mbedtls/ChangeLog

569 lines
25 KiB
Plaintext
Raw Normal View History

PolarSSL ChangeLog
= Branch 1.1
Bugfix
* Fixed net_bind() for specified IP addresses on little endian systems
Changes
* Allow enabling of dummy error_strerror() to support some use-cases
* Debug messages about padding errors during SSL message decryption are
disabled by default and can be enabled with POLARSSL_SSL_DEBUG_ALL
Security
* Removed further timing differences during SSL message decryption in
ssl_decrypt_buf()
* Removed timing differences due to bad padding from
rsa_rsaes_pkcs1_v15_decrypt() and rsa_pkcs1_decrypt() for PKCS#1 v1.5
operations
2013-01-16 14:06:28 +01:00
= Version 1.1.5 released on 2013-01-16
Bugfix
* Fixed MPI assembly for SPARC64 platform
* Handle existence of OpenSSL Trust Extensions at end of X.509 DER blob
* mpi_add_abs() now correctly handles adding short numbers to long numbers
with carry rollover
* Moved mpi_inv_mod() outside POLARSSL_GENPRIME
* Prevent reading over buffer boundaries on X509 certificate parsing
* mpi_exp_mod() now correctly handles negative base numbers (Closes ticket
#52)
* Fixed possible segfault in mpi_shift_r() (found by Manuel
Pégourié-Gonnard)
* Allow R and A to point to same mpi in mpi_div_mpi (found by Manuel
Pégourié-Gonnard)
* Added max length check for rsa_pkcs1_sign with PKCS#1 v2.1
* Memory leak when using RSA_PKCS_V21 operations fixed
* Handle encryption with private key and decryption with public key as per
RFC 2313
* Fixes for MSVC6
Security
* Fixed potential memory zeroization on miscrafted RSA key (found by Eloi
Vanderbeken)
2012-05-31 12:46:28 +02:00
= Version 1.1.4 released on 2012-05-31
Bugfix
2012-05-31 12:46:28 +02:00
* Correctly handle empty SSL/TLS packets (Found by James Yonan)
* Fixed potential heap corruption in x509_name allocation
* Fixed single RSA test that failed on Big Endian systems (Closes ticket #54)
= Version 1.1.3 released on 2012-04-29
Bugfix
* Fixed random MPI generation to not generate more size than requested.
= Version 1.1.2 released on 2012-04-26
Bugfix
* Fixed handling error in mpi_cmp_mpi() on longer B values (found by
Hui Dong)
2012-04-20 15:33:14 +02:00
Security
* Fixed potential memory corruption on miscrafted client messages (found by
Frama-C team at CEA LIST)
2012-04-20 15:58:28 +02:00
* Fixed generation of DHM parameters to correct length (found by Ruslan
Yushchenko)
2012-04-20 15:33:14 +02:00
= Version 1.1.1 released on 2012-01-23
Bugfix
* Check for failed malloc() in ssl_set_hostname() and x509_get_entries()
(Closes ticket #47, found by Hugo Leisink)
* Fixed issues with Intel compiler on 64-bit systems (Closes ticket #50)
* Fixed multiple compiler warnings for VS6 and armcc
* Fixed bug in CTR_CRBG selftest
= Version 1.1.0 released on 2011-12-22
Features
* Added ssl_session_reset() to allow better multi-connection pools of
SSL contexts without needing to set all non-connection-specific
data and pointers again. Adapted ssl_server to use this functionality.
* Added ssl_set_max_version() to allow clients to offer a lower maximum
supported version to a server to help buggy server implementations.
(Closes ticket #36)
2011-11-11 11:55:02 +01:00
* Added cipher_get_cipher_mode() and cipher_get_cipher_operation()
introspection functions (Closes ticket #40)
* Added CTR_DRBG based on AES-256-CTR (NIST SP 800-90) random generator
* Added a generic entropy accumulator that provides support for adding
custom entropy sources and added some generic and platform dependent
entropy sources
Changes
* Documentation for AES and Camellia in modes CTR and CFB128 clarified.
* Fixed rsa_encrypt and rsa_decrypt examples to use public key for
encryption and private key for decryption. (Closes ticket #34)
* Inceased maximum size of ASN1 length reads to 32-bits.
* Added an EXPLICIT tag number parameter to x509_get_ext()
* Added a separate CRL entry extension parsing function
* Separated the ASN.1 parsing code from the X.509 specific parsing code.
So now there is a module that is controlled with POLARSSL_ASN1_PARSE_C.
* Changed the defined key-length of DES ciphers in cipher.h to include the
parity bits, to prevent mistakes in copying data. (Closes ticket #33)
* Loads of minimal changes to better support WINCE as a build target
2011-11-18 15:34:17 +01:00
(Credits go to Marco Lizza)
* Added POLARSSL_MPI_WINDOW_SIZE definition to allow easier time to memory
trade-off
* Introduced POLARSSL_MPI_MAX_SIZE and POLARSSL_MPI_MAX_BITS for MPI size
management (Closes ticket #44)
* Changed the used random function pointer to more flexible format. Renamed
havege_rand() to havege_random() to prevent mistakes. Lots of changes as
a consequence in library code and programs
* Moved all examples programs to use the new entropy and CTR_DRBG
* Added permissive certificate parsing to x509parse_crt() and
x509parse_crtfile(). With permissive parsing the parsing does not stop on
2011-12-11 17:35:09 +01:00
encountering a parse-error. Beware that the meaning of return values has
changed!
* All error codes are now negative. Even on mermory failures and IO errors.
Bugfix
* Fixed faulty HMAC-MD2 implementation. Found by dibac. (Closes
ticket #37)
* Fixed a bug where the CRL parser expected an EXPLICIT ASN.1 tag
before version numbers
* Allowed X509 key usage parsing to accept 4 byte values instead of the
standard 1 byte version sometimes used by Microsoft. (Closes ticket #38)
* Fixed incorrect behaviour in case of RSASSA-PSS with a salt length
smaller than the hash length. (Closes ticket #41)
* If certificate serial is longer than 32 octets, serial number is now
appended with '....' after first 28 octets
* Improved build support for s390x and sparc64 in bignum.h
* Fixed MS Visual C++ name clash with int64 in sha4.h
2011-12-05 15:38:36 +01:00
* Corrected removal of leading "00:" in printing serial numbers in
certificates and CRLs
= Version 1.0.0 released on 2011-07-27
Features
* Expanded cipher layer with support for CFB128 and CTR mode
* Added rsa_encrypt and rsa_decrypt simple example programs.
Changes
* The generic cipher and message digest layer now have normal error
codes instead of integers
Bugfix
* Undid faulty bug fix in ssl_write() when flushing old data (Ticket
#18)
2011-05-27 11:25:42 +02:00
= Version 0.99-pre5 released on 2011-05-26
Features
* Added additional Cipher Block Modes to symmetric ciphers
(AES CTR, Camellia CTR, XTEA CBC) including the option to
enable and disable individual modes when needed
* Functions requiring File System functions can now be disabled
by undefining POLARSSL_FS_IO
* A error_strerror function() has been added to translate between
error codes and their description.
* Added mpi_get_bit() and mpi_set_bit() individual bit setter/getter
functions.
* Added ssl_mail_client and ssl_fork_server as example programs.
Changes
* Major argument / variable rewrite. Introduced use of size_t
instead of int for buffer lengths and loop variables for
better unsigned / signed use. Renamed internal bigint types
t_int and t_dbl to t_uint and t_udbl in the process
* mpi_init() and mpi_free() now only accept a single MPI
argument and do not accept variable argument lists anymore.
* The error codes have been remapped and combining error codes
is now done with a PLUS instead of an OR as error codes
used are negative.
* Changed behaviour of net_read(), ssl_fetch_input() and ssl_recv().
net_recv() now returns 0 on EOF instead of
POLARSSL_ERR_NET_CONN_RESET. ssl_fetch_input() returns
POLARSSL_ERR_SSL_CONN_EOF on an EOF from its f_recv() function.
ssl_read() returns 0 if a POLARSSL_ERR_SSL_CONN_EOF is received
after the handshake.
* Network functions now return POLARSSL_ERR_NET_WANT_READ or
POLARSSL_ERR_NET_WANT_WRITE instead of the ambiguous
POLARSSL_ERR_NET_TRY_AGAIN
2011-04-01 14:23:26 +02:00
= Version 0.99-pre4 released on 2011-04-01
Features
* Added support for PKCS#1 v2.1 encoding and thus support
for the RSAES-OAEP and RSASSA-PSS operations.
* Reading of Public Key files incorporated into default x509
functionality as well.
* Added mpi_fill_random() for centralized filling of big numbers
with random data (Fixed ticket #10)
Changes
* Debug print of MPI now removes leading zero octets and
displays actual bit size of the value.
* x509parse_key() (and as a consequence x509parse_keyfile())
does not zeroize memory in advance anymore. Use rsa_init()
before parsing a key or keyfile!
Bugfix
* Debug output of MPI's now the same independent of underlying
platform (32-bit / 64-bit) (Fixes ticket #19, found by Mads
Kiilerich and Mihai Militaru)
* Fixed bug in ssl_write() when flushing old data (Fixed ticket
#18, found by Nikolay Epifanov)
* Fixed proper handling of RSASSA-PSS verification with variable
length salt lengths
= Version 0.99-pre3 released on 2011-02-28
This release replaces version 0.99-pre2 which had possible copyright issues.
Features
* Parsing PEM private keys encrypted with DES and AES
are now supported as well (Fixes ticket #5)
* Added crl_app program to allow easy reading and
printing of X509 CRLs from file
Changes
* Parsing of PEM files moved to separate module (Fixes
ticket #13). Also possible to remove PEM support for
systems only using DER encoding
Bugfixes
* Corrected parsing of UTCTime dates before 1990 and
after 1950
* Support more exotic OID's when parsing certificates
(found by Mads Kiilerich)
* Support more exotic name representations when parsing
certificates (found by Mads Kiilerich)
* Replaced the expired test certificates
* Do not bail out if no client certificate specified. Try
to negotiate anonymous connection (Fixes ticket #12,
found by Boris Krasnovskiy)
Security fixes
* Fixed a possible Man-in-the-Middle attack on the
Diffie Hellman key exchange (thanks to Larry Highsmith,
Subreption LLC)
= Version 0.99-pre1 released on 2011-01-30
Features
Note: Most of these features have been donated by Fox-IT
* Added Doxygen source code documentation parts
* Added reading of DHM context from memory and file
* Improved X509 certificate parsing to include extended
certificate fields, including Key Usage
* Improved certificate verification and verification
against the available CRLs
* Detection for DES weak keys and parity bits added
* Improvements to support integration in other
applications:
+ Added generic message digest and cipher wrapper
+ Improved information about current capabilities,
status, objects and configuration
+ Added verification callback on certificate chain
verification to allow external blacklisting
+ Additional example programs to show usage
* Added support for PKCS#11 through the use of the
libpkcs11-helper library
Changes
* x509parse_time_expired() checks time in addition to
the existing date check
* The ciphers member of ssl_context and the cipher member
of ssl_session have been renamed to ciphersuites and
ciphersuite respectively. This clarifies the difference
with the generic cipher layer and is better naming
altogether
= Version 0.14.0 released on 2010-08-16
Features
* Added support for SSL_EDH_RSA_AES_128_SHA and
SSL_EDH_RSA_CAMELLIA_128_SHA ciphersuites
* Added compile-time and run-time version information
* Expanded ssl_client2 arguments for more flexibility
* Added support for TLS v1.1
Changes
* Made Makefile cleaner
* Removed dependency on rand() in rsa_pkcs1_encrypt().
Now using random fuction provided to function and
changed the prototype of rsa_pkcs1_encrypt(),
rsa_init() and rsa_gen_key().
* Some SSL defines were renamed in order to avoid
future confusion
Bug fixes
* Fixed CMake out of source build for tests (found by
kkert)
* rsa_check_private() now supports PKCS1v2 keys as well
* Fixed deadlock in rsa_pkcs1_encrypt() on failing random
generator
= Version 0.13.1 released on 2010-03-24
Bug fixes
* Fixed Makefile in library that was mistakenly merged
* Added missing const string fixes
= Version 0.13.0 released on 2010-03-21
Features
* Added option parsing for host and port selection to
ssl_client2
* Added support for GeneralizedTime in X509 parsing
* Added cert_app program to allow easy reading and
printing of X509 certificates from file or SSL
connection.
Changes
* Added const correctness for main code base
* X509 signature algorithm determination is now
in a function to allow easy future expansion
* Changed symmetric cipher functions to
identical interface (returning int result values)
* Changed ARC4 to use seperate input/output buffer
* Added reset function for HMAC context as speed-up
for specific use-cases
Bug fixes
* Fixed bug resulting in failure to send the last
certificate in the chain in ssl_write_certificate() and
ssl_write_certificate_request() (found by fatbob)
* Added small fixes for compiler warnings on a Mac
(found by Frank de Brabander)
* Fixed algorithmic bug in mpi_is_prime() (found by
Smbat Tonoyan)
= Version 0.12.1 released on 2009-10-04
Changes
* Coverage test definitions now support 'depends_on'
tagging system.
* Tests requiring specific hashing algorithms now honor
the defines.
Bug fixes
* Changed typo in #ifdef in x509parse.c (found
by Eduardo)
= Version 0.12.0 released on 2009-07-28
Features
* Added CMake makefiles as alternative to regular Makefiles.
* Added preliminary Code Coverage tests for AES, ARC4,
Base64, MPI, SHA-family, MD-family, HMAC-SHA-family,
Camellia, DES, 3-DES, RSA PKCS#1, XTEA, Diffie-Hellman
and X509parse.
Changes
* Error codes are not (necessarily) negative. Keep
this is mind when checking for errors.
* RSA_RAW renamed to SIG_RSA_RAW for consistency.
* Fixed typo in name of POLARSSL_ERR_RSA_OUTPUT_TOO_LARGE.
* Changed interface for AES and Camellia setkey functions
to indicate invalid key lengths.
Bug fixes
* Fixed include location of endian.h on FreeBSD (found by
Gabriel)
* Fixed include location of endian.h and name clash on
Apples (found by Martin van Hensbergen)
* Fixed HMAC-MD2 by modifying md2_starts(), so that the
required HMAC ipad and opad variables are not cleared.
(found by code coverage tests)
* Prevented use of long long in bignum if
POLARSSL_HAVE_LONGLONG not defined (found by Giles
Bathgate).
* Fixed incorrect handling of negative strings in
mpi_read_string() (found by code coverage tests).
* Fixed segfault on handling empty rsa_context in
rsa_check_pubkey() and rsa_check_privkey() (found by
code coverage tests).
* Fixed incorrect handling of one single negative input
value in mpi_add_abs() (found by code coverage tests).
* Fixed incorrect handling of negative first input
value in mpi_sub_abs() (found by code coverage tests).
* Fixed incorrect handling of negative first input
value in mpi_mod_mpi() and mpi_mod_int(). Resulting
change also affects mpi_write_string() (found by code
coverage tests).
* Corrected is_prime() results for 0, 1 and 2 (found by
code coverage tests).
* Fixed Camellia and XTEA for 64-bit Windows systems.
= Version 0.11.1 released on 2009-05-17
* Fixed missing functionality for SHA-224, SHA-256, SHA384,
SHA-512 in rsa_pkcs1_sign()
= Version 0.11.0 released on 2009-05-03
* Fixed a bug in mpi_gcd() so that it also works when both
input numbers are even and added testcases to check
(found by Pierre Habouzit).
* Added support for SHA-224, SHA-256, SHA-384 and SHA-512
one way hash functions with the PKCS#1 v1.5 signing and
verification.
* Fixed minor bug regarding mpi_gcd located within the
POLARSSL_GENPRIME block.
* Fixed minor memory leak in x509parse_crt() and added better
handling of 'full' certificate chains (found by Mathias
Olsson).
* Centralized file opening and reading for x509 files into
load_file()
* Made definition of net_htons() endian-clean for big endian
systems (Found by Gernot).
* Undefining POLARSSL_HAVE_ASM now also handles prevents asm in
padlock and timing code.
* Fixed an off-by-one buffer allocation in ssl_set_hostname()
responsible for crashes and unwanted behaviour.
* Added support for Certificate Revocation List (CRL) parsing.
* Added support for CRL revocation to x509parse_verify() and
SSL/TLS code.
* Fixed compatibility of XTEA and Camellia on a 64-bit system
(found by Felix von Leitner).
= Version 0.10.0 released on 2009-01-12
* Migrated XySSL to PolarSSL
* Added XTEA symmetric cipher
* Added Camellia symmetric cipher
* Added support for ciphersuites: SSL_RSA_CAMELLIA_128_SHA,
SSL_RSA_CAMELLIA_256_SHA and SSL_EDH_RSA_CAMELLIA_256_SHA
* Fixed dangerous bug that can cause a heap overflow in
rsa_pkcs1_decrypt (found by Christophe Devine)
================================================================
XySSL ChangeLog
= Version 0.9 released on 2008-03-16
* Added support for ciphersuite: SSL_RSA_AES_128_SHA
* Enabled support for large files by default in aescrypt2.c
* Preliminary openssl wrapper contributed by David Barrett
* Fixed a bug in ssl_write() that caused the same payload to
be sent twice in non-blocking mode when send returns EAGAIN
* Fixed ssl_parse_client_hello(): session id and challenge must
not be swapped in the SSLv2 ClientHello (found by Greg Robson)
* Added user-defined callback debug function (Krystian Kolodziej)
* Before freeing a certificate, properly zero out all cert. data
* Fixed the "mode" parameter so that encryption/decryption are
not swapped on PadLock; also fixed compilation on older versions
of gcc (bug reported by David Barrett)
* Correctly handle the case in padlock_xcryptcbc() when input or
ouput data is non-aligned by falling back to the software
implementation, as VIA Nehemiah cannot handle non-aligned buffers
* Fixed a memory leak in x509parse_crt() which was reported by Greg
Robson-Garth; some x509write.c fixes by Pascal Vizeli, thanks to
Matthew Page who reported several bugs
* Fixed x509_get_ext() to accept some rare certificates which have
an INTEGER instead of a BOOLEAN for BasicConstraints::cA.
* Added support on the client side for the TLS "hostname" extension
(patch contributed by David Patino)
* Make x509parse_verify() return BADCERT_CN_MISMATCH when an empty
string is passed as the CN (bug reported by spoofy)
* Added an option to enable/disable the BN assembly code
* Updated rsa_check_privkey() to verify that (D*E) = 1 % (P-1)*(Q-1)
* Disabled obsolete hash functions by default (MD2, MD4); updated
selftest and benchmark to not test ciphers that have been disabled
* Updated x509parse_cert_info() to correctly display byte 0 of the
serial number, setup correct server port in the ssl client example
* Fixed a critical denial-of-service with X.509 cert. verification:
peer may cause xyssl to loop indefinitely by sending a certificate
for which the RSA signature check fails (bug reported by Benoit)
* Added test vectors for: AES-CBC, AES-CFB, DES-CBC and 3DES-CBC,
HMAC-MD5, HMAC-SHA1, HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512
* Fixed HMAC-SHA-384 and HMAC-SHA-512 (thanks to Josh Sinykin)
* Modified ssl_parse_client_key_exchange() to protect against
Daniel Bleichenbacher attack on PKCS#1 v1.5 padding, as well
as the Klima-Pokorny-Rosa extension of Bleichenbacher's attack
* Updated rsa_gen_key() so that ctx->N is always nbits in size
* Fixed assembly PPC compilation errors on Mac OS X, thanks to
David Barrett and Dusan Semen
= Version 0.8 released on 2007-10-20
* Modified the HMAC functions to handle keys larger
than 64 bytes, thanks to Stephane Desneux and gary ng
* Fixed ssl_read_record() to properly update the handshake
message digests, which fixes IE6/IE7 client authentication
* Cleaned up the XYSSL* #defines, suggested by Azriel Fasten
* Fixed net_recv(), thanks to Lorenz Schori and Egon Kocjan
* Added user-defined callbacks for handling I/O and sessions
* Added lots of debugging output in the SSL/TLS functions
* Added preliminary X.509 cert. writing by Pascal Vizeli
* Added preliminary support for the VIA PadLock routines
* Added AES-CFB mode of operation, contributed by chmike
* Added an SSL/TLS stress testing program (ssl_test.c)
* Updated the RSA PKCS#1 code to allow choosing between
RSA_PUBLIC and RSA_PRIVATE, as suggested by David Barrett
* Updated ssl_read() to skip 0-length records from OpenSSL
* Fixed the make install target to comply with *BSD make
* Fixed a bug in mpi_read_binary() on 64-bit platforms
* mpi_is_prime() speedups, thanks to Kevin McLaughlin
* Fixed a long standing memory leak in mpi_is_prime()
* Replaced realloc with malloc in mpi_grow(), and set
the sign of zero as positive in mpi_init() (reported
by Jonathan M. McCune)
= Version 0.7 released on 2007-07-07
* Added support for the MicroBlaze soft-core processor
* Fixed a bug in ssl_tls.c which sometimes prevented SSL
connections from being established with non-blocking I/O
* Fixed a couple bugs in the VS6 and UNIX Makefiles
* Fixed the "PIC register ebx clobbered in asm" bug
* Added HMAC starts/update/finish support functions
* Added the SHA-224, SHA-384 and SHA-512 hash functions
* Fixed the net_set_*block routines, thanks to Andreas
* Added a few demonstration programs: md5sum, sha1sum,
dh_client, dh_server, rsa_genkey, rsa_sign, rsa_verify
* Added new bignum import and export helper functions
* Rewrote README.txt in program/ssl/ca to better explain
how to create a test PKI
= Version 0.6 released on 2007-04-01
* Ciphers used in SSL/TLS can now be disabled at compile
time, to reduce the memory footprint on embedded systems
* Added multiply assembly code for the TriCore and modified
havege_struct for this processor, thanks to David Patiño
* Added multiply assembly code for 64-bit PowerPCs,
thanks to Peking University and the OSU Open Source Lab
* Added experimental support of Quantum Cryptography
* Added support for autoconf, contributed by Arnaud Cornet
* Fixed "long long" compilation issues on IA-64 and PPC64
* Fixed a bug introduced in xyssl-0.5/timing.c: hardclock
was not being correctly defined on ARM and MIPS
= Version 0.5 released on 2007-03-01
* Added multiply assembly code for SPARC and Alpha
* Added (beta) support for non-blocking I/O operations
* Implemented session resuming and client authentication
* Fixed some portability issues on WinCE, MINIX 3, Plan9
(thanks to Benjamin Newman), HP-UX, FreeBSD and Solaris
* Improved the performance of the EDH key exchange
* Fixed a bug that caused valid packets with a payload
size of 16384 bytes to be rejected
= Version 0.4 released on 2007-02-01
* Added support for Ephemeral Diffie-Hellman key exchange
* Added multiply asm code for SSE2, ARM, PPC, MIPS and M68K
* Various improvement to the modular exponentiation code
* Rewrote the headers to generate the API docs with doxygen
* Fixed a bug in ssl_encrypt_buf (incorrect padding was
generated) and in ssl_parse_client_hello (max. client
version was not properly set), thanks to Didier Rebeix
* Fixed another bug in ssl_parse_client_hello: clients with
cipherlists larger than 96 bytes were incorrectly rejected
* Fixed a couple memory leak in x509_read.c
= Version 0.3 released on 2007-01-01
* Added server-side SSLv3 and TLSv1.0 support
* Multiple fixes to enhance the compatibility with g++,
thanks to Xosé Antón Otero Ferreira
* Fixed a bug in the CBC code, thanks to dowst; also,
the bignum code is no longer dependant on long long
* Updated rsa_pkcs1_sign to handle arbitrary large inputs
* Updated timing.c for improved compatibility with i386
and 486 processors, thanks to Arnaud Cornet
= Version 0.2 released on 2006-12-01
* Updated timing.c to support ARM and MIPS arch
* Updated the MPI code to support 8086 on MSVC 1.5
* Added the copyright notice at the top of havege.h
* Fixed a bug in sha2_hmac, thanks to newsoft/Wenfang Zhang
* Fixed a bug reported by Adrian Rüegsegger in x509_read_key
* Fixed a bug reported by Torsten Lauter in ssl_read_record
* Fixed a bug in rsa_check_privkey that would wrongly cause
valid RSA keys to be dismissed (thanks to oldwolf)
* Fixed a bug in mpi_is_prime that caused some primes to fail
the Miller-Rabin primality test
I'd also like to thank Younès Hafri for the CRUX linux port,
Khalil Petit who added XySSL into pkgsrc and Arnaud Cornet
who maintains the Debian package :-)
= Version 0.1 released on 2006-11-01