forked from Mbed-TLS/mbedtls
-
Notifications
You must be signed in to change notification settings - Fork 0
/
ChangeLog
2084 lines (1887 loc) · 99.1 KB
/
ChangeLog
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
mbed TLS ChangeLog (Sorted per branch, date)
= mbed TLS 2.4.1 branch released 2016-12-13
Changes
* Update to CMAC test data, taken from - NIST Special Publication 800-38B -
Recommendation for Block Cipher Modes of Operation: The CMAC Mode for
Authentication – October 2016
= mbed TLS 2.4.0 branch released 2016-10-17
Security
* Removed the MBEDTLS_SSL_AEAD_RANDOM_IV option, because it was not compliant
with RFC-5116 and could lead to session key recovery in very long TLS
sessions. "Nonce-Disrespecting Adversaries Practical Forgery Attacks on GCM in
TLS" - H. Bock, A. Zauner, S. Devlin, J. Somorovsky, P. Jovanovic.
https://eprint.iacr.org/2016/475.pdf
* Fixed potential stack corruption in mbedtls_x509write_crt_der() and
mbedtls_x509write_csr_der() when the signature is copied to the buffer
without checking whether there is enough space in the destination. The
issue cannot be triggered remotely. Found by Jethro Beekman.
Features
* Added support for CMAC for AES and 3DES and AES-CMAC-PRF-128, as defined by
NIST SP 800-38B, RFC-4493 and RFC-4615.
* Added hardware entropy selftest to verify that the hardware entropy source
is functioning correctly.
* Added a script to print build environment info for diagnostic use in test
scripts, which is also now called by all.sh.
* Added the macro MBEDTLS_X509_MAX_FILE_PATH_LEN that enables the user to
configure the maximum length of a file path that can be buffered when
calling mbedtls_x509_crt_parse_path().
* Added a configuration file config-no-entropy.h that configures the subset of
library features that do not require an entropy source.
* Added the macro MBEDTLS_ENTROPY_MIN_HARDWARE in config.h. This allows users
to configure the minimum number of bytes for entropy sources using the
mbedtls_hardware_poll() function.
Bugfix
* Fix for platform time abstraction to avoid dependency issues where a build
may need time but not the standard C library abstraction, and added
configuration consistency checks to check_config.h
* Fix dependency issue in Makefile to allow parallel builds.
* Fix incorrect handling of block lengths in crypt_and_hash.c sample program,
when GCM is used. Found by udf2457. #441
* Fix for key exchanges based on ECDH-RSA or ECDH-ECDSA which weren't
enabled unless others were also present. Found by David Fernandez. #428
* Fix for out-of-tree builds using CMake. Found by jwurzer, and fix based on
a contribution from Tobias Tangemann. #541
* Fixed cert_app.c sample program for debug output and for use when no root
certificates are provided.
* Fix conditional statement that would cause a 1 byte overread in
mbedtls_asn1_get_int(). Found and fixed by Guido Vranken. #599
* Fixed pthread implementation to avoid unintended double initialisations
and double frees. Found by Niklas Amnebratt.
* Fixed the sample applications gen_key.c, cert_req.c and cert_write.c for
builds where the configuration MBEDTLS_PEM_WRITE_C is not defined. Found
by inestlerode. #559.
* Fix mbedtls_x509_get_sig() to update the ASN1 type in the mbedtls_x509_buf
data structure until after error checks are successful. Found by
subramanyam-c. #622
* Fix documentation and implementation missmatch for function arguments of
mbedtls_gcm_finish(). Found by cmiatpaar. #602
* Guarantee that P>Q at RSA key generation. Found by inestlerode. #558
* Fix potential byte overread when verifying malformed SERVER_HELLO in
ssl_parse_hello_verify_request() for DTLS. Found by Guido Vranken.
* Fix check for validity of date when parsing in mbedtls_x509_get_time().
Found by subramanyam-c. #626
* Fix compatibility issue with Internet Explorer client authentication,
where the limited hash choices prevented the client from sending its
certificate. Found by teumas. #513
* Fix compilation without MBEDTLS_SELF_TEST enabled.
Changes
* Extended test coverage of special cases, and added new timing test suite.
* Removed self-tests from the basic-built-test.sh script, and added all
missing self-tests to the test suites, to ensure self-tests are only
executed once.
* Added support for 3 and 4 byte lengths to mbedtls_asn1_write_len().
* Added support for a Yotta specific configuration file -
through the symbol YOTTA_CFG_MBEDTLS_TARGET_CONFIG_FILE.
* Added optimization for code space for X.509/OID based on configured
features. Contributed by Aviv Palivoda.
* Renamed source file library/net.c to library/net_sockets.c to avoid
naming collision in projects which also have files with the common name
net.c. For consistency, the corresponding header file, net.h, is marked as
deprecated, and its contents moved to net_sockets.h.
* Changed the strategy for X.509 certificate parsing and validation, to no
longer disregard certificates with unrecognised fields.
= mbed TLS 2.3.0 branch released 2016-06-28
Security
* Fix missing padding length check in mbedtls_rsa_rsaes_pkcs1_v15_decrypt
required by PKCS1 v2.2
* Fix potential integer overflow to buffer overflow in
mbedtls_rsa_rsaes_pkcs1_v15_encrypt and mbedtls_rsa_rsaes_oaep_encrypt
(not triggerable remotely in (D)TLS).
* Fix a potential integer underflow to buffer overread in
mbedtls_rsa_rsaes_oaep_decrypt. It is not triggerable remotely in
SSL/TLS.
Features
* Support for platform abstraction of the standard C library time()
function.
Bugfix
* Fix bug in mbedtls_mpi_add_mpi() that caused wrong results when the three
arguments where the same (in-place doubling). Found and fixed by Janos
Follath. #309
* Fix potential build failures related to the 'apidoc' target, introduced
in the previous patch release. Found by Robert Scheck. #390 #391
* Fix issue in Makefile that prevented building using armar. #386
* Fix memory leak that occured only when ECJPAKE was enabled and ECDHE and
ECDSA was disabled in config.h . The leak didn't occur by default.
* Fix an issue that caused valid certificates to be rejected whenever an
expired or not yet valid certificate was parsed before a valid certificate
in the trusted certificate list.
* Fix bug in mbedtls_x509_crt_parse that caused trailing extra data in the
buffer after DER certificates to be included in the raw representation.
* Fix issue that caused a hang when generating RSA keys of odd bitlength
* Fix bug in mbedtls_rsa_rsaes_pkcs1_v15_encrypt that made null pointer
dereference possible.
* Fix issue that caused a crash if invalid curves were passed to
mbedtls_ssl_conf_curves. #373
* Fix issue in ssl_fork_server which was preventing it from functioning. #429
* Fix memory leaks in test framework
* Fix test in ssl-opt.sh that does not run properly with valgrind
* Fix unchecked calls to mmbedtls_md_setup(). Fix by Brian Murray. #502
Changes
* On ARM platforms, when compiling with -O0 with GCC, Clang or armcc5,
don't use the optimized assembly for bignum multiplication. This removes
the need to pass -fomit-frame-pointer to avoid a build error with -O0.
* Disabled SSLv3 in the default configuration.
* Optimized mbedtls_mpi_zeroize() for MPI integer size. (Fix by Alexey
Skalozub).
* Fix non-compliance server extension handling. Extensions for SSLv3 are now
ignored, as required by RFC6101.
= mbed TLS 2.2.1 released 2016-01-05
Security
* Fix potential double free when mbedtls_asn1_store_named_data() fails to
allocate memory. Only used for certificate generation, not triggerable
remotely in SSL/TLS. Found by Rafał Przywara. #367
* Disable MD5 handshake signatures in TLS 1.2 by default to prevent the
SLOTH attack on TLS 1.2 server authentication (other attacks from the
SLOTH paper do not apply to any version of mbed TLS or PolarSSL).
https://www.mitls.org/pages/attacks/SLOTH
Bugfix
* Fix over-restrictive length limit in GCM. Found by Andreas-N. #362
* Fix bug in certificate validation that caused valid chains to be rejected
when the first intermediate certificate has pathLenConstraint=0. Found by
Nicholas Wilson. Introduced in mbed TLS 2.2.0. #280
* Removed potential leak in mbedtls_rsa_rsassa_pkcs1_v15_sign(), found by
JayaraghavendranK. #372
* Fix suboptimal handling of unexpected records that caused interop issues
with some peers over unreliable links. Avoid dropping an entire DTLS
datagram if a single record in a datagram is unexpected, instead only
drop the record and look at subsequent records (if any are present) in
the same datagram. Found by jeannotlapin. #345
= mbed TLS 2.2.0 released 2015-11-04
Security
* Fix potential double free if mbedtls_ssl_conf_psk() is called more than
once and some allocation fails. Cannot be forced remotely. Found by Guido
Vranken, Intelworks.
* Fix potential heap corruption on Windows when
mbedtls_x509_crt_parse_path() is passed a path longer than 2GB. Cannot be
triggered remotely. Found by Guido Vranken, Intelworks.
* Fix potential buffer overflow in some asn1_write_xxx() functions.
Cannot be triggered remotely unless you create X.509 certificates based
on untrusted input or write keys of untrusted origin. Found by Guido
Vranken, Intelworks.
* The X509 max_pathlen constraint was not enforced on intermediate
certificates. Found by Nicholas Wilson, fix and tests provided by
Janos Follath. #280 and #319
Features
* Experimental support for EC J-PAKE as defined in Thread 1.0.0.
Disabled by default as the specification might still change.
* Added a key extraction callback to accees the master secret and key
block. (Potential uses include EAP-TLS and Thread.)
Bugfix
* Self-signed certificates were not excluded from pathlen counting,
resulting in some valid X.509 being incorrectly rejected. Found and fix
provided by Janos Follath. #319
* Fix build error with configurations where ECDHE-PSK is the only key
exchange. Found and fix provided by Chris Hammond. #270
* Fix build error with configurations where RSA, RSA-PSK, ECDH-RSA or
ECHD-ECDSA if the only key exchange. Multiple reports. #310
* Fixed a bug causing some handshakes to fail due to some non-fatal alerts
not being properly ignored. Found by mancha and Kasom Koht-arsa, #308
* mbedtls_x509_crt_verify(_with_profile)() now also checks the key type and
size/curve against the profile. Before that, there was no way to set a
minimum key size for end-entity certificates with RSA keys. Found by
Matthew Page of Scannex Electronics Ltd.
* Fix failures in MPI on Sparc(64) due to use of bad assembly code.
Found by Kurt Danielson. #292
* Fix typo in name of the extKeyUsage OID. Found by inestlerode, #314
* Fix bug in ASN.1 encoding of booleans that caused generated CA
certificates to be rejected by some applications, including OS X
Keychain. Found and fixed by Jonathan Leroy, Inikup.
Changes
* Improved performance of mbedtls_ecp_muladd() when one of the scalars is 1
or -1.
= mbed TLS 2.1.2 released 2015-10-06
Security
* Added fix for CVE-2015-5291 to prevent heap corruption due to buffer
overflow of the hostname or session ticket. Found by Guido Vranken,
Intelworks.
* Fix potential double-free if mbedtls_ssl_set_hs_psk() is called more than
once in the same handhake and mbedtls_ssl_conf_psk() was used.
Found and patch provided by Guido Vranken, Intelworks. Cannot be forced
remotely.
* Fix stack buffer overflow in pkcs12 decryption (used by
mbedtls_pk_parse_key(file)() when the password is > 129 bytes.
Found by Guido Vranken, Intelworks. Not triggerable remotely.
* Fix potential buffer overflow in mbedtls_mpi_read_string().
Found by Guido Vranken, Intelworks. Not exploitable remotely in the context
of TLS, but might be in other uses. On 32 bit machines, requires reading a
string of close to or larger than 1GB to exploit; on 64 bit machines, would
require reading a string of close to or larger than 2^62 bytes.
* Fix potential random memory allocation in mbedtls_pem_read_buffer()
on crafted PEM input data. Found and fix provided by Guido Vranken,
Intelworks. Not triggerable remotely in TLS. Triggerable remotely if you
accept PEM data from an untrusted source.
* Fix possible heap buffer overflow in base64_encoded() when the input
buffer is 512MB or larger on 32-bit platforms. Found by Guido Vranken,
Intelworks. Not trigerrable remotely in TLS.
* Fix potential double-free if mbedtls_conf_psk() is called repeatedly on
the same mbedtls_ssl_config object and memory allocation fails. Found by
Guido Vranken, Intelworks. Cannot be forced remotely.
* Fix potential heap buffer overflow in servers that perform client
authentication against a crafted CA cert. Cannot be triggered remotely
unless you allow third parties to pick trust CAs for client auth.
Found by Guido Vranken, Intelworks.
Bugfix
* Fix compile error in net.c with musl libc. Found and patch provided by
zhasha (#278).
* Fix macroization of 'inline' keyword when building as C++. (#279)
Changes
* Added checking of hostname length in mbedtls_ssl_set_hostname() to ensure
domain names are compliant with RFC 1035.
* Fixed paths for check_config.h in example config files. (Found by bachp)
(#291)
= mbed TLS 2.1.1 released 2015-09-17
Security
* Add countermeasure against Lenstra's RSA-CRT attack for PKCS#1 v1.5
signatures. (Found by Florian Weimer, Red Hat.)
https://securityblog.redhat.com/2015/09/02/factoring-rsa-keys-with-tls-perfect-forward-secrecy/
* Fix possible client-side NULL pointer dereference (read) when the client
tries to continue the handshake after it failed (a misuse of the API).
(Found and patch provided by Fabian Foerg, Gotham Digital Science using
afl-fuzz.)
Bugfix
* Fix warning when using a 64bit platform. (found by embedthis) (#275)
* Fix off-by-one error in parsing Supported Point Format extension that
caused some handshakes to fail.
Changes
* Made X509 profile pointer const in mbedtls_ssl_conf_cert_profile() to allow
use of mbedtls_x509_crt_profile_next. (found by NWilson)
* When a client initiates a reconnect from the same port as a live
connection, if cookie verification is available
(MBEDTLS_SSL_DTLS_HELLO_VERIFY defined in config.h, and usable cookie
callbacks set with mbedtls_ssl_conf_dtls_cookies()), this will be
detected and mbedtls_ssl_read() will return
MBEDTLS_ERR_SSL_CLIENT_RECONNECT - it is then possible to start a new
handshake with the same context. (See RFC 6347 section 4.2.8.)
= mbed TLS 2.1.0 released 2015-09-04
Features
* Added support for yotta as a build system.
* Primary open source license changed to Apache 2.0 license.
Bugfix
* Fix segfault in the benchmark program when benchmarking DHM.
* Fix build error with CMake and pre-4.5 versions of GCC (found by Hugo
Leisink).
* Fix bug when parsing a ServerHello without extensions (found by David
Sears).
* Fix bug in CMake lists that caused libmbedcrypto.a not to be installed
(found by Benoit Lecocq).
* Fix bug in Makefile that caused libmbedcrypto and libmbedx509 not to be
installed (found by Rawi666).
* Fix compile error with armcc 5 with --gnu option.
* Fix bug in Makefile that caused programs not to be installed correctly
(found by robotanarchy) (#232).
* Fix bug in Makefile that prevented from installing without building the
tests (found by robotanarchy) (#232).
* Fix missing -static-libgcc when building shared libraries for Windows
with make.
* Fix link error when building shared libraries for Windows with make.
* Fix error when loading libmbedtls.so.
* Fix bug in mbedtls_ssl_conf_default() that caused the default preset to
be always used (found by dcb314) (#235)
* Fix bug in mbedtls_rsa_public() and mbedtls_rsa_private() that could
result trying to unlock an unlocked mutex on invalid input (found by
Fredrik Axelsson) (#257)
* Fix -Wshadow warnings (found by hnrkp) (#240)
* Fix memory corruption on client with overlong PSK identity, around
SSL_MAX_CONTENT_LEN or higher - not triggerrable remotely (found by
Aleksandrs Saveljevs) (#238)
* Fix unused function warning when using MBEDTLS_MDx_ALT or
MBEDTLS_SHAxxx_ALT (found by Henrik) (#239)
* Fix memory corruption in pkey programs (found by yankuncheng) (#210)
Changes
* The PEM parser now accepts a trailing space at end of lines (#226).
* It is now possible to #include a user-provided configuration file at the
end of the default config.h by defining MBEDTLS_USER_CONFIG_FILE on the
compiler's command line.
* When verifying a certificate chain, if an intermediate certificate is
trusted, no later cert is checked. (suggested by hannes-landeholm)
(#220).
* Prepend a "thread identifier" to debug messages (issue pointed out by
Hugo Leisink) (#210).
* Add mbedtls_ssl_get_max_frag_len() to query the current maximum fragment
length.
= mbed TLS 2.0.0 released 2015-07-13
Features
* Support for DTLS 1.0 and 1.2 (RFC 6347).
* Ability to override core functions from MDx, SHAx, AES and DES modules
with custom implementation (eg hardware accelerated), complementing the
ability to override the whole module.
* New server-side implementation of session tickets that rotate keys to
preserve forward secrecy, and allows sharing across multiple contexts.
* Added a concept of X.509 cerificate verification profile that controls
which algorithms and key sizes (curves for ECDSA) are acceptable.
* Expanded configurability of security parameters in the SSL module with
mbedtls_ssl_conf_dhm_min_bitlen() and mbedtls_ssl_conf_sig_hashes().
* Introduced a concept of presets for SSL security-relevant configuration
parameters.
API Changes
* The library has been split into libmbedcrypto, libmbedx509, libmbedtls.
You now need to link to all of them if you use TLS for example.
* All public identifiers moved to the mbedtls_* or MBEDTLS_* namespace.
Some names have been further changed to make them more consistent.
Migration helpers scripts/rename.pl and include/mbedlts/compat-1.3.h are
provided. Full list of renamings in scripts/data_files/rename-1.3-2.0.txt
* Renamings of fields inside structures, not covered by the previous list:
mbedtls_cipher_info_t.key_length -> key_bitlen
mbedtls_cipher_context_t.key_length -> key_bitlen
mbedtls_ecp_curve_info.size -> bit_size
* Headers are now found in the 'mbedtls' directory (previously 'polarssl').
* The following _init() functions that could return errors have
been split into an _init() that returns void and another function that
should generally be the first function called on this context after init:
mbedtls_ssl_init() -> mbedtls_ssl_setup()
mbedtls_ccm_init() -> mbedtls_ccm_setkey()
mbedtls_gcm_init() -> mbedtls_gcm_setkey()
mbedtls_hmac_drbg_init() -> mbedtls_hmac_drbg_seed(_buf)()
mbedtls_ctr_drbg_init() -> mbedtls_ctr_drbg_seed()
Note that for mbedtls_ssl_setup(), you need to be done setting up the
ssl_config structure before calling it.
* Most ssl_set_xxx() functions (all except ssl_set_bio(), ssl_set_hostname(),
ssl_set_session() and ssl_set_client_transport_id(), plus
ssl_legacy_renegotiation()) have been renamed to mbedtls_ssl_conf_xxx()
(see rename.pl and compat-1.3.h above) and their first argument's type
changed from ssl_context to ssl_config.
* ssl_set_bio() changed signature (contexts merged, order switched, one
additional callback for read-with-timeout).
* The following functions have been introduced and must be used in callback
implementations (SNI, PSK) instead of their *conf counterparts:
mbedtls_ssl_set_hs_own_cert()
mbedtls_ssl_set_hs_ca_chain()
mbedtls_ssl_set_hs_psk()
* mbedtls_ssl_conf_ca_chain() lost its last argument (peer_cn), now set
using mbedtls_ssl_set_hostname().
* mbedtls_ssl_conf_session_cache() changed prototype (only one context
pointer, parameters reordered).
* On server, mbedtls_ssl_conf_session_tickets_cb() must now be used in
place of mbedtls_ssl_conf_session_tickets() to enable session tickets.
* The SSL debug callback gained two new arguments (file name, line number).
* Debug modes were removed.
* mbedtls_ssl_conf_truncated_hmac() now returns void.
* mbedtls_memory_buffer_alloc_init() now returns void.
* X.509 verification flags are now an uint32_t. Affect the signature of:
mbedtls_ssl_get_verify_result()
mbedtls_x509_ctr_verify_info()
mbedtls_x509_crt_verify() (flags, f_vrfy -> needs to be updated)
mbedtls_ssl_conf_verify() (f_vrfy -> needs to be updated)
* The following functions changed prototype to avoid an in-out length
parameter:
mbedtls_base64_encode()
mbedtls_base64_decode()
mbedtls_mpi_write_string()
mbedtls_dhm_calc_secret()
* In the NET module, all "int" and "int *" arguments for file descriptors
changed type to "mbedtls_net_context *".
* net_accept() gained new arguments for the size of the client_ip buffer.
* In the threading layer, mbedtls_mutex_init() and mbedtls_mutex_free() now
return void.
* ecdsa_write_signature() gained an addtional md_alg argument and
ecdsa_write_signature_det() was deprecated.
* pk_sign() no longer accepts md_alg == POLARSSL_MD_NONE with ECDSA.
* Last argument of x509_crt_check_key_usage() and
mbedtls_x509write_crt_set_key_usage() changed from int to unsigned.
* test_ca_list (from certs.h) is renamed to test_cas_pem and is only
available if POLARSSL_PEM_PARSE_C is defined (it never worked without).
* Test certificates in certs.c are no longer guaranteed to be nul-terminated
strings; use the new *_len variables instead of strlen().
* Functions mbedtls_x509_xxx_parse(), mbedtls_pk_parse_key(),
mbedtls_pk_parse_public_key() and mbedtls_dhm_parse_dhm() now expect the
length parameter to include the terminating null byte for PEM input.
* Signature of mpi_mul_mpi() changed to make the last argument unsigned
* calloc() is now used instead of malloc() everywhere. API of platform
layer and the memory_buffer_alloc module changed accordingly.
(Thanks to Mansour Moufid for helping with the replacement.)
* Change SSL_DISABLE_RENEGOTIATION config.h flag to SSL_RENEGOTIATION
(support for renegotiation now needs explicit enabling in config.h).
* Split MBEDTLS_HAVE_TIME into MBEDTLS_HAVE_TIME and MBEDTLS_HAVE_TIME_DATE
in config.h
* net_connect() and net_bind() have a new 'proto' argument to choose
between TCP and UDP, using the macros NET_PROTO_TCP or NET_PROTO_UDP.
Their 'port' argument type is changed to a string.
* Some constness fixes
Removals
* Removed mbedtls_ecp_group_read_string(). Only named groups are supported.
* Removed mbedtls_ecp_sub() and mbedtls_ecp_add(), use
mbedtls_ecp_muladd().
* Removed individual mdX_hmac, shaX_hmac, mdX_file and shaX_file functions
(use generic functions from md.h)
* Removed mbedtls_timing_msleep(). Use mbedtls_net_usleep() or a custom
waiting function.
* Removed test DHM parameters from the test certs module.
* Removed the PBKDF2 module (use PKCS5).
* Removed POLARSSL_ERROR_STRERROR_BC (use mbedtls_strerror()).
* Removed compat-1.2.h (helper for migrating from 1.2 to 1.3).
* Removed openssl.h (very partial OpenSSL compatibility layer).
* Configuration options POLARSSL_HAVE_LONGLONG was removed (now always on).
* Configuration options POLARSSL_HAVE_INT8 and POLARSSL_HAVE_INT16 have
been removed (compiler is required to support 32-bit operations).
* Configuration option POLARSSL_HAVE_IPV6 was removed (always enabled).
* Removed test program o_p_test, the script compat.sh does more.
* Removed test program ssl_test, superseded by ssl-opt.sh.
* Removed helper script active-config.pl
New deprecations
* md_init_ctx() is deprecated in favour of md_setup(), that adds a third
argument (allowing memory savings if HMAC is not used)
Semi-API changes (technically public, morally private)
* Renamed a few headers to include _internal in the name. Those headers are
not supposed to be included by users.
* Changed md_info_t into an opaque structure (use md_get_xxx() accessors).
* Changed pk_info_t into an opaque structure.
* Changed cipher_base_t into an opaque structure.
* Removed sig_oid2 and rename sig_oid1 to sig_oid in x509_crt and x509_crl.
* x509_crt.key_usage changed from unsigned char to unsigned int.
* Removed r and s from ecdsa_context
* Removed mode from des_context and des3_context
Default behavior changes
* The default minimum TLS version is now TLS 1.0.
* RC4 is now blacklisted by default in the SSL/TLS layer, and excluded from the
default ciphersuite list returned by ssl_list_ciphersuites()
* Support for receiving SSLv2 ClientHello is now disabled by default at
compile time.
* The default authmode for SSL/TLS clients is now REQUIRED.
* Support for RSA_ALT contexts in the PK layer is now optional. Since is is
enabled in the default configuration, this is only noticeable if using a
custom config.h
* Default DHM parameters server-side upgraded from 1024 to 2048 bits.
* A minimum RSA key size of 2048 bits is now enforced during ceritificate
chain verification.
* Negotiation of truncated HMAC is now disabled by default on server too.
* The following functions are now case-sensitive:
mbedtls_cipher_info_from_string()
mbedtls_ecp_curve_info_from_name()
mbedtls_md_info_from_string()
mbedtls_ssl_ciphersuite_from_string()
mbedtls_version_check_feature()
Requirement changes
* The minimum MSVC version required is now 2010 (better C99 support).
* The NET layer now unconditionnaly relies on getaddrinfo() and select().
* Compiler is required to support C99 types such as long long and uint32_t.
API changes from the 1.4 preview branch
* ssl_set_bio_timeout() was removed, split into mbedtls_ssl_set_bio() with
new prototype, and mbedtls_ssl_set_read_timeout().
* The following functions now return void:
mbedtls_ssl_conf_transport()
mbedtls_ssl_conf_max_version()
mbedtls_ssl_conf_min_version()
* DTLS no longer hard-depends on TIMING_C, but uses a callback interface
instead, see mbedtls_ssl_set_timer_cb(), with the Timing module providing
an example implementation, see mbedtls_timing_delay_context and
mbedtls_timing_set/get_delay().
* With UDP sockets, it is no longer necessary to call net_bind() again
after a successful net_accept().
Changes
* mbedtls_ctr_drbg_random() and mbedtls_hmac_drbg_random() are now
thread-safe if MBEDTLS_THREADING_C is enabled.
* Reduced ROM fooprint of SHA-256 and added an option to reduce it even
more (at the expense of performance) MBEDTLS_SHA256_SMALLER.
= mbed TLS 1.3 branch
Security
* With authmode set to SSL_VERIFY_OPTIONAL, verification of keyUsage and
extendedKeyUsage on the leaf certificate was lost (results not accessible
via ssl_get_verify_results()).
* Add countermeasure against "Lucky 13 strikes back" cache-based attack,
https://dl.acm.org/citation.cfm?id=2714625
Features
* Improve ECC performance by using more efficient doubling formulas
(contributed by Peter Dettman).
* Add x509_crt_verify_info() to display certificate verification results.
* Add support for reading DH parameters with privateValueLength included
(contributed by Daniel Kahn Gillmor).
* Add support for bit strings in X.509 names (request by Fredrik Axelsson).
* Add support for id-at-uniqueIdentifier in X.509 names.
* Add support for overriding snprintf() (except on Windows) and exit() in
the platform layer.
* Add an option to use macros instead of function pointers in the platform
layer (helps get rid of unwanted references).
* Improved Makefiles for Windows targets by fixing library targets and making
cross-compilation easier (thanks to Alon Bar-Lev).
* The benchmark program also prints heap usage for public-key primitives
if POLARSSL_MEMORY_BUFFER_ALLOC_C and POLARSSL_MEMORY_DEBUG are defined.
* New script ecc-heap.sh helps measuring the impact of ECC parameters on
speed and RAM (heap only for now) usage.
* New script memory.sh helps measuring the ROM and RAM requirements of two
reduced configurations (PSK-CCM and NSA suite B).
* Add config flag POLARSSL_DEPRECATED_WARNING (off by default) to produce
warnings on use of deprecated functions (with GCC and Clang only).
* Add config flag POLARSSL_DEPRECATED_REMOVED (off by default) to produce
errors on use of deprecated functions.
Bugfix
* Fix compile errors with PLATFORM_NO_STD_FUNCTIONS.
* Fix compile error with PLATFORM_EXIT_ALT (thanks to Rafał Przywara).
* Fix bug in entropy.c when THREADING_C is also enabled that caused
entropy_free() to crash (thanks to Rafał Przywara).
* Fix memory leak when gcm_setkey() and ccm_setkey() are used more than
once on the same context.
* Fix bug in ssl_mail_client when password is longer that username (found
by Bruno Pape).
* Fix undefined behaviour (memcmp( NULL, NULL, 0 );) in X.509 modules
(detected by Clang's 3.6 UBSan).
* mpi_size() and mpi_msb() would segfault when called on an mpi that is
initialized but not set (found by pravic).
* Fix detection of support for getrandom() on Linux (reported by syzzer) by
doing it at runtime (using uname) rather that compile time.
* Fix handling of symlinks by "make install" (found by Gaël PORTAY).
* Fix potential NULL pointer dereference (not trigerrable remotely) when
ssl_write() is called before the handshake is finished (introduced in
1.3.10) (first reported by Martin Blumenstingl).
* Fix bug in pk_parse_key() that caused some valid private EC keys to be
rejected.
* Fix bug in Via Padlock support (found by Nikos Mavrogiannopoulos).
* Fix thread safety bug in RSA operations (found by Fredrik Axelsson).
* Fix hardclock() (only used in the benchmarking program) with some
versions of mingw64 (found by kxjhlele).
* Fix warnings from mingw64 in timing.c (found by kxjklele).
* Fix potential unintended sign extension in asn1_get_len() on 64-bit
platforms.
* Fix potential memory leak in ssl_set_psk() (found by Mansour Moufid).
* Fix compile error when POLARSSL_SSL_DISABLE_RENEGOTATION and
POLARSSL_SSL_SSESSION_TICKETS where both enabled in config.h (introduced
in 1.3.10).
* Add missing extern "C" guard in aesni.h (reported by amir zamani).
* Add missing dependency on SHA-256 in some x509 programs (reported by
Gergely Budai).
* Fix bug related to ssl_set_curves(): the client didn't check that the
curve picked by the server was actually allowed.
Changes
* Remove bias in mpi_gen_prime (contributed by Pascal Junod).
* Remove potential sources of timing variations (some contributed by Pascal
Junod).
* Options POLARSSL_HAVE_INT8 and POLARSSL_HAVE_INT16 are deprecated.
* Enabling POLARSSL_NET_C without POLARSSL_HAVE_IPV6 is deprecated.
* compat-1.2.h and openssl.h are deprecated.
* Adjusting/overriding CFLAGS and LDFLAGS with the make build system is now
more flexible (warning: OFLAGS is not used any more) (see the README)
(contributed by Alon Bar-Lev).
* ssl_set_own_cert() no longer calls pk_check_pair() since the
performance impact was bad for some users (this was introduced in 1.3.10).
* Move from SHA-1 to SHA-256 in example programs using signatures
(suggested by Thorsten Mühlfelder).
* Remove some unneeded inclusions of header files from the standard library
"minimize" others (eg use stddef.h if only size_t is needed).
* Change #include lines in test files to use double quotes instead of angle
brackets for uniformity with the rest of the code.
* Remove dependency on sscanf() in X.509 parsing modules.
= mbed TLS 1.3.10 released 2015-02-09
Security
* NULL pointer dereference in the buffer-based allocator when the buffer is
full and polarssl_free() is called (found by Mark Hasemeyer)
(only possible if POLARSSL_MEMORY_BUFFER_ALLOC_C is enabled, which it is
not by default).
* Fix remotely-triggerable uninitialised pointer dereference caused by
crafted X.509 certificate (TLS server is not affected if it doesn't ask for a
client certificate) (found using Codenomicon Defensics).
* Fix remotely-triggerable memory leak caused by crafted X.509 certificates
(TLS server is not affected if it doesn't ask for a client certificate)
(found using Codenomicon Defensics).
* Fix potential stack overflow while parsing crafted X.509 certificates
(TLS server is not affected if it doesn't ask for a client certificate)
(found using Codenomicon Defensics).
* Fix timing difference that could theoretically lead to a
Bleichenbacher-style attack in the RSA and RSA-PSK key exchanges
(reported by Sebastian Schinzel).
Features
* Add support for FALLBACK_SCSV (draft-ietf-tls-downgrade-scsv).
* Add support for Extended Master Secret (draft-ietf-tls-session-hash).
* Add support for Encrypt-then-MAC (RFC 7366).
* Add function pk_check_pair() to test if public and private keys match.
* Add x509_crl_parse_der().
* Add compile-time option POLARSSL_X509_MAX_INTERMEDIATE_CA to limit the
length of an X.509 verification chain.
* Support for renegotiation can now be disabled at compile-time
* Support for 1/n-1 record splitting, a countermeasure against BEAST.
* Certificate selection based on signature hash, preferring SHA-1 over SHA-2
for pre-1.2 clients when multiple certificates are available.
* Add support for getrandom() syscall on recent Linux kernels with Glibc or
a compatible enough libc (eg uClibc).
* Add ssl_set_arc4_support() to make it easier to disable RC4 at runtime
while using the default ciphersuite list.
* Added new error codes and debug messages about selection of
ciphersuite/certificate.
Bugfix
* Stack buffer overflow if ctr_drbg_update() is called with too large
add_len (found by Jean-Philippe Aumasson) (not triggerable remotely).
* Possible buffer overflow of length at most POLARSSL_MEMORY_ALIGN_MULTIPLE
if memory_buffer_alloc_init() was called with buf not aligned and len not
a multiple of POLARSSL_MEMORY_ALIGN_MULTIPLE (not triggerable remotely).
* User set CFLAGS were ignored by Cmake with gcc (introduced in 1.3.9, found
by Julian Ospald).
* Fix potential undefined behaviour in Camellia.
* Fix potential failure in ECDSA signatures when POLARSSL_ECP_MAX_BITS is a
multiple of 8 (found by Gergely Budai).
* Fix unchecked return code in x509_crt_parse_path() on Windows (found by
Peter Vaskovic).
* Fix assembly selection for MIPS64 (thanks to James Cowgill).
* ssl_get_verify_result() now works even if the handshake was aborted due
to a failed verification (found by Fredrik Axelsson).
* Skip writing and parsing signature_algorithm extension if none of the
key exchanges enabled needs certificates. This fixes a possible interop
issue with some servers when a zero-length extension was sent. (Reported
by Peter Dettman.)
* On a 0-length input, base64_encode() did not correctly set output length
(found by Hendrik van den Boogaard).
Changes
* Use deterministic nonces for AEAD ciphers in TLS by default (possible to
switch back to random with POLARSSL_SSL_AEAD_RANDOM_IV in config.h).
* Blind RSA private operations even when POLARSSL_RSA_NO_CRT is defined.
* ssl_set_own_cert() now returns an error on key-certificate mismatch.
* Forbid repeated extensions in X.509 certificates.
* debug_print_buf() now prints a text view in addition to hexadecimal.
* A specific error is now returned when there are ciphersuites in common
but none of them is usable due to external factors such as no certificate
with a suitable (extended)KeyUsage or curve or no PSK set.
* It is now possible to disable negotiation of truncated HMAC server-side
at runtime with ssl_set_truncated_hmac().
* Example programs for SSL client and server now disable SSLv3 by default.
* Example programs for SSL client and server now disable RC4 by default.
* Use platform.h in all test suites and programs.
= PolarSSL 1.3.9 released 2014-10-20
Security
* Lowest common hash was selected from signature_algorithms extension in
TLS 1.2 (found by Darren Bane) (introduced in 1.3.8).
* Remotely-triggerable memory leak when parsing some X.509 certificates
(server is not affected if it doesn't ask for a client certificate)
(found using Codenomicon Defensics).
* Remotely-triggerable memory leak when parsing crafted ClientHello
(not affected if ECC support was compiled out) (found using Codenomicon
Defensics).
Bugfix
* Support escaping of commas in x509_string_to_names()
* Fix compile error in ssl_pthread_server (found by Julian Ospald).
* Fix net_accept() regarding non-blocking sockets (found by Luca Pesce).
* Don't print uninitialised buffer in ssl_mail_client (found by Marc Abel).
* Fix warnings from Clang's scan-build (contributed by Alfred Klomp).
* Fix compile error in timing.c when POLARSSL_NET_C and POLARSSL_SELFTEST
are defined but not POLARSSL_HAVE_TIME (found by Stephane Di Vito).
* Remove non-existent file from VS projects (found by Peter Vaskovic).
* ssl_read() could return non-application data records on server while
renegotation was pending, and on client when a HelloRequest was received.
* Server-initiated renegotiation would fail with non-blocking I/O if the
write callback returned WANT_WRITE when requesting renegotiation.
* ssl_close_notify() could send more than one message in some circumstances
with non-blocking I/O.
* Fix compiler warnings on iOS (found by Sander Niemeijer).
* x509_crt_parse() did not increase total_failed on PEM error
* Fix compile error with armcc in mpi_is_prime()
* Fix potential bad read in parsing ServerHello (found by Adrien
Vialletelle).
Changes
* Ciphersuites using SHA-256 or SHA-384 now require TLS 1.x (there is no
standard defining how to use SHA-2 with SSL 3.0).
* Ciphersuites using RSA-PSK key exchange new require TLS 1.x (the spec is
ambiguous on how to encode some packets with SSL 3.0).
* Made buffer size in pk_write_(pub)key_pem() more dynamic, eg smaller if
RSA is disabled, larger if POLARSSL_MPI_MAX_SIZE is larger.
* ssl_read() now returns POLARSSL_ERR_NET_WANT_READ rather than
POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE on harmless alerts.
* POLARSSL_MPI_MAX_SIZE now defaults to 1024 in order to allow 8192 bits
RSA keys.
* Accept spaces at end of line or end of buffer in base64_decode().
* X.509 certificates with more than one AttributeTypeAndValue per
RelativeDistinguishedName are not accepted any more.
= PolarSSL 1.3.8 released 2014-07-11
Security
* Fix length checking for AEAD ciphersuites (found by Codenomicon).
It was possible to crash the server (and client) using crafted messages
when a GCM suite was chosen.
Features
* Add CCM module and cipher mode to Cipher Layer
* Support for CCM and CCM_8 ciphersuites
* Support for parsing and verifying RSASSA-PSS signatures in the X.509
modules (certificates, CRLs and CSRs).
* Blowfish in the cipher layer now supports variable length keys.
* Add example config.h for PSK with CCM, optimized for low RAM usage.
* Optimize for RAM usage in example config.h for NSA Suite B profile.
* Add POLARSSL_REMOVE_ARC4_CIPHERSUITES to allow removing RC4 ciphersuites
from the default list (inactive by default).
* Add server-side enforcement of sent renegotiation requests
(ssl_set_renegotiation_enforced())
* Add SSL_CIPHERSUITES config.h flag to allow specifying a list of
ciphersuites to use and save some memory if the list is small.
Changes
* Add LINK_WITH_PTHREAD option in CMake for explicit linking that is
required on some platforms (e.g. OpenBSD)
* Migrate zeroizing of data to polarssl_zeroize() instead of memset()
against unwanted compiler optimizations
* md_list() now returns hashes strongest first
* Selection of hash for signing ServerKeyExchange in TLS 1.2 now picks
strongest offered by client.
* All public contexts have _init() and _free() functions now for simpler
usage pattern
Bugfix
* Fix in debug_print_msg()
* Enforce alignment in the buffer allocator even if buffer is not aligned
* Remove less-than-zero checks on unsigned numbers
* Stricter check on SSL ClientHello internal sizes compared to actual packet
size (found by TrustInSoft)
* Fix WSAStartup() return value check (found by Peter Vaskovic)
* Other minor issues (found by Peter Vaskovic)
* Fix symlink command for cross compiling with CMake (found by Andre
Heinecke)
* Fix DER output of gen_key app (found by Gergely Budai)
* Very small records were incorrectly rejected when truncated HMAC was in
use with some ciphersuites and versions (RC4 in all versions, CBC with
versions < TLS 1.1).
* Very large records using more than 224 bytes of padding were incorrectly
rejected with CBC-based ciphersuites and TLS >= 1.1
* Very large records using less padding could cause a buffer overread of up
to 32 bytes with CBC-based ciphersuites and TLS >= 1.1
* Restore ability to use a v1 cert as a CA if trusted locally. (This had
been removed in 1.3.6.)
* Restore ability to locally trust a self-signed cert that is not a proper
CA for use as an end entity certificate. (This had been removed in
1.3.6.)
* Fix preprocessor checks for bn_mul PPC asm (found by Barry K. Nathan).
* Use \n\t rather than semicolons for bn_mul asm, since some assemblers
interpret semicolons as comment delimiters (found by Barry K. Nathan).
* Fix off-by-one error in parsing Supported Point Format extension that
caused some handshakes to fail.
* Fix possible miscomputation of the premaster secret with DHE-PSK key
exchange that caused some handshakes to fail with other implementations.
(Failure rate <= 1/255 with common DHM moduli.)
* Disable broken Sparc64 bn_mul assembly (found by Florian Obser).
* Fix base64_decode() to return and check length correctly (in case of
tight buffers)
* Fix mpi_write_string() to write "00" as hex output for empty MPI (found
by Hui Dong)
= PolarSSL 1.3.7 released on 2014-05-02
Features
* debug_set_log_mode() added to determine raw or full logging
* debug_set_threshold() added to ignore messages over threshold level
* version_check_feature() added to check for compile-time options at
run-time
Changes
* POLARSSL_CONFIG_OPTIONS has been removed. All values are individually
checked and filled in the relevant module headers
* Debug module only outputs full lines instead of parts
* Better support for the different Attribute Types from IETF PKIX (RFC 5280)
* AES-NI now compiles with "old" assemblers too
* Ciphersuites based on RC4 now have the lowest priority by default
Bugfix
* Only iterate over actual certificates in ssl_write_certificate_request()
(found by Matthew Page)
* Typos in platform.c and pkcs11.c (found by Daniel Phillips and Steffan
Karger)
* cert_write app should use subject of issuer certificate as issuer of cert
* Fix false reject in padding check in ssl_decrypt_buf() for CBC
ciphersuites, for full SSL frames of data.
* Improve interoperability by not writing extension length in ClientHello /
ServerHello when no extensions are present (found by Matthew Page)
* rsa_check_pubkey() now allows an E up to N
* On OpenBSD, use arc4random_buf() instead of rand() to prevent warnings
* mpi_fill_random() was creating numbers larger than requested on
big-endian platform when size was not an integer number of limbs
* Fix dependencies issues in X.509 test suite.
* Some parts of ssl_tls.c were compiled even when the module was disabled.
* Fix detection of DragonflyBSD in net.c (found by Markus Pfeiffer)
* Fix detection of Clang on some Apple platforms with CMake
(found by Barry K. Nathan)
= PolarSSL 1.3.6 released on 2014-04-11
Features
* Support for the ALPN SSL extension
* Add option 'use_dev_random' to gen_key application
* Enable verification of the keyUsage extension for CA and leaf
certificates (POLARSSL_X509_CHECK_KEY_USAGE)
* Enable verification of the extendedKeyUsage extension
(POLARSSL_X509_CHECK_EXTENDED_KEY_USAGE)
Changes
* x509_crt_info() now prints information about parsed extensions as well
* pk_verify() now returns a specific error code when the signature is valid
but shorter than the supplied length.
* Use UTC time to check certificate validity.
* Reject certificates with times not in UTC, per RFC 5280.
Security
* Avoid potential timing leak in ecdsa_sign() by blinding modular division.
(Found by Watson Ladd.)
* The notAfter date of some certificates was no longer checked since 1.3.5.
This affects certificates in the user-supplied chain except the top
certificate. If the user-supplied chain contains only one certificates,
it is not affected (ie, its notAfter date is properly checked).
* Prevent potential NULL pointer dereference in ssl_read_record() (found by
TrustInSoft)
Bugfix
* The length of various ClientKeyExchange messages was not properly checked.
* Some example server programs were not sending the close_notify alert.
* Potential memory leak in mpi_exp_mod() when error occurs during
calculation of RR.
* Fixed malloc/free default #define in platform.c (found by Gergely Budai).
* Fixed type which made POLARSSL_ENTROPY_FORCE_SHA256 uneffective (found by
Gergely Budai).
* Fix #include path in ecdsa.h which wasn't accepted by some compilers.
(found by Gergely Budai)
* Fix compile errors when POLARSSL_ERROR_STRERROR_BC is undefined (found by
Shuo Chen).
* oid_get_numeric_string() used to truncate the output without returning an
error if the output buffer was just 1 byte too small.
* dhm_parse_dhm() (hence dhm_parse_dhmfile()) did not set dhm->len.
* Calling pk_debug() on an RSA-alt key would segfault.
* pk_get_size() and pk_get_len() were off by a factor 8 for RSA-alt keys.
* Potential buffer overwrite in pem_write_buffer() because of low length
indication (found by Thijs Alkemade)
* EC curves constants, which should be only in ROM since 1.3.3, were also
stored in RAM due to missing 'const's (found by Gergely Budai).
= PolarSSL 1.3.5 released on 2014-03-26
Features
* HMAC-DRBG as a separate module
* Option to set the Curve preference order (disabled by default)
* Single Platform compatilibity layer (for memory / printf / fprintf)
* Ability to provide alternate timing implementation
* Ability to force the entropy module to use SHA-256 as its basis
(POLARSSL_ENTROPY_FORCE_SHA256)
* Testing script ssl-opt.sh added for testing 'live' ssl option
interoperability against OpenSSL and PolarSSL
* Support for reading EC keys that use SpecifiedECDomain in some cases.
* Entropy module now supports seed writing and reading
Changes
* Deprecated the Memory layer
* entropy_add_source(), entropy_update_manual() and entropy_gather()
now thread-safe if POLARSSL_THREADING_C defined
* Improvements to the CMake build system, contributed by Julian Ospald.
* Work around a bug of the version of Clang shipped by Apple with Mavericks
that prevented bignum.c from compiling. (Reported by Rafael Baptista.)
* Revamped the compat.sh interoperatibility script to include support for
testing against GnuTLS
* Deprecated ssl_set_own_cert_rsa() and ssl_set_own_cert_rsa_alt()
* Improvements to tests/Makefile, contributed by Oden Eriksson.
Security
* Forbid change of server certificate during renegotiation to prevent
"triple handshake" attack when authentication mode is 'optional' (the
attack was already impossible when authentication is required).
* Check notBefore timestamp of certificates and CRLs from the future.
* Forbid sequence number wrapping
* Fixed possible buffer overflow with overlong PSK
* Possible remotely-triggered out-of-bounds memory access fixed (found by
TrustInSoft)
Bugfix
* ecp_gen_keypair() does more tries to prevent failure because of
statistics
* Fixed bug in RSA PKCS#1 v1.5 "reversed" operations
* Fixed testing with out-of-source builds using cmake
* Fixed version-major intolerance in server
* Fixed CMake symlinking on out-of-source builds
* Fixed dependency issues in test suite
* Programs rsa_sign_pss and rsa_verify_pss were not using PSS since 1.3.0
* Bignum's MIPS-32 assembly was used on MIPS-64, causing chaos. (Found by
Alex Wilson.)
* ssl_cache was creating entries when max_entries=0 if TIMING_C was enabled.
* m_sleep() was sleeping twice too long on most Unix platforms.
* Fixed bug with session tickets and non-blocking I/O in the unlikely case
send() would return an EAGAIN error when sending the ticket.
* ssl_cache was leaking memory when reusing a timed out entry containing a
client certificate.
* ssl_srv was leaking memory when client presented a timed out ticket
containing a client certificate
* ssl_init() was leaving a dirty pointer in ssl_context if malloc of
out_ctr failed
* ssl_handshake_init() was leaving dirty pointers in subcontexts if malloc
of one of them failed
* Fix typo in rsa_copy() that impacted PKCS#1 v2 contexts
* x509_get_current_time() uses localtime_r() to prevent thread issues
= PolarSSL 1.3.4 released on 2014-01-27
Features
* Support for the Koblitz curves: secp192k1, secp224k1, secp256k1
* Support for RIPEMD-160
* Support for AES CFB8 mode
* Support for deterministic ECDSA (RFC 6979)
Bugfix
* Potential memory leak in bignum_selftest()
* Replaced expired test certificate
* ssl_mail_client now terminates lines with CRLF, instead of LF
* net module handles timeouts on blocking sockets better (found by Tilman
Sauerbeck)
* Assembly format fixes in bn_mul.h
Security
* Missing MPI_CHK calls added around unguarded mpi calls (found by
TrustInSoft)
= PolarSSL 1.3.3 released on 2013-12-31
Features
* EC key generation support in gen_key app
* Support for adhering to client ciphersuite order preference
(POLARSSL_SSL_SRV_RESPECT_CLIENT_PREFERENCE)
* Support for Curve25519
* Support for ECDH-RSA and ECDH-ECDSA key exchanges and ciphersuites
* Support for IPv6 in the NET module
* AES-NI support for AES, AES-GCM and AES key scheduling
* SSL Pthread-based server example added (ssl_pthread_server)
Changes
* gen_prime() speedup
* Speedup of ECP multiplication operation
* Relaxed some SHA2 ciphersuite's version requirements
* Dropped use of readdir_r() instead of readdir() with threading support
* More constant-time checks in the RSA module
* Split off curves from ecp.c into ecp_curves.c
* Curves are now stored fully in ROM
* Memory usage optimizations in ECP module
* Removed POLARSSL_THREADING_DUMMY
Bugfix
* Fixed bug in mpi_set_bit() on platforms where t_uint is wider than int
* Fixed X.509 hostname comparison (with non-regular characters)
* SSL now gracefully handles missing RNG
* Missing defines / cases for RSA_PSK key exchange
* crypt_and_hash app checks MAC before final decryption
* Potential memory leak in ssl_ticket_keys_init()
* Memory leak in benchmark application
* Fixed x509_crt_parse_path() bug on Windows platforms
* Added missing MPI_CHK() around some statements in mpi_div_mpi() (found by
TrustInSoft)
* Fixed potential overflow in certificate size verification in