PolarSSL ChangeLog (Sorted per branch, date)

ABI Alert: ALPN changes the ABI for the next release.

= PolarSSL 1.3 branch

Features
   * Support for the ALPN SSL extension
   * Add option 'use_dev_random' to gen_key application
   * Enable verification of the keyUsage extension for CA and leaf
     certificates (POLARSSL_X509_CHECK_KEY_USAGE)
   * Enable verification of the extendedKeyUsage extension
     (POLARSSL_X509_CHECK_EXTENDED_KEY_USAGE)

Changes
   * x509_crt_info() now prints information about parsed extensions as well
   * pk_verify() now returns a specific error code when the signature is valid
     but shorter than the supplied length.

Security
   * Avoid potential timing leak in ecdsa_sign() by blinding modular division.
     (Found by Watson Ladd.)
   * The notAfter date of some certificates was no longer checked since 1.3.5.
     This affects certificates in the user-supplied chain except the top
     certificate. If the user-supplied chain contains only one certificate,
     it is not affected (i.e., its notAfter date is properly checked).
   * Prevent potential NULL pointer dereference in ssl_read_record() (found by
     TrustInSoft)

Bugfix
   * The length of various ClientKeyExchange messages was not properly checked.
   * Some example server programs were not sending the close_notify alert.
   * Potential memory leak in mpi_exp_mod() when error occurs during
     calculation of RR.
   * Fixed malloc/free default #define in platform.c (found by Gergely Budai).
   * Fixed typo which made POLARSSL_ENTROPY_FORCE_SHA256 ineffective (found by
     Gergely Budai).
   * Fix #include path in ecdsa.h which wasn't accepted by some compilers.
     (found by Gergely Budai)
   * Fix compile errors when POLARSSL_ERROR_STRERROR_BC is undefined (found by
     Shuo Chen).
   * oid_get_numeric_string() used to truncate the output without returning an
     error if the output buffer was just 1 byte too small.
   * dhm_parse_dhm() (hence dhm_parse_dhmfile()) did not set dhm->len.
   * Calling pk_debug() on an RSA-alt key would segfault.
   * pk_get_size() and pk_get_len() were off by a factor 8 for RSA-alt keys.

= PolarSSL 1.3.5 released on 2014-03-26
Features
   * HMAC-DRBG as a separate module
   * Option to set the Curve preference order (disabled by default)
   * Single Platform compatibility layer (for memory / printf / fprintf)
   * Ability to provide alternate timing implementation
   * Ability to force the entropy module to use SHA-256 as its basis
     (POLARSSL_ENTROPY_FORCE_SHA256)
   * Testing script ssl-opt.sh added for testing 'live' ssl option
     interoperability against OpenSSL and PolarSSL
   * Support for reading EC keys that use SpecifiedECDomain in some cases.
   * Entropy module now supports seed writing and reading

Changes
   * Deprecated the Memory layer
   * entropy_add_source(), entropy_update_manual() and entropy_gather()
     now thread-safe if POLARSSL_THREADING_C defined
   * Improvements to the CMake build system, contributed by Julian Ospald.
   * Work around a bug of the version of Clang shipped by Apple with Mavericks
     that prevented bignum.c from compiling. (Reported by Rafael Baptista.)
   * Revamped the compat.sh interoperability script to include support for
     testing against GnuTLS
   * Deprecated ssl_set_own_cert_rsa() and ssl_set_own_cert_rsa_alt()
   * Improvements to tests/Makefile, contributed by Oden Eriksson.

Security
   * Forbid change of server certificate during renegotiation to prevent
     "triple handshake" attack when authentication mode is 'optional' (the
     attack was already impossible when authentication is required).
   * Check notBefore timestamp of certificates and CRLs from the future.
   * Forbid sequence number wrapping
   * Fixed possible buffer overflow with overlong PSK
   * Possible remotely-triggered out-of-bounds memory access fixed (found by
     TrustInSoft)

Bugfix
   * ecp_gen_keypair() now makes more attempts, to prevent statistically
     unlikely failures
   * Fixed bug in RSA PKCS#1 v1.5 "reversed" operations
   * Fixed testing with out-of-source builds using cmake
   * Fixed version-major intolerance in server
   * Fixed CMake symlinking on out-of-source builds
   * Fixed dependency issues in test suite
   * Programs rsa_sign_pss and rsa_verify_pss were not using PSS since 1.3.0
   * Bignum's MIPS-32 assembly was used on MIPS-64, causing chaos. (Found by
     Alex Wilson.)
   * ssl_cache was creating entries when max_entries=0 if TIMING_C was enabled.
   * m_sleep() was sleeping twice too long on most Unix platforms.
   * Fixed bug with session tickets and non-blocking I/O in the unlikely case
     send() would return an EAGAIN error when sending the ticket.
   * ssl_cache was leaking memory when reusing a timed out entry containing a
     client certificate.
   * ssl_srv was leaking memory when client presented a timed out ticket
     containing a client certificate
   * ssl_init() was leaving a dirty pointer in ssl_context if malloc of
     out_ctr failed
   * ssl_handshake_init() was leaving dirty pointers in subcontexts if malloc
     of one of them failed
   * Fix typo in rsa_copy() that impacted PKCS#1 v2 contexts
   * x509_get_current_time() uses localtime_r() to prevent thread issues

= PolarSSL 1.3.4 released on 2014-01-27
Features
   * Support for the Koblitz curves: secp192k1, secp224k1, secp256k1
   * Support for RIPEMD-160
   * Support for AES CFB8 mode
   * Support for deterministic ECDSA (RFC 6979)

Bugfix
   * Potential memory leak in bignum_selftest()
   * Replaced expired test certificate
   * ssl_mail_client now terminates lines with CRLF, instead of LF
   * net module handles timeouts on blocking sockets better (found by Tilman
     Sauerbeck)
   * Assembly format fixes in bn_mul.h

Security
   * Missing MPI_CHK calls added around unguarded mpi calls (found by
     TrustInSoft)

= PolarSSL 1.3.3 released on 2013-12-31
Features
   * EC key generation support in gen_key app
   * Support for adhering to client ciphersuite order preference
     (POLARSSL_SSL_SRV_RESPECT_CLIENT_PREFERENCE)
   * Support for Curve25519
   * Support for ECDH-RSA and ECDH-ECDSA key exchanges and ciphersuites
   * Support for IPv6 in the NET module
   * AES-NI support for AES, AES-GCM and AES key scheduling
   * SSL Pthread-based server example added (ssl_pthread_server)

Changes
   * gen_prime() speedup
   * Speedup of ECP multiplication operation
   * Relaxed some SHA2 ciphersuite's version requirements
   * Dropped use of readdir_r() instead of readdir() with threading support
   * More constant-time checks in the RSA module
   * Split off curves from ecp.c into ecp_curves.c
   * Curves are now stored fully in ROM
   * Memory usage optimizations in ECP module
   * Removed POLARSSL_THREADING_DUMMY

Bugfix
   * Fixed bug in mpi_set_bit() on platforms where t_uint is wider than int
   * Fixed X.509 hostname comparison (with non-regular characters)
   * SSL now gracefully handles missing RNG
   * Missing defines / cases for RSA_PSK key exchange
   * crypt_and_hash app checks MAC before final decryption
   * Potential memory leak in ssl_ticket_keys_init()
   * Memory leak in benchmark application
   * Fixed x509_crt_parse_path() bug on Windows platforms
   * Added missing MPI_CHK() around some statements in mpi_div_mpi() (found by
     TrustInSoft)
   * Fixed potential overflow in certificate size verification in
     ssl_write_certificate() (found by TrustInSoft)

Security
   * Possible remotely-triggered out-of-bounds memory access fixed (found by
     TrustInSoft)

= PolarSSL 1.3.2 released on 2013-11-04
Features
   * PK tests added to test framework
   * Added optional optimization for NIST MODP curves (POLARSSL_ECP_NIST_OPTIM)
   * Support for Camellia-GCM mode and ciphersuites

Changes
   * Padding checks in cipher layer are now constant-time
   * Value comparisons in SSL layer are now constant-time
   * Support for serialNumber, postalAddress and postalCode in X509 names
   * SSL Renegotiation was refactored

Bugfix
   * More stringent checks in cipher layer
   * Server does not send out extensions not advertised by client
   * Prevent possible alignment warnings on casting from char * to 'aligned *'
   * Misc fixes and additions to dependency checks
   * Const correctness
   * cert_write with selfsign should use issuer_name as subject_name
   * Fix ECDSA corner case: missing reduction mod N (found by DualTachyon)
   * Defines to handle UEFI environment under MSVC
   * Server-side initiated renegotiations send HelloRequest

= PolarSSL 1.3.1 released on 2013-10-15
Features
   * Support for Brainpool curves and TLS ciphersuites (RFC 7027)
   * Support for ECDHE-PSK key-exchange and ciphersuites
   * Support for RSA-PSK key-exchange and ciphersuites

Changes
   * RSA blinding locks for a smaller amount of time
   * TLS compression only allocates working buffer once
   * Introduced POLARSSL_HAVE_READDIR_R for systems without it
   * config.h is more script-friendly

Bugfix
   * Missing MSVC defines added
   * Compile errors with POLARSSL_RSA_NO_CRT
   * Header files with 'polarssl/'
   * Const correctness
   * Possible naming collision in dhm_context
   * Better support for MSVC
   * threading_set_alt() name
   * Added missing x509write_crt_set_version()

= PolarSSL 1.3.0 released on 2013-10-01
Features
   * Elliptic Curve Cryptography module added
   * Elliptic Curve Diffie Hellman module added
   * Ephemeral Elliptic Curve Diffie Hellman support for SSL/TLS
    (ECDHE-based ciphersuites)
   * Ephemeral Elliptic Curve Digital Signature Algorithm support for SSL/TLS
    (ECDSA-based ciphersuites)
   * Ability to specify allowed ciphersuites based on the protocol version.
   * PSK and DHE-PSK based ciphersuites added
   * Memory allocation abstraction layer added
   * Buffer-based memory allocator added (no malloc() / free() / HEAP usage)
   * Threading abstraction layer added (dummy / pthread / alternate)
   * Public Key abstraction layer added
   * Parsing Elliptic Curve keys
   * Parsing Elliptic Curve certificates
   * Support for max_fragment_length extension (RFC 6066)
   * Support for truncated_hmac extension (RFC 6066)
   * Support for zeros-and-length (ANSI X.923) padding, one-and-zeros
     (ISO/IEC 7816-4) padding and zero padding in the cipher layer
   * Support for session tickets (RFC 5077)
   * Certificate Request (CSR) generation with extensions (key_usage,
     ns_cert_type)
   * X509 Certificate writing with extensions (basic_constraints,
     issuer_key_identifier, etc)
   * Optional blinding for RSA, DHM and EC
   * Support for multiple active certificate / key pairs in SSL servers for
     the same host (Not to be confused with SNI!)

Changes
   * Ability to enable / disable SSL v3 / TLS 1.0 / TLS 1.1 / TLS 1.2
     individually
   * Introduced separate SSL Ciphersuites module that is based on
     Cipher and MD information
   * Internals for SSL module adapted to have separate IV pointer that is
     dynamically set (Better support for hardware acceleration)
   * Moved all OID functionality to a separate module. RSA function
     prototypes for the RSA sign and verify functions changed as a result
   * Split up the GCM module into a starts/update/finish cycle
   * Client and server now filter sent and accepted ciphersuites on minimum
     and maximum protocol version
   * Ability to disable server_name extension (RFC 6066)
   * Renamed error_strerror() to the less conflicting polarssl_strerror()
     (Ability to keep old as well with POLARSSL_ERROR_STRERROR_BC)
   * SHA2 renamed to SHA256, SHA4 renamed to SHA512 and functions accordingly
   * All RSA operations require a random generator for blinding purposes
   * X509 core refactored
   * x509_crt_verify() now case insensitive for cn (RFC 6125 6.4)
   * Also compiles / runs without time-based functions (!POLARSSL_HAVE_TIME)
   * Support faulty X509 v1 certificates with extensions
     (POLARSSL_X509_ALLOW_EXTENSIONS_NON_V3)

Bugfix
   * Fixed parse error in ssl_parse_certificate_request()
   * zlib compression/decompression skipped on empty blocks
   * Support for AIX header locations in net.c module
   * Fixed file descriptor leaks

Security
   * RSA blinding on CRT operations to counter timing attacks
     (found by Cyril Arnaud and Pierre-Alain Fouque)

= Version 1.2.10 released 2013-10-07
Changes
   * Changed RSA blinding to a slower but thread-safe version

Bugfix
   * Fixed memory leak in RSA as a result of introduction of blinding
   * Fixed ssl_pkcs11_decrypt() prototype
   * Fixed MSVC project files

= Version 1.2.9 released 2013-10-01
Changes
   * x509_verify() now case insensitive for cn (RFC 6125 6.4)

Bugfix
   * Fixed potential memory leak when failing to resume a session
   * Fixed potential file descriptor leaks (found by Remi Gacogne)
   * Minor fixes

Security
   * Fixed potential heap buffer overflow on large hostname setting
   * Fixed potential negative value misinterpretation in load_file()
   * RSA blinding on CRT operations to counter timing attacks
     (found by Cyril Arnaud and Pierre-Alain Fouque)

= Version 1.2.8 released 2013-06-19
Features
   * Parsing of PKCS#8 encrypted private key files
   * PKCS#12 PBE and derivation functions
   * Centralized module option values in config.h to allow user-defined
     settings without editing header files by using POLARSSL_CONFIG_OPTIONS

Changes
   * HAVEGE random generator disabled by default
   * Internally split up x509parse_key() into a (PEM) handler function
     and specific DER parser functions for the PKCS#1 and unencrypted
     PKCS#8 private key formats
   * Added mechanism to provide alternative implementations for all
     symmetric cipher and hash algorithms (e.g. POLARSSL_AES_ALT in
     config.h)
   * PKCS#5 module added. Moved PBKDF2 functionality inside and deprecated
     old PBKDF2 module

Bugfix
   * Secure renegotiation extension should only be sent in case client
     supports secure renegotiation
   * Fixed offset for cert_type list in ssl_parse_certificate_request()
   * Fixed const correctness issues that have no impact on the ABI
   * x509parse_crt() now better handles PEM error situations
   * ssl_parse_certificate() now calls x509parse_crt_der() directly
     instead of the x509parse_crt() wrapper that can also parse PEM
     certificates
   * x509parse_crtpath() is now reentrant and uses more portable stat()
   * Fixed bignum.c and bn_mul.h to support Thumb2 and LLVM compiler
   * Fixed values for 2-key Triple DES in cipher layer
   * ssl_write_certificate_request() can handle empty ca_chain

Security
   * A possible DoS during the SSL Handshake, due to faulty parsing of
     PEM-encoded certificates has been fixed (found by Jack Lloyd)

= Version 1.2.7 released 2013-04-13
Features
   * Ability to specify allowed ciphersuites based on the protocol version.

Changes
   * Default Blowfish keysize is now 128-bits
   * Test suites made smaller to accommodate Raspberry Pi

Bugfix
   * Fix for MPI assembly for ARM
   * GCM adapted to support sizes > 2^29

= Version 1.2.6 released 2013-03-11
Bugfix
   * Fixed memory leak in ssl_free() and ssl_reset() for active session
   * Corrected GCM counter incrementation to use only 32-bits instead of
     128-bits (found by Yawning Angel)
   * Fixes for 64-bit compilation with MS Visual Studio
   * Fixed net_bind() for specified IP addresses on little endian systems
   * Fixed assembly code for ARM (Thumb and regular) for some compilers
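
The GCM counter fix listed above (the counter block must increment only its low-order 32 bits, the inc32() function of NIST SP 800-38D, not the full 128 bits) as an added example; this is illustrative code written for this page, not PolarSSL's gcm.c, and the 0xAA filler in the high 96 bits is a constructed value:

```c
#include <stdint.h>
#include <string.h>

/* Read the low-order 32 bits of a 16-byte counter block (big-endian). */
static uint32_t gcm_ctr_low32(const unsigned char ctr[16])
{
    return ((uint32_t) ctr[12] << 24) | ((uint32_t) ctr[13] << 16) |
           ((uint32_t) ctr[14] << 8)  |  (uint32_t) ctr[15];
}

/* Correct inc32(): increment only bytes 12..15, wrapping modulo 2^32.
 * A carry out of byte 12 is dropped; bytes 0..11 are never touched. */
static void gcm_inc32(unsigned char ctr[16])
{
    int i;
    for (i = 15; i >= 12; i--)
        if (++ctr[i] != 0)
            break;
}

/* The pre-1.2.6 behaviour, kept only for comparison: the carry runs across
 * all 128 bits, so a wrap of the low 32 bits also modifies byte 11, and the
 * keystream no longer matches a conforming peer after 2^32 blocks. */
static void gcm_inc128_buggy(unsigned char ctr[16])
{
    int i;
    for (i = 15; i >= 0; i--)
        if (++ctr[i] != 0)
            break;
}

/* Build a block whose high 96 bits are constant filler (constructed value
 * 0xAA) and whose low 32 bits equal 'low', apply inc32() n times, and
 * return the resulting low 32 bits. */
uint32_t gcm_inc32_after(uint32_t low, unsigned n)
{
    unsigned char ctr[16];
    memset(ctr, 0xAA, 12);
    ctr[12] = (unsigned char)(low >> 24);
    ctr[13] = (unsigned char)(low >> 16);
    ctr[14] = (unsigned char)(low >> 8);
    ctr[15] = (unsigned char) low;
    while (n-- > 0)
        gcm_inc32(ctr);
    return gcm_ctr_low32(ctr);
}

/* Returns 1 if the correct and the buggy increment diverge when the low
 * 32 bits wrap from 0xFFFFFFFF, 0 if they agree (they must diverge). */
int gcm_inc32_wrap_differs(void)
{
    unsigned char good[16], bad[16];
    memset(good, 0xAA, 12);
    memset(good + 12, 0xFF, 4);
    memcpy(bad, good, 16);
    gcm_inc32(good);        /* AA..AA AA 00 00 00 00 */
    gcm_inc128_buggy(bad);  /* AA..AA AB 00 00 00 00 */
    return memcmp(good, bad, 16) != 0;
}
```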

Changes
   * Internally split up rsa_pkcs1_encrypt(), rsa_pkcs1_decrypt(),
     rsa_pkcs1_sign() and rsa_pkcs1_verify() to separate PKCS#1 v1.5 and
     PKCS#1 v2.1 functions
   * Added support for custom labels when using rsa_rsaes_oaep_encrypt()
     or rsa_rsaes_oaep_decrypt()
   * Re-added handling for SSLv2 Client Hello when the define
     POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO is set
   * The SSL session cache module (ssl_cache) now also retains peer_cert
     information (not the entire chain)

Security
   * Removed further timing differences during SSL message decryption in
     ssl_decrypt_buf()
   * Removed timing differences due to bad padding from
     rsa_rsaes_pkcs1_v15_decrypt() and rsa_pkcs1_decrypt() for PKCS#1 v1.5
     operations

= Version 1.2.5 released 2013-02-02
Changes
   * Allow enabling of dummy error_strerror() to support some use-cases
   * Debug messages about padding errors during SSL message decryption are
     disabled by default and can be enabled with POLARSSL_SSL_DEBUG_ALL 
   * Sending of security-relevant alert messages that do not break
     interoperability can be switched on/off with the flag
     POLARSSL_SSL_ALL_ALERT_MESSAGES

Security
   * Removed timing differences during SSL message decryption in
     ssl_decrypt_buf() due to badly formatted padding

= Version 1.2.4 released 2013-01-25
Changes
   * More advanced SSL ciphersuite representation and moved to more dynamic
     SSL core
   * Added ssl_handshake_step() to allow single stepping the handshake process

Bugfix
   * Memory leak when using RSA_PKCS_V21 operations fixed
   * Handle future version properly in ssl_write_certificate_request()
   * Correctly handle CertificateRequest message in client for <= TLS 1.1
     without DN list

= Version 1.2.3 released 2012-11-26
Bugfix
   * Server not always sending correct CertificateRequest message

= Version 1.2.2 released 2012-11-24
Changes
   * Added p_hw_data to ssl_context for context specific hardware acceleration
     data
   * During verify trust-CA is only checked for expiration and CRL presence  

Bugfixes
   * Fixed client authentication compatibility
   * Fixed dependency on POLARSSL_SHA4_C in SSL modules

= Version 1.2.1 released 2012-11-20
Changes
   * Depth that the certificate verify callback receives is now numbered
     bottom-up (Peer cert depth is 0)

Bugfixes
   * Fixes for MSVC6
   * Moved mpi_inv_mod() outside POLARSSL_GENPRIME
   * Allow R and A to point to same mpi in mpi_div_mpi (found by Manuel
     Pégourié-Gonnard)
   * Fixed possible segfault in mpi_shift_r() (found by Manuel
     Pégourié-Gonnard)
   * Added max length check for rsa_pkcs1_sign with PKCS#1 v2.1

= Version 1.2.0 released 2012-10-31
Features
   * Added support for NULL cipher (POLARSSL_CIPHER_NULL_CIPHER) and weak
     ciphersuites (POLARSSL_ENABLE_WEAK_CIPHERSUITES). They are disabled by
     default!
   * Added support for wildcard certificates
   * Added support for multi-domain certificates through the X509 Subject
     Alternative Name extension
   * Added preliminary ASN.1 buffer writing support
   * Added preliminary X509 Certificate Request writing support
   * Added key_app_writer example application
   * Added cert_req example application
   * Added base Galois Counter Mode (GCM) for AES
   * Added TLS 1.2 support (RFC 5246)
   * Added GCM suites to TLS 1.2 (RFC 5288)
   * Added commandline error code converter (util/strerror)
   * Added support for Hardware Acceleration hooking in SSL/TLS
   * Added OpenSSL / PolarSSL compatibility script (tests/compat.sh) and
     example application (programs/ssl/o_p_test) (requires OpenSSL)
   * Added X509 CA Path support
   * Added Thumb assembly optimizations
   * Added DEFLATE compression support as per RFC3749 (requires zlib)
   * Added blowfish algorithm (Generic and cipher layer)
   * Added PKCS#5 PBKDF2 key derivation function
   * Added Secure Renegotiation (RFC 5746)
   * Added predefined DHM groups from RFC 5114
   * Added simple SSL session cache implementation
   * Added ServerName extension parsing (SNI) at server side
   * Added option to add minimum accepted SSL/TLS protocol version

Changes
   * Removed redundant POLARSSL_DEBUG_MSG define
   * AES code only checks for Padlock once
   * Fixed const-correctness mpi_get_bit()
   * Documentation for mpi_lsb() and mpi_msb()
   * Moved out_msg to out_hdr + 32 to support hardware acceleration
   * Changed certificate verify behaviour to comply with RFC 6125 section 6.3
     to not match CN if subjectAltName extension is present (Closes ticket #56)
   * Cipher layer cipher_mode_t POLARSSL_MODE_CFB128 is renamed to
     POLARSSL_MODE_CFB, to also handle different block size CFB modes.
   * Removed handling for SSLv2 Client Hello (as per RFC 5246 recommendation)
   * Revamped session resumption handling
   * Generalized external private key implementation handling (like PKCS#11)
     in SSL/TLS
   * Revamped x509_verify() and the SSL f_vrfy callback implementations
   * Moved from unsigned long to fixed width uint32_t types throughout code
   * Renamed ciphersuites naming scheme to IANA reserved names

Bugfix
   * Fixed handling error in mpi_cmp_mpi() on longer B values (found by
     Hui Dong)
   * Fixed potential heap corruption in x509_name allocation
   * Fixed single RSA test that failed on Big Endian systems (Closes ticket #54)
   * mpi_exp_mod() now correctly handles negative base numbers (Closes ticket
     #52)
   * Handle encryption with private key and decryption with public key as per
     RFC 2313
   * Handle empty certificate subject names
   * Prevent reading over buffer boundaries on X509 certificate parsing
   * mpi_add_abs() now correctly handles adding short numbers to long numbers
     with carry rollover (found by Ruslan Yushchenko)
   * Handle existence of OpenSSL Trust Extensions at end of X.509 DER blob
   * Fixed MPI assembly for SPARC64 platform

Security
   * Fixed potential memory zeroization on miscrafted RSA key (found by Eloi
     Vanderbeken)

= Version 1.1.8 released on 2013-10-01
Bugfix
   * Fixed potential memory leak when failing to resume a session
   * Fixed potential file descriptor leaks

Security
   * Potential buffer-overflow for ssl_read_record() (independently found by
     both TrustInSoft and Paul Brodeur of Leviathan Security Group)
   * Potential negative value misinterpretation in load_file()
   * Potential heap buffer overflow on large hostname setting

= Version 1.1.7 released on 2013-06-19
Changes
   * HAVEGE random generator disabled by default

Bugfix
   * x509parse_crt() now better handles PEM error situations
   * ssl_parse_certificate() now calls x509parse_crt_der() directly
     instead of the x509parse_crt() wrapper that can also parse PEM
     certificates
   * Fixed values for 2-key Triple DES in cipher layer
   * ssl_write_certificate_request() can handle empty ca_chain

Security
   * A possible DoS during the SSL Handshake, due to faulty parsing of
     PEM-encoded certificates has been fixed (found by Jack Lloyd)

= Version 1.1.6 released on 2013-03-11
Bugfix
   * Fixed net_bind() for specified IP addresses on little endian systems

Changes
   * Allow enabling of dummy error_strerror() to support some use-cases
   * Debug messages about padding errors during SSL message decryption are
     disabled by default and can be enabled with POLARSSL_SSL_DEBUG_ALL

Security
   * Removed timing differences during SSL message decryption in
     ssl_decrypt_buf()
   * Removed timing differences due to bad padding from
     rsa_rsaes_pkcs1_v15_decrypt() and rsa_pkcs1_decrypt() for PKCS#1 v1.5
     operations

= Version 1.1.5 released on 2013-01-16
Bugfix
   * Fixed MPI assembly for SPARC64 platform
   * Handle existence of OpenSSL Trust Extensions at end of X.509 DER blob
   * mpi_add_abs() now correctly handles adding short numbers to long numbers
     with carry rollover
   * Moved mpi_inv_mod() outside POLARSSL_GENPRIME
   * Prevent reading over buffer boundaries on X509 certificate parsing
   * mpi_exp_mod() now correctly handles negative base numbers (Closes ticket
     #52)
   * Fixed possible segfault in mpi_shift_r() (found by Manuel
     Pégourié-Gonnard)
   * Allow R and A to point to same mpi in mpi_div_mpi (found by Manuel
     Pégourié-Gonnard)
   * Added max length check for rsa_pkcs1_sign with PKCS#1 v2.1
   * Memory leak when using RSA_PKCS_V21 operations fixed
   * Handle encryption with private key and decryption with public key as per
     RFC 2313
   * Fixes for MSVC6

Security
   * Fixed potential memory zeroization on miscrafted RSA key (found by Eloi
     Vanderbeken)

= Version 1.1.4 released on 2012-05-31
Bugfix
   * Correctly handle empty SSL/TLS packets (Found by James Yonan)
   * Fixed potential heap corruption in x509_name allocation
   * Fixed single RSA test that failed on Big Endian systems (Closes ticket #54)

= Version 1.1.3 released on 2012-04-29
Bugfix
   * Fixed random MPI generation to not generate more size than requested.

= Version 1.1.2 released on 2012-04-26
Bugfix
   * Fixed handling error in mpi_cmp_mpi() on longer B values (found by
     Hui Dong)

Security
   * Fixed potential memory corruption on miscrafted client messages (found by
     Frama-C team at CEA LIST)
   * Fixed generation of DHM parameters to correct length (found by Ruslan
     Yushchenko)

= Version 1.1.1 released on 2012-01-23
Bugfix
   * Check for failed malloc() in ssl_set_hostname() and x509_get_entries()
     (Closes ticket #47, found by Hugo Leisink)
   * Fixed issues with Intel compiler on 64-bit systems (Closes ticket #50)
   * Fixed multiple compiler warnings for VS6 and armcc
   * Fixed bug in CTR_DRBG selftest

= Version 1.1.0 released on 2011-12-22
Features
   * Added ssl_session_reset() to allow better multi-connection pools of
     SSL contexts without needing to set all non-connection-specific
     data and pointers again. Adapted ssl_server to use this functionality.
   * Added ssl_set_max_version() to allow clients to offer a lower maximum
     supported version to a server to help buggy server implementations.
     (Closes ticket #36)
   * Added cipher_get_cipher_mode() and cipher_get_cipher_operation()
     introspection functions (Closes ticket #40)
   * Added CTR_DRBG based on AES-256-CTR (NIST SP 800-90) random generator
   * Added a generic entropy accumulator that provides support for adding
     custom entropy sources and added some generic and platform dependent
     entropy sources

Changes
   * Documentation for AES and Camellia in modes CTR and CFB128 clarified.
   * Fixed rsa_encrypt and rsa_decrypt examples to use public key for
     encryption and private key for decryption. (Closes ticket #34)
   * Increased maximum size of ASN1 length reads to 32-bits.
   * Added an EXPLICIT tag number parameter to x509_get_ext()
   * Added a separate CRL entry extension parsing function
   * Separated the ASN.1 parsing code from the X.509 specific parsing code.
     So now there is a module that is controlled with POLARSSL_ASN1_PARSE_C.
   * Changed the defined key-length of DES ciphers in cipher.h to include the
     parity bits, to prevent mistakes in copying data. (Closes ticket #33)
   * Loads of minimal changes to better support WINCE as a build target
     (Credits go to Marco Lizza)
   * Added POLARSSL_MPI_WINDOW_SIZE definition to allow easier time to memory
     trade-off
   * Introduced POLARSSL_MPI_MAX_SIZE and POLARSSL_MPI_MAX_BITS for MPI size
     management (Closes ticket #44)
   * Changed the used random function pointer to more flexible format. Renamed
     havege_rand() to havege_random() to prevent mistakes. Lots of changes as
     a consequence in library code and programs
   * Moved all example programs to use the new entropy and CTR_DRBG
   * Added permissive certificate parsing to x509parse_crt() and
     x509parse_crtfile(). With permissive parsing the parsing does not stop on
     encountering a parse-error. Beware that the meaning of return values has
     changed!
   * All error codes are now negative. Even on memory failures and IO errors.

Bugfix
   * Fixed faulty HMAC-MD2 implementation. Found by dibac. (Closes
     ticket #37)
   * Fixed a bug where the CRL parser expected an EXPLICIT ASN.1 tag
     before version numbers
   * Allowed X509 key usage parsing to accept the 4 byte values sometimes
     used by Microsoft in addition to the standard 1 byte version.
     (Closes ticket #38)
   * Fixed incorrect behaviour in case of RSASSA-PSS with a salt length
     smaller than the hash length. (Closes ticket #41)
   * If certificate serial is longer than 32 octets, serial number is now
     appended with '....' after first 28 octets
   * Improved build support for s390x and sparc64 in bignum.h
   * Fixed MS Visual C++ name clash with int64 in sha4.h
   * Corrected removal of leading "00:" in printing serial numbers in
     certificates and CRLs
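Two of the 1.1.0 entries above concern the same piece of X.509 parsing: the ASN.1 length decoder now reads lengths of up to 32 bits, and the KeyUsage parser accepts the 4-byte BIT STRING encoding some Microsoft-issued certificates use next to the usual 1-byte form. The example below is added here to show both together; it is not PolarSSL's own code, and the error constants, the KU_* flag values and the sample encodings are constructed for the example. The length decoder caps the long form at four bytes and refuses any length not backed by bytes actually present, which is the check that keeps a hostile length from walking the parser off the end of the buffer.

```c
#include <stddef.h>
#include <stdint.h>

/* Return codes for this example (constructed, not the library's own values) */
#define ASN1_OK                   0
#define ASN1_ERR_OUT_OF_DATA     -1
#define ASN1_ERR_INVALID_LENGTH  -2
#define ASN1_ERR_UNEXPECTED_TAG  -3

#define ASN1_TAG_BIT_STRING    0x03

/* KeyUsage bits folded byte-wise: byte 0 -> bits 0..7, byte 1 -> bits 8..15.
 * RFC 5280 numbers the flags from the MSB of byte 0 (digitalSignature). */
#define KU_DIGITAL_SIGNATURE   0x0080
#define KU_KEY_ENCIPHERMENT    0x0020
#define KU_KEY_CERT_SIGN       0x0004
#define KU_CRL_SIGN            0x0002
#define KU_DECIPHER_ONLY       0x8000

/*
 * Decode a DER length at *p (just past the tag). Short form is one byte
 * below 0x80; long form is 0x80|n followed by n big-endian bytes. n is
 * capped at 4 so the value fits in 32 bits, and the announced length must
 * be backed by bytes actually present before 'end'. Advances *p.
 * Minimal-encoding of the long form is not enforced (lenient, like the 1.x parser).
 */
int asn1_get_len(const uint8_t **p, const uint8_t *end, uint32_t *len)
{
    if (*p >= end)
        return ASN1_ERR_OUT_OF_DATA;

    uint8_t first = *(*p)++;
    if ((first & 0x80) == 0) {
        *len = first;
    } else {
        size_t n = first & 0x7F;
        if (n == 0 || n > 4)                 /* indefinite form or > 32 bits */
            return ASN1_ERR_INVALID_LENGTH;
        if ((size_t)(end - *p) < n)
            return ASN1_ERR_OUT_OF_DATA;
        uint32_t v = 0;
        for (size_t i = 0; i < n; i++)
            v = (v << 8) | *(*p)++;
        *len = v;
    }

    if (*len > (uint32_t)(end - *p))         /* never trust a length alone */
        return ASN1_ERR_OUT_OF_DATA;
    return ASN1_OK;
}

/*
 * Read a KeyUsage BIT STRING: one "unused bits" byte followed by 1..4 flag
 * bytes. Two bytes cover the nine RFC 5280 flags; the 4-byte form is the
 * Microsoft encoding mentioned in the changelog. Flags are folded into *usage.
 */
int x509_get_key_usage(const uint8_t **p, const uint8_t *end, uint32_t *usage)
{
    uint32_t len;
    int ret;

    if (*p >= end || *(*p)++ != ASN1_TAG_BIT_STRING)
        return ASN1_ERR_UNEXPECTED_TAG;
    if ((ret = asn1_get_len(p, end, &len)) != ASN1_OK)
        return ret;
    if (len < 2 || len > 5 || (*p)[0] > 7)   /* unused-bits byte + 1..4 bytes */
        return ASN1_ERR_INVALID_LENGTH;

    *usage = 0;
    for (uint32_t i = 1; i < len; i++)
        *usage |= (uint32_t)(*p)[i] << (8 * (i - 1));
    *p += len;
    return ASN1_OK;
}

/* Convenience wrappers: return the decoded value, or a negative error code. */
long long asn1_len_of(const uint8_t *buf, size_t n)
{
    const uint8_t *p = buf;
    uint32_t len;
    int ret = asn1_get_len(&p, buf + n, &len);
    return ret == ASN1_OK ? (long long)len : ret;
}

long long key_usage_of(const uint8_t *buf, size_t n)
{
    const uint8_t *p = buf;
    uint32_t usage;
    int ret = x509_get_key_usage(&p, buf + n, &usage);
    return ret == ASN1_OK ? (long long)usage : ret;
}

/* Constructed sample encodings (not taken from any real certificate) */
const uint8_t ku_ca[]       = { 0x03, 0x02, 0x01, 0x06 };                   /* keyCertSign|cRLSign */
const uint8_t ku_ms[]       = { 0x03, 0x05, 0x00, 0xA0, 0x00, 0x00, 0x00 }; /* 4-byte MS form */
const uint8_t ku_longlen[]  = { 0x03, 0x81, 0x02, 0x01, 0x06 };             /* long-form length */
const uint8_t ku_trunc[]    = { 0x03, 0x05, 0x00, 0xA0 };                   /* length exceeds data */
const uint8_t len_3byte[]   = { 0x82, 0x00, 0x03, 0xAA, 0xBB, 0xCC };       /* 2-byte long form */
const uint8_t len_toolong[] = { 0x85, 0x00, 0x00, 0x00, 0x00, 0x01 };       /* 5 length bytes */
```

The truncated sample (ku_trunc) is the case worth testing on any ASN.1 reader: the length byte says five, two bytes follow, and a decoder that believes the length reads past the buffer.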

= Version 1.0.0 released on 2011-07-27
Features
   * Expanded cipher layer with support for CFB128 and CTR mode
   * Added rsa_encrypt and rsa_decrypt simple example programs.

Changes
   * The generic cipher and message digest layer now have normal error
     codes instead of integers

Bugfix
   * Undid faulty bug fix in ssl_write() when flushing old data (Ticket
     #18)

= Version 0.99-pre5 released on 2011-05-26
Features
   * Added additional Cipher Block Modes to symmetric ciphers
     (AES CTR, Camellia CTR, XTEA CBC) including the option to
     enable and disable individual modes when needed
   * Functions requiring File System functions can now be disabled
     by undefining POLARSSL_FS_IO
   * An error_strerror() function has been added to translate between
     error codes and their description.
   * Added mpi_get_bit() and mpi_set_bit() individual bit setter/getter
     functions.
   * Added ssl_mail_client and ssl_fork_server as example programs.

Changes
   * Major argument / variable rewrite. Introduced use of size_t
     instead of int for buffer lengths and loop variables for
     better unsigned / signed use. Renamed internal bigint types
     t_int and t_dbl to t_uint and t_udbl in the process
   * mpi_init() and mpi_free() now only accept a single MPI
     argument and do not accept variable argument lists anymore.
   * The error codes have been remapped and combining error codes
     is now done with a PLUS instead of an OR as error codes
     used are negative.
   * Changed behaviour of net_recv(), ssl_fetch_input() and ssl_read().
     net_recv() now returns 0 on EOF instead of
     POLARSSL_ERR_NET_CONN_RESET. ssl_fetch_input() returns
     POLARSSL_ERR_SSL_CONN_EOF on an EOF from its f_recv() function.
     ssl_read() returns 0 if a POLARSSL_ERR_SSL_CONN_EOF is received
     after the handshake.
   * Network functions now return POLARSSL_ERR_NET_WANT_READ or
     POLARSSL_ERR_NET_WANT_WRITE instead of the ambiguous
     POLARSSL_ERR_NET_TRY_AGAIN
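The switch from OR to PLUS for combining error codes (above) and the error_strerror() function introduced in the same release are easier to see in code than in prose. The following is an added example, not PolarSSL's error.c: the three error constants are made up for the example but follow the library's layout, in which every code is negative, a high-level (module) code occupies bits 7..15 and a low-level code the low 7 bits, so that one return value can carry both. With negative operands the sign-extension bits are set in both, so a bitwise OR silently discards the high-level half; addition of the two non-overlapping fields does not.

```c
#include <stdio.h>
#include <string.h>

/* Constructed error codes in the PolarSSL layout (not the library's values). */
#define ERR_X509_CERT_INVALID_DATE  -0x2400   /* high-level: bits 7..15 */
#define ERR_ASN1_OUT_OF_DATA        -0x0060   /* low-level: bits 0..6  */
#define ERR_ASN1_UNEXPECTED_TAG     -0x0062   /* low-level: bits 0..6  */

/* Combine with PLUS: the fields do not overlap, so the sum keeps both. */
int err_combine(int high, int low)
{
    return high + low;
}

/* The pre-0.99 way. With negative values the sign-extension bits are all set
 * in both operands, so OR collapses to the low-level code alone. */
int err_combine_or_wrong(int high, int low)
{
    return high | low;
}

/* Split a combined code back into its two fields (0 when a field is absent). */
int err_high_level(int code) { return -((-code) & 0xFF80); }
int err_low_level(int code)  { return -((-code) & 0x007F); }

static const char *high_desc(int hi)
{
    switch (hi) {
    case ERR_X509_CERT_INVALID_DATE: return "X509 - Certificate validity date is invalid";
    default:                         return NULL;
    }
}

static const char *low_desc(int lo)
{
    switch (lo) {
    case ERR_ASN1_OUT_OF_DATA:    return "ASN1 - Out of data";
    case ERR_ASN1_UNEXPECTED_TAG: return "ASN1 - Unexpected tag";
    default:                      return NULL;
    }
}

/* error_strerror-style lookup: describe both halves of a combined code. */
void err_strerror(int code, char *buf, size_t n)
{
    const char *h = high_desc(err_high_level(code));
    const char *l = low_desc(err_low_level(code));

    if (h == NULL && l == NULL)
        snprintf(buf, n, "UNKNOWN ERROR CODE (%04X)", (unsigned)-code);
    else
        snprintf(buf, n, "%s%s%s", h ? h : "", (h && l) ? " : " : "", l ? l : "");
}

/* 1 if err_strerror(code) produces exactly 'expected', else 0. */
int err_describes_as(int code, const char *expected)
{
    char buf[128];
    err_strerror(code, buf, sizeof buf);
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    int ok  = err_combine(ERR_X509_CERT_INVALID_DATE, ERR_ASN1_UNEXPECTED_TAG);
    int bad = err_combine_or_wrong(ERR_X509_CERT_INVALID_DATE, ERR_ASN1_UNEXPECTED_TAG);
    char buf[128];

    err_strerror(ok, buf, sizeof buf);
    printf("PLUS: -0x%04X -> %s\n", (unsigned)-ok, buf);   /* both halves survive */
    err_strerror(bad, buf, sizeof buf);
    printf("OR:   -0x%04X -> %s\n", (unsigned)-bad, buf);  /* X509 half is gone   */
    return 0;
}
```

The practical consequence for callers is the one the changelog hints at: compare return values against constants with == or decompose them as above, never test them with a bitmask, and treat any positive value from these APIs as a length or count rather than a status.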

= Version 0.99-pre4 released on 2011-04-01
Features
   * Added support for PKCS#1 v2.1 encoding and thus support
     for the RSAES-OAEP and RSASSA-PSS operations.
   * Reading of Public Key files incorporated into default x509
     functionality as well.
   * Added mpi_fill_random() for centralized filling of big numbers
     with random data (Fixed ticket #10)

Changes
   * Debug print of MPI now removes leading zero octets and 
     displays actual bit size of the value.
   * x509parse_key() (and as a consequence x509parse_keyfile())
     does not zeroize memory in advance anymore. Use rsa_init()
     before parsing a key or keyfile!

Bugfix
   * Debug output of MPI's now the same independent of underlying
     platform (32-bit / 64-bit) (Fixes ticket #19, found by Mads
     Kiilerich and Mihai Militaru)
715 716
   * Fixed bug in ssl_write() when flushing old data (Fixed ticket
     #18, found by Nikolay Epifanov)
   * Fixed handling of RSASSA-PSS verification with variable
     salt lengths

= Version 0.99-pre3 released on 2011-02-28
This release replaces version 0.99-pre2 which had possible copyright issues.
Features
   * Parsing PEM private keys encrypted with DES and AES
     is now supported as well (Fixes ticket #5)
   * Added crl_app program to allow easy reading and
     printing of X509 CRLs from file

Changes
   * Parsing of PEM files moved to separate module (Fixes
     ticket #13). Also possible to remove PEM support for
     systems only using DER encoding

Bugfixes
   * Corrected parsing of UTCTime dates before 1990 and
     after 1950
   * Support more exotic OID's when parsing certificates
     (found by Mads Kiilerich)
   * Support more exotic name representations when parsing
     certificates (found by Mads Kiilerich)
   * Replaced the expired test certificates
   * Do not bail out if no client certificate specified. Try
     to negotiate anonymous connection (Fixes ticket #12,
     found by Boris Krasnovskiy)

Security fixes
   * Fixed a possible Man-in-the-Middle attack on the
     Diffie Hellman key exchange (thanks to Larry Highsmith,
     Subreption LLC)

= Version 0.99-pre1 released on 2011-01-30
Features
Note: Most of these features have been donated by Fox-IT
   * Added Doxygen source code documentation parts
   * Added reading of DHM context from memory and file
   * Improved X509 certificate parsing to include extended
     certificate fields, including Key Usage
   * Improved certificate verification and verification
     against the available CRLs
   * Detection for DES weak keys and parity bits added
   * Improvements to support integration in other
     applications:
       + Added generic message digest and cipher wrapper
       + Improved information about current capabilities,
         status, objects and configuration
       + Added verification callback on certificate chain
         verification to allow external blacklisting
       + Additional example programs to show usage
   * Added support for PKCS#11 through the use of the
     libpkcs11-helper library
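Two entries in this changelog touch DES key handling: the 0.99-pre1 feature above, "Detection for DES weak keys and parity bits added", and the 1.1.0 change that made the DES key length in cipher.h include the parity bits so that callers copy 8 bytes rather than 7. The block below is an added example of those checks, written for this page; it is not the library's des.c, and the function names carry an _ex suffix to keep that clear. The weak and semi-weak key table is the standard FIPS 74 list in parity-adjusted form; the sample keys are constructed.

```c
#include <stdint.h>
#include <string.h>

#define DES_KEY_SIZE 8   /* the key as APIs carry it: 56 key bits + 8 parity bits */

/* Return b with its low (parity) bit set so the byte has an odd number of 1 bits.
 * Only the top seven bits of each byte are key material. */
static uint8_t des_odd_parity(uint8_t b)
{
    uint8_t x = (uint8_t)(b >> 1);          /* the seven key bits */
    x ^= x >> 4; x ^= x >> 2; x ^= x >> 1;  /* x & 1 == parity of those bits */
    return (uint8_t)((b & 0xFE) | ((x & 1) ^ 1));
}

void des_key_set_parity_ex(uint8_t key[DES_KEY_SIZE])
{
    for (int i = 0; i < DES_KEY_SIZE; i++)
        key[i] = des_odd_parity(key[i]);
}

/* 0 if every byte has odd parity, -1 otherwise. */
int des_key_check_parity_ex(const uint8_t key[DES_KEY_SIZE])
{
    for (int i = 0; i < DES_KEY_SIZE; i++)
        if (key[i] != des_odd_parity(key[i]))
            return -1;
    return 0;
}

/* The 4 weak and 12 semi-weak DES keys (FIPS 74 list), parity-adjusted. */
static const uint8_t des_weak_keys[16][DES_KEY_SIZE] = {
    { 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01 },
    { 0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE },
    { 0x1F, 0x1F, 0x1F, 0x1F, 0x0E, 0x0E, 0x0E, 0x0E },
    { 0xE0, 0xE0, 0xE0, 0xE0, 0xF1, 0xF1, 0xF1, 0xF1 },
    { 0x01, 0x1F, 0x01, 0x1F, 0x01, 0x0E, 0x01, 0x0E },
    { 0x1F, 0x01, 0x1F, 0x01, 0x0E, 0x01, 0x0E, 0x01 },
    { 0x01, 0xE0, 0x01, 0xE0, 0x01, 0xF1, 0x01, 0xF1 },
    { 0xE0, 0x01, 0xE0, 0x01, 0xF1, 0x01, 0xF1, 0x01 },
    { 0x01, 0xFE, 0x01, 0xFE, 0x01, 0xFE, 0x01, 0xFE },
    { 0xFE, 0x01, 0xFE, 0x01, 0xFE, 0x01, 0xFE, 0x01 },
    { 0x1F, 0xE0, 0x1F, 0xE0, 0x0E, 0xF1, 0x0E, 0xF1 },
    { 0xE0, 0x1F, 0xE0, 0x1F, 0xF1, 0x0E, 0xF1, 0x0E },
    { 0x1F, 0xFE, 0x1F, 0xFE, 0x0E, 0xFE, 0x0E, 0xFE },
    { 0xFE, 0x1F, 0xFE, 0x1F, 0xFE, 0x0E, 0xFE, 0x0E },
    { 0xE0, 0xFE, 0xE0, 0xFE, 0xF1, 0xFE, 0xF1, 0xFE },
    { 0xFE, 0xE0, 0xFE, 0xE0, 0xFE, 0xF1, 0xFE, 0xF1 },
};

/* 0 if the key is not in the weak list, -1 if it is. */
int des_key_check_weak_ex(const uint8_t key[DES_KEY_SIZE])
{
    for (int i = 0; i < 16; i++)
        if (memcmp(key, des_weak_keys[i], DES_KEY_SIZE) == 0)
            return -1;
    return 0;
}

/* Expand 56 packed key bits (7 bytes, as some protocols carry them) into the
 * 8-byte form with parity: each 7-bit chunk lands in the top bits of a byte.
 * This is the copy step a 7-byte key length definition invites callers to skip. */
void des_key_from_56bit(const uint8_t in[7], uint8_t out[DES_KEY_SIZE])
{
    uint64_t k = 0;
    for (int i = 0; i < 7; i++)
        k = (k << 8) | in[i];
    for (int i = DES_KEY_SIZE - 1; i >= 0; i--) {
        out[i] = des_odd_parity((uint8_t)((k & 0x7F) << 1));
        k >>= 7;
    }
}

/* Combined check: 0 = usable, -1 = parity error, -2 = weak or semi-weak key. */
int des_key_validate(const uint8_t key[DES_KEY_SIZE])
{
    if (des_key_check_parity_ex(key) != 0)
        return -1;
    if (des_key_check_weak_ex(key) != 0)
        return -2;
    return 0;
}

/* Same verdict for a 56-bit packed key after expansion. */
int des_key56_validate(const uint8_t in[7])
{
    uint8_t out[DES_KEY_SIZE];
    des_key_from_56bit(in, out);
    return des_key_validate(out);
}

/* Constructed sample keys */
const uint8_t des_key_textbook[DES_KEY_SIZE] = { 0x13, 0x34, 0x57, 0x79, 0x9B, 0xBC, 0xDF, 0xF1 };
const uint8_t des_key_zero[DES_KEY_SIZE]     = { 0 };
const uint8_t des_key56_zero[7]              = { 0 };
const uint8_t des_key56_sample[7]            = { 0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD };
```

A parity failure usually means the key was copied or derived wrongly (the all-zero 56-bit key expands to the all-0x01 weak key, which is why both checks belong together); a weak key means DES encryption is its own inverse for that key and should be rejected outright.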

Changes
   * x509parse_time_expired() checks time in addition to
     the existing date check
   * The ciphers member of ssl_context and the cipher member
     of ssl_session have been renamed to ciphersuites and
     ciphersuite respectively. This clarifies the difference
     with the generic cipher layer and is better naming
     altogether

= Version 0.14.0 released on 2010-08-16
Features
   * Added support for SSL_EDH_RSA_AES_128_SHA and
     SSL_EDH_RSA_CAMELLIA_128_SHA ciphersuites
   * Added compile-time and run-time version information
   * Expanded ssl_client2 arguments for more flexibility
   * Added support for TLS v1.1

Changes
   * Made Makefile cleaner
   * Removed dependency on rand() in rsa_pkcs1_encrypt().
     Now using random function provided to function and
     changed the prototype of rsa_pkcs1_encrypt(),
     rsa_init() and rsa_gen_key().
   * Some SSL defines were renamed in order to avoid
     future confusion

Bug fixes
   * Fixed CMake out of source build for tests (found by
     kkert)
   * rsa_check_private() now supports PKCS1v2 keys as well
   * Fixed deadlock in rsa_pkcs1_encrypt() on failing random
     generator

= Version 0.13.1 released on 2010-03-24
Bug fixes
   * Fixed Makefile in library that was mistakenly merged
   * Added missing const string fixes

= Version 0.13.0 released on 2010-03-21
Features
   * Added option parsing for host and port selection to
     ssl_client2
   * Added support for GeneralizedTime in X509 parsing
   * Added cert_app program to allow easy reading and
     printing of X509 certificates from file or SSL
     connection.
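Three entries in this changelog deal with X.509 validity times: 0.13.0 added GeneralizedTime parsing (above), 0.99-pre1 made x509parse_time_expired() compare the time of day as well as the date, and 0.99-pre3 corrected UTCTime parsing for years in the 1950s through 1980s, which comes down to the two-digit year pivot RFC 5280 prescribes. The block below is an added example covering all three; it is not the library's x509 code, and the function names, the struct and the sample timestamps are constructed for the example. Only the strict RFC 5280 forms (seconds present, trailing Z) are accepted.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

typedef struct {
    int year, mon, day, hour, min, sec;
} x509_time;

static int two_digits(const char *s, int *out)
{
    if (!isdigit((unsigned char)s[0]) || !isdigit((unsigned char)s[1]))
        return -1;
    *out = (s[0] - '0') * 10 + (s[1] - '0');
    return 0;
}

/*
 * Parse the RFC 5280 forms: UTCTime "YYMMDDHHMMSSZ" (13 chars) and
 * GeneralizedTime "YYYYMMDDHHMMSSZ" (15 chars). The UTCTime two-digit year
 * pivots at 50: 50..99 -> 1950..1999, 00..49 -> 2000..2049. Returns 0 on
 * success, -1 on malformed input or an out-of-range field.
 */
int x509_parse_time(const char *s, size_t len, int generalized, x509_time *t)
{
    size_t expect = generalized ? 15 : 13;
    int century = 0;

    if (len != expect || s[len - 1] != 'Z')
        return -1;
    if (generalized) {
        if (two_digits(s, &century) != 0)
            return -1;
        s += 2;
    }
    if (two_digits(s, &t->year) || two_digits(s + 2, &t->mon)  ||
        two_digits(s + 4, &t->day) || two_digits(s + 6, &t->hour) ||
        two_digits(s + 8, &t->min) || two_digits(s + 10, &t->sec))
        return -1;

    if (generalized)
        t->year += century * 100;
    else
        t->year += (t->year >= 50) ? 1900 : 2000;   /* the 1950..2049 window */

    if (t->mon < 1 || t->mon > 12 || t->day < 1 || t->day > 31 ||
        t->hour > 23 || t->min > 59 || t->sec > 59)
        return -1;
    return 0;
}

/* Field-by-field comparison: <0 if a is before b, 0 if equal, >0 if after. */
int x509_time_cmp(const x509_time *a, const x509_time *b)
{
    int fa[6] = { a->year, a->mon, a->day, a->hour, a->min, a->sec };
    int fb[6] = { b->year, b->mon, b->day, b->hour, b->min, b->sec };
    for (int i = 0; i < 6; i++)
        if (fa[i] != fb[i])
            return fa[i] < fb[i] ? -1 : 1;
    return 0;
}

/* 1 if 'now' is strictly after notAfter (time of day included), else 0. */
int x509_time_expired(const x509_time *not_after, const x509_time *now)
{
    return x509_time_cmp(now, not_after) > 0;
}

/* 1 if 'now' is strictly before notBefore, else 0. */
int x509_time_future(const x509_time *not_before, const x509_time *now)
{
    return x509_time_cmp(now, not_before) < 0;
}

/* Year of a parsed string, or -1 if it does not parse. */
int x509_year_of(const char *s, int generalized)
{
    x509_time t;
    return x509_parse_time(s, strlen(s), generalized, &t) == 0 ? t.year : -1;
}

/* Validity verdict for three GeneralizedTime strings:
 * 0 valid, 1 expired, 2 not yet valid, -1 parse error. */
int x509_validity_status(const char *not_before, const char *not_after, const char *now)
{
    x509_time nb, na, n;
    if (x509_parse_time(not_before, strlen(not_before), 1, &nb) ||
        x509_parse_time(not_after, strlen(not_after), 1, &na)   ||
        x509_parse_time(now, strlen(now), 1, &n))
        return -1;
    if (x509_time_expired(&na, &n)) return 1;
    if (x509_time_future(&nb, &n))  return 2;
    return 0;
}
```

The two checks that matter for the changelog entries are the pivot (a UTCTime of 891231235959Z is 1989, not 2089) and the time-of-day comparison (a certificate whose notAfter is 12:00:00 is expired at 12:00:01 the same day, which a date-only check would accept).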

Changes
   * Added const correctness for main code base
   * X509 signature algorithm determination is now
     in a function to allow easy future expansion
   * Changed symmetric cipher functions to
     identical interface (returning int result values)
   * Changed ARC4 to use separate input/output buffer