2015-02-08 15:49:54 +01:00
|
|
|
mbed TLS ChangeLog (Sorted per branch, date)
|
2011-01-05 15:48:42 +01:00
|
|
|
|
2018-12-02 00:18:29 +01:00
|
|
|
= mbed TLS 2.1.17 branch released 2018-11-30
|
2018-06-20 17:40:21 +02:00
|
|
|
|
2018-10-03 13:40:16 +02:00
|
|
|
Security
|
2018-10-05 15:42:52 +02:00
|
|
|
* Fix timing variations and memory access variations in RSA PKCS#1 v1.5
|
|
|
|
decryption that could lead to a Bleichenbacher-style padding oracle
|
2018-11-29 12:45:01 +01:00
|
|
|
attack. In TLS, this affects servers that accept ciphersuites based on
|
|
|
|
RSA decryption (i.e. ciphersuites whose name contains RSA but not
|
2018-12-02 13:26:34 +01:00
|
|
|
(EC)DH(E)). Discovered by Eyal Ronen (Weizmann Institute), Robert Gillham
|
|
|
|
(University of Adelaide), Daniel Genkin (University of Michigan),
|
|
|
|
Adi Shamir (Weizmann Institute), David Wong (NCC Group), and Yuval Yarom
|
|
|
|
(University of Adelaide, Data61). The attack is described in more detail
|
|
|
|
in the paper available here: http://cat.eyalro.net/cat.pdf CVE-2018-19608
|
2018-11-29 12:46:05 +01:00
|
|
|
* In mbedtls_mpi_write_binary(), don't leak the exact size of the number
|
|
|
|
via branching and memory access patterns. An attacker who could submit
|
|
|
|
a plaintext for RSA PKCS#1 v1.5 decryption but only observe the timing
|
|
|
|
of the decryption and not its result could nonetheless decrypt RSA
|
|
|
|
plaintexts and forge RSA signatures. Other asymmetric algorithms may
|
|
|
|
have been similarly vulnerable. Reported by Eyal Ronen, Robert Gillham,
|
|
|
|
Daniel Genkin, Adi Shamir, David Wong and Yuval Yarom.
|
2018-09-11 18:53:58 +02:00
|
|
|
* Wipe sensitive buffers on the stack in the CTR_DRBG and HMAC_DRBG
|
|
|
|
modules.
|
2018-10-03 13:40:16 +02:00
|
|
|
|
2018-11-19 19:33:24 +01:00
|
|
|
= mbed TLS 2.1.16 branch released 2018-11-19
|
2018-06-20 17:40:21 +02:00
|
|
|
|
2018-11-02 10:36:45 +01:00
|
|
|
Security
|
2018-11-08 14:47:40 +01:00
|
|
|
* Fix overly strict DN comparison when looking for CRLs belonging to a
|
2018-11-19 17:11:15 +01:00
|
|
|
particular CA. This previously led to ignoring CRLs when the CRL's issuer
|
2018-11-08 14:47:40 +01:00
|
|
|
name and the CA's subject name differed in their string encoding (e.g.,
|
|
|
|
one using PrintableString and the other UTF8String) or in the choice of
|
|
|
|
upper and lower case. Reported by Henrik Andersson of Bosch GmbH in issue
|
|
|
|
#1784.
|
2018-11-19 17:11:15 +01:00
|
|
|
* Fix a flawed bounds check in server PSK hint parsing. In case the
|
|
|
|
incoming message buffer was placed within the first 64KiB of address
|
|
|
|
space and a PSK-(EC)DHE ciphersuite was used, this allowed an attacker
|
|
|
|
to trigger a memory access up to 64KiB beyond the incoming message buffer,
|
|
|
|
potentially leading to application crash or information disclosure.
|
2018-11-08 14:47:40 +01:00
|
|
|
* Fix mbedtls_mpi_is_prime() to use more rounds of probabilistic testing. The
|
|
|
|
previous settings for the number of rounds made it practical for an
|
|
|
|
adversary to construct non-primes that would be erroneously accepted as
|
|
|
|
primes with high probability. This does not have an impact on the
|
2018-11-19 17:11:15 +01:00
|
|
|
security of TLS, but can matter in other contexts with numbers chosen
|
|
|
|
potentially by an adversary that should be prime and can be validated.
|
2018-11-08 14:47:40 +01:00
|
|
|
For example, the number of rounds was enough to securely generate RSA key
|
|
|
|
pairs or Diffie-Hellman parameters, but was insufficient to validate
|
|
|
|
Diffie-Hellman parameters properly.
|
|
|
|
See "Prime and Prejudice" by by Martin R. Albrecht and Jake Massimo and
|
|
|
|
Kenneth G. Paterson and Juraj Somorovsky.
|
2018-11-02 10:36:45 +01:00
|
|
|
|
2018-06-20 17:40:21 +02:00
|
|
|
Bugfix
|
2018-10-25 17:18:13 +02:00
|
|
|
* Fix failure in hmac_drbg in the benchmark sample application, when
|
|
|
|
MBEDTLS_THREADING_C is defined. Found by TrinityTonic, #1095
|
|
|
|
* Fix a bug in the update function for SSL ticket keys which previously
|
|
|
|
invalidated keys of a lifetime of less than a 1s. Fixes #1968.
|
|
|
|
* Fix potential build failures related to the 'apidoc' target, introduced
|
|
|
|
in the previous patch release. Found by Robert Scheck. #390 #391
|
2018-10-28 17:32:05 +01:00
|
|
|
* Fix a bug in the record decryption routine ssl_decrypt_buf()
|
2018-11-19 17:11:15 +01:00
|
|
|
which led to accepting properly authenticated but improperly
|
2018-10-28 17:32:05 +01:00
|
|
|
padded records in case of CBC ciphersuites using Encrypt-then-MAC.
|
2018-10-28 17:58:29 +01:00
|
|
|
* Fix wrong order of freeing in programs/ssl/ssl_server2 example
|
|
|
|
application leading to a memory leak in case both
|
|
|
|
MBEDTLS_MEMORY_BUFFER_ALLOC_C and MBEDTLS_MEMORY_BACKTRACE are set.
|
|
|
|
Fixes #2069.
|
2018-10-05 10:51:36 +02:00
|
|
|
* Fix memory leak and freeing without initialization in the example
|
|
|
|
program programs/x509/cert_write. Fixes #1422.
|
2018-11-08 14:47:40 +01:00
|
|
|
* Ignore IV in mbedtls_cipher_set_iv() when the cipher mode is
|
|
|
|
MBEDTLS_MODE_ECB. Found by ezdevelop, Fixes #1091.
|
2018-11-07 00:50:32 +01:00
|
|
|
* Zeroize memory used for reassembling handshake messages after use.
|
|
|
|
* Use `mbedtls_zeroize()` instead of `memset()` for zeroization of
|
|
|
|
sensitive data in the example programs aescrypt2 and crypt_and_hash.
|
|
|
|
* Fix compilation failure for configurations which use compile time
|
|
|
|
replacements of standard calloc/free functions through the macros
|
|
|
|
MBEDTLS_PLATFORM_CALLOC_MACRO and MBEDTLS_PLATFORM_FREE_MACRO.
|
|
|
|
Reported by ole-de and ddhome2006. Fixes #882, #1642 and #1706.
|
|
|
|
* Fix programs/pkey/dh_server.c so that it actually works with dh_client.c.
|
|
|
|
Found and fixed by Martijn de Milliano.
|
2018-09-26 23:39:29 +02:00
|
|
|
|
|
|
|
Changes
|
2018-10-25 17:18:13 +02:00
|
|
|
* "make apidoc" now generates the documentation for the current
|
|
|
|
configuration. Run "scripts/apidoc_full.sh" to generate the full
|
|
|
|
documentation. This aligns the behavior with Mbed TLS versions 2.2 and
|
|
|
|
later and reverts it back to how it behaved in version 2.1.3.
|
2018-09-26 23:39:29 +02:00
|
|
|
* Add tests for session resumption in DTLS.
|
2018-09-27 00:03:56 +02:00
|
|
|
* Close a test gap in (D)TLS between the client side and the server side:
|
|
|
|
test the handling of large packets and small packets on the client side
|
|
|
|
in the same way as on the server side.
|
2018-05-12 21:28:56 +02:00
|
|
|
* Change the dtls_client and dtls_server samples to work by default over
|
|
|
|
IPv6 and optionally by a build option over IPv4.
|
2018-10-01 15:44:22 +02:00
|
|
|
* Change the use of Windows threading to use Microsoft Visual C++ runtime
|
|
|
|
calls, rather than Win32 API calls directly. This is necessary to avoid
|
|
|
|
conflict with C runtime usage. Found and fixed by irwir.
|
2018-10-30 11:08:33 +01:00
|
|
|
* Improve documentation of mbedtls_ssl_get_verify_result().
|
|
|
|
Fixes #517 reported by github-monoculture.
|
2018-06-20 17:40:21 +02:00
|
|
|
|
2018-08-31 17:10:48 +02:00
|
|
|
= mbed TLS 2.1.15 branch released 2018-08-31
|
2018-07-30 23:15:36 +02:00
|
|
|
|
2018-07-09 14:44:26 +02:00
|
|
|
Security
|
2018-07-16 12:14:18 +02:00
|
|
|
* Fix an issue in the X.509 module which could lead to a buffer overread
|
|
|
|
during certificate extensions parsing. In case of receiving malformed
|
|
|
|
input (extensions length field equal to 0), an illegal read of one byte
|
|
|
|
beyond the input buffer is made. Found and analyzed by Nathan Crandall.
|
2018-07-09 14:44:26 +02:00
|
|
|
|
2018-07-30 23:15:36 +02:00
|
|
|
Bugfix
|
2018-08-31 13:01:43 +02:00
|
|
|
* Fix a potential memory leak in mbedtls_ssl_setup() function. An allocation
|
|
|
|
failure in the function could lead to other buffers being leaked.
|
2018-09-13 13:05:40 +02:00
|
|
|
* Fixes a missing test dependency on MBEDTLS_ARC4_C. #1890
|
2018-08-10 11:50:03 +02:00
|
|
|
* Fix a memory leak in ecp_mul_comb() if ecp_precompute_comb() fails.
|
|
|
|
Fix contributed by Espressif Systems.
|
2018-06-21 15:40:24 +02:00
|
|
|
* Add ecc extensions only if an ecc based ciphersuite is used.
|
2018-06-28 10:09:09 +02:00
|
|
|
This improves compliance to RFC 4492, and as a result, solves
|
|
|
|
interoperability issues with BouncyCastle. Raised by milenamil in #1157.
|
2018-08-13 17:36:58 +02:00
|
|
|
* Fix potential use-after-free in mbedtls_ssl_get_max_frag_len()
|
|
|
|
and mbedtls_ssl_get_record_expansion() after a session reset. Fixes #1941.
|
2018-08-03 10:53:48 +02:00
|
|
|
* Fix a miscalculation of the maximum record expansion in
|
|
|
|
mbedtls_ssl_get_record_expansion() in case of CBC ciphersuites
|
|
|
|
in (D)TLS versions 1.1 or higher. Fixes #1914.
|
2018-08-17 10:47:22 +02:00
|
|
|
* Fix a bug that caused SSL/TLS clients to incorrectly abort the handshake
|
|
|
|
with TLS versions 1.1 and earlier when the server requested authentication
|
|
|
|
without providing a list of CAs. This was due to an overly strict bounds
|
2018-09-13 13:05:40 +02:00
|
|
|
check in parsing the CertificateRequest message, introduced in
|
|
|
|
Mbed TLS 2.12.0. Fixes #1954.
|
2018-05-11 11:06:29 +02:00
|
|
|
* Fix undefined shifts with negative values in certificates parsing
|
|
|
|
(found by Catena cyber using oss-fuzz)
|
2017-10-08 17:13:03 +02:00
|
|
|
* Fix memory leak and free without initialization in pk_encrypt
|
|
|
|
and pk_decrypt example programs. Reported by Brace Stout. Fixes #1128.
|
2018-07-30 23:15:36 +02:00
|
|
|
|
2018-07-25 16:35:32 +02:00
|
|
|
= mbed TLS 2.1.14 branch released 2018-07-25
|
2018-06-22 13:02:59 +02:00
|
|
|
|
2018-06-27 10:57:33 +02:00
|
|
|
Security
|
|
|
|
* Fix a vulnerability in TLS ciphersuites based on CBC and using SHA-384,
|
|
|
|
in (D)TLS 1.0 to 1.2, that allowed an active network attacker to
|
|
|
|
partially recover the plaintext of messages under some conditions by
|
|
|
|
exploiting timing measurements. With DTLS, the attacker could perform
|
|
|
|
this recovery by sending many messages in the same connection. With TLS
|
|
|
|
or if mbedtls_ssl_conf_dtls_badmac_limit() was used, the attack only
|
|
|
|
worked if the same secret (for example a HTTP Cookie) has been repeatedly
|
|
|
|
sent over connections manipulated by the attacker. Connections using GCM
|
|
|
|
or CCM instead of CBC, using hash sizes other than SHA-384, or using
|
|
|
|
Encrypt-then-Mac (RFC 7366) were not affected. The vulnerability was
|
|
|
|
caused by a miscalculation (for SHA-384) in a countermeasure to the
|
|
|
|
original Lucky 13 attack. Found by Kenny Paterson, Eyal Ronen and Adi
|
|
|
|
Shamir.
|
2018-06-28 12:10:27 +02:00
|
|
|
* Fix a vulnerability in TLS ciphersuites based on CBC, in (D)TLS 1.0 to
|
|
|
|
1.2, that allowed a local attacker, able to execute code on the local
|
|
|
|
machine as well as manipulate network packets, to partially recover the
|
2018-07-11 18:27:08 +02:00
|
|
|
plaintext of messages under some conditions by using a cache attack
|
|
|
|
targetting an internal MD/SHA buffer. With TLS or if
|
|
|
|
mbedtls_ssl_conf_dtls_badmac_limit() was used, the attack only worked if
|
|
|
|
the same secret (for example a HTTP Cookie) has been repeatedly sent over
|
|
|
|
connections manipulated by the attacker. Connections using GCM or CCM
|
|
|
|
instead of CBC or using Encrypt-then-Mac (RFC 7366) were not affected.
|
|
|
|
Found by Kenny Paterson, Eyal Ronen and Adi Shamir.
|
2018-06-28 10:38:35 +02:00
|
|
|
* Add a counter-measure against a vulnerability in TLS ciphersuites based
|
|
|
|
on CBC, in (D)TLS 1.0 to 1.2, that allowed a local attacker, able to
|
|
|
|
execute code on the local machine as well as manipulate network packets,
|
|
|
|
to partially recover the plaintext of messages under some conditions (see
|
|
|
|
previous entry) by using a cache attack targeting the SSL input record
|
|
|
|
buffer. Connections using GCM or CCM instead of CBC or using
|
|
|
|
Encrypt-then-Mac (RFC 7366) were not affected. Found by Kenny Paterson,
|
|
|
|
Eyal Ronen and Adi Shamir.
|
2018-05-23 18:55:02 +02:00
|
|
|
|
2018-06-22 13:02:59 +02:00
|
|
|
Bugfix
|
2018-06-25 13:07:10 +02:00
|
|
|
* Fix compilation error on C++, because of a variable named new.
|
|
|
|
Found and fixed by Hirotaka Niisato in #1783.
|
2018-06-24 17:20:56 +02:00
|
|
|
* Fix the inline assembly for the MPI multiply helper function for i386 and
|
|
|
|
i386 with SSE2. Found by László Langó. Fixes #1550
|
2018-06-22 13:02:59 +02:00
|
|
|
* Fix a memory leak in mbedtls_x509_csr_parse(), found by catenacyber,
|
2018-06-28 13:14:07 +02:00
|
|
|
Philippe Antoine. Fixes #1623.
|
2017-07-11 15:39:30 +02:00
|
|
|
* Clarify documentation for mbedtls_ssl_write() to include 0 as a valid
|
|
|
|
return value. Found by @davidwu2000. #839
|
2018-06-28 13:00:55 +02:00
|
|
|
* Fix the key_app_writer example which was writing a leading zero byte which
|
|
|
|
was creating an invalid ASN.1 tag. Found by Aryeh R. Fixes #1257
|
2018-07-02 13:00:54 +02:00
|
|
|
* Remove unused headers included in x509.c. Found by Chris Hanson and fixed
|
|
|
|
by Brendan Shanks. Part of a fix for #992.
|
2018-06-17 13:51:59 +02:00
|
|
|
* Fix compilation error when MBEDTLS_ARC4_C is disabled and
|
|
|
|
MBEDTLS_CIPHER_NULL_CIPHER is enabled. Found by TrinityTonic in #1719.
|
2018-07-19 20:59:02 +02:00
|
|
|
* Added length checks to some TLS parsing functions. Found and fixed by
|
|
|
|
Philippe Antoine from Catena cyber. #1663.
|
2017-10-01 16:11:54 +02:00
|
|
|
* Fix namespacing in header files. Remove the `mbedtls` namespacing in
|
2017-05-14 15:17:33 +02:00
|
|
|
the `#include` in the header files. Resolves #857
|
2018-07-24 14:01:59 +02:00
|
|
|
* Fix decryption for zero length messages (which contain all padding) when a
|
|
|
|
CBC based ciphersuite is used together with Encrypt-then-MAC. Previously,
|
|
|
|
such a message was wrongly reported as an invalid record and therefore lead
|
|
|
|
to the connection being terminated. Seen most often with OpenSSL using
|
|
|
|
TLS 1.0. Reported by @kFYatek and by Conor Murphy on the forum. Fix
|
|
|
|
contributed by Espressif Systems. Fixes #1632
|
2018-07-04 11:01:39 +02:00
|
|
|
* Fix ssl_client2 example to send application data with 0-length content
|
|
|
|
when the request_size argument is set to 0 as stated in the documentation.
|
|
|
|
Fixes #1833.
|
2018-07-25 18:33:29 +02:00
|
|
|
* Correct the documentation for `mbedtls_ssl_get_session()`. This API has
|
|
|
|
deep copy of the session, and the peer certificate is not lost. Fixes #926.
|
2018-06-22 13:02:59 +02:00
|
|
|
|
2018-06-22 16:07:00 +02:00
|
|
|
Changes
|
2018-07-25 18:33:29 +02:00
|
|
|
* Fail when receiving a TLS alert message with an invalid length, or invalid
|
|
|
|
zero-length messages when using TLS 1.2. Contributed by Espressif Systems.
|
2018-06-22 16:07:00 +02:00
|
|
|
* Change the shebang line in Perl scripts to look up perl in the PATH.
|
|
|
|
Contributed by fbrosson in #1533.
|
|
|
|
|
2018-06-18 15:49:02 +02:00
|
|
|
= mbed TLS 2.1.13 branch released 2018-06-18
|
2018-05-23 18:55:02 +02:00
|
|
|
|
|
|
|
Bugfix
|
2018-06-14 09:58:59 +02:00
|
|
|
* Fix compilation warnings with IAR toolchain, on 32 bit platform.
|
|
|
|
Reported by rahmanih in #683
|
2018-05-23 18:55:02 +02:00
|
|
|
* Fix braces in mbedtls_memory_buffer_alloc_status(). Found by sbranden, #552.
|
2018-05-11 17:41:07 +02:00
|
|
|
* Added the macro MBEDTLS_X509_MAX_FILE_PATH_LEN that enables the user to
|
|
|
|
configure the maximum length of a file path that can be buffered when
|
|
|
|
calling mbedtls_x509_crt_parse_path().
|
2018-02-25 12:29:03 +01:00
|
|
|
* Fix redundant declaration of mbedtls_ssl_list_ciphersuites. Raised by
|
|
|
|
TrinityTonic. #1359.
|
2018-06-01 20:11:55 +02:00
|
|
|
* Fix an issue with MicroBlaze support in bn_mul.h which was causing the
|
|
|
|
build to fail. Found by zv-io. Fixes #1651.
|
2018-06-08 17:27:04 +02:00
|
|
|
* Fix for redefinition of _WIN32_WINNT to avoid overriding a definition
|
|
|
|
used by user applications. Found and fixed by Fabio Alessandrelli.
|
2018-05-23 18:55:02 +02:00
|
|
|
|
2018-03-21 12:35:44 +01:00
|
|
|
Changes
|
|
|
|
* Support TLS testing in out-of-source builds using cmake.
|
2018-06-18 12:56:46 +02:00
|
|
|
* Changed the Clang parameters used in the CMake build files to work for
|
|
|
|
versions later than 3.6. Fixes #1072
|
2018-03-21 12:35:44 +01:00
|
|
|
|
2018-04-27 14:13:54 +02:00
|
|
|
= mbed TLS 2.1.12 branch released 2018-04-30
|
2018-03-23 02:28:33 +01:00
|
|
|
|
|
|
|
Security
|
2018-04-30 18:23:10 +02:00
|
|
|
* Fix an issue in the X.509 module which could lead to a buffer overread
|
|
|
|
during certificate validation. Additionally, the issue could also lead to
|
|
|
|
unnecessary callback checks being made or to some validation checks to be
|
|
|
|
omitted. The overread could be triggered remotely, while the other issues
|
|
|
|
would require a non DER-compliant certificate to be correctly signed by a
|
|
|
|
trusted CA, or a trusted CA with a non DER-compliant certificate. Found by
|
|
|
|
luocm. Fixes #825.
|
|
|
|
* Fix the buffer length assertion in the ssl_parse_certificate_request()
|
|
|
|
function which led to an arbitrary overread of the message buffer. The
|
|
|
|
overreads could be caused by receiving a malformed message at the point
|
|
|
|
where an optional signature algorithms list is expected when the signature
|
|
|
|
algorithms section is too short. In builds with debug output, the overread
|
|
|
|
data is output with the debug data.
|
2018-04-25 11:25:30 +02:00
|
|
|
* Fix a client-side bug in the validation of the server's ciphersuite choice
|
2018-04-30 18:23:10 +02:00
|
|
|
which could potentially lead to the client accepting a ciphersuite it didn't
|
|
|
|
offer or a ciphersuite that cannot be used with the TLS or DTLS version
|
|
|
|
chosen by the server. This could lead to corruption of internal data
|
|
|
|
structures for some configurations.
|
2018-03-23 02:28:33 +01:00
|
|
|
|
2018-03-23 01:42:44 +01:00
|
|
|
Bugfix
|
|
|
|
* Add missing dependencies in test suites that led to build failures
|
|
|
|
in configurations that omit certain hashes or public-key algorithms.
|
|
|
|
Fixes #1040.
|
2018-03-27 23:08:53 +02:00
|
|
|
* Add missing dependencies for MBEDTLS_HAVE_TIME_DATE and
|
2018-04-30 18:23:10 +02:00
|
|
|
MBEDTLS_VERSION_FEATURES in some test suites. Contributed by
|
|
|
|
Deomid Ryabkov. Fixes #1299, #1475.
|
|
|
|
* Fix the Makefile build process for building shared libraries on Mac OS X.
|
|
|
|
Fixed by mnacamura.
|
Fix parsing of PKCS#8 encoded Elliptic Curve keys.
The relevant ASN.1 definitions for a PKCS#8 encoded Elliptic Curve key are:
PrivateKeyInfo ::= SEQUENCE {
version Version,
privateKeyAlgorithm PrivateKeyAlgorithmIdentifier,
privateKey PrivateKey,
attributes [0] IMPLICIT Attributes OPTIONAL
}
AlgorithmIdentifier ::= SEQUENCE {
algorithm OBJECT IDENTIFIER,
parameters ANY DEFINED BY algorithm OPTIONAL
}
ECParameters ::= CHOICE {
namedCurve OBJECT IDENTIFIER
-- implicitCurve NULL
-- specifiedCurve SpecifiedECDomain
}
ECPrivateKey ::= SEQUENCE {
version INTEGER { ecPrivkeyVer1(1) } (ecPrivkeyVer1),
privateKey OCTET STRING,
parameters [0] ECParameters {{ NamedCurve }} OPTIONAL,
publicKey [1] BIT STRING OPTIONAL
}
Because of the two optional fields, there are 4 possible variants that need to
be parsed: no optional fields, only parameters, only public key, and both
optional fields. Previously mbedTLS was unable to parse keys with "only
parameters". Also, only "only public key" was tested. There was a test for "no
optional fields", but it was labelled incorrectly as SEC.1 and not run because
of a great renaming mixup.
2018-02-16 22:11:04 +01:00
|
|
|
* Fix parsing of PKCS#8 encoded Elliptic Curve keys. Previously Mbed TLS was
|
2018-04-30 18:23:10 +02:00
|
|
|
unable to parse keys which had only the optional parameters field of the
|
|
|
|
ECPrivateKey structure. Found by Jethro Beekman, fixed in #1379.
|
|
|
|
* Return the plaintext data more quickly on unpadded CBC decryption, as
|
|
|
|
stated in the mbedtls_cipher_update() documentation. Contributed by
|
|
|
|
Andy Leiserson.
|
2018-04-03 19:38:45 +02:00
|
|
|
* Fix overriding and ignoring return values when parsing and writing to
|
|
|
|
a file in pk_sign program. Found by kevlut in #1142.
|
2018-04-05 08:51:35 +02:00
|
|
|
* Fix buffer length assertions in the ssl_parse_certificate_request()
|
|
|
|
function which leads to a potential one byte overread of the message
|
|
|
|
buffer.
|
2018-04-23 14:29:36 +02:00
|
|
|
* Fix invalid buffer sizes passed to zlib during record compression and
|
|
|
|
decompression.
|
2018-03-23 01:42:44 +01:00
|
|
|
|
|
|
|
Changes
|
|
|
|
* Improve testing in configurations that omit certain hashes or
|
|
|
|
public-key algorithms. Includes contributions by Gert van Dijk.
|
|
|
|
* Improve negative testing of X.509 parsing.
|
2018-03-21 16:35:01 +01:00
|
|
|
* Do not define global mutexes around readdir() and gmtime() in
|
|
|
|
configurations where the feature is disabled. Found and fixed by Gergely
|
|
|
|
Budai.
|
2018-03-27 22:19:50 +02:00
|
|
|
* Provide an empty implementation of mbedtls_pkcs5_pbes2() when
|
|
|
|
MBEDTLS_ASN1_PARSE_C is not enabled. This allows the use of PBKDF2
|
|
|
|
without PBES2. Fixed by Marcos Del Sol Vives.
|
2018-04-30 18:23:10 +02:00
|
|
|
* Improve the documentation of mbedtls_net_accept(). Contributed by Ivan
|
|
|
|
Krylov.
|
2018-03-29 17:05:44 +02:00
|
|
|
* Improve the documentation of mbedtls_ssl_write(). Suggested by
|
|
|
|
Paul Sokolovsky in #1356.
|
2018-04-30 18:23:10 +02:00
|
|
|
* Add an option in the Makefile to support ar utilities where the operation
|
2018-03-27 20:14:24 +02:00
|
|
|
letter must not be prefixed by '-', such as LLVM. Found and fixed by
|
|
|
|
Alex Hixon.
|
2018-03-26 01:15:21 +02:00
|
|
|
* Allow configuring the shared library extension by setting the DLEXT
|
2018-03-27 20:14:24 +02:00
|
|
|
environment variable when using the project makefiles.
|
2018-04-04 10:18:37 +02:00
|
|
|
* In the SSL module, when f_send, f_recv or f_recv_timeout report
|
|
|
|
transmitting more than the required length, return an error. Raised by
|
2018-04-03 13:07:19 +02:00
|
|
|
Sam O'Connor in #1245.
|
2018-04-03 19:27:18 +02:00
|
|
|
* Improve robustness of mbedtls_ssl_derive_keys against the use of
|
|
|
|
HMAC functions with non-HMAC ciphersuites. Independently contributed
|
|
|
|
by Jiayuan Chen in #1377. Fixes #1437.
|
2018-03-23 01:42:44 +01:00
|
|
|
|
2018-03-16 17:29:30 +01:00
|
|
|
= mbed TLS 2.1.11 branch released 2018-03-16
|
2018-02-14 15:13:37 +01:00
|
|
|
|
2018-03-06 10:34:56 +01:00
|
|
|
Default behavior changes
|
|
|
|
* The truncated HMAC extension now conforms to RFC 6066. This means
|
|
|
|
that when both sides of a TLS connection negotiate the truncated
|
|
|
|
HMAC extension, Mbed TLS can now interoperate with other
|
|
|
|
compliant implementations, but this breaks interoperability with
|
|
|
|
prior versions of Mbed TLS. To restore the old behavior, enable
|
|
|
|
the (deprecated) option MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT in
|
|
|
|
config.h. Found by Andreas Walz (ivESK, Offenburg University of
|
|
|
|
Applied Sciences).
|
|
|
|
|
2017-11-20 11:43:35 +01:00
|
|
|
Security
|
2018-02-22 16:17:52 +01:00
|
|
|
* Fix implementation of the truncated HMAC extension. The previous
|
|
|
|
implementation allowed an offline 2^80 brute force attack on the
|
|
|
|
HMAC key of a single, uninterrupted connection (with no
|
|
|
|
resumption of the session).
|
2017-11-06 16:10:38 +01:00
|
|
|
* Verify results of RSA private key operations to defend
|
|
|
|
against Bellcore glitch attack.
|
2018-03-14 18:38:21 +01:00
|
|
|
* Fix a buffer overread in ssl_parse_server_key_exchange() that could cause
|
|
|
|
a crash on invalid input.
|
2018-03-14 18:53:27 +01:00
|
|
|
* Fix a buffer overread in ssl_parse_server_psk_hint() that could cause a
|
|
|
|
crash on invalid input.
|
2018-03-13 11:53:30 +01:00
|
|
|
* Fix CRL parsing to reject CRLs containing unsupported critical
|
|
|
|
extensions. Found by Falko Strenzke and Evangelos Karatsiolis.
|
2017-11-20 11:43:35 +01:00
|
|
|
|
2017-12-20 00:03:55 +01:00
|
|
|
Features
|
|
|
|
* Extend PKCS#8 interface by introducing support for the entire SHA
|
|
|
|
algorithms family when encrypting private keys using PKCS#5 v2.0.
|
2018-02-14 11:33:30 +01:00
|
|
|
This allows reading encrypted PEM files produced by software that
|
|
|
|
uses PBKDF2-SHA2, such as OpenSSL 1.1. Submitted by Antonio Quartulli,
|
|
|
|
OpenVPN Inc. Fixes #1339
|
2017-11-20 11:43:35 +01:00
|
|
|
|
2018-02-14 15:13:37 +01:00
|
|
|
Bugfix
|
|
|
|
* Fix assembly sequences in bn_mul.h and aesni.c to avoid segmentation
|
|
|
|
faults and errors when building for the 64-bit ILP32 ABI. Found and fixed
|
|
|
|
by James Cowgill.
|
|
|
|
* Fix test_suite_pk to work on 64-bit ILP32 systems. #849
|
2018-02-06 16:34:27 +01:00
|
|
|
* Fix mbedtls_x509_crt_profile_suiteb, which used to reject all certificates
|
|
|
|
with flag MBEDTLS_X509_BADCERT_BAD_PK even when the key type was correct.
|
2018-02-27 08:37:52 +01:00
|
|
|
In the context of SSL, this resulted in handshake failure. Reported by
|
|
|
|
daniel in the Mbed TLS forum. #1351
|
2018-02-21 14:32:39 +01:00
|
|
|
* Fix Windows x64 builds with the included mbedTLS.sln file. #1347
|
2018-03-11 00:52:24 +01:00
|
|
|
* Fix setting version TLSv1 as minimal version, even if TLS 1
|
|
|
|
is not enabled. Set MBEDTLS_SSL_MIN_MAJOR_VERSION
|
|
|
|
and MBEDTLS_SSL_MIN_MINOR_VERSION instead of
|
|
|
|
MBEDTLS_SSL_MAJOR_VERSION_3 and MBEDTLS_SSL_MINOR_VERSION_1. #664
|
2018-03-11 00:10:50 +01:00
|
|
|
* Fix compilation error on Mingw32 when _TRUNCATE is defined. Use _TRUNCATE
|
|
|
|
only if __MINGW32__ not defined. Fix suggested by Thomas Glanzmann and
|
|
|
|
Nick Wilson on issue #355
|
2018-03-11 00:15:56 +01:00
|
|
|
* In test_suite_pk, pass valid parameters when testing for hash length
|
2018-02-26 11:02:10 +01:00
|
|
|
overflow. #1179
|
2018-03-12 23:44:48 +01:00
|
|
|
* Fix memory allocation corner cases in memory_buffer_alloc.c module. Found
|
|
|
|
by Guido Vranken. #639
|
2018-03-15 16:24:47 +01:00
|
|
|
* Log correct number of ciphersuites used in Client Hello message. #918
|
2018-03-12 23:51:01 +01:00
|
|
|
* Fix the entropy.c module to ensure that mbedtls_sha256_init() or
|
|
|
|
mbedtls_sha512_init() is called before operating on the relevant context
|
|
|
|
structure. Do not assume that zeroizing a context is a correct way to
|
|
|
|
reset it. Found independently by ccli8 on Github.
|
|
|
|
* In mbedtls_entropy_free(), properly free the message digest context.
|
2018-03-13 17:26:49 +01:00
|
|
|
* Fix memory leak in RSA self test.
|
2018-03-13 17:28:42 +01:00
|
|
|
* Fix X509 CRT parsing that would potentially accept an invalid tag when
|
|
|
|
parsing the subject alternative names.
|
2018-03-14 18:38:21 +01:00
|
|
|
* Fix a possible arithmetic overflow in ssl_parse_server_key_exchange()
|
|
|
|
that could cause a key exchange to fail on valid data.
|
2018-03-14 18:53:27 +01:00
|
|
|
* Fix a possible arithmetic overflow in ssl_parse_server_psk_hint() that
|
|
|
|
could cause a key exchange to fail on valid data.
|
2017-09-05 18:00:54 +02:00
|
|
|
* Fix a 1-byte heap buffer overflow (read-only) during private key parsing.
|
|
|
|
Found through fuzz testing.
|
2018-02-14 15:13:37 +01:00
|
|
|
|
2017-05-29 14:49:36 +02:00
|
|
|
Changes
|
|
|
|
* Clarified the documentation of mbedtls_ssl_setup.
|
2018-02-14 15:13:37 +01:00
|
|
|
|
2018-02-05 02:11:05 +01:00
|
|
|
= mbed TLS 2.1.10 branch released 2018-02-03
|
2017-07-05 14:27:17 +02:00
|
|
|
|
2017-10-17 19:01:38 +02:00
|
|
|
Security
|
2018-02-05 02:11:05 +01:00
|
|
|
* Fix a heap corruption issue in the implementation of the truncated HMAC
|
|
|
|
extension. When the truncated HMAC extension is enabled and CBC is used,
|
|
|
|
sending a malicious application packet could be used to selectively corrupt
|
|
|
|
6 bytes on the peer's heap, which could potentially lead to crash or remote
|
|
|
|
code execution. The issue could be triggered remotely from either side in
|
|
|
|
both TLS and DTLS. CVE-2018-0488
|
|
|
|
* Fix a buffer overflow in RSA-PSS verification when the hash was too large
|
|
|
|
for the key size, which could potentially lead to crash or remote code
|
|
|
|
execution. Found by Seth Terashima, Qualcomm Product Security Initiative,
|
|
|
|
Qualcomm Technologies Inc. CVE-2018-0487
|
|
|
|
* Fix buffer overflow in RSA-PSS verification when the unmasked data is all
|
|
|
|
zeros.
|
|
|
|
* Fix an unsafe bounds check in ssl_parse_client_psk_identity() when adding
|
|
|
|
64 KiB to the address of the SSL buffer and causing a wrap around.
|
|
|
|
* Fix a potential heap buffer overflow in mbedtls_ssl_write(). When the (by
|
2017-11-23 20:09:48 +01:00
|
|
|
default enabled) maximum fragment length extension is disabled in the
|
|
|
|
config and the application data buffer passed to mbedtls_ssl_write
|
|
|
|
is larger than the internal message buffer (16384 bytes by default), the
|
|
|
|
latter overflows. The exploitability of this issue depends on whether the
|
|
|
|
application layer can be forced into sending such large packets. The issue
|
|
|
|
was independently reported by Tim Nordell via e-mail and by Florin Petriuc
|
2018-02-05 02:11:05 +01:00
|
|
|
and sjorsdewit on GitHub. Fix proposed by Florin Petriuc in #1022.
|
|
|
|
Fixes #707.
|
|
|
|
* Add a provision to prevent compiler optimizations breaking the time
|
|
|
|
constancy of mbedtls_ssl_safer_memcmp().
|
2017-07-05 16:40:17 +02:00
|
|
|
* Ensure that buffers are cleared after use if they contain sensitive data.
|
2017-07-06 18:17:43 +02:00
|
|
|
Changes were introduced in multiple places in the library.
|
2017-09-05 14:34:35 +02:00
|
|
|
* Set PEM buffer to zero before freeing it, to avoid decoded private keys
|
|
|
|
being leaked to memory after release.
|
2017-09-20 16:33:24 +02:00
|
|
|
* Fix dhm_check_range() failing to detect trivial subgroups and potentially
|
|
|
|
leaking 1 bit of the private key. Reported by prashantkspatil.
|
2018-02-05 02:11:05 +01:00
|
|
|
* Make mbedtls_mpi_read_binary() constant-time with respect to the input
|
|
|
|
data. Previously, trailing zero bytes were detected and omitted for the
|
|
|
|
sake of saving memory, but potentially leading to slight timing
|
|
|
|
differences. Reported by Marco Macchetti, Kudelski Group.
|
2017-10-19 11:10:18 +02:00
|
|
|
* Wipe stack buffer temporarily holding EC private exponent
|
|
|
|
after keypair generation.
|
2018-02-05 02:11:05 +01:00
|
|
|
* Fix a potential heap buffer over-read in ALPN extension parsing
|
2018-01-09 10:43:43 +01:00
|
|
|
(server-side). Could result in application crash, but only if an ALPN
|
|
|
|
name larger than 16 bytes had been configured on the server.
|
2017-10-13 17:54:58 +02:00
|
|
|
* Change default choice of DHE parameters from untrustworthy RFC 5114
|
|
|
|
to RFC 3526 containing parameters generated in a nothing-up-my-sleeve
|
|
|
|
manner.
|
2017-10-17 19:01:38 +02:00
|
|
|
|
2017-10-10 20:10:46 +02:00
|
|
|
Features
|
|
|
|
* Allow comments in test data files.
|
2017-12-15 15:01:27 +01:00
|
|
|
* The selftest program can execute a subset of the tests based on command
|
|
|
|
line arguments.
|
2017-10-27 18:42:32 +02:00
|
|
|
* Improve the timing self-tests to be more robust when run on a
|
|
|
|
heavily-loaded machine.
|
2017-10-10 20:10:46 +02:00
|
|
|
|
2017-07-05 14:27:17 +02:00
|
|
|
Bugfix
|
2017-10-19 17:46:14 +02:00
|
|
|
* Fix some invalid RSA-PSS signatures with keys of size 8N+1 that were
|
|
|
|
accepted. Generating these signatures required the private key.
|
2017-07-05 14:27:17 +02:00
|
|
|
* Fix ssl_parse_record_header() to silently discard invalid DTLS records
|
|
|
|
as recommended in RFC 6347 Section 4.1.2.7.
|
2017-10-01 00:51:44 +02:00
|
|
|
* Fix memory leak in mbedtls_ssl_set_hostname() when called multiple times.
|
|
|
|
Found by projectgus and jethrogb, #836.
|
2017-10-02 20:12:54 +02:00
|
|
|
* Fix usage help in ssl_server2 example. Found and fixed by Bei Lin.
|
2017-10-03 14:58:26 +02:00
|
|
|
* Parse signature algorithm extension when renegotiating. Previously,
|
|
|
|
renegotiated handshakes would only accept signatures using SHA-1
|
|
|
|
regardless of the peer's preferences, or fail if SHA-1 was disabled.
|
2016-11-21 16:38:02 +01:00
|
|
|
* Fix leap year calculation in x509_date_is_valid() to ensure that invalid
|
|
|
|
dates on leap years with 100 and 400 intervals are handled correctly. Found
|
|
|
|
by Nicholas Wilson. #694
|
2017-09-28 17:20:54 +02:00
|
|
|
* Fix out-of-memory problem when parsing 4096-bit PKCS8-encrypted RSA keys.
|
|
|
|
Found independently by Florian in the mbed TLS forum and by Mishamax.
|
|
|
|
#878, #1019.
|
2017-02-22 17:23:26 +01:00
|
|
|
* Fix unchecked return codes from AES, DES and 3DES functions in
|
|
|
|
pem_aes_decrypt(), pem_des_decrypt() and pem_des3_decrypt() respectively.
|
|
|
|
If a call to one of the functions of the cryptographic primitive modules
|
|
|
|
failed, the error may not be noticed by the function
|
|
|
|
mbedtls_pem_read_buffer() causing it to return invalid values. Found by
|
|
|
|
Guido Vranken. #756
|
2017-08-22 13:50:14 +02:00
|
|
|
* Include configuration file in md.h, to fix compilation warnings.
|
|
|
|
Reported by aaronmdjones in #1001
|
2017-09-28 15:37:48 +02:00
|
|
|
* Correct extraction of signature-type from PK instance in X.509 CRT and CSR
|
|
|
|
writing routines that prevented these functions to work with alternative
|
|
|
|
RSA implementations. Raised by J.B. in the Mbed TLS forum. Fixes #1011.
|
2017-10-05 10:08:06 +02:00
|
|
|
* Don't print X.509 version tag for v1 CRT's, and omit extensions for
|
|
|
|
non-v3 CRT's.
|
2017-11-28 18:33:50 +01:00
|
|
|
* Fix bugs in RSA test suite under MBEDTLS_NO_PLATFORM_ENTROPY. #1023 #1024
|
2018-02-05 02:11:05 +01:00
|
|
|
* Fix net_would_block() to avoid modification by errno through fcntl() call.
|
2017-05-04 14:39:22 +02:00
|
|
|
Found by nkolban. Fixes #845.
|
2018-02-05 02:11:05 +01:00
|
|
|
* Fix handling of handshake messages in mbedtls_ssl_read() in case
|
2017-10-24 12:56:58 +02:00
|
|
|
MBEDTLS_SSL_RENEGOTIATION is disabled. Found by erja-gp.
|
2018-02-05 02:11:05 +01:00
|
|
|
* Add a check for invalid private parameters in ecdsa_sign().
|
2017-11-20 18:11:17 +01:00
|
|
|
Reported by Yolan Romailler.
|
2017-12-04 17:29:28 +01:00
|
|
|
* Fix word size check in in pk.c to not depend on MBEDTLS_HAVE_INT64.
|
2017-09-18 12:07:25 +02:00
|
|
|
* Add size-checks for record and handshake message content, securing
|
|
|
|
fragile yet non-exploitable code-paths.
|
2017-10-17 17:15:41 +02:00
|
|
|
* Fix crash when calling mbedtls_ssl_cache_free() twice. Found by
|
|
|
|
MilenkoMitrovic, #1104
|
2018-01-29 10:16:30 +01:00
|
|
|
* Fix mbedtls_timing_alarm(0) on Unix and MinGw.
|
2018-02-05 02:11:05 +01:00
|
|
|
* Fix use of uninitialized memory in mbedtls_timing_get_timer() when reset=1.
|
2018-01-10 11:48:53 +01:00
|
|
|
* Fix issue in RSA key generation program programs/x509/rsa_genkey
|
|
|
|
where the failure of CTR DRBG initialization lead to freeing an
|
|
|
|
RSA context without proper initialization beforehand.
|
2018-02-05 02:11:05 +01:00
|
|
|
* Fix an issue in the cipher decryption with the mode
|
|
|
|
MBEDTLS_PADDING_ONE_AND_ZEROS that sometimes accepted invalid padding.
|
|
|
|
Note, this padding mode is not used by the TLS protocol. Found and fixed by
|
|
|
|
Micha Kraus.
|
2017-10-05 10:08:06 +02:00
|
|
|
|
|
|
|
Changes
|
|
|
|
* Extend cert_write example program by options to set the CRT version
|
|
|
|
and the message digest. Further, allow enabling/disabling of authority
|
|
|
|
identifier, subject identifier and basic constraints extensions.
|
2017-10-06 13:29:50 +02:00
|
|
|
* Add explicit warnings for the use of MD2, MD4, MD5, SHA-1, DES and ARC4
|
|
|
|
throughout the library.
|
2017-07-05 14:27:17 +02:00
|
|
|
|
2017-08-10 12:51:47 +02:00
|
|
|
= mbed TLS 2.1.9 branch released 2017-08-10
|
2017-07-20 00:30:44 +02:00
|
|
|
|
2017-07-20 00:30:44 +02:00
|
|
|
Security
|
2017-08-10 11:48:33 +02:00
|
|
|
* Fix authentication bypass in SSL/TLS: when authmode is set to optional,
|
2017-07-20 00:30:44 +02:00
|
|
|
mbedtls_ssl_get_verify_result() would incorrectly return 0 when the peer's
|
|
|
|
X.509 certificate chain had more than MBEDTLS_X509_MAX_INTERMEDIATE_CA
|
2017-08-10 11:48:33 +02:00
|
|
|
(default: 8) intermediates, even when it was not trusted. This could be
|
|
|
|
triggered remotely from either side. (With authmode set to 'required'
|
|
|
|
(the default), the handshake was correctly aborted).
|
|
|
|
* Reliably zeroize sensitive data after use in AES example applications
|
2017-06-27 09:26:53 +02:00
|
|
|
programs/aes/aescrypt2 and programs/aes/crypt_and_hash.
|
|
|
|
Found by Laurent Simon.
|
2017-07-20 00:30:44 +02:00
|
|
|
|
|
|
|
API Changes
|
|
|
|
* Certificate verification functions now set flags to -1 in case the full
|
|
|
|
chain was not verified due to an internal error (including in the verify
|
|
|
|
callback) or chain length limitations.
|
2017-08-10 11:48:33 +02:00
|
|
|
* With authmode set to optional, the TLS handshake is now aborted if the
|
2017-07-20 00:30:44 +02:00
|
|
|
verification of the peer's certificate failed due to an overlong chain or
|
2017-08-10 11:48:33 +02:00
|
|
|
a fatal error in the verify callback.
|
2017-07-20 00:30:44 +02:00
|
|
|
|
2017-07-20 00:30:44 +02:00
|
|
|
Bugfix
|
2017-08-10 11:48:33 +02:00
|
|
|
* Add a check if iv_len is zero in GCM, and return an error if it is zero.
|
|
|
|
Reported by roberto. #716
|
|
|
|
* Replace preprocessor condition from #if defined(MBEDTLS_THREADING_PTHREAD)
|
2017-01-09 18:27:59 +01:00
|
|
|
to #if defined(MBEDTLS_THREADING_C) as the library cannot assume they will
|
|
|
|
always be implemented by pthread support. Fix for #696
|
2017-08-10 11:48:33 +02:00
|
|
|
* Fix a resource leak on Windows platforms in mbedtls_x509_crt_parse_path(),
|
|
|
|
in the case of an error. Found by redplait. #590
|
2017-01-12 13:50:50 +01:00
|
|
|
* Add MBEDTLS_MPI_CHK to check for error value of mbedtls_mpi_fill_random.
|
|
|
|
Reported and fix suggested by guidovranken in #740
|
2017-02-10 15:39:58 +01:00
|
|
|
* Fix a potential integer overflow in the version verification for DER
|
|
|
|
encoded X509 CRLs. The overflow would enable maliciously constructed CRLs
|
|
|
|
to bypass the version verification check. Found by Peng Li/Yueh-Hsun Lin,
|
|
|
|
KNOX Security, Samsung Research America
|
2017-02-17 14:54:43 +01:00
|
|
|
* Fix a potential integer overflow in the version verification for DER
|
|
|
|
encoded X509 certificates. The overflow would enable maliciously
|
|
|
|
constructed certificates to bypass the certificate verification check.
|
|
|
|
* Fix potential integer overflow in the version verification for DER
|
|
|
|
encoded X509 CSRs. The overflow would enable maliciously constructed CSRs
|
|
|
|
to bypass the version verification check. Found by Peng Li/Yueh-Hsun Lin,
|
|
|
|
KNOX Security, Samsung Research America
|
2017-06-22 12:19:27 +02:00
|
|
|
|
2017-07-27 16:43:32 +02:00
|
|
|
Changes
|
|
|
|
* Avoid shadowing of time and index functions through mbed TLS function
|
|
|
|
arguments. Found by inestlerode. Fixes #557.
|
2017-08-01 23:59:01 +02:00
|
|
|
* Improve documentation of PKCS1 decryption functions.
|
2017-07-27 16:43:32 +02:00
|
|
|
|
2017-07-20 00:30:44 +02:00
|
|
|
= mbed TLS 2.1.8 branch released 2017-06-21
|
2017-05-14 00:00:05 +02:00
|
|
|
|
2017-03-23 11:41:56 +01:00
|
|
|
Security
|
2017-06-09 12:30:33 +02:00
|
|
|
* Fixed unlimited overread of heap-based buffer in mbedtls_ssl_read().
|
|
|
|
The issue could only happen client-side with renegotiation enabled.
|
|
|
|
Could result in DoS (application crash) or information leak
|
|
|
|
(if the application layer sent data read from mbedtls_ssl_read()
|
|
|
|
back to the server or to a third party). Can be triggered remotely.
|
2017-03-23 11:41:56 +01:00
|
|
|
* Add exponent blinding to RSA private operations as a countermeasure
|
|
|
|
against side-channel attacks like the cache attack described in
|
|
|
|
https://arxiv.org/abs/1702.08719v2.
|
|
|
|
Found and fix proposed by Michael Schwarz, Samuel Weiser, Daniel Gruss,
|
|
|
|
Clémentine Maurice and Stefan Mangard.
|
2017-03-23 14:37:37 +01:00
|
|
|
* Wipe stack buffers in RSA private key operations
|
2017-06-16 15:04:08 +02:00
|
|
|
(rsa_rsaes_pkcs1_v15_decrypt(), rsa_rsaes_oaep_decrypt). Found by Laurent
|
|
|
|
Simon.
|
2017-05-12 13:16:40 +02:00
|
|
|
* Removed SHA-1 and RIPEMD-160 from the default hash algorithms for
|
|
|
|
certificate verification. SHA-1 can be turned back on with a compile-time
|
|
|
|
option if needed.
|
2017-05-16 17:53:03 +02:00
|
|
|
* Fixed offset in FALLBACK_SCSV parsing that caused TLS server to fail to
|
|
|
|
detect it sometimes. Reported by Hugo Leisink. #810
|
2017-05-11 12:49:51 +02:00
|
|
|
* Tighten parsing of RSA PKCS#1 v1.5 signatures, to avoid a
|
|
|
|
potential Bleichenbacher/BERserk-style attack.
|
2017-03-23 11:41:56 +01:00
|
|
|
|
2017-05-14 00:00:05 +02:00
|
|
|
Bugfix
|
2017-05-02 17:01:20 +02:00
|
|
|
* Remove macros from compat-1.3.h that correspond to deleted items from most
|
|
|
|
recent versions of the library. Found by Kyle Keen.
|
2017-06-16 15:04:08 +02:00
|
|
|
* Fixed issue in the Threading module that prevented mutexes from
|
|
|
|
initialising. Found by sznaider. #667 #843
|
2017-04-28 18:15:26 +02:00
|
|
|
* Fix insufficient support for signature-hash-algorithm extension,
|
|
|
|
resulting in compatibility problems with Chrome. Found by hfloyrd. #823
|
2017-05-08 17:31:14 +02:00
|
|
|
* Accept empty trusted CA chain in authentication mode
|
2017-06-16 15:04:08 +02:00
|
|
|
MBEDTLS_SSL_VERIFY_OPTIONAL. Found by jethrogb. #864
|
|
|
|
* Fix implementation of mbedtls_ssl_parse_certificate() to not annihilate
|
2017-07-27 16:10:21 +02:00
|
|
|
fatal errors in authentication mode MBEDTLS_SSL_VERIFY_OPTIONAL and to
|
2017-06-16 15:04:08 +02:00
|
|
|
reflect bad EC curves within verification result.
|
|
|
|
* Fix bug that caused the modular inversion function to accept the invalid
|
|
|
|
modulus 1 and therefore to hang. Found by blaufish. #641.
|
|
|
|
* Fix incorrect sign computation in modular exponentiation when the base is
|
|
|
|
a negative MPI. Previously the result was always negative. Found by Guido
|
|
|
|
Vranken.
|
|
|
|
* Fix a numerical underflow leading to stack overflow in mpi_read_file()
|
|
|
|
that was triggered uppon reading an empty line. Found by Guido Vranken.
|
2017-05-14 00:00:05 +02:00
|
|
|
|
2017-03-10 12:31:41 +01:00
|
|
|
Changes
|
|
|
|
* Clarify ECDSA documentation and improve the sample code to avoid
|
2017-06-16 15:04:08 +02:00
|
|
|
misunderstanding and potentially dangerous use of the API. Pointed out
|
2017-03-10 12:31:41 +01:00
|
|
|
by Jean-Philippe Aumasson.
|
|
|
|
|
2017-03-08 17:29:31 +01:00
|
|
|
= mbed TLS 2.1.7 branch released 2017-03-08
|
2016-10-24 12:23:36 +02:00
|
|
|
|
2017-01-19 12:24:33 +01:00
|
|
|
Security
|
2017-02-26 03:01:22 +01:00
|
|
|
* Add checks to prevent signature forgeries for very large messages while
|
|
|
|
using RSA through the PK module in 64-bit systems. The issue was caused by
|
|
|
|
some data loss when casting a size_t to an unsigned int value in the
|
|
|
|
functions rsa_verify_wrap(), rsa_sign_wrap(), rsa_alt_sign_wrap() and
|
|
|
|
mbedtls_pk_sign(). Found by Jean-Philippe Aumasson.
|
2016-12-08 18:08:44 +01:00
|
|
|
* Fixed potential livelock during the parsing of a CRL in PEM format in
|
|
|
|
mbedtls_x509_crl_parse(). A string containing a CRL followed by trailing
|
|
|
|
characters after the footer could result in the execution of an infinite
|
|
|
|
loop. The issue can be triggered remotely. Found by Greg Zaverucha,
|
|
|
|
Microsoft.
|
2017-01-27 17:05:20 +01:00
|
|
|
* Fixed a bug that caused freeing a buffer that was allocated on the stack,
|
|
|
|
when verifying the validity of a key on secp224k1. This could be
|
|
|
|
triggered remotely for example with a maliciously constructed certificate
|
2017-02-28 19:47:27 +01:00
|
|
|
and potentially could lead to remote code execution on some platforms.
|
2017-03-07 13:37:14 +01:00
|
|
|
Reported independently by rongsaws and Aleksandar Nikolic, Cisco Talos
|
|
|
|
team. #569 CVE-2017-2784
|
2017-01-19 12:24:33 +01:00
|
|
|
|
2016-10-24 12:23:36 +02:00
|
|
|
Bugfix
|
2016-12-09 18:26:23 +01:00
|
|
|
* Fix output certificate verification flags set by x509_crt_verify_top() when
|
|
|
|
traversing a chain of trusted CA. The issue would cause both flags,
|
|
|
|
MBEDTLS_X509_BADCERT_NOT_TRUSTED and MBEDTLS_X509_BADCERT_EXPIRED, to be
|
|
|
|
set when the verification conditions are not met regardless of the cause.
|
|
|
|
Found by Harm Verhagen and inestlerode. #665 #561
|
2017-02-02 14:08:37 +01:00
|
|
|
* Fix the redefinition of macro ssl_set_bio to an undefined symbol
|
|
|
|
mbedtls_ssl_set_bio_timeout in compat-1.3.h, by removing it.
|
|
|
|
Found by omlib-lin. #673
|
2016-12-07 16:05:53 +01:00
|
|
|
* Fix unused variable/function compilation warnings in pem.c and x509_csr.c
|
|
|
|
that are reported when building mbed TLS with a config.h that does not
|
2017-02-02 17:36:59 +01:00
|
|
|
define MBEDTLS_PEM_PARSE_C. Found by omnium21. #562
|
2016-12-15 18:01:16 +01:00
|
|
|
* Fix incorrect renegotiation condition in ssl_check_ctr_renegotiate() that
|
|
|
|
would compare 64 bits of the record counter instead of 48 bits as indicated
|
|
|
|
in RFC 6347 Section 4.3.1. This could cause the execution of the
|
|
|
|
renegotiation routines at unexpected times when the protocol is DTLS. Found
|
|
|
|
by wariua. #687
|
2016-10-24 12:23:36 +02:00
|
|
|
* Fixed multiple buffer overreads in mbedtls_pem_read_buffer() when parsing
|
2016-10-24 15:31:54 +02:00
|
|
|
the input string in PEM format to extract the different components. Found
|
2016-10-24 12:23:36 +02:00
|
|
|
by Eyal Itkin.
|
2017-01-18 00:24:02 +01:00
|
|
|
* Fixed potential arithmetic overflow in mbedtls_ctr_drbg_reseed() that could
|
|
|
|
cause buffer bound checks to be bypassed. Found by Eyal Itkin.
|
|
|
|
* Fixed potential arithmetic overflows in mbedtls_cipher_update() that could
|
|
|
|
cause buffer bound checks to be bypassed. Found by Eyal Itkin.
|
|
|
|
* Fixed potential arithmetic overflow in mbedtls_md2_update() that could
|
|
|
|
cause buffer bound checks to be bypassed. Found by Eyal Itkin.
|
2017-01-18 18:21:03 +01:00
|
|
|
* Fixed potential arithmetic overflow in mbedtls_base64_decode() that could
|
|
|
|
cause buffer bound checks to be bypassed. Found by Eyal Itkin.
|
2017-02-03 13:36:59 +01:00
|
|
|
* Fixed heap overreads in mbedtls_x509_get_time(). Found by Peng
|
|
|
|
Li/Yueh-Hsun Lin, KNOX Security, Samsung Research America.
|
2016-12-08 18:19:21 +01:00
|
|
|
* Fix potential memory leak in mbedtls_x509_crl_parse(). The leak was caused
|
|
|
|
by missing calls to mbedtls_pem_free() in cases when a
|
2017-02-28 17:36:22 +01:00
|
|
|
MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT error was encountered. Found and
|
|
|
|
fix proposed by Guido Vranken. #722
|
2017-03-02 10:18:09 +01:00
|
|
|
* Fixed the templates used to generate project and solution files for Visual
|
|
|
|
Studio 2015 as well as the files themselves, to remove a build warning
|
|
|
|
generated in Visual Studio 2015. Reported by Steve Valliere. #742
|
2017-01-29 17:51:35 +01:00
|
|
|
* Fix a resource leak in ssl_cookie, when using MBEDTLS_THREADING_C.
|
|
|
|
Raised and fix suggested by Alan Gillingham in the mbed TLS forum. #771
|
2017-01-06 14:17:35 +01:00
|
|
|
* Fix 1 byte buffer overflow in mbedtls_mpi_write_string() when the MPI
|
|
|
|
number to write in hexadecimal is negative and requires an odd number of
|
|
|
|
digits. Found and fixed by Guido Vranken.
|
2017-03-07 20:35:49 +01:00
|
|
|
* Fix unlisted DES configuration dependency in some pkparse test cases. Found
|
|
|
|
by inestlerode. #555
|
2016-10-24 12:23:36 +02:00
|
|
|
|
2016-10-17 16:44:26 +02:00
|
|
|
= mbed TLS 2.1.6 branch released 2016-10-17
|
2016-09-02 16:23:48 +02:00
|
|
|
|
|
|
|
Security
|
2016-10-16 01:18:54 +02:00
|
|
|
* Removed the MBEDTLS_SSL_AEAD_RANDOM_IV option, because it was not compliant
|
|
|
|
with RFC-5116 and could lead to session key recovery in very long TLS
|
|
|
|
sessions. "Nonce-Disrespecting Adversaries Practical Forgery Attacks on GCM in
|
|
|
|
TLS" - H. Bock, A. Zauner, S. Devlin, J. Somorovsky, P. Jovanovic.
|
|
|
|
https://eprint.iacr.org/2016/475.pdf
|
|
|
|
* Fixed potential stack corruption in mbedtls_x509write_crt_der() and
|
2016-09-02 16:23:48 +02:00
|
|
|
mbedtls_x509write_csr_der() when the signature is copied to the buffer
|
2016-09-07 12:09:44 +02:00
|
|
|
without checking whether there is enough space in the destination. The
|
2016-10-16 01:18:54 +02:00
|
|
|
issue cannot be triggered remotely. Found by Jethro Beekman.
|
2016-02-19 16:58:21 +01:00
|
|
|
|
|
|
|
Bugfix
|
|
|
|
* Fix an issue that caused valid certificates being rejected whenever an
|
2016-09-02 23:10:39 +02:00
|
|
|
expired or not yet valid version of the trusted certificate was before the
|
|
|
|
valid version in the trusted certificate list.
|
2016-10-16 01:18:54 +02:00
|
|
|
* Fix incorrect handling of block lengths in crypt_and_hash.c sample program,
|
|
|
|
when GCM is used. Found by udf2457. #441
|
2016-09-05 08:02:42 +02:00
|
|
|
* Fix for key exchanges based on ECDH-RSA or ECDH-ECDSA which weren't
|
|
|
|
enabled unless others were also present. Found by David Fernandez. #428
|
2016-10-16 01:18:54 +02:00
|
|
|
* Fixed cert_app.c sample program for debug output and for use when no root
|
2016-09-26 21:51:34 +02:00
|
|
|
certificates are provided.
|
2016-09-26 10:52:41 +02:00
|
|
|
* Fix conditional statement that would cause a 1 byte overread in
|
2016-10-12 17:37:59 +02:00
|
|
|
mbedtls_asn1_get_int(). Found and fixed by Guido Vranken. #599
|
|
|
|
* Fixed pthread implementation to avoid unintended double initialisations
|
2016-10-16 01:18:54 +02:00
|
|
|
and double frees. Found by Niklas Amnebratt.
|
2016-10-07 16:56:07 +02:00
|
|
|
* Fixed the sample applications gen_key.c, cert_req.c and cert_write.c for
|
|
|
|
builds where the configuration MBEDTLS_PEM_WRITE_C is not defined. Found
|
|
|
|
by inestlerode. #559.
|
2016-10-13 16:27:09 +02:00
|
|
|
* Fix mbedtls_x509_get_sig() to update the ASN1 type in the mbedtls_x509_buf
|
|
|
|
data structure until after error checks are successful. Found by
|
|
|
|
subramanyam-c. #622
|
2016-09-26 11:09:30 +02:00
|
|
|
* Fix documentation and implementation missmatch for function arguments of
|
2016-10-12 20:47:29 +02:00
|
|
|
mbedtls_gcm_finish(). Found by cmiatpaar. #602
|
2016-10-13 01:14:37 +02:00
|
|
|
* Guarantee that P>Q at RSA key generation. Found by inestlerode. #558
|
2016-09-26 15:53:05 +02:00
|
|
|
* Fix potential byte overread when verifying malformed SERVER_HELLO in
|
|
|
|
ssl_parse_hello_verify_request() for DTLS. Found by Guido Vranken.
|
2016-09-23 14:16:02 +02:00
|
|
|
* Fix check for validity of date when parsing in mbedtls_x509_get_time().
|
2016-10-13 17:30:19 +02:00
|
|
|
Found by subramanyam-c. #626
|
2016-09-05 15:03:20 +02:00
|
|
|
* Fix missing return code check after call to mbedtls_md_setup() that could
|
|
|
|
result in usage of invalid md_ctx in mbedtls_rsa_rsaes_oaep_encrypt(),
|
|
|
|
mbedtls_rsa_rsaes_oaep_decrypt(), mbedtls_rsa_rsassa_pss_sign() and
|
2016-10-14 02:04:51 +02:00
|
|
|
mbedtls_rsa_rsassa_pss_verify_ext(). Fixed by Brian J. Murray. #502
|
2016-02-19 16:58:21 +01:00
|
|
|
|
2016-06-27 20:49:04 +02:00
|
|
|
= mbed TLS 2.1.5 branch released 2016-06-28
|
2016-01-07 13:26:11 +01:00
|
|
|
|
2016-02-10 17:14:10 +01:00
|
|
|
Security
|
2017-07-27 16:10:21 +02:00
|
|
|
* Fix missing padding length check in mbedtls_rsa_rsaes_pkcs1_v15_decrypt
|
2016-02-10 17:14:10 +01:00
|
|
|
required by PKCS1 v2.2
|
2017-07-27 16:10:21 +02:00
|
|
|
* Fix a potential integer underflow to buffer overread in
|
2016-02-11 12:15:44 +01:00
|
|
|
mbedtls_rsa_rsaes_oaep_decrypt. It is not triggerable remotely in
|
|
|
|
SSL/TLS.
|
2016-02-10 17:25:55 +01:00
|
|
|
* Fix potential integer overflow to buffer overflow in
|
|
|
|
mbedtls_rsa_rsaes_pkcs1_v15_encrypt and mbedtls_rsa_rsaes_oaep_encrypt
|
|
|
|
|
2016-01-07 13:26:11 +01:00
|
|
|
Bugfix
|
|
|
|
* Fix bug in mbedtls_mpi_add_mpi() that caused wrong results when the three
|
|
|
|
arguments where the same (in-place doubling). Found and fixed by Janos
|
2016-01-07 13:06:51 +01:00
|
|
|
Follath. #309
|
|
|
|
* Fix issue in Makefile that prevented building using armar. #386
|
2016-02-17 15:34:12 +01:00
|
|
|
* Fix bug in mbedtls_x509_crt_parse that caused trailing extra data in the
|
|
|
|
buffer after DER certificates to be included in the raw representation.
|
2016-04-15 20:06:59 +02:00
|
|
|
* Fix issue that caused a hang when generating RSA keys of odd bitlength
|
2016-03-18 12:45:44 +01:00
|
|
|
* Fix bug in mbedtls_rsa_rsaes_pkcs1_v15_encrypt that made null pointer
|
|
|
|
dereference possible.
|
2016-04-22 00:37:09 +02:00
|
|
|
* Fix issue that caused a crash if invalid curves were passed to
|
|
|
|
mbedtls_ssl_conf_curves. #373
|
2016-04-29 01:15:34 +02:00
|
|
|
* Fix issue in ssl_fork_server which was preventing it from functioning. #429
|
2016-01-07 13:26:11 +01:00
|
|
|
|
2016-01-08 14:29:11 +01:00
|
|
|
Changes
|
|
|
|
* On ARM platforms, when compiling with -O0 with GCC, Clang or armcc5,
|
|
|
|
don't use the optimized assembly for bignum multiplication. This removes
|
|
|
|
the need to pass -fomit-frame-pointer to avoid a build error with -O0.
|
2016-05-23 15:27:02 +02:00
|
|
|
* Fix non-compliance server extension handling. Extensions for SSLv3 are now
|
|
|
|
ignored, as required by RFC6101.
|
2016-01-08 14:29:11 +01:00
|
|
|
|
2016-01-04 23:41:11 +01:00
|
|
|
= mbed TLS 2.1.4 released 2016-01-05
|
2015-12-16 02:51:01 +01:00
|
|
|
|
2015-12-10 10:50:51 +01:00
|
|
|
Security
|
|
|
|
* Fix potential double free when mbedtls_asn1_store_named_data() fails to
|
|
|
|
allocate memory. Only used for certificate generation, not triggerable
|
|
|
|
remotely in SSL/TLS. Found by Rafał Przywara. #367
|
2016-01-07 13:18:01 +01:00
|
|
|
* Disable MD5 handshake signatures in TLS 1.2 by default to prevent the
|
|
|
|
SLOTH attack on TLS 1.2 server authentication (other attacks from the
|
|
|
|
SLOTH paper do not apply to any version of mbed TLS or PolarSSL).
|
|
|
|
https://www.mitls.org/pages/attacks/SLOTH
|
2015-12-10 10:50:51 +01:00
|
|
|
|
2015-12-10 14:46:25 +01:00
|
|
|
Bugfix
|
2015-12-22 20:38:55 +01:00
|
|
|
* Fix over-restrictive length limit in GCM. Found by Andreas-N. #362
|
2015-11-19 09:23:06 +01:00
|
|
|
* Fix bug in certificate validation that caused valid chains to be rejected
|
|
|
|
when the first intermediate certificate has pathLenConstraint=0. Found by
|
2016-01-04 23:41:11 +01:00
|
|
|
Nicholas Wilson. Introduced in mbed TLS 2.1.3. #280
|
2016-01-01 22:42:47 +01:00
|
|
|
* Removed potential leak in mbedtls_rsa_rsassa_pkcs1_v15_sign(), found by
|
|
|
|
JayaraghavendranK. #372
|
2016-01-04 17:36:44 +01:00
|
|
|
* Fix suboptimal handling of unexpected records that caused interop issues
|
|
|
|
with some peers over unreliable links. Avoid dropping an entire DTLS
|
|
|
|
datagram if a single record in a datagram is unexpected, instead only
|
|
|
|
drop the record and look at subsequent records (if any are present) in
|
|
|
|
the same datagram. Found by jeannotlapin. #345
|
2015-12-16 02:51:01 +01:00
|
|
|
|
2015-11-04 23:08:33 +01:00
|
|
|
= mbed TLS 2.1.3 released 2015-11-04
|
2015-10-27 10:24:54 +01:00
|
|
|
|
2015-10-30 09:35:03 +01:00
|
|
|
Security
|
2015-10-20 19:56:45 +02:00
|
|
|
* Fix potential double free if mbedtls_ssl_conf_psk() is called more than
|
|
|
|
once and some allocation fails. Cannot be forced remotely. Found by Guido
|
|
|
|
Vranken, Intelworks.
|
2015-10-21 10:16:29 +02:00
|
|
|
* Fix potential heap corruption on Windows when
|
|
|
|
mbedtls_x509_crt_parse_path() is passed a path longer than 2GB. Cannot be
|
2015-11-04 00:12:36 +01:00
|
|
|
triggered remotely. Found by Guido Vranken, Intelworks.
|
2015-10-21 12:07:47 +02:00
|
|
|
* Fix potential buffer overflow in some asn1_write_xxx() functions.
|
|
|
|
Cannot be triggered remotely unless you create X.509 certificates based
|
|
|
|
on untrusted input or write keys of untrusted origin. Found by Guido
|
2015-11-04 00:12:36 +01:00
|
|
|
Vranken, Intelworks.
|
2015-10-30 09:35:03 +01:00
|
|
|
* The X509 max_pathlen constraint was not enforced on intermediate
|
|
|
|
certificates. Found by Nicholas Wilson, fix and tests provided by
|
|
|
|
Janos Follath. #280 and #319
|
|
|
|
|
2015-10-09 15:47:17 +02:00
|
|
|
Bugfix
|
2015-10-30 09:35:03 +01:00
|
|
|
* Self-signed certificates were not excluded from pathlen counting,
|
|
|
|
resulting in some valid X.509 being incorrectly rejected. Found and fix
|
|
|
|
provided by Janos Follath. #319
|
2015-10-09 15:47:17 +02:00
|
|
|
* Fix build error with configurations where ECDHE-PSK is the only key
|
|
|
|
exchange. Found and fix provided by Chris Hammond. #270
|
2015-10-22 17:01:15 +02:00
|
|
|
* Fix build error with configurations where RSA, RSA-PSK, ECDH-RSA or
|
|
|
|
ECHD-ECDSA if the only key exchange. Multiple reports. #310
|
2015-10-28 13:55:28 +01:00
|
|
|
* Fixed a bug causing some handshakes to fail due to some non-fatal alerts
|
|
|
|
not being properly ignored. Found by mancha and Kasom Koht-arsa, #308
|
2015-10-23 14:08:48 +02:00
|
|
|
* mbedtls_x509_crt_verify(_with_profile)() now also checks the key type and
|
|
|
|
size/curve against the profile. Before that, there was no way to set a
|
|
|
|
minimum key size for end-entity certificates with RSA keys. Found by
|
2015-10-28 13:55:28 +01:00
|
|
|
Matthew Page of Scannex Electronics Ltd.
|
2015-10-21 14:52:24 +02:00
|
|
|
* Fix failures in MPI on Sparc(64) due to use of bad assembly code.
|
|
|
|
Found by Kurt Danielson. #292
|
2015-10-21 16:40:29 +02:00
|
|
|
* Fix typo in name of the extKeyUsage OID. Found by inestlerode, #314
|
2015-11-01 22:00:02 +01:00
|
|
|
* Fix bug in ASN.1 encoding of booleans that caused generated CA
|
|
|
|
certificates to be rejected by some applications, including OS X
|
|
|
|
Keychain. Found and fixed by Jonathan Leroy, Inikup.
|
2015-10-23 11:13:28 +02:00
|
|
|
|
|
|
|
Changes
|
|
|
|
* Improved performance of mbedtls_ecp_muladd() when one of the scalars is 1
|
|
|
|
or -1.
|
2015-10-09 15:47:17 +02:00
|
|
|
|
|
|
|
= mbed TLS 2.1.2 released 2015-10-06
|
|
|
|
|
2015-09-29 01:31:09 +02:00
|
|
|
Security
|
2015-10-05 19:21:34 +02:00
|
|
|
* Added fix for CVE-2015-5291 to prevent heap corruption due to buffer
|
2015-10-05 11:18:17 +02:00
|
|
|
overflow of the hostname or session ticket. Found by Guido Vranken,
|
|
|
|
Intelworks.
|
2015-10-04 23:06:51 +02:00
|
|
|
* Fix potential double-free if mbedtls_ssl_set_hs_psk() is called more than
|
|
|
|
once in the same handhake and mbedtls_ssl_conf_psk() was used.
|
2015-10-05 11:18:17 +02:00
|
|
|
Found and patch provided by Guido Vranken, Intelworks. Cannot be forced
|
|
|
|
remotely.
|
2015-09-28 18:34:48 +02:00
|
|
|
* Fix stack buffer overflow in pkcs12 decryption (used by
|
|
|
|
mbedtls_pk_parse_key(file)() when the password is > 129 bytes.
|
2015-10-05 11:18:17 +02:00
|
|
|
Found by Guido Vranken, Intelworks. Not triggerable remotely.
|
2015-09-28 13:48:04 +02:00
|
|
|
* Fix potential buffer overflow in mbedtls_mpi_read_string().
|
2015-10-05 11:18:17 +02:00
|
|
|
Found by Guido Vranken, Intelworks. Not exploitable remotely in the context
|
|
|
|
of TLS, but might be in other uses. On 32 bit machines, requires reading a
|
|
|
|
string of close to or larger than 1GB to exploit; on 64 bit machines, would
|
|
|
|
require reading a string of close to or larger than 2^62 bytes.
|
2015-10-05 01:26:36 +02:00
|
|
|
* Fix potential random memory allocation in mbedtls_pem_read_buffer()
|
2015-10-05 11:18:17 +02:00
|
|
|
on crafted PEM input data. Found and fix provided by Guido Vranken,
|
|
|
|
Intelworks. Not triggerable remotely in TLS. Triggerable remotely if you
|
|
|
|
accept PEM data from an untrusted source.
|
|
|
|
* Fix possible heap buffer overflow in base64_encoded() when the input
|
|
|
|
buffer is 512MB or larger on 32-bit platforms. Found by Guido Vranken,
|
|
|
|
Intelworks. Not trigerrable remotely in TLS.
|
2015-09-28 18:09:45 +02:00
|
|
|
* Fix potential double-free if mbedtls_conf_psk() is called repeatedly on
|
2015-10-05 11:40:31 +02:00
|
|
|
the same mbedtls_ssl_config object and memory allocation fails. Found by
|
|
|
|
Guido Vranken, Intelworks. Cannot be forced remotely.
|
2015-10-02 11:16:47 +02:00
|
|
|
* Fix potential heap buffer overflow in servers that perform client
|
|
|
|
authentication against a crafted CA cert. Cannot be triggered remotely
|
|
|
|
unless you allow third parties to pick trust CAs for client auth.
|
2015-10-05 12:57:54 +02:00
|
|
|
Found by Guido Vranken, Intelworks.
|
2015-09-29 01:31:09 +02:00
|
|
|
|
2015-10-05 13:16:06 +02:00
|
|
|
Bugfix
|
|
|
|
* Fix compile error in net.c with musl libc. Found and patch provided by
|
|
|
|
zhasha (#278).
|
2015-10-05 16:44:18 +02:00
|
|
|
* Fix macroization of 'inline' keyword when building as C++. (#279)
|
2015-10-05 13:16:06 +02:00
|
|
|
|
2015-09-29 01:31:09 +02:00
|
|
|
Changes
|
|
|
|
* Added checking of hostname length in mbedtls_ssl_set_hostname() to ensure
|
|
|
|
domain names are compliant with RFC 1035.
|
2015-10-01 02:59:33 +02:00
|
|
|
* Fixed paths for check_config.h in example config files. (Found by bachp)
|
|
|
|
(#291)
|
2015-09-29 01:31:09 +02:00
|
|
|
|
2015-09-29 02:06:06 +02:00
|
|
|
= mbed TLS 2.1.1 released 2015-09-17
|
2015-07-19 15:01:28 +02:00
|
|
|
|
2015-09-03 20:03:15 +02:00
|
|
|
Security
|
|
|
|
* Add countermeasure against Lenstra's RSA-CRT attack for PKCS#1 v1.5
|
|
|
|
signatures. (Found by Florian Weimer, Red Hat.)
|
|
|
|
https://securityblog.redhat.com/2015/09/02/factoring-rsa-keys-with-tls-perfect-forward-secrecy/
|
2015-09-09 12:15:13 +02:00
|
|
|
* Fix possible client-side NULL pointer dereference (read) when the client
|
|
|
|
tries to continue the handshake after it failed (a misuse of the API).
|
2015-10-04 23:06:51 +02:00
|
|
|
(Found and patch provided by Fabian Foerg, Gotham Digital Science using
|
|
|
|
afl-fuzz.)
|
2015-09-09 12:15:13 +02:00
|
|
|
|
2015-09-14 22:30:40 +02:00
|
|
|
Bugfix
|
|
|
|
* Fix warning when using a 64bit platform. (found by embedthis) (#275)
|
2015-09-16 11:32:18 +02:00
|
|
|
* Fix off-by-one error in parsing Supported Point Format extension that
|
|
|
|
caused some handshakes to fail.
|
|
|
|
|
2015-09-11 21:00:20 +02:00
|
|
|
Changes
|
|
|
|
* Made X509 profile pointer const in mbedtls_ssl_conf_cert_profile() to allow
|
|
|
|
use of mbedtls_x509_crt_profile_next. (found by NWilson)
|
2015-09-08 15:12:45 +02:00
|
|
|
* When a client initiates a reconnect from the same port as a live
|
|
|
|
connection, if cookie verification is available
|
|
|
|
(MBEDTLS_SSL_DTLS_HELLO_VERIFY defined in config.h, and usable cookie
|
|
|
|
callbacks set with mbedtls_ssl_conf_dtls_cookies()), this will be
|
|
|
|
detected and mbedtls_ssl_read() will return
|
|
|
|
MBEDTLS_ERR_SSL_CLIENT_RECONNECT - it is then possible to start a new
|
|
|
|
handshake with the same context. (See RFC 6347 section 4.2.8.)
|
2015-09-11 21:00:20 +02:00
|
|
|
|
2015-09-09 12:15:13 +02:00
|
|
|
= mbed TLS 2.1.0 released 2015-09-04
|
2015-09-03 20:03:15 +02:00
|
|
|
|
2015-07-31 15:52:30 +02:00
|
|
|
Features
|
2015-09-04 14:38:26 +02:00
|
|
|
* Added support for yotta as a build system.
|
|
|
|
* Primary open source license changed to Apache 2.0 license.
|
2015-07-31 15:52:30 +02:00
|
|
|
|
2015-07-19 15:01:28 +02:00
|
|
|
Bugfix
|
|
|
|
* Fix segfault in the benchmark program when benchmarking DHM.
|
2015-07-19 16:00:04 +02:00
|
|
|
* Fix build error with CMake and pre-4.5 versions of GCC (found by Hugo
|
|
|
|
Leisink).
|
2015-07-23 12:14:13 +02:00
|
|
|
* Fix bug when parsing a ServerHello without extensions (found by David
|
|
|
|
Sears).
|
2015-07-27 10:36:12 +02:00
|
|
|
* Fix bug in CMake lists that caused libmbedcrypto.a not to be installed
|
2015-07-24 16:53:46 +02:00
|
|
|
(found by Benoit Lecocq).
|
2015-07-27 10:36:12 +02:00
|
|
|
* Fix bug in Makefile that caused libmbedcrypto and libmbedx509 not to be
|
|
|
|
installed (found by Rawi666).
|
2015-07-30 22:46:55 +02:00
|
|
|
* Fix compile error with armcc 5 with --gnu option.
|
2015-08-03 10:24:05 +02:00
|
|
|
* Fix bug in Makefile that caused programs not to be installed correctly
|
|
|
|
(found by robotanarchy) (#232).
|
2015-08-03 10:34:09 +02:00
|
|
|
* Fix bug in Makefile that prevented from installing without building the
|
|
|
|
tests (found by robotanarchy) (#232).
|
2015-08-07 13:17:23 +02:00
|
|
|
* Fix missing -static-libgcc when building shared libraries for Windows
|
|
|
|
with make.
|
|
|
|
* Fix link error when building shared libraries for Windows with make.
|
2015-08-10 10:17:32 +02:00
|
|
|
* Fix error when loading libmbedtls.so.
|
2015-08-11 04:21:01 +02:00
|
|
|
* Fix bug in mbedtls_ssl_conf_default() that caused the default preset to
|
|
|
|
be always used (found by dcb314) (#235)
|
2015-08-27 11:30:58 +02:00
|
|
|
* Fix bug in mbedtls_rsa_public() and mbedtls_rsa_private() that could
|
|
|
|
result trying to unlock an unlocked mutex on invalid input (found by
|
|
|
|
Fredrik Axelsson) (#257)
|
2015-09-03 14:06:01 +02:00
|
|
|
* Fix -Wshadow warnings (found by hnrkp) (#240)
|
|
|
|
* Fix memory corruption on client with overlong PSK identity, around
|
|
|
|
SSL_MAX_CONTENT_LEN or higher - not triggerrable remotely (found by
|
|
|
|
Aleksandrs Saveljevs) (#238)
|
|
|
|
* Fix unused function warning when using MBEDTLS_MDx_ALT or
|
|
|
|
MBEDTLS_SHAxxx_ALT (found by Henrik) (#239)
|
|
|
|
* Fix memory corruption in pkey programs (found by yankuncheng) (#210)
|
2015-07-27 10:36:12 +02:00
|
|
|
|
2015-07-31 11:09:59 +02:00
|
|
|
Changes
|
|
|
|
* The PEM parser now accepts a trailing space at end of lines (#226).
|
2015-07-31 15:52:30 +02:00
|
|
|
* It is now possible to #include a user-provided configuration file at the
|
|
|
|
end of the default config.h by defining MBEDTLS_USER_CONFIG_FILE on the
|
|
|
|
compiler's command line.
|
2015-09-01 19:37:32 +02:00
|
|
|
* When verifying a certificate chain, if an intermediate certificate is
|
|
|
|
trusted, no later cert is checked. (suggested by hannes-landeholm)
|
|
|
|
(#220).
|
2015-09-03 14:06:01 +02:00
|
|
|
* Prepend a "thread identifier" to debug messages (issue pointed out by
|
|
|
|
Hugo Leisink) (#210).
|
|
|
|
* Add mbedtls_ssl_get_max_frag_len() to query the current maximum fragment
|
|
|
|
length.
|
2015-07-19 15:01:28 +02:00
|
|
|
|
2015-07-10 15:09:43 +02:00
|
|
|
= mbed TLS 2.0.0 released 2015-07-13
|
2015-02-16 16:18:33 +01:00
|
|
|
|
2014-10-15 15:40:55 +02:00
|
|
|
Features
|
2015-05-25 19:41:37 +02:00
|
|
|
* Support for DTLS 1.0 and 1.2 (RFC 6347).
|
|
|
|
* Ability to override core functions from MDx, SHAx, AES and DES modules
|
|
|
|
with custom implementation (eg hardware accelerated), complementing the
|
|
|
|
ability to override the whole module.
|
|
|
|
* New server-side implementation of session tickets that rotate keys to
|
|
|
|
preserve forward secrecy, and allows sharing across multiple contexts.
|
2015-06-17 14:26:49 +02:00
|
|
|
* Added a concept of X.509 cerificate verification profile that controls
|
|
|
|
which algorithms and key sizes (curves for ECDSA) are acceptable.
|
|
|
|
* Expanded configurability of security parameters in the SSL module with
|
|
|
|
mbedtls_ssl_conf_dhm_min_bitlen() and mbedtls_ssl_conf_sig_hashes().
|
|
|
|
* Introduced a concept of presets for SSL security-relevant configuration
|
|
|
|
parameters.
|
2014-10-15 15:40:55 +02:00
|
|
|
|
2014-09-17 10:56:54 +02:00
|
|
|
API Changes
|
2015-06-25 12:01:16 +02:00
|
|
|
* The library has been split into libmbedcrypto, libmbedx509, libmbedtls.
|
|
|
|
You now need to link to all of them if you use TLS for example.
|
2015-04-28 17:56:12 +02:00
|
|
|
* All public identifiers moved to the mbedtls_* or MBEDTLS_* namespace.
|
2015-05-06 18:53:08 +02:00
|
|
|
Some names have been further changed to make them more consistent.
|
2015-04-28 17:56:12 +02:00
|
|
|
Migration helpers scripts/rename.pl and include/mbedlts/compat-1.3.h are
|
2015-05-06 18:53:08 +02:00
|
|
|
provided. Full list of renamings in scripts/data_files/rename-1.3-2.0.txt
|
2015-06-18 15:28:12 +02:00
|
|
|
* Renamings of fields inside structures, not covered by the previous list:
|
2015-06-18 15:45:05 +02:00
|
|
|
mbedtls_cipher_info_t.key_length -> key_bitlen
|
|
|
|
mbedtls_cipher_context_t.key_length -> key_bitlen
|
|
|
|
mbedtls_ecp_curve_info.size -> bit_size
|
2015-04-28 17:56:12 +02:00
|
|
|
* Headers are now found in the 'mbedtls' directory (previously 'polarssl').
|
2015-04-28 18:02:54 +02:00
|
|
|
* The following _init() functions that could return errors have
|
2015-05-11 09:52:24 +02:00
|
|
|
been split into an _init() that returns void and another function that
|
2015-05-11 11:25:46 +02:00
|
|
|
should generally be the first function called on this context after init:
|
2015-04-29 00:48:22 +02:00
|
|
|
mbedtls_ssl_init() -> mbedtls_ssl_setup()
|
2015-04-28 18:02:54 +02:00
|
|
|
mbedtls_ccm_init() -> mbedtls_ccm_setkey()
|
2015-04-28 21:42:17 +02:00
|
|
|
mbedtls_gcm_init() -> mbedtls_gcm_setkey()
|
2015-05-11 09:52:24 +02:00
|
|
|
mbedtls_hmac_drbg_init() -> mbedtls_hmac_drbg_seed(_buf)()
|
|
|
|
mbedtls_ctr_drbg_init() -> mbedtls_ctr_drbg_seed()
|
2015-09-25 04:27:22 +02:00
|
|
|
Note that for mbedtls_ssl_setup(), you need to be done setting up the
|
2015-05-11 11:25:46 +02:00
|
|
|
ssl_config structure before calling it.
|
2015-06-02 16:14:15 +02:00
|
|
|
* Most ssl_set_xxx() functions (all except ssl_set_bio(), ssl_set_hostname(),
|
2015-05-11 09:57:11 +02:00
|
|
|
ssl_set_session() and ssl_set_client_transport_id(), plus
|
|
|
|
ssl_legacy_renegotiation()) have been renamed to mbedtls_ssl_conf_xxx()
|
|
|
|
(see rename.pl and compat-1.3.h above) and their first argument's type
|
|
|
|
changed from ssl_context to ssl_config.
|
2015-06-02 16:14:15 +02:00
|
|
|
* ssl_set_bio() changed signature (contexts merged, order switched, one
|
|
|
|
additional callback for read-with-timeout).
|
2015-05-11 10:35:53 +02:00
|
|
|
* The following functions have been introduced and must be used in callback
|
|
|
|
implementations (SNI, PSK) instead of their *conf counterparts:
|
|
|
|
mbedtls_ssl_set_hs_own_cert()
|
|
|
|
mbedtls_ssl_set_hs_ca_chain()
|
|
|
|
mbedtls_ssl_set_hs_psk()
|
2015-05-11 09:57:11 +02:00
|
|
|
* mbedtls_ssl_conf_ca_chain() lost its last argument (peer_cn), now set
|
2015-05-06 12:14:19 +02:00
|
|
|
using mbedtls_ssl_set_hostname().
|
2015-05-11 10:11:56 +02:00
|
|
|
* mbedtls_ssl_conf_session_cache() changed prototype (only one context
|
2015-05-06 19:06:26 +02:00
|
|
|
pointer, parameters reordered).
|
2015-05-25 19:41:37 +02:00
|
|
|
* On server, mbedtls_ssl_conf_session_tickets_cb() must now be used in
|
|
|
|
place of mbedtls_ssl_conf_session_tickets() to enable session tickets.
|
2015-06-23 16:34:24 +02:00
|
|
|
* The SSL debug callback gained two new arguments (file name, line number).
|
|
|
|
* Debug modes were removed.
|
2015-05-11 10:11:56 +02:00
|
|
|
* mbedtls_ssl_conf_truncated_hmac() now returns void.
|
2015-06-02 16:14:15 +02:00
|
|
|
* mbedtls_memory_buffer_alloc_init() now returns void.
|
2015-05-11 19:54:43 +02:00
|
|
|
* X.509 verification flags are now an uint32_t. Affect the signature of:
|
|
|
|
mbedtls_ssl_get_verify_result()
|
|
|
|
mbedtls_x509_ctr_verify_info()
|
2015-06-02 16:14:15 +02:00
|
|
|
mbedtls_x509_crt_verify() (flags, f_vrfy -> needs to be updated)
|
2015-05-11 19:54:43 +02:00
|
|
|
mbedtls_ssl_conf_verify() (f_vrfy -> needs to be updated)
|
2015-06-02 17:33:08 +02:00
|
|
|
* The following functions changed prototype to avoid an in-out length
|
|
|
|
parameter:
|
|
|
|
mbedtls_base64_encode()
|
|
|
|
mbedtls_base64_decode()
|
|
|
|
mbedtls_mpi_write_string()
|
|
|
|
mbedtls_dhm_calc_secret()
|
2015-06-30 13:34:45 +02:00
|
|
|
* In the NET module, all "int" and "int *" arguments for file descriptors
|
|
|
|
changed type to "mbedtls_net_context *".
|
2015-05-14 21:52:40 +02:00
|
|
|
* net_accept() gained new arguments for the size of the client_ip buffer.
|
2015-04-24 14:42:34 +02:00
|
|
|
* In the threading layer, mbedtls_mutex_init() and mbedtls_mutex_free() now
|
|
|
|
return void.
|
2015-03-31 11:41:42 +02:00
|
|
|
* ecdsa_write_signature() gained an addtional md_alg argument and
|
|
|
|
ecdsa_write_signature_det() was deprecated.
|
2015-03-31 11:04:45 +02:00
|
|
|
* pk_sign() no longer accepts md_alg == POLARSSL_MD_NONE with ECDSA.
|
2015-06-23 11:07:37 +02:00
|
|
|
* Last argument of x509_crt_check_key_usage() and
|
|
|
|
mbedtls_x509write_crt_set_key_usage() changed from int to unsigned.
|
2015-03-27 10:23:53 +01:00
|
|
|
* test_ca_list (from certs.h) is renamed to test_cas_pem and is only
|
|
|
|
available if POLARSSL_PEM_PARSE_C is defined (it never worked without).
|
|
|
|
* Test certificates in certs.c are no longer guaranteed to be nul-terminated
|
2015-03-27 09:56:18 +01:00
|
|
|
strings; use the new *_len variables instead of strlen().
|
2015-05-12 11:20:10 +02:00
|
|
|
* Functions mbedtls_x509_xxx_parse(), mbedtls_pk_parse_key(),
|
|
|
|
mbedtls_pk_parse_public_key() and mbedtls_dhm_parse_dhm() now expect the
|
|
|
|
length parameter to include the terminating null byte for PEM input.
|
2015-03-19 13:42:40 +01:00
|
|
|
* Signature of mpi_mul_mpi() changed to make the last argument unsigned
|
2015-05-26 17:46:09 +02:00
|
|
|
* calloc() is now used instead of malloc() everywhere. API of platform
|
|
|
|
layer and the memory_buffer_alloc module changed accordingly.
|
2015-05-27 16:49:37 +02:00
|
|
|
(Thanks to Mansour Moufid for helping with the replacement.)
|
2015-03-10 15:02:33 +01:00
|
|
|
* Change SSL_DISABLE_RENEGOTIATION config.h flag to SSL_RENEGOTIATION
|
|
|
|
(support for renegotiation now needs explicit enabling in config.h).
|
2015-06-18 20:52:58 +02:00
|
|
|
* Split MBEDTLS_HAVE_TIME into MBEDTLS_HAVE_TIME and MBEDTLS_HAVE_TIME_DATE
|
|
|
|
in config.h
|
2014-09-17 10:56:54 +02:00
|
|
|
* net_connect() and net_bind() have a new 'proto' argument to choose
|
|
|
|
between TCP and UDP, using the macros NET_PROTO_TCP or NET_PROTO_UDP.
|
2015-06-23 12:30:57 +02:00
|
|
|
Their 'port' argument type is changed to a string.
|
2015-04-28 17:56:12 +02:00
|
|
|
* Some constness fixes
|
|
|
|
|
|
|
|
Removals
|
2015-05-11 18:11:57 +02:00
|
|
|
* Removed mbedtls_ecp_group_read_string(). Only named groups are supported.
|
2015-05-11 18:40:45 +02:00
|
|
|
* Removed mbedtls_ecp_sub() and mbedtls_ecp_add(), use
|
|
|
|
mbedtls_ecp_muladd().
|
2015-05-28 14:56:20 +02:00
|
|
|
* Removed individual mdX_hmac, shaX_hmac, mdX_file and shaX_file functions
|
|
|
|
(use generic functions from md.h)
|
|
|
|
* Removed mbedtls_timing_msleep(). Use mbedtls_net_usleep() or a custom
|
2015-05-14 18:22:47 +02:00
|
|
|
waiting function.
|
2015-06-25 08:52:25 +02:00
|
|
|
* Removed test DHM parameters from the test certs module.
|
2015-04-28 17:56:12 +02:00
|
|
|
* Removed the PBKDF2 module (use PKCS5).
|
|
|
|
* Removed POLARSSL_ERROR_STRERROR_BC (use mbedtls_strerror()).
|
|
|
|
* Removed compat-1.2.h (helper for migrating from 1.2 to 1.3).
|
|
|
|
* Removed openssl.h (very partial OpenSSL compatibility layer).
|
|
|
|
* Configuration options POLARSSL_HAVE_LONGLONG was removed (now always on).
|
|
|
|
* Configuration options POLARSSL_HAVE_INT8 and POLARSSL_HAVE_INT16 have
|
|
|
|
been removed (compiler is required to support 32-bit operations).
|
|
|
|
* Configuration option POLARSSL_HAVE_IPV6 was removed (always enabled).
|
|
|
|
* Removed test program o_p_test, the script compat.sh does more.
|
|
|
|
* Removed test program ssl_test, superseded by ssl-opt.sh.
|
|
|
|
* Removed helper script active-config.pl
|
2015-03-27 16:30:47 +01:00
|
|
|
|
|
|
|
New deprecations
|
|
|
|
* md_init_ctx() is deprecated in favour of md_setup(), that adds a third
|
|
|
|
argument (allowing memory savings if HMAC is not used)
|
2014-09-17 10:56:54 +02:00
|
|
|
|
2015-03-27 16:30:47 +01:00
|
|
|
Semi-API changes (technically public, morally private)
|
2015-05-26 11:04:15 +02:00
|
|
|
* Renamed a few headers to include _internal in the name. Those headers are
|
|
|
|
not supposed to be included by users.
|
2015-03-31 14:43:19 +02:00
|
|
|
* Changed md_info_t into an opaque structure (use md_get_xxx() accessors).
|
|
|
|
* Changed pk_info_t into an opaque structure.
|
2015-05-26 11:04:15 +02:00
|
|
|
* Changed cipher_base_t into an opaque structure.
|
|
|
|
* Removed sig_oid2 and rename sig_oid1 to sig_oid in x509_crt and x509_crl.
|
2015-03-27 16:50:00 +01:00
|
|
|
* x509_crt.key_usage changed from unsigned char to unsigned int.
|
2015-05-26 11:04:15 +02:00
|
|
|
* Removed r and s from ecdsa_context
|
|
|
|
* Removed mode from des_context and des3_context
|
2015-03-27 16:30:47 +01:00
|
|
|
|
2015-03-27 17:13:17 +01:00
|
|
|
Default behavior changes
|
2015-03-31 14:21:11 +02:00
|
|
|
* The default minimum TLS version is now TLS 1.0.
|
2015-03-27 17:13:17 +01:00
|
|
|
* RC4 is now blacklisted by default in the SSL/TLS layer, and excluded from the
|
|
|
|
default ciphersuite list returned by ssl_list_ciphersuites()
|
2015-03-10 15:02:33 +01:00
|
|
|
* Support for receiving SSLv2 ClientHello is now disabled by default at
|
|
|
|
compile time.
|
2015-03-27 17:52:25 +01:00
|
|
|
* The default authmode for SSL/TLS clients is now REQUIRED.
|
2015-03-31 14:01:33 +02:00
|
|
|
* Support for RSA_ALT contexts in the PK layer is now optional. Since is is
|
|
|
|
enabled in the default configuration, this is only noticeable if using a
|
|
|
|
custom config.h
|
2015-05-06 18:33:07 +02:00
|
|
|
* Default DHM parameters server-side upgraded from 1024 to 2048 bits.
|
2015-06-17 14:26:49 +02:00
|
|
|
* A minimum RSA key size of 2048 bits is now enforced during ceritificate
|
|
|
|
chain verification.
|
2015-05-06 18:39:23 +02:00
|
|
|
* Negotiation of truncated HMAC is now disabled by default on server too.
|
2015-05-28 17:06:07 +02:00
|
|
|
* The following functions are now case-sensitive:
|
|
|
|
mbedtls_cipher_info_from_string()
|
|
|
|
mbedtls_ecp_curve_info_from_name()
|
|
|
|
mbedtls_md_info_from_string()
|
|
|
|
mbedtls_ssl_ciphersuite_from_string()
|
|
|
|
mbedtls_version_check_feature()
|
2015-03-27 17:13:17 +01:00
|
|
|
|
2015-05-11 18:11:57 +02:00
|
|
|
Requirement changes
|
2015-04-15 11:53:16 +02:00
|
|
|
* The minimum MSVC version required is now 2010 (better C99 support).
|
2015-05-14 18:58:17 +02:00
|
|
|
* The NET layer now unconditionnaly relies on getaddrinfo() and select().
|
2015-05-06 18:08:54 +02:00
|
|
|
* Compiler is required to support C99 types such as long long and uint32_t.
|
2015-03-10 15:02:33 +01:00
|
|
|
|
2015-05-11 10:11:56 +02:00
|
|
|
API changes from the 1.4 preview branch
|
2015-05-06 16:54:23 +02:00
|
|
|
* ssl_set_bio_timeout() was removed, split into mbedtls_ssl_set_bio() with
|
|
|
|
new prototype, and mbedtls_ssl_set_read_timeout().
|
2015-05-11 10:11:56 +02:00
|
|
|
* The following functions now return void:
|
|
|
|
mbedtls_ssl_conf_transport()
|
|
|
|
mbedtls_ssl_conf_max_version()
|
|
|
|
mbedtls_ssl_conf_min_version()
|
2015-05-13 10:28:41 +02:00
|
|
|
* DTLS no longer hard-depends on TIMING_C, but uses a callback interface
|
|
|
|
instead, see mbedtls_ssl_set_timer_cb(), with the Timing module providing
|
|
|
|
an example implementation, see mbedtls_timing_delay_context and
|
|
|
|
mbedtls_timing_set/get_delay().
|
2015-07-01 01:28:24 +02:00
|
|
|
* With UDP sockets, it is no longer necessary to call net_bind() again
|
|
|
|
after a successful net_accept().
|
2015-05-06 16:54:23 +02:00
|
|
|
|
2015-05-07 13:50:31 +02:00
|
|
|
Changes
|
|
|
|
* mbedtls_ctr_drbg_random() and mbedtls_hmac_drbg_random() are now
|
|
|
|
thread-safe if MBEDTLS_THREADING_C is enabled.
|
2015-06-17 14:26:49 +02:00
|
|
|
* Reduced ROM fooprint of SHA-256 and added an option to reduce it even
|
|
|
|
more (at the expense of performance) MBEDTLS_SHA256_SMALLER.
|
2015-05-07 13:50:31 +02:00
|
|
|
|
2015-02-10 11:09:37 +01:00
|
|
|
= mbed TLS 1.3 branch
|
|
|
|
|
|
|
|
Security
|
2015-04-17 16:55:53 +02:00
|
|
|
* With authmode set to SSL_VERIFY_OPTIONAL, verification of keyUsage and
|
2015-04-20 12:01:48 +02:00
|
|
|
extendedKeyUsage on the leaf certificate was lost (results not accessible
|
|
|
|
via ssl_get_verify_results()).
|
2015-04-29 01:35:48 +02:00
|
|
|
* Add countermeasure against "Lucky 13 strikes back" cache-based attack,
|
|
|
|
https://dl.acm.org/citation.cfm?id=2714625
|
2015-02-10 11:09:37 +01:00
|
|
|
|
|
|
|
Features
|
2015-05-11 21:05:36 +02:00
|
|
|
* Improve ECC performance by using more efficient doubling formulas
|
|
|
|
(contributed by Peter Dettman).
|
2015-04-17 16:14:32 +02:00
|
|
|
* Add x509_crt_verify_info() to display certificate verification results.
|
2015-04-15 14:12:05 +02:00
|
|
|
* Add support for reading DH parameters with privateValueLength included
|
2015-04-17 16:16:52 +02:00
|
|
|
(contributed by Daniel Kahn Gillmor).
|
2015-03-27 13:09:21 +01:00
|
|
|
* Add support for bit strings in X.509 names (request by Fredrik Axelsson).
|
|
|
|
* Add support for id-at-uniqueIdentifier in X.509 names.
|
2015-02-13 16:14:10 +01:00
|
|
|
* Add support for overriding snprintf() (except on Windows) and exit() in
|
|
|
|
the platform layer.
|
|
|
|
* Add an option to use macros instead of function pointers in the platform
|
|
|
|
layer (helps get rid of unwanted references).
|
2015-02-16 16:42:16 +01:00
|
|
|
* Improved Makefiles for Windows targets by fixing library targets and making
|
|
|
|
cross-compilation easier (thanks to Alon Bar-Lev).
|
2015-02-16 18:45:35 +01:00
|
|
|
* The benchmark program also prints heap usage for public-key primitives
|
|
|
|
if POLARSSL_MEMORY_BUFFER_ALLOC_C and POLARSSL_MEMORY_DEBUG are defined.
|
|
|
|
* New script ecc-heap.sh helps measuring the impact of ECC parameters on
|
|
|
|
speed and RAM (heap only for now) usage.
|
|
|
|
* New script memory.sh helps measuring the ROM and RAM requirements of two
|
|
|
|
reduced configurations (PSK-CCM and NSA suite B).
|
2015-04-09 14:10:26 +02:00
|
|
|
* Add config flag POLARSSL_DEPRECATED_WARNING (off by default) to produce
|
2015-03-23 14:20:04 +01:00
|
|
|
warnings on use of deprecated functions (with GCC and Clang only).
|
2015-04-09 14:10:26 +02:00
|
|
|
* Add config flag POLARSSL_DEPRECATED_REMOVED (off by default) to produce
|
2015-03-23 14:20:04 +01:00
|
|
|
errors on use of deprecated functions.
|
2015-02-10 11:09:37 +01:00
|
|
|
|
|
|
|
Bugfix
|
2015-06-03 11:20:33 +02:00
|
|
|
* Fix compile errors with PLATFORM_NO_STD_FUNCTIONS.
|
2015-06-03 10:50:07 +02:00
|
|
|
* Fix compile error with PLATFORM_EXIT_ALT (thanks to Rafał Przywara).
|
2015-06-03 10:48:26 +02:00
|
|
|
* Fix bug in entropy.c when THREADING_C is also enabled that caused
|
|
|
|
entropy_free() to crash (thanks to Rafał Przywara).
|
2015-05-27 17:59:46 +02:00
|
|
|
* Fix memory leak when gcm_setkey() and ccm_setkey() are used more than
|
|
|
|
once on the same context.
|
2015-04-30 12:50:22 +02:00
|
|
|
* Fix bug in ssl_mail_client when password is longer that username (found
|
|
|
|
by Bruno Pape).
|
2015-04-30 11:15:22 +02:00
|
|
|
* Fix undefined behaviour (memcmp( NULL, NULL, 0 );) in X.509 modules
|
|
|
|
(detected by Clang's 3.6 UBSan).
|
2015-04-29 17:02:01 +02:00
|
|
|
* mpi_size() and mpi_msb() would segfault when called on an mpi that is
|
|
|
|
initialized but not set (found by pravic).
|
2015-04-29 14:03:28 +02:00
|
|
|
* Fix detection of support for getrandom() on Linux (reported by syzzer) by
|
|
|
|
doing it at runtime (using uname) rather that compile time.
|
2015-04-29 09:58:00 +02:00
|
|
|
* Fix handling of symlinks by "make install" (found by Gaël PORTAY).
|
2015-04-15 19:09:03 +02:00
|
|
|
* Fix potential NULL pointer dereference (not trigerrable remotely) when
|
|
|
|
ssl_write() is called before the handshake is finished (introduced in
|
|
|
|
1.3.10) (first reported by Martin Blumenstingl).
|
2015-04-14 11:18:04 +02:00
|
|
|
* Fix bug in pk_parse_key() that caused some valid private EC keys to be
|
|
|
|
rejected.
|
2015-04-02 11:46:55 +02:00
|
|
|
* Fix bug in Via Padlock support (found by Nikos Mavrogiannopoulos).
|
2015-03-27 15:06:07 +01:00
|
|
|
* Fix thread safety bug in RSA operations (found by Fredrik Axelsson).
|
2015-02-11 12:35:58 +01:00
|
|
|
* Fix hardclock() (only used in the benchmarking program) with some
|
|
|
|
versions of mingw64 (found by kxjhlele).
|
2015-02-11 12:36:31 +01:00
|
|
|
* Fix warnings from mingw64 in timing.c (found by kxjklele).
|
2015-02-13 18:15:18 +01:00
|
|
|
* Fix potential unintended sign extension in asn1_get_len() on 64-bit
|
|
|
|
platforms.
|
2015-02-18 11:11:06 +01:00
|
|
|
* Fix potential memory leak in ssl_set_psk() (found by Mansour Moufid).
|
2015-03-10 17:09:08 +01:00
|
|
|
* Fix compile error when POLARSSL_SSL_DISABLE_RENEGOTATION and
|
|
|
|
POLARSSL_SSL_SSESSION_TICKETS where both enabled in config.h (introduced
|
|
|
|
in 1.3.10).
|
2015-03-10 17:12:29 +01:00
|
|
|
* Add missing extern "C" guard in aesni.h (reported by amir zamani).
|
2015-03-31 15:13:29 +02:00
|
|
|
* Add missing dependency on SHA-256 in some x509 programs (reported by
|
|
|
|
Gergely Budai).
|
2015-04-03 17:26:50 +02:00
|
|
|
* Fix bug related to ssl_set_curves(): the client didn't check that the
|
|
|
|
curve picked by the server was actually allowed.
|
2015-02-10 11:09:37 +01:00
|
|
|
|
|
|
|
Changes
|
2015-04-15 14:20:14 +02:00
|
|
|
* Remove bias in mpi_gen_prime (contributed by Pascal Junod).
|
|
|
|
* Remove potential sources of timing variations (some contributed by Pascal
|
|
|
|
Junod).
|
2015-04-09 14:51:51 +02:00
|
|
|
* Options POLARSSL_HAVE_INT8 and POLARSSL_HAVE_INT16 are deprecated.
|
2015-04-09 14:40:46 +02:00
|
|
|
* Enabling POLARSSL_NET_C without POLARSSL_HAVE_IPV6 is deprecated.
|
2015-04-09 14:10:26 +02:00
|
|
|
* compat-1.2.h and openssl.h are deprecated.
|
2015-04-15 11:14:22 +02:00
|
|
|
* Adjusting/overriding CFLAGS and LDFLAGS with the make build system is now
|
2015-03-13 14:49:26 +01:00
|
|
|
more flexible (warning: OFLAGS is not used any more) (see the README)
|
|
|
|
(contributed by Alon Bar-Lev).
|
2015-04-15 11:14:22 +02:00
|
|
|
* ssl_set_own_cert() no longer calls pk_check_pair() since the
|
2015-03-10 16:35:29 +01:00
|
|
|
performance impact was bad for some users (this was introduced in 1.3.10).
|
2015-02-10 11:47:03 +01:00
|
|
|
* Move from SHA-1 to SHA-256 in example programs using signatures
|
|
|
|
(suggested by Thorsten Mühlfelder).
|
2015-02-10 12:41:57 +01:00
|
|
|
* Remove some unneeded inclusions of header files from the standard library
|
|
|
|
"minimize" others (eg use stddef.h if only size_t is needed).
|
|
|
|
* Change #include lines in test files to use double quotes instead of angle
|
|
|
|
brackets for uniformity with the rest of the code.
|
2015-02-13 16:14:10 +01:00
|
|
|
* Remove dependency on sscanf() in X.509 parsing modules.
|
2014-10-20 14:56:56 +02:00
|
|
|
|
2015-02-08 15:49:54 +01:00
|
|
|
= mbed TLS 1.3.10 released 2015-02-09
|
2014-11-26 15:42:16 +01:00
|
|
|
Security
|
|
|
|
* NULL pointer dereference in the buffer-based allocator when the buffer is
|
2015-01-28 15:02:38 +01:00
|
|
|
full and polarssl_free() is called (found by Mark Hasemeyer)
|
2014-11-26 15:42:16 +01:00
|
|
|
(only possible if POLARSSL_MEMORY_BUFFER_ALLOC_C is enabled, which it is
|
|
|
|
not by default).
|
2014-11-11 22:17:26 +01:00
|
|
|
* Fix remotely-triggerable uninitialised pointer dereference caused by
|
2014-11-12 01:25:31 +01:00
|
|
|
crafted X.509 certificate (TLS server is not affected if it doesn't ask for a
|
2014-11-11 22:17:26 +01:00
|
|
|
client certificate) (found using Codenomicon Defensics).
|
2014-11-11 23:11:16 +01:00
|
|
|
* Fix remotely-triggerable memory leak caused by crafted X.509 certificates
|
2014-11-12 01:25:31 +01:00
|
|
|
(TLS server is not affected if it doesn't ask for a client certificate)
|
|
|
|
(found using Codenomicon Defensics).
|
|
|
|
* Fix potential stack overflow while parsing crafted X.509 certificates
|
|
|
|
(TLS server is not affected if it doesn't ask for a client certificate)
|
2014-11-11 23:11:16 +01:00
|
|
|
(found using Codenomicon Defensics).
|
2015-02-06 11:30:58 +01:00
|
|
|
* Fix timing difference that could theoretically lead to a
|
|
|
|
Bleichenbacher-style attack in the RSA and RSA-PSK key exchanges
|
|
|
|
(reported by Sebastian Schinzel).
|
2014-11-11 22:17:26 +01:00
|
|
|
|
2014-11-08 17:58:24 +01:00
|
|
|
Features
|
2015-01-14 16:59:23 +01:00
|
|
|
* Add support for FALLBACK_SCSV (draft-ietf-tls-downgrade-scsv).
|
|
|
|
* Add support for Extended Master Secret (draft-ietf-tls-session-hash).
|
|
|
|
* Add support for Encrypt-then-MAC (RFC 7366).
|
2014-11-08 17:58:24 +01:00
|
|
|
* Add function pk_check_pair() to test if public and private keys match.
|
2014-11-19 16:58:28 +01:00
|
|
|
* Add x509_crl_parse_der().
|
2014-11-20 16:34:20 +01:00
|
|
|
* Add compile-time option POLARSSL_X509_MAX_INTERMEDIATE_CA to limit the
|
|
|
|
length of an X.509 verification chain.
|
2014-11-04 19:57:55 +01:00
|
|
|
* Support for renegotiation can now be disabled at compile-time
|
2015-01-08 11:15:09 +01:00
|
|
|
* Support for 1/n-1 record splitting, a countermeasure against BEAST.
|
2015-04-14 15:00:09 +02:00
|
|
|
* Certificate selection based on signature hash, preferring SHA-1 over SHA-2
|
2015-01-08 16:43:07 +01:00
|
|
|
for pre-1.2 clients when multiple certificates are available.
|
2015-01-09 14:34:13 +01:00
|
|
|
* Add support for getrandom() syscall on recent Linux kernels with Glibc or
|
|
|
|
a compatible enough libc (eg uClibc).
|
2015-01-14 16:59:23 +01:00
|
|
|
* Add ssl_set_arc4_support() to make it easier to disable RC4 at runtime
|
2015-01-12 13:43:29 +01:00
|
|
|
while using the default ciphersuite list.
|
2015-01-26 12:17:20 +01:00
|
|
|
* Added new error codes and debug messages about selection of
|
|
|
|
ciphersuite/certificate.
|
2014-11-26 15:42:16 +01:00
|
|
|
|
2014-11-25 17:41:50 +01:00
|
|
|
Bugfix
|
|
|
|
* Stack buffer overflow if ctr_drbg_update() is called with too large
|
|
|
|
add_len (found by Jean-Philippe Aumasson) (not triggerable remotely).
|
2014-11-27 13:57:42 +01:00
|
|
|
* Possible buffer overflow of length at most POLARSSL_MEMORY_ALIGN_MULTIPLE
|
|
|
|
if memory_buffer_alloc_init() was called with buf not aligned and len not
|
2015-01-14 16:59:23 +01:00
|
|
|
a multiple of POLARSSL_MEMORY_ALIGN_MULTIPLE (not triggerable remotely).
|
|
|
|
* User set CFLAGS were ignored by Cmake with gcc (introduced in 1.3.9, found
|
2014-11-10 12:15:39 +01:00
|
|
|
by Julian Ospald).
|
2014-11-10 13:05:43 +01:00
|
|
|
* Fix potential undefined behaviour in Camellia.
|
2014-11-10 13:43:55 +01:00
|
|
|
* Fix potential failure in ECDSA signatures when POLARSSL_ECP_MAX_BITS is a
|
|
|
|
multiple of 8 (found by Gergely Budai).
|
2015-01-23 18:50:34 +01:00
|
|
|
* Fix unchecked return code in x509_crt_parse_path() on Windows (found by
|
|
|
|
Peter Vaskovic).
|
2015-01-19 18:16:54 +01:00
|
|
|
* Fix assembly selection for MIPS64 (thanks to James Cowgill).
|
2015-01-23 15:30:57 +01:00
|
|
|
* ssl_get_verify_result() now works even if the handshake was aborted due
|
|
|
|
to a failed verification (found by Fredrik Axelsson).
|
2015-01-28 15:13:30 +01:00
|
|
|
* Skip writing and parsing signature_algorithm extension if none of the
|
|
|
|
key exchanges enabled needs certificates. This fixes a possible interop
|
|
|
|
issue with some servers when a zero-length extension was sent. (Reported
|
|
|
|
by Peter Dettman.)
|
2015-02-02 10:30:45 +01:00
|
|
|
* On a 0-length input, base64_encode() did not correctly set output length
|
|
|
|
(found by Hendrik van den Boogaard).
|
2014-11-10 12:15:39 +01:00
|
|
|
|
2014-10-29 22:29:20 +01:00
|
|
|
Changes
|
|
|
|
* Use deterministic nonces for AEAD ciphers in TLS by default (possible to
|
|
|
|
switch back to random with POLARSSL_SSL_AEAD_RANDOM_IV in config.h).
|
2014-11-06 18:15:12 +01:00
|
|
|
* Blind RSA private operations even when POLARSSL_RSA_NO_CRT is defined.
|
2014-11-08 17:58:24 +01:00
|
|
|
* ssl_set_own_cert() now returns an error on key-certificate mismatch.
|
2014-11-12 17:47:28 +01:00
|
|
|
* Forbid repeated extensions in X.509 certificates.
|
2014-11-19 10:17:21 +01:00
|
|
|
* debug_print_buf() now prints a text view in addition to hexadecimal.
|
2015-01-08 17:06:16 +01:00
|
|
|
* A specific error is now returned when there are ciphersuites in common
|
|
|
|
but none of them is usable due to external factors such as no certificate
|
2015-01-14 16:12:48 +01:00
|
|
|
with a suitable (extended)KeyUsage or curve or no PSK set.
|
2015-01-14 16:59:23 +01:00
|
|
|
* It is now possible to disable negotiation of truncated HMAC server-side
|
2015-01-09 12:39:35 +01:00
|
|
|
at runtime with ssl_set_truncated_hmac().
|
2015-01-14 16:26:54 +01:00
|
|
|
* Example programs for SSL client and server now disable SSLv3 by default.
|
|
|
|
* Example programs for SSL client and server now disable RC4 by default.
|
2015-01-19 17:24:23 +01:00
|
|
|
* Use platform.h in all test suites and programs.
|
2014-11-25 17:41:50 +01:00
|
|
|
|
2014-10-20 13:56:15 +02:00
|
|
|
= PolarSSL 1.3.9 released 2014-10-20
|
2014-08-21 19:38:32 +02:00
|
|
|
Security
|
|
|
|
* Lowest common hash was selected from signature_algorithms extension in
|
|
|
|
TLS 1.2 (found by Darren Bane) (introduced in 1.3.8).
|
2014-10-17 12:41:41 +02:00
|
|
|
* Remotely-triggerable memory leak when parsing some X.509 certificates
|
2014-10-20 13:37:51 +02:00
|
|
|
(server is not affected if it doesn't ask for a client certificate)
|
|
|
|
(found using Codenomicon Defensics).
|
2014-10-17 12:42:11 +02:00
|
|
|
* Remotely-triggerable memory leak when parsing crafted ClientHello
|
2014-10-20 13:37:51 +02:00
|
|
|
(not affected if ECC support was compiled out) (found using Codenomicon
|
|
|
|
Defensics).
|
2014-08-21 19:38:32 +02:00
|
|
|
|
2014-08-08 12:22:30 +02:00
|
|
|
Bugfix
|
|
|
|
* Support escaping of commas in x509_string_to_names()
|
2014-07-12 01:27:34 +02:00
|
|
|
* Fix compile error in ssl_pthread_server (found by Julian Ospald).
|
2014-07-21 13:42:54 +02:00
|
|
|
* Fix net_accept() regarding non-blocking sockets (found by Luca Pesce).
|
2014-07-21 13:55:54 +02:00
|
|
|
* Don't print uninitialised buffer in ssl_mail_client (found by Marc Abel).
|
2014-07-21 14:18:17 +02:00
|
|
|
* Fix warnings from Clang's scan-build (contributed by Alfred Klomp).
|
2014-07-21 17:37:01 +02:00
|
|
|
* Fix compile error in timing.c when POLARSSL_NET_C and POLARSSL_SELFTEST
|
|
|
|
are defined but not POLARSSL_HAVE_TIME (found by Stephane Di Vito).
|
2014-07-21 18:15:22 +02:00
|
|
|
* Remove non-existent file from VS projects (found by Peter Vaskovic).
|
2014-08-19 12:28:50 +02:00
|
|
|
* ssl_read() could return non-application data records on server while
|
|
|
|
renegotation was pending, and on client when a HelloRequest was received.
|
2014-08-15 19:04:47 +02:00
|
|
|
* Server-initiated renegotiation would fail with non-blocking I/O if the
|
|
|
|
write callback returned WANT_WRITE when requesting renegotiation.
|
2014-08-19 16:14:04 +02:00
|
|
|
* ssl_close_notify() could send more than one message in some circumstances
|
|
|
|
with non-blocking I/O.
|
2014-08-16 12:45:52 +02:00
|
|
|
* Fix compiler warnings on iOS (found by Sander Niemeijer).
|
2014-09-26 14:53:04 +02:00
|
|
|
* x509_crt_parse() did not increase total_failed on PEM error
|
2014-10-14 20:56:02 +02:00
|
|
|
* Fix compile error with armcc in mpi_is_prime()
|
2014-10-17 17:02:10 +02:00
|
|
|
* Fix potential bad read in parsing ServerHello (found by Adrien
|
|
|
|
Vialletelle).
|
2014-08-08 12:22:30 +02:00
|
|
|
|
2014-07-13 14:43:28 +02:00
|
|
|
Changes
|
|
|
|
* Ciphersuites using SHA-256 or SHA-384 now require TLS 1.x (there is no
|
|
|
|
standard defining how to use SHA-2 with SSL 3.0).
|
2014-07-13 16:16:44 +02:00
|
|
|
* Ciphersuites using RSA-PSK key exchange new require TLS 1.x (the spec is
|
|
|
|
ambiguous on how to encode some packets with SSL 3.0).
|
2014-07-21 16:37:15 +02:00
|
|
|
* Made buffer size in pk_write_(pub)key_pem() more dynamic, eg smaller if
|
|
|
|
RSA is disabled, larger if POLARSSL_MPI_MAX_SIZE is larger.
|
2014-08-19 12:28:50 +02:00
|
|
|
* ssl_read() now returns POLARSSL_ERR_NET_WANT_READ rather than
|
|
|
|
POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE on harmless alerts.
|
2014-09-08 17:03:50 +02:00
|
|
|
* POLARSSL_MPI_MAX_SIZE now defaults to 1024 in order to allow 8192 bits
|
|
|
|
RSA keys.
|
2014-10-15 21:45:39 +02:00
|
|
|
* Accept spaces at end of line or end of buffer in base64_decode().
|
2014-10-17 12:41:41 +02:00
|
|
|
* X.509 certificates with more than one AttributeTypeAndValue per
|
|
|
|
RelativeDistinguishedName are not accepted any more.
|
2014-07-13 14:43:28 +02:00
|
|
|
|
2014-07-11 11:28:56 +02:00
|
|
|
= PolarSSL 1.3.8 released 2014-07-11
|
2014-06-17 10:54:17 +02:00
|
|
|
Security
|
|
|
|
* Fix length checking for AEAD ciphersuites (found by Codenomicon).
|
|
|
|
It was possible to crash the server (and client) using crafted messages
|
|
|
|
when a GCM suite was chosen.
|
|
|
|
|
2014-05-22 15:45:03 +02:00
|
|
|
Features
|
|
|
|
* Add CCM module and cipher mode to Cipher Layer
|
|
|
|
* Support for CCM and CCM_8 ciphersuites
|
2014-06-06 18:10:44 +02:00
|
|
|
* Support for parsing and verifying RSASSA-PSS signatures in the X.509
|
|
|
|
modules (certificates, CRLs and CSRs).
|
2014-06-23 12:10:59 +02:00
|
|
|
* Blowfish in the cipher layer now supports variable length keys.
|
2014-06-24 17:33:54 +02:00
|
|
|
* Add example config.h for PSK with CCM, optimized for low RAM usage.
|
|
|
|
* Optimize for RAM usage in example config.h for NSA Suite B profile.
|
2014-06-24 22:42:34 +02:00
|
|
|
* Add POLARSSL_REMOVE_ARC4_CIPHERSUITES to allow removing RC4 ciphersuites
|
|
|
|
from the default list (inactive by default).
|
2014-07-04 15:00:12 +02:00
|
|
|
* Add server-side enforcement of sent renegotiation requests
|
|
|
|
(ssl_set_renegotiation_enforced())
|
2014-06-30 17:59:55 +02:00
|
|
|
* Add SSL_CIPHERSUITES config.h flag to allow specifying a list of
|
|
|
|
ciphersuites to use and save some memory if the list is small.
|
2014-05-22 15:45:03 +02:00
|
|
|
|
2014-06-12 21:49:01 +02:00
|
|
|
Changes
|
|
|
|
* Add LINK_WITH_PTHREAD option in CMake for explicit linking that is
|
|
|
|
required on some platforms (e.g. OpenBSD)
|
2014-06-13 17:20:13 +02:00
|
|
|
* Migrate zeroizing of data to polarssl_zeroize() instead of memset()
|
|
|
|
against unwanted compiler optimizations
|
2014-07-07 14:02:33 +02:00
|
|
|
* md_list() now returns hashes strongest first
|
2014-07-08 12:56:25 +02:00
|
|
|
* Selection of hash for signing ServerKeyExchange in TLS 1.2 now picks
|
|
|
|
strongest offered by client.
|
2014-07-01 15:59:04 +02:00
|
|
|
* All public contexts have _init() and _free() functions now for simpler
|
|
|
|
usage pattern
|
2014-06-12 21:49:01 +02:00
|
|
|
|
2014-05-06 10:29:28 +02:00
|
|
|
Bugfix
|
|
|
|
* Fix in debug_print_msg()
|
2014-05-22 15:47:58 +02:00
|
|
|
* Enforce alignment in the buffer allocator even if buffer is not aligned
|
2014-05-22 15:06:41 +02:00
|
|
|
* Remove less-than-zero checks on unsigned numbers
|
2014-05-22 15:12:19 +02:00
|
|
|
* Stricter check on SSL ClientHello internal sizes compared to actual packet
|
|
|
|
size (found by TrustInSoft)
|
2014-06-12 21:46:13 +02:00
|
|
|
* Fix WSAStartup() return value check (found by Peter Vaskovic)
|
|
|
|
* Other minor issues (found by Peter Vaskovic)
|
|
|
|
* Fix symlink command for cross compiling with CMake (found by Andre
|
|
|
|
Heinecke)
|
2014-06-13 17:37:46 +02:00
|
|
|
* Fix DER output of gen_key app (found by Gergely Budai)
|
2014-06-18 23:11:34 +02:00
|
|
|
* Very small records were incorrectly rejected when truncated HMAC was in
|
2014-06-18 16:06:02 +02:00
|
|
|
use with some ciphersuites and versions (RC4 in all versions, CBC with
|
|
|
|
versions < TLS 1.1).
|
2014-06-18 23:11:34 +02:00
|
|
|
* Very large records using more than 224 bytes of padding were incorrectly
|
|
|
|
rejected with CBC-based ciphersuites and TLS >= 1.1
|
|
|
|
* Very large records using less padding could cause a buffer overread of up
|
|
|
|
to 32 bytes with CBC-based ciphersuites and TLS >= 1.1
|
2014-06-19 12:18:08 +02:00
|
|
|
* Restore ability to use a v1 cert as a CA if trusted locally. (This had
|
|
|
|
been removed in 1.3.6.)
|
2014-06-24 11:49:16 +02:00
|
|
|
* Restore ability to locally trust a self-signed cert that is not a proper
|
|
|
|
CA for use as an end entity certificate. (This had been removed in
|
|
|
|
1.3.6.)
|
2014-05-06 08:26:13 +02:00
|
|
|
* Fix preprocessor checks for bn_mul PPC asm (found by Barry K. Nathan).
|
2014-06-19 17:20:43 +02:00
|
|
|
* Use \n\t rather than semicolons for bn_mul asm, since some assemblers
|
|
|
|
interpret semicolons as comment delimiters (found by Barry K. Nathan).
|
2014-06-23 14:10:13 +02:00
|
|
|
* Fix off-by-one error in parsing Supported Point Format extension that
|
|
|
|
caused some handshakes to fail.
|
2014-06-23 17:56:08 +02:00
|
|
|
* Fix possible miscomputation of the premaster secret with DHE-PSK key
|
|
|
|
exchange that caused some handshakes to fail with other implementations.
|
|
|
|
(Failure rate <= 1/255 with common DHM moduli.)
|
2014-06-24 17:57:57 +02:00
|
|
|
* Disable broken Sparc64 bn_mul assembly (found by Florian Obser).
|
2014-07-04 13:50:31 +02:00
|
|
|
* Fix base64_decode() to return and check length correctly (in case of
|
|
|
|
tight buffers)
|
2014-07-10 14:36:19 +02:00
|
|
|
* Fix mpi_write_string() to write "00" as hex output for empty MPI (found
|
|
|
|
by Hui Dong)
|
2014-05-06 10:29:28 +02:00
|
|
|
|
2014-05-02 13:27:13 +02:00
|
|
|
= PolarSSL 1.3.7 released on 2014-05-02
|
2014-04-25 15:04:14 +02:00
|
|
|
Features
|
2014-04-25 16:34:30 +02:00
|
|
|
* debug_set_log_mode() added to determine raw or full logging
|
|
|
|
* debug_set_threshold() added to ignore messages over threshold level
|
2014-04-30 11:49:44 +02:00
|
|
|
* version_check_feature() added to check for compile-time options at
|
|
|
|
run-time
|
2014-04-25 15:18:34 +02:00
|
|
|
|
2014-04-25 11:11:10 +02:00
|
|
|
Changes
|
|
|
|
* POLARSSL_CONFIG_OPTIONS has been removed. All values are individually
|
|
|
|
checked and filled in the relevant module headers
|
2014-04-25 15:18:34 +02:00
|
|
|
* Debug module only outputs full lines instead of parts
|
2014-04-30 15:34:12 +02:00
|
|
|
* Better support for the different Attribute Types from IETF PKIX (RFC 5280)
|
2014-04-26 17:21:07 +02:00
|
|
|
* AES-NI now compiles with "old" assemblers too
|
2014-04-29 18:23:07 +02:00
|
|
|
* Ciphersuites based on RC4 now have the lowest priority by default
|
2014-04-25 11:11:10 +02:00
|
|
|
|
2014-04-18 14:08:26 +02:00
|
|
|
Bugfix
|
|
|
|
* Only iterate over actual certificates in ssl_write_certificate_request()
|
|
|
|
(found by Matthew Page)
|
2014-04-25 11:44:12 +02:00
|
|
|
* Typos in platform.c and pkcs11.c (found by Daniel Phillips and Steffan
|
|
|
|
Karger)
|
2014-04-25 11:48:35 +02:00
|
|
|
* cert_write app should use subject of issuer certificate as issuer of cert
|
2014-04-25 12:59:03 +02:00
|
|
|
* Fix false reject in padding check in ssl_decrypt_buf() for CBC
|
|
|
|
ciphersuites, for full SSL frames of data.
|
2014-04-30 10:15:38 +02:00
|
|
|
* Improve interoperability by not writing extension length in ClientHello /
|
|
|
|
ServerHello when no extensions are present (found by Matthew Page)
|
2014-04-30 13:33:35 +02:00
|
|
|
* rsa_check_pubkey() now allows an E up to N
|
2014-04-30 16:02:38 +02:00
|
|
|
* On OpenBSD, use arc4random_buf() instead of rand() to prevent warnings
|
2014-04-30 16:11:39 +02:00
|
|
|
* mpi_fill_random() was creating numbers larger than requested on
|
|
|
|
big-endian platform when size was not an integer number of limbs
|
2014-04-29 15:06:49 +02:00
|
|
|
* Fix dependencies issues in X.509 test suite.
|
2014-04-29 15:11:17 +02:00
|
|
|
* Some parts of ssl_tls.c were compiled even when the module was disabled.
|
2014-04-22 22:16:15 +02:00
|
|
|
* Fix detection of DragonflyBSD in net.c (found by Markus Pfeiffer)
|
2014-04-24 02:40:25 +02:00
|
|
|
* Fix detection of Clang on some Apple platforms with CMake
|
|
|
|
(found by Barry K. Nathan)
|
2014-04-18 14:08:26 +02:00
|
|
|
|
2014-04-11 15:33:59 +02:00
|
|
|
= PolarSSL 1.3.6 released on 2014-04-11
|
2014-03-26 19:53:25 +01:00
|
|
|
|
2014-04-08 12:33:37 +02:00
|
|
|
Features
|
|
|
|
* Support for the ALPN SSL extension
|
2014-04-09 15:25:13 +02:00
|
|
|
* Add option 'use_dev_random' to gen_key application
|
2014-04-11 11:32:39 +02:00
|
|
|
* Enable verification of the keyUsage extension for CA and leaf
|
2014-04-09 15:55:20 +02:00
|
|
|
certificates (POLARSSL_X509_CHECK_KEY_USAGE)
|
2014-04-11 11:32:39 +02:00
|
|
|
* Enable verification of the extendedKeyUsage extension
|
|
|
|
(POLARSSL_X509_CHECK_EXTENDED_KEY_USAGE)
|
2014-04-08 12:33:37 +02:00
|
|
|
|
2014-04-04 15:39:37 +02:00
|
|
|
Changes
|
|
|
|
* x509_crt_info() now prints information about parsed extensions as well
|
2014-04-08 12:40:15 +02:00
|
|
|
* pk_verify() now returns a specific error code when the signature is valid
|
|
|
|
but shorter than the supplied length.
|
2014-04-11 12:25:45 +02:00
|
|
|
* Use UTC time to check certificate validity.
|
2014-04-11 12:29:49 +02:00
|
|
|
* Reject certificates with times not in UTC, per RFC 5280.
|
2014-04-04 15:39:37 +02:00
|
|
|
|
2014-03-31 11:55:42 +02:00
|
|
|
Security
|
|
|
|
* Avoid potential timing leak in ecdsa_sign() by blinding modular division.
|
|
|
|
(Found by Watson Ladd.)
|
2014-04-08 11:55:03 +02:00
|
|
|
* The notAfter date of some certificates was no longer checked since 1.3.5.
|
|
|
|
This affects certificates in the user-supplied chain except the top
|
|
|
|
certificate. If the user-supplied chain contains only one certificates,
|
|
|
|
it is not affected (ie, its notAfter date is properly checked).
|
2014-04-08 14:36:50 +02:00
|
|
|
* Prevent potential NULL pointer dereference in ssl_read_record() (found by
|
|
|
|
TrustInSoft)
|
2014-03-31 11:55:42 +02:00
|
|
|
|
2014-03-26 19:53:25 +01:00
|
|
|
Bugfix
|
|
|
|
* The length of various ClientKeyExchange messages was not properly checked.
|
2014-03-25 11:24:43 +01:00
|
|
|
* Some example server programs were not sending the close_notify alert.
|
2014-03-31 12:08:17 +02:00
|
|
|
* Potential memory leak in mpi_exp_mod() when error occurs during
|
|
|
|
calculation of RR.
|
2014-04-02 13:20:00 +02:00
|
|
|
* Fixed malloc/free default #define in platform.c (found by Gergely Budai).
|
2014-04-02 13:50:05 +02:00
|
|
|
* Fixed type which made POLARSSL_ENTROPY_FORCE_SHA256 uneffective (found by
|
|
|
|
Gergely Budai).
|
2014-04-04 13:57:20 +02:00
|
|
|
* Fix #include path in ecdsa.h which wasn't accepted by some compilers.
|
|
|
|
(found by Gergely Budai)
|
2014-04-05 06:04:40 +02:00
|
|
|
* Fix compile errors when POLARSSL_ERROR_STRERROR_BC is undefined (found by
|
|
|
|
Shuo Chen).
|
2014-03-28 16:06:35 +01:00
|
|
|
* oid_get_numeric_string() used to truncate the output without returning an
|
|
|
|
error if the output buffer was just 1 byte too small.
|
2014-03-29 16:42:38 +01:00
|
|
|
* dhm_parse_dhm() (hence dhm_parse_dhmfile()) did not set dhm->len.
|
2014-04-03 22:09:18 +02:00
|
|
|
* Calling pk_debug() on an RSA-alt key would segfault.
|
|
|
|
* pk_get_size() and pk_get_len() were off by a factor 8 for RSA-alt keys.
|
2014-04-11 13:28:43 +02:00
|
|
|
* Potential buffer overwrite in pem_write_buffer() because of low length
|
|
|
|
indication (found by Thijs Alkemade)
|
2014-04-10 17:45:07 +02:00
|
|
|
* EC curves constants, which should be only in ROM since 1.3.3, were also
|
|
|
|
stored in RAM due to missing 'const's (found by Gergely Budai).
|
2014-03-26 19:53:25 +01:00
|
|
|
|
2014-03-26 16:55:50 +01:00
|
|
|
= PolarSSL 1.3.5 released on 2014-03-26
|
2014-02-05 15:54:34 +01:00
|
|
|
Features
|
|
|
|
* HMAC-DRBG as a separate module
|
2014-02-26 17:38:55 +01:00
|
|
|
* Option to set the Curve preference order (disabled by default)
|
2014-02-06 13:41:55 +01:00
|
|
|
* Single Platform compatilibity layer (for memory / printf / fprintf)
|
2014-02-06 15:11:55 +01:00
|
|
|
* Ability to provide alternate timing implementation
|
2014-02-06 15:55:25 +01:00
|
|
|
* Ability to force the entropy module to use SHA-256 as its basis
|
|
|
|
(POLARSSL_ENTROPY_FORCE_SHA256)
|
2014-03-17 13:45:06 +01:00
|
|
|
* Testing script ssl-opt.sh added for testing 'live' ssl option
|
|
|
|
interoperability against OpenSSL and PolarSSL
|
2014-03-19 16:55:29 +01:00
|
|
|
* Support for reading EC keys that use SpecifiedECDomain in some cases.
|
2014-03-26 11:54:05 +01:00
|
|
|
* Entropy module now supports seed writing and reading
|
2014-02-06 13:41:55 +01:00
|
|
|
|
|
|
|
Changes
|
|
|
|
* Deprecated the Memory layer
|
2014-02-06 15:01:20 +01:00
|
|
|
* entropy_add_source(), entropy_update_manual() and entropy_gather()
|
|
|
|
now thread-safe if POLARSSL_THREADING_C defined
|
2014-03-11 10:16:25 +01:00
|
|
|
* Improvements to the CMake build system, contributed by Julian Ospald.
|
2014-03-14 09:21:20 +01:00
|
|
|
* Work around a bug of the version of Clang shipped by Apple with Mavericks
|
|
|
|
that prevented bignum.c from compiling. (Reported by Rafael Baptista.)
|
2014-03-17 13:45:06 +01:00
|
|
|
* Revamped the compat.sh interoperatibility script to include support for
|
|
|
|
testing against GnuTLS
|
2014-03-25 16:37:27 +01:00
|
|
|
* Deprecated ssl_set_own_cert_rsa() and ssl_set_own_cert_rsa_alt()
|
2014-03-26 13:26:52 +01:00
|
|
|
* Improvements to tests/Makefile, contributed by Oden Eriksson.
|
2014-02-05 15:54:34 +01:00
|
|
|
|
2014-03-10 09:34:49 +01:00
|
|
|
Security
|
|
|
|
* Forbid change of server certificate during renegotiation to prevent
|
2014-03-25 16:28:12 +01:00
|
|
|
"triple handshake" attack when authentication mode is 'optional' (the
|
2014-03-10 09:34:49 +01:00
|
|
|
attack was already impossible when authentication is required).
|
2014-03-10 13:15:18 +01:00
|
|
|
* Check notBefore timestamp of certificates and CRLs from the future.
|
2014-03-10 21:20:29 +01:00
|
|
|
* Forbid sequence number wrapping
|
2014-03-25 16:37:27 +01:00
|
|
|
* Fixed possible buffer overflow with overlong PSK
|
2014-03-26 14:06:55 +01:00
|
|
|
* Possible remotely-triggered out-of-bounds memory access fixed (found by
|
|
|
|
TrustInSoft)
|
2014-03-10 09:34:49 +01:00
|
|
|
|
2014-01-28 19:30:56 +01:00
|
|
|
Bugfix
|
|
|
|
* ecp_gen_keypair() does more tries to prevent failure because of
|
|
|
|
statistics
|
2014-03-25 16:37:27 +01:00
|
|
|
* Fixed bug in RSA PKCS#1 v1.5 "reversed" operations
|
2014-02-06 15:43:21 +01:00
|
|
|
* Fixed testing with out-of-source builds using cmake
|
2014-02-12 10:14:54 +01:00
|
|
|
* Fixed version-major intolerance in server
|
2014-03-07 10:33:55 +01:00
|
|
|
* Fixed CMake symlinking on out-of-source builds
|
2014-03-10 11:32:07 +01:00
|
|
|
* Fixed dependency issues in test suite
|
2014-03-10 21:55:35 +01:00
|
|
|
* Programs rsa_sign_pss and rsa_verify_pss were not using PSS since 1.3.0
|
2014-03-05 15:04:09 +01:00
|
|
|
* Bignum's MIPS-32 assembly was used on MIPS-64, causing chaos. (Found by
|
|
|
|
Alex Wilson.)
|
2014-02-26 17:38:55 +01:00
|
|
|
* ssl_cache was creating entries when max_entries=0 if TIMING_C was enabled.
|
|
|
|
* m_sleep() was sleeping twice too long on most Unix platforms.
|
2014-02-26 14:23:33 +01:00
|
|
|
* Fixed bug with session tickets and non-blocking I/O in the unlikely case
|
2014-03-17 13:42:23 +01:00
|
|
|
send() would return an EAGAIN error when sending the ticket.
|
2014-02-26 17:38:55 +01:00
|
|
|
* ssl_cache was leaking memory when reusing a timed out entry containing a
|
2014-03-17 13:42:23 +01:00
|
|
|
client certificate.
|
2014-02-26 17:54:07 +01:00
|
|
|
* ssl_srv was leaking memory when client presented a timed out ticket
|
2014-03-17 13:42:23 +01:00
|
|
|
containing a client certificate
|
2014-03-17 13:41:51 +01:00
|
|
|
* ssl_init() was leaving a dirty pointer in ssl_context if malloc of
|
|
|
|
out_ctr failed
|
2014-03-26 15:28:55 +01:00
|
|
|
* ssl_handshake_init() was leaving dirty pointers in subcontexts if malloc
|
|
|
|
of one of them failed
|
2014-03-25 15:58:35 +01:00
|
|
|
* Fix typo in rsa_copy() that impacted PKCS#1 v2 contexts
|
2014-03-26 15:34:54 +01:00
|
|
|
* x509_get_current_time() uses localtime_r() to prevent thread issues
|
2014-01-28 19:30:56 +01:00
|
|
|
|
2014-01-27 11:49:46 +01:00
|
|
|
= PolarSSL 1.3.4 released on 2014-01-27
|
2014-01-22 13:08:19 +01:00
|
|
|
Features
|
2014-01-22 13:08:44 +01:00
|
|
|
* Support for the Koblitz curves: secp192k1, secp224k1, secp256k1
|
2014-01-22 14:18:03 +01:00
|
|
|
* Support for RIPEMD-160
|
2014-01-24 15:38:12 +01:00
|
|
|
* Support for AES CFB8 mode
|
2014-01-27 11:47:15 +01:00
|
|
|
* Support for deterministic ECDSA (RFC 6979)
|
2014-01-22 13:08:19 +01:00
|
|
|
|
|
|
|
Bugfix
|
|
|
|
* Potential memory leak in bignum_selftest()
|
|
|
|
* Replaced expired test certificate
|
2014-01-24 16:11:17 +01:00
|
|
|
* ssl_mail_client now terminates lines with CRLF, instead of LF
|
2014-01-27 12:23:43 +01:00
|
|
|
* net module handles timeouts on blocking sockets better (found by Tilman
|
|
|
|
Sauerbeck)
|
2014-01-27 13:36:23 +01:00
|
|
|
* Assembly format fixes in bn_mul.h
|
|
|
|
|
|
|
|
Security
|
2014-01-27 12:23:43 +01:00
|
|
|
* Missing MPI_CHK calls added around unguarded mpi calls (found by
|
|
|
|
TrustInSoft)
|
2014-01-22 13:08:19 +01:00
|
|
|
|
2013-12-31 10:57:44 +01:00
|
|
|
= PolarSSL 1.3.3 released on 2013-12-31
|
2013-12-02 14:54:01 +01:00
|
|
|
Features
|
|
|
|
* EC key generation support in gen_key app
|
2013-12-02 14:55:28 +01:00
|
|
|
* Support for adhering to client ciphersuite order preference
|
|
|
|
(POLARSSL_SSL_SRV_RESPECT_CLIENT_PREFERENCE)
|
2013-12-05 16:11:38 +01:00
|
|
|
* Support for Curve25519
|
2013-12-17 13:09:31 +01:00
|
|
|
* Support for ECDH-RSA and ECDH-ECDSA key exchanges and ciphersuites
|
2013-12-17 14:33:42 +01:00
|
|
|
* Support for IPv6 in the NET module
|
2013-12-30 14:09:47 +01:00
|
|
|
* AES-NI support for AES, AES-GCM and AES key scheduling
|
2013-12-19 15:40:58 +01:00
|
|
|
* SSL Pthread-based server example added (ssl_pthread_server)
|
2013-12-02 14:54:01 +01:00
|
|
|
|
2013-11-26 17:37:31 +01:00
|
|
|
Changes
|
|
|
|
* gen_prime() speedup
|
|
|
|
* Speedup of ECP multiplication operation
|
|
|
|
* Relaxed some SHA2 ciphersuite's version requirements
|
2013-12-02 14:50:49 +01:00
|
|
|
* Dropped use of readdir_r() instead of readdir() with threading support
|
2013-12-02 14:52:57 +01:00
|
|
|
* More constant-time checks in the RSA module
|
2013-12-02 22:03:23 +01:00
|
|
|
* Split off curves from ecp.c into ecp_curves.c
|
2013-12-17 13:10:48 +01:00
|
|
|
* Curves are now stored fully in ROM
|
2013-12-31 10:32:50 +01:00
|
|
|
* Memory usage optimizations in ECP module
|
2013-12-31 11:54:08 +01:00
|
|
|
* Removed POLARSSL_THREADING_DUMMY
|
2013-11-26 17:37:31 +01:00
|
|
|
|
2013-11-20 17:23:53 +01:00
|
|
|
Bugfix
|
2013-12-04 18:05:29 +01:00
|
|
|
* Fixed bug in mpi_set_bit() on platforms where t_uint is wider than int
|
2013-11-20 17:23:53 +01:00
|
|
|
* Fixed X.509 hostname comparison (with non-regular characters)
|
2013-11-21 17:31:06 +01:00
|
|
|
* SSL now gracefully handles missing RNG
|
2013-11-26 17:37:31 +01:00
|
|
|
* Missing defines / cases for RSA_PSK key exchange
|
|
|
|
* crypt_and_hash app checks MAC before final decryption
|
2013-12-16 15:24:05 +01:00
|
|
|
* Potential memory leak in ssl_ticket_keys_init()
|
2013-12-16 16:43:10 +01:00
|
|
|
* Memory leak in benchmark application
|
2013-12-19 13:51:24 +01:00
|
|
|
* Fixed x509_crt_parse_path() bug on Windows platforms
|
2013-12-31 11:16:03 +01:00
|
|
|
* Added missing MPI_CHK() around some statements in mpi_div_mpi() (found by
|
|
|
|
TrustInSoft)
|
2013-12-31 11:35:16 +01:00
|
|
|
* Fixed potential overflow in certificate size verification in
|
|
|
|
ssl_write_certificate() (found by TrustInSoft)
|
2013-11-20 17:23:53 +01:00
|
|
|
|
2013-12-19 14:42:28 +01:00
|
|
|
Security
|
|
|
|
* Possible remotely-triggered out-of-bounds memory access fixed (found by
|
|
|
|
TrustInSoft)
|
|
|
|
|
2013-11-04 17:29:42 +01:00
|
|
|
= PolarSSL 1.3.2 released on 2013-11-04
|
2013-10-28 14:03:26 +01:00
|
|
|
Features
|
|
|
|
* PK tests added to test framework
|
2013-10-28 14:16:59 +01:00
|
|
|
* Added optional optimization for NIST MODP curves (POLARSSL_ECP_NIST_OPTIM)
|
2013-10-28 14:37:09 +01:00
|
|
|
* Support for Camellia-GCM mode and ciphersuites
|
2013-10-28 14:03:26 +01:00
|
|
|
|
2013-10-28 14:39:49 +01:00
|
|
|
Changes
|
|
|
|
* Padding checks in cipher layer are now constant-time
|
2013-10-31 14:37:37 +01:00
|
|
|
* Value comparisons in SSL layer are now constant-time
|
2013-10-29 14:24:37 +01:00
|
|
|
* Support for serialNumber, postalAddress and postalCode in X509 names
|
2013-10-31 14:37:37 +01:00
|
|
|
* SSL Renegotiation was refactored
|
2013-10-28 14:39:49 +01:00
|
|
|
|
2013-10-28 12:54:26 +01:00
|
|
|
Bugfix
|
2013-10-28 14:37:09 +01:00
|
|
|
* More stringent checks in cipher layer
|
2013-10-28 12:54:26 +01:00
|
|
|
* Server does not send out extensions not advertised by client
|
2013-10-28 12:57:08 +01:00
|
|
|
* Prevent possible alignment warnings on casting from char * to 'aligned *'
|
2013-10-28 14:02:40 +01:00
|
|
|
* Misc fixes and additions to dependency checks
|
2013-10-28 21:19:10 +01:00
|
|
|
* Const correctness
|
2013-10-28 22:28:09 +01:00
|
|
|
* cert_write with selfsign should use issuer_name as subject_name
|
2013-10-29 10:45:28 +01:00
|
|
|
* Fix ECDSA corner case: missing reduction mod N (found by DualTachyon)
|
2013-10-28 18:48:30 +01:00
|
|
|
* Defines to handle UEFI environment under MSVC
|
2013-10-31 14:37:37 +01:00
|
|
|
* Server-side initiated renegotiations send HelloRequest
|
2013-10-28 12:54:26 +01:00
|
|
|
|
2013-10-15 13:12:41 +02:00
|
|
|
= PolarSSL 1.3.1 released on 2013-10-15
|
2013-10-11 10:03:27 +02:00
|
|
|
Features
|
|
|
|
* Support for Brainpool curves and TLS ciphersuites (RFC 7027)
|
2013-10-15 12:44:23 +02:00
|
|
|
* Support for ECDHE-PSK key-exchange and ciphersuites
|
2013-10-15 12:46:17 +02:00
|
|
|
* Support for RSA-PSK key-exchange and ciphersuites
|
2013-10-11 10:03:27 +02:00
|
|
|
|
2013-10-11 09:21:56 +02:00
|
|
|
Changes
|
|
|
|
* RSA blinding locks for a smaller amount of time
|
2013-10-11 09:59:44 +02:00
|
|
|
* TLS compression only allocates working buffer once
|
2013-10-14 15:51:50 +02:00
|
|
|
* Introduced POLARSSL_HAVE_READDIR_R for systems without it
|
2013-10-15 11:55:10 +02:00
|
|
|
* config.h is more script-friendly
|
2013-10-11 09:21:56 +02:00
|
|
|
|
|
|
|
Bugfix
|
|
|
|
* Missing MSVC defines added
|
|
|
|
* Compile errors with POLARSSL_RSA_NO_CRT
|
|
|
|
* Header files with 'polarssl/'
|
2013-10-11 09:36:52 +02:00
|
|
|
* Const correctness
|
2013-10-11 09:38:49 +02:00
|
|
|
* Possible naming collision in dhm_context
|
2013-10-11 10:49:24 +02:00
|
|
|
* Better support for MSVC
|
2013-10-11 10:51:32 +02:00
|
|
|
* threading_set_alt() name
|
2013-10-11 10:54:28 +02:00
|
|
|
* Added missing x509write_crt_set_version()
|
2013-10-11 09:21:56 +02:00
|
|
|
|
2013-10-15 13:12:41 +02:00
|
|
|
= PolarSSL 1.3.0 released on 2013-10-01
|
2013-03-20 14:39:14 +01:00
|
|
|
Features
|
|
|
|
* Elliptic Curve Cryptography module added
|
|
|
|
* Elliptic Curve Diffie Hellman module added
|
|
|
|
* Ephemeral Elliptic Curve Diffie Hellman support for SSL/TLS
|
|
|
|
(ECDHE-based ciphersuites)
|
2013-08-28 12:15:11 +02:00
|
|
|
* Ephemeral Elliptic Curve Digital Signature Algorithm support for SSL/TLS
|
|
|
|
(ECDSA-based ciphersuites)
|
2013-04-15 15:09:54 +02:00
|
|
|
* Ability to specify allowed ciphersuites based on the protocol version.
|
2013-04-19 16:05:16 +02:00
|
|
|
* PSK and DHE-PSK based ciphersuites added
|
2013-07-03 13:37:05 +02:00
|
|
|
* Memory allocation abstraction layer added
|
|
|
|
* Buffer-based memory allocator added (no malloc() / free() / HEAP usage)
|
2013-09-28 14:40:38 +02:00
|
|
|
* Threading abstraction layer added (dummy / pthread / alternate)
|
2013-09-18 21:21:30 +02:00
|
|
|
* Public Key abstraction layer added
|
2013-07-19 14:55:25 +02:00
|
|
|
* Parsing Elliptic Curve keys
|
|
|
|
* Parsing Elliptic Curve certificates
|
|
|
|
* Support for max_fragment_length extension (RFC 6066)
|
|
|
|
* Support for truncated_hmac extension (RFC 6066)
|
2013-08-14 12:24:34 +02:00
|
|
|
* Support for zeros-and-length (ANSI X.923) padding, one-and-zeros
|
|
|
|
(ISO/IEC 7816-4) padding and zero padding in the cipher layer
|
2013-08-14 13:49:20 +02:00
|
|
|
* Support for session tickets (RFC 5077)
|
2013-08-28 16:31:30 +02:00
|
|
|
* Certificate Request (CSR) generation with extensions (key_usage,
|
|
|
|
ns_cert_type)
|
2013-09-12 12:00:52 +02:00
|
|
|
* X509 Certificate writing with extensions (basic_constraints,
|
|
|
|
issuer_key_identifier, etc)
|
2013-09-10 14:53:46 +02:00
|
|
|
* Optional blinding for RSA, DHM and EC
|
2013-09-25 18:03:58 +02:00
|
|
|
* Support for multiple active certificate / key pairs in SSL servers for
|
2018-06-22 12:22:44 +02:00
|
|
|
the same host (Not to be confused with SNI!)
|
2013-03-20 14:39:14 +01:00
|
|
|
|
2013-03-13 13:53:00 +01:00
|
|
|
Changes
|
2013-08-27 21:19:20 +02:00
|
|
|
* Ability to enable / disable SSL v3 / TLS 1.0 / TLS 1.1 / TLS 1.2
|
|
|
|
individually
|
2013-01-07 18:20:04 +01:00
|
|
|
* Introduced separate SSL Ciphersuites module that is based on
|
|
|
|
Cipher and MD information
|
2013-03-13 13:53:00 +01:00
|
|
|
* Internals for SSL module adapted to have separate IV pointer that is
|
|
|
|
dynamically set (Better support for hardware acceleration)
|
2013-04-07 22:00:46 +02:00
|
|
|
* Moved all OID functionality to a separate module. RSA function
|
|
|
|
prototypes for the RSA sign and verify functions changed as a result
|
2013-06-26 15:07:16 +02:00
|
|
|
* Split up the GCM module into a starts/update/finish cycle
|
2013-06-29 16:01:15 +02:00
|
|
|
* Client and server now filter sent and accepted ciphersuites on minimum
|
|
|
|
and maximum protocol version
|
2013-08-27 21:55:01 +02:00
|
|
|
* Ability to disable server_name extension (RFC 6066)
|
2013-06-29 18:24:32 +02:00
|
|
|
* Renamed error_strerror() to the less conflicting polarssl_strerror()
|
|
|
|
(Ability to keep old as well with POLARSSL_ERROR_STRERROR_BC)
|
2013-06-30 14:34:05 +02:00
|
|
|
* SHA2 renamed to SHA256, SHA4 renamed to SHA512 and functions accordingly
|
2013-08-30 10:30:02 +02:00
|
|
|
* All RSA operations require a random generator for blinding purposes
|
2013-09-18 15:33:49 +02:00
|
|
|
* X509 core refactored
|
|
|
|
* x509_crt_verify() now case insensitive for cn (RFC 6125 6.4)
|
2013-09-18 21:21:30 +02:00
|
|
|
* Also compiles / runs without time-based functions (!POLARSSL_HAVE_TIME)
|
2013-09-23 15:01:36 +02:00
|
|
|
* Support faulty X509 v1 certificates with extensions
|
|
|
|
(POLARSSL_X509_ALLOW_EXTENSIONS_NON_V3)
|
2013-03-13 13:53:00 +01:00
|
|
|
|
2013-04-11 17:13:22 +02:00
|
|
|
Bugfix
|
2013-05-22 13:56:26 +02:00
|
|
|
* Fixed parse error in ssl_parse_certificate_request()
|
2013-06-30 14:57:46 +02:00
|
|
|
* zlib compression/decompression skipped on empty blocks
|
2013-07-26 14:10:22 +02:00
|
|
|
* Support for AIX header locations in net.c module
|
2013-09-09 17:26:14 +02:00
|
|
|
* Fixed file descriptor leaks
|
2013-04-11 17:13:22 +02:00
|
|
|
|
2013-08-30 11:00:25 +02:00
|
|
|
Security
|
|
|
|
* RSA blinding on CRT operations to counter timing attacks
|
|
|
|
(found by Cyril Arnaud and Pierre-Alain Fouque)
|
|
|
|
|
2015-04-30 10:16:19 +02:00
|
|
|
|
|
|
|
= Version 1.2.14 released 2015-05-??
|
|
|
|
|
|
|
|
Security
|
|
|
|
* Fix potential invalid memory read in the server, that allows a client to
|
|
|
|
crash it remotely (found by Caj Larsson).
|
|
|
|
* Fix potential invalid memory read in certificate parsing, that allows a
|
|
|
|
client to crash the server remotely if client authentication is enabled
|
|
|
|
(found using Codenomicon Defensics).
|
|
|
|
* Add countermeasure against "Lucky 13 strikes back" cache-based attack,
|
|
|
|
https://dl.acm.org/citation.cfm?id=2714625
|
|
|
|
|
|
|
|
Bugfix
|
|
|
|
* Fix bug in Via Padlock support (found by Nikos Mavrogiannopoulos).
|
|
|
|
* Fix hardclock() (only used in the benchmarking program) with some
|
|
|
|
versions of mingw64 (found by kxjhlele).
|
|
|
|
* Fix warnings from mingw64 in timing.c (found by kxjklele).
|
|
|
|
* Fix potential unintended sign extension in asn1_get_len() on 64-bit
|
|
|
|
platforms (found with Coverity Scan).
|
|
|
|
|
|
|
|
= Version 1.2.13 released 2015-02-16
|
|
|
|
Note: Although PolarSSL has been renamed to mbed TLS, no changes reflecting
|
|
|
|
this will be made in the 1.2 branch at this point.
|
|
|
|
|
|
|
|
Security
|
|
|
|
* Fix remotely-triggerable uninitialised pointer dereference caused by
|
|
|
|
crafted X.509 certificate (TLS server is not affected if it doesn't ask
|
|
|
|
for a client certificate) (found using Codenomicon Defensics).
|
|
|
|
* Fix remotely-triggerable memory leak caused by crafted X.509 certificates
|
|
|
|
(TLS server is not affected if it doesn't ask for a client certificate)
|
|
|
|
(found using Codenomicon Defensics).
|
|
|
|
* Fix potential stack overflow while parsing crafted X.509 certificates
|
|
|
|
(TLS server is not affected if it doesn't ask for a client certificate)
|
|
|
|
found using Codenomicon Defensics).
|
|
|
|
* Fix buffer overread of size 1 when parsing crafted X.509 certificates
|
|
|
|
(TLS server is not affected if it doesn't ask for a client certificate).
|
|
|
|
|
|
|
|
Bugfix
|
|
|
|
* Fix potential undefined behaviour in Camellia.
|
|
|
|
* Fix memory leaks in PKCS#5 and PKCS#12.
|
|
|
|
* Stack buffer overflow if ctr_drbg_update() is called with too large
|
|
|
|
add_len (found by Jean-Philippe Aumasson) (not triggerable remotely).
|
|
|
|
* Fix bug in MPI/bignum on s390/s390x (reported by Dan Horák) (introduced
|
|
|
|
in 1.2.12).
|
|
|
|
* Fix unchecked return code in x509_crt_parse_path() on Windows (found by
|
|
|
|
Peter Vaskovic).
|
|
|
|
* Fix assembly selection for MIPS64 (thanks to James Cowgill).
|
|
|
|
* ssl_get_verify_result() now works even if the handshake was aborted due
|
|
|
|
to a failed verification (found by Fredrik Axelsson).
|
|
|
|
* Skip writing and parsing signature_algorithm extension if none of the
|
|
|
|
key exchanges enabled needs certificates. This fixes a possible interop
|
|
|
|
issue with some servers when a zero-length extension was sent. (Reported
|
|
|
|
by Peter Dettman.)
|
|
|
|
* On a 0-length input, base64_encode() did not correctly set output length
|
|
|
|
(found by Hendrik van den Boogaard).
|
|
|
|
|
|
|
|
Changes
|
|
|
|
* Blind RSA private operations even when POLARSSL_RSA_NO_CRT is defined.
|
|
|
|
* Forbid repeated extensions in X.509 certificates.
|
|
|
|
* Add compile-time option POLARSSL_X509_MAX_INTERMEDIATE_CA to limit the
|
|
|
|
length of an X.509 verification chain (default = 8).
|
2014-10-24 16:26:29 +02:00
|
|
|
= Version 1.2.12 released 2014-10-24
|
|
|
|
|
|
|
|
Security
|
|
|
|
* Remotely-triggerable memory leak when parsing some X.509 certificates
|
|
|
|
(server is not affected if it doesn't ask for a client certificate).
|
|
|
|
(Found using Codenomicon Defensics.)
|
|
|
|
|
|
|
|
Bugfix
|
|
|
|
* Fix potential bad read in parsing ServerHello (found by Adrien
|
|
|
|
Vialletelle).
|
|
|
|
* ssl_close_notify() could send more than one message in some circumstances
|
|
|
|
with non-blocking I/O.
|
|
|
|
* x509_crt_parse() did not increase total_failed on PEM error
|
|
|
|
* Fix compiler warnings on iOS (found by Sander Niemeijer).
|
|
|
|
* Don't print uninitialised buffer in ssl_mail_client (found by Marc Abel).
|
|
|
|
* Fix net_accept() regarding non-blocking sockets (found by Luca Pesce).
|
|
|
|
* ssl_read() could return non-application data records on server while
|
|
|
|
renegotation was pending, and on client when a HelloRequest was received.
|
|
|
|
* Fix warnings from Clang's scan-build (contributed by Alfred Klomp).
|
|
|
|
|
|
|
|
Changes
|
|
|
|
* X.509 certificates with more than one AttributeTypeAndValue per
|
|
|
|
RelativeDistinguishedName are not accepted any more.
|
|
|
|
* ssl_read() now returns POLARSSL_ERR_NET_WANT_READ rather than
|
|
|
|
POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE on harmless alerts.
|
|
|
|
* Accept spaces at end of line or end of buffer in base64_decode().
|
|
|
|
|
2014-07-11 11:28:30 +02:00
|
|
|
= Version 1.2.11 released 2014-07-11
|
|
|
|
Features
|
|
|
|
* Entropy module now supports seed writing and reading
|
|
|
|
|
|
|
|
Changes
|
|
|
|
* Introduced POLARSSL_HAVE_READDIR_R for systems without it
|
|
|
|
* Improvements to the CMake build system, contributed by Julian Ospald.
|
|
|
|
* Work around a bug of the version of Clang shipped by Apple with Mavericks
|
|
|
|
that prevented bignum.c from compiling. (Reported by Rafael Baptista.)
|
|
|
|
* Improvements to tests/Makefile, contributed by Oden Eriksson.
|
|
|
|
* Use UTC time to check certificate validity.
|
|
|
|
* Reject certificates with times not in UTC, per RFC 5280.
|
|
|
|
* Migrate zeroizing of data to polarssl_zeroize() instead of memset()
|
|
|
|
against unwanted compiler optimizations
|
|
|
|
|
|
|
|
Security
|
|
|
|
* Forbid change of server certificate during renegotiation to prevent
|
|
|
|
"triple handshake" attack when authentication mode is optional (the
|
|
|
|
attack was already impossible when authentication is required).
|
|
|
|
* Check notBefore timestamp of certificates and CRLs from the future.
|
|
|
|
* Forbid sequence number wrapping
|
|
|
|
* Prevent potential NULL pointer dereference in ssl_read_record() (found by
|
|
|
|
TrustInSoft)
|
|
|
|
* Fix length checking for AEAD ciphersuites (found by Codenomicon).
|
|
|
|
It was possible to crash the server (and client) using crafted messages
|
|
|
|
when a GCM suite was chosen.
|
|
|
|
|
|
|
|
Bugfix
|
|
|
|
* Fixed X.509 hostname comparison (with non-regular characters)
|
|
|
|
* SSL now gracefully handles missing RNG
|
|
|
|
* crypt_and_hash app checks MAC before final decryption
|
|
|
|
* Fixed x509_crt_parse_path() bug on Windows platforms
|
|
|
|
* Added missing MPI_CHK() around some statements in mpi_div_mpi() (found by
|
|
|
|
TrustInSoft)
|
|
|
|
* Fixed potential overflow in certificate size verification in
|
|
|
|
ssl_write_certificate() (found by TrustInSoft)
|
|
|
|
* Fix ASM format in bn_mul.h
|
|
|
|
* Potential memory leak in bignum_selftest()
|
|
|
|
* Replaced expired test certificate
|
|
|
|
* ssl_mail_client now terminates lines with CRLF, instead of LF
|
|
|
|
* Fix bug in RSA PKCS#1 v1.5 "reversed" operations
|
|
|
|
* Fixed testing with out-of-source builds using cmake
|
|
|
|
* Fixed version-major intolerance in server
|
|
|
|
* Fixed CMake symlinking on out-of-source builds
|
|
|
|
* Bignum's MIPS-32 assembly was used on MIPS-64, causing chaos. (Found by
|
|
|
|
Alex Wilson.)
|
|
|
|
* ssl_init() was leaving a dirty pointer in ssl_context if malloc of
|
|
|
|
out_ctr failed
|
|
|
|
* ssl_handshake_init() was leaving dirty pointers in subcontexts if malloc
|
|
|
|
of one of them failed
|
|
|
|
* x509_get_current_time() uses localtime_r() to prevent thread issues
|
|
|
|
* Some example server programs were not sending the close_notify alert.
|
|
|
|
* Potential memory leak in mpi_exp_mod() when error occurs during
|
|
|
|
calculation of RR.
|
|
|
|
* Improve interoperability by not writing extension length in ClientHello
|
|
|
|
when no extensions are present (found by Matthew Page)
|
|
|
|
* rsa_check_pubkey() now allows an E up to N
|
|
|
|
* On OpenBSD, use arc4random_buf() instead of rand() to prevent warnings
|
|
|
|
* mpi_fill_random() was creating numbers larger than requested on
|
|
|
|
big-endian platform when size was not an integer number of limbs
|
|
|
|
* Fix detection of DragonflyBSD in net.c (found by Markus Pfeiffer)
|
|
|
|
* Stricter check on SSL ClientHello internal sizes compared to actual packet
|
|
|
|
size (found by TrustInSoft)
|
|
|
|
* Fix preprocessor checks for bn_mul PPC asm (found by Barry K. Nathan).
|
|
|
|
* Use \n\t rather than semicolons for bn_mul asm, since some assemblers
|
|
|
|
interpret semicolons as comment delimiters (found by Barry K. Nathan).
|
|
|
|
* Disable broken Sparc64 bn_mul assembly (found by Florian Obser).
|
|
|
|
* Fix base64_decode() to return and check length correctly (in case of
|
|
|
|
tight buffers)
|
|
|
|
|
2013-10-07 16:22:05 +02:00
|
|
|
= Version 1.2.10 released 2013-10-07
|
|
|
|
Changes
|
|
|
|
* Changed RSA blinding to a slower but thread-safe version
|
|
|
|
|
|
|
|
Bugfix
|
|
|
|
* Fixed memory leak in RSA as a result of introduction of blinding
|
|
|
|
* Fixed ssl_pkcs11_decrypt() prototype
|
|
|
|
* Fixed MSVC project files
|
|
|
|
|
2013-10-01 10:12:42 +02:00
|
|
|
= Version 1.2.9 released 2013-10-01
|
2013-09-26 10:12:19 +02:00
|
|
|
Changes
|
|
|
|
* x509_verify() now case insensitive for cn (RFC 6125 6.4)
|
|
|
|
|
|
|
|
Bugfix
|
|
|
|
* Fixed potential memory leak when failing to resume a session
|
|
|
|
* Fixed potential file descriptor leaks (found by Remi Gacogne)
|
|
|
|
* Minor fixes
|
|
|
|
|
|
|
|
Security
|
|
|
|
* Fixed potential heap buffer overflow on large hostname setting
|
|
|
|
* Fixed potential negative value misinterpretation in load_file()
|
|
|
|
* RSA blinding on CRT operations to counter timing attacks
|
|
|
|
(found by Cyril Arnaud and Pierre-Alain Fouque)
|
|
|
|
|
2013-06-24 19:07:34 +02:00
|
|
|
= Version 1.2.8 released 2013-06-19
|
|
|
|
Features
|
|
|
|
* Parsing of PKCS#8 encrypted private key files
|
|
|
|
* PKCS#12 PBE and derivation functions
|
|
|
|
* Centralized module option values in config.h to allow user-defined
|
|
|
|
settings without editing header files by using POLARSSL_CONFIG_OPTIONS
|
|
|
|
|
|
|
|
Changes
|
|
|
|
* HAVEGE random generator disabled by default
|
|
|
|
* Internally split up x509parse_key() into a (PEM) handler function
|
|
|
|
and specific DER parser functions for the PKCS#1 and unencrypted
|
|
|
|
PKCS#8 private key formats
|
|
|
|
* Added mechanism to provide alternative implementations for all
|
|
|
|
symmetric cipher and hash algorithms (e.g. POLARSSL_AES_ALT in
|
2018-06-22 12:22:44 +02:00
|
|
|
config.h)
|
2013-06-24 19:07:34 +02:00
|
|
|
* PKCS#5 module added. Moved PBKDF2 functionality inside and deprecated
|
|
|
|
old PBKDF2 module
|
|
|
|
|
|
|
|
Bugfix
|
|
|
|
* Secure renegotiation extension should only be sent in case client
|
|
|
|
supports secure renegotiation
|
|
|
|
* Fixed offset for cert_type list in ssl_parse_certificate_request()
|
|
|
|
* Fixed const correctness issues that have no impact on the ABI
|
|
|
|
* x509parse_crt() now better handles PEM error situations
|
|
|
|
* ssl_parse_certificate() now calls x509parse_crt_der() directly
|
|
|
|
instead of the x509parse_crt() wrapper that can also parse PEM
|
2018-06-22 12:22:44 +02:00
|
|
|
certificates
|
2013-06-24 19:07:34 +02:00
|
|
|
* x509parse_crtpath() is now reentrant and uses more portable stat()
|
|
|
|
* Fixed bignum.c and bn_mul.h to support Thumb2 and LLVM compiler
|
|
|
|
* Fixed values for 2-key Triple DES in cipher layer
|
|
|
|
* ssl_write_certificate_request() can handle empty ca_chain
|
|
|
|
|
|
|
|
Security
|
|
|
|
* A possible DoS during the SSL Handshake, due to faulty parsing of
|
|
|
|
PEM-encoded certificates has been fixed (found by Jack Lloyd)
|
|
|
|
|
|
|
|
= Version 1.2.7 released 2013-04-13
|
|
|
|
Features
|
|
|
|
* Ability to specify allowed ciphersuites based on the protocol version.
|
|
|
|
|
|
|
|
Changes
|
|
|
|
* Default Blowfish keysize is now 128-bits
|
|
|
|
* Test suites made smaller to accommodate Raspberry Pi
|
|
|
|
|
|
|
|
Bugfix
|
|
|
|
* Fix for MPI assembly for ARM
|
|
|
|
* GCM adapted to support sizes > 2^29
|
|
|
|
|
2013-03-11 11:38:44 +01:00
|
|
|
= Version 1.2.6 released 2013-03-11
|
2013-02-14 11:19:38 +01:00
|
|
|
Bugfix
|
|
|
|
* Fixed memory leak in ssl_free() and ssl_reset() for active session
|
2013-02-27 14:52:37 +01:00
|
|
|
* Corrected GCM counter incrementation to use only 32-bits instead of
|
|
|
|
128-bits (found by Yawning Angel)
|
2013-02-28 10:20:53 +01:00
|
|
|
* Fixes for 64-bit compilation with MS Visual Studio
|
2013-03-06 16:55:11 +01:00
|
|
|
* Fixed net_bind() for specified IP addresses on little endian systems
|
2013-03-06 18:14:52 +01:00
|
|
|
* Fixed assembly code for ARM (Thumb and regular) for some compilers
|
2013-02-14 11:19:38 +01:00
|
|
|
|
2013-02-28 17:21:01 +01:00
|
|
|
Changes
|
|
|
|
* Internally split up rsa_pkcs1_encrypt(), rsa_pkcs1_decrypt(),
|
|
|
|
rsa_pkcs1_sign() and rsa_pkcs1_verify() to separate PKCS#1 v1.5 and
|
|
|
|
PKCS#1 v2.1 functions
|
2013-02-28 17:33:49 +01:00
|
|
|
* Added support for custom labels when using rsa_rsaes_oaep_encrypt()
|
|
|
|
or rsa_rsaes_oaep_decrypt()
|
2013-03-06 17:01:52 +01:00
|
|
|
* Re-added handling for SSLv2 Client Hello when the define
|
|
|
|
POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO is set
|
2013-03-06 17:40:46 +01:00
|
|
|
* The SSL session cache module (ssl_cache) now also retains peer_cert
|
|
|
|
information (not the entire chain)
|
2013-02-28 17:21:01 +01:00
|
|
|
|
2013-02-27 14:48:00 +01:00
|
|
|
Security
|
|
|
|
* Removed further timing differences during SSL message decryption in
|
|
|
|
ssl_decrypt_buf()
|
2013-02-28 18:06:26 +01:00
|
|
|
* Removed timing differences due to bad padding from
|
|
|
|
rsa_rsaes_pkcs1_v15_decrypt() and rsa_pkcs1_decrypt() for PKCS#1 v1.5
|
|
|
|
operations
|
2013-02-27 14:48:00 +01:00
|
|
|
|
2013-02-02 19:23:57 +01:00
|
|
|
= Version 1.2.5 released 2013-02-02
|
2013-02-02 12:43:08 +01:00
|
|
|
Changes
|
|
|
|
* Allow enabling of dummy error_strerror() to support some use-cases
|
2013-01-31 16:57:45 +01:00
|
|
|
* Debug messages about padding errors during SSL message decryption are
|
2017-07-27 16:10:21 +02:00
|
|
|
disabled by default and can be enabled with POLARSSL_SSL_DEBUG_ALL
|
2013-01-31 17:13:13 +01:00
|
|
|
* Sending of security-relevant alert messages that do not break
|
|
|
|
interoperability can be switched on/off with the flag
|
2013-03-06 17:06:21 +01:00
|
|
|
POLARSSL_SSL_ALL_ALERT_MESSAGES
|
2013-02-02 12:43:08 +01:00
|
|
|
|
2013-01-03 14:52:21 +01:00
|
|
|
Security
|
|
|
|
* Removed timing differences during SSL message decryption in
|
|
|
|
ssl_decrypt_buf() due to badly formatted padding
|
|
|
|
|
2013-01-25 17:11:37 +01:00
|
|
|
= Version 1.2.4 released 2013-01-25
|
2013-01-25 14:49:24 +01:00
|
|
|
Changes
|
2013-01-07 18:20:04 +01:00
|
|
|
* More advanced SSL ciphersuite representation and moved to more dynamic
|
|
|
|
SSL core
|
2013-01-25 14:49:24 +01:00
|
|
|
* Added ssl_handshake_step() to allow single stepping the handshake process
|
|
|
|
|
2013-01-03 10:50:31 +01:00
|
|
|
Bugfix
|
|
|
|
* Memory leak when using RSA_PKCS_V21 operations fixed
|
2013-01-03 11:41:08 +01:00
|
|
|
* Handle future version properly in ssl_write_certificate_request()
|
2013-01-22 13:45:33 +01:00
|
|
|
* Correctly handle CertificateRequest message in client for <= TLS 1.1
|
|
|
|
without DN list
|
2013-01-03 10:50:31 +01:00
|
|
|
|
2012-11-26 16:28:25 +01:00
|
|
|
= Version 1.2.3 released 2012-11-26
|
|
|
|
Bugfix
|
|
|
|
* Server not always sending correct CertificateRequest message
|
|
|
|
|
2012-11-24 12:20:19 +01:00
|
|
|
= Version 1.2.2 released 2012-11-24
|
2012-11-20 13:50:22 +01:00
|
|
|
Changes
|
|
|
|
* Added p_hw_data to ssl_context for context specific hardware acceleration
|
|
|
|
data
|
2017-07-27 16:10:21 +02:00
|
|
|
* During verify trust-CA is only checked for expiration and CRL presence
|
2012-11-20 13:50:22 +01:00
|
|
|
|
2012-11-23 14:02:40 +01:00
|
|
|
Bugfixes
|
2012-11-24 12:20:19 +01:00
|
|
|
* Fixed client authentication compatibility
|
|
|
|
* Fixed dependency on POLARSSL_SHA4_C in SSL modules
|
2012-11-23 14:02:40 +01:00
|
|
|
|
2012-11-20 10:58:09 +01:00
|
|
|
= Version 1.2.1 released 2012-11-20
|
2012-11-14 13:11:38 +01:00
|
|
|
Changes
|
|
|
|
* Depth that the certificate verify callback receives is now numbered
|
|
|
|
bottom-up (Peer cert depth is 0)
|
|
|
|
|
2012-11-02 11:59:36 +01:00
|
|
|
Bugfixes
|
|
|
|
* Fixes for MSVC6
|
2012-11-02 12:02:58 +01:00
|
|
|
* Moved mpi_inv_mod() outside POLARSSL_GENPRIME
|
2012-11-13 11:25:21 +01:00
|
|
|
* Allow R and A to point to same mpi in mpi_div_mpi (found by Manuel
|
|
|
|
Pégourié-Gonnard)
|
2012-11-17 12:42:51 +01:00
|
|
|
* Fixed possible segfault in mpi_shift_r() (found by Manuel
|
|
|
|
Pégourié-Gonnard)
|
2012-11-13 13:13:27 +01:00
|
|
|
* Added max length check for rsa_pkcs1_sign with PKCS#1 v2.1
|
2012-11-02 11:59:36 +01:00
|
|
|
|
2012-10-31 14:55:27 +01:00
|
|
|
= Version 1.2.0 released 2012-10-31
|
2012-02-06 17:45:10 +01:00
|
|
|
Features
|
|
|
|
* Added support for NULL cipher (POLARSSL_CIPHER_NULL_CIPHER) and weak
|
|
|
|
ciphersuites (POLARSSL_ENABLE_WEAK_CIPHERSUITES). They are disabled by
|
|
|
|
default!
|
2012-02-11 17:09:32 +01:00
|
|
|
* Added support for wildcard certificates
|
|
|
|
* Added support for multi-domain certificates through the X509 Subject
|
|
|
|
Alternative Name extension
|
2012-02-14 00:11:30 +01:00
|
|
|
* Added preliminary ASN.1 buffer writing support
|
|
|
|
* Added preliminary X509 Certificate Request writing support
|
|
|
|
* Added key_app_writer example application
|
|
|
|
* Added cert_req example application
|
2012-03-20 14:50:09 +01:00
|
|
|
* Added base Galois Counter Mode (GCM) for AES
|
2012-09-16 21:57:18 +02:00
|
|
|
* Added TLS 1.2 support (RFC 5246)
|
2012-04-18 16:23:57 +02:00
|
|
|
* Added GCM suites to TLS 1.2 (RFC 5288)
|
2012-05-08 10:36:15 +02:00
|
|
|
* Added commandline error code convertor (util/strerror)
|
2012-05-08 11:17:57 +02:00
|
|
|
* Added support for Hardware Acceleration hooking in SSL/TLS
|
2012-05-19 10:43:48 +02:00
|
|
|
* Added OpenSSL / PolarSSL compatibility script (tests/compat.sh) and
|
2012-10-31 14:55:27 +01:00
|
|
|
example application (programs/ssl/o_p_test) (requires OpenSSL)
|
2012-06-04 14:46:42 +02:00
|
|
|
* Added X509 CA Path support
|
2012-07-02 10:36:36 +02:00
|
|
|
* Added Thumb assembly optimizations
|
2012-07-03 15:30:23 +02:00
|
|
|
* Added DEFLATE compression support as per RFC3749 (requires zlib)
|
2012-07-04 19:10:40 +02:00
|
|
|
* Added blowfish algorithm (Generic and cipher layer)
|
2012-08-23 15:03:18 +02:00
|
|
|
* Added PKCS#5 PBKDF2 key derivation function
|
2012-09-16 21:57:18 +02:00
|
|
|
* Added Secure Renegotiation (RFC 5746)
|
2012-09-25 11:36:44 +02:00
|
|
|
* Added predefined DHM groups from RFC 5114
|
2012-09-25 23:55:46 +02:00
|
|
|
* Added simple SSL session cache implementation
|
2012-09-27 23:49:42 +02:00
|
|
|
* Added ServerName extension parsing (SNI) at server side
|
2012-09-28 15:28:45 +02:00
|
|
|
* Added option to add minimum accepted SSL/TLS protocol version
|
2012-02-06 17:45:10 +01:00
|
|
|
|
2012-02-11 17:17:43 +01:00
|
|
|
Changes
|
|
|
|
* Removed redundant POLARSSL_DEBUG_MSG define
|
2012-02-12 18:31:04 +01:00
|
|
|
* AES code only check for Padlock once
|
2012-05-08 14:01:43 +02:00
|
|
|
* Fixed const-correctness mpi_get_bit()
|
|
|
|
* Documentation for mpi_lsb() and mpi_msb()
|
2012-05-08 15:16:14 +02:00
|
|
|
* Moved out_msg to out_hdr + 32 to support hardware acceleration
|
2012-05-10 16:12:46 +02:00
|
|
|
* Changed certificate verify behaviour to comply with RFC 6125 section 6.3
|
2012-05-16 09:57:36 +02:00
|
|
|
to not match CN if subjectAltName extension is present (Closes ticket #56)
|
2012-07-04 19:10:40 +02:00
|
|
|
* Cipher layer cipher_mode_t POLARSSL_MODE_CFB128 is renamed to
|
|
|
|
POLARSSL_MODE_CFB, to also handle different block size CFB modes.
|
2012-09-09 21:17:02 +02:00
|
|
|
* Removed handling for SSLv2 Client Hello (as per RFC 5246 recommendation)
|
2012-09-25 23:55:46 +02:00
|
|
|
* Revamped session resumption handling
|
2012-09-27 21:15:01 +02:00
|
|
|
* Generalized external private key implementation handling (like PKCS#11)
|
|
|
|
in SSL/TLS
|
2012-09-28 09:10:55 +02:00
|
|
|
* Revamped x509_verify() and the SSL f_vrfy callback implementations
|
2012-10-01 16:41:15 +02:00
|
|
|
* Moved from unsigned long to fixed width uint32_t types throughout code
|
2012-10-31 13:32:41 +01:00
|
|
|
* Renamed ciphersuites naming scheme to IANA reserved names
|
2012-02-11 17:17:43 +01:00
|
|
|
|
2012-03-22 15:10:22 +01:00
|
|
|
Bugfix
|
2012-03-22 15:19:49 +01:00
|
|
|
* Fixed handling error in mpi_cmp_mpi() on longer B values (found by
|
|
|
|
Hui Dong)
|
2012-05-01 10:14:20 +02:00
|
|
|
* Fixed potential heap corruption in x509_name allocation
|
2012-05-16 09:57:36 +02:00
|
|
|
* Fixed single RSA test that failed on Big Endian systems (Closes ticket #54)
|
2012-05-16 10:02:29 +02:00
|
|
|
* mpi_exp_mod() now correctly handles negative base numbers (Closes ticket
|
|
|
|
#52)
|
2012-05-19 10:43:48 +02:00
|
|
|
* Handle encryption with private key and decryption with public key as per
|
2018-06-22 12:22:44 +02:00
|
|
|
RFC 2313
|
2012-06-27 13:51:09 +02:00
|
|
|
* Handle empty certificate subject names
|
2012-08-23 12:49:55 +02:00
|
|
|
* Prevent reading over buffer boundaries on X509 certificate parsing
|
2012-09-16 23:35:30 +02:00
|
|
|
* mpi_add_abs() now correctly handles adding short numbers to long numbers
|
2012-09-25 10:19:56 +02:00
|
|
|
with carry rollover (found by Ruslan Yushchenko)
|
2012-09-25 14:10:00 +02:00
|
|
|
* Handle existence of OpenSSL Trust Extensions at end of X.509 DER blob
|
2012-10-30 08:29:57 +01:00
|
|
|
* Fixed MPI assembly for SPARC64 platform
|
2012-03-22 15:10:22 +01:00
|
|
|
|
2012-04-05 14:07:34 +02:00
|
|
|
Security
|
2012-07-05 15:58:08 +02:00
|
|
|
* Fixed potential memory zeroization on miscrafted RSA key (found by Eloi
|
|
|
|
Vanderbeken)
|
2012-04-05 14:07:34 +02:00
|
|
|
|
2013-10-01 10:12:42 +02:00
|
|
|
= Version 1.1.8 released on 2013-10-01
|
2013-09-26 10:12:19 +02:00
|
|
|
Bugfix
|
|
|
|
* Fixed potential memory leak when failing to resume a session
|
|
|
|
* Fixed potential file descriptor leaks
|
|
|
|
|
|
|
|
Security
|
|
|
|
* Potential buffer-overflow for ssl_read_record() (independently found by
|
|
|
|
both TrustInSoft and Paul Brodeur of Leviathan Security Group)
|
|
|
|
* Potential negative value misinterpretation in load_file()
|
|
|
|
* Potential heap buffer overflow on large hostname setting
|
|
|
|
|
2013-06-24 19:08:50 +02:00
|
|
|
= Version 1.1.7 released on 2013-06-19
|
|
|
|
Changes
|
|
|
|
* HAVEGE random generator disabled by default
|
|
|
|
|
|
|
|
Bugfix
|
|
|
|
* x509parse_crt() now better handles PEM error situations
|
|
|
|
* ssl_parse_certificate() now calls x509parse_crt_der() directly
|
|
|
|
instead of the x509parse_crt() wrapper that can also parse PEM
|
2018-06-22 12:22:44 +02:00
|
|
|
certificates
|
2013-06-24 19:08:50 +02:00
|
|
|
* Fixed values for 2-key Triple DES in cipher layer
|
|
|
|
* ssl_write_certificate_request() can handle empty ca_chain
|
|
|
|
|
|
|
|
Security
|
|
|
|
* A possible DoS during the SSL Handshake, due to faulty parsing of
|
|
|
|
PEM-encoded certificates has been fixed (found by Jack Lloyd)
|
|
|
|
|
|
|
|
= Version 1.1.6 released on 2013-03-11
|
|
|
|
Bugfix
|
|
|
|
* Fixed net_bind() for specified IP addresses on little endian systems
|
|
|
|
|
|
|
|
Changes
|
|
|
|
* Allow enabling of dummy error_strerror() to support some use-cases
|
|
|
|
* Debug messages about padding errors during SSL message decryption are
|
|
|
|
disabled by default and can be enabled with POLARSSL_SSL_DEBUG_ALL
|
|
|
|
|
|
|
|
Security
|
|
|
|
* Removed timing differences during SSL message decryption in
|
|
|
|
ssl_decrypt_buf()
|
|
|
|
* Removed timing differences due to bad padding from
|
|
|
|
rsa_rsaes_pkcs1_v15_decrypt() and rsa_pkcs1_decrypt() for PKCS#1 v1.5
|
|
|
|
operations
|
|
|
|
|
2013-01-25 16:07:49 +01:00
|
|
|
= Version 1.1.5 released on 2013-01-16
|
|
|
|
Bugfix
|
|
|
|
* Fixed MPI assembly for SPARC64 platform
|
|
|
|
* Handle existence of OpenSSL Trust Extensions at end of X.509 DER blob
|
|
|
|
* mpi_add_abs() now correctly handles adding short numbers to long numbers
|
|
|
|
with carry rollover
|
|
|
|
* Moved mpi_inv_mod() outside POLARSSL_GENPRIME
|
|
|
|
* Prevent reading over buffer boundaries on X509 certificate parsing
|
|
|
|
* mpi_exp_mod() now correctly handles negative base numbers (Closes ticket
|
|
|
|
#52)
|
|
|
|
* Fixed possible segfault in mpi_shift_r() (found by Manuel
|
|
|
|
Pégourié-Gonnard)
|
|
|
|
* Allow R and A to point to same mpi in mpi_div_mpi (found by Manuel
|
|
|
|
Pégourié-Gonnard)
|
|
|
|
* Added max length check for rsa_pkcs1_sign with PKCS#1 v2.1
|
|
|
|
* Memory leak when using RSA_PKCS_V21 operations fixed
|
|
|
|
* Handle encryption with private key and decryption with public key as per
|
|
|
|
RFC 2313
|
|
|
|
* Fixes for MSVC6
|
|
|
|
|
|
|
|
Security
|
|
|
|
* Fixed potential memory zeroization on miscrafted RSA key (found by Eloi
|
|
|
|
Vanderbeken)
|
|
|
|
|
2012-10-02 16:38:56 +02:00
|
|
|
= Version 1.1.4 released on 2012-05-31
|
|
|
|
Bugfix
|
|
|
|
* Correctly handle empty SSL/TLS packets (Found by James Yonan)
|
|
|
|
* Fixed potential heap corruption in x509_name allocation
|
|
|
|
* Fixed single RSA test that failed on Big Endian systems (Closes ticket #54)
|
|
|
|
|
2012-05-08 11:04:04 +02:00
|
|
|
= Version 1.1.3 released on 2012-04-29
|
|
|
|
Bugfix
|
|
|
|
* Fixed random MPI generation to not generate more size than requested.
|
|
|
|
|
|
|
|
= Version 1.1.2 released on 2012-04-26
|
|
|
|
Bugfix
|
|
|
|
* Fixed handling error in mpi_cmp_mpi() on longer B values (found by
|
|
|
|
Hui Dong)
|
|
|
|
|
|
|
|
Security
|
|
|
|
* Fixed potential memory corruption on miscrafted client messages (found by
|
|
|
|
Frama-C team at CEA LIST)
|
|
|
|
* Fixed generation of DHM parameters to correct length (found by Ruslan
|
|
|
|
Yushchenko)
|
|
|
|
|
2012-01-23 10:31:41 +01:00
|
|
|
= Version 1.1.1 released on 2012-01-23
|
2012-01-13 14:44:06 +01:00
|
|
|
Bugfix
|
|
|
|
* Check for failed malloc() in ssl_set_hostname() and x509_get_entries()
|
|
|
|
(Closes ticket #47, found by Hugo Leisink)
|
2012-01-21 06:41:23 +01:00
|
|
|
* Fixed issues with Intel compiler on 64-bit systems (Closes ticket #50)
|
2012-01-23 10:31:41 +01:00
|
|
|
* Fixed multiple compiler warnings for VS6 and armcc
|
|
|
|
* Fixed bug in CTR_CRBG selftest
|
2012-01-13 14:44:06 +01:00
|
|
|
|
2011-12-22 10:43:57 +01:00
|
|
|
= Version 1.1.0 released on 2011-12-22
|
2011-10-06 14:37:39 +02:00
|
|
|
Features
|
|
|
|
* Added ssl_session_reset() to allow better multi-connection pools of
|
|
|
|
SSL contexts without needing to set all non-connection-specific
|
2018-06-22 12:22:44 +02:00
|
|
|
data and pointers again. Adapted ssl_server to use this functionality.
|
2011-10-06 15:04:09 +02:00
|
|
|
* Added ssl_set_max_version() to allow clients to offer a lower maximum
|
|
|
|
supported version to a server to help buggy server implementations.
|
2018-06-22 12:22:44 +02:00
|
|
|
(Closes ticket #36)
|
2011-11-11 11:55:02 +01:00
|
|
|
* Added cipher_get_cipher_mode() and cipher_get_cipher_operation()
|
|
|
|
introspection functions (Closes ticket #40)
|
2011-11-27 15:46:59 +01:00
|
|
|
* Added CTR_DRBG based on AES-256-CTR (NIST SP 800-90) random generator
|
2011-12-03 22:45:14 +01:00
|
|
|
* Added a generic entropy accumulator that provides support for adding
|
|
|
|
custom entropy sources and added some generic and platform dependent
|
2018-06-22 12:22:44 +02:00
|
|
|
entropy sources
|
2011-10-06 14:37:39 +02:00
|
|
|
|
2011-10-06 15:11:08 +02:00
|
|
|
Changes
|
|
|
|
* Documentation for AES and Camellia in modes CTR and CFB128 clarified.
|
2011-10-06 15:18:27 +02:00
|
|
|
* Fixed rsa_encrypt and rsa_decrypt examples to use public key for
|
|
|
|
encryption and private key for decryption. (Closes ticket #34)
|
2011-10-12 11:52:22 +02:00
|
|
|
* Inceased maximum size of ASN1 length reads to 32-bits.
|
2011-10-12 11:56:41 +02:00
|
|
|
* Added an EXPLICIT tag number parameter to x509_get_ext()
|
2011-10-12 11:58:41 +02:00
|
|
|
* Added a separate CRL entry extension parsing function
|
2011-11-10 15:43:23 +01:00
|
|
|
* Separated the ASN.1 parsing code from the X.509 specific parsing code.
|
|
|
|
So now there is a module that is controlled with POLARSSL_ASN1_PARSE_C.
|
2011-11-15 16:38:45 +01:00
|
|
|
* Changed the defined key-length of DES ciphers in cipher.h to include the
|
|
|
|
parity bits, to prevent mistakes in copying data. (Closes ticket #33)
|
2011-11-18 15:26:47 +01:00
|
|
|
* Loads of minimal changes to better support WINCE as a build target
|
2011-11-18 15:34:17 +01:00
|
|
|
(Credits go to Marco Lizza)
|
2011-11-25 12:52:11 +01:00
|
|
|
* Added POLARSSL_MPI_WINDOW_SIZE definition to allow easier time to memory
|
|
|
|
trade-off
|
2011-11-25 13:11:43 +01:00
|
|
|
* Introduced POLARSSL_MPI_MAX_SIZE and POLARSSL_MPI_MAX_BITS for MPI size
|
|
|
|
management (Closes ticket #44)
|
2011-11-27 22:07:34 +01:00
|
|
|
* Changed the used random function pointer to more flexible format. Renamed
|
|
|
|
havege_rand() to havege_random() to prevent mistakes. Lots of changes as
|
2013-03-06 17:06:21 +01:00
|
|
|
a consequence in library code and programs
|
2011-12-04 18:09:26 +01:00
|
|
|
* Moved all examples programs to use the new entropy and CTR_DRBG
|
2011-12-04 13:24:18 +01:00
|
|
|
* Added permissive certificate parsing to x509parse_crt() and
|
|
|
|
x509parse_crtfile(). With permissive parsing the parsing does not stop on
|
2013-03-06 17:06:21 +01:00
|
|
|
encountering a parse-error. Beware that the meaning of return values has
|
|
|
|
changed!
|
2011-12-10 22:55:01 +01:00
|
|
|
* All error codes are now negative. Even on mermory failures and IO errors.
|
2011-10-06 15:11:08 +02:00
|
|
|
|
2011-10-06 16:18:49 +02:00
|
|
|
Bugfix
|
|
|
|
* Fixed faulty HMAC-MD2 implementation. Found by dibac. (Closes
|
|
|
|
ticket #37)
|
2011-10-12 11:55:01 +02:00
|
|
|
* Fixed a bug where the CRL parser expected an EXPLICIT ASN.1 tag
|
|
|
|
before version numbers
|
2011-11-11 16:01:31 +01:00
|
|
|
* Allowed X509 key usage parsing to accept 4 byte values instead of the
|
|
|
|
standard 1 byte version sometimes used by Microsoft. (Closes ticket #38)
|
2011-11-15 16:26:03 +01:00
|
|
|
* Fixed incorrect behaviour in case of RSASSA-PSS with a salt length
|
|
|
|
smaller than the hash length. (Closes ticket #41)
|
2011-11-25 13:37:37 +01:00
|
|
|
* If certificate serial is longer than 32 octets, serial number is now
|
|
|
|
appended with '....' after first 28 octets
|
2011-11-26 10:23:07 +01:00
|
|
|
* Improved build support for s390x and sparc64 in bignum.h
|
2011-12-04 23:10:28 +01:00
|
|
|
* Fixed MS Visual C++ name clash with int64 in sha4.h
|
2011-12-05 15:38:36 +01:00
|
|
|
* Corrected removal of leading "00:" in printing serial numbers in
|
2011-12-05 15:22:49 +01:00
|
|
|
certificates and CRLs
|
2011-10-06 16:18:49 +02:00
|
|
|
|
2011-07-27 19:03:00 +02:00
|
|
|
= Version 1.0.0 released on 2011-07-27
|
2011-06-09 16:27:58 +02:00
|
|
|
Features
|
|
|
|
* Expanded cipher layer with support for CFB128 and CTR mode
|
2011-08-09 12:30:36 +02:00
|
|
|
* Added rsa_encrypt and rsa_decrypt simple example programs.
|
2011-06-09 16:27:58 +02:00
|
|
|
|
2011-06-09 17:55:41 +02:00
|
|
|
Changes
|
|
|
|
* The generic cipher and message digest layer now have normal error
|
|
|
|
codes instead of integers
|
|
|
|
|
2011-06-08 15:10:54 +02:00
|
|
|
Bugfix
|
|
|
|
* Undid faulty bug fix in ssl_write() when flushing old data (Ticket
|
|
|
|
#18)
|
|
|
|
|
2011-05-27 11:25:42 +02:00
|
|
|
= Version 0.99-pre5 released on 2011-05-26
|
2011-04-19 16:29:23 +02:00
|
|
|
Features
|
|
|
|
* Added additional Cipher Block Modes to symmetric ciphers
|
|
|
|
(AES CTR, Camellia CTR, XTEA CBC) including the option to
|
2013-03-06 17:06:21 +01:00
|
|
|
enable and disable individual modes when needed
|
2011-04-25 17:28:35 +02:00
|
|
|
* Functions requiring File System functions can now be disabled
|
|
|
|
by undefining POLARSSL_FS_IO
|
2011-05-09 18:17:09 +02:00
|
|
|
* A error_strerror function() has been added to translate between
|
|
|
|
error codes and their description.
|
2011-05-18 17:47:11 +02:00
|
|
|
* Added mpi_get_bit() and mpi_set_bit() individual bit setter/getter
|
|
|
|
functions.
|
2011-05-23 14:07:29 +02:00
|
|
|
* Added ssl_mail_client and ssl_fork_server as example programs.
|
2011-04-19 16:29:23 +02:00
|
|
|
|
2011-04-24 10:57:21 +02:00
|
|
|
Changes
|
|
|
|
* Major argument / variable rewrite. Introduced use of size_t
|
|
|
|
instead of int for buffer lengths and loop variables for
|
2013-03-06 17:06:21 +01:00
|
|
|
better unsigned / signed use. Renamed internal bigint types
|
|
|
|
t_int and t_dbl to t_uint and t_udbl in the process
|
2011-05-05 13:49:20 +02:00
|
|
|
* mpi_init() and mpi_free() now only accept a single MPI
|
|
|
|
argument and do not accept variable argument lists anymore.
|
2011-05-09 18:17:09 +02:00
|
|
|
* The error codes have been remapped and combining error codes
|
|
|
|
is now done with a PLUS instead of an OR as error codes
|
2013-03-06 17:06:21 +01:00
|
|
|
used are negative.
|
2011-05-18 15:32:51 +02:00
|
|
|
* Changed behaviour of net_read(), ssl_fetch_input() and ssl_recv().
|
|
|
|
net_recv() now returns 0 on EOF instead of
|
2013-03-06 17:06:21 +01:00
|
|
|
POLARSSL_ERR_NET_CONN_RESET. ssl_fetch_input() returns
|
|
|
|
POLARSSL_ERR_SSL_CONN_EOF on an EOF from its f_recv() function.
|
|
|
|
ssl_read() returns 0 if a POLARSSL_ERR_SSL_CONN_EOF is received
|
|
|
|
after the handshake.
|
2011-05-18 15:32:51 +02:00
|
|
|
* Network functions now return POLARSSL_ERR_NET_WANT_READ or
|
|
|
|
POLARSSL_ERR_NET_WANT_WRITE instead of the ambiguous
|
2013-03-06 17:06:21 +01:00
|
|
|
POLARSSL_ERR_NET_TRY_AGAIN
|
2011-04-24 10:57:21 +02:00
|
|
|
|
2011-04-01 14:23:26 +02:00
|
|
|
= Version 0.99-pre4 released on 2011-04-01
|
2011-03-08 15:16:06 +01:00
|
|
|
Features
|
|
|
|
* Added support for PKCS#1 v2.1 encoding and thus support
|
|
|
|
for the RSAES-OAEP and RSASSA-PSS operations.
|
2011-03-25 15:01:32 +01:00
|
|
|
* Reading of Public Key files incorporated into default x509
|
|
|
|
functionality as well.
|
2011-03-26 14:18:49 +01:00
|
|
|
* Added mpi_fill_random() for centralized filling of big numbers
|
|
|
|
with random data (Fixed ticket #10)
|
2011-03-08 15:16:06 +01:00
|
|
|
|
2011-03-14 21:41:31 +01:00
|
|
|
Changes
|
2017-07-27 16:10:21 +02:00
|
|
|
* Debug print of MPI now removes leading zero octets and
|
2011-03-14 21:41:31 +01:00
|
|
|
displays actual bit size of the value.
|
2017-07-27 16:10:21 +02:00
|
|
|
* x509parse_key() (and as a consequence x509parse_keyfile())
|
2011-03-26 14:17:12 +01:00
|
|
|
does not zeroize memory in advance anymore. Use rsa_init()
|
2013-03-06 17:06:21 +01:00
|
|
|
before parsing a key or keyfile!
|
2011-03-14 21:41:31 +01:00
|
|
|
|
|
|
|
Bugfix
|
|
|
|
* Debug output of MPI's now the same independent of underlying
|
|
|
|
platform (32-bit / 64-bit) (Fixes ticket #19, found by Mads
|
2013-03-06 17:06:21 +01:00
|
|
|
Kiilerich and Mihai Militaru)
|
2011-03-14 21:50:15 +01:00
|
|
|
* Fixed bug in ssl_write() when flushing old data (Fixed ticket
|
|
|
|
#18, found by Nikolay Epifanov)
|
2011-03-25 15:01:32 +01:00
|
|
|
* Fixed proper handling of RSASSA-PSS verification with variable
|
|
|
|
length salt lengths
|
2011-03-14 21:41:31 +01:00
|
|
|
|
2011-02-28 22:20:02 +01:00
|
|
|
= Version 0.99-pre3 released on 2011-02-28
|
|
|
|
This release replaces version 0.99-pre2 which had possible copyright issues.
|
2011-02-12 15:30:57 +01:00
|
|
|
Features
|
|
|
|
* Parsing PEM private keys encrypted with DES and AES
|
|
|
|
are now supported as well (Fixes ticket #5)
|
2011-02-12 16:27:28 +01:00
|
|
|
* Added crl_app program to allow easy reading and
|
|
|
|
printing of X509 CRLs from file
|
2011-02-12 15:30:57 +01:00
|
|
|
|
|
|
|
Changes
|
2017-07-27 16:10:21 +02:00
|
|
|
* Parsing of PEM files moved to separate module (Fixes
|
2011-02-12 15:30:57 +01:00
|
|
|
ticket #13). Also possible to remove PEM support for
|
2013-03-06 17:06:21 +01:00
|
|
|
systems only using DER encoding
|
2011-02-12 15:30:57 +01:00
|
|
|
|
2011-02-20 11:40:16 +01:00
|
|
|
Bugfixes
|
|
|
|
* Corrected parsing of UTCTime dates before 1990 and
|
|
|
|
after 1950
|
|
|
|
* Support more exotic OID's when parsing certificates
|
2018-06-22 12:22:44 +02:00
|
|
|
(found by Mads Kiilerich)
|
2011-02-20 11:40:16 +01:00
|
|
|
* Support more exotic name representations when parsing
|
2011-02-20 14:49:27 +01:00
|
|
|
certificates (found by Mads Kiilerich)
|
2011-02-20 11:40:16 +01:00
|
|
|
* Replaced the expired test certificates
|
2011-02-20 14:49:27 +01:00
|
|
|
* Do not bail out if no client certificate specified. Try
|
|
|
|
to negotiate anonymous connection (Fixes ticket #12,
|
2013-03-06 17:06:21 +01:00
|
|
|
found by Boris Krasnovskiy)
|
2011-02-20 11:40:16 +01:00
|
|
|
|
2011-02-28 22:20:02 +01:00
|
|
|
Security fixes
|
|
|
|
* Fixed a possible Man-in-the-Middle attack on the
|
|
|
|
Diffie Hellman key exchange (thanks to Larry Highsmith,
|
2013-03-06 17:06:21 +01:00
|
|
|
Subreption LLC)
|
2011-02-28 22:20:02 +01:00
|
|
|
|
2011-01-30 17:59:02 +01:00
|
|
|
= Version 0.99-pre1 released on 2011-01-30
|
2011-01-06 13:28:03 +01:00
|
|
|
Features
|
2011-01-13 18:54:59 +01:00
|
|
|
Note: Most of these features have been donated by Fox-IT
|
|
|
|
* Added Doxygen source code documentation parts
|
2011-01-06 16:48:19 +01:00
|
|
|
* Added reading of DHM context from memory and file
|
2011-01-15 17:57:55 +01:00
|
|
|
* Improved X509 certificate parsing to include extended
|
2011-01-16 22:12:10 +01:00
|
|
|
certificate fields, including Key Usage
|
|
|
|
* Improved certificate verification and verification
|
|
|
|
against the available CRLs
|
2011-01-15 18:32:24 +01:00
|
|
|
* Detection for DES weak keys and parity bits added
|
2011-01-16 22:27:44 +01:00
|
|
|
* Improvements to support integration in other
|
|
|
|
applications:
|
|
|
|
+ Added generic message digest and cipher wrapper
|
|
|
|
+ Improved information about current capabilities,
|
|
|
|
status, objects and configuration
|
|
|
|
+ Added verification callback on certificate chain
|
|
|
|
verification to allow external blacklisting
|
2018-06-22 12:22:44 +02:00
|
|
|
+ Additional example programs to show usage
|
2011-01-18 16:27:19 +01:00
|
|
|
* Added support for PKCS#11 through the use of the
|
|
|
|
libpkcs11-helper library
|
2011-01-06 13:28:03 +01:00
|
|
|
|
2011-01-16 22:40:22 +01:00
|
|
|
Changes
|
|
|
|
* x509parse_time_expired() checks time in addition to
|
|
|
|
the existing date check
|
2011-01-27 18:40:50 +01:00
|
|
|
* The ciphers member of ssl_context and the cipher member
|
|
|
|
of ssl_session have been renamed to ciphersuites and
|
2013-03-06 17:06:21 +01:00
|
|
|
ciphersuite respectively. This clarifies the difference
|
|
|
|
with the generic cipher layer and is better naming
|
|
|
|
altogether
|
2011-01-16 22:40:22 +01:00
|
|
|
|
2011-01-05 15:48:42 +01:00
|
|
|
= Version 0.14.0 released on 2010-08-16
|
|
|
|
Features
|
|
|
|
* Added support for SSL_EDH_RSA_AES_128_SHA and
|
|
|
|
SSL_EDH_RSA_CAMELLIA_128_SHA ciphersuites
|
|
|
|
* Added compile-time and run-time version information
|
|
|
|
* Expanded ssl_client2 arguments for more flexibility
|
|
|
|
* Added support for TLS v1.1
|
|
|
|
|
|
|
|
Changes
|
|
|
|
* Made Makefile cleaner
|
|
|
|
* Removed dependency on rand() in rsa_pkcs1_encrypt().
|
|
|
|
Now using random fuction provided to function and
|
2013-03-06 17:06:21 +01:00
|
|
|
changed the prototype of rsa_pkcs1_encrypt(),
|
|
|
|
rsa_init() and rsa_gen_key().
|
2011-01-05 15:48:42 +01:00
|
|
|
* Some SSL defines were renamed in order to avoid
|
|
|
|
future confusion
|
|
|
|
|
|
|
|
Bug fixes
|
|
|
|
* Fixed CMake out of source build for tests (found by
|
|
|
|
kkert)
|
|
|
|
* rsa_check_private() now supports PKCS1v2 keys as well
|
|
|
|
* Fixed deadlock in rsa_pkcs1_encrypt() on failing random
|
|
|
|
generator
|
|
|
|
|
|
|
|
= Version 0.13.1 released on 2010-03-24
|
|
|
|
Bug fixes
|
|
|
|
* Fixed Makefile in library that was mistakenly merged
|
|
|
|
* Added missing const string fixes
|
|
|
|
|
|
|
|
= Version 0.13.0 released on 2010-03-21
|
|
|
|
Features
|
|
|
|
* Added option parsing for host and port selection to
|
|
|
|
ssl_client2
|
|
|
|
* Added support for GeneralizedTime in X509 parsing
|
|
|
|
* Added cert_app program to allow easy reading and
|
|
|
|
printing of X509 certificates from file or SSL
|
|
|
|
connection.
|
|
|
|
|
|
|
|
Changes
|
|
|
|
* Added const correctness for main code base
|
|
|
|
* X509 signature algorithm determination is now
|
|
|
|
in a function to allow easy future expansion
|
|
|
|
* Changed symmetric cipher functions to
|
|
|
|
identical interface (returning int result values)
|
2013-10-29 10:02:51 +01:00
|
|
|
* Changed ARC4 to use separate input/output buffer
|
2011-01-05 15:48:42 +01:00
|
|
|
* Added reset function for HMAC context as speed-up
|
|
|
|
for specific use-cases
|
|
|
|
|
|
|
|
Bug fixes
|
|
|
|
* Fixed bug resulting in failure to send the last
|
|
|
|
certificate in the chain in ssl_write_certificate() and
|
|
|
|
ssl_write_certificate_request() (found by fatbob)
|
|
|
|
* Added small fixes for compiler warnings on a Mac
|
|
|
|
(found by Frank de Brabander)
|
|
|
|
* Fixed algorithmic bug in mpi_is_prime() (found by
|
|
|
|
Smbat Tonoyan)
|
|
|
|
|
|
|
|
= Version 0.12.1 released on 2009-10-04
|
|
|
|
Changes
|
|
|
|
* Coverage test definitions now support 'depends_on'
|
|
|
|
tagging system.
|
|
|
|
* Tests requiring specific hashing algorithms now honor
|
|
|
|
the defines.
|
|
|
|
|
|
|
|
Bug fixes
|
|
|
|
* Changed typo in #ifdef in x509parse.c (found
|
|
|
|
by Eduardo)
|
|
|
|
|
|
|
|
= Version 0.12.0 released on 2009-07-28
|
|
|
|
Features
|
|
|
|
* Added CMake makefiles as alternative to regular Makefiles.
|
|
|
|
* Added preliminary Code Coverage tests for AES, ARC4,
|
|
|
|
Base64, MPI, SHA-family, MD-family, HMAC-SHA-family,
|
|
|
|
Camellia, DES, 3-DES, RSA PKCS#1, XTEA, Diffie-Hellman
|
|
|
|
and X509parse.
|
|
|
|
|
|
|
|
Changes
|
|
|
|
* Error codes are not (necessarily) negative. Keep
|
|
|
|
this is mind when checking for errors.
|
|
|
|
* RSA_RAW renamed to SIG_RSA_RAW for consistency.
|
|
|
|
* Fixed typo in name of POLARSSL_ERR_RSA_OUTPUT_TOO_LARGE.
|
|
|
|
* Changed interface for AES and Camellia setkey functions
|
|
|
|
to indicate invalid key lengths.
|
|
|
|
|
|
|
|
Bug fixes
|
|
|
|
* Fixed include location of endian.h on FreeBSD (found by
|
|
|
|
Gabriel)
|
|
|
|
* Fixed include location of endian.h and name clash on
|
|
|
|
Apples (found by Martin van Hensbergen)
|
|
|
|
* Fixed HMAC-MD2 by modifying md2_starts(), so that the
|
|
|
|
required HMAC ipad and opad variables are not cleared.
|
|
|
|
(found by code coverage tests)
|
2017-07-27 16:10:21 +02:00
|
|
|
* Prevented use of long long in bignum if
|
2011-01-05 15:48:42 +01:00
|
|
|
POLARSSL_HAVE_LONGLONG not defined (found by Giles
|
|
|
|
Bathgate).
|
|
|
|
* Fixed incorrect handling of negative strings in
|
|
|
|
mpi_read_string() (found by code coverage tests).
|
|
|
|
* Fixed segfault on handling empty rsa_context in
|
|
|
|
rsa_check_pubkey() and rsa_check_privkey() (found by
|
|
|
|
code coverage tests).
|
|
|
|
* Fixed incorrect handling of one single negative input
|
|
|
|
value in mpi_add_abs() (found by code coverage tests).
|
|
|
|
* Fixed incorrect handling of negative first input
|
|
|
|
value in mpi_sub_abs() (found by code coverage tests).
|
|
|
|
* Fixed incorrect handling of negative first input
|
|
|
|
value in mpi_mod_mpi() and mpi_mod_int(). Resulting
|
|
|
|
change also affects mpi_write_string() (found by code
|
|
|
|
coverage tests).
|
|
|
|
* Corrected is_prime() results for 0, 1 and 2 (found by
|
|
|
|
code coverage tests).
|
|
|
|
* Fixed Camellia and XTEA for 64-bit Windows systems.
|
|
|
|
|
|
|
|
= Version 0.11.1 released on 2009-05-17
|
|
|
|
* Fixed missing functionality for SHA-224, SHA-256, SHA384,
|
|
|
|
SHA-512 in rsa_pkcs1_sign()
|
|
|
|
|
|
|
|
= Version 0.11.0 released on 2009-05-03
|
|
|
|
* Fixed a bug in mpi_gcd() so that it also works when both
|
|
|
|
input numbers are even and added testcases to check
|
|
|
|
(found by Pierre Habouzit).
|
|
|
|
* Added support for SHA-224, SHA-256, SHA-384 and SHA-512
|
|
|
|
one way hash functions with the PKCS#1 v1.5 signing and
|
|
|
|
verification.
|
|
|
|
* Fixed minor bug regarding mpi_gcd located within the
|
|
|
|
POLARSSL_GENPRIME block.
|
|
|
|
* Fixed minor memory leak in x509parse_crt() and added better
|
|
|
|
handling of 'full' certificate chains (found by Mathias
|
|
|
|
Olsson).
|
|
|
|
* Centralized file opening and reading for x509 files into
|
|
|
|
load_file()
|
|
|
|
* Made definition of net_htons() endian-clean for big endian
|
|
|
|
systems (Found by Gernot).
|
|
|
|
* Undefining POLARSSL_HAVE_ASM now also handles prevents asm in
|
2017-07-27 16:10:21 +02:00
|
|
|
padlock and timing code.
|
2011-01-05 15:48:42 +01:00
|
|
|
* Fixed an off-by-one buffer allocation in ssl_set_hostname()
|
|
|
|
responsible for crashes and unwanted behaviour.
|
|
|
|
* Added support for Certificate Revocation List (CRL) parsing.
|
|
|
|
* Added support for CRL revocation to x509parse_verify() and
|
|
|
|
SSL/TLS code.
|
|
|
|
* Fixed compatibility of XTEA and Camellia on a 64-bit system
|
|
|
|
(found by Felix von Leitner).
|
|
|
|
|
|
|
|
= Version 0.10.0 released on 2009-01-12
|
|
|
|
* Migrated XySSL to PolarSSL
|
|
|
|
* Added XTEA symmetric cipher
|
|
|
|
* Added Camellia symmetric cipher
|
|
|
|
* Added support for ciphersuites: SSL_RSA_CAMELLIA_128_SHA,
|
|
|
|
SSL_RSA_CAMELLIA_256_SHA and SSL_EDH_RSA_CAMELLIA_256_SHA
|
|
|
|
* Fixed dangerous bug that can cause a heap overflow in
|
|
|
|
rsa_pkcs1_decrypt (found by Christophe Devine)
|
|
|
|
|
|
|
|
================================================================
|
|
|
|
XySSL ChangeLog
|
|
|
|
|
|
|
|
= Version 0.9 released on 2008-03-16
|
|
|
|
|
|
|
|
* Added support for ciphersuite: SSL_RSA_AES_128_SHA
|
|
|
|
* Enabled support for large files by default in aescrypt2.c
|
|
|
|
* Preliminary openssl wrapper contributed by David Barrett
|
|
|
|
* Fixed a bug in ssl_write() that caused the same payload to
|
|
|
|
be sent twice in non-blocking mode when send returns EAGAIN
|
|
|
|
* Fixed ssl_parse_client_hello(): session id and challenge must
|
|
|
|
not be swapped in the SSLv2 ClientHello (found by Greg Robson)
|
|
|
|
* Added user-defined callback debug function (Krystian Kolodziej)
|
|
|
|
* Before freeing a certificate, properly zero out all cert. data
|
|
|
|
* Fixed the "mode" parameter so that encryption/decryption are
|
|
|
|
not swapped on PadLock; also fixed compilation on older versions
|
|
|
|
of gcc (bug reported by David Barrett)
|
|
|
|
* Correctly handle the case in padlock_xcryptcbc() when input or
|
|
|
|
ouput data is non-aligned by falling back to the software
|
|
|
|
implementation, as VIA Nehemiah cannot handle non-aligned buffers
|
|
|
|
* Fixed a memory leak in x509parse_crt() which was reported by Greg
|
|
|
|
Robson-Garth; some x509write.c fixes by Pascal Vizeli, thanks to
|
|
|
|
Matthew Page who reported several bugs
|
|
|
|
* Fixed x509_get_ext() to accept some rare certificates which have
|
|
|
|
an INTEGER instead of a BOOLEAN for BasicConstraints::cA.
|
|
|
|
* Added support on the client side for the TLS "hostname" extension
|
|
|
|
(patch contributed by David Patino)
|
|
|
|
* Make x509parse_verify() return BADCERT_CN_MISMATCH when an empty
|
|
|
|
string is passed as the CN (bug reported by spoofy)
|
|
|
|
* Added an option to enable/disable the BN assembly code
|
|
|
|
* Updated rsa_check_privkey() to verify that (D*E) = 1 % (P-1)*(Q-1)
|
|
|
|
* Disabled obsolete hash functions by default (MD2, MD4); updated
|
|
|
|
selftest and benchmark to not test ciphers that have been disabled
|
|
|
|
* Updated x509parse_cert_info() to correctly display byte 0 of the
|
|
|
|
serial number, setup correct server port in the ssl client example
|
|
|
|
* Fixed a critical denial-of-service with X.509 cert. verification:
|
|
|
|
peer may cause xyssl to loop indefinitely by sending a certificate
|
|
|
|
for which the RSA signature check fails (bug reported by Benoit)
|
|
|
|
* Added test vectors for: AES-CBC, AES-CFB, DES-CBC and 3DES-CBC,
|
|
|
|
HMAC-MD5, HMAC-SHA1, HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512
|
|
|
|
* Fixed HMAC-SHA-384 and HMAC-SHA-512 (thanks to Josh Sinykin)
|
|
|
|
* Modified ssl_parse_client_key_exchange() to protect against
|
|
|
|
Daniel Bleichenbacher attack on PKCS#1 v1.5 padding, as well
|
|
|
|
as the Klima-Pokorny-Rosa extension of Bleichenbacher's attack
|
|
|
|
* Updated rsa_gen_key() so that ctx->N is always nbits in size
|
|
|
|
* Fixed assembly PPC compilation errors on Mac OS X, thanks to
|
|
|
|
David Barrett and Dusan Semen
|
|
|
|
|
|
|
|
= Version 0.8 released on 2007-10-20
|
|
|
|
|
|
|
|
* Modified the HMAC functions to handle keys larger
|
|
|
|
than 64 bytes, thanks to Stephane Desneux and gary ng
|
|
|
|
* Fixed ssl_read_record() to properly update the handshake
|
|
|
|
message digests, which fixes IE6/IE7 client authentication
|
|
|
|
* Cleaned up the XYSSL* #defines, suggested by Azriel Fasten
|
|
|
|
* Fixed net_recv(), thanks to Lorenz Schori and Egon Kocjan
|
|
|
|
* Added user-defined callbacks for handling I/O and sessions
|
|
|
|
* Added lots of debugging output in the SSL/TLS functions
|
|
|
|
* Added preliminary X.509 cert. writing by Pascal Vizeli
|
|
|
|
* Added preliminary support for the VIA PadLock routines
|
|
|
|
* Added AES-CFB mode of operation, contributed by chmike
|
|
|
|
* Added an SSL/TLS stress testing program (ssl_test.c)
|
|
|
|
* Updated the RSA PKCS#1 code to allow choosing between
|
|
|
|
RSA_PUBLIC and RSA_PRIVATE, as suggested by David Barrett
|
|
|
|
* Updated ssl_read() to skip 0-length records from OpenSSL
|
|
|
|
* Fixed the make install target to comply with *BSD make
|
|
|
|
* Fixed a bug in mpi_read_binary() on 64-bit platforms
|
|
|
|
* mpi_is_prime() speedups, thanks to Kevin McLaughlin
|
|
|
|
* Fixed a long standing memory leak in mpi_is_prime()
|
|
|
|
* Replaced realloc with malloc in mpi_grow(), and set
|
|
|
|
the sign of zero as positive in mpi_init() (reported
|
|
|
|
by Jonathan M. McCune)
|
|
|
|
|
|
|
|
= Version 0.7 released on 2007-07-07
|
|
|
|
|
|
|
|
* Added support for the MicroBlaze soft-core processor
|
|
|
|
* Fixed a bug in ssl_tls.c which sometimes prevented SSL
|
|
|
|
connections from being established with non-blocking I/O
|
|
|
|
* Fixed a couple bugs in the VS6 and UNIX Makefiles
|
|
|
|
* Fixed the "PIC register ebx clobbered in asm" bug
|
|
|
|
* Added HMAC starts/update/finish support functions
|
|
|
|
* Added the SHA-224, SHA-384 and SHA-512 hash functions
|
|
|
|
* Fixed the net_set_*block routines, thanks to Andreas
|
|
|
|
* Added a few demonstration programs: md5sum, sha1sum,
|
|
|
|
dh_client, dh_server, rsa_genkey, rsa_sign, rsa_verify
|
|
|
|
* Added new bignum import and export helper functions
|
|
|
|
* Rewrote README.txt in program/ssl/ca to better explain
|
|
|
|
how to create a test PKI
|
|
|
|
|
|
|
|
= Version 0.6 released on 2007-04-01
|
|
|
|
|
|
|
|
* Ciphers used in SSL/TLS can now be disabled at compile
|
|
|
|
time, to reduce the memory footprint on embedded systems
|
|
|
|
* Added multiply assembly code for the TriCore and modified
|
|
|
|
havege_struct for this processor, thanks to David Patiño
|
|
|
|
* Added multiply assembly code for 64-bit PowerPCs,
|
|
|
|
thanks to Peking University and the OSU Open Source Lab
|
|
|
|
* Added experimental support of Quantum Cryptography
|
|
|
|
* Added support for autoconf, contributed by Arnaud Cornet
|
|
|
|
* Fixed "long long" compilation issues on IA-64 and PPC64
|
|
|
|
* Fixed a bug introduced in xyssl-0.5/timing.c: hardclock
|
|
|
|
was not being correctly defined on ARM and MIPS
|
|
|
|
|
|
|
|
= Version 0.5 released on 2007-03-01
|
|
|
|
|
|
|
|
* Added multiply assembly code for SPARC and Alpha
|
|
|
|
* Added (beta) support for non-blocking I/O operations
|
|
|
|
* Implemented session resuming and client authentication
|
|
|
|
* Fixed some portability issues on WinCE, MINIX 3, Plan9
|
|
|
|
(thanks to Benjamin Newman), HP-UX, FreeBSD and Solaris
|
|
|
|
* Improved the performance of the EDH key exchange
|
|
|
|
* Fixed a bug that caused valid packets with a payload
|
|
|
|
size of 16384 bytes to be rejected
|
|
|
|
|
|
|
|
= Version 0.4 released on 2007-02-01
|
|
|
|
|
|
|
|
* Added support for Ephemeral Diffie-Hellman key exchange
|
|
|
|
* Added multiply asm code for SSE2, ARM, PPC, MIPS and M68K
|
|
|
|
* Various improvement to the modular exponentiation code
|
|
|
|
* Rewrote the headers to generate the API docs with doxygen
|
|
|
|
* Fixed a bug in ssl_encrypt_buf (incorrect padding was
|
|
|
|
generated) and in ssl_parse_client_hello (max. client
|
|
|
|
version was not properly set), thanks to Didier Rebeix
|
|
|
|
* Fixed another bug in ssl_parse_client_hello: clients with
|
|
|
|
cipherlists larger than 96 bytes were incorrectly rejected
|
|
|
|
* Fixed a couple memory leak in x509_read.c
|
|
|
|
|
|
|
|
= Version 0.3 released on 2007-01-01
|
|
|
|
|
|
|
|
* Added server-side SSLv3 and TLSv1.0 support
|
|
|
|
* Multiple fixes to enhance the compatibility with g++,
|
|
|
|
thanks to Xosé Antón Otero Ferreira
|
|
|
|
* Fixed a bug in the CBC code, thanks to dowst; also,
|
2013-10-29 10:02:51 +01:00
|
|
|
the bignum code is no longer dependent on long long
|
2011-01-05 15:48:42 +01:00
|
|
|
* Updated rsa_pkcs1_sign to handle arbitrary large inputs
|
|
|
|
* Updated timing.c for improved compatibility with i386
|
|
|
|
and 486 processors, thanks to Arnaud Cornet
|
|
|
|
|
|
|
|
= Version 0.2 released on 2006-12-01
|
|
|
|
|
|
|
|
* Updated timing.c to support ARM and MIPS arch
|
|
|
|
* Updated the MPI code to support 8086 on MSVC 1.5
|
|
|
|
* Added the copyright notice at the top of havege.h
|
|
|
|
* Fixed a bug in sha2_hmac, thanks to newsoft/Wenfang Zhang
|
|
|
|
* Fixed a bug reported by Adrian Rüegsegger in x509_read_key
|
|
|
|
* Fixed a bug reported by Torsten Lauter in ssl_read_record
|
|
|
|
* Fixed a bug in rsa_check_privkey that would wrongly cause
|
|
|
|
valid RSA keys to be dismissed (thanks to oldwolf)
|
|
|
|
* Fixed a bug in mpi_is_prime that caused some primes to fail
|
|
|
|
the Miller-Rabin primality test
|
|
|
|
|
|
|
|
I'd also like to thank Younès Hafri for the CRUX linux port,
|
|
|
|
Khalil Petit who added XySSL into pkgsrc and Arnaud Cornet
|
|
|
|
who maintains the Debian package :-)
|
|
|
|
|
|
|
|
= Version 0.1 released on 2006-11-01
|