PolarSSL Changelog

New in PolarSSL 1.3.9 (Oct 24, 2014)
  • Changes:
  • Ciphersuites using SHA-256 or SHA-384 now require TLS 1.x (there is no standard defining how to use SHA-2 with SSL 3.0).
  • Ciphersuites using RSA-PSK key exchange now require TLS 1.x (the spec is ambiguous on how to encode some packets with SSL 3.0).
  • Made buffer size in pk_write_(pub)key_pem() more dynamic, e.g. smaller if RSA is disabled, larger if POLARSSL_MPI_MAX_SIZE is larger.
  • ssl_read() now returns POLARSSL_ERR_NET_WANT_READ rather than POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE on harmless alerts.
  • POLARSSL_MPI_MAX_SIZE now defaults to 1024 in order to allow 8192 bits RSA keys.
  • Accept spaces at end of line or end of buffer in base64_decode().
  • X.509 certificates with more than one AttributeTypeAndValue per RelativeDistinguishedName are not accepted any more.
  • Bug fixes:
  • Support escaping of commas in x509_string_to_names().
  • Fix compile error in ssl_pthread_server (found by Julian Ospald).
  • Fix net_accept() regarding non-blocking sockets (found by Luca Pesce).
  • Don't print uninitialised buffer in ssl_mail_client (found by Marc Abel).
  • Fix warnings from Clang's scan-build (contributed by Alfred Klomp).
  • Fix compile error in timing.c when POLARSSL_NET_C and POLARSSL_SELFTEST are defined but not POLARSSL_HAVE_TIME (found by Stephane Di Vito).
  • Remove non-existent file from VS projects (found by Peter Vaskovic).
  • ssl_read() could return non-application data records on server while renegotiation was pending, and on client when a HelloRequest was received.
  • Server-initiated renegotiation would fail with non-blocking I/O if the write callback returned POLARSSL_ERR_NET_WANT_WRITE when requesting renegotiation.
  • ssl_close_notify() could send more than one message in some circumstances with non-blocking I/O.
  • Fix compiler warnings on iOS (found by Sander Niemeijer).
  • x509_crt_parse() did not increase total_failed on PEM error
  • Fix compile error with armcc in mpi_is_prime()
  • Fix potential bad read in parsing ServerHello (found by Adrien Vialletelle).

New in PolarSSL 1.3.8 (Jul 12, 2014)

  • Security:
  • Fix length checking for AEAD ciphersuites (found by Codenomicon). It was possible to crash the server (and client) using crafted messages when a GCM suite was chosen.
  • Features:
  • Add CCM module and cipher mode to Cipher Layer
  • Support for CCM and CCM_8 ciphersuites
  • Support for parsing and verifying RSASSA-PSS signatures in the X.509 modules (certificates, CRLs and CSRs).
  • Blowfish in the cipher layer now supports variable length keys.
  • Add example config.h for PSK with CCM, optimized for low RAM usage.
  • Optimize for RAM usage in example config.h for NSA Suite B profile.
  • Add POLARSSL_REMOVE_ARC4_CIPHERSUITES to allow removing RC4 ciphersuites from the default list (inactive by default).
  • Add server-side enforcement of sent renegotiation requests (ssl_set_renegotiation_enforced())
  • Add SSL_CIPHERSUITES config.h flag to allow specifying a list of ciphersuites to use and save some memory if the list is small.
  • Changes:
  • Add LINK_WITH_PTHREAD option in CMake for explicit linking that is required on some platforms (e.g. OpenBSD)
  • Migrate zeroizing of data to polarssl_zeroize() instead of memset() against unwanted compiler optimizations
  • md_list() now returns hashes strongest first
  • Selection of hash for signing ServerKeyExchange in TLS 1.2 now picks strongest offered by client.
  • All public contexts have _init() and _free() functions now for simpler usage pattern
  • Bug fix:
  • Fix in debug_print_msg()
  • Enforce alignment in the buffer allocator even if buffer is not aligned
  • Remove less-than-zero checks on unsigned numbers
  • Stricter check on SSL ClientHello internal sizes compared to actual packet size (found by TrustInSoft)
  • Fix WSAStartup() return value check (found by Peter Vaskovic)
  • Other minor issues (found by Peter Vaskovic)
  • Fix symlink command for cross compiling with CMake (found by Andre Heinecke)
  • Fix DER output of gen_key app (found by Gergely Budai)
  • Very small records were incorrectly rejected when truncated HMAC was in use with some ciphersuites and versions (RC4 in all versions, CBC with versions < TLS 1.1).
  • Very large records using more than 224 bytes of padding were incorrectly rejected with CBC-based ciphersuites and TLS >= 1.1
  • Very large records using less padding could cause a buffer overread of up to 32 bytes with CBC-based ciphersuites and TLS >= 1.1
  • Restore ability to use a v1 cert as a CA if trusted locally. (This had been removed in 1.3.6.)
  • Restore ability to locally trust a self-signed cert that is not a proper CA for use as an end entity certificate. (This had been removed in 1.3.6.)
  • Fix preprocessor checks for bn_mul PPC asm (found by Barry K. Nathan).
  • Use \n\t rather than semicolons for bn_mul asm, since some assemblers interpret semicolons as comment delimiters (found by Barry K. Nathan).
  • Fix off-by-one error in parsing Supported Point Format extension that caused some handshakes to fail.
  • Fix possible miscomputation of the premaster secret with DHE-PSK key exchange that caused some handshakes to fail with other implementations. (Failure rate
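The 1.3.8 "Changes" entry that moves data zeroizing from memset() to polarssl_zeroize() is about dead-store elimination: a plain memset() on a buffer that is never read again (a local key copy about to go out of scope) is a store the optimizer may legally drop, leaving the secret in memory. The following is an added example, not the library's code, showing the technique as a re-implementation: the clearing call is made through a volatile function pointer, so the compiler must perform it. The sample key and the toy checksum are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KEY_LEN 32

/* Volatile pointer to memset: the compiler has to load the pointer and make
 * the call every time, so it cannot prove the store is dead and remove it.
 * This mirrors the idea behind polarssl_zeroize(); it is a re-implementation
 * written for this example, not the library's source. */
static void *(*const volatile memset_func)(void *, int, size_t) = memset;

void zeroize(void *buf, size_t len)
{
    if (len != 0) {
        memset_func(buf, 0, len);
    }
}

/* Number of bytes in 'buf' that are still non-zero. */
size_t nonzero_bytes(const unsigned char *buf, size_t len)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++) {
        n += (buf[i] != 0);
    }
    return n;
}

/* Constructed sample secret: bytes 1..len stand in for real key material. */
void fill_sample_key(unsigned char *key, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        key[i] = (unsigned char)(i + 1);
    }
}

/* Typical shape of code that needs a wipe: copy the key into a stack buffer,
 * use it (here a toy byte sum standing in for a derivation), then clear the
 * copy before returning. A plain memset() here is exactly the store an
 * optimizer may delete, because 'local' is never read afterwards. */
uint32_t derive_and_wipe(const unsigned char *key, size_t len)
{
    unsigned char local[KEY_LEN];
    uint32_t sum = 0;

    if (len > sizeof(local)) {
        return 0;
    }
    memcpy(local, key, len);
    for (size_t i = 0; i < len; i++) {
        sum += local[i];
    }
    zeroize(local, sizeof(local));
    return sum;
}

/* Builds the sample key and runs the derivation; returns the toy checksum. */
uint32_t demo_checksum(void)
{
    unsigned char key[KEY_LEN];
    fill_sample_key(key, sizeof(key));
    return derive_and_wipe(key, sizeof(key));
}

/* Builds the sample key, wipes it, and reports how many bytes survived. */
size_t demo_leftover_bytes(void)
{
    unsigned char key[KEY_LEN];
    fill_sample_key(key, sizeof(key));
    zeroize(key, sizeof(key));
    return nonzero_bytes(key, sizeof(key));
}

int main(void)
{
    printf("toy checksum of sample key: %u\n", (unsigned)demo_checksum());
    printf("non-zero bytes left after zeroize: %zu\n", demo_leftover_bytes());
    return 0;
}
```

Note that a test which reads the buffer after clearing cannot distinguish the two approaches, because the read itself makes the store live; the difference only appears when nothing reads the buffer again, which is precisely the case inside derive_and_wipe(). Inspecting the optimized assembly of such a function is the practical way to confirm the wipe survived.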

New in PolarSSL 1.3.7 (May 5, 2014)

  • Features:
  • debug_set_log_mode() added to determine raw or full logging
  • debug_set_threshold() added to ignore messages over threshold level
  • version_check_feature() added to check for compile-time options at run-time
  • Changes:
  • POLARSSL_CONFIG_OPTIONS has been removed. All values are individually checked and filled in the relevant module headers
  • Debug module only outputs full lines instead of parts
  • Better support for the different Attribute Types from IETF PKIX (RFC 5280)
  • AES-NI now compiles with "old" assemblers too
  • Ciphersuites based on RC4 now have the lowest priority by default
  • Bug fix:
  • Only iterate over actual certificates in ssl_write_certificate_request() (found by Matthew Page)
  • Typos in platform.c and pkcs11.c (found by Daniel Phillips and Steffan Karger)
  • cert_write app should use subject of issuer certificate as issuer of cert
  • Fix false reject in padding check in ssl_decrypt_buf() for CBC ciphersuites, for full SSL frames of data.
  • Improve interoperability by not writing extension length in ClientHello / ServerHello when no extensions are present (found by Matthew Page)
  • rsa_check_pubkey() now allows an E up to N
  • On OpenBSD, use arc4random_buf() instead of rand() to prevent warnings
  • mpi_fill_random() was creating numbers larger than requested on big-endian platform when size was not an integer number of limbs
  • Fix dependencies issues in X.509 test suite.
  • Some parts of ssl_tls.c were compiled even when the module was disabled.
  • Fix detection of DragonflyBSD in net.c (found by Markus Pfeiffer)
  • Fix detection of Clang on some Apple platforms with CMake (found by Barry K. Nathan)

New in PolarSSL 1.3.6 (Apr 29, 2014)

  • Features:
  • Support for the ALPN SSL extension
  • Add option 'use_dev_random' to gen_key application
  • Enable verification of the keyUsage extension for CA and leaf certificates (POLARSSL_X509_CHECK_KEY_USAGE)
  • Enable verification of the extendedKeyUsage extension (POLARSSL_X509_CHECK_EXTENDED_KEY_USAGE)
  • Changes:
  • x509_crt_info() now prints information about parsed extensions as well
  • pk_verify() now returns a specific error code when the signature is valid but shorter than the supplied length.
  • Use UTC time to check certificate validity.
  • Reject certificates with times not in UTC, per RFC 5280.
  • Security:
  • Avoid potential timing leak in ecdsa_sign() by blinding modular division. (Found by Watson Ladd.)
  • The notAfter date of some certificates was no longer checked since 1.3.5. This affects certificates in the user-supplied chain except the top certificate. If the user-supplied chain contains only one certificate, it is not affected (i.e. its notAfter date is properly checked).
  • Prevent potential NULL pointer dereference in ssl_read_record() (found by TrustInSoft)
  • Bug fix:
  • The length of various ClientKeyExchange messages was not properly checked.
  • Some example server programs were not sending the close_notify alert.
  • Potential memory leak in mpi_exp_mod() when error occurs during calculation of RR.
  • Fixed malloc/free default #define in platform.c (found by Gergely Budai).
  • Fixed typo which made POLARSSL_ENTROPY_FORCE_SHA256 ineffective (found by Gergely Budai).
  • Fix #include path in ecdsa.h which wasn't accepted by some compilers. (found by Gergely Budai)
  • Fix compile errors when POLARSSL_ERROR_STRERROR_BC is undefined (found by Shuo Chen).
  • oid_get_numeric_string() used to truncate the output without returning an error if the output buffer was just 1 byte too small.
  • dhm_parse_dhm() (hence dhm_parse_dhmfile()) did not set dhm->len.
  • Calling pk_debug() on an RSA-alt key would segfault.
  • pk_get_size() and pk_get_len() were off by a factor 8 for RSA-alt keys.
  • Potential buffer overwrite in pem_write_buffer() because of low length indication (found by Thijs Alkemade)
  • EC curves constants, which should be only in ROM since 1.3.3, were also stored in RAM due to missing 'const's (found by Gergely Budai).

New in PolarSSL 1.3.5 (Mar 28, 2014)

  • Features:
  • HMAC-DRBG as a separate module
  • Option to set the Curve preference order (disabled by default)
  • Single Platform compatibility layer (for memory / printf / fprintf)
  • Ability to provide alternate timing implementation
  • Ability to force the entropy module to use SHA-256 as its basis (POLARSSL_ENTROPY_FORCE_SHA256)
  • Testing script ssl-opt.sh added for testing 'live' ssl option interoperability against OpenSSL and PolarSSL
  • Support for reading EC keys that use SpecifiedECDomain in some cases.
  • Entropy module now supports seed writing and reading
  • Changes:
  • Deprecated the Memory layer
  • entropy_add_source(), entropy_update_manual() and entropy_gather() now thread-safe if POLARSSL_THREADING_C defined
  • Improvements to the CMake build system, contributed by Julian Ospald.
  • Work around a bug of the version of Clang shipped by Apple with Mavericks that prevented bignum.c from compiling. (Reported by Rafael Baptista.)
  • Revamped the compat.sh interoperability script to include support for testing against GnuTLS
  • Deprecated ssl_set_own_cert_rsa() and ssl_set_own_cert_rsa_alt()
  • Improvements to tests/Makefile, contributed by Oden Eriksson.
  • Security:
  • Forbid change of server certificate during renegotiation to prevent "triple handshake" attack when authentication mode is 'optional' (the attack was already impossible when authentication is required).
  • Check notBefore timestamp of certificates and CRLs from the future.
  • Forbid sequence number wrapping
  • Fixed possible buffer overflow with overlong PSK
  • Possible remotely-triggered out-of-bounds memory access fixed (found by TrustInSoft)
  • Bugfix:
  • ecp_gen_keypair() does more tries to prevent failure because of statistics
  • Fixed bug in RSA PKCS#1 v1.5 "reversed" operations
  • Fixed testing with out-of-source builds using cmake
  • Fixed version-major intolerance in server
  • Fixed CMake symlinking on out-of-source builds
  • Fixed dependency issues in test suite
  • Programs rsa_sign_pss and rsa_verify_pss were not using PSS since 1.3.0
  • Bignum's MIPS-32 assembly was used on MIPS-64, causing chaos. (Found by Alex Wilson.)
  • ssl_cache was creating entries when max_entries=0 if TIMING_C was enabled.
  • m_sleep() was sleeping twice too long on most Unix platforms.
  • Fixed bug with session tickets and non-blocking I/O in the unlikely case send() would return an EAGAIN error when sending the ticket.
  • ssl_cache was leaking memory when reusing a timed out entry containing a client certificate.
  • ssl_srv was leaking memory when client presented a timed out ticket containing a client certificate
  • ssl_init() was leaving a dirty pointer in ssl_context if malloc of out_ctr failed
  • ssl_handshake_init() was leaving dirty pointers in subcontexts if malloc of one of them failed
  • Fix typo in rsa_copy() that impacted PKCS#1 v2 contexts
  • x509_get_current_time() uses localtime_r() to prevent thread issues

New in PolarSSL 1.3.2 (Nov 9, 2013)

  • Features:
  • PK tests added to test framework
  • Added optional optimization for NIST MODP curves (POLARSSL_ECP_NIST_OPTIM)
  • Support for Camellia-GCM mode and ciphersuites
  • Changes:
  • Padding checks in cipher layer are now constant-time
  • Value comparisons in SSL layer are now constant-time
  • Support for serialNumber, postalAddress and postalCode in X509 names
  • SSL Renegotiation was refactored
  • Bugfix:
  • More stringent checks in cipher layer
  • Server does not send out extensions not advertised by client
  • Prevent possible alignment warnings on casting from char * to 'aligned *'
  • Misc fixes and additions to dependency checks
  • Const correctness
  • cert_write with selfsign should use issuer_name as subject_name
  • Fix ECDSA corner case: missing reduction mod N (found by DualTachyon)
  • Defines to handle UEFI environment under MSVC
  • Server-side initiated renegotiations send HelloRequest
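The two 1.3.2 "Changes" entries on constant-time padding checks and constant-time value comparisons describe the same defensive pattern: code whose running time must not depend on secret data. The block below is an added example, not PolarSSL's own implementation, of both ideas in C: a comparison that visits every byte and OR-accumulates differences, and a PKCS#7 padding check over the last CBC block that reads every byte and selects the relevant ones by mask rather than by loop bound. The mask helpers, the sample blocks and the sample tags are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* 0xFF if a < b, else 0x00, for a, b < 2^31, without a data-dependent
 * branch: the unsigned subtraction sets bit 31 exactly when a < b. */
static unsigned char ct_mask_lt(uint32_t a, uint32_t b)
{
    return (unsigned char)(0u - ((a - b) >> 31));
}

/* 0xFF if a == b, else 0x00, for a, b < 2^31. */
static unsigned char ct_mask_eq(uint32_t a, uint32_t b)
{
    uint32_t x = a ^ b;                       /* zero iff equal */
    return (unsigned char)(0u - ((x - 1) >> 31));
}

/* Constant-time equality of two buffers of public length. Every byte is
 * visited and differences are OR-ed together, so the time taken does not
 * reveal where the first mismatch is. Returns 0 iff equal. */
int ct_memcmp(const void *a, const void *b, size_t len)
{
    const unsigned char *p = a, *q = b;
    unsigned char diff = 0;
    for (size_t i = 0; i < len; i++) {
        diff |= (unsigned char)(p[i] ^ q[i]);
    }
    return diff;
}

/* Constant-time PKCS#7 padding check on the last block of a decrypted CBC
 * record. The only branches are on 'len' and 'block_size', which are public.
 * All bytes of the last block are read; which of them count is decided by
 * masks derived from the (secret) padding byte. Returns 0 if the padding is
 * valid and 0xFF otherwise. *data_len receives the unpadded length when
 * valid and 'len' when not, so the caller can continue on a uniform path. */
int ct_check_pkcs7_padding(const unsigned char *buf, size_t len,
                           size_t block_size, size_t *data_len)
{
    if (len < block_size || len % block_size != 0 || block_size > 128) {
        return -1;
    }
    const unsigned char *last = buf + len - block_size;
    uint32_t pad = buf[len - 1];
    /* Invalid if pad == 0 or pad > block_size. */
    unsigned char bad = ct_mask_eq(pad, 0) | ct_mask_lt((uint32_t)block_size, pad);
    for (uint32_t i = 0; i < block_size; i++) {
        uint32_t from_end = (uint32_t)block_size - i;           /* 1 .. block_size */
        unsigned char in_pad = ct_mask_lt(from_end, pad + 1);   /* from_end <= pad */
        bad |= (unsigned char)(in_pad & (last[i] ^ (unsigned char)pad));
    }
    unsigned char bad_mask = (unsigned char)~ct_mask_eq(bad, 0); /* 0xFF iff bad */
    *data_len = len - (size_t)(pad & (unsigned char)~bad_mask);
    return bad_mask;
}

/* Convenience wrapper for the demonstration: unpadded length, or -1 when the
 * padding is invalid. Real record processing would carry the mask into the
 * MAC check instead of branching on it this early. */
long unpadded_length(const unsigned char *buf, size_t len, size_t block_size)
{
    size_t n = 0;
    if (ct_check_pkcs7_padding(buf, len, block_size, &n) != 0) {
        return -1;
    }
    return (long)n;
}

/* Constructed sample blocks (16-byte block size). */
static const unsigned char SAMPLE_OK[16] = {
    'h', 'e', 'l', 'l', 'o', ' ', 'w', 'o', 'r', 'l', 'd', 5, 5, 5, 5, 5 };
static const unsigned char SAMPLE_BAD_BYTE[16] = {
    'h', 'e', 'l', 'l', 'o', ' ', 'w', 'o', 'r', 'l', 'd', 5, 4, 5, 5, 5 };
static const unsigned char SAMPLE_ZERO_PAD[16] = { 0 };      /* pad byte 0 is invalid */
static const unsigned char SAMPLE_FULL_PAD[16] = {
    16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16 };

/* Constructed sample tags differing only in the last byte. */
static const unsigned char TAG_A[4] = { 0xde, 0xad, 0xbe, 0xef };
static const unsigned char TAG_B[4] = { 0xde, 0xad, 0xbe, 0xee };

int main(void)
{
    printf("valid block:     %ld\n", unpadded_length(SAMPLE_OK, 16, 16));
    printf("bad pad byte:    %ld\n", unpadded_length(SAMPLE_BAD_BYTE, 16, 16));
    printf("zero pad byte:   %ld\n", unpadded_length(SAMPLE_ZERO_PAD, 16, 16));
    printf("full-block pad:  %ld\n", unpadded_length(SAMPLE_FULL_PAD, 16, 16));
    printf("tags equal:      %d\n", ct_memcmp(TAG_A, TAG_A, 4) == 0);
    printf("tags differ:     %d\n", ct_memcmp(TAG_A, TAG_B, 4) != 0);
    return 0;
}
```

The mask helpers assume their inputs are below 2^31, which holds for padding bytes and block sizes; the explicit block_size cap in ct_check_pkcs7_padding() keeps the pad + 1 argument inside that range as well.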

New in PolarSSL 1.3.1 (Oct 17, 2013)

  • Features:
  • Support for Brainpool curves and TLS ciphersuites (RFC 7027)
  • Support for ECDHE-PSK key-exchange and ciphersuites
  • Support for RSA-PSK key-exchange and ciphersuites
  • Changes:
  • RSA blinding locks for a smaller amount of time
  • TLS compression only allocates working buffer once
  • Introduced POLARSSL_HAVE_READDIR_R for systems without it
  • config.h is more script-friendly
  • Bugfix:
  • Missing MSVC defines added
  • Compile errors with POLARSSL_RSA_NO_CRT
  • Header files with 'polarssl/'
  • Const correctness
  • Possible naming collision in dhm_context
  • Better support for MSVC
  • threading_set_alt() name
  • Added missing x509write_crt_set_version()

New in PolarSSL 1.3.0 (Oct 12, 2013)

  • Features:
  • One major feature that has been added is Elliptic Curve cryptography and the support for the ECDHE-RSA and ECDHE-ECDSA ciphersuites, X509 certificates and reading and writing of keys.
  • In addition, the pre-shared key ciphersuites based on PSK and DHE-PSK have both been added to the core, allowing us to provide an even smaller footprint for SSL/TLS binaries.
  • A memory allocation abstraction layer and threading abstraction layer have been added to make it even easier to integrate PolarSSL with existing embedded Operating Systems or bare-metal systems.
  • The X509 writing module now supports generating X509 certificates and using Certificate Signing Requests (CSR).
  • Furthermore the entire codebase has been split up further to allow more granular control over what features and code should be present in your binary.
  • And more. Check out the article on new features in PolarSSL 1.3.0 for more details.
  • Changes:
  • The internals of a lot of modules have undergone reconstruction and have resulted in some changes to the existing API. More details on the changes you can expect can be found in the article on migrating from the PolarSSL 1.2 branch to the PolarSSL 1.3 branch.
  • The SHA2 module has been renamed to SHA256 and the SHA4 module has been renamed to SHA512 in light of the official release of SHA-3.
  • You now have the ability to really disable specific SSL / TLS protocol versions, thus allowing you to reduce the code size and prevent attacks on those protocol versions.
  • Ciphersuites now have their own representation and are all located inside the ssl_ciphersuites module. It is now very easy to add your own custom ciphersuites, based on existing primitives, without needing to add any code except for a ciphersuite definition.
  • Most OID's and search / translate functionality has been moved inside a separate OID database module to create cleaner code in the original modules.
  • Bug fixes:
  • Minor memory leaks, file descriptor leaks and other fixes in uncommon scenarios have been fixed.
  • Security:
  • This release fixes a remote timing attack that can potentially recover the RSA private key (Security Advisory 2013-05).

New in PolarSSL 1.1.0 (Dec 27, 2011)

  • Features:
  • Added ssl_session_reset() to allow better multi-connection pools of SSL contexts without needing to set all non-connection-specific data and pointers again. Adapted ssl_server to use this functionality.
  • Added ssl_set_max_version() to allow clients to offer a lower maximum supported version to a server to help buggy server implementations. (Closes ticket #36)
  • Added cipher_get_cipher_mode() and cipher_get_cipher_operation() introspection functions (Closes ticket #40)
  • Added CTR_DRBG based on AES-256-CTR (NIST SP 800-90) random generator
  • Added a generic entropy accumulator that provides support for adding custom entropy sources and added some generic and platform dependent entropy sources
  • Changes:
  • Documentation for AES and Camellia in modes CTR and CFB128 clarified.
  • Fixed rsa_encrypt and rsa_decrypt examples to use public key for encryption and private key for decryption. (Closes ticket #34)
  • Increased maximum size of ASN1 length reads to 32-bits.
  • Added an EXPLICIT tag number parameter to x509_get_ext()
  • Added a separate CRL entry extension parsing function
  • Separated the ASN.1 parsing code from the X.509 specific parsing code. So now there is a module that is controlled with POLARSSL_ASN1_PARSE_C.
  • Changed the defined key-length of DES ciphers in cipher.h to include the parity bits, to prevent mistakes in copying data. (Closes ticket #33)
  • Loads of minimal changes to better support WINCE as a build target (Credits go to Marco Lizza)
  • Added POLARSSL_MPI_WINDOW_SIZE definition to allow easier time to memory trade-off
  • Introduced POLARSSL_MPI_MAX_SIZE and POLARSSL_MPI_MAX_BITS for MPI size management (Closes ticket #44)
  • Changed the used random function pointer to more flexible format. Renamed havege_rand() to havege_random() to prevent mistakes. Lots of changes as a consequence in library code and programs
  • Moved all examples programs to use the new entropy and CTR_DRBG
  • Added permissive certificate parsing to x509parse_crt() and x509parse_crtfile(). With permissive parsing the parsing does not stop on encountering a parse-error. Beware that the meaning of return values has changed!
  • All error codes are now negative, even on memory failures and IO errors.
  • Bug fix:
  • Fixed faulty HMAC-MD2 implementation. Found by dibac. (Closes ticket #37)
  • Fixed a bug where the CRL parser expected an EXPLICIT ASN.1 tag before version numbers
  • Allowed X509 key usage parsing to accept 4 byte values instead of the standard 1 byte version sometimes used by Microsoft. (Closes ticket #38)
  • Fixed incorrect behaviour in case of RSASSA-PSS with a salt length smaller than the hash length. (Closes ticket #41)
  • If certificate serial is longer than 32 octets, serial number is now appended with '....' after first 28 octets
  • Improved build support for s390x and sparc64 in bignum.h
  • Fixed MS Visual C++ name clash with int64 in sha4.h
  • Corrected removal of leading "00:" in printing serial numbers in certificates and CRLs

New in PolarSSL 0.99 Pre 3 (Mar 1, 2011)

  • Features:
  • Parsing PEM private keys encrypted with DES and AES are now supported as well (Fixes ticket #5)
  • Added crl_app program to allow easy reading and printing of X509 CRLs from file
  • Changes:
  • Parsing of PEM files moved to separate module (Fixes ticket #13). Also possible to remove PEM support for systems only using DER encoding
  • Bugfixes:
  • Corrected parsing of UTCTime dates before 1990 and after 1950
  • Support more exotic OID's when parsing certificates (found by Mads Kiilerich)
  • Support more exotic name representations when parsing certificates (found by Mads Kiilerich)
  • Replaced the expired test certificates
  • Do not bail out if no client certificate specified. Try to negotiate anonymous connection (Fixes ticket #12, found by Boris Krasnovskiy)
  • Security fixes:
  • Fixed a possible Man-in-the-Middle attack on the Diffie Hellman key exchange (thanks to Larry Highsmith, Subreption LLC)

New in PolarSSL 0.14.2 (Mar 1, 2011)

  • Bugfixes:
  • Corrected parsing of UTCTime dates before 1990 and after 1950
  • Support more exotic OID's when parsing certificates (found by Mads Kiilerich)
  • Support more exotic name representations when parsing certificates (found by Mads Kiilerich)
  • Replaced the expired test certificates
  • Do not bail out if no client certificate specified. Try to negotiate anonymous connection (Fixes ticket #12, found by Boris Krasnovskiy)
  • Security fixes:
  • Fixed a possible Man-in-the-Middle attack on the Diffie Hellman key exchange (thanks to Larry Highsmith, Subreption LLC)

New in PolarSSL 0.99 Pre 2 (Feb 25, 2011)

  • Features:
  • Parsing PEM private keys encrypted with DES and AES are now supported as well (Fixes ticket #5)
  • Added crl_app program to allow easy reading and printing of X509 CRLs from file
  • Changes:
  • Parsing of PEM files moved to separate module (Fixes ticket #13). Also possible to remove PEM support for systems only using DER encoding
  • Bugfixes:
  • Corrected parsing of UTCTime dates before 1990 and after 1950
  • Support more exotic OID's when parsing certificates (found by Mads Kiilerich)
  • Support more exotic name representations when parsing certificates (found by Mads Kiilerich)
  • Replaced the expired test certificates
  • Do not bail out if no client certificate specified. Try to negotiate anonymous connection (Fixes ticket #12, found by Boris Krasnovskiy)

New in PolarSSL 0.14.0 (Aug 17, 2010)

  • Features:
  • Added support for SSL_EDH_RSA_AES_128_SHA and SSL_EDH_RSA_CAMELLIA_128_SHA ciphersuites
  • Added compile-time and run-time version information
  • Expanded ssl_client2 arguments for more flexibility
  • Added support for TLS v1.1
  • Changes:
  • Made Makefile cleaner
  • Removed dependency on rand() in rsa_pkcs1_encrypt(). Now using random function provided to function and changed the prototype of rsa_pkcs1_encrypt(), rsa_init() and rsa_gen_key().
  • Some SSL defines were renamed in order to avoid future confusion
  • Bug fixes:
  • Fixed CMake out of source build for tests (found by kkert)
  • rsa_check_private() now supports PKCS1v2 keys as well
  • Fixed deadlock in rsa_pkcs1_encrypt() on failing random generator

New in PolarSSL 0.13.1 (Mar 24, 2010)

  • Bug fixes:
  • Fixed Makefile in library that was mistakenly merged
  • Added missing const string fixes

New in PolarSSL 0.13.0 (Mar 23, 2010)

  • Features:
  • Added option parsing for host and port selection to ssl_client2
  • Added support for GeneralizedTime in X509 parsing
  • Added cert_app program to allow easy reading and printing of X509 certificates from file or SSL connection.
  • Changes:
  • Added const correctness for main code base
  • X509 signature algorithm determination is now in a function to allow easy future expansion
  • Changed symmetric cipher functions to identical interface (returning int result values)
  • Changed ARC4 to use separate input/output buffer
  • Added reset function for HMAC context as speed-up for specific use-cases
  • Bug fixes:
  • Fixed bug resulting in failure to send the last certificate in the chain in ssl_write_certificate() and ssl_write_certificate_request() (found by fatbob)
  • Added small fixes for compiler warnings on a Mac (found by Frank de Brabander)
  • Fixed algorithmic bug in mpi_is_prime() (found by Smbat Tonoyan)

New in PolarSSL 0.12.1 (Nov 6, 2009)

  • Changes:
  • Coverage test definitions now support 'depends_on' tagging system.
  • Tests requiring specific hashing algorithms now honor the defines.
  • Bug fixes:
  • Changed typo in #ifdef in x509parse.c (found by Eduardo)