Most ssl_set_xxx() functions (all except ssl_set_bio(), ssl_set_hostname(), |
markrad | 0:cdf462088d13 | 607 | ssl_set_session() and ssl_set_client_transport_id(), plus |
markrad | 0:cdf462088d13 | 608 | ssl_legacy_renegotiation()) have been renamed to mbedtls_ssl_conf_xxx() |
markrad | 0:cdf462088d13 | 609 | (see rename.pl and compat-1.3.h above) and their first argument's type |
markrad | 0:cdf462088d13 | 610 | changed from ssl_context to ssl_config. |
markrad | 0:cdf462088d13 | 611 | * ssl_set_bio() changed signature (contexts merged, order switched, one |
markrad | 0:cdf462088d13 | 612 | additional callback for read-with-timeout). |
markrad | 0:cdf462088d13 | 613 | * The following functions have been introduced and must be used in callback |
markrad | 0:cdf462088d13 | 614 | implementations (SNI, PSK) instead of their *conf counterparts: |
markrad | 0:cdf462088d13 | 615 | mbedtls_ssl_set_hs_own_cert() |
markrad | 0:cdf462088d13 | 616 | mbedtls_ssl_set_hs_ca_chain() |
markrad | 0:cdf462088d13 | 617 | mbedtls_ssl_set_hs_psk() |
markrad | 0:cdf462088d13 | 618 | * mbedtls_ssl_conf_ca_chain() lost its last argument (peer_cn), now set |
markrad | 0:cdf462088d13 | 619 | using mbedtls_ssl_set_hostname(). |
markrad | 0:cdf462088d13 | 620 | * mbedtls_ssl_conf_session_cache() changed prototype (only one context |
markrad | 0:cdf462088d13 | 621 | pointer, parameters reordered). |
markrad | 0:cdf462088d13 | 622 | * On server, mbedtls_ssl_conf_session_tickets_cb() must now be used in |
markrad | 0:cdf462088d13 | 623 | place of mbedtls_ssl_conf_session_tickets() to enable session tickets. |
markrad | 0:cdf462088d13 | 624 | * The SSL debug callback gained two new arguments (file name, line number). |
markrad | 0:cdf462088d13 | 625 | * Debug modes were removed. |
markrad | 0:cdf462088d13 | 626 | * mbedtls_ssl_conf_truncated_hmac() now returns void. |
markrad | 0:cdf462088d13 | 627 | * mbedtls_memory_buffer_alloc_init() now returns void. |
markrad | 0:cdf462088d13 | 628 | * X.509 verification flags are now an uint32_t. Affect the signature of: |
markrad | 0:cdf462088d13 | 629 | mbedtls_ssl_get_verify_result() |
markrad | 0:cdf462088d13 | 630 | mbedtls_x509_ctr_verify_info() |
markrad | 0:cdf462088d13 | 631 | mbedtls_x509_crt_verify() (flags, f_vrfy -> needs to be updated) |
markrad | 0:cdf462088d13 | 632 | mbedtls_ssl_conf_verify() (f_vrfy -> needs to be updated) |
markrad | 0:cdf462088d13 | 633 | * The following functions changed prototype to avoid an in-out length |
markrad | 0:cdf462088d13 | 634 | parameter: |
markrad | 0:cdf462088d13 | 635 | mbedtls_base64_encode() |
markrad | 0:cdf462088d13 | 636 | mbedtls_base64_decode() |
markrad | 0:cdf462088d13 | 637 | mbedtls_mpi_write_string() |
markrad | 0:cdf462088d13 | 638 | mbedtls_dhm_calc_secret() |
markrad | 0:cdf462088d13 | 639 | * In the NET module, all "int" and "int *" arguments for file descriptors |
markrad | 0:cdf462088d13 | 640 | changed type to "mbedtls_net_context *". |
markrad | 0:cdf462088d13 | 641 | * net_accept() gained new arguments for the size of the client_ip buffer. |
markrad | 0:cdf462088d13 | 642 | * In the threading layer, mbedtls_mutex_init() and mbedtls_mutex_free() now |
markrad | 0:cdf462088d13 | 643 | return void. |
markrad | 0:cdf462088d13 | 644 | * ecdsa_write_signature() gained an addtional md_alg argument and |
markrad | 0:cdf462088d13 | 645 | ecdsa_write_signature_det() was deprecated. |
markrad | 0:cdf462088d13 | 646 | * pk_sign() no longer accepts md_alg == POLARSSL_MD_NONE with ECDSA. |
markrad | 0:cdf462088d13 | 647 | * Last argument of x509_crt_check_key_usage() and |
markrad | 0:cdf462088d13 | 648 | mbedtls_x509write_crt_set_key_usage() changed from int to unsigned. |
markrad | 0:cdf462088d13 | 649 | * test_ca_list (from certs.h) is renamed to test_cas_pem and is only |
markrad | 0:cdf462088d13 | 650 | available if POLARSSL_PEM_PARSE_C is defined (it never worked without). |
markrad | 0:cdf462088d13 | 651 | * Test certificates in certs.c are no longer guaranteed to be nul-terminated |
markrad | 0:cdf462088d13 | 652 | strings; use the new *_len variables instead of strlen(). |
markrad | 0:cdf462088d13 | 653 | * Functions mbedtls_x509_xxx_parse(), mbedtls_pk_parse_key(), |
markrad | 0:cdf462088d13 | 654 | mbedtls_pk_parse_public_key() and mbedtls_dhm_parse_dhm() now expect the |
markrad | 0:cdf462088d13 | 655 | length parameter to include the terminating null byte for PEM input. |
markrad | 0:cdf462088d13 | 656 | * Signature of mpi_mul_mpi() changed to make the last argument unsigned |
markrad | 0:cdf462088d13 | 657 | * calloc() is now used instead of malloc() everywhere. API of platform |
markrad | 0:cdf462088d13 | 658 | layer and the memory_buffer_alloc module changed accordingly. |
markrad | 0:cdf462088d13 | 659 | (Thanks to Mansour Moufid for helping with the replacement.) |
markrad | 0:cdf462088d13 | 660 | * Change SSL_DISABLE_RENEGOTIATION config.h flag to SSL_RENEGOTIATION |
markrad | 0:cdf462088d13 | 661 | (support for renegotiation now needs explicit enabling in config.h). |
markrad | 0:cdf462088d13 | 662 | * Split MBEDTLS_HAVE_TIME into MBEDTLS_HAVE_TIME and MBEDTLS_HAVE_TIME_DATE |
markrad | 0:cdf462088d13 | 663 | in config.h |
markrad | 0:cdf462088d13 | 664 | * net_connect() and net_bind() have a new 'proto' argument to choose |
markrad | 0:cdf462088d13 | 665 | between TCP and UDP, using the macros NET_PROTO_TCP or NET_PROTO_UDP. |
markrad | 0:cdf462088d13 | 666 | Their 'port' argument type is changed to a string. |
markrad | 0:cdf462088d13 | 667 | * Some constness fixes |
markrad | 0:cdf462088d13 | 668 | |
markrad | 0:cdf462088d13 | 669 | Removals |
markrad | 0:cdf462088d13 | 670 | * Removed mbedtls_ecp_group_read_string(). Only named groups are supported. |
markrad | 0:cdf462088d13 | 671 | * Removed mbedtls_ecp_sub() and mbedtls_ecp_add(), use |
markrad | 0:cdf462088d13 | 672 | mbedtls_ecp_muladd(). |
markrad | 0:cdf462088d13 | 673 | * Removed individual mdX_hmac, shaX_hmac, mdX_file and shaX_file functions |
markrad | 0:cdf462088d13 | 674 | (use generic functions from md.h) |
markrad | 0:cdf462088d13 | 675 | * Removed mbedtls_timing_msleep(). Use mbedtls_net_usleep() or a custom |
markrad | 0:cdf462088d13 | 676 | waiting function. |
markrad | 0:cdf462088d13 | 677 | * Removed test DHM parameters from the test certs module. |
markrad | 0:cdf462088d13 | 678 | * Removed the PBKDF2 module (use PKCS5). |
markrad | 0:cdf462088d13 | 679 | * Removed POLARSSL_ERROR_STRERROR_BC (use mbedtls_strerror()). |
markrad | 0:cdf462088d13 | 680 | * Removed compat-1.2.h (helper for migrating from 1.2 to 1.3). |
markrad | 0:cdf462088d13 | 681 | * Removed openssl.h (very partial OpenSSL compatibility layer). |
markrad | 0:cdf462088d13 | 682 | * Configuration options POLARSSL_HAVE_LONGLONG was removed (now always on). |
markrad | 0:cdf462088d13 | 683 | * Configuration options POLARSSL_HAVE_INT8 and POLARSSL_HAVE_INT16 have |
markrad | 0:cdf462088d13 | 684 | been removed (compiler is required to support 32-bit operations). |
markrad | 0:cdf462088d13 | 685 | * Configuration option POLARSSL_HAVE_IPV6 was removed (always enabled). |
markrad | 0:cdf462088d13 | 686 | * Removed test program o_p_test, the script compat.sh does more. |
markrad | 0:cdf462088d13 | 687 | * Removed test program ssl_test, superseded by ssl-opt.sh. |
markrad | 0:cdf462088d13 | 688 | * Removed helper script active-config.pl |
markrad | 0:cdf462088d13 | 689 | |
markrad | 0:cdf462088d13 | 690 | New deprecations |
markrad | 0:cdf462088d13 | 691 | * md_init_ctx() is deprecated in favour of md_setup(), that adds a third |
markrad | 0:cdf462088d13 | 692 | argument (allowing memory savings if HMAC is not used) |
markrad | 0:cdf462088d13 | 693 | |
markrad | 0:cdf462088d13 | 694 | Semi-API changes (technically public, morally private) |
markrad | 0:cdf462088d13 | 695 | * Renamed a few headers to include _internal in the name. Those headers are |
markrad | 0:cdf462088d13 | 696 | not supposed to be included by users. |
markrad | 0:cdf462088d13 | 697 | * Changed md_info_t into an opaque structure (use md_get_xxx() accessors). |
markrad | 0:cdf462088d13 | 698 | * Changed pk_info_t into an opaque structure. |
markrad | 0:cdf462088d13 | 699 | * Changed cipher_base_t into an opaque structure. |
markrad | 0:cdf462088d13 | 700 | * Removed sig_oid2 and rename sig_oid1 to sig_oid in x509_crt and x509_crl. |
markrad | 0:cdf462088d13 | 701 | * x509_crt.key_usage changed from unsigned char to unsigned int. |
markrad | 0:cdf462088d13 | 702 | * Removed r and s from ecdsa_context |
markrad | 0:cdf462088d13 | 703 | * Removed mode from des_context and des3_context |
markrad | 0:cdf462088d13 | 704 | |
markrad | 0:cdf462088d13 | 705 | Default behavior changes |
markrad | 0:cdf462088d13 | 706 | * The default minimum TLS version is now TLS 1.0. |
markrad | 0:cdf462088d13 | 707 | * RC4 is now blacklisted by default in the SSL/TLS layer, and excluded from the |
markrad | 0:cdf462088d13 | 708 | default ciphersuite list returned by ssl_list_ciphersuites() |
markrad | 0:cdf462088d13 | 709 | * Support for receiving SSLv2 ClientHello is now disabled by default at |
markrad | 0:cdf462088d13 | 710 | compile time. |
markrad | 0:cdf462088d13 | 711 | * The default authmode for SSL/TLS clients is now REQUIRED. |
markrad | 0:cdf462088d13 | 712 | * Support for RSA_ALT contexts in the PK layer is now optional. Since is is |
markrad | 0:cdf462088d13 | 713 | enabled in the default configuration, this is only noticeable if using a |
markrad | 0:cdf462088d13 | 714 | custom config.h |
markrad | 0:cdf462088d13 | 715 | * Default DHM parameters server-side upgraded from 1024 to 2048 bits. |
markrad | 0:cdf462088d13 | 716 | * A minimum RSA key size of 2048 bits is now enforced during ceritificate |
markrad | 0:cdf462088d13 | 717 | chain verification. |
markrad | 0:cdf462088d13 | 718 | * Negotiation of truncated HMAC is now disabled by default on server too. |
markrad | 0:cdf462088d13 | 719 | * The following functions are now case-sensitive: |
markrad | 0:cdf462088d13 | 720 | mbedtls_cipher_info_from_string() |
markrad | 0:cdf462088d13 | 721 | mbedtls_ecp_curve_info_from_name() |
markrad | 0:cdf462088d13 | 722 | mbedtls_md_info_from_string() |
markrad | 0:cdf462088d13 | 723 | mbedtls_ssl_ciphersuite_from_string() |
markrad | 0:cdf462088d13 | 724 | mbedtls_version_check_feature() |
markrad | 0:cdf462088d13 | 725 | |
markrad | 0:cdf462088d13 | 726 | Requirement changes |
markrad | 0:cdf462088d13 | 727 | * The minimum MSVC version required is now 2010 (better C99 support). |
markrad | 0:cdf462088d13 | 728 | * The NET layer now unconditionnaly relies on getaddrinfo() and select(). |
markrad | 0:cdf462088d13 | 729 | * Compiler is required to support C99 types such as long long and uint32_t. |
markrad | 0:cdf462088d13 | 730 | |
markrad | 0:cdf462088d13 | 731 | API changes from the 1.4 preview branch |
markrad | 0:cdf462088d13 | 732 | * ssl_set_bio_timeout() was removed, split into mbedtls_ssl_set_bio() with |
markrad | 0:cdf462088d13 | 733 | new prototype, and mbedtls_ssl_set_read_timeout(). |
markrad | 0:cdf462088d13 | 734 | * The following functions now return void: |
markrad | 0:cdf462088d13 | 735 | mbedtls_ssl_conf_transport() |
markrad | 0:cdf462088d13 | 736 | mbedtls_ssl_conf_max_version() |
markrad | 0:cdf462088d13 | 737 | mbedtls_ssl_conf_min_version() |
markrad | 0:cdf462088d13 | 738 | * DTLS no longer hard-depends on TIMING_C, but uses a callback interface |
markrad | 0:cdf462088d13 | 739 | instead, see mbedtls_ssl_set_timer_cb(), with the Timing module providing |
markrad | 0:cdf462088d13 | 740 | an example implementation, see mbedtls_timing_delay_context and |
markrad | 0:cdf462088d13 | 741 | mbedtls_timing_set/get_delay(). |
markrad | 0:cdf462088d13 | 742 | * With UDP sockets, it is no longer necessary to call net_bind() again |
markrad | 0:cdf462088d13 | 743 | after a successful net_accept(). |
markrad | 0:cdf462088d13 | 744 | |
markrad | 0:cdf462088d13 | 745 | Changes |
markrad | 0:cdf462088d13 | 746 | * mbedtls_ctr_drbg_random() and mbedtls_hmac_drbg_random() are now |
markrad | 0:cdf462088d13 | 747 | thread-safe if MBEDTLS_THREADING_C is enabled. |
markrad | 0:cdf462088d13 | 748 | * Reduced ROM fooprint of SHA-256 and added an option to reduce it even |
markrad | 0:cdf462088d13 | 749 | more (at the expense of performance) MBEDTLS_SHA256_SMALLER. |
markrad | 0:cdf462088d13 | 750 | |
markrad | 0:cdf462088d13 | 751 | = mbed TLS 1.3 branch |
markrad | 0:cdf462088d13 | 752 | |
markrad | 0:cdf462088d13 | 753 | Security |
markrad | 0:cdf462088d13 | 754 | * With authmode set to SSL_VERIFY_OPTIONAL, verification of keyUsage and |
markrad | 0:cdf462088d13 | 755 | extendedKeyUsage on the leaf certificate was lost (results not accessible |
markrad | 0:cdf462088d13 | 756 | via ssl_get_verify_results()). |
markrad | 0:cdf462088d13 | 757 | * Add countermeasure against "Lucky 13 strikes back" cache-based attack, |
markrad | 0:cdf462088d13 | 758 | https://dl.acm.org/citation.cfm?id=2714625 |
markrad | 0:cdf462088d13 | 759 | |
markrad | 0:cdf462088d13 | 760 | Features |
markrad | 0:cdf462088d13 | 761 | * Improve ECC performance by using more efficient doubling formulas |
markrad | 0:cdf462088d13 | 762 | (contributed by Peter Dettman). |
markrad | 0:cdf462088d13 | 763 | * Add x509_crt_verify_info() to display certificate verification results. |
markrad | 0:cdf462088d13 | 764 | * Add support for reading DH parameters with privateValueLength included |
markrad | 0:cdf462088d13 | 765 | (contributed by Daniel Kahn Gillmor). |
markrad | 0:cdf462088d13 | 766 | * Add support for bit strings in X.509 names (request by Fredrik Axelsson). |
markrad | 0:cdf462088d13 | 767 | * Add support for id-at-uniqueIdentifier in X.509 names. |
markrad | 0:cdf462088d13 | 768 | * Add support for overriding snprintf() (except on Windows) and exit() in |
markrad | 0:cdf462088d13 | 769 | the platform layer. |
markrad | 0:cdf462088d13 | 770 | * Add an option to use macros instead of function pointers in the platform |
markrad | 0:cdf462088d13 | 771 | layer (helps get rid of unwanted references). |
markrad | 0:cdf462088d13 | 772 | * Improved Makefiles for Windows targets by fixing library targets and making |
markrad | 0:cdf462088d13 | 773 | cross-compilation easier (thanks to Alon Bar-Lev). |
markrad | 0:cdf462088d13 | 774 | * The benchmark program also prints heap usage for public-key primitives |
markrad | 0:cdf462088d13 | 775 | if POLARSSL_MEMORY_BUFFER_ALLOC_C and POLARSSL_MEMORY_DEBUG are defined. |
markrad | 0:cdf462088d13 | 776 | * New script ecc-heap.sh helps measuring the impact of ECC parameters on |
markrad | 0:cdf462088d13 | 777 | speed and RAM (heap only for now) usage. |
markrad | 0:cdf462088d13 | 778 | * New script memory.sh helps measuring the ROM and RAM requirements of two |
markrad | 0:cdf462088d13 | 779 | reduced configurations (PSK-CCM and NSA suite B). |
markrad | 0:cdf462088d13 | 780 | * Add config flag POLARSSL_DEPRECATED_WARNING (off by default) to produce |
markrad | 0:cdf462088d13 | 781 | warnings on use of deprecated functions (with GCC and Clang only). |
markrad | 0:cdf462088d13 | 782 | * Add config flag POLARSSL_DEPRECATED_REMOVED (off by default) to produce |
markrad | 0:cdf462088d13 | 783 | errors on use of deprecated functions. |
markrad | 0:cdf462088d13 | 784 | |
markrad | 0:cdf462088d13 | 785 | Bugfix |
markrad | 0:cdf462088d13 | 786 | * Fix compile errors with PLATFORM_NO_STD_FUNCTIONS. |
markrad | 0:cdf462088d13 | 787 | * Fix compile error with PLATFORM_EXIT_ALT (thanks to Rafał Przywara). |
markrad | 0:cdf462088d13 | 788 | * Fix bug in entropy.c when THREADING_C is also enabled that caused |
markrad | 0:cdf462088d13 | 789 | entropy_free() to crash (thanks to Rafał Przywara). |
markrad | 0:cdf462088d13 | 790 | * Fix memory leak when gcm_setkey() and ccm_setkey() are used more than |
markrad | 0:cdf462088d13 | 791 | once on the same context. |
markrad | 0:cdf462088d13 | 792 | * Fix bug in ssl_mail_client when password is longer that username (found |
markrad | 0:cdf462088d13 | 793 | by Bruno Pape). |
markrad | 0:cdf462088d13 | 794 | * Fix undefined behaviour (memcmp( NULL, NULL, 0 );) in X.509 modules |
markrad | 0:cdf462088d13 | 795 | (detected by Clang's 3.6 UBSan). |
markrad | 0:cdf462088d13 | 796 | * mpi_size() and mpi_msb() would segfault when called on an mpi that is |
markrad | 0:cdf462088d13 | 797 | initialized but not set (found by pravic). |
markrad | 0:cdf462088d13 | 798 | * Fix detection of support for getrandom() on Linux (reported by syzzer) by |
markrad | 0:cdf462088d13 | 799 | doing it at runtime (using uname) rather that compile time. |
markrad | 0:cdf462088d13 | 800 | * Fix handling of symlinks by "make install" (found by Gaël PORTAY). |
markrad | 0:cdf462088d13 | 801 | * Fix potential NULL pointer dereference (not trigerrable remotely) when |
markrad | 0:cdf462088d13 | 802 | ssl_write() is called before the handshake is finished (introduced in |
markrad | 0:cdf462088d13 | 803 | 1.3.10) (first reported by Martin Blumenstingl). |
markrad | 0:cdf462088d13 | 804 | * Fix bug in pk_parse_key() that caused some valid private EC keys to be |
markrad | 0:cdf462088d13 | 805 | rejected. |
markrad | 0:cdf462088d13 | 806 | * Fix bug in Via Padlock support (found by Nikos Mavrogiannopoulos). |
markrad | 0:cdf462088d13 | 807 | * Fix thread safety bug in RSA operations (found by Fredrik Axelsson). |
markrad | 0:cdf462088d13 | 808 | * Fix hardclock() (only used in the benchmarking program) with some |
markrad | 0:cdf462088d13 | 809 | versions of mingw64 (found by kxjhlele). |
markrad | 0:cdf462088d13 | 810 | * Fix warnings from mingw64 in timing.c (found by kxjklele). |
markrad | 0:cdf462088d13 | 811 | * Fix potential unintended sign extension in asn1_get_len() on 64-bit |
markrad | 0:cdf462088d13 | 812 | platforms. |
markrad | 0:cdf462088d13 | 813 | * Fix potential memory leak in ssl_set_psk() (found by Mansour Moufid). |
markrad | 0:cdf462088d13 | 814 | * Fix compile error when POLARSSL_SSL_DISABLE_RENEGOTATION and |
markrad | 0:cdf462088d13 | 815 | POLARSSL_SSL_SSESSION_TICKETS where both enabled in config.h (introduced |
markrad | 0:cdf462088d13 | 816 | in 1.3.10). |
markrad | 0:cdf462088d13 | 817 | * Add missing extern "C" guard in aesni.h (reported by amir zamani). |
markrad | 0:cdf462088d13 | 818 | * Add missing dependency on SHA-256 in some x509 programs (reported by |
markrad | 0:cdf462088d13 | 819 | Gergely Budai). |
markrad | 0:cdf462088d13 | 820 | * Fix bug related to ssl_set_curves(): the client didn't check that the |
markrad | 0:cdf462088d13 | 821 | curve picked by the server was actually allowed. |
markrad | 0:cdf462088d13 | 822 | |
markrad | 0:cdf462088d13 | 823 | Changes |
markrad | 0:cdf462088d13 | 824 | * Remove bias in mpi_gen_prime (contributed by Pascal Junod). |
markrad | 0:cdf462088d13 | 825 | * Remove potential sources of timing variations (some contributed by Pascal |
markrad | 0:cdf462088d13 | 826 | Junod). |
markrad | 0:cdf462088d13 | 827 | * Options POLARSSL_HAVE_INT8 and POLARSSL_HAVE_INT16 are deprecated. |
markrad | 0:cdf462088d13 | 828 | * Enabling POLARSSL_NET_C without POLARSSL_HAVE_IPV6 is deprecated. |
markrad | 0:cdf462088d13 | 829 | * compat-1.2.h and openssl.h are deprecated. |
markrad | 0:cdf462088d13 | 830 | * Adjusting/overriding CFLAGS and LDFLAGS with the make build system is now |
markrad | 0:cdf462088d13 | 831 | more flexible (warning: OFLAGS is not used any more) (see the README) |
markrad | 0:cdf462088d13 | 832 | (contributed by Alon Bar-Lev). |
markrad | 0:cdf462088d13 | 833 | * ssl_set_own_cert() no longer calls pk_check_pair() since the |
markrad | 0:cdf462088d13 | 834 | performance impact was bad for some users (this was introduced in 1.3.10). |
markrad | 0:cdf462088d13 | 835 | * Move from SHA-1 to SHA-256 in example programs using signatures |
markrad | 0:cdf462088d13 | 836 | (suggested by Thorsten Mühlfelder). |
markrad | 0:cdf462088d13 | 837 | * Remove some unneeded inclusions of header files from the standard library |
markrad | 0:cdf462088d13 | 838 | "minimize" others (eg use stddef.h if only size_t is needed). |
markrad | 0:cdf462088d13 | 839 | * Change #include lines in test files to use double quotes instead of angle |
markrad | 0:cdf462088d13 | 840 | brackets for uniformity with the rest of the code. |
markrad | 0:cdf462088d13 | 841 | * Remove dependency on sscanf() in X.509 parsing modules. |
markrad | 0:cdf462088d13 | 842 | |
markrad | 0:cdf462088d13 | 843 | = mbed TLS 1.3.10 released 2015-02-09 |
markrad | 0:cdf462088d13 | 844 | Security |
markrad | 0:cdf462088d13 | 845 | * NULL pointer dereference in the buffer-based allocator when the buffer is |
markrad | 0:cdf462088d13 | 846 | full and polarssl_free() is called (found by Mark Hasemeyer) |
markrad | 0:cdf462088d13 | 847 | (only possible if POLARSSL_MEMORY_BUFFER_ALLOC_C is enabled, which it is |
markrad | 0:cdf462088d13 | 848 | not by default). |
markrad | 0:cdf462088d13 | 849 | * Fix remotely-triggerable uninitialised pointer dereference caused by |
markrad | 0:cdf462088d13 | 850 | crafted X.509 certificate (TLS server is not affected if it doesn't ask for a |
markrad | 0:cdf462088d13 | 851 | client certificate) (found using Codenomicon Defensics). |
markrad | 0:cdf462088d13 | 852 | * Fix remotely-triggerable memory leak caused by crafted X.509 certificates |
markrad | 0:cdf462088d13 | 853 | (TLS server is not affected if it doesn't ask for a client certificate) |
markrad | 0:cdf462088d13 | 854 | (found using Codenomicon Defensics). |
markrad | 0:cdf462088d13 | 855 | * Fix potential stack overflow while parsing crafted X.509 certificates |
markrad | 0:cdf462088d13 | 856 | (TLS server is not affected if it doesn't ask for a client certificate) |
markrad | 0:cdf462088d13 | 857 | (found using Codenomicon Defensics). |
markrad | 0:cdf462088d13 | 858 | * Fix timing difference that could theoretically lead to a |
markrad | 0:cdf462088d13 | 859 | Bleichenbacher-style attack in the RSA and RSA-PSK key exchanges |
markrad | 0:cdf462088d13 | 860 | (reported by Sebastian Schinzel). |
markrad | 0:cdf462088d13 | 861 | |
markrad | 0:cdf462088d13 | 862 | Features |
markrad | 0:cdf462088d13 | 863 | * Add support for FALLBACK_SCSV (draft-ietf-tls-downgrade-scsv). |
markrad | 0:cdf462088d13 | 864 | * Add support for Extended Master Secret (draft-ietf-tls-session-hash). |
markrad | 0:cdf462088d13 | 865 | * Add support for Encrypt-then-MAC (RFC 7366). |
markrad | 0:cdf462088d13 | 866 | * Add function pk_check_pair() to test if public and private keys match. |
markrad | 0:cdf462088d13 | 867 | * Add x509_crl_parse_der(). |
markrad | 0:cdf462088d13 | 868 | * Add compile-time option POLARSSL_X509_MAX_INTERMEDIATE_CA to limit the |
markrad | 0:cdf462088d13 | 869 | length of an X.509 verification chain. |
markrad | 0:cdf462088d13 | 870 | * Support for renegotiation can now be disabled at compile-time |
markrad | 0:cdf462088d13 | 871 | * Support for 1/n-1 record splitting, a countermeasure against BEAST. |
markrad | 0:cdf462088d13 | 872 | * Certificate selection based on signature hash, preferring SHA-1 over SHA-2 |
markrad | 0:cdf462088d13 | 873 | for pre-1.2 clients when multiple certificates are available. |
markrad | 0:cdf462088d13 | 874 | * Add support for getrandom() syscall on recent Linux kernels with Glibc or |
markrad | 0:cdf462088d13 | 875 | a compatible enough libc (eg uClibc). |
markrad | 0:cdf462088d13 | 876 | * Add ssl_set_arc4_support() to make it easier to disable RC4 at runtime |
markrad | 0:cdf462088d13 | 877 | while using the default ciphersuite list. |
markrad | 0:cdf462088d13 | 878 | * Added new error codes and debug messages about selection of |
markrad | 0:cdf462088d13 | 879 | ciphersuite/certificate. |
markrad | 0:cdf462088d13 | 880 | |
markrad | 0:cdf462088d13 | 881 | Bugfix |
markrad | 0:cdf462088d13 | 882 | * Stack buffer overflow if ctr_drbg_update() is called with too large |
markrad | 0:cdf462088d13 | 883 | add_len (found by Jean-Philippe Aumasson) (not triggerable remotely). |
markrad | 0:cdf462088d13 | 884 | * Possible buffer overflow of length at most POLARSSL_MEMORY_ALIGN_MULTIPLE |
markrad | 0:cdf462088d13 | 885 | if memory_buffer_alloc_init() was called with buf not aligned and len not |
markrad | 0:cdf462088d13 | 886 | a multiple of POLARSSL_MEMORY_ALIGN_MULTIPLE (not triggerable remotely). |
markrad | 0:cdf462088d13 | 887 | * User set CFLAGS were ignored by Cmake with gcc (introduced in 1.3.9, found |
markrad | 0:cdf462088d13 | 888 | by Julian Ospald). |
markrad | 0:cdf462088d13 | 889 | * Fix potential undefined behaviour in Camellia. |
markrad | 0:cdf462088d13 | 890 | * Fix potential failure in ECDSA signatures when POLARSSL_ECP_MAX_BITS is a |
markrad | 0:cdf462088d13 | 891 | multiple of 8 (found by Gergely Budai). |
markrad | 0:cdf462088d13 | 892 | * Fix unchecked return code in x509_crt_parse_path() on Windows (found by |
markrad | 0:cdf462088d13 | 893 | Peter Vaskovic). |
markrad | 0:cdf462088d13 | 894 | * Fix assembly selection for MIPS64 (thanks to James Cowgill). |
markrad | 0:cdf462088d13 | 895 | * ssl_get_verify_result() now works even if the handshake was aborted due |
markrad | 0:cdf462088d13 | 896 | to a failed verification (found by Fredrik Axelsson). |
markrad | 0:cdf462088d13 | 897 | * Skip writing and parsing signature_algorithm extension if none of the |
markrad | 0:cdf462088d13 | 898 | key exchanges enabled needs certificates. This fixes a possible interop |
markrad | 0:cdf462088d13 | 899 | issue with some servers when a zero-length extension was sent. (Reported |
markrad | 0:cdf462088d13 | 900 | by Peter Dettman.) |
markrad | 0:cdf462088d13 | 901 | * On a 0-length input, base64_encode() did not correctly set output length |
markrad | 0:cdf462088d13 | 902 | (found by Hendrik van den Boogaard). |
markrad | 0:cdf462088d13 | 903 | |
markrad | 0:cdf462088d13 | 904 | Changes |
markrad | 0:cdf462088d13 | 905 | * Use deterministic nonces for AEAD ciphers in TLS by default (possible to |
markrad | 0:cdf462088d13 | 906 | switch back to random with POLARSSL_SSL_AEAD_RANDOM_IV in config.h). |
markrad | 0:cdf462088d13 | 907 | * Blind RSA private operations even when POLARSSL_RSA_NO_CRT is defined. |
markrad | 0:cdf462088d13 | 908 | * ssl_set_own_cert() now returns an error on key-certificate mismatch. |
markrad | 0:cdf462088d13 | 909 | * Forbid repeated extensions in X.509 certificates. |
markrad | 0:cdf462088d13 | 910 | * debug_print_buf() now prints a text view in addition to hexadecimal. |
markrad | 0:cdf462088d13 | 911 | * A specific error is now returned when there are ciphersuites in common |
markrad | 0:cdf462088d13 | 912 | but none of them is usable due to external factors such as no certificate |
markrad | 0:cdf462088d13 | 913 | with a suitable (extended)KeyUsage or curve or no PSK set. |
markrad | 0:cdf462088d13 | 914 | * It is now possible to disable negotiation of truncated HMAC server-side |
markrad | 0:cdf462088d13 | 915 | at runtime with ssl_set_truncated_hmac(). |
markrad | 0:cdf462088d13 | 916 | * Example programs for SSL client and server now disable SSLv3 by default. |
markrad | 0:cdf462088d13 | 917 | * Example programs for SSL client and server now disable RC4 by default. |
markrad | 0:cdf462088d13 | 918 | * Use platform.h in all test suites and programs. |
markrad | 0:cdf462088d13 | 919 | |
markrad | 0:cdf462088d13 | 920 | = PolarSSL 1.3.9 released 2014-10-20 |
markrad | 0:cdf462088d13 | 921 | Security |
markrad | 0:cdf462088d13 | 922 | * Lowest common hash was selected from signature_algorithms extension in |
markrad | 0:cdf462088d13 | 923 | TLS 1.2 (found by Darren Bane) (introduced in 1.3.8). |
markrad | 0:cdf462088d13 | 924 | * Remotely-triggerable memory leak when parsing some X.509 certificates |
markrad | 0:cdf462088d13 | 925 | (server is not affected if it doesn't ask for a client certificate) |
markrad | 0:cdf462088d13 | 926 | (found using Codenomicon Defensics). |
markrad | 0:cdf462088d13 | 927 | * Remotely-triggerable memory leak when parsing crafted ClientHello |
markrad | 0:cdf462088d13 | 928 | (not affected if ECC support was compiled out) (found using Codenomicon |
markrad | 0:cdf462088d13 | 929 | Defensics). |
markrad | 0:cdf462088d13 | 930 | |
markrad | 0:cdf462088d13 | 931 | Bugfix |
markrad | 0:cdf462088d13 | 932 | * Support escaping of commas in x509_string_to_names() |
markrad | 0:cdf462088d13 | 933 | * Fix compile error in ssl_pthread_server (found by Julian Ospald). |
markrad | 0:cdf462088d13 | 934 | * Fix net_accept() regarding non-blocking sockets (found by Luca Pesce). |
markrad | 0:cdf462088d13 | 935 | * Don't print uninitialised buffer in ssl_mail_client (found by Marc Abel). |
markrad | 0:cdf462088d13 | 936 | * Fix warnings from Clang's scan-build (contributed by Alfred Klomp). |
markrad | 0:cdf462088d13 | 937 | * Fix compile error in timing.c when POLARSSL_NET_C and POLARSSL_SELFTEST |
markrad | 0:cdf462088d13 | 938 | are defined but not POLARSSL_HAVE_TIME (found by Stephane Di Vito). |
markrad | 0:cdf462088d13 | 939 | * Remove non-existent file from VS projects (found by Peter Vaskovic). |
markrad | 0:cdf462088d13 | 940 | * ssl_read() could return non-application data records on server while |
markrad | 0:cdf462088d13 | 941 | renegotation was pending, and on client when a HelloRequest was received. |
markrad | 0:cdf462088d13 | 942 | * Server-initiated renegotiation would fail with non-blocking I/O if the |
markrad | 0:cdf462088d13 | 943 | write callback returned WANT_WRITE when requesting renegotiation. |
markrad | 0:cdf462088d13 | 944 | * ssl_close_notify() could send more than one message in some circumstances |
markrad | 0:cdf462088d13 | 945 | with non-blocking I/O. |
markrad | 0:cdf462088d13 | 946 | * Fix compiler warnings on iOS (found by Sander Niemeijer). |
markrad | 0:cdf462088d13 | 947 | * x509_crt_parse() did not increase total_failed on PEM error |
markrad | 0:cdf462088d13 | 948 | * Fix compile error with armcc in mpi_is_prime() |
markrad | 0:cdf462088d13 | 949 | * Fix potential bad read in parsing ServerHello (found by Adrien |
markrad | 0:cdf462088d13 | 950 | Vialletelle). |
markrad | 0:cdf462088d13 | 951 | |
markrad | 0:cdf462088d13 | 952 | Changes |
markrad | 0:cdf462088d13 | 953 | * Ciphersuites using SHA-256 or SHA-384 now require TLS 1.x (there is no |
markrad | 0:cdf462088d13 | 954 | standard defining how to use SHA-2 with SSL 3.0). |
markrad | 0:cdf462088d13 | 955 | * Ciphersuites using RSA-PSK key exchange new require TLS 1.x (the spec is |
markrad | 0:cdf462088d13 | 956 | ambiguous on how to encode some packets with SSL 3.0). |
markrad | 0:cdf462088d13 | 957 | * Made buffer size in pk_write_(pub)key_pem() more dynamic, eg smaller if |
markrad | 0:cdf462088d13 | 958 | RSA is disabled, larger if POLARSSL_MPI_MAX_SIZE is larger. |
markrad | 0:cdf462088d13 | 959 | * ssl_read() now returns POLARSSL_ERR_NET_WANT_READ rather than |
markrad | 0:cdf462088d13 | 960 | POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE on harmless alerts. |
markrad | 0:cdf462088d13 | 961 | * POLARSSL_MPI_MAX_SIZE now defaults to 1024 in order to allow 8192 bits |
markrad | 0:cdf462088d13 | 962 | RSA keys. |
markrad | 0:cdf462088d13 | 963 | * Accept spaces at end of line or end of buffer in base64_decode(). |
markrad | 0:cdf462088d13 | 964 | * X.509 certificates with more than one AttributeTypeAndValue per |
markrad | 0:cdf462088d13 | 965 | RelativeDistinguishedName are not accepted any more. |
markrad | 0:cdf462088d13 | 966 | |
markrad | 0:cdf462088d13 | 967 | = PolarSSL 1.3.8 released 2014-07-11 |
markrad | 0:cdf462088d13 | 968 | Security |
markrad | 0:cdf462088d13 | 969 | * Fix length checking for AEAD ciphersuites (found by Codenomicon). |
markrad | 0:cdf462088d13 | 970 | It was possible to crash the server (and client) using crafted messages |
markrad | 0:cdf462088d13 | 971 | when a GCM suite was chosen. |
markrad | 0:cdf462088d13 | 972 | |
markrad | 0:cdf462088d13 | 973 | Features |
markrad | 0:cdf462088d13 | 974 | * Add CCM module and cipher mode to Cipher Layer |
markrad | 0:cdf462088d13 | 975 | * Support for CCM and CCM_8 ciphersuites |
markrad | 0:cdf462088d13 | 976 | * Support for parsing and verifying RSASSA-PSS signatures in the X.509 |
markrad | 0:cdf462088d13 | 977 | modules (certificates, CRLs and CSRs). |
markrad | 0:cdf462088d13 | 978 | * Blowfish in the cipher layer now supports variable length keys. |
markrad | 0:cdf462088d13 | 979 | * Add example config.h for PSK with CCM, optimized for low RAM usage. |
markrad | 0:cdf462088d13 | 980 | * Optimize for RAM usage in example config.h for NSA Suite B profile. |
markrad | 0:cdf462088d13 | 981 | * Add POLARSSL_REMOVE_ARC4_CIPHERSUITES to allow removing RC4 ciphersuites |
markrad | 0:cdf462088d13 | 982 | from the default list (inactive by default). |
markrad | 0:cdf462088d13 | 983 | * Add server-side enforcement of sent renegotiation requests |
markrad | 0:cdf462088d13 | 984 | (ssl_set_renegotiation_enforced()) |
markrad | 0:cdf462088d13 | 985 | * Add SSL_CIPHERSUITES config.h flag to allow specifying a list of |
markrad | 0:cdf462088d13 | 986 | ciphersuites to use and save some memory if the list is small. |
markrad | 0:cdf462088d13 | 987 | |
markrad | 0:cdf462088d13 | 988 | Changes |
markrad | 0:cdf462088d13 | 989 | * Add LINK_WITH_PTHREAD option in CMake for explicit linking that is |
markrad | 0:cdf462088d13 | 990 | required on some platforms (e.g. OpenBSD) |
markrad | 0:cdf462088d13 | 991 | * Migrate zeroizing of data to polarssl_zeroize() instead of memset() |
markrad | 0:cdf462088d13 | 992 | against unwanted compiler optimizations |
markrad | 0:cdf462088d13 | 993 | * md_list() now returns hashes strongest first |
markrad | 0:cdf462088d13 | 994 | * Selection of hash for signing ServerKeyExchange in TLS 1.2 now picks |
markrad | 0:cdf462088d13 | 995 | strongest offered by client. |
markrad | 0:cdf462088d13 | 996 | * All public contexts have _init() and _free() functions now for simpler |
markrad | 0:cdf462088d13 | 997 | usage pattern |
markrad | 0:cdf462088d13 | 998 | |
markrad | 0:cdf462088d13 | 999 | Bugfix |
markrad | 0:cdf462088d13 | 1000 | * Fix in debug_print_msg() |
markrad | 0:cdf462088d13 | 1001 | * Enforce alignment in the buffer allocator even if buffer is not aligned |
markrad | 0:cdf462088d13 | 1002 | * Remove less-than-zero checks on unsigned numbers |
markrad | 0:cdf462088d13 | 1003 | * Stricter check on SSL ClientHello internal sizes compared to actual packet |
markrad | 0:cdf462088d13 | 1004 | size (found by TrustInSoft) |
markrad | 0:cdf462088d13 | 1005 | * Fix WSAStartup() return value check (found by Peter Vaskovic) |
markrad | 0:cdf462088d13 | 1006 | * Other minor issues (found by Peter Vaskovic) |
markrad | 0:cdf462088d13 | 1007 | * Fix symlink command for cross compiling with CMake (found by Andre |
markrad | 0:cdf462088d13 | 1008 | Heinecke) |
markrad | 0:cdf462088d13 | 1009 | * Fix DER output of gen_key app (found by Gergely Budai) |
markrad | 0:cdf462088d13 | 1010 | * Very small records were incorrectly rejected when truncated HMAC was in |
markrad | 0:cdf462088d13 | 1011 | use with some ciphersuites and versions (RC4 in all versions, CBC with |
markrad | 0:cdf462088d13 | 1012 | versions < TLS 1.1). |
markrad | 0:cdf462088d13 | 1013 | * Very large records using more than 224 bytes of padding were incorrectly |
markrad | 0:cdf462088d13 | 1014 | rejected with CBC-based ciphersuites and TLS >= 1.1 |
markrad | 0:cdf462088d13 | 1015 | * Very large records using less padding could cause a buffer overread of up |
markrad | 0:cdf462088d13 | 1016 | to 32 bytes with CBC-based ciphersuites and TLS >= 1.1 |
markrad | 0:cdf462088d13 | 1017 | * Restore ability to use a v1 cert as a CA if trusted locally. (This had |
markrad | 0:cdf462088d13 | 1018 | been removed in 1.3.6.) |
markrad | 0:cdf462088d13 | 1019 | * Restore ability to locally trust a self-signed cert that is not a proper |
markrad | 0:cdf462088d13 | 1020 | CA for use as an end entity certificate. (This had been removed in |
markrad | 0:cdf462088d13 | 1021 | 1.3.6.) |
markrad | 0:cdf462088d13 | 1022 | * Fix preprocessor checks for bn_mul PPC asm (found by Barry K. Nathan). |
markrad | 0:cdf462088d13 | 1023 | * Use \n\t rather than semicolons for bn_mul asm, since some assemblers |
markrad | 0:cdf462088d13 | 1024 | interpret semicolons as comment delimiters (found by Barry K. Nathan). |
markrad | 0:cdf462088d13 | 1025 | * Fix off-by-one error in parsing Supported Point Format extension that |
markrad | 0:cdf462088d13 | 1026 | caused some handshakes to fail. |
markrad | 0:cdf462088d13 | 1027 | * Fix possible miscomputation of the premaster secret with DHE-PSK key |
markrad | 0:cdf462088d13 | 1028 | exchange that caused some handshakes to fail with other implementations. |
markrad | 0:cdf462088d13 | 1029 | (Failure rate <= 1/255 with common DHM moduli.) |
markrad | 0:cdf462088d13 | 1030 | * Disable broken Sparc64 bn_mul assembly (found by Florian Obser). |
markrad | 0:cdf462088d13 | 1031 | * Fix base64_decode() to return and check length correctly (in case of |
markrad | 0:cdf462088d13 | 1032 | tight buffers) |
markrad | 0:cdf462088d13 | 1033 | * Fix mpi_write_string() to write "00" as hex output for empty MPI (found |
markrad | 0:cdf462088d13 | 1034 | by Hui Dong) |
markrad | 0:cdf462088d13 | 1035 | |
markrad | 0:cdf462088d13 | 1036 | = PolarSSL 1.3.7 released on 2014-05-02 |
markrad | 0:cdf462088d13 | 1037 | Features |
markrad | 0:cdf462088d13 | 1038 | * debug_set_log_mode() added to determine raw or full logging |
markrad | 0:cdf462088d13 | 1039 | * debug_set_threshold() added to ignore messages over threshold level |
markrad | 0:cdf462088d13 | 1040 | * version_check_feature() added to check for compile-time options at |
markrad | 0:cdf462088d13 | 1041 | run-time |
markrad | 0:cdf462088d13 | 1042 | |
markrad | 0:cdf462088d13 | 1043 | Changes |
markrad | 0:cdf462088d13 | 1044 | * POLARSSL_CONFIG_OPTIONS has been removed. All values are individually |
markrad | 0:cdf462088d13 | 1045 | checked and filled in the relevant module headers |
markrad | 0:cdf462088d13 | 1046 | * Debug module only outputs full lines instead of parts |
markrad | 0:cdf462088d13 | 1047 | * Better support for the different Attribute Types from IETF PKIX (RFC 5280) |
markrad | 0:cdf462088d13 | 1048 | * AES-NI now compiles with "old" assemblers too |
markrad | 0:cdf462088d13 | 1049 | * Ciphersuites based on RC4 now have the lowest priority by default |
markrad | 0:cdf462088d13 | 1050 | |
markrad | 0:cdf462088d13 | 1051 | Bugfix |
markrad | 0:cdf462088d13 | 1052 | * Only iterate over actual certificates in ssl_write_certificate_request() |
markrad | 0:cdf462088d13 | 1053 | (found by Matthew Page) |
markrad | 0:cdf462088d13 | 1054 | * Typos in platform.c and pkcs11.c (found by Daniel Phillips and Steffan |
markrad | 0:cdf462088d13 | 1055 | Karger) |
markrad | 0:cdf462088d13 | 1056 | * cert_write app should use subject of issuer certificate as issuer of cert |
markrad | 0:cdf462088d13 | 1057 | * Fix false reject in padding check in ssl_decrypt_buf() for CBC |
markrad | 0:cdf462088d13 | 1058 | ciphersuites, for full SSL frames of data. |
markrad | 0:cdf462088d13 | 1059 | * Improve interoperability by not writing extension length in ClientHello / |
markrad | 0:cdf462088d13 | 1060 | ServerHello when no extensions are present (found by Matthew Page) |
markrad | 0:cdf462088d13 | 1061 | * rsa_check_pubkey() now allows an E up to N |
markrad | 0:cdf462088d13 | 1062 | * On OpenBSD, use arc4random_buf() instead of rand() to prevent warnings |
markrad | 0:cdf462088d13 | 1063 | * mpi_fill_random() was creating numbers larger than requested on |
markrad | 0:cdf462088d13 | 1064 | big-endian platform when size was not an integer number of limbs |
markrad | 0:cdf462088d13 | 1065 | * Fix dependencies issues in X.509 test suite. |
markrad | 0:cdf462088d13 | 1066 | * Some parts of ssl_tls.c were compiled even when the module was disabled. |
markrad | 0:cdf462088d13 | 1067 | * Fix detection of DragonflyBSD in net.c (found by Markus Pfeiffer) |
markrad | 0:cdf462088d13 | 1068 | * Fix detection of Clang on some Apple platforms with CMake |
markrad | 0:cdf462088d13 | 1069 | (found by Barry K. Nathan) |
markrad | 0:cdf462088d13 | 1070 | |
markrad | 0:cdf462088d13 | 1071 | = PolarSSL 1.3.6 released on 2014-04-11 |
markrad | 0:cdf462088d13 | 1072 | |
markrad | 0:cdf462088d13 | 1073 | Features |
markrad | 0:cdf462088d13 | 1074 | * Support for the ALPN SSL extension |
markrad | 0:cdf462088d13 | 1075 | * Add option 'use_dev_random' to gen_key application |
markrad | 0:cdf462088d13 | 1076 | * Enable verification of the keyUsage extension for CA and leaf |
markrad | 0:cdf462088d13 | 1077 | certificates (POLARSSL_X509_CHECK_KEY_USAGE) |
markrad | 0:cdf462088d13 | 1078 | * Enable verification of the extendedKeyUsage extension |
markrad | 0:cdf462088d13 | 1079 | (POLARSSL_X509_CHECK_EXTENDED_KEY_USAGE) |
markrad | 0:cdf462088d13 | 1080 | |
markrad | 0:cdf462088d13 | 1081 | Changes |
markrad | 0:cdf462088d13 | 1082 | * x509_crt_info() now prints information about parsed extensions as well |
markrad | 0:cdf462088d13 | 1083 | * pk_verify() now returns a specific error code when the signature is valid |
markrad | 0:cdf462088d13 | 1084 | but shorter than the supplied length. |
markrad | 0:cdf462088d13 | 1085 | * Use UTC time to check certificate validity. |
markrad | 0:cdf462088d13 | 1086 | * Reject certificates with times not in UTC, per RFC 5280. |
markrad | 0:cdf462088d13 | 1087 | |
markrad | 0:cdf462088d13 | 1088 | Security |
markrad | 0:cdf462088d13 | 1089 | * Avoid potential timing leak in ecdsa_sign() by blinding modular division. |
markrad | 0:cdf462088d13 | 1090 | (Found by Watson Ladd.) |
markrad | 0:cdf462088d13 | 1091 | * The notAfter date of some certificates was no longer checked since 1.3.5. |
markrad | 0:cdf462088d13 | 1092 | This affects certificates in the user-supplied chain except the top |
markrad | 0:cdf462088d13 | 1093 | certificate. If the user-supplied chain contains only one certificates, |
markrad | 0:cdf462088d13 | 1094 | it is not affected (ie, its notAfter date is properly checked). |
markrad | 0:cdf462088d13 | 1095 | * Prevent potential NULL pointer dereference in ssl_read_record() (found by |
markrad | 0:cdf462088d13 | 1096 | TrustInSoft) |
markrad | 0:cdf462088d13 | 1097 | |
markrad | 0:cdf462088d13 | 1098 | Bugfix |
markrad | 0:cdf462088d13 | 1099 | * The length of various ClientKeyExchange messages was not properly checked. |
markrad | 0:cdf462088d13 | 1100 | * Some example server programs were not sending the close_notify alert. |
markrad | 0:cdf462088d13 | 1101 | * Potential memory leak in mpi_exp_mod() when error occurs during |
markrad | 0:cdf462088d13 | 1102 | calculation of RR. |
markrad | 0:cdf462088d13 | 1103 | * Fixed malloc/free default #define in platform.c (found by Gergely Budai). |
markrad | 0:cdf462088d13 | 1104 | * Fixed type which made POLARSSL_ENTROPY_FORCE_SHA256 uneffective (found by |
markrad | 0:cdf462088d13 | 1105 | Gergely Budai). |
markrad | 0:cdf462088d13 | 1106 | * Fix #include path in ecdsa.h which wasn't accepted by some compilers. |
markrad | 0:cdf462088d13 | 1107 | (found by Gergely Budai) |
markrad | 0:cdf462088d13 | 1108 | * Fix compile errors when POLARSSL_ERROR_STRERROR_BC is undefined (found by |
markrad | 0:cdf462088d13 | 1109 | Shuo Chen). |
markrad | 0:cdf462088d13 | 1110 | * oid_get_numeric_string() used to truncate the output without returning an |
markrad | 0:cdf462088d13 | 1111 | error if the output buffer was just 1 byte too small. |
markrad | 0:cdf462088d13 | 1112 | * dhm_parse_dhm() (hence dhm_parse_dhmfile()) did not set dhm->len. |
markrad | 0:cdf462088d13 | 1113 | * Calling pk_debug() on an RSA-alt key would segfault. |
markrad | 0:cdf462088d13 | 1114 | * pk_get_size() and pk_get_len() were off by a factor 8 for RSA-alt keys. |
markrad | 0:cdf462088d13 | 1115 | * Potential buffer overwrite in pem_write_buffer() because of low length |
markrad | 0:cdf462088d13 | 1116 | indication (found by Thijs Alkemade) |
markrad | 0:cdf462088d13 | 1117 | * EC curves constants, which should be only in ROM since 1.3.3, were also |
markrad | 0:cdf462088d13 | 1118 | stored in RAM due to missing 'const's (found by Gergely Budai). |
markrad | 0:cdf462088d13 | 1119 | |
markrad | 0:cdf462088d13 | 1120 | = PolarSSL 1.3.5 released on 2014-03-26 |
markrad | 0:cdf462088d13 | 1121 | Features |
markrad | 0:cdf462088d13 | 1122 | * HMAC-DRBG as a separate module |
markrad | 0:cdf462088d13 | 1123 | * Option to set the Curve preference order (disabled by default) |
markrad | 0:cdf462088d13 | 1124 | * Single Platform compatilibity layer (for memory / printf / fprintf) |
markrad | 0:cdf462088d13 | 1125 | * Ability to provide alternate timing implementation |
markrad | 0:cdf462088d13 | 1126 | * Ability to force the entropy module to use SHA-256 as its basis |
markrad | 0:cdf462088d13 | 1127 | (POLARSSL_ENTROPY_FORCE_SHA256) |
markrad | 0:cdf462088d13 | 1128 | * Testing script ssl-opt.sh added for testing 'live' ssl option |
markrad | 0:cdf462088d13 | 1129 | interoperability against OpenSSL and PolarSSL |
markrad | 0:cdf462088d13 | 1130 | * Support for reading EC keys that use SpecifiedECDomain in some cases. |
markrad | 0:cdf462088d13 | 1131 | * Entropy module now supports seed writing and reading |
markrad | 0:cdf462088d13 | 1132 | |
markrad | 0:cdf462088d13 | 1133 | Changes |
markrad | 0:cdf462088d13 | 1134 | * Deprecated the Memory layer |
markrad | 0:cdf462088d13 | 1135 | * entropy_add_source(), entropy_update_manual() and entropy_gather() |
markrad | 0:cdf462088d13 | 1136 | now thread-safe if POLARSSL_THREADING_C defined |
markrad | 0:cdf462088d13 | 1137 | * Improvements to the CMake build system, contributed by Julian Ospald. |
markrad | 0:cdf462088d13 | 1138 | * Work around a bug of the version of Clang shipped by Apple with Mavericks |
markrad | 0:cdf462088d13 | 1139 | that prevented bignum.c from compiling. (Reported by Rafael Baptista.) |
markrad | 0:cdf462088d13 | 1140 | * Revamped the compat.sh interoperatibility script to include support for |
markrad | 0:cdf462088d13 | 1141 | testing against GnuTLS |
markrad | 0:cdf462088d13 | 1142 | * Deprecated ssl_set_own_cert_rsa() and ssl_set_own_cert_rsa_alt() |
markrad | 0:cdf462088d13 | 1143 | * Improvements to tests/Makefile, contributed by Oden Eriksson. |
markrad | 0:cdf462088d13 | 1144 | |
markrad | 0:cdf462088d13 | 1145 | Security |
markrad | 0:cdf462088d13 | 1146 | * Forbid change of server certificate during renegotiation to prevent |
markrad | 0:cdf462088d13 | 1147 | "triple handshake" attack when authentication mode is 'optional' (the |
markrad | 0:cdf462088d13 | 1148 | attack was already impossible when authentication is required). |
markrad | 0:cdf462088d13 | 1149 | * Check notBefore timestamp of certificates and CRLs from the future. |
markrad | 0:cdf462088d13 | 1150 | * Forbid sequence number wrapping |
markrad | 0:cdf462088d13 | 1151 | * Fixed possible buffer overflow with overlong PSK |
markrad | 0:cdf462088d13 | 1152 | * Possible remotely-triggered out-of-bounds memory access fixed (found by |
markrad | 0:cdf462088d13 | 1153 | TrustInSoft) |
markrad | 0:cdf462088d13 | 1154 | |
markrad | 0:cdf462088d13 | 1155 | Bugfix |
markrad | 0:cdf462088d13 | 1156 | * ecp_gen_keypair() does more tries to prevent failure because of |
markrad | 0:cdf462088d13 | 1157 | statistics |
markrad | 0:cdf462088d13 | 1158 | * Fixed bug in RSA PKCS#1 v1.5 "reversed" operations |
markrad | 0:cdf462088d13 | 1159 | * Fixed testing with out-of-source builds using cmake |
markrad | 0:cdf462088d13 | 1160 | * Fixed version-major intolerance in server |
markrad | 0:cdf462088d13 | 1161 | * Fixed CMake symlinking on out-of-source builds |
markrad | 0:cdf462088d13 | 1162 | * Fixed dependency issues in test suite |
markrad | 0:cdf462088d13 | 1163 | * Programs rsa_sign_pss and rsa_verify_pss were not using PSS since 1.3.0 |
markrad | 0:cdf462088d13 | 1164 | * Bignum's MIPS-32 assembly was used on MIPS-64, causing chaos. (Found by |
markrad | 0:cdf462088d13 | 1165 | Alex Wilson.) |
markrad | 0:cdf462088d13 | 1166 | * ssl_cache was creating entries when max_entries=0 if TIMING_C was enabled. |
markrad | 0:cdf462088d13 | 1167 | * m_sleep() was sleeping twice too long on most Unix platforms. |
markrad | 0:cdf462088d13 | 1168 | * Fixed bug with session tickets and non-blocking I/O in the unlikely case |
markrad | 0:cdf462088d13 | 1169 | send() would return an EAGAIN error when sending the ticket. |
markrad | 0:cdf462088d13 | 1170 | * ssl_cache was leaking memory when reusing a timed out entry containing a |
markrad | 0:cdf462088d13 | 1171 | client certificate. |
markrad | 0:cdf462088d13 | 1172 | * ssl_srv was leaking memory when client presented a timed out ticket |
markrad | 0:cdf462088d13 | 1173 | containing a client certificate |
markrad | 0:cdf462088d13 | 1174 | * ssl_init() was leaving a dirty pointer in ssl_context if malloc of |
markrad | 0:cdf462088d13 | 1175 | out_ctr failed |
markrad | 0:cdf462088d13 | 1176 | * ssl_handshake_init() was leaving dirty pointers in subcontexts if malloc |
markrad | 0:cdf462088d13 | 1177 | of one of them failed |
markrad | 0:cdf462088d13 | 1178 | * Fix typo in rsa_copy() that impacted PKCS#1 v2 contexts |
markrad | 0:cdf462088d13 | 1179 | * x509_get_current_time() uses localtime_r() to prevent thread issues |
markrad | 0:cdf462088d13 | 1180 | |
markrad | 0:cdf462088d13 | 1181 | = PolarSSL 1.3.4 released on 2014-01-27 |
markrad | 0:cdf462088d13 | 1182 | Features |
markrad | 0:cdf462088d13 | 1183 | * Support for the Koblitz curves: secp192k1, secp224k1, secp256k1 |
markrad | 0:cdf462088d13 | 1184 | * Support for RIPEMD-160 |
markrad | 0:cdf462088d13 | 1185 | * Support for AES CFB8 mode |
markrad | 0:cdf462088d13 | 1186 | * Support for deterministic ECDSA (RFC 6979) |
markrad | 0:cdf462088d13 | 1187 | |
markrad | 0:cdf462088d13 | 1188 | Bugfix |
markrad | 0:cdf462088d13 | 1189 | * Potential memory leak in bignum_selftest() |
markrad | 0:cdf462088d13 | 1190 | * Replaced expired test certificate |
markrad | 0:cdf462088d13 | 1191 | * ssl_mail_client now terminates lines with CRLF, instead of LF |
markrad | 0:cdf462088d13 | 1192 | * net module handles timeouts on blocking sockets better (found by Tilman |
markrad | 0:cdf462088d13 | 1193 | Sauerbeck) |
markrad | 0:cdf462088d13 | 1194 | * Assembly format fixes in bn_mul.h |
markrad | 0:cdf462088d13 | 1195 | |
markrad | 0:cdf462088d13 | 1196 | Security |
markrad | 0:cdf462088d13 | 1197 | * Missing MPI_CHK calls added around unguarded mpi calls (found by |
markrad | 0:cdf462088d13 | 1198 | TrustInSoft) |
markrad | 0:cdf462088d13 | 1199 | |
markrad | 0:cdf462088d13 | 1200 | = PolarSSL 1.3.3 released on 2013-12-31 |
markrad | 0:cdf462088d13 | 1201 | Features |
markrad | 0:cdf462088d13 | 1202 | * EC key generation support in gen_key app |
markrad | 0:cdf462088d13 | 1203 | * Support for adhering to client ciphersuite order preference |
markrad | 0:cdf462088d13 | 1204 | (POLARSSL_SSL_SRV_RESPECT_CLIENT_PREFERENCE) |
markrad | 0:cdf462088d13 | 1205 | * Support for Curve25519 |
markrad | 0:cdf462088d13 | 1206 | * Support for ECDH-RSA and ECDH-ECDSA key exchanges and ciphersuites |
markrad | 0:cdf462088d13 | 1207 | * Support for IPv6 in the NET module |
markrad | 0:cdf462088d13 | 1208 | * AES-NI support for AES, AES-GCM and AES key scheduling |
markrad | 0:cdf462088d13 | 1209 | * SSL Pthread-based server example added (ssl_pthread_server) |
markrad | 0:cdf462088d13 | 1210 | |
markrad | 0:cdf462088d13 | 1211 | Changes |
markrad | 0:cdf462088d13 | 1212 | * gen_prime() speedup |
markrad | 0:cdf462088d13 | 1213 | * Speedup of ECP multiplication operation |
markrad | 0:cdf462088d13 | 1214 | * Relaxed some SHA2 ciphersuite's version requirements |
markrad | 0:cdf462088d13 | 1215 | * Dropped use of readdir_r() instead of readdir() with threading support |
markrad | 0:cdf462088d13 | 1216 | * More constant-time checks in the RSA module |
markrad | 0:cdf462088d13 | 1217 | * Split off curves from ecp.c into ecp_curves.c |
markrad | 0:cdf462088d13 | 1218 | * Curves are now stored fully in ROM |
markrad | 0:cdf462088d13 | 1219 | * Memory usage optimizations in ECP module |
markrad | 0:cdf462088d13 | 1220 | * Removed POLARSSL_THREADING_DUMMY |
markrad | 0:cdf462088d13 | 1221 | |
markrad | 0:cdf462088d13 | 1222 | Bugfix |
markrad | 0:cdf462088d13 | 1223 | * Fixed bug in mpi_set_bit() on platforms where t_uint is wider than int |
markrad | 0:cdf462088d13 | 1224 | * Fixed X.509 hostname comparison (with non-regular characters) |
markrad | 0:cdf462088d13 | 1225 | * SSL now gracefully handles missing RNG |
markrad | 0:cdf462088d13 | 1226 | * Missing defines / cases for RSA_PSK key exchange |
markrad | 0:cdf462088d13 | 1227 | * crypt_and_hash app checks MAC before final decryption |
markrad | 0:cdf462088d13 | 1228 | * Potential memory leak in ssl_ticket_keys_init() |
markrad | 0:cdf462088d13 | 1229 | * Memory leak in benchmark application |
markrad | 0:cdf462088d13 | 1230 | * Fixed x509_crt_parse_path() bug on Windows platforms |
markrad | 0:cdf462088d13 | 1231 | * Added missing MPI_CHK() around some statements in mpi_div_mpi() (found by |
markrad | 0:cdf462088d13 | 1232 | TrustInSoft) |
markrad | 0:cdf462088d13 | 1233 | * Fixed potential overflow in certificate size verification in |
markrad | 0:cdf462088d13 | 1234 | ssl_write_certificate() (found by TrustInSoft) |
markrad | 0:cdf462088d13 | 1235 | |
markrad | 0:cdf462088d13 | 1236 | Security |
markrad | 0:cdf462088d13 | 1237 | * Possible remotely-triggered out-of-bounds memory access fixed (found by |
markrad | 0:cdf462088d13 | 1238 | TrustInSoft) |
markrad | 0:cdf462088d13 | 1239 | |
markrad | 0:cdf462088d13 | 1240 | = PolarSSL 1.3.2 released on 2013-11-04 |
markrad | 0:cdf462088d13 | 1241 | Features |
markrad | 0:cdf462088d13 | 1242 | * PK tests added to test framework |
markrad | 0:cdf462088d13 | 1243 | * Added optional optimization for NIST MODP curves (POLARSSL_ECP_NIST_OPTIM) |
markrad | 0:cdf462088d13 | 1244 | * Support for Camellia-GCM mode and ciphersuites |
markrad | 0:cdf462088d13 | 1245 | |
markrad | 0:cdf462088d13 | 1246 | Changes |
markrad | 0:cdf462088d13 | 1247 | * Padding checks in cipher layer are now constant-time |
markrad | 0:cdf462088d13 | 1248 | * Value comparisons in SSL layer are now constant-time |
markrad | 0:cdf462088d13 | 1249 | * Support for serialNumber, postalAddress and postalCode in X509 names |
markrad | 0:cdf462088d13 | 1250 | * SSL Renegotiation was refactored |
markrad | 0:cdf462088d13 | 1251 | |
markrad | 0:cdf462088d13 | 1252 | Bugfix |
markrad | 0:cdf462088d13 | 1253 | * More stringent checks in cipher layer |
markrad | 0:cdf462088d13 | 1254 | * Server does not send out extensions not advertised by client |
markrad | 0:cdf462088d13 | 1255 | * Prevent possible alignment warnings on casting from char * to 'aligned *' |
markrad | 0:cdf462088d13 | 1256 | * Misc fixes and additions to dependency checks |
markrad | 0:cdf462088d13 | 1257 | * Const correctness |
markrad | 0:cdf462088d13 | 1258 | * cert_write with selfsign should use issuer_name as subject_name |
markrad | 0:cdf462088d13 | 1259 | * Fix ECDSA corner case: missing reduction mod N (found by DualTachyon) |
markrad | 0:cdf462088d13 | 1260 | * Defines to handle UEFI environment under MSVC |
markrad | 0:cdf462088d13 | 1261 | * Server-side initiated renegotiations send HelloRequest |
markrad | 0:cdf462088d13 | 1262 | |
markrad | 0:cdf462088d13 | 1263 | = PolarSSL 1.3.1 released on 2013-10-15 |
markrad | 0:cdf462088d13 | 1264 | Features |
markrad | 0:cdf462088d13 | 1265 | * Support for Brainpool curves and TLS ciphersuites (RFC 7027) |
markrad | 0:cdf462088d13 | 1266 | * Support for ECDHE-PSK key-exchange and ciphersuites |
markrad | 0:cdf462088d13 | 1267 | * Support for RSA-PSK key-exchange and ciphersuites |
markrad | 0:cdf462088d13 | 1268 | |
markrad | 0:cdf462088d13 | 1269 | Changes |
markrad | 0:cdf462088d13 | 1270 | * RSA blinding locks for a smaller amount of time |
markrad | 0:cdf462088d13 | 1271 | * TLS compression only allocates working buffer once |
markrad | 0:cdf462088d13 | 1272 | * Introduced POLARSSL_HAVE_READDIR_R for systems without it |
markrad | 0:cdf462088d13 | 1273 | * config.h is more script-friendly |
markrad | 0:cdf462088d13 | 1274 | |
markrad | 0:cdf462088d13 | 1275 | Bugfix |
markrad | 0:cdf462088d13 | 1276 | * Missing MSVC defines added |
markrad | 0:cdf462088d13 | 1277 | * Compile errors with POLARSSL_RSA_NO_CRT |
markrad | 0:cdf462088d13 | 1278 | * Header files with 'polarssl/' |
markrad | 0:cdf462088d13 | 1279 | * Const correctness |
markrad | 0:cdf462088d13 | 1280 | * Possible naming collision in dhm_context |
markrad | 0:cdf462088d13 | 1281 | * Better support for MSVC |
markrad | 0:cdf462088d13 | 1282 | * threading_set_alt() name |
markrad | 0:cdf462088d13 | 1283 | * Added missing x509write_crt_set_version() |
markrad | 0:cdf462088d13 | 1284 | |
markrad | 0:cdf462088d13 | 1285 | = PolarSSL 1.3.0 released on 2013-10-01 |
markrad | 0:cdf462088d13 | 1286 | Features |
markrad | 0:cdf462088d13 | 1287 | * Elliptic Curve Cryptography module added |
markrad | 0:cdf462088d13 | 1288 | * Elliptic Curve Diffie Hellman module added |
markrad | 0:cdf462088d13 | 1289 | * Ephemeral Elliptic Curve Diffie Hellman support for SSL/TLS |
markrad | 0:cdf462088d13 | 1290 | (ECDHE-based ciphersuites) |
markrad | 0:cdf462088d13 | 1291 | * Ephemeral Elliptic Curve Digital Signature Algorithm support for SSL/TLS |
markrad | 0:cdf462088d13 | 1292 | (ECDSA-based ciphersuites) |
markrad | 0:cdf462088d13 | 1293 | * Ability to specify allowed ciphersuites based on the protocol version. |
markrad | 0:cdf462088d13 | 1294 | * PSK and DHE-PSK based ciphersuites added |
markrad | 0:cdf462088d13 | 1295 | * Memory allocation abstraction layer added |
markrad | 0:cdf462088d13 | 1296 | * Buffer-based memory allocator added (no malloc() / free() / HEAP usage) |
markrad | 0:cdf462088d13 | 1297 | * Threading abstraction layer added (dummy / pthread / alternate) |
markrad | 0:cdf462088d13 | 1298 | * Public Key abstraction layer added |
markrad | 0:cdf462088d13 | 1299 | * Parsing Elliptic Curve keys |
markrad | 0:cdf462088d13 | 1300 | * Parsing Elliptic Curve certificates |
markrad | 0:cdf462088d13 | 1301 | * Support for max_fragment_length extension (RFC 6066) |
markrad | 0:cdf462088d13 | 1302 | * Support for truncated_hmac extension (RFC 6066) |
markrad | 0:cdf462088d13 | 1303 | * Support for zeros-and-length (ANSI X.923) padding, one-and-zeros |
markrad | 0:cdf462088d13 | 1304 | (ISO/IEC 7816-4) padding and zero padding in the cipher layer |
markrad | 0:cdf462088d13 | 1305 | * Support for session tickets (RFC 5077) |
markrad | 0:cdf462088d13 | 1306 | * Certificate Request (CSR) generation with extensions (key_usage, |
markrad | 0:cdf462088d13 | 1307 | ns_cert_type) |
markrad | 0:cdf462088d13 | 1308 | * X509 Certificate writing with extensions (basic_constraints, |
markrad | 0:cdf462088d13 | 1309 | issuer_key_identifier, etc) |
markrad | 0:cdf462088d13 | 1310 | * Optional blinding for RSA, DHM and EC |
markrad | 0:cdf462088d13 | 1311 | * Support for multiple active certificate / key pairs in SSL servers for |
markrad | 0:cdf462088d13 | 1312 | the same host (Not to be confused with SNI!) |
markrad | 0:cdf462088d13 | 1313 | |
markrad | 0:cdf462088d13 | 1314 | Changes |
markrad | 0:cdf462088d13 | 1315 | * Ability to enable / disable SSL v3 / TLS 1.0 / TLS 1.1 / TLS 1.2 |
markrad | 0:cdf462088d13 | 1316 | individually |
markrad | 0:cdf462088d13 | 1317 | * Introduced separate SSL Ciphersuites module that is based on |
markrad | 0:cdf462088d13 | 1318 | Cipher and MD information |
markrad | 0:cdf462088d13 | 1319 | * Internals for SSL module adapted to have separate IV pointer that is |
markrad | 0:cdf462088d13 | 1320 | dynamically set (Better support for hardware acceleration) |
markrad | 0:cdf462088d13 | 1321 | * Moved all OID functionality to a separate module. RSA function |
markrad | 0:cdf462088d13 | 1322 | prototypes for the RSA sign and verify functions changed as a result |
markrad | 0:cdf462088d13 | 1323 | * Split up the GCM module into a starts/update/finish cycle |
markrad | 0:cdf462088d13 | 1324 | * Client and server now filter sent and accepted ciphersuites on minimum |
markrad | 0:cdf462088d13 | 1325 | and maximum protocol version |
markrad | 0:cdf462088d13 | 1326 | * Ability to disable server_name extension (RFC 6066) |
markrad | 0:cdf462088d13 | 1327 | * Renamed error_strerror() to the less conflicting polarssl_strerror() |
markrad | 0:cdf462088d13 | 1328 | (Ability to keep old as well with POLARSSL_ERROR_STRERROR_BC) |
markrad | 0:cdf462088d13 | 1329 | * SHA2 renamed to SHA256, SHA4 renamed to SHA512 and functions accordingly |
markrad | 0:cdf462088d13 | 1330 | * All RSA operations require a random generator for blinding purposes |
markrad | 0:cdf462088d13 | 1331 | * X509 core refactored |
markrad | 0:cdf462088d13 | 1332 | * x509_crt_verify() now case insensitive for cn (RFC 6125 6.4) |
markrad | 0:cdf462088d13 | 1333 | * Also compiles / runs without time-based functions (!POLARSSL_HAVE_TIME) |
markrad | 0:cdf462088d13 | 1334 | * Support faulty X509 v1 certificates with extensions |
markrad | 0:cdf462088d13 | 1335 | (POLARSSL_X509_ALLOW_EXTENSIONS_NON_V3) |
markrad | 0:cdf462088d13 | 1336 | |
markrad | 0:cdf462088d13 | 1337 | Bugfix |
markrad | 0:cdf462088d13 | 1338 | * Fixed parse error in ssl_parse_certificate_request() |
markrad | 0:cdf462088d13 | 1339 | * zlib compression/decompression skipped on empty blocks |
markrad | 0:cdf462088d13 | 1340 | * Support for AIX header locations in net.c module |
markrad | 0:cdf462088d13 | 1341 | * Fixed file descriptor leaks |
markrad | 0:cdf462088d13 | 1342 | |
markrad | 0:cdf462088d13 | 1343 | Security |
markrad | 0:cdf462088d13 | 1344 | * RSA blinding on CRT operations to counter timing attacks |
markrad | 0:cdf462088d13 | 1345 | (found by Cyril Arnaud and Pierre-Alain Fouque) |
markrad | 0:cdf462088d13 | 1346 | |
markrad | 0:cdf462088d13 | 1347 | |
markrad | 0:cdf462088d13 | 1348 | = Version 1.2.14 released 2015-05-?? |
markrad | 0:cdf462088d13 | 1349 | |
markrad | 0:cdf462088d13 | 1350 | Security |
markrad | 0:cdf462088d13 | 1351 | * Fix potential invalid memory read in the server, that allows a client to |
markrad | 0:cdf462088d13 | 1352 | crash it remotely (found by Caj Larsson). |
markrad | 0:cdf462088d13 | 1353 | * Fix potential invalid memory read in certificate parsing, that allows a |
markrad | 0:cdf462088d13 | 1354 | client to crash the server remotely if client authentication is enabled |
markrad | 0:cdf462088d13 | 1355 | (found using Codenomicon Defensics). |
markrad | 0:cdf462088d13 | 1356 | * Add countermeasure against "Lucky 13 strikes back" cache-based attack, |
markrad | 0:cdf462088d13 | 1357 | https://dl.acm.org/citation.cfm?id=2714625 |
markrad | 0:cdf462088d13 | 1358 | |
markrad | 0:cdf462088d13 | 1359 | Bugfix |
markrad | 0:cdf462088d13 | 1360 | * Fix bug in Via Padlock support (found by Nikos Mavrogiannopoulos). |
markrad | 0:cdf462088d13 | 1361 | * Fix hardclock() (only used in the benchmarking program) with some |
markrad | 0:cdf462088d13 | 1362 | versions of mingw64 (found by kxjhlele). |
markrad | 0:cdf462088d13 | 1363 | * Fix warnings from mingw64 in timing.c (found by kxjklele). |
markrad | 0:cdf462088d13 | 1364 | * Fix potential unintended sign extension in asn1_get_len() on 64-bit |
markrad | 0:cdf462088d13 | 1365 | platforms (found with Coverity Scan). |
markrad | 0:cdf462088d13 | 1366 | |
markrad | 0:cdf462088d13 | 1367 | = Version 1.2.13 released 2015-02-16 |
markrad | 0:cdf462088d13 | 1368 | Note: Although PolarSSL has been renamed to mbed TLS, no changes reflecting |
markrad | 0:cdf462088d13 | 1369 | this will be made in the 1.2 branch at this point. |
markrad | 0:cdf462088d13 | 1370 | |
markrad | 0:cdf462088d13 | 1371 | Security |
markrad | 0:cdf462088d13 | 1372 | * Fix remotely-triggerable uninitialised pointer dereference caused by |
markrad | 0:cdf462088d13 | 1373 | crafted X.509 certificate (TLS server is not affected if it doesn't ask |
markrad | 0:cdf462088d13 | 1374 | for a client certificate) (found using Codenomicon Defensics). |
markrad | 0:cdf462088d13 | 1375 | * Fix remotely-triggerable memory leak caused by crafted X.509 certificates |
markrad | 0:cdf462088d13 | 1376 | (TLS server is not affected if it doesn't ask for a client certificate) |
markrad | 0:cdf462088d13 | 1377 | (found using Codenomicon Defensics). |
markrad | 0:cdf462088d13 | 1378 | * Fix potential stack overflow while parsing crafted X.509 certificates |
markrad | 0:cdf462088d13 | 1379 | (TLS server is not affected if it doesn't ask for a client certificate) |
markrad | 0:cdf462088d13 | 1380 | found using Codenomicon Defensics). |
markrad | 0:cdf462088d13 | 1381 | * Fix buffer overread of size 1 when parsing crafted X.509 certificates |
markrad | 0:cdf462088d13 | 1382 | (TLS server is not affected if it doesn't ask for a client certificate). |
markrad | 0:cdf462088d13 | 1383 | |
markrad | 0:cdf462088d13 | 1384 | Bugfix |
markrad | 0:cdf462088d13 | 1385 | * Fix potential undefined behaviour in Camellia. |
markrad | 0:cdf462088d13 | 1386 | * Fix memory leaks in PKCS#5 and PKCS#12. |
markrad | 0:cdf462088d13 | 1387 | * Stack buffer overflow if ctr_drbg_update() is called with too large |
markrad | 0:cdf462088d13 | 1388 | add_len (found by Jean-Philippe Aumasson) (not triggerable remotely). |
markrad | 0:cdf462088d13 | 1389 | * Fix bug in MPI/bignum on s390/s390x (reported by Dan Horák) (introduced |
markrad | 0:cdf462088d13 | 1390 | in 1.2.12). |
markrad | 0:cdf462088d13 | 1391 | * Fix unchecked return code in x509_crt_parse_path() on Windows (found by |
markrad | 0:cdf462088d13 | 1392 | Peter Vaskovic). |
markrad | 0:cdf462088d13 | 1393 | * Fix assembly selection for MIPS64 (thanks to James Cowgill). |
markrad | 0:cdf462088d13 | 1394 | * ssl_get_verify_result() now works even if the handshake was aborted due |
markrad | 0:cdf462088d13 | 1395 | to a failed verification (found by Fredrik Axelsson). |
markrad | 0:cdf462088d13 | 1396 | * Skip writing and parsing signature_algorithm extension if none of the |
markrad | 0:cdf462088d13 | 1397 | key exchanges enabled needs certificates. This fixes a possible interop |
markrad | 0:cdf462088d13 | 1398 | issue with some servers when a zero-length extension was sent. (Reported |
markrad | 0:cdf462088d13 | 1399 | by Peter Dettman.) |
markrad | 0:cdf462088d13 | 1400 | * On a 0-length input, base64_encode() did not correctly set output length |
markrad | 0:cdf462088d13 | 1401 | (found by Hendrik van den Boogaard). |
markrad | 0:cdf462088d13 | 1402 | |
markrad | 0:cdf462088d13 | 1403 | Changes |
markrad | 0:cdf462088d13 | 1404 | * Blind RSA private operations even when POLARSSL_RSA_NO_CRT is defined. |
markrad | 0:cdf462088d13 | 1405 | * Forbid repeated extensions in X.509 certificates. |
markrad | 0:cdf462088d13 | 1406 | * Add compile-time option POLARSSL_X509_MAX_INTERMEDIATE_CA to limit the |
markrad | 0:cdf462088d13 | 1407 | length of an X.509 verification chain (default = 8). |
markrad | 0:cdf462088d13 | 1408 | = Version 1.2.12 released 2014-10-24 |
markrad | 0:cdf462088d13 | 1409 | |
markrad | 0:cdf462088d13 | 1410 | Security |
markrad | 0:cdf462088d13 | 1411 | * Remotely-triggerable memory leak when parsing some X.509 certificates |
markrad | 0:cdf462088d13 | 1412 | (server is not affected if it doesn't ask for a client certificate). |
markrad | 0:cdf462088d13 | 1413 | (Found using Codenomicon Defensics.) |
markrad | 0:cdf462088d13 | 1414 | |
markrad | 0:cdf462088d13 | 1415 | Bugfix |
markrad | 0:cdf462088d13 | 1416 | * Fix potential bad read in parsing ServerHello (found by Adrien |
markrad | 0:cdf462088d13 | 1417 | Vialletelle). |
markrad | 0:cdf462088d13 | 1418 | * ssl_close_notify() could send more than one message in some circumstances |
markrad | 0:cdf462088d13 | 1419 | with non-blocking I/O. |
markrad | 0:cdf462088d13 | 1420 | * x509_crt_parse() did not increase total_failed on PEM error |
markrad | 0:cdf462088d13 | 1421 | * Fix compiler warnings on iOS (found by Sander Niemeijer). |
markrad | 0:cdf462088d13 | 1422 | * Don't print uninitialised buffer in ssl_mail_client (found by Marc Abel). |
markrad | 0:cdf462088d13 | 1423 | * Fix net_accept() regarding non-blocking sockets (found by Luca Pesce). |
markrad | 0:cdf462088d13 | 1424 | * ssl_read() could return non-application data records on server while |
markrad | 0:cdf462088d13 | 1425 | renegotation was pending, and on client when a HelloRequest was received. |
markrad | 0:cdf462088d13 | 1426 | * Fix warnings from Clang's scan-build (contributed by Alfred Klomp). |
markrad | 0:cdf462088d13 | 1427 | |
markrad | 0:cdf462088d13 | 1428 | Changes |
markrad | 0:cdf462088d13 | 1429 | * X.509 certificates with more than one AttributeTypeAndValue per |
markrad | 0:cdf462088d13 | 1430 | RelativeDistinguishedName are not accepted any more. |
markrad | 0:cdf462088d13 | 1431 | * ssl_read() now returns POLARSSL_ERR_NET_WANT_READ rather than |
markrad | 0:cdf462088d13 | 1432 | POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE on harmless alerts. |
markrad | 0:cdf462088d13 | 1433 | * Accept spaces at end of line or end of buffer in base64_decode(). |
markrad | 0:cdf462088d13 | 1434 | |
markrad | 0:cdf462088d13 | 1435 | = Version 1.2.11 released 2014-07-11 |
markrad | 0:cdf462088d13 | 1436 | Features |
markrad | 0:cdf462088d13 | 1437 | * Entropy module now supports seed writing and reading |
markrad | 0:cdf462088d13 | 1438 | |
markrad | 0:cdf462088d13 | 1439 | Changes |
markrad | 0:cdf462088d13 | 1440 | * Introduced POLARSSL_HAVE_READDIR_R for systems without it |
markrad | 0:cdf462088d13 | 1441 | * Improvements to the CMake build system, contributed by Julian Ospald. |
markrad | 0:cdf462088d13 | 1442 | * Work around a bug of the version of Clang shipped by Apple with Mavericks |
markrad | 0:cdf462088d13 | 1443 | that prevented bignum.c from compiling. (Reported by Rafael Baptista.) |
markrad | 0:cdf462088d13 | 1444 | * Improvements to tests/Makefile, contributed by Oden Eriksson. |
markrad | 0:cdf462088d13 | 1445 | * Use UTC time to check certificate validity. |
markrad | 0:cdf462088d13 | 1446 | * Reject certificates with times not in UTC, per RFC 5280. |
markrad | 0:cdf462088d13 | 1447 | * Migrate zeroizing of data to polarssl_zeroize() instead of memset() |
markrad | 0:cdf462088d13 | 1448 | against unwanted compiler optimizations |
markrad | 0:cdf462088d13 | 1449 | |
markrad | 0:cdf462088d13 | 1450 | Security |
markrad | 0:cdf462088d13 | 1451 | * Forbid change of server certificate during renegotiation to prevent |
markrad | 0:cdf462088d13 | 1452 | "triple handshake" attack when authentication mode is optional (the |
markrad | 0:cdf462088d13 | 1453 | attack was already impossible when authentication is required). |
markrad | 0:cdf462088d13 | 1454 | * Check notBefore timestamp of certificates and CRLs from the future. |
markrad | 0:cdf462088d13 | 1455 | * Forbid sequence number wrapping |
markrad | 0:cdf462088d13 | 1456 | * Prevent potential NULL pointer dereference in ssl_read_record() (found by |
markrad | 0:cdf462088d13 | 1457 | TrustInSoft) |
markrad | 0:cdf462088d13 | 1458 | * Fix length checking for AEAD ciphersuites (found by Codenomicon). |
markrad | 0:cdf462088d13 | 1459 | It was possible to crash the server (and client) using crafted messages |
markrad | 0:cdf462088d13 | 1460 | when a GCM suite was chosen. |
markrad | 0:cdf462088d13 | 1461 | |
markrad | 0:cdf462088d13 | 1462 | Bugfix |
markrad | 0:cdf462088d13 | 1463 | * Fixed X.509 hostname comparison (with non-regular characters) |
markrad | 0:cdf462088d13 | 1464 | * SSL now gracefully handles missing RNG |
markrad | 0:cdf462088d13 | 1465 | * crypt_and_hash app checks MAC before final decryption |
markrad | 0:cdf462088d13 | 1466 | * Fixed x509_crt_parse_path() bug on Windows platforms |
markrad | 0:cdf462088d13 | 1467 | * Added missing MPI_CHK() around some statements in mpi_div_mpi() (found by |
markrad | 0:cdf462088d13 | 1468 | TrustInSoft) |
markrad | 0:cdf462088d13 | 1469 | * Fixed potential overflow in certificate size verification in |
markrad | 0:cdf462088d13 | 1470 | ssl_write_certificate() (found by TrustInSoft) |
markrad | 0:cdf462088d13 | 1471 | * Fix ASM format in bn_mul.h |
markrad | 0:cdf462088d13 | 1472 | * Potential memory leak in bignum_selftest() |
markrad | 0:cdf462088d13 | 1473 | * Replaced expired test certificate |
markrad | 0:cdf462088d13 | 1474 | * ssl_mail_client now terminates lines with CRLF, instead of LF |
markrad | 0:cdf462088d13 | 1475 | * Fix bug in RSA PKCS#1 v1.5 "reversed" operations |
markrad | 0:cdf462088d13 | 1476 | * Fixed testing with out-of-source builds using cmake |
markrad | 0:cdf462088d13 | 1477 | * Fixed version-major intolerance in server |
markrad | 0:cdf462088d13 | 1478 | * Fixed CMake symlinking on out-of-source builds |
markrad | 0:cdf462088d13 | 1479 | * Bignum's MIPS-32 assembly was used on MIPS-64, causing chaos. (Found by |
markrad | 0:cdf462088d13 | 1480 | Alex Wilson.) |
markrad | 0:cdf462088d13 | 1481 | * ssl_init() was leaving a dirty pointer in ssl_context if malloc of |
markrad | 0:cdf462088d13 | 1482 | out_ctr failed |
markrad | 0:cdf462088d13 | 1483 | * ssl_handshake_init() was leaving dirty pointers in subcontexts if malloc |
markrad | 0:cdf462088d13 | 1484 | of one of them failed |
markrad | 0:cdf462088d13 | 1485 | * x509_get_current_time() uses localtime_r() to prevent thread issues |
markrad | 0:cdf462088d13 | 1486 | * Some example server programs were not sending the close_notify alert. |
markrad | 0:cdf462088d13 | 1487 | * Potential memory leak in mpi_exp_mod() when error occurs during |
markrad | 0:cdf462088d13 | 1488 | calculation of RR. |
markrad | 0:cdf462088d13 | 1489 | * Improve interoperability by not writing extension length in ClientHello |
markrad | 0:cdf462088d13 | 1490 | when no extensions are present (found by Matthew Page) |
markrad | 0:cdf462088d13 | 1491 | * rsa_check_pubkey() now allows an E up to N |
markrad | 0:cdf462088d13 | 1492 | * On OpenBSD, use arc4random_buf() instead of rand() to prevent warnings |
markrad | 0:cdf462088d13 | 1493 | * mpi_fill_random() was creating numbers larger than requested on |
markrad | 0:cdf462088d13 | 1494 | big-endian platform when size was not an integer number of limbs |
markrad | 0:cdf462088d13 | 1495 | * Fix detection of DragonflyBSD in net.c (found by Markus Pfeiffer) |
markrad | 0:cdf462088d13 | 1496 | * Stricter check on SSL ClientHello internal sizes compared to actual packet |
markrad | 0:cdf462088d13 | 1497 | size (found by TrustInSoft) |
markrad | 0:cdf462088d13 | 1498 | * Fix preprocessor checks for bn_mul PPC asm (found by Barry K. Nathan). |
markrad | 0:cdf462088d13 | 1499 | * Use \n\t rather than semicolons for bn_mul asm, since some assemblers |
markrad | 0:cdf462088d13 | 1500 | interpret semicolons as comment delimiters (found by Barry K. Nathan). |
markrad | 0:cdf462088d13 | 1501 | * Disable broken Sparc64 bn_mul assembly (found by Florian Obser). |
markrad | 0:cdf462088d13 | 1502 | * Fix base64_decode() to return and check length correctly (in case of |
markrad | 0:cdf462088d13 | 1503 | tight buffers) |
markrad | 0:cdf462088d13 | 1504 | |
markrad | 0:cdf462088d13 | 1505 | = Version 1.2.10 released 2013-10-07 |
markrad | 0:cdf462088d13 | 1506 | Changes |
markrad | 0:cdf462088d13 | 1507 | * Changed RSA blinding to a slower but thread-safe version |
markrad | 0:cdf462088d13 | 1508 | |
markrad | 0:cdf462088d13 | 1509 | Bugfix |
markrad | 0:cdf462088d13 | 1510 | * Fixed memory leak in RSA as a result of introduction of blinding |
markrad | 0:cdf462088d13 | 1511 | * Fixed ssl_pkcs11_decrypt() prototype |
markrad | 0:cdf462088d13 | 1512 | * Fixed MSVC project files |
markrad | 0:cdf462088d13 | 1513 | |
markrad | 0:cdf462088d13 | 1514 | = Version 1.2.9 released 2013-10-01 |
markrad | 0:cdf462088d13 | 1515 | Changes |
markrad | 0:cdf462088d13 | 1516 | * x509_verify() now case insensitive for cn (RFC 6125 6.4) |
markrad | 0:cdf462088d13 | 1517 | |
markrad | 0:cdf462088d13 | 1518 | Bugfix |
markrad | 0:cdf462088d13 | 1519 | * Fixed potential memory leak when failing to resume a session |
markrad | 0:cdf462088d13 | 1520 | * Fixed potential file descriptor leaks (found by Remi Gacogne) |
markrad | 0:cdf462088d13 | 1521 | * Minor fixes |
markrad | 0:cdf462088d13 | 1522 | |
markrad | 0:cdf462088d13 | 1523 | Security |
markrad | 0:cdf462088d13 | 1524 | * Fixed potential heap buffer overflow on large hostname setting |
markrad | 0:cdf462088d13 | 1525 | * Fixed potential negative value misinterpretation in load_file() |
markrad | 0:cdf462088d13 | 1526 | * RSA blinding on CRT operations to counter timing attacks |
markrad | 0:cdf462088d13 | 1527 | (found by Cyril Arnaud and Pierre-Alain Fouque) |
markrad | 0:cdf462088d13 | 1528 | |
markrad | 0:cdf462088d13 | 1529 | = Version 1.2.8 released 2013-06-19 |
markrad | 0:cdf462088d13 | 1530 | Features |
markrad | 0:cdf462088d13 | 1531 | * Parsing of PKCS#8 encrypted private key files |
markrad | 0:cdf462088d13 | 1532 | * PKCS#12 PBE and derivation functions |
markrad | 0:cdf462088d13 | 1533 | * Centralized module option values in config.h to allow user-defined |
markrad | 0:cdf462088d13 | 1534 | settings without editing header files by using POLARSSL_CONFIG_OPTIONS |
markrad | 0:cdf462088d13 | 1535 | |
markrad | 0:cdf462088d13 | 1536 | Changes |
markrad | 0:cdf462088d13 | 1537 | * HAVEGE random generator disabled by default |
markrad | 0:cdf462088d13 | 1538 | * Internally split up x509parse_key() into a (PEM) handler function |
markrad | 0:cdf462088d13 | 1539 | and specific DER parser functions for the PKCS#1 and unencrypted |
markrad | 0:cdf462088d13 | 1540 | PKCS#8 private key formats |
markrad | 0:cdf462088d13 | 1541 | * Added mechanism to provide alternative implementations for all |
markrad | 0:cdf462088d13 | 1542 | symmetric cipher and hash algorithms (e.g. POLARSSL_AES_ALT in |
markrad | 0:cdf462088d13 | 1543 | config.h) |
markrad | 0:cdf462088d13 | 1544 | * PKCS#5 module added. Moved PBKDF2 functionality inside and deprecated |
markrad | 0:cdf462088d13 | 1545 | old PBKDF2 module |
markrad | 0:cdf462088d13 | 1546 | |
markrad | 0:cdf462088d13 | 1547 | Bugfix |
markrad | 0:cdf462088d13 | 1548 | * Secure renegotiation extension should only be sent in case client |
markrad | 0:cdf462088d13 | 1549 | supports secure renegotiation |
markrad | 0:cdf462088d13 | 1550 | * Fixed offset for cert_type list in ssl_parse_certificate_request() |
markrad | 0:cdf462088d13 | 1551 | * Fixed const correctness issues that have no impact on the ABI |
markrad | 0:cdf462088d13 | 1552 | * x509parse_crt() now better handles PEM error situations |
markrad | 0:cdf462088d13 | 1553 | * ssl_parse_certificate() now calls x509parse_crt_der() directly |
markrad | 0:cdf462088d13 | 1554 | instead of the x509parse_crt() wrapper that can also parse PEM |
markrad | 0:cdf462088d13 | 1555 | certificates |
markrad | 0:cdf462088d13 | 1556 | * x509parse_crtpath() is now reentrant and uses more portable stat() |
markrad | 0:cdf462088d13 | 1557 | * Fixed bignum.c and bn_mul.h to support Thumb2 and LLVM compiler |
markrad | 0:cdf462088d13 | 1558 | * Fixed values for 2-key Triple DES in cipher layer |
markrad | 0:cdf462088d13 | 1559 | * ssl_write_certificate_request() can handle empty ca_chain |
markrad | 0:cdf462088d13 | 1560 | |
markrad | 0:cdf462088d13 | 1561 | Security |
markrad | 0:cdf462088d13 | 1562 | * A possible DoS during the SSL Handshake, due to faulty parsing of |
markrad | 0:cdf462088d13 | 1563 | PEM-encoded certificates has been fixed (found by Jack Lloyd) |
markrad | 0:cdf462088d13 | 1564 | |
markrad | 0:cdf462088d13 | 1565 | = Version 1.2.7 released 2013-04-13 |
markrad | 0:cdf462088d13 | 1566 | Features |
markrad | 0:cdf462088d13 | 1567 | * Ability to specify allowed ciphersuites based on the protocol version. |
markrad | 0:cdf462088d13 | 1568 | |
markrad | 0:cdf462088d13 | 1569 | Changes |
markrad | 0:cdf462088d13 | 1570 | * Default Blowfish keysize is now 128-bits |
markrad | 0:cdf462088d13 | 1571 | * Test suites made smaller to accommodate Raspberry Pi |
markrad | 0:cdf462088d13 | 1572 | |
markrad | 0:cdf462088d13 | 1573 | Bugfix |
markrad | 0:cdf462088d13 | 1574 | * Fix for MPI assembly for ARM |
markrad | 0:cdf462088d13 | 1575 | * GCM adapted to support sizes > 2^29 |
markrad | 0:cdf462088d13 | 1576 | |
markrad | 0:cdf462088d13 | 1577 | = Version 1.2.6 released 2013-03-11 |
markrad | 0:cdf462088d13 | 1578 | Bugfix |
markrad | 0:cdf462088d13 | 1579 | * Fixed memory leak in ssl_free() and ssl_reset() for active session |
markrad | 0:cdf462088d13 | 1580 | * Corrected GCM counter incrementation to use only 32-bits instead of |
markrad | 0:cdf462088d13 | 1581 | 128-bits (found by Yawning Angel) |
markrad | 0:cdf462088d13 | 1582 | * Fixes for 64-bit compilation with MS Visual Studio |
markrad | 0:cdf462088d13 | 1583 | * Fixed net_bind() for specified IP addresses on little endian systems |
markrad | 0:cdf462088d13 | 1584 | * Fixed assembly code for ARM (Thumb and regular) for some compilers |
markrad | 0:cdf462088d13 | 1585 | |
markrad | 0:cdf462088d13 | 1586 | Changes |
markrad | 0:cdf462088d13 | 1587 | * Internally split up rsa_pkcs1_encrypt(), rsa_pkcs1_decrypt(), |
markrad | 0:cdf462088d13 | 1588 | rsa_pkcs1_sign() and rsa_pkcs1_verify() to separate PKCS#1 v1.5 and |
markrad | 0:cdf462088d13 | 1589 | PKCS#1 v2.1 functions |
markrad | 0:cdf462088d13 | 1590 | * Added support for custom labels when using rsa_rsaes_oaep_encrypt() |
markrad | 0:cdf462088d13 | 1591 | or rsa_rsaes_oaep_decrypt() |
markrad | 0:cdf462088d13 | 1592 | * Re-added handling for SSLv2 Client Hello when the define |
markrad | 0:cdf462088d13 | 1593 | POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO is set |
markrad | 0:cdf462088d13 | 1594 | * The SSL session cache module (ssl_cache) now also retains peer_cert |
markrad | 0:cdf462088d13 | 1595 | information (not the entire chain) |
markrad | 0:cdf462088d13 | 1596 | |
markrad | 0:cdf462088d13 | 1597 | Security |
markrad | 0:cdf462088d13 | 1598 | * Removed further timing differences during SSL message decryption in |
markrad | 0:cdf462088d13 | 1599 | ssl_decrypt_buf() |
markrad | 0:cdf462088d13 | 1600 | * Removed timing differences due to bad padding from |
markrad | 0:cdf462088d13 | 1601 | rsa_rsaes_pkcs1_v15_decrypt() and rsa_pkcs1_decrypt() for PKCS#1 v1.5 |
markrad | 0:cdf462088d13 | 1602 | operations |
markrad | 0:cdf462088d13 | 1603 | |
markrad | 0:cdf462088d13 | 1604 | = Version 1.2.5 released 2013-02-02 |
markrad | 0:cdf462088d13 | 1605 | Changes |
markrad | 0:cdf462088d13 | 1606 | * Allow enabling of dummy error_strerror() to support some use-cases |
markrad | 0:cdf462088d13 | 1607 | * Debug messages about padding errors during SSL message decryption are |
Jasper Wallace |
2:bbdeda018a3c | 1608 | disabled by default and can be enabled with POLARSSL_SSL_DEBUG_ALL |
markrad | 0:cdf462088d13 | 1609 | * Sending of security-relevant alert messages that do not break |
markrad | 0:cdf462088d13 | 1610 | interoperability can be switched on/off with the flag |
markrad | 0:cdf462088d13 | 1611 | POLARSSL_SSL_ALL_ALERT_MESSAGES |
markrad | 0:cdf462088d13 | 1612 | |
markrad | 0:cdf462088d13 | 1613 | Security |
markrad | 0:cdf462088d13 | 1614 | * Removed timing differences during SSL message decryption in |
markrad | 0:cdf462088d13 | 1615 | ssl_decrypt_buf() due to badly formatted padding |
markrad | 0:cdf462088d13 | 1616 | |
markrad | 0:cdf462088d13 | 1617 | = Version 1.2.4 released 2013-01-25 |
markrad | 0:cdf462088d13 | 1618 | Changes |
markrad | 0:cdf462088d13 | 1619 | * More advanced SSL ciphersuite representation and moved to more dynamic |
markrad | 0:cdf462088d13 | 1620 | SSL core |
markrad | 0:cdf462088d13 | 1621 | * Added ssl_handshake_step() to allow single stepping the handshake process |
markrad | 0:cdf462088d13 | 1622 | |
markrad | 0:cdf462088d13 | 1623 | Bugfix |
markrad | 0:cdf462088d13 | 1624 | * Memory leak when using RSA_PKCS_V21 operations fixed |
markrad | 0:cdf462088d13 | 1625 | * Handle future version properly in ssl_write_certificate_request() |
markrad | 0:cdf462088d13 | 1626 | * Correctly handle CertificateRequest message in client for <= TLS 1.1 |
markrad | 0:cdf462088d13 | 1627 | without DN list |
markrad | 0:cdf462088d13 | 1628 | |
markrad | 0:cdf462088d13 | 1629 | = Version 1.2.3 released 2012-11-26 |
markrad | 0:cdf462088d13 | 1630 | Bugfix |
markrad | 0:cdf462088d13 | 1631 | * Server not always sending correct CertificateRequest message |
markrad | 0:cdf462088d13 | 1632 | |
markrad | 0:cdf462088d13 | 1633 | = Version 1.2.2 released 2012-11-24 |
markrad | 0:cdf462088d13 | 1634 | Changes |
markrad | 0:cdf462088d13 | 1635 | * Added p_hw_data to ssl_context for context specific hardware acceleration |
markrad | 0:cdf462088d13 | 1636 | data |
Jasper Wallace |
2:bbdeda018a3c | 1637 | * During verify trust-CA is only checked for expiration and CRL presence |
markrad | 0:cdf462088d13 | 1638 | |
markrad | 0:cdf462088d13 | 1639 | Bugfixes |
markrad | 0:cdf462088d13 | 1640 | * Fixed client authentication compatibility |
markrad | 0:cdf462088d13 | 1641 | * Fixed dependency on POLARSSL_SHA4_C in SSL modules |
markrad | 0:cdf462088d13 | 1642 | |
markrad | 0:cdf462088d13 | 1643 | = Version 1.2.1 released 2012-11-20 |
markrad | 0:cdf462088d13 | 1644 | Changes |
markrad | 0:cdf462088d13 | 1645 | * Depth that the certificate verify callback receives is now numbered |
markrad | 0:cdf462088d13 | 1646 | bottom-up (Peer cert depth is 0) |
markrad | 0:cdf462088d13 | 1647 | |
markrad | 0:cdf462088d13 | 1648 | Bugfixes |
markrad | 0:cdf462088d13 | 1649 | * Fixes for MSVC6 |
markrad | 0:cdf462088d13 | 1650 | * Moved mpi_inv_mod() outside POLARSSL_GENPRIME |
markrad | 0:cdf462088d13 | 1651 | * Allow R and A to point to same mpi in mpi_div_mpi (found by Manuel |
markrad | 0:cdf462088d13 | 1652 | Pégourié-Gonnard) |
markrad | 0:cdf462088d13 | 1653 | * Fixed possible segfault in mpi_shift_r() (found by Manuel |
markrad | 0:cdf462088d13 | 1654 | Pégourié-Gonnard) |
markrad | 0:cdf462088d13 | 1655 | * Added max length check for rsa_pkcs1_sign with PKCS#1 v2.1 |
markrad | 0:cdf462088d13 | 1656 | |
markrad | 0:cdf462088d13 | 1657 | = Version 1.2.0 released 2012-10-31 |
markrad | 0:cdf462088d13 | 1658 | Features |
markrad | 0:cdf462088d13 | 1659 | * Added support for NULL cipher (POLARSSL_CIPHER_NULL_CIPHER) and weak |
markrad | 0:cdf462088d13 | 1660 | ciphersuites (POLARSSL_ENABLE_WEAK_CIPHERSUITES). They are disabled by |
markrad | 0:cdf462088d13 | 1661 | default! |
markrad | 0:cdf462088d13 | 1662 | * Added support for wildcard certificates |
markrad | 0:cdf462088d13 | 1663 | * Added support for multi-domain certificates through the X509 Subject |
markrad | 0:cdf462088d13 | 1664 | Alternative Name extension |
markrad | 0:cdf462088d13 | 1665 | * Added preliminary ASN.1 buffer writing support |
markrad | 0:cdf462088d13 | 1666 | * Added preliminary X509 Certificate Request writing support |
markrad | 0:cdf462088d13 | 1667 | * Added key_app_writer example application |
markrad | 0:cdf462088d13 | 1668 | * Added cert_req example application |
markrad | 0:cdf462088d13 | 1669 | * Added base Galois Counter Mode (GCM) for AES |
markrad | 0:cdf462088d13 | 1670 | * Added TLS 1.2 support (RFC 5246) |
markrad | 0:cdf462088d13 | 1671 | * Added GCM suites to TLS 1.2 (RFC 5288) |
markrad | 0:cdf462088d13 | 1672 | * Added commandline error code convertor (util/strerror) |
markrad | 0:cdf462088d13 | 1673 | * Added support for Hardware Acceleration hooking in SSL/TLS |
markrad | 0:cdf462088d13 | 1674 | * Added OpenSSL / PolarSSL compatibility script (tests/compat.sh) and |
markrad | 0:cdf462088d13 | 1675 | example application (programs/ssl/o_p_test) (requires OpenSSL) |
markrad | 0:cdf462088d13 | 1676 | * Added X509 CA Path support |
markrad | 0:cdf462088d13 | 1677 | * Added Thumb assembly optimizations |
markrad | 0:cdf462088d13 | 1678 | * Added DEFLATE compression support as per RFC3749 (requires zlib) |
markrad | 0:cdf462088d13 | 1679 | * Added blowfish algorithm (Generic and cipher layer) |
markrad | 0:cdf462088d13 | 1680 | * Added PKCS#5 PBKDF2 key derivation function |
markrad | 0:cdf462088d13 | 1681 | * Added Secure Renegotiation (RFC 5746) |
markrad | 0:cdf462088d13 | 1682 | * Added predefined DHM groups from RFC 5114 |
markrad | 0:cdf462088d13 | 1683 | * Added simple SSL session cache implementation |
markrad | 0:cdf462088d13 | 1684 | * Added ServerName extension parsing (SNI) at server side |
markrad | 0:cdf462088d13 | 1685 | * Added option to add minimum accepted SSL/TLS protocol version |
markrad | 0:cdf462088d13 | 1686 | |
markrad | 0:cdf462088d13 | 1687 | Changes |
markrad | 0:cdf462088d13 | 1688 | * Removed redundant POLARSSL_DEBUG_MSG define |
markrad | 0:cdf462088d13 | 1689 | * AES code only check for Padlock once |
markrad | 0:cdf462088d13 | 1690 | * Fixed const-correctness mpi_get_bit() |
markrad | 0:cdf462088d13 | 1691 | * Documentation for mpi_lsb() and mpi_msb() |
markrad | 0:cdf462088d13 | 1692 | * Moved out_msg to out_hdr + 32 to support hardware acceleration |
markrad | 0:cdf462088d13 | 1693 | * Changed certificate verify behaviour to comply with RFC 6125 section 6.3 |
markrad | 0:cdf462088d13 | 1694 | to not match CN if subjectAltName extension is present (Closes ticket #56) |
markrad | 0:cdf462088d13 | 1695 | * Cipher layer cipher_mode_t POLARSSL_MODE_CFB128 is renamed to |
markrad | 0:cdf462088d13 | 1696 | POLARSSL_MODE_CFB, to also handle different block size CFB modes. |
markrad | 0:cdf462088d13 | 1697 | * Removed handling for SSLv2 Client Hello (as per RFC 5246 recommendation) |
markrad | 0:cdf462088d13 | 1698 | * Revamped session resumption handling |
markrad | 0:cdf462088d13 | 1699 | * Generalized external private key implementation handling (like PKCS#11) |
markrad | 0:cdf462088d13 | 1700 | in SSL/TLS |
markrad | 0:cdf462088d13 | 1701 | * Revamped x509_verify() and the SSL f_vrfy callback implementations |
markrad | 0:cdf462088d13 | 1702 | * Moved from unsigned long to fixed width uint32_t types throughout code |
markrad | 0:cdf462088d13 | 1703 | * Renamed ciphersuites naming scheme to IANA reserved names |
markrad | 0:cdf462088d13 | 1704 | |
markrad | 0:cdf462088d13 | 1705 | Bugfix |
markrad | 0:cdf462088d13 | 1706 | * Fixed handling error in mpi_cmp_mpi() on longer B values (found by |
markrad | 0:cdf462088d13 | 1707 | Hui Dong) |
markrad | 0:cdf462088d13 | 1708 | * Fixed potential heap corruption in x509_name allocation |
markrad | 0:cdf462088d13 | 1709 | * Fixed single RSA test that failed on Big Endian systems (Closes ticket #54) |
markrad | 0:cdf462088d13 | 1710 | * mpi_exp_mod() now correctly handles negative base numbers (Closes ticket |
markrad | 0:cdf462088d13 | 1711 | #52) |
markrad | 0:cdf462088d13 | 1712 | * Handle encryption with private key and decryption with public key as per |
markrad | 0:cdf462088d13 | 1713 | RFC 2313 |
markrad | 0:cdf462088d13 | 1714 | * Handle empty certificate subject names |
markrad | 0:cdf462088d13 | 1715 | * Prevent reading over buffer boundaries on X509 certificate parsing |
markrad | 0:cdf462088d13 | 1716 | * mpi_add_abs() now correctly handles adding short numbers to long numbers |
markrad | 0:cdf462088d13 | 1717 | with carry rollover (found by Ruslan Yushchenko) |
markrad | 0:cdf462088d13 | 1718 | * Handle existence of OpenSSL Trust Extensions at end of X.509 DER blob |
markrad | 0:cdf462088d13 | 1719 | * Fixed MPI assembly for SPARC64 platform |
markrad | 0:cdf462088d13 | 1720 | |
markrad | 0:cdf462088d13 | 1721 | Security |
markrad | 0:cdf462088d13 | 1722 | * Fixed potential memory zeroization on miscrafted RSA key (found by Eloi |
markrad | 0:cdf462088d13 | 1723 | Vanderbeken) |
markrad | 0:cdf462088d13 | 1724 | |
markrad | 0:cdf462088d13 | 1725 | = Version 1.1.8 released on 2013-10-01 |
markrad | 0:cdf462088d13 | 1726 | Bugfix |
markrad | 0:cdf462088d13 | 1727 | * Fixed potential memory leak when failing to resume a session |
markrad | 0:cdf462088d13 | 1728 | * Fixed potential file descriptor leaks |
markrad | 0:cdf462088d13 | 1729 | |
markrad | 0:cdf462088d13 | 1730 | Security |
markrad | 0:cdf462088d13 | 1731 | * Potential buffer-overflow for ssl_read_record() (independently found by |
markrad | 0:cdf462088d13 | 1732 | both TrustInSoft and Paul Brodeur of Leviathan Security Group) |
markrad | 0:cdf462088d13 | 1733 | * Potential negative value misinterpretation in load_file() |
markrad | 0:cdf462088d13 | 1734 | * Potential heap buffer overflow on large hostname setting |
markrad | 0:cdf462088d13 | 1735 | |
markrad | 0:cdf462088d13 | 1736 | = Version 1.1.7 released on 2013-06-19 |
markrad | 0:cdf462088d13 | 1737 | Changes |
markrad | 0:cdf462088d13 | 1738 | * HAVEGE random generator disabled by default |
markrad | 0:cdf462088d13 | 1739 | |
markrad | 0:cdf462088d13 | 1740 | Bugfix |
markrad | 0:cdf462088d13 | 1741 | * x509parse_crt() now better handles PEM error situations |
markrad | 0:cdf462088d13 | 1742 | * ssl_parse_certificate() now calls x509parse_crt_der() directly |
markrad | 0:cdf462088d13 | 1743 | instead of the x509parse_crt() wrapper that can also parse PEM |
markrad | 0:cdf462088d13 | 1744 | certificates |
markrad | 0:cdf462088d13 | 1745 | * Fixed values for 2-key Triple DES in cipher layer |
markrad | 0:cdf462088d13 | 1746 | * ssl_write_certificate_request() can handle empty ca_chain |
markrad | 0:cdf462088d13 | 1747 | |
markrad | 0:cdf462088d13 | 1748 | Security |
markrad | 0:cdf462088d13 | 1749 | * A possible DoS during the SSL Handshake, due to faulty parsing of |
markrad | 0:cdf462088d13 | 1750 | PEM-encoded certificates has been fixed (found by Jack Lloyd) |
markrad | 0:cdf462088d13 | 1751 | |
markrad | 0:cdf462088d13 | 1752 | = Version 1.1.6 released on 2013-03-11 |
markrad | 0:cdf462088d13 | 1753 | Bugfix |
markrad | 0:cdf462088d13 | 1754 | * Fixed net_bind() for specified IP addresses on little endian systems |
markrad | 0:cdf462088d13 | 1755 | |
markrad | 0:cdf462088d13 | 1756 | Changes |
markrad | 0:cdf462088d13 | 1757 | * Allow enabling of dummy error_strerror() to support some use-cases |
markrad | 0:cdf462088d13 | 1758 | * Debug messages about padding errors during SSL message decryption are |
markrad | 0:cdf462088d13 | 1759 | disabled by default and can be enabled with POLARSSL_SSL_DEBUG_ALL |
markrad | 0:cdf462088d13 | 1760 | |
markrad | 0:cdf462088d13 | 1761 | Security |
markrad | 0:cdf462088d13 | 1762 | * Removed timing differences during SSL message decryption in |
markrad | 0:cdf462088d13 | 1763 | ssl_decrypt_buf() |
markrad | 0:cdf462088d13 | 1764 | * Removed timing differences due to bad padding from |
markrad | 0:cdf462088d13 | 1765 | rsa_rsaes_pkcs1_v15_decrypt() and rsa_pkcs1_decrypt() for PKCS#1 v1.5 |
markrad | 0:cdf462088d13 | 1766 | operations |
markrad | 0:cdf462088d13 | 1767 | |
markrad | 0:cdf462088d13 | 1768 | = Version 1.1.5 released on 2013-01-16 |
markrad | 0:cdf462088d13 | 1769 | Bugfix |
markrad | 0:cdf462088d13 | 1770 | * Fixed MPI assembly for SPARC64 platform |
markrad | 0:cdf462088d13 | 1771 | * Handle existence of OpenSSL Trust Extensions at end of X.509 DER blob |
markrad | 0:cdf462088d13 | 1772 | * mpi_add_abs() now correctly handles adding short numbers to long numbers |
markrad | 0:cdf462088d13 | 1773 | with carry rollover |
markrad | 0:cdf462088d13 | 1774 | * Moved mpi_inv_mod() outside POLARSSL_GENPRIME |
markrad | 0:cdf462088d13 | 1775 | * Prevent reading over buffer boundaries on X509 certificate parsing |
markrad | 0:cdf462088d13 | 1776 | * mpi_exp_mod() now correctly handles negative base numbers (Closes ticket |
markrad | 0:cdf462088d13 | 1777 | #52) |
markrad | 0:cdf462088d13 | 1778 | * Fixed possible segfault in mpi_shift_r() (found by Manuel |
markrad | 0:cdf462088d13 | 1779 | Pégourié-Gonnard) |
markrad | 0:cdf462088d13 | 1780 | * Allow R and A to point to same mpi in mpi_div_mpi (found by Manuel |
markrad | 0:cdf462088d13 | 1781 | Pégourié-Gonnard) |
markrad | 0:cdf462088d13 | 1782 | * Added max length check for rsa_pkcs1_sign with PKCS#1 v2.1 |
markrad | 0:cdf462088d13 | 1783 | * Memory leak when using RSA_PKCS_V21 operations fixed |
markrad | 0:cdf462088d13 | 1784 | * Handle encryption with private key and decryption with public key as per |
markrad | 0:cdf462088d13 | 1785 | RFC 2313 |
markrad | 0:cdf462088d13 | 1786 | * Fixes for MSVC6 |
markrad | 0:cdf462088d13 | 1787 | |
markrad | 0:cdf462088d13 | 1788 | Security |
markrad | 0:cdf462088d13 | 1789 | * Fixed potential memory zeroization on miscrafted RSA key (found by Eloi |
markrad | 0:cdf462088d13 | 1790 | Vanderbeken) |
markrad | 0:cdf462088d13 | 1791 | |
markrad | 0:cdf462088d13 | 1792 | = Version 1.1.4 released on 2012-05-31 |
markrad | 0:cdf462088d13 | 1793 | Bugfix |
markrad | 0:cdf462088d13 | 1794 | * Correctly handle empty SSL/TLS packets (Found by James Yonan) |
markrad | 0:cdf462088d13 | 1795 | * Fixed potential heap corruption in x509_name allocation |
markrad | 0:cdf462088d13 | 1796 | * Fixed single RSA test that failed on Big Endian systems (Closes ticket #54) |
markrad | 0:cdf462088d13 | 1797 | |
markrad | 0:cdf462088d13 | 1798 | = Version 1.1.3 released on 2012-04-29 |
markrad | 0:cdf462088d13 | 1799 | Bugfix |
markrad | 0:cdf462088d13 | 1800 | * Fixed random MPI generation to not generate more size than requested. |
markrad | 0:cdf462088d13 | 1801 | |
markrad | 0:cdf462088d13 | 1802 | = Version 1.1.2 released on 2012-04-26 |
markrad | 0:cdf462088d13 | 1803 | Bugfix |
markrad | 0:cdf462088d13 | 1804 | * Fixed handling error in mpi_cmp_mpi() on longer B values (found by |
markrad | 0:cdf462088d13 | 1805 | Hui Dong) |
markrad | 0:cdf462088d13 | 1806 | |
markrad | 0:cdf462088d13 | 1807 | Security |
markrad | 0:cdf462088d13 | 1808 | * Fixed potential memory corruption on miscrafted client messages (found by |
markrad | 0:cdf462088d13 | 1809 | Frama-C team at CEA LIST) |
markrad | 0:cdf462088d13 | 1810 | * Fixed generation of DHM parameters to correct length (found by Ruslan |
markrad | 0:cdf462088d13 | 1811 | Yushchenko) |
markrad | 0:cdf462088d13 | 1812 | |
markrad | 0:cdf462088d13 | 1813 | = Version 1.1.1 released on 2012-01-23 |
markrad | 0:cdf462088d13 | 1814 | Bugfix |
markrad | 0:cdf462088d13 | 1815 | * Check for failed malloc() in ssl_set_hostname() and x509_get_entries() |
markrad | 0:cdf462088d13 | 1816 | (Closes ticket #47, found by Hugo Leisink) |
markrad | 0:cdf462088d13 | 1817 | * Fixed issues with Intel compiler on 64-bit systems (Closes ticket #50) |
markrad | 0:cdf462088d13 | 1818 | * Fixed multiple compiler warnings for VS6 and armcc |
markrad | 0:cdf462088d13 | 1819 | * Fixed bug in CTR_CRBG selftest |
markrad | 0:cdf462088d13 | 1820 | |
markrad | 0:cdf462088d13 | 1821 | = Version 1.1.0 released on 2011-12-22 |
markrad | 0:cdf462088d13 | 1822 | Features |
markrad | 0:cdf462088d13 | 1823 | * Added ssl_session_reset() to allow better multi-connection pools of |
markrad | 0:cdf462088d13 | 1824 | SSL contexts without needing to set all non-connection-specific |
markrad | 0:cdf462088d13 | 1825 | data and pointers again. Adapted ssl_server to use this functionality. |
markrad | 0:cdf462088d13 | 1826 | * Added ssl_set_max_version() to allow clients to offer a lower maximum |
markrad | 0:cdf462088d13 | 1827 | supported version to a server to help buggy server implementations. |
markrad | 0:cdf462088d13 | 1828 | (Closes ticket #36) |
markrad | 0:cdf462088d13 | 1829 | * Added cipher_get_cipher_mode() and cipher_get_cipher_operation() |
markrad | 0:cdf462088d13 | 1830 | introspection functions (Closes ticket #40) |
markrad | 0:cdf462088d13 | 1831 | * Added CTR_DRBG based on AES-256-CTR (NIST SP 800-90) random generator |
markrad | 0:cdf462088d13 | 1832 | * Added a generic entropy accumulator that provides support for adding |
markrad | 0:cdf462088d13 | 1833 | custom entropy sources and added some generic and platform dependent |
markrad | 0:cdf462088d13 | 1834 | entropy sources |
markrad | 0:cdf462088d13 | 1835 | |
markrad | 0:cdf462088d13 | 1836 | Changes |
markrad | 0:cdf462088d13 | 1837 | * Documentation for AES and Camellia in modes CTR and CFB128 clarified. |
markrad | 0:cdf462088d13 | 1838 | * Fixed rsa_encrypt and rsa_decrypt examples to use public key for |
markrad | 0:cdf462088d13 | 1839 | encryption and private key for decryption. (Closes ticket #34) |
markrad | 0:cdf462088d13 | 1840 | * Inceased maximum size of ASN1 length reads to 32-bits. |
markrad | 0:cdf462088d13 | 1841 | * Added an EXPLICIT tag number parameter to x509_get_ext() |
markrad | 0:cdf462088d13 | 1842 | * Added a separate CRL entry extension parsing function |
markrad | 0:cdf462088d13 | 1843 | * Separated the ASN.1 parsing code from the X.509 specific parsing code. |
markrad | 0:cdf462088d13 | 1844 | So now there is a module that is controlled with POLARSSL_ASN1_PARSE_C. |
markrad | 0:cdf462088d13 | 1845 | * Changed the defined key-length of DES ciphers in cipher.h to include the |
markrad | 0:cdf462088d13 | 1846 | parity bits, to prevent mistakes in copying data. (Closes ticket #33) |
markrad | 0:cdf462088d13 | 1847 | * Loads of minimal changes to better support WINCE as a build target |
markrad | 0:cdf462088d13 | 1848 | (Credits go to Marco Lizza) |
markrad | 0:cdf462088d13 | 1849 | * Added POLARSSL_MPI_WINDOW_SIZE definition to allow easier time to memory |
markrad | 0:cdf462088d13 | 1850 | trade-off |
markrad | 0:cdf462088d13 | 1851 | * Introduced POLARSSL_MPI_MAX_SIZE and POLARSSL_MPI_MAX_BITS for MPI size |
markrad | 0:cdf462088d13 | 1852 | management (Closes ticket #44) |
markrad | 0:cdf462088d13 | 1853 | * Changed the used random function pointer to more flexible format. Renamed |
markrad | 0:cdf462088d13 | 1854 | havege_rand() to havege_random() to prevent mistakes. Lots of changes as |
markrad | 0:cdf462088d13 | 1855 | a consequence in library code and programs |
markrad | 0:cdf462088d13 | 1856 | * Moved all examples programs to use the new entropy and CTR_DRBG |
markrad | 0:cdf462088d13 | 1857 | * Added permissive certificate parsing to x509parse_crt() and |
markrad | 0:cdf462088d13 | 1858 | x509parse_crtfile(). With permissive parsing the parsing does not stop on |
markrad | 0:cdf462088d13 | 1859 | encountering a parse-error. Beware that the meaning of return values has |
markrad | 0:cdf462088d13 | 1860 | changed! |
markrad | 0:cdf462088d13 | 1861 | * All error codes are now negative. Even on mermory failures and IO errors. |
markrad | 0:cdf462088d13 | 1862 | |
markrad | 0:cdf462088d13 | 1863 | Bugfix |
markrad | 0:cdf462088d13 | 1864 | * Fixed faulty HMAC-MD2 implementation. Found by dibac. (Closes |
markrad | 0:cdf462088d13 | 1865 | ticket #37) |
markrad | 0:cdf462088d13 | 1866 | * Fixed a bug where the CRL parser expected an EXPLICIT ASN.1 tag |
markrad | 0:cdf462088d13 | 1867 | before version numbers |
markrad | 0:cdf462088d13 | 1868 | * Allowed X509 key usage parsing to accept 4 byte values instead of the |
markrad | 0:cdf462088d13 | 1869 | standard 1 byte version sometimes used by Microsoft. (Closes ticket #38) |
markrad | 0:cdf462088d13 | 1870 | * Fixed incorrect behaviour in case of RSASSA-PSS with a salt length |
markrad | 0:cdf462088d13 | 1871 | smaller than the hash length. (Closes ticket #41) |
markrad | 0:cdf462088d13 | 1872 | * If certificate serial is longer than 32 octets, serial number is now |
markrad | 0:cdf462088d13 | 1873 | appended with '....' after first 28 octets |
markrad | 0:cdf462088d13 | 1874 | * Improved build support for s390x and sparc64 in bignum.h |
markrad | 0:cdf462088d13 | 1875 | * Fixed MS Visual C++ name clash with int64 in sha4.h |
markrad | 0:cdf462088d13 | 1876 | * Corrected removal of leading "00:" in printing serial numbers in |
markrad | 0:cdf462088d13 | 1877 | certificates and CRLs |
markrad | 0:cdf462088d13 | 1878 | |
markrad | 0:cdf462088d13 | 1879 | = Version 1.0.0 released on 2011-07-27 |
markrad | 0:cdf462088d13 | 1880 | Features |
markrad | 0:cdf462088d13 | 1881 | * Expanded cipher layer with support for CFB128 and CTR mode |
markrad | 0:cdf462088d13 | 1882 | * Added rsa_encrypt and rsa_decrypt simple example programs. |
markrad | 0:cdf462088d13 | 1883 | |
markrad | 0:cdf462088d13 | 1884 | Changes |
markrad | 0:cdf462088d13 | 1885 | * The generic cipher and message digest layer now have normal error |
markrad | 0:cdf462088d13 | 1886 | codes instead of integers |
markrad | 0:cdf462088d13 | 1887 | |
markrad | 0:cdf462088d13 | 1888 | Bugfix |
markrad | 0:cdf462088d13 | 1889 | * Undid faulty bug fix in ssl_write() when flushing old data (Ticket |
markrad | 0:cdf462088d13 | 1890 | #18) |
markrad | 0:cdf462088d13 | 1891 | |
markrad | 0:cdf462088d13 | 1892 | = Version 0.99-pre5 released on 2011-05-26 |
markrad | 0:cdf462088d13 | 1893 | Features |
markrad | 0:cdf462088d13 | 1894 | * Added additional Cipher Block Modes to symmetric ciphers |
markrad | 0:cdf462088d13 | 1895 | (AES CTR, Camellia CTR, XTEA CBC) including the option to |
markrad | 0:cdf462088d13 | 1896 | enable and disable individual modes when needed |
markrad | 0:cdf462088d13 | 1897 | * Functions requiring File System functions can now be disabled |
markrad | 0:cdf462088d13 | 1898 | by undefining POLARSSL_FS_IO |
markrad | 0:cdf462088d13 | 1899 | * A error_strerror function() has been added to translate between |
markrad | 0:cdf462088d13 | 1900 | error codes and their description. |
markrad | 0:cdf462088d13 | 1901 | * Added mpi_get_bit() and mpi_set_bit() individual bit setter/getter |
markrad | 0:cdf462088d13 | 1902 | functions. |
markrad | 0:cdf462088d13 | 1903 | * Added ssl_mail_client and ssl_fork_server as example programs. |
markrad | 0:cdf462088d13 | 1904 | |
markrad | 0:cdf462088d13 | 1905 | Changes |
markrad | 0:cdf462088d13 | 1906 | * Major argument / variable rewrite. Introduced use of size_t |
markrad | 0:cdf462088d13 | 1907 | instead of int for buffer lengths and loop variables for |
markrad | 0:cdf462088d13 | 1908 | better unsigned / signed use. Renamed internal bigint types |
markrad | 0:cdf462088d13 | 1909 | t_int and t_dbl to t_uint and t_udbl in the process |
markrad | 0:cdf462088d13 | 1910 | * mpi_init() and mpi_free() now only accept a single MPI |
markrad | 0:cdf462088d13 | 1911 | argument and do not accept variable argument lists anymore. |
markrad | 0:cdf462088d13 | 1912 | * The error codes have been remapped and combining error codes |
markrad | 0:cdf462088d13 | 1913 | is now done with a PLUS instead of an OR as error codes |
markrad | 0:cdf462088d13 | 1914 | used are negative. |
markrad | 0:cdf462088d13 | 1915 | * Changed behaviour of net_read(), ssl_fetch_input() and ssl_recv(). |
markrad | 0:cdf462088d13 | 1916 | net_recv() now returns 0 on EOF instead of |
markrad | 0:cdf462088d13 | 1917 | POLARSSL_ERR_NET_CONN_RESET. ssl_fetch_input() returns |
markrad | 0:cdf462088d13 | 1918 | POLARSSL_ERR_SSL_CONN_EOF on an EOF from its f_recv() function. |
markrad | 0:cdf462088d13 | 1919 | ssl_read() returns 0 if a POLARSSL_ERR_SSL_CONN_EOF is received |
markrad | 0:cdf462088d13 | 1920 | after the handshake. |
markrad | 0:cdf462088d13 | 1921 | * Network functions now return POLARSSL_ERR_NET_WANT_READ or |
markrad | 0:cdf462088d13 | 1922 | POLARSSL_ERR_NET_WANT_WRITE instead of the ambiguous |
markrad | 0:cdf462088d13 | 1923 | POLARSSL_ERR_NET_TRY_AGAIN |
markrad | 0:cdf462088d13 | 1924 | |
markrad | 0:cdf462088d13 | 1925 | = Version 0.99-pre4 released on 2011-04-01 |
markrad | 0:cdf462088d13 | 1926 | Features |
markrad | 0:cdf462088d13 | 1927 | * Added support for PKCS#1 v2.1 encoding and thus support |
markrad | 0:cdf462088d13 | 1928 | for the RSAES-OAEP and RSASSA-PSS operations. |
markrad | 0:cdf462088d13 | 1929 | * Reading of Public Key files incorporated into default x509 |
markrad | 0:cdf462088d13 | 1930 | functionality as well. |
markrad | 0:cdf462088d13 | 1931 | * Added mpi_fill_random() for centralized filling of big numbers |
markrad | 0:cdf462088d13 | 1932 | with random data (Fixed ticket #10) |
markrad | 0:cdf462088d13 | 1933 | |
markrad | 0:cdf462088d13 | 1934 | Changes |
Jasper Wallace |
2:bbdeda018a3c | 1935 | * Debug print of MPI now removes leading zero octets and |
markrad | 0:cdf462088d13 | 1936 | displays actual bit size of the value. |
Jasper Wallace |
2:bbdeda018a3c | 1937 | * x509parse_key() (and as a consequence x509parse_keyfile()) |
markrad | 0:cdf462088d13 | 1938 | does not zeroize memory in advance anymore. Use rsa_init() |
markrad | 0:cdf462088d13 | 1939 | before parsing a key or keyfile! |
markrad | 0:cdf462088d13 | 1940 | |
markrad | 0:cdf462088d13 | 1941 | Bugfix |
markrad | 0:cdf462088d13 | 1942 | * Debug output of MPI's now the same independent of underlying |
markrad | 0:cdf462088d13 | 1943 | platform (32-bit / 64-bit) (Fixes ticket #19, found by Mads |
markrad | 0:cdf462088d13 | 1944 | Kiilerich and Mihai Militaru) |
markrad | 0:cdf462088d13 | 1945 | * Fixed bug in ssl_write() when flushing old data (Fixed ticket |
markrad | 0:cdf462088d13 | 1946 | #18, found by Nikolay Epifanov) |
markrad | 0:cdf462088d13 | 1947 | * Fixed proper handling of RSASSA-PSS verification with variable |
markrad | 0:cdf462088d13 | 1948 | length salt lengths |
markrad | 0:cdf462088d13 | 1949 | |
markrad | 0:cdf462088d13 | 1950 | = Version 0.99-pre3 released on 2011-02-28 |
markrad | 0:cdf462088d13 | 1951 | This release replaces version 0.99-pre2 which had possible copyright issues. |
markrad | 0:cdf462088d13 | 1952 | Features |
markrad | 0:cdf462088d13 | 1953 | * Parsing PEM private keys encrypted with DES and AES |
markrad | 0:cdf462088d13 | 1954 | are now supported as well (Fixes ticket #5) |
markrad | 0:cdf462088d13 | 1955 | * Added crl_app program to allow easy reading and |
markrad | 0:cdf462088d13 | 1956 | printing of X509 CRLs from file |
markrad | 0:cdf462088d13 | 1957 | |
markrad | 0:cdf462088d13 | 1958 | Changes |
Jasper Wallace |
2:bbdeda018a3c | 1959 | * Parsing of PEM files moved to separate module (Fixes |
markrad | 0:cdf462088d13 | 1960 | ticket #13). Also possible to remove PEM support for |
markrad | 0:cdf462088d13 | 1961 | systems only using DER encoding |
markrad | 0:cdf462088d13 | 1962 | |
markrad | 0:cdf462088d13 | 1963 | Bugfixes |
markrad | 0:cdf462088d13 | 1964 | * Corrected parsing of UTCTime dates before 1990 and |
markrad | 0:cdf462088d13 | 1965 | after 1950 |
markrad | 0:cdf462088d13 | 1966 | * Support more exotic OID's when parsing certificates |
markrad | 0:cdf462088d13 | 1967 | (found by Mads Kiilerich) |
markrad | 0:cdf462088d13 | 1968 | * Support more exotic name representations when parsing |
markrad | 0:cdf462088d13 | 1969 | certificates (found by Mads Kiilerich) |
markrad | 0:cdf462088d13 | 1970 | * Replaced the expired test certificates |
markrad | 0:cdf462088d13 | 1971 | * Do not bail out if no client certificate specified. Try |
markrad | 0:cdf462088d13 | 1972 | to negotiate anonymous connection (Fixes ticket #12, |
markrad | 0:cdf462088d13 | 1973 | found by Boris Krasnovskiy) |
markrad | 0:cdf462088d13 | 1974 | |
markrad | 0:cdf462088d13 | 1975 | Security fixes |
markrad | 0:cdf462088d13 | 1976 | * Fixed a possible Man-in-the-Middle attack on the |
markrad | 0:cdf462088d13 | 1977 | Diffie Hellman key exchange (thanks to Larry Highsmith, |
markrad | 0:cdf462088d13 | 1978 | Subreption LLC) |
markrad | 0:cdf462088d13 | 1979 | |
markrad | 0:cdf462088d13 | 1980 | = Version 0.99-pre1 released on 2011-01-30 |
markrad | 0:cdf462088d13 | 1981 | Features |
markrad | 0:cdf462088d13 | 1982 | Note: Most of these features have been donated by Fox-IT |
markrad | 0:cdf462088d13 | 1983 | * Added Doxygen source code documentation parts |
markrad | 0:cdf462088d13 | 1984 | * Added reading of DHM context from memory and file |
markrad | 0:cdf462088d13 | 1985 | * Improved X509 certificate parsing to include extended |
markrad | 0:cdf462088d13 | 1986 | certificate fields, including Key Usage |
markrad | 0:cdf462088d13 | 1987 | * Improved certificate verification and verification |
markrad | 0:cdf462088d13 | 1988 | against the available CRLs |
markrad | 0:cdf462088d13 | 1989 | * Detection for DES weak keys and parity bits added |
markrad | 0:cdf462088d13 | 1990 | * Improvements to support integration in other |
markrad | 0:cdf462088d13 | 1991 | applications: |
markrad | 0:cdf462088d13 | 1992 | + Added generic message digest and cipher wrapper |
markrad | 0:cdf462088d13 | 1993 | + Improved information about current capabilities, |
markrad | 0:cdf462088d13 | 1994 | status, objects and configuration |
markrad | 0:cdf462088d13 | 1995 | + Added verification callback on certificate chain |
markrad | 0:cdf462088d13 | 1996 | verification to allow external blacklisting |
markrad | 0:cdf462088d13 | 1997 | + Additional example programs to show usage |
markrad | 0:cdf462088d13 | 1998 | * Added support for PKCS#11 through the use of the |
markrad | 0:cdf462088d13 | 1999 | libpkcs11-helper library |
markrad | 0:cdf462088d13 | 2000 | |
markrad | 0:cdf462088d13 | 2001 | Changes |
markrad | 0:cdf462088d13 | 2002 | * x509parse_time_expired() checks time in addition to |
markrad | 0:cdf462088d13 | 2003 | the existing date check |
markrad | 0:cdf462088d13 | 2004 | * The ciphers member of ssl_context and the cipher member |
markrad | 0:cdf462088d13 | 2005 | of ssl_session have been renamed to ciphersuites and |
markrad | 0:cdf462088d13 | 2006 | ciphersuite respectively. This clarifies the difference |
markrad | 0:cdf462088d13 | 2007 | with the generic cipher layer and is better naming |
markrad | 0:cdf462088d13 | 2008 | altogether |
markrad | 0:cdf462088d13 | 2009 | |
markrad | 0:cdf462088d13 | 2010 | = Version 0.14.0 released on 2010-08-16 |
markrad | 0:cdf462088d13 | 2011 | Features |
markrad | 0:cdf462088d13 | 2012 | * Added support for SSL_EDH_RSA_AES_128_SHA and |
markrad | 0:cdf462088d13 | 2013 | SSL_EDH_RSA_CAMELLIA_128_SHA ciphersuites |
markrad | 0:cdf462088d13 | 2014 | * Added compile-time and run-time version information |
markrad | 0:cdf462088d13 | 2015 | * Expanded ssl_client2 arguments for more flexibility |
markrad | 0:cdf462088d13 | 2016 | * Added support for TLS v1.1 |
markrad | 0:cdf462088d13 | 2017 | |
markrad | 0:cdf462088d13 | 2018 | Changes |
markrad | 0:cdf462088d13 | 2019 | * Made Makefile cleaner |
markrad | 0:cdf462088d13 | 2020 | * Removed dependency on rand() in rsa_pkcs1_encrypt(). |
markrad | 0:cdf462088d13 | 2021 | Now using random fuction provided to function and |
markrad | 0:cdf462088d13 | 2022 | changed the prototype of rsa_pkcs1_encrypt(), |
markrad | 0:cdf462088d13 | 2023 | rsa_init() and rsa_gen_key(). |
markrad | 0:cdf462088d13 | 2024 | * Some SSL defines were renamed in order to avoid |
markrad | 0:cdf462088d13 | 2025 | future confusion |
markrad | 0:cdf462088d13 | 2026 | |
markrad | 0:cdf462088d13 | 2027 | Bug fixes |
markrad | 0:cdf462088d13 | 2028 | * Fixed CMake out of source build for tests (found by |
markrad | 0:cdf462088d13 | 2029 | kkert) |
markrad | 0:cdf462088d13 | 2030 | * rsa_check_private() now supports PKCS1v2 keys as well |
markrad | 0:cdf462088d13 | 2031 | * Fixed deadlock in rsa_pkcs1_encrypt() on failing random |
markrad | 0:cdf462088d13 | 2032 | generator |
markrad | 0:cdf462088d13 | 2033 | |
markrad | 0:cdf462088d13 | 2034 | = Version 0.13.1 released on 2010-03-24 |
markrad | 0:cdf462088d13 | 2035 | Bug fixes |
markrad | 0:cdf462088d13 | 2036 | * Fixed Makefile in library that was mistakenly merged |
markrad | 0:cdf462088d13 | 2037 | * Added missing const string fixes |
markrad | 0:cdf462088d13 | 2038 | |
markrad | 0:cdf462088d13 | 2039 | = Version 0.13.0 released on 2010-03-21 |
markrad | 0:cdf462088d13 | 2040 | Features |
markrad | 0:cdf462088d13 | 2041 | * Added option parsing for host and port selection to |
markrad | 0:cdf462088d13 | 2042 | ssl_client2 |
markrad | 0:cdf462088d13 | 2043 | * Added support for GeneralizedTime in X509 parsing |
markrad | 0:cdf462088d13 | 2044 | * Added cert_app program to allow easy reading and |
markrad | 0:cdf462088d13 | 2045 | printing of X509 certificates from file or SSL |
markrad | 0:cdf462088d13 | 2046 | connection. |
markrad | 0:cdf462088d13 | 2047 | |
markrad | 0:cdf462088d13 | 2048 | Changes |
markrad | 0:cdf462088d13 | 2049 | * Added const correctness for main code base |
markrad | 0:cdf462088d13 | 2050 | * X509 signature algorithm determination is now |
markrad | 0:cdf462088d13 | 2051 | in a function to allow easy future expansion |
markrad | 0:cdf462088d13 | 2052 | * Changed symmetric cipher functions to |
markrad | 0:cdf462088d13 | 2053 | identical interface (returning int result values) |
markrad | 0:cdf462088d13 | 2054 | * Changed ARC4 to use separate input/output buffer |
markrad | 0:cdf462088d13 | 2055 | * Added reset function for HMAC context as speed-up |
markrad | 0:cdf462088d13 | 2056 | for specific use-cases |
markrad | 0:cdf462088d13 | 2057 | |
markrad | 0:cdf462088d13 | 2058 | Bug fixes |
markrad | 0:cdf462088d13 | 2059 | * Fixed bug resulting in failure to send the last |
markrad | 0:cdf462088d13 | 2060 | certificate in the chain in ssl_write_certificate() and |
markrad | 0:cdf462088d13 | 2061 | ssl_write_certificate_request() (found by fatbob) |
markrad | 0:cdf462088d13 | 2062 | * Added small fixes for compiler warnings on a Mac |
markrad | 0:cdf462088d13 | 2063 | (found by Frank de Brabander) |
markrad | 0:cdf462088d13 | 2064 | * Fixed algorithmic bug in mpi_is_prime() (found by |
markrad | 0:cdf462088d13 | 2065 | Smbat Tonoyan) |
markrad | 0:cdf462088d13 | 2066 | |
markrad | 0:cdf462088d13 | 2067 | = Version 0.12.1 released on 2009-10-04 |
markrad | 0:cdf462088d13 | 2068 | Changes |
markrad | 0:cdf462088d13 | 2069 | * Coverage test definitions now support 'depends_on' |
markrad | 0:cdf462088d13 | 2070 | tagging system. |
markrad | 0:cdf462088d13 | 2071 | * Tests requiring specific hashing algorithms now honor |
markrad | 0:cdf462088d13 | 2072 | the defines. |
markrad | 0:cdf462088d13 | 2073 | |
markrad | 0:cdf462088d13 | 2074 | Bug fixes |
markrad | 0:cdf462088d13 | 2075 | * Changed typo in #ifdef in x509parse.c (found |
markrad | 0:cdf462088d13 | 2076 | by Eduardo) |
markrad | 0:cdf462088d13 | 2077 | |
markrad | 0:cdf462088d13 | 2078 | = Version 0.12.0 released on 2009-07-28 |
markrad | 0:cdf462088d13 | 2079 | Features |
markrad | 0:cdf462088d13 | 2080 | * Added CMake makefiles as alternative to regular Makefiles. |
markrad | 0:cdf462088d13 | 2081 | * Added preliminary Code Coverage tests for AES, ARC4, |
markrad | 0:cdf462088d13 | 2082 | Base64, MPI, SHA-family, MD-family, HMAC-SHA-family, |
markrad | 0:cdf462088d13 | 2083 | Camellia, DES, 3-DES, RSA PKCS#1, XTEA, Diffie-Hellman |
markrad | 0:cdf462088d13 | 2084 | and X509parse. |
markrad | 0:cdf462088d13 | 2085 | |
markrad | 0:cdf462088d13 | 2086 | Changes |
markrad | 0:cdf462088d13 | 2087 | * Error codes are not (necessarily) negative. Keep |
markrad | 0:cdf462088d13 | 2088 | this is mind when checking for errors. |
markrad | 0:cdf462088d13 | 2089 | * RSA_RAW renamed to SIG_RSA_RAW for consistency. |
markrad | 0:cdf462088d13 | 2090 | * Fixed typo in name of POLARSSL_ERR_RSA_OUTPUT_TOO_LARGE. |
markrad | 0:cdf462088d13 | 2091 | * Changed interface for AES and Camellia setkey functions |
markrad | 0:cdf462088d13 | 2092 | to indicate invalid key lengths. |
markrad | 0:cdf462088d13 | 2093 | |
markrad | 0:cdf462088d13 | 2094 | Bug fixes |
markrad | 0:cdf462088d13 | 2095 | * Fixed include location of endian.h on FreeBSD (found by |
markrad | 0:cdf462088d13 | 2096 | Gabriel) |
markrad | 0:cdf462088d13 | 2097 | * Fixed include location of endian.h and name clash on |
markrad | 0:cdf462088d13 | 2098 | Apples (found by Martin van Hensbergen) |
markrad | 0:cdf462088d13 | 2099 | * Fixed HMAC-MD2 by modifying md2_starts(), so that the |
markrad | 0:cdf462088d13 | 2100 | required HMAC ipad and opad variables are not cleared. |
markrad | 0:cdf462088d13 | 2101 | (found by code coverage tests) |
Jasper Wallace |
2:bbdeda018a3c | 2102 | * Prevented use of long long in bignum if |
markrad | 0:cdf462088d13 | 2103 | POLARSSL_HAVE_LONGLONG not defined (found by Giles |
markrad | 0:cdf462088d13 | 2104 | Bathgate). |
markrad | 0:cdf462088d13 | 2105 | * Fixed incorrect handling of negative strings in |
markrad | 0:cdf462088d13 | 2106 | mpi_read_string() (found by code coverage tests). |
markrad | 0:cdf462088d13 | 2107 | * Fixed segfault on handling empty rsa_context in |
markrad | 0:cdf462088d13 | 2108 | rsa_check_pubkey() and rsa_check_privkey() (found by |
markrad | 0:cdf462088d13 | 2109 | code coverage tests). |
markrad | 0:cdf462088d13 | 2110 | * Fixed incorrect handling of one single negative input |
markrad | 0:cdf462088d13 | 2111 | value in mpi_add_abs() (found by code coverage tests). |
markrad | 0:cdf462088d13 | 2112 | * Fixed incorrect handling of negative first input |
markrad | 0:cdf462088d13 | 2113 | value in mpi_sub_abs() (found by code coverage tests). |
markrad | 0:cdf462088d13 | 2114 | * Fixed incorrect handling of negative first input |
markrad | 0:cdf462088d13 | 2115 | value in mpi_mod_mpi() and mpi_mod_int(). Resulting |
markrad | 0:cdf462088d13 | 2116 | change also affects mpi_write_string() (found by code |
markrad | 0:cdf462088d13 | 2117 | coverage tests). |
markrad | 0:cdf462088d13 | 2118 | * Corrected is_prime() results for 0, 1 and 2 (found by |
markrad | 0:cdf462088d13 | 2119 | code coverage tests). |
markrad | 0:cdf462088d13 | 2120 | * Fixed Camellia and XTEA for 64-bit Windows systems. |
markrad | 0:cdf462088d13 | 2121 | |
markrad | 0:cdf462088d13 | 2122 | = Version 0.11.1 released on 2009-05-17 |
markrad | 0:cdf462088d13 | 2123 | * Fixed missing functionality for SHA-224, SHA-256, SHA384, |
markrad | 0:cdf462088d13 | 2124 | SHA-512 in rsa_pkcs1_sign() |
markrad | 0:cdf462088d13 | 2125 | |
markrad | 0:cdf462088d13 | 2126 | = Version 0.11.0 released on 2009-05-03 |
markrad | 0:cdf462088d13 | 2127 | * Fixed a bug in mpi_gcd() so that it also works when both |
markrad | 0:cdf462088d13 | 2128 | input numbers are even and added testcases to check |
markrad | 0:cdf462088d13 | 2129 | (found by Pierre Habouzit). |
markrad | 0:cdf462088d13 | 2130 | * Added support for SHA-224, SHA-256, SHA-384 and SHA-512 |
markrad | 0:cdf462088d13 | 2131 | one way hash functions with the PKCS#1 v1.5 signing and |
markrad | 0:cdf462088d13 | 2132 | verification. |
markrad | 0:cdf462088d13 | 2133 | * Fixed minor bug regarding mpi_gcd located within the |
markrad | 0:cdf462088d13 | 2134 | POLARSSL_GENPRIME block. |
markrad | 0:cdf462088d13 | 2135 | * Fixed minor memory leak in x509parse_crt() and added better |
markrad | 0:cdf462088d13 | 2136 | handling of 'full' certificate chains (found by Mathias |
markrad | 0:cdf462088d13 | 2137 | Olsson). |
markrad | 0:cdf462088d13 | 2138 | * Centralized file opening and reading for x509 files into |
markrad | 0:cdf462088d13 | 2139 | load_file() |
markrad | 0:cdf462088d13 | 2140 | * Made definition of net_htons() endian-clean for big endian |
markrad | 0:cdf462088d13 | 2141 | systems (Found by Gernot). |
markrad | 0:cdf462088d13 | 2142 | * Undefining POLARSSL_HAVE_ASM now also handles prevents asm in |
Jasper Wallace |
2:bbdeda018a3c | 2143 | padlock and timing code. |
markrad | 0:cdf462088d13 | 2144 | * Fixed an off-by-one buffer allocation in ssl_set_hostname() |
markrad | 0:cdf462088d13 | 2145 | responsible for crashes and unwanted behaviour. |
markrad | 0:cdf462088d13 | 2146 | * Added support for Certificate Revocation List (CRL) parsing. |
markrad | 0:cdf462088d13 | 2147 | * Added support for CRL revocation to x509parse_verify() and |
markrad | 0:cdf462088d13 | 2148 | SSL/TLS code. |
markrad | 0:cdf462088d13 | 2149 | * Fixed compatibility of XTEA and Camellia on a 64-bit system |
markrad | 0:cdf462088d13 | 2150 | (found by Felix von Leitner). |
markrad | 0:cdf462088d13 | 2151 | |
markrad | 0:cdf462088d13 | 2152 | = Version 0.10.0 released on 2009-01-12 |
markrad | 0:cdf462088d13 | 2153 | * Migrated XySSL to PolarSSL |
markrad | 0:cdf462088d13 | 2154 | * Added XTEA symmetric cipher |
markrad | 0:cdf462088d13 | 2155 | * Added Camellia symmetric cipher |
markrad | 0:cdf462088d13 | 2156 | * Added support for ciphersuites: SSL_RSA_CAMELLIA_128_SHA, |
markrad | 0:cdf462088d13 | 2157 | SSL_RSA_CAMELLIA_256_SHA and SSL_EDH_RSA_CAMELLIA_256_SHA |
markrad | 0:cdf462088d13 | 2158 | * Fixed dangerous bug that can cause a heap overflow in |
markrad | 0:cdf462088d13 | 2159 | rsa_pkcs1_decrypt (found by Christophe Devine) |
markrad | 0:cdf462088d13 | 2160 | |
markrad | 0:cdf462088d13 | 2161 | ================================================================ |
markrad | 0:cdf462088d13 | 2162 | XySSL ChangeLog |
markrad | 0:cdf462088d13 | 2163 | |
markrad | 0:cdf462088d13 | 2164 | = Version 0.9 released on 2008-03-16 |
markrad | 0:cdf462088d13 | 2165 | |
markrad | 0:cdf462088d13 | 2166 | * Added support for ciphersuite: SSL_RSA_AES_128_SHA |
markrad | 0:cdf462088d13 | 2167 | * Enabled support for large files by default in aescrypt2.c |
markrad | 0:cdf462088d13 | 2168 | * Preliminary openssl wrapper contributed by David Barrett |
markrad | 0:cdf462088d13 | 2169 | * Fixed a bug in ssl_write() that caused the same payload to |
markrad | 0:cdf462088d13 | 2170 | be sent twice in non-blocking mode when send returns EAGAIN |
markrad | 0:cdf462088d13 | 2171 | * Fixed ssl_parse_client_hello(): session id and challenge must |
markrad | 0:cdf462088d13 | 2172 | not be swapped in the SSLv2 ClientHello (found by Greg Robson) |
markrad | 0:cdf462088d13 | 2173 | * Added user-defined callback debug function (Krystian Kolodziej) |
markrad | 0:cdf462088d13 | 2174 | * Before freeing a certificate, properly zero out all cert. data |
markrad | 0:cdf462088d13 | 2175 | * Fixed the "mode" parameter so that encryption/decryption are |
markrad | 0:cdf462088d13 | 2176 | not swapped on PadLock; also fixed compilation on older versions |
markrad | 0:cdf462088d13 | 2177 | of gcc (bug reported by David Barrett) |
markrad | 0:cdf462088d13 | 2178 | * Correctly handle the case in padlock_xcryptcbc() when input or |
markrad | 0:cdf462088d13 | 2179 | ouput data is non-aligned by falling back to the software |
markrad | 0:cdf462088d13 | 2180 | implementation, as VIA Nehemiah cannot handle non-aligned buffers |
markrad | 0:cdf462088d13 | 2181 | * Fixed a memory leak in x509parse_crt() which was reported by Greg |
markrad | 0:cdf462088d13 | 2182 | Robson-Garth; some x509write.c fixes by Pascal Vizeli, thanks to |
markrad | 0:cdf462088d13 | 2183 | Matthew Page who reported several bugs |
markrad | 0:cdf462088d13 | 2184 | * Fixed x509_get_ext() to accept some rare certificates which have |
markrad | 0:cdf462088d13 | 2185 | an INTEGER instead of a BOOLEAN for BasicConstraints::cA. |
markrad | 0:cdf462088d13 | 2186 | * Added support on the client side for the TLS "hostname" extension |
markrad | 0:cdf462088d13 | 2187 | (patch contributed by David Patino) |
markrad | 0:cdf462088d13 | 2188 | * Make x509parse_verify() return BADCERT_CN_MISMATCH when an empty |
markrad | 0:cdf462088d13 | 2189 | string is passed as the CN (bug reported by spoofy) |
markrad | 0:cdf462088d13 | 2190 | * Added an option to enable/disable the BN assembly code |
markrad | 0:cdf462088d13 | 2191 | * Updated rsa_check_privkey() to verify that (D*E) = 1 % (P-1)*(Q-1) |
markrad | 0:cdf462088d13 | 2192 | * Disabled obsolete hash functions by default (MD2, MD4); updated |
markrad | 0:cdf462088d13 | 2193 | selftest and benchmark to not test ciphers that have been disabled |
markrad | 0:cdf462088d13 | 2194 | * Updated x509parse_cert_info() to correctly display byte 0 of the |
markrad | 0:cdf462088d13 | 2195 | serial number, setup correct server port in the ssl client example |
markrad | 0:cdf462088d13 | 2196 | * Fixed a critical denial-of-service with X.509 cert. verification: |
markrad | 0:cdf462088d13 | 2197 | peer may cause xyssl to loop indefinitely by sending a certificate |
markrad | 0:cdf462088d13 | 2198 | for which the RSA signature check fails (bug reported by Benoit) |
markrad | 0:cdf462088d13 | 2199 | * Added test vectors for: AES-CBC, AES-CFB, DES-CBC and 3DES-CBC, |
markrad | 0:cdf462088d13 | 2200 | HMAC-MD5, HMAC-SHA1, HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512 |
markrad | 0:cdf462088d13 | 2201 | * Fixed HMAC-SHA-384 and HMAC-SHA-512 (thanks to Josh Sinykin) |
markrad | 0:cdf462088d13 | 2202 | * Modified ssl_parse_client_key_exchange() to protect against |
markrad | 0:cdf462088d13 | 2203 | Daniel Bleichenbacher attack on PKCS#1 v1.5 padding, as well |
markrad | 0:cdf462088d13 | 2204 | as the Klima-Pokorny-Rosa extension of Bleichenbacher's attack |
markrad | 0:cdf462088d13 | 2205 | * Updated rsa_gen_key() so that ctx->N is always nbits in size |
markrad | 0:cdf462088d13 | 2206 | * Fixed assembly PPC compilation errors on Mac OS X, thanks to |
markrad | 0:cdf462088d13 | 2207 | David Barrett and Dusan Semen |
markrad | 0:cdf462088d13 | 2208 | |
markrad | 0:cdf462088d13 | 2209 | = Version 0.8 released on 2007-10-20 |
markrad | 0:cdf462088d13 | 2210 | |
markrad | 0:cdf462088d13 | 2211 | * Modified the HMAC functions to handle keys larger |
markrad | 0:cdf462088d13 | 2212 | than 64 bytes, thanks to Stephane Desneux and gary ng |
markrad | 0:cdf462088d13 | 2213 | * Fixed ssl_read_record() to properly update the handshake |
markrad | 0:cdf462088d13 | 2214 | message digests, which fixes IE6/IE7 client authentication |
markrad | 0:cdf462088d13 | 2215 | * Cleaned up the XYSSL* #defines, suggested by Azriel Fasten |
markrad | 0:cdf462088d13 | 2216 | * Fixed net_recv(), thanks to Lorenz Schori and Egon Kocjan |
markrad | 0:cdf462088d13 | 2217 | * Added user-defined callbacks for handling I/O and sessions |
markrad | 0:cdf462088d13 | 2218 | * Added lots of debugging output in the SSL/TLS functions |
markrad | 0:cdf462088d13 | 2219 | * Added preliminary X.509 cert. writing by Pascal Vizeli |
markrad | 0:cdf462088d13 | 2220 | * Added preliminary support for the VIA PadLock routines |
markrad | 0:cdf462088d13 | 2221 | * Added AES-CFB mode of operation, contributed by chmike |
markrad | 0:cdf462088d13 | 2222 | * Added an SSL/TLS stress testing program (ssl_test.c) |
markrad | 0:cdf462088d13 | 2223 | * Updated the RSA PKCS#1 code to allow choosing between |
markrad | 0:cdf462088d13 | 2224 | RSA_PUBLIC and RSA_PRIVATE, as suggested by David Barrett |
markrad | 0:cdf462088d13 | 2225 | * Updated ssl_read() to skip 0-length records from OpenSSL |
markrad | 0:cdf462088d13 | 2226 | * Fixed the make install target to comply with *BSD make |
markrad | 0:cdf462088d13 | 2227 | * Fixed a bug in mpi_read_binary() on 64-bit platforms |
markrad | 0:cdf462088d13 | 2228 | * mpi_is_prime() speedups, thanks to Kevin McLaughlin |
markrad | 0:cdf462088d13 | 2229 | * Fixed a long standing memory leak in mpi_is_prime() |
markrad | 0:cdf462088d13 | 2230 | * Replaced realloc with malloc in mpi_grow(), and set |
markrad | 0:cdf462088d13 | 2231 | the sign of zero as positive in mpi_init() (reported |
markrad | 0:cdf462088d13 | 2232 | by Jonathan M. McCune) |
markrad | 0:cdf462088d13 | 2233 | |
markrad | 0:cdf462088d13 | 2234 | = Version 0.7 released on 2007-07-07 |
markrad | 0:cdf462088d13 | 2235 | |
markrad | 0:cdf462088d13 | 2236 | * Added support for the MicroBlaze soft-core processor |
markrad | 0:cdf462088d13 | 2237 | * Fixed a bug in ssl_tls.c which sometimes prevented SSL |
markrad | 0:cdf462088d13 | 2238 | connections from being established with non-blocking I/O |
markrad | 0:cdf462088d13 | 2239 | * Fixed a couple bugs in the VS6 and UNIX Makefiles |
markrad | 0:cdf462088d13 | 2240 | * Fixed the "PIC register ebx clobbered in asm" bug |
markrad | 0:cdf462088d13 | 2241 | * Added HMAC starts/update/finish support functions |
markrad | 0:cdf462088d13 | 2242 | * Added the SHA-224, SHA-384 and SHA-512 hash functions |
markrad | 0:cdf462088d13 | 2243 | * Fixed the net_set_*block routines, thanks to Andreas |
markrad | 0:cdf462088d13 | 2244 | * Added a few demonstration programs: md5sum, sha1sum, |
markrad | 0:cdf462088d13 | 2245 | dh_client, dh_server, rsa_genkey, rsa_sign, rsa_verify |
markrad | 0:cdf462088d13 | 2246 | * Added new bignum import and export helper functions |
markrad | 0:cdf462088d13 | 2247 | * Rewrote README.txt in program/ssl/ca to better explain |
markrad | 0:cdf462088d13 | 2248 | how to create a test PKI |
markrad | 0:cdf462088d13 | 2249 | |
markrad | 0:cdf462088d13 | 2250 | = Version 0.6 released on 2007-04-01 |
markrad | 0:cdf462088d13 | 2251 | |
markrad | 0:cdf462088d13 | 2252 | * Ciphers used in SSL/TLS can now be disabled at compile |
markrad | 0:cdf462088d13 | 2253 | time, to reduce the memory footprint on embedded systems |
markrad | 0:cdf462088d13 | 2254 | * Added multiply assembly code for the TriCore and modified |
markrad | 0:cdf462088d13 | 2255 | havege_struct for this processor, thanks to David Patiño |
markrad | 0:cdf462088d13 | 2256 | * Added multiply assembly code for 64-bit PowerPCs, |
markrad | 0:cdf462088d13 | 2257 | thanks to Peking University and the OSU Open Source Lab |
markrad | 0:cdf462088d13 | 2258 | * Added experimental support of Quantum Cryptography |
markrad | 0:cdf462088d13 | 2259 | * Added support for autoconf, contributed by Arnaud Cornet |
markrad | 0:cdf462088d13 | 2260 | * Fixed "long long" compilation issues on IA-64 and PPC64 |
markrad | 0:cdf462088d13 | 2261 | * Fixed a bug introduced in xyssl-0.5/timing.c: hardclock |
markrad | 0:cdf462088d13 | 2262 | was not being correctly defined on ARM and MIPS |
markrad | 0:cdf462088d13 | 2263 | |
markrad | 0:cdf462088d13 | 2264 | = Version 0.5 released on 2007-03-01 |
markrad | 0:cdf462088d13 | 2265 | |
markrad | 0:cdf462088d13 | 2266 | * Added multiply assembly code for SPARC and Alpha |
markrad | 0:cdf462088d13 | 2267 | * Added (beta) support for non-blocking I/O operations |
markrad | 0:cdf462088d13 | 2268 | * Implemented session resuming and client authentication |
markrad | 0:cdf462088d13 | 2269 | * Fixed some portability issues on WinCE, MINIX 3, Plan9 |
markrad | 0:cdf462088d13 | 2270 | (thanks to Benjamin Newman), HP-UX, FreeBSD and Solaris |
markrad | 0:cdf462088d13 | 2271 | * Improved the performance of the EDH key exchange |
markrad | 0:cdf462088d13 | 2272 | * Fixed a bug that caused valid packets with a payload |
markrad | 0:cdf462088d13 | 2273 | size of 16384 bytes to be rejected |
markrad | 0:cdf462088d13 | 2274 | |
markrad | 0:cdf462088d13 | 2275 | = Version 0.4 released on 2007-02-01 |
markrad | 0:cdf462088d13 | 2276 | |
markrad | 0:cdf462088d13 | 2277 | * Added support for Ephemeral Diffie-Hellman key exchange |
markrad | 0:cdf462088d13 | 2278 | * Added multiply asm code for SSE2, ARM, PPC, MIPS and M68K |
markrad | 0:cdf462088d13 | 2279 | * Various improvement to the modular exponentiation code |
markrad | 0:cdf462088d13 | 2280 | * Rewrote the headers to generate the API docs with doxygen |
markrad | 0:cdf462088d13 | 2281 | * Fixed a bug in ssl_encrypt_buf (incorrect padding was |
markrad | 0:cdf462088d13 | 2282 | generated) and in ssl_parse_client_hello (max. client |
markrad | 0:cdf462088d13 | 2283 | version was not properly set), thanks to Didier Rebeix |
markrad | 0:cdf462088d13 | 2284 | * Fixed another bug in ssl_parse_client_hello: clients with |
markrad | 0:cdf462088d13 | 2285 | cipherlists larger than 96 bytes were incorrectly rejected |
markrad | 0:cdf462088d13 | 2286 | * Fixed a couple memory leak in x509_read.c |
markrad | 0:cdf462088d13 | 2287 | |
markrad | 0:cdf462088d13 | 2288 | = Version 0.3 released on 2007-01-01 |
markrad | 0:cdf462088d13 | 2289 | |
markrad | 0:cdf462088d13 | 2290 | * Added server-side SSLv3 and TLSv1.0 support |
markrad | 0:cdf462088d13 | 2291 | * Multiple fixes to enhance the compatibility with g++, |
markrad | 0:cdf462088d13 | 2292 | thanks to Xosé Antón Otero Ferreira |
markrad | 0:cdf462088d13 | 2293 | * Fixed a bug in the CBC code, thanks to dowst; also, |
markrad | 0:cdf462088d13 | 2294 | the bignum code is no longer dependent on long long |
markrad | 0:cdf462088d13 | 2295 | * Updated rsa_pkcs1_sign to handle arbitrary large inputs |
markrad | 0:cdf462088d13 | 2296 | * Updated timing.c for improved compatibility with i386 |
markrad | 0:cdf462088d13 | 2297 | and 486 processors, thanks to Arnaud Cornet |
markrad | 0:cdf462088d13 | 2298 | |
markrad | 0:cdf462088d13 | 2299 | = Version 0.2 released on 2006-12-01 |
markrad | 0:cdf462088d13 | 2300 | |
markrad | 0:cdf462088d13 | 2301 | * Updated timing.c to support ARM and MIPS arch |
markrad | 0:cdf462088d13 | 2302 | * Updated the MPI code to support 8086 on MSVC 1.5 |
markrad | 0:cdf462088d13 | 2303 | * Added the copyright notice at the top of havege.h |
markrad | 0:cdf462088d13 | 2304 | * Fixed a bug in sha2_hmac, thanks to newsoft/Wenfang Zhang |
markrad | 0:cdf462088d13 | 2305 | * Fixed a bug reported by Adrian Rüegsegger in x509_read_key |
markrad | 0:cdf462088d13 | 2306 | * Fixed a bug reported by Torsten Lauter in ssl_read_record |
markrad | 0:cdf462088d13 | 2307 | * Fixed a bug in rsa_check_privkey that would wrongly cause |
markrad | 0:cdf462088d13 | 2308 | valid RSA keys to be dismissed (thanks to oldwolf) |
markrad | 0:cdf462088d13 | 2309 | * Fixed a bug in mpi_is_prime that caused some primes to fail |
markrad | 0:cdf462088d13 | 2310 | the Miller-Rabin primality test |
markrad | 0:cdf462088d13 | 2311 | |
markrad | 0:cdf462088d13 | 2312 | I'd also like to thank Younès Hafri for the CRUX linux port, |
markrad | 0:cdf462088d13 | 2313 | Khalil Petit who added XySSL into pkgsrc and Arnaud Cornet |
markrad | 0:cdf462088d13 | 2314 | who maintains the Debian package :-) |
markrad | 0:cdf462088d13 | 2315 | |
markrad | 0:cdf462088d13 | 2316 | = Version 0.1 released on 2006-11-01 |