PolarSSL ChangeLog = Version Trunk Features * Added support for NULL cipher (POLARSSL_CIPHER_NULL_CIPHER) and weak ciphersuites (POLARSSL_ENABLE_WEAK_CIPHERSUITES). They are disabled by default! * Added support for wildcard certificates * Added support for multi-domain certificates through the X509 Subject Alternative Name extension * Added preliminary ASN.1 buffer writing support * Added preliminary X509 Certificate Request writing support * Added key_app_writer example application * Added cert_req example application * Added base Galois Counter Mode (GCM) for AES * Added TLS 1.2 support * Added GCM suites to TLS 1.2 (RFC 5288) * Added commandline error code convertor (util/strerror) * Added support for Hardware Acceleration hooking in SSL/TLS * Added OpenSSL / PolarSSL compatibility script (tests/compat.sh) and example application (programs/ssl/o_p_test) (Requires OpenSSL) * Added X509 CA Path support * Added Thumb assembly optimizations * Added DEFLATE compression support as per RFC3749 (requires zlib) * Added blowfish algorithm (Generic and cipher layer) Changes * Removed redundant POLARSSL_DEBUG_MSG define * AES code only check for Padlock once * Fixed const-correctness mpi_get_bit() * Documentation for mpi_lsb() and mpi_msb() * Moved out_msg to out_hdr + 32 to support hardware acceleration * Changed certificate verify behaviour to comply with RFC 6125 section 6.3 to not match CN if subjectAltName extension is present (Closes ticket #56) * Cipher layer cipher_mode_t POLARSSL_MODE_CFB128 is renamed to POLARSSL_MODE_CFB, to also handle different block size CFB modes. Bugfix * Fixed handling error in mpi_cmp_mpi() on longer B values (found by Hui Dong) * Fixed potential heap corruption in x509_name allocation * Fixed single RSA test that failed on Big Endian systems (Closes ticket #54) * mpi_exp_mod() now correctly handles negative base numbers (Closes ticket #52) * Handle encryption with private key and decryption with public key as per RFC 2313 * Handle empty certificate subject names * Prevent reading over buffer boundaries on X509 certificate parsing Security * Fixed potential memory corruption on miscrafted client messages (found by Frama-C team at CEA LIST) * Fixed generation of DHM parameters to correct length (found by Ruslan Yushchenko) * Fixed potential memory zeroization on miscrafted RSA key (found by Eloi Vanderbeken) = Version 1.1.3 released on 2012-04-29 Bugfix * Fixed random MPI generation to not generate more size than requested. = Version 1.1.2 released on 2012-04-26 Bugfix * Fixed handling error in mpi_cmp_mpi() on longer B values (found by Hui Dong) Security * Fixed potential memory corruption on miscrafted client messages (found by Frama-C team at CEA LIST) * Fixed generation of DHM parameters to correct length (found by Ruslan Yushchenko) = Version 1.1.1 released on 2012-01-23 Bugfix * Check for failed malloc() in ssl_set_hostname() and x509_get_entries() (Closes ticket #47, found by Hugo Leisink) * Fixed issues with Intel compiler on 64-bit systems (Closes ticket #50) * Fixed multiple compiler warnings for VS6 and armcc * Fixed bug in CTR_CRBG selftest = Version 1.1.0 released on 2011-12-22 Features * Added ssl_session_reset() to allow better multi-connection pools of SSL contexts without needing to set all non-connection-specific data and pointers again. Adapted ssl_server to use this functionality. * Added ssl_set_max_version() to allow clients to offer a lower maximum supported version to a server to help buggy server implementations. (Closes ticket #36) * Added cipher_get_cipher_mode() and cipher_get_cipher_operation() introspection functions (Closes ticket #40) * Added CTR_DRBG based on AES-256-CTR (NIST SP 800-90) random generator * Added a generic entropy accumulator that provides support for adding custom entropy sources and added some generic and platform dependent entropy sources Changes * Documentation for AES and Camellia in modes CTR and CFB128 clarified. * Fixed rsa_encrypt and rsa_decrypt examples to use public key for encryption and private key for decryption. (Closes ticket #34) * Inceased maximum size of ASN1 length reads to 32-bits. * Added an EXPLICIT tag number parameter to x509_get_ext() * Added a separate CRL entry extension parsing function * Separated the ASN.1 parsing code from the X.509 specific parsing code. So now there is a module that is controlled with POLARSSL_ASN1_PARSE_C. * Changed the defined key-length of DES ciphers in cipher.h to include the parity bits, to prevent mistakes in copying data. (Closes ticket #33) * Loads of minimal changes to better support WINCE as a build target (Credits go to Marco Lizza) * Added POLARSSL_MPI_WINDOW_SIZE definition to allow easier time to memory trade-off * Introduced POLARSSL_MPI_MAX_SIZE and POLARSSL_MPI_MAX_BITS for MPI size management (Closes ticket #44) * Changed the used random function pointer to more flexible format. Renamed havege_rand() to havege_random() to prevent mistakes. Lots of changes as a consequence in library code and programs * Moved all examples programs to use the new entropy and CTR_DRBG * Added permissive certificate parsing to x509parse_crt() and x509parse_crtfile(). With permissive parsing the parsing does not stop on encountering a parse-error. Beware that the meaning of return values has changed! * All error codes are now negative. Even on mermory failures and IO errors. Bugfix * Fixed faulty HMAC-MD2 implementation. Found by dibac. (Closes ticket #37) * Fixed a bug where the CRL parser expected an EXPLICIT ASN.1 tag before version numbers * Allowed X509 key usage parsing to accept 4 byte values instead of the standard 1 byte version sometimes used by Microsoft. (Closes ticket #38) * Fixed incorrect behaviour in case of RSASSA-PSS with a salt length smaller than the hash length. (Closes ticket #41) * If certificate serial is longer than 32 octets, serial number is now appended with '....' after first 28 octets * Improved build support for s390x and sparc64 in bignum.h * Fixed MS Visual C++ name clash with int64 in sha4.h * Corrected removal of leading "00:" in printing serial numbers in certificates and CRLs = Version 1.0.0 released on 2011-07-27 Features * Expanded cipher layer with support for CFB128 and CTR mode * Added rsa_encrypt and rsa_decrypt simple example programs. Changes * The generic cipher and message digest layer now have normal error codes instead of integers Bugfix * Undid faulty bug fix in ssl_write() when flushing old data (Ticket #18) = Version 0.99-pre5 released on 2011-05-26 Features * Added additional Cipher Block Modes to symmetric ciphers (AES CTR, Camellia CTR, XTEA CBC) including the option to enable and disable individual modes when needed * Functions requiring File System functions can now be disabled by undefining POLARSSL_FS_IO * A error_strerror function() has been added to translate between error codes and their description. * Added mpi_get_bit() and mpi_set_bit() individual bit setter/getter functions. * Added ssl_mail_client and ssl_fork_server as example programs. Changes * Major argument / variable rewrite. Introduced use of size_t instead of int for buffer lengths and loop variables for better unsigned / signed use. Renamed internal bigint types t_int and t_dbl to t_uint and t_udbl in the process * mpi_init() and mpi_free() now only accept a single MPI argument and do not accept variable argument lists anymore. * The error codes have been remapped and combining error codes is now done with a PLUS instead of an OR as error codes used are negative. * Changed behaviour of net_read(), ssl_fetch_input() and ssl_recv(). net_recv() now returns 0 on EOF instead of POLARSSL_ERR_NET_CONN_RESET. ssl_fetch_input() returns POLARSSL_ERR_SSL_CONN_EOF on an EOF from its f_recv() function. ssl_read() returns 0 if a POLARSSL_ERR_SSL_CONN_EOF is received after the handshake. * Network functions now return POLARSSL_ERR_NET_WANT_READ or POLARSSL_ERR_NET_WANT_WRITE instead of the ambiguous POLARSSL_ERR_NET_TRY_AGAIN = Version 0.99-pre4 released on 2011-04-01 Features * Added support for PKCS#1 v2.1 encoding and thus support for the RSAES-OAEP and RSASSA-PSS operations. * Reading of Public Key files incorporated into default x509 functionality as well. * Added mpi_fill_random() for centralized filling of big numbers with random data (Fixed ticket #10) Changes * Debug print of MPI now removes leading zero octets and displays actual bit size of the value. * x509parse_key() (and as a consequence x509parse_keyfile()) does not zeroize memory in advance anymore. Use rsa_init() before parsing a key or keyfile! Bugfix * Debug output of MPI's now the same independent of underlying platform (32-bit / 64-bit) (Fixes ticket #19, found by Mads Kiilerich and Mihai Militaru) * Fixed bug in ssl_write() when flushing old data (Fixed ticket #18, found by Nikolay Epifanov) * Fixed proper handling of RSASSA-PSS verification with variable length salt lengths = Version 0.99-pre3 released on 2011-02-28 This release replaces version 0.99-pre2 which had possible copyright issues. Features * Parsing PEM private keys encrypted with DES and AES are now supported as well (Fixes ticket #5) * Added crl_app program to allow easy reading and printing of X509 CRLs from file Changes * Parsing of PEM files moved to separate module (Fixes ticket #13). Also possible to remove PEM support for systems only using DER encoding Bugfixes * Corrected parsing of UTCTime dates before 1990 and after 1950 * Support more exotic OID's when parsing certificates (found by Mads Kiilerich) * Support more exotic name representations when parsing certificates (found by Mads Kiilerich) * Replaced the expired test certificates * Do not bail out if no client certificate specified. Try to negotiate anonymous connection (Fixes ticket #12, found by Boris Krasnovskiy) Security fixes * Fixed a possible Man-in-the-Middle attack on the Diffie Hellman key exchange (thanks to Larry Highsmith, Subreption LLC) = Version 0.99-pre1 released on 2011-01-30 Features Note: Most of these features have been donated by Fox-IT * Added Doxygen source code documentation parts * Added reading of DHM context from memory and file * Improved X509 certificate parsing to include extended certificate fields, including Key Usage * Improved certificate verification and verification against the available CRLs * Detection for DES weak keys and parity bits added * Improvements to support integration in other applications: + Added generic message digest and cipher wrapper + Improved information about current capabilities, status, objects and configuration + Added verification callback on certificate chain verification to allow external blacklisting + Additional example programs to show usage * Added support for PKCS#11 through the use of the libpkcs11-helper library Changes * x509parse_time_expired() checks time in addition to the existing date check * The ciphers member of ssl_context and the cipher member of ssl_session have been renamed to ciphersuites and ciphersuite respectively. This clarifies the difference with the generic cipher layer and is better naming altogether = Version 0.14.0 released on 2010-08-16 Features * Added support for SSL_EDH_RSA_AES_128_SHA and SSL_EDH_RSA_CAMELLIA_128_SHA ciphersuites * Added compile-time and run-time version information * Expanded ssl_client2 arguments for more flexibility * Added support for TLS v1.1 Changes * Made Makefile cleaner * Removed dependency on rand() in rsa_pkcs1_encrypt(). Now using random fuction provided to function and changed the prototype of rsa_pkcs1_encrypt(), rsa_init() and rsa_gen_key(). * Some SSL defines were renamed in order to avoid future confusion Bug fixes * Fixed CMake out of source build for tests (found by kkert) * rsa_check_private() now supports PKCS1v2 keys as well * Fixed deadlock in rsa_pkcs1_encrypt() on failing random generator = Version 0.13.1 released on 2010-03-24 Bug fixes * Fixed Makefile in library that was mistakenly merged * Added missing const string fixes = Version 0.13.0 released on 2010-03-21 Features * Added option parsing for host and port selection to ssl_client2 * Added support for GeneralizedTime in X509 parsing * Added cert_app program to allow easy reading and printing of X509 certificates from file or SSL connection. Changes * Added const correctness for main code base * X509 signature algorithm determination is now in a function to allow easy future expansion * Changed symmetric cipher functions to identical interface (returning int result values) * Changed ARC4 to use seperate input/output buffer * Added reset function for HMAC context as speed-up for specific use-cases Bug fixes * Fixed bug resulting in failure to send the last certificate in the chain in ssl_write_certificate() and ssl_write_certificate_request() (found by fatbob) * Added small fixes for compiler warnings on a Mac (found by Frank de Brabander) * Fixed algorithmic bug in mpi_is_prime() (found by Smbat Tonoyan) = Version 0.12.1 released on 2009-10-04 Changes * Coverage test definitions now support 'depends_on' tagging system. * Tests requiring specific hashing algorithms now honor the defines. Bug fixes * Changed typo in #ifdef in x509parse.c (found by Eduardo) = Version 0.12.0 released on 2009-07-28 Features * Added CMake makefiles as alternative to regular Makefiles. * Added preliminary Code Coverage tests for AES, ARC4, Base64, MPI, SHA-family, MD-family, HMAC-SHA-family, Camellia, DES, 3-DES, RSA PKCS#1, XTEA, Diffie-Hellman and X509parse. Changes * Error codes are not (necessarily) negative. Keep this is mind when checking for errors. * RSA_RAW renamed to SIG_RSA_RAW for consistency. * Fixed typo in name of POLARSSL_ERR_RSA_OUTPUT_TOO_LARGE. * Changed interface for AES and Camellia setkey functions to indicate invalid key lengths. Bug fixes * Fixed include location of endian.h on FreeBSD (found by Gabriel) * Fixed include location of endian.h and name clash on Apples (found by Martin van Hensbergen) * Fixed HMAC-MD2 by modifying md2_starts(), so that the required HMAC ipad and opad variables are not cleared. (found by code coverage tests) * Prevented use of long long in bignum if POLARSSL_HAVE_LONGLONG not defined (found by Giles Bathgate). * Fixed incorrect handling of negative strings in mpi_read_string() (found by code coverage tests). * Fixed segfault on handling empty rsa_context in rsa_check_pubkey() and rsa_check_privkey() (found by code coverage tests). * Fixed incorrect handling of one single negative input value in mpi_add_abs() (found by code coverage tests). * Fixed incorrect handling of negative first input value in mpi_sub_abs() (found by code coverage tests). * Fixed incorrect handling of negative first input value in mpi_mod_mpi() and mpi_mod_int(). Resulting change also affects mpi_write_string() (found by code coverage tests). * Corrected is_prime() results for 0, 1 and 2 (found by code coverage tests). * Fixed Camellia and XTEA for 64-bit Windows systems. = Version 0.11.1 released on 2009-05-17 * Fixed missing functionality for SHA-224, SHA-256, SHA384, SHA-512 in rsa_pkcs1_sign() = Version 0.11.0 released on 2009-05-03 * Fixed a bug in mpi_gcd() so that it also works when both input numbers are even and added testcases to check (found by Pierre Habouzit). * Added support for SHA-224, SHA-256, SHA-384 and SHA-512 one way hash functions with the PKCS#1 v1.5 signing and verification. * Fixed minor bug regarding mpi_gcd located within the POLARSSL_GENPRIME block. * Fixed minor memory leak in x509parse_crt() and added better handling of 'full' certificate chains (found by Mathias Olsson). * Centralized file opening and reading for x509 files into load_file() * Made definition of net_htons() endian-clean for big endian systems (Found by Gernot). * Undefining POLARSSL_HAVE_ASM now also handles prevents asm in padlock and timing code. * Fixed an off-by-one buffer allocation in ssl_set_hostname() responsible for crashes and unwanted behaviour. * Added support for Certificate Revocation List (CRL) parsing. * Added support for CRL revocation to x509parse_verify() and SSL/TLS code. * Fixed compatibility of XTEA and Camellia on a 64-bit system (found by Felix von Leitner). = Version 0.10.0 released on 2009-01-12 * Migrated XySSL to PolarSSL * Added XTEA symmetric cipher * Added Camellia symmetric cipher * Added support for ciphersuites: SSL_RSA_CAMELLIA_128_SHA, SSL_RSA_CAMELLIA_256_SHA and SSL_EDH_RSA_CAMELLIA_256_SHA * Fixed dangerous bug that can cause a heap overflow in rsa_pkcs1_decrypt (found by Christophe Devine) ================================================================ XySSL ChangeLog = Version 0.9 released on 2008-03-16 * Added support for ciphersuite: SSL_RSA_AES_128_SHA * Enabled support for large files by default in aescrypt2.c * Preliminary openssl wrapper contributed by David Barrett * Fixed a bug in ssl_write() that caused the same payload to be sent twice in non-blocking mode when send returns EAGAIN * Fixed ssl_parse_client_hello(): session id and challenge must not be swapped in the SSLv2 ClientHello (found by Greg Robson) * Added user-defined callback debug function (Krystian Kolodziej) * Before freeing a certificate, properly zero out all cert. data * Fixed the "mode" parameter so that encryption/decryption are not swapped on PadLock; also fixed compilation on older versions of gcc (bug reported by David Barrett) * Correctly handle the case in padlock_xcryptcbc() when input or ouput data is non-aligned by falling back to the software implementation, as VIA Nehemiah cannot handle non-aligned buffers * Fixed a memory leak in x509parse_crt() which was reported by Greg Robson-Garth; some x509write.c fixes by Pascal Vizeli, thanks to Matthew Page who reported several bugs * Fixed x509_get_ext() to accept some rare certificates which have an INTEGER instead of a BOOLEAN for BasicConstraints::cA. * Added support on the client side for the TLS "hostname" extension (patch contributed by David Patino) * Make x509parse_verify() return BADCERT_CN_MISMATCH when an empty string is passed as the CN (bug reported by spoofy) * Added an option to enable/disable the BN assembly code * Updated rsa_check_privkey() to verify that (D*E) = 1 % (P-1)*(Q-1) * Disabled obsolete hash functions by default (MD2, MD4); updated selftest and benchmark to not test ciphers that have been disabled * Updated x509parse_cert_info() to correctly display byte 0 of the serial number, setup correct server port in the ssl client example * Fixed a critical denial-of-service with X.509 cert. verification: peer may cause xyssl to loop indefinitely by sending a certificate for which the RSA signature check fails (bug reported by Benoit) * Added test vectors for: AES-CBC, AES-CFB, DES-CBC and 3DES-CBC, HMAC-MD5, HMAC-SHA1, HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512 * Fixed HMAC-SHA-384 and HMAC-SHA-512 (thanks to Josh Sinykin) * Modified ssl_parse_client_key_exchange() to protect against Daniel Bleichenbacher attack on PKCS#1 v1.5 padding, as well as the Klima-Pokorny-Rosa extension of Bleichenbacher's attack * Updated rsa_gen_key() so that ctx->N is always nbits in size * Fixed assembly PPC compilation errors on Mac OS X, thanks to David Barrett and Dusan Semen = Version 0.8 released on 2007-10-20 * Modified the HMAC functions to handle keys larger than 64 bytes, thanks to Stephane Desneux and gary ng * Fixed ssl_read_record() to properly update the handshake message digests, which fixes IE6/IE7 client authentication * Cleaned up the XYSSL* #defines, suggested by Azriel Fasten * Fixed net_recv(), thanks to Lorenz Schori and Egon Kocjan * Added user-defined callbacks for handling I/O and sessions * Added lots of debugging output in the SSL/TLS functions * Added preliminary X.509 cert. writing by Pascal Vizeli * Added preliminary support for the VIA PadLock routines * Added AES-CFB mode of operation, contributed by chmike * Added an SSL/TLS stress testing program (ssl_test.c) * Updated the RSA PKCS#1 code to allow choosing between RSA_PUBLIC and RSA_PRIVATE, as suggested by David Barrett * Updated ssl_read() to skip 0-length records from OpenSSL * Fixed the make install target to comply with *BSD make * Fixed a bug in mpi_read_binary() on 64-bit platforms * mpi_is_prime() speedups, thanks to Kevin McLaughlin * Fixed a long standing memory leak in mpi_is_prime() * Replaced realloc with malloc in mpi_grow(), and set the sign of zero as positive in mpi_init() (reported by Jonathan M. McCune) = Version 0.7 released on 2007-07-07 * Added support for the MicroBlaze soft-core processor * Fixed a bug in ssl_tls.c which sometimes prevented SSL connections from being established with non-blocking I/O * Fixed a couple bugs in the VS6 and UNIX Makefiles * Fixed the "PIC register ebx clobbered in asm" bug * Added HMAC starts/update/finish support functions * Added the SHA-224, SHA-384 and SHA-512 hash functions * Fixed the net_set_*block routines, thanks to Andreas * Added a few demonstration programs: md5sum, sha1sum, dh_client, dh_server, rsa_genkey, rsa_sign, rsa_verify * Added new bignum import and export helper functions * Rewrote README.txt in program/ssl/ca to better explain how to create a test PKI = Version 0.6 released on 2007-04-01 * Ciphers used in SSL/TLS can now be disabled at compile time, to reduce the memory footprint on embedded systems * Added multiply assembly code for the TriCore and modified havege_struct for this processor, thanks to David Patiño * Added multiply assembly code for 64-bit PowerPCs, thanks to Peking University and the OSU Open Source Lab * Added experimental support of Quantum Cryptography * Added support for autoconf, contributed by Arnaud Cornet * Fixed "long long" compilation issues on IA-64 and PPC64 * Fixed a bug introduced in xyssl-0.5/timing.c: hardclock was not being correctly defined on ARM and MIPS = Version 0.5 released on 2007-03-01 * Added multiply assembly code for SPARC and Alpha * Added (beta) support for non-blocking I/O operations * Implemented session resuming and client authentication * Fixed some portability issues on WinCE, MINIX 3, Plan9 (thanks to Benjamin Newman), HP-UX, FreeBSD and Solaris * Improved the performance of the EDH key exchange * Fixed a bug that caused valid packets with a payload size of 16384 bytes to be rejected = Version 0.4 released on 2007-02-01 * Added support for Ephemeral Diffie-Hellman key exchange * Added multiply asm code for SSE2, ARM, PPC, MIPS and M68K * Various improvement to the modular exponentiation code * Rewrote the headers to generate the API docs with doxygen * Fixed a bug in ssl_encrypt_buf (incorrect padding was generated) and in ssl_parse_client_hello (max. client version was not properly set), thanks to Didier Rebeix * Fixed another bug in ssl_parse_client_hello: clients with cipherlists larger than 96 bytes were incorrectly rejected * Fixed a couple memory leak in x509_read.c = Version 0.3 released on 2007-01-01 * Added server-side SSLv3 and TLSv1.0 support * Multiple fixes to enhance the compatibility with g++, thanks to Xosé Antón Otero Ferreira * Fixed a bug in the CBC code, thanks to dowst; also, the bignum code is no longer dependant on long long * Updated rsa_pkcs1_sign to handle arbitrary large inputs * Updated timing.c for improved compatibility with i386 and 486 processors, thanks to Arnaud Cornet = Version 0.2 released on 2006-12-01 * Updated timing.c to support ARM and MIPS arch * Updated the MPI code to support 8086 on MSVC 1.5 * Added the copyright notice at the top of havege.h * Fixed a bug in sha2_hmac, thanks to newsoft/Wenfang Zhang * Fixed a bug reported by Adrian Rüegsegger in x509_read_key * Fixed a bug reported by Torsten Lauter in ssl_read_record * Fixed a bug in rsa_check_privkey that would wrongly cause valid RSA keys to be dismissed (thanks to oldwolf) * Fixed a bug in mpi_is_prime that caused some primes to fail the Miller-Rabin primality test I'd also like to thank Younès Hafri for the CRUX linux port, Khalil Petit who added XySSL into pkgsrc and Arnaud Cornet who maintains the Debian package :-) = Version 0.1 released on 2006-11-01