xref: /optee_os/lib/libmbedtls/mbedtls/ChangeLog (revision 12941fdcbaa31bd0c6ab241022a7eba66c801467) 
1mbed TLS ChangeLog (Sorted per branch, date)
2
3= mbed TLS 2.6.1 branch released 2017-10-08
4
5Bugfix
6   * Parse signature algorithm extension when renegotiating. Previously,
7     renegotiated handshakes would only accept signatures using SHA-1
8     regardless of the peer's preferences, or fail if SHA-1 was disabled.
9
10= mbed TLS 2.6.0 branch released 2017-08-10
11
12Security
13   * Fix authentication bypass in SSL/TLS: when authmode is set to optional,
14     mbedtls_ssl_get_verify_result() would incorrectly return 0 when the peer's
15     X.509 certificate chain had more than MBEDTLS_X509_MAX_INTERMEDIATE_CA
16     (default: 8) intermediates, even when it was not trusted. This could be
17     triggered remotely from either side. (With authmode set to 'required'
18     (the default), the handshake was correctly aborted).
19   * Reliably wipe sensitive data after use in the AES example applications
20     programs/aes/aescrypt2 and programs/aes/crypt_and_hash.
21     Found by Laurent Simon.
22
23Features
24   * Add the functions mbedtls_platform_setup() and mbedtls_platform_teardown()
25     and the context struct mbedtls_platform_context to perform
26     platform-specific setup and teardown operations. The macro
27     MBEDTLS_PLATFORM_SETUP_TEARDOWN_ALT allows the functions to be overridden
28     by the user in a platform_alt.h file. These new functions are required in
29     some embedded environments to provide a means of initialising underlying
30     cryptographic acceleration hardware.
31
32API Changes
33   * Reverted API/ABI breaking changes introduced in mbed TLS 2.5.1, to make the
34     API consistent with mbed TLS 2.5.0. Specifically removed the inline
35     qualifier from the functions mbedtls_aes_decrypt, mbedtls_aes_encrypt,
36     mbedtls_ssl_ciphersuite_uses_ec and mbedtls_ssl_ciphersuite_uses_psk. Found
37     by James Cowgill. #978
38   * Certificate verification functions now set flags to -1 in case the full
39     chain was not verified due to an internal error (including in the verify
40     callback) or chain length limitations.
41   * With authmode set to optional, the TLS handshake is now aborted if the
42     verification of the peer's certificate failed due to an overlong chain or
43     a fatal error in the verify callback.
44
45Bugfix
46   * Add a check if iv_len is zero in GCM, and return an error if it is zero.
47     Reported by roberto. #716
48   * Replace preprocessor condition from #if defined(MBEDTLS_THREADING_PTHREAD)
49     to #if defined(MBEDTLS_THREADING_C) as the library cannot assume they will
50     always be implemented by pthread support. #696
51   * Fix a resource leak on Windows platforms in mbedtls_x509_crt_parse_path(),
52     in the case of an error. Found by redplait. #590
53   * Add MBEDTLS_MPI_CHK to check for error value of mbedtls_mpi_fill_random.
54     Reported and fix suggested by guidovranken. #740
55   * Fix conditional preprocessor directives in bignum.h to enable 64-bit
56     compilation when using ARM Compiler 6.
57   * Fix a potential integer overflow in the version verification for DER
58     encoded X.509 CRLs. The overflow could enable maliciously constructed CRLs
59     to bypass the version verification check. Found by Peng Li/Yueh-Hsun Lin,
60     KNOX Security, Samsung Research America
61   * Fix potential integer overflow in the version verification for DER
62     encoded X.509 CSRs. The overflow could enable maliciously constructed CSRs
63     to bypass the version verification check. Found by Peng Li/Yueh-Hsun Lin,
64     KNOX Security, Samsung Research America
65   * Fix a potential integer overflow in the version verification for DER
66     encoded X.509 certificates. The overflow could enable maliciously
67     constructed certificates to bypass the certificate verification check.
68   * Fix a call to the libc function time() to call the platform abstraction
69     function mbedtls_time() instead. Found by wairua. #666
70   * Avoid shadowing of time and index functions through mbed TLS function
71     arguments. Found by inestlerode. #557.
72
73Changes
74   * Added config.h option MBEDTLS_NO_UDBL_DIVISION, to prevent the use of
75     64-bit division. This is useful on embedded platforms where 64-bit division
76     created a dependency on external libraries. #708
77   * Removed mutexes from ECP hardware accelerator code. Now all hardware
78     accelerator code in the library leaves concurrency handling to the
79     platform. Reported by Steven Cooreman. #863
80   * Define the macro MBEDTLS_AES_ROM_TABLES in the configuration file
81     config-no-entropy.h to reduce the RAM footprint.
82   * Added a test script that can be hooked into git that verifies commits
83     before they are pushed.
84   * Improve documentation of PKCS1 decryption functions.
85
86= mbed TLS 2.5.1 released 2017-06-21
87
88Security
89   * Fixed unlimited overread of heap-based buffer in mbedtls_ssl_read().
90     The issue could only happen client-side with renegotiation enabled.
91     Could result in DoS (application crash) or information leak
92     (if the application layer sent data read from mbedtls_ssl_read()
93     back to the server or to a third party). Can be triggered remotely.
94   * Removed SHA-1 and RIPEMD-160 from the default hash algorithms for
95     certificate verification. SHA-1 can be turned back on with a compile-time
96     option if needed.
97   * Fixed offset in FALLBACK_SCSV parsing that caused TLS server to fail to
98     detect it sometimes. Reported by Hugo Leisink. #810
99   * Tighten parsing of RSA PKCS#1 v1.5 signatures, to avoid a
100     potential Bleichenbacher/BERserk-style attack.
101
102Bugfix
103   * Remove size zero arrays from ECJPAKE test suite. Size zero arrays are not
104     valid C and they prevented the test from compiling in Visual Studio 2015
105     and with GCC using the -Wpedantic compilation option.
106   * Fix insufficient support for signature-hash-algorithm extension,
107     resulting in compatibility problems with Chrome. Found by hfloyrd. #823
108   * Fix behaviour that hid the original cause of fatal alerts in some cases
109     when sending the alert failed. The fix makes sure not to hide the error
110     that triggered the alert.
111   * Fix SSLv3 renegotiation behaviour and stop processing data received from
112     peer after sending a fatal alert to refuse a renegotiation attempt.
113     Previous behaviour was to keep processing data even after the alert has
114     been sent.
115   * Accept empty trusted CA chain in authentication mode
116     MBEDTLS_SSL_VERIFY_OPTIONAL.
117     Found by jethrogb. #864
118   * Fix implementation of mbedtls_ssl_parse_certificate() to not annihilate
119     fatal errors in authentication mode MBEDTLS_SSL_VERIFY_OPTIONAL and to
120     reflect bad EC curves within verification result.
121   * Fix bug that caused the modular inversion function to accept the invalid
122     modulus 1 and therefore to hang. Found by blaufish. #641.
123   * Fix incorrect sign computation in modular exponentiation when the base is
124     a negative MPI. Previously the result was always negative. Found by Guido
125     Vranken.
126   * Fix a numerical underflow leading to stack overflow in mpi_read_file()
127     that was triggered uppon reading an empty line. Found by Guido Vranken.
128
129Changes
130   * Send fatal alerts in more cases. The previous behaviour was to skip
131     sending the fatal alert and just drop the connection.
132   * Clarify ECDSA documentation and improve the sample code to avoid
133     misunderstanding and potentially dangerous use of the API. Pointed out
134     by Jean-Philippe Aumasson.
135
136= mbed TLS 2.5.0 branch released 2017-05-17
137
138Security
139   * Wipe stack buffers in RSA private key operations
140     (rsa_rsaes_pkcs1_v15_decrypt(), rsa_rsaes_oaep_decrypt). Found by Laurent
141     Simon.
142   * Add exponent blinding to RSA private operations as a countermeasure
143     against side-channel attacks like the cache attack described in
144     https://arxiv.org/abs/1702.08719v2.
145     Found and fix proposed by Michael Schwarz, Samuel Weiser, Daniel Gruss,
146     Clémentine Maurice and Stefan Mangard.
147
148Features
149   * Add hardware acceleration support for the Elliptic Curve Point module.
150     This involved exposing parts of the internal interface to enable
151     replacing the core functions and adding and alternative, module level
152     replacement support for enabling the extension of the interface.
153   * Add a new configuration option to 'mbedtls_ssl_config' to enable
154     suppressing the CA list in Certificate Request messages. The default
155     behaviour has not changed, namely every configured CAs name is included.
156
157API Changes
158   * The following functions in the AES module have been deprecated and replaced
159     by the functions shown below. The new functions change the return type from
160     void to int to allow returning error codes when using MBEDTLS_AES_ALT,
161     MBEDTLS_AES_DECRYPT_ALT or MBEDTLS_AES_ENCRYPT_ALT.
162     mbedtls_aes_decrypt() -> mbedtls_internal_aes_decrypt()
163     mbedtls_aes_encrypt() -> mbedtls_internal_aes_encrypt()
164
165Bugfix
166   * Remove macros from compat-1.3.h that correspond to deleted items from most
167     recent versions of the library. Found by Kyle Keen.
168   * Fixed issue in the Threading module that prevented mutexes from
169     initialising. Found by sznaider. #667 #843
170   * Add checks in the PK module for the RSA functions on 64-bit systems.
171     The PK and RSA modules use different types for passing hash length and
172     without these checks the type cast could lead to data loss. Found by Guido
173     Vranken.
174
175= mbed TLS 2.4.2 branch released 2017-03-08
176
177Security
178   * Add checks to prevent signature forgeries for very large messages while
179     using RSA through the PK module in 64-bit systems. The issue was caused by
180     some data loss when casting a size_t to an unsigned int value in the
181     functions rsa_verify_wrap(), rsa_sign_wrap(), rsa_alt_sign_wrap() and
182     mbedtls_pk_sign(). Found by Jean-Philippe Aumasson.
183   * Fixed potential livelock during the parsing of a CRL in PEM format in
184     mbedtls_x509_crl_parse(). A string containing a CRL followed by trailing
185     characters after the footer could result in the execution of an infinite
186     loop. The issue can be triggered remotely. Found by Greg Zaverucha,
187     Microsoft.
188   * Removed MD5 from the allowed hash algorithms for CertificateRequest and
189     CertificateVerify messages, to prevent SLOTH attacks against TLS 1.2.
190     Introduced by interoperability fix for #513.
191   * Fixed a bug that caused freeing a buffer that was allocated on the stack,
192     when verifying the validity of a key on secp224k1. This could be
193     triggered remotely for example with a maliciously constructed certificate
194     and potentially could lead to remote code execution on some platforms.
195     Reported independently by rongsaws and Aleksandar Nikolic, Cisco Talos
196     team. #569 CVE-2017-2784
197
198Bugfix
199   * Fix output certificate verification flags set by x509_crt_verify_top() when
200     traversing a chain of trusted CA. The issue would cause both flags,
201     MBEDTLS_X509_BADCERT_NOT_TRUSTED and MBEDTLS_X509_BADCERT_EXPIRED, to be
202     set when the verification conditions are not met regardless of the cause.
203     Found by Harm Verhagen and inestlerode. #665 #561
204   * Fix the redefinition of macro ssl_set_bio to an undefined symbol
205     mbedtls_ssl_set_bio_timeout in compat-1.3.h, by removing it.
206     Found by omlib-lin. #673
207   * Fix unused variable/function compilation warnings in pem.c, x509_crt.c and
208     x509_csr.c that are reported when building mbed TLS with a config.h that
209     does not define MBEDTLS_PEM_PARSE_C. Found by omnium21. #562
210   * Fix incorrect renegotiation condition in ssl_check_ctr_renegotiate() that
211     would compare 64 bits of the record counter instead of 48 bits as indicated
212     in RFC 6347 Section 4.3.1. This could cause the execution of the
213     renegotiation routines at unexpected times when the protocol is DTLS. Found
214     by wariua. #687
215   * Fixed multiple buffer overreads in mbedtls_pem_read_buffer() when parsing
216     the input string in PEM format to extract the different components. Found
217     by Eyal Itkin.
218   * Fixed potential arithmetic overflow in mbedtls_ctr_drbg_reseed() that could
219     cause buffer bound checks to be bypassed. Found by Eyal Itkin.
220   * Fixed potential arithmetic overflows in mbedtls_cipher_update() that could
221     cause buffer bound checks to be bypassed. Found by Eyal Itkin.
222   * Fixed potential arithmetic overflow in mbedtls_md2_update() that could
223     cause buffer bound checks to be bypassed. Found by Eyal Itkin.
224   * Fixed potential arithmetic overflow in mbedtls_base64_decode() that could
225     cause buffer bound checks to be bypassed. Found by Eyal Itkin.
226   * Fixed heap overreads in mbedtls_x509_get_time(). Found by Peng
227     Li/Yueh-Hsun Lin, KNOX Security, Samsung Research America.
228   * Fix potential memory leak in mbedtls_x509_crl_parse(). The leak was caused
229     by missing calls to mbedtls_pem_free() in cases when a
230     MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT error was encountered. Found and
231     fix proposed by Guido Vranken. #722
232   * Fixed the templates used to generate project and solution files for Visual
233     Studio 2015 as well as the files themselves, to remove a build warning
234     generated in Visual Studio 2015. Reported by Steve Valliere. #742
235   * Fix a resource leak in ssl_cookie, when using MBEDTLS_THREADING_C.
236     Raised and fix suggested by Alan Gillingham in the mbed TLS forum. #771
237   * Fix 1 byte buffer overflow in mbedtls_mpi_write_string() when the MPI
238     number to write in hexadecimal is negative and requires an odd number of
239     digits. Found and fixed by Guido Vranken.
240   * Fix unlisted DES configuration dependency in some pkparse test cases. Found
241     by inestlerode. #555
242
243= mbed TLS 2.4.1 branch released 2016-12-13
244
245Changes
246   * Update to CMAC test data, taken from - NIST Special Publication 800-38B -
247     Recommendation for Block Cipher Modes of Operation: The CMAC Mode for
248     Authentication – October  2016
249
250= mbed TLS 2.4.0 branch released 2016-10-17
251
252Security
253   * Removed the MBEDTLS_SSL_AEAD_RANDOM_IV option, because it was not compliant
254     with RFC-5116 and could lead to session key recovery in very long TLS
255     sessions. "Nonce-Disrespecting Adversaries Practical Forgery Attacks on GCM in
256     TLS" - H. Bock, A. Zauner, S. Devlin, J. Somorovsky, P. Jovanovic.
257     https://eprint.iacr.org/2016/475.pdf
258   * Fixed potential stack corruption in mbedtls_x509write_crt_der() and
259     mbedtls_x509write_csr_der() when the signature is copied to the buffer
260     without checking whether there is enough space in the destination. The
261     issue cannot be triggered remotely. Found by Jethro Beekman.
262
263Features
264   * Added support for CMAC for AES and 3DES and AES-CMAC-PRF-128, as defined by
265     NIST SP 800-38B, RFC-4493 and RFC-4615.
266   * Added hardware entropy selftest to verify that the hardware entropy source
267     is functioning correctly.
268   * Added a script to print build environment info for diagnostic use in test
269     scripts, which is also now called by all.sh.
270   * Added the macro MBEDTLS_X509_MAX_FILE_PATH_LEN that enables the user to
271     configure the maximum length of a file path that can be buffered when
272     calling mbedtls_x509_crt_parse_path().
273   * Added a configuration file config-no-entropy.h that configures the subset of
274     library features that do not require an entropy source.
275   * Added the macro MBEDTLS_ENTROPY_MIN_HARDWARE in config.h. This allows users
276     to configure the minimum number of bytes for entropy sources using the
277     mbedtls_hardware_poll() function.
278
279Bugfix
280   * Fix for platform time abstraction to avoid dependency issues where a build
281     may need time but not the standard C library abstraction, and added
282     configuration consistency checks to check_config.h
283   * Fix dependency issue in Makefile to allow parallel builds.
284   * Fix incorrect handling of block lengths in crypt_and_hash.c sample program,
285     when GCM is used. Found by udf2457. #441
286   * Fix for key exchanges based on ECDH-RSA or ECDH-ECDSA which weren't
287     enabled unless others were also present. Found by David Fernandez. #428
288   * Fix for out-of-tree builds using CMake. Found by jwurzer, and fix based on
289     a contribution from Tobias Tangemann. #541
290   * Fixed cert_app.c sample program for debug output and for use when no root
291     certificates are provided.
292   * Fix conditional statement that would cause a 1 byte overread in
293     mbedtls_asn1_get_int(). Found and fixed by Guido Vranken. #599
294   * Fixed pthread implementation to avoid unintended double initialisations
295     and double frees. Found by Niklas Amnebratt.
296   * Fixed the sample applications gen_key.c, cert_req.c and cert_write.c for
297     builds where the configuration MBEDTLS_PEM_WRITE_C is not defined. Found
298     by inestlerode. #559.
299   * Fix mbedtls_x509_get_sig() to update the ASN1 type in the mbedtls_x509_buf
300     data structure until after error checks are successful. Found by
301     subramanyam-c. #622
302   * Fix documentation and implementation missmatch for function arguments of
303     mbedtls_gcm_finish(). Found by cmiatpaar. #602
304   * Guarantee that P>Q at RSA key generation. Found by inestlerode. #558
305   * Fix potential byte overread when verifying malformed SERVER_HELLO in
306     ssl_parse_hello_verify_request() for DTLS. Found by Guido Vranken.
307   * Fix check for validity of date when parsing in mbedtls_x509_get_time().
308     Found by subramanyam-c. #626
309   * Fix compatibility issue with Internet Explorer client authentication,
310     where the limited hash choices prevented the client from sending its
311     certificate. Found by teumas. #513
312   * Fix compilation without MBEDTLS_SELF_TEST enabled.
313
314Changes
315   * Extended test coverage of special cases, and added new timing test suite.
316   * Removed self-tests from the basic-built-test.sh script, and added all
317     missing self-tests to the test suites, to ensure self-tests are only
318     executed once.
319   * Added support for 3 and 4 byte lengths to mbedtls_asn1_write_len().
320   * Added support for a Yotta specific configuration file -
321     through the symbol YOTTA_CFG_MBEDTLS_TARGET_CONFIG_FILE.
322   * Added optimization for code space for X.509/OID based on configured
323     features. Contributed by Aviv Palivoda.
324   * Renamed source file library/net.c to library/net_sockets.c to avoid
325     naming collision in projects which also have files with the common name
326     net.c. For consistency, the corresponding header file, net.h, is marked as
327     deprecated, and its contents moved to net_sockets.h.
328   * Changed the strategy for X.509 certificate parsing and validation, to no
329     longer disregard certificates with unrecognised fields.
330
331= mbed TLS 2.3.0 branch released 2016-06-28
332
333Security
334   * Fix missing padding length check in mbedtls_rsa_rsaes_pkcs1_v15_decrypt
335     required by PKCS1 v2.2
336   * Fix potential integer overflow to buffer overflow in
337     mbedtls_rsa_rsaes_pkcs1_v15_encrypt and mbedtls_rsa_rsaes_oaep_encrypt
338     (not triggerable remotely in (D)TLS).
339   * Fix a potential integer underflow to buffer overread in
340     mbedtls_rsa_rsaes_oaep_decrypt. It is not triggerable remotely in
341     SSL/TLS.
342
343Features
344   * Support for platform abstraction of the standard C library time()
345     function.
346
347Bugfix
348   * Fix bug in mbedtls_mpi_add_mpi() that caused wrong results when the three
349     arguments where the same (in-place doubling). Found and fixed by Janos
350     Follath. #309
351   * Fix potential build failures related to the 'apidoc' target, introduced
352     in the previous patch release. Found by Robert Scheck. #390 #391
353   * Fix issue in Makefile that prevented building using armar. #386
354   * Fix memory leak that occured only when ECJPAKE was enabled and ECDHE and
355     ECDSA was disabled in config.h . The leak didn't occur by default.
356   * Fix an issue that caused valid certificates to be rejected whenever an
357     expired or not yet valid certificate was parsed before a valid certificate
358     in the trusted certificate list.
359   * Fix bug in mbedtls_x509_crt_parse that caused trailing extra data in the
360     buffer after DER certificates to be included in the raw representation.
361   * Fix issue that caused a hang when generating RSA keys of odd bitlength
362   * Fix bug in mbedtls_rsa_rsaes_pkcs1_v15_encrypt that made null pointer
363     dereference possible.
364   * Fix issue that caused a crash if invalid curves were passed to
365     mbedtls_ssl_conf_curves. #373
366   * Fix issue in ssl_fork_server which was preventing it from functioning. #429
367   * Fix memory leaks in test framework
368   * Fix test in ssl-opt.sh that does not run properly with valgrind
369   * Fix unchecked calls to mmbedtls_md_setup(). Fix by Brian Murray. #502
370
371Changes
372   * On ARM platforms, when compiling with -O0 with GCC, Clang or armcc5,
373     don't use the optimized assembly for bignum multiplication. This removes
374     the need to pass -fomit-frame-pointer to avoid a build error with -O0.
375   * Disabled SSLv3 in the default configuration.
376   * Optimized mbedtls_mpi_zeroize() for MPI integer size. (Fix by Alexey
377     Skalozub).
378   * Fix non-compliance server extension handling. Extensions for SSLv3 are now
379     ignored, as required by RFC6101.
380
381= mbed TLS 2.2.1 released 2016-01-05
382
383Security
384   * Fix potential double free when mbedtls_asn1_store_named_data() fails to
385     allocate memory. Only used for certificate generation, not triggerable
386     remotely in SSL/TLS. Found by Rafał Przywara. #367
387   * Disable MD5 handshake signatures in TLS 1.2 by default to prevent the
388     SLOTH attack on TLS 1.2 server authentication (other attacks from the
389     SLOTH paper do not apply to any version of mbed TLS or PolarSSL).
390     https://www.mitls.org/pages/attacks/SLOTH
391
392Bugfix
393   * Fix over-restrictive length limit in GCM. Found by Andreas-N. #362
394   * Fix bug in certificate validation that caused valid chains to be rejected
395     when the first intermediate certificate has pathLenConstraint=0. Found by
396     Nicholas Wilson. Introduced in mbed TLS 2.2.0. #280
397   * Removed potential leak in mbedtls_rsa_rsassa_pkcs1_v15_sign(), found by
398     JayaraghavendranK. #372
399   * Fix suboptimal handling of unexpected records that caused interop issues
400     with some peers over unreliable links. Avoid dropping an entire DTLS
401     datagram if a single record in a datagram is unexpected, instead only
402     drop the record and look at subsequent records (if any are present) in
403     the same datagram. Found by jeannotlapin. #345
404
405= mbed TLS 2.2.0 released 2015-11-04
406
407Security
408   * Fix potential double free if mbedtls_ssl_conf_psk() is called more than
409     once and some allocation fails. Cannot be forced remotely. Found by Guido
410     Vranken, Intelworks.
411   * Fix potential heap corruption on Windows when
412     mbedtls_x509_crt_parse_path() is passed a path longer than 2GB. Cannot be
413     triggered remotely. Found by Guido Vranken, Intelworks.
414   * Fix potential buffer overflow in some asn1_write_xxx() functions.
415     Cannot be triggered remotely unless you create X.509 certificates based
416     on untrusted input or write keys of untrusted origin. Found by Guido
417     Vranken, Intelworks.
418   * The X509 max_pathlen constraint was not enforced on intermediate
419     certificates. Found by Nicholas Wilson, fix and tests provided by
420     Janos Follath. #280 and #319
421
422Features
423   * Experimental support for EC J-PAKE as defined in Thread 1.0.0.
424     Disabled by default as the specification might still change.
425   * Added a key extraction callback to accees the master secret and key
426     block. (Potential uses include EAP-TLS and Thread.)
427
428Bugfix
429   * Self-signed certificates were not excluded from pathlen counting,
430     resulting in some valid X.509 being incorrectly rejected. Found and fix
431     provided by Janos Follath. #319
432   * Fix build error with configurations where ECDHE-PSK is the only key
433     exchange. Found and fix provided by Chris Hammond. #270
434   * Fix build error with configurations where RSA, RSA-PSK, ECDH-RSA or
435     ECHD-ECDSA if the only key exchange. Multiple reports. #310
436   * Fixed a bug causing some handshakes to fail due to some non-fatal alerts
437     not being properly ignored. Found by mancha and Kasom Koht-arsa, #308
438   * mbedtls_x509_crt_verify(_with_profile)() now also checks the key type and
439     size/curve against the profile. Before that, there was no way to set a
440     minimum key size for end-entity certificates with RSA keys. Found by
441     Matthew Page of Scannex Electronics Ltd.
442   * Fix failures in MPI on Sparc(64) due to use of bad assembly code.
443     Found by Kurt Danielson. #292
444   * Fix typo in name of the extKeyUsage OID. Found by inestlerode, #314
445   * Fix bug in ASN.1 encoding of booleans that caused generated CA
446     certificates to be rejected by some applications, including OS X
447     Keychain. Found and fixed by Jonathan Leroy, Inikup.
448
449Changes
450   * Improved performance of mbedtls_ecp_muladd() when one of the scalars is 1
451     or -1.
452
453= mbed TLS 2.1.2 released 2015-10-06
454
455Security
456   * Added fix for CVE-2015-5291 to prevent heap corruption due to buffer
457     overflow of the hostname or session ticket. Found by Guido Vranken,
458     Intelworks.
459   * Fix potential double-free if mbedtls_ssl_set_hs_psk() is called more than
460     once in the same handhake and mbedtls_ssl_conf_psk() was used.
461     Found and patch provided by Guido Vranken, Intelworks. Cannot be forced
462     remotely.
463   * Fix stack buffer overflow in pkcs12 decryption (used by
464     mbedtls_pk_parse_key(file)() when the password is > 129 bytes.
465     Found by Guido Vranken, Intelworks. Not triggerable remotely.
466   * Fix potential buffer overflow in mbedtls_mpi_read_string().
467     Found by Guido Vranken, Intelworks. Not exploitable remotely in the context
468     of TLS, but might be in other uses. On 32 bit machines, requires reading a
469     string of close to or larger than 1GB to exploit; on 64 bit machines, would
470     require reading a string of close to or larger than 2^62 bytes.
471   * Fix potential random memory allocation in mbedtls_pem_read_buffer()
472     on crafted PEM input data. Found and fix provided by Guido Vranken,
473     Intelworks. Not triggerable remotely in TLS. Triggerable remotely if you
474     accept PEM data from an untrusted source.
475   * Fix possible heap buffer overflow in base64_encoded() when the input
476     buffer is 512MB or larger on 32-bit platforms. Found by Guido Vranken,
477     Intelworks. Not trigerrable remotely in TLS.
478   * Fix potential double-free if mbedtls_conf_psk() is called repeatedly on
479     the same mbedtls_ssl_config object and memory allocation fails. Found by
480     Guido Vranken, Intelworks. Cannot be forced remotely.
481   * Fix potential heap buffer overflow in servers that perform client
482     authentication against a crafted CA cert. Cannot be triggered remotely
483     unless you allow third parties to pick trust CAs for client auth.
484     Found by Guido Vranken, Intelworks.
485
486Bugfix
487   * Fix compile error in net.c with musl libc. Found and patch provided by
488     zhasha (#278).
489   * Fix macroization of 'inline' keyword when building as C++. (#279)
490
491Changes
492   * Added checking of hostname length in mbedtls_ssl_set_hostname() to ensure
493     domain names are compliant with RFC 1035.
494   * Fixed paths for check_config.h in example config files. (Found by bachp)
495     (#291)
496
497= mbed TLS 2.1.1 released 2015-09-17
498
499Security
500   * Add countermeasure against Lenstra's RSA-CRT attack for PKCS#1 v1.5
501     signatures. (Found by Florian Weimer, Red Hat.)
502     https://securityblog.redhat.com/2015/09/02/factoring-rsa-keys-with-tls-perfect-forward-secrecy/
503   * Fix possible client-side NULL pointer dereference (read) when the client
504     tries to continue the handshake after it failed (a misuse of the API).
505     (Found and patch provided by Fabian Foerg, Gotham Digital Science using
506     afl-fuzz.)
507
508Bugfix
509   * Fix warning when using a 64bit platform. (found by embedthis) (#275)
510   * Fix off-by-one error in parsing Supported Point Format extension that
511     caused some handshakes to fail.
512
513Changes
514   * Made X509 profile pointer const in mbedtls_ssl_conf_cert_profile() to allow
515     use of mbedtls_x509_crt_profile_next. (found by NWilson)
516   * When a client initiates a reconnect from the same port as a live
517     connection, if cookie verification is available
518     (MBEDTLS_SSL_DTLS_HELLO_VERIFY defined in config.h, and usable cookie
519     callbacks set with mbedtls_ssl_conf_dtls_cookies()), this will be
520     detected and mbedtls_ssl_read() will return
521     MBEDTLS_ERR_SSL_CLIENT_RECONNECT - it is then possible to start a new
522     handshake with the same context. (See RFC 6347 section 4.2.8.)
523
524= mbed TLS 2.1.0 released 2015-09-04
525
526Features
527   * Added support for yotta as a build system.
528   * Primary open source license changed to Apache 2.0 license.
529
530Bugfix
531   * Fix segfault in the benchmark program when benchmarking DHM.
532   * Fix build error with CMake and pre-4.5 versions of GCC (found by Hugo
533     Leisink).
534   * Fix bug when parsing a ServerHello without extensions (found by David
535     Sears).
536   * Fix bug in CMake lists that caused libmbedcrypto.a not to be installed
537     (found by Benoit Lecocq).
538   * Fix bug in Makefile that caused libmbedcrypto and libmbedx509 not to be
539     installed (found by Rawi666).
540   * Fix compile error with armcc 5 with --gnu option.
541   * Fix bug in Makefile that caused programs not to be installed correctly
542     (found by robotanarchy) (#232).
543   * Fix bug in Makefile that prevented from installing without building the
544     tests (found by robotanarchy) (#232).
545   * Fix missing -static-libgcc when building shared libraries for Windows
546     with make.
547   * Fix link error when building shared libraries for Windows with make.
548   * Fix error when loading libmbedtls.so.
549   * Fix bug in mbedtls_ssl_conf_default() that caused the default preset to
550     be always used (found by dcb314) (#235)
551   * Fix bug in mbedtls_rsa_public() and mbedtls_rsa_private() that could
552     result trying to unlock an unlocked mutex on invalid input (found by
553     Fredrik Axelsson) (#257)
554   * Fix -Wshadow warnings (found by hnrkp) (#240)
555   * Fix memory corruption on client with overlong PSK identity, around
556     SSL_MAX_CONTENT_LEN or higher - not triggerrable remotely (found by
557     Aleksandrs Saveljevs) (#238)
558   * Fix unused function warning when using MBEDTLS_MDx_ALT or
559     MBEDTLS_SHAxxx_ALT (found by Henrik) (#239)
560   * Fix memory corruption in pkey programs (found by yankuncheng) (#210)
561
562Changes
563   * The PEM parser now accepts a trailing space at end of lines (#226).
564   * It is now possible to #include a user-provided configuration file at the
565     end of the default config.h by defining MBEDTLS_USER_CONFIG_FILE on the
566     compiler's command line.
567   * When verifying a certificate chain, if an intermediate certificate is
568     trusted, no later cert is checked. (suggested by hannes-landeholm)
569     (#220).
570   * Prepend a "thread identifier" to debug messages (issue pointed out by
571     Hugo Leisink) (#210).
572   * Add mbedtls_ssl_get_max_frag_len() to query the current maximum fragment
573     length.
574
575= mbed TLS 2.0.0 released 2015-07-13
576
577Features
578   * Support for DTLS 1.0 and 1.2 (RFC 6347).
579   * Ability to override core functions from MDx, SHAx, AES and DES modules
580     with custom implementation (eg hardware accelerated), complementing the
581     ability to override the whole module.
582   * New server-side implementation of session tickets that rotate keys to
583     preserve forward secrecy, and allows sharing across multiple contexts.
584   * Added a concept of X.509 cerificate verification profile that controls
585     which algorithms and key sizes (curves for ECDSA) are acceptable.
586   * Expanded configurability of security parameters in the SSL module with
587     mbedtls_ssl_conf_dhm_min_bitlen() and mbedtls_ssl_conf_sig_hashes().
588   * Introduced a concept of presets for SSL security-relevant configuration
589     parameters.
590
591API Changes
592   * The library has been split into libmbedcrypto, libmbedx509, libmbedtls.
593     You now need to link to all of them if you use TLS for example.
594   * All public identifiers moved to the mbedtls_* or MBEDTLS_* namespace.
595     Some names have been further changed to make them more consistent.
596     Migration helpers scripts/rename.pl and include/mbedlts/compat-1.3.h are
597     provided. Full list of renamings in scripts/data_files/rename-1.3-2.0.txt
598   * Renamings of fields inside structures, not covered by the previous list:
599     mbedtls_cipher_info_t.key_length -> key_bitlen
600     mbedtls_cipher_context_t.key_length -> key_bitlen
601     mbedtls_ecp_curve_info.size -> bit_size
602   * Headers are now found in the 'mbedtls' directory (previously 'polarssl').
603   * The following _init() functions that could return errors have
604     been split into an _init() that returns void and another function that
605     should generally be the first function called on this context after init:
606     mbedtls_ssl_init() -> mbedtls_ssl_setup()
607     mbedtls_ccm_init() -> mbedtls_ccm_setkey()
608     mbedtls_gcm_init() -> mbedtls_gcm_setkey()
609     mbedtls_hmac_drbg_init() -> mbedtls_hmac_drbg_seed(_buf)()
610     mbedtls_ctr_drbg_init()  -> mbedtls_ctr_drbg_seed()
611     Note that for mbedtls_ssl_setup(), you need to be done setting up the
612     ssl_config structure before calling it.
613   * Most ssl_set_xxx() functions (all except ssl_set_bio(), ssl_set_hostname(),
614     ssl_set_session() and ssl_set_client_transport_id(), plus
615     ssl_legacy_renegotiation()) have been renamed to mbedtls_ssl_conf_xxx()
616     (see rename.pl and compat-1.3.h above) and their first argument's type
617     changed from ssl_context to ssl_config.
618   * ssl_set_bio() changed signature (contexts merged, order switched, one
619     additional callback for read-with-timeout).
620   * The following functions have been introduced and must be used in callback
621     implementations (SNI, PSK) instead of their *conf counterparts:
622     mbedtls_ssl_set_hs_own_cert()
623     mbedtls_ssl_set_hs_ca_chain()
624     mbedtls_ssl_set_hs_psk()
625   * mbedtls_ssl_conf_ca_chain() lost its last argument (peer_cn), now set
626     using mbedtls_ssl_set_hostname().
627   * mbedtls_ssl_conf_session_cache() changed prototype (only one context
628     pointer, parameters reordered).
629   * On server, mbedtls_ssl_conf_session_tickets_cb() must now be used in
630     place of mbedtls_ssl_conf_session_tickets() to enable session tickets.
631   * The SSL debug callback gained two new arguments (file name, line number).
632   * Debug modes were removed.
633   * mbedtls_ssl_conf_truncated_hmac() now returns void.
634   * mbedtls_memory_buffer_alloc_init() now returns void.
635   * X.509 verification flags are now an uint32_t. Affect the signature of:
636     mbedtls_ssl_get_verify_result()
637     mbedtls_x509_ctr_verify_info()
638     mbedtls_x509_crt_verify() (flags, f_vrfy -> needs to be updated)
639     mbedtls_ssl_conf_verify() (f_vrfy -> needs to be updated)
640   * The following functions changed prototype to avoid an in-out length
641     parameter:
642     mbedtls_base64_encode()
643     mbedtls_base64_decode()
644     mbedtls_mpi_write_string()
645     mbedtls_dhm_calc_secret()
646   * In the NET module, all "int" and "int *" arguments for file descriptors
647     changed type to "mbedtls_net_context *".
648   * net_accept() gained new arguments for the size of the client_ip buffer.
649   * In the threading layer, mbedtls_mutex_init() and mbedtls_mutex_free() now
650     return void.
651   * ecdsa_write_signature() gained an addtional md_alg argument and
652     ecdsa_write_signature_det() was deprecated.
653   * pk_sign() no longer accepts md_alg == POLARSSL_MD_NONE with ECDSA.
654   * Last argument of x509_crt_check_key_usage() and
655     mbedtls_x509write_crt_set_key_usage() changed from int to unsigned.
656   * test_ca_list (from certs.h) is renamed to test_cas_pem and is only
657     available if POLARSSL_PEM_PARSE_C is defined (it never worked without).
658   * Test certificates in certs.c are no longer guaranteed to be nul-terminated
659     strings; use the new *_len variables instead of strlen().
660   * Functions mbedtls_x509_xxx_parse(), mbedtls_pk_parse_key(),
661     mbedtls_pk_parse_public_key() and mbedtls_dhm_parse_dhm() now expect the
662     length parameter to include the terminating null byte for PEM input.
663   * Signature of mpi_mul_mpi() changed to make the last argument unsigned
664   * calloc() is now used instead of malloc() everywhere. API of platform
665     layer and the memory_buffer_alloc module changed accordingly.
666     (Thanks to Mansour Moufid for helping with the replacement.)
667   * Change SSL_DISABLE_RENEGOTIATION config.h flag to SSL_RENEGOTIATION
668     (support for renegotiation now needs explicit enabling in config.h).
669   * Split MBEDTLS_HAVE_TIME into MBEDTLS_HAVE_TIME and MBEDTLS_HAVE_TIME_DATE
670     in config.h
671   * net_connect() and net_bind() have a new 'proto' argument to choose
672     between TCP and UDP, using the macros NET_PROTO_TCP or NET_PROTO_UDP.
673     Their 'port' argument type is changed to a string.
674   * Some constness fixes
675
676Removals
677   * Removed mbedtls_ecp_group_read_string(). Only named groups are supported.
678   * Removed mbedtls_ecp_sub() and mbedtls_ecp_add(), use
679     mbedtls_ecp_muladd().
680   * Removed individual mdX_hmac, shaX_hmac, mdX_file and shaX_file functions
681     (use generic functions from md.h)
682   * Removed mbedtls_timing_msleep(). Use mbedtls_net_usleep() or a custom
683     waiting function.
684   * Removed test DHM parameters from the test certs module.
685   * Removed the PBKDF2 module (use PKCS5).
686   * Removed POLARSSL_ERROR_STRERROR_BC (use mbedtls_strerror()).
687   * Removed compat-1.2.h (helper for migrating from 1.2 to 1.3).
688   * Removed openssl.h (very partial OpenSSL compatibility layer).
689   * Configuration options POLARSSL_HAVE_LONGLONG was removed (now always on).
690   * Configuration options POLARSSL_HAVE_INT8 and POLARSSL_HAVE_INT16 have
691     been removed (compiler is required to support 32-bit operations).
692   * Configuration option POLARSSL_HAVE_IPV6 was removed (always enabled).
693   * Removed test program o_p_test, the script compat.sh does more.
694   * Removed test program ssl_test, superseded by ssl-opt.sh.
695   * Removed helper script active-config.pl
696
697New deprecations
698   * md_init_ctx() is deprecated in favour of md_setup(), that adds a third
699     argument (allowing memory savings if HMAC is not used)
700
701Semi-API changes (technically public, morally private)
702   * Renamed a few headers to include _internal in the name. Those headers are
703     not supposed to be included by users.
704   * Changed md_info_t into an opaque structure (use md_get_xxx() accessors).
705   * Changed pk_info_t into an opaque structure.
706   * Changed cipher_base_t into an opaque structure.
707   * Removed sig_oid2 and rename sig_oid1 to sig_oid in x509_crt and x509_crl.
708   * x509_crt.key_usage changed from unsigned char to unsigned int.
709   * Removed r and s from ecdsa_context
710   * Removed mode from des_context and des3_context
711
712Default behavior changes
713   * The default minimum TLS version is now TLS 1.0.
714   * RC4 is now blacklisted by default in the SSL/TLS layer, and excluded from the
715     default ciphersuite list returned by ssl_list_ciphersuites()
716   * Support for receiving SSLv2 ClientHello is now disabled by default at
717     compile time.
718   * The default authmode for SSL/TLS clients is now REQUIRED.
719   * Support for RSA_ALT contexts in the PK layer is now optional. Since is is
720     enabled in the default configuration, this is only noticeable if using a
721     custom config.h
722   * Default DHM parameters server-side upgraded from 1024 to 2048 bits.
723   * A minimum RSA key size of 2048 bits is now enforced during ceritificate
724     chain verification.
725   * Negotiation of truncated HMAC is now disabled by default on server too.
726   * The following functions are now case-sensitive:
727     mbedtls_cipher_info_from_string()
728     mbedtls_ecp_curve_info_from_name()
729     mbedtls_md_info_from_string()
730     mbedtls_ssl_ciphersuite_from_string()
731     mbedtls_version_check_feature()
732
733Requirement changes
734   * The minimum MSVC version required is now 2010 (better C99 support).
735   * The NET layer now unconditionnaly relies on getaddrinfo() and select().
736   * Compiler is required to support C99 types such as long long and uint32_t.
737
738API changes from the 1.4 preview branch
739   * ssl_set_bio_timeout() was removed, split into mbedtls_ssl_set_bio() with
740     new prototype, and mbedtls_ssl_set_read_timeout().
741   * The following functions now return void:
742     mbedtls_ssl_conf_transport()
743     mbedtls_ssl_conf_max_version()
744     mbedtls_ssl_conf_min_version()
745   * DTLS no longer hard-depends on TIMING_C, but uses a callback interface
746     instead, see mbedtls_ssl_set_timer_cb(), with the Timing module providing
747     an example implementation, see mbedtls_timing_delay_context and
748     mbedtls_timing_set/get_delay().
749   * With UDP sockets, it is no longer necessary to call net_bind() again
750     after a successful net_accept().
751
752Changes
753   * mbedtls_ctr_drbg_random() and mbedtls_hmac_drbg_random() are now
754     thread-safe if MBEDTLS_THREADING_C is enabled.
755   * Reduced ROM fooprint of SHA-256 and added an option to reduce it even
756     more (at the expense of performance) MBEDTLS_SHA256_SMALLER.
757
758= mbed TLS 1.3 branch
759
760Security
761   * With authmode set to SSL_VERIFY_OPTIONAL, verification of keyUsage and
762     extendedKeyUsage on the leaf certificate was lost (results not accessible
763     via ssl_get_verify_results()).
764   * Add countermeasure against "Lucky 13 strikes back" cache-based attack,
765     https://dl.acm.org/citation.cfm?id=2714625
766
767Features
768   * Improve ECC performance by using more efficient doubling formulas
769     (contributed by Peter Dettman).
770   * Add x509_crt_verify_info() to display certificate verification results.
771   * Add support for reading DH parameters with privateValueLength included
772     (contributed by Daniel Kahn Gillmor).
773   * Add support for bit strings in X.509 names (request by Fredrik Axelsson).
774   * Add support for id-at-uniqueIdentifier in X.509 names.
775   * Add support for overriding snprintf() (except on Windows) and exit() in
776     the platform layer.
777   * Add an option to use macros instead of function pointers in the platform
778     layer (helps get rid of unwanted references).
779   * Improved Makefiles for Windows targets by fixing library targets and making
780     cross-compilation easier (thanks to Alon Bar-Lev).
781   * The benchmark program also prints heap usage for public-key primitives
782     if POLARSSL_MEMORY_BUFFER_ALLOC_C and POLARSSL_MEMORY_DEBUG are defined.
783   * New script ecc-heap.sh helps measuring the impact of ECC parameters on
784     speed and RAM (heap only for now) usage.
785   * New script memory.sh helps measuring the ROM and RAM requirements of two
786     reduced configurations (PSK-CCM and NSA suite B).
787   * Add config flag POLARSSL_DEPRECATED_WARNING (off by default) to produce
788     warnings on use of deprecated functions (with GCC and Clang only).
789   * Add config flag POLARSSL_DEPRECATED_REMOVED (off by default) to produce
790     errors on use of deprecated functions.
791
792Bugfix
793   * Fix compile errors with PLATFORM_NO_STD_FUNCTIONS.
794   * Fix compile error with PLATFORM_EXIT_ALT (thanks to Rafał Przywara).
795   * Fix bug in entropy.c when THREADING_C is also enabled that caused
796     entropy_free() to crash (thanks to Rafał Przywara).
797   * Fix memory leak when gcm_setkey() and ccm_setkey() are used more than
798     once on the same context.
799   * Fix bug in ssl_mail_client when password is longer that username (found
800     by Bruno Pape).
801   * Fix undefined behaviour (memcmp( NULL, NULL, 0 );) in X.509 modules
802     (detected by Clang's 3.6 UBSan).
803   * mpi_size() and mpi_msb() would segfault when called on an mpi that is
804     initialized but not set (found by pravic).
805   * Fix detection of support for getrandom() on Linux (reported by syzzer) by
806     doing it at runtime (using uname) rather that compile time.
807   * Fix handling of symlinks by "make install" (found by Gaël PORTAY).
808   * Fix potential NULL pointer dereference (not trigerrable remotely) when
809     ssl_write() is called before the handshake is finished (introduced in
810     1.3.10) (first reported by Martin Blumenstingl).
811   * Fix bug in pk_parse_key() that caused some valid private EC keys to be
812     rejected.
813   * Fix bug in Via Padlock support (found by Nikos Mavrogiannopoulos).
814   * Fix thread safety bug in RSA operations (found by Fredrik Axelsson).
815   * Fix hardclock() (only used in the benchmarking program) with some
816     versions of mingw64 (found by kxjhlele).
817   * Fix warnings from mingw64 in timing.c (found by kxjklele).
818   * Fix potential unintended sign extension in asn1_get_len() on 64-bit
819     platforms.
820   * Fix potential memory leak in ssl_set_psk() (found by Mansour Moufid).
821   * Fix compile error when POLARSSL_SSL_DISABLE_RENEGOTATION and
822     POLARSSL_SSL_SSESSION_TICKETS where both enabled in config.h (introduced
823     in 1.3.10).
824   * Add missing extern "C" guard in aesni.h (reported by amir zamani).
825   * Add missing dependency on SHA-256 in some x509 programs (reported by
826     Gergely Budai).
827   * Fix bug related to ssl_set_curves(): the client didn't check that the
828     curve picked by the server was actually allowed.
829
830Changes
831   * Remove bias in mpi_gen_prime (contributed by Pascal Junod).
832   * Remove potential sources of timing variations (some contributed by Pascal
833     Junod).
834   * Options POLARSSL_HAVE_INT8 and POLARSSL_HAVE_INT16 are deprecated.
835   * Enabling POLARSSL_NET_C without POLARSSL_HAVE_IPV6 is deprecated.
836   * compat-1.2.h and openssl.h are deprecated.
837   * Adjusting/overriding CFLAGS and LDFLAGS with the make build system is now
838     more flexible (warning: OFLAGS is not used any more) (see the README)
839     (contributed by Alon Bar-Lev).
840   * ssl_set_own_cert() no longer calls pk_check_pair() since the
841     performance impact was bad for some users (this was introduced in 1.3.10).
842   * Move from SHA-1 to SHA-256 in example programs using signatures
843     (suggested by Thorsten Mühlfelder).
844   * Remove some unneeded inclusions of header files from the standard library
845     "minimize" others (eg use stddef.h if only size_t is needed).
846   * Change #include lines in test files to use double quotes instead of angle
847     brackets for uniformity with the rest of the code.
848   * Remove dependency on sscanf() in X.509 parsing modules.
849
850= mbed TLS 1.3.10 released 2015-02-09
851Security
852   * NULL pointer dereference in the buffer-based allocator when the buffer is
853     full and polarssl_free() is called (found by Mark Hasemeyer)
854     (only possible if POLARSSL_MEMORY_BUFFER_ALLOC_C is enabled, which it is
855     not by default).
856   * Fix remotely-triggerable uninitialised pointer dereference caused by
857     crafted X.509 certificate (TLS server is not affected if it doesn't ask for a
858     client certificate) (found using Codenomicon Defensics).
859   * Fix remotely-triggerable memory leak caused by crafted X.509 certificates
860     (TLS server is not affected if it doesn't ask for a client certificate)
861     (found using Codenomicon Defensics).
862   * Fix potential stack overflow while parsing crafted X.509 certificates
863     (TLS server is not affected if it doesn't ask for a client certificate)
864     (found using Codenomicon Defensics).
865   * Fix timing difference that could theoretically lead to a
866     Bleichenbacher-style attack in the RSA and RSA-PSK key exchanges
867     (reported by Sebastian Schinzel).
868
869Features
870   * Add support for FALLBACK_SCSV (draft-ietf-tls-downgrade-scsv).
871   * Add support for Extended Master Secret (draft-ietf-tls-session-hash).
872   * Add support for Encrypt-then-MAC (RFC 7366).
873   * Add function pk_check_pair() to test if public and private keys match.
874   * Add x509_crl_parse_der().
875   * Add compile-time option POLARSSL_X509_MAX_INTERMEDIATE_CA to limit the
876     length of an X.509 verification chain.
877   * Support for renegotiation can now be disabled at compile-time
878   * Support for 1/n-1 record splitting, a countermeasure against BEAST.
879   * Certificate selection based on signature hash, preferring SHA-1 over SHA-2
880     for pre-1.2 clients when multiple certificates are available.
881   * Add support for getrandom() syscall on recent Linux kernels with Glibc or
882     a compatible enough libc (eg uClibc).
883   * Add ssl_set_arc4_support() to make it easier to disable RC4 at runtime
884     while using the default ciphersuite list.
885   * Added new error codes and debug messages about selection of
886     ciphersuite/certificate.
887
888Bugfix
889   * Stack buffer overflow if ctr_drbg_update() is called with too large
890     add_len (found by Jean-Philippe Aumasson) (not triggerable remotely).
891   * Possible buffer overflow of length at most POLARSSL_MEMORY_ALIGN_MULTIPLE
892     if memory_buffer_alloc_init() was called with buf not aligned and len not
893     a multiple of POLARSSL_MEMORY_ALIGN_MULTIPLE (not triggerable remotely).
894   * User set CFLAGS were ignored by Cmake with gcc (introduced in 1.3.9, found
895     by Julian Ospald).
896   * Fix potential undefined behaviour in Camellia.
897   * Fix potential failure in ECDSA signatures when POLARSSL_ECP_MAX_BITS is a
898     multiple of 8 (found by Gergely Budai).
899   * Fix unchecked return code in x509_crt_parse_path() on Windows (found by
900     Peter Vaskovic).
901   * Fix assembly selection for MIPS64 (thanks to James Cowgill).
902   * ssl_get_verify_result() now works even if the handshake was aborted due
903     to a failed verification (found by Fredrik Axelsson).
904   * Skip writing and parsing signature_algorithm extension if none of the
905     key exchanges enabled needs certificates. This fixes a possible interop
906     issue with some servers when a zero-length extension was sent. (Reported
907     by Peter Dettman.)
908   * On a 0-length input, base64_encode() did not correctly set output length
909     (found by Hendrik van den Boogaard).
910
911Changes
912   * Use deterministic nonces for AEAD ciphers in TLS by default (possible to
913     switch back to random with POLARSSL_SSL_AEAD_RANDOM_IV in config.h).
914   * Blind RSA private operations even when POLARSSL_RSA_NO_CRT is defined.
915   * ssl_set_own_cert() now returns an error on key-certificate mismatch.
916   * Forbid repeated extensions in X.509 certificates.
917   * debug_print_buf() now prints a text view in addition to hexadecimal.
918   * A specific error is now returned when there are ciphersuites in common
919     but none of them is usable due to external factors such as no certificate
920     with a suitable (extended)KeyUsage or curve or no PSK set.
921   * It is now possible to disable negotiation of truncated HMAC server-side
922     at runtime with ssl_set_truncated_hmac().
923   * Example programs for SSL client and server now disable SSLv3 by default.
924   * Example programs for SSL client and server now disable RC4 by default.
925   * Use platform.h in all test suites and programs.
926
927= PolarSSL 1.3.9 released 2014-10-20
928Security
929   * Lowest common hash was selected from signature_algorithms extension in
930     TLS 1.2 (found by Darren Bane) (introduced in 1.3.8).
931   * Remotely-triggerable memory leak when parsing some X.509 certificates
932     (server is not affected if it doesn't ask for a client certificate)
933     (found using Codenomicon Defensics).
934   * Remotely-triggerable memory leak when parsing crafted ClientHello
935     (not affected if ECC support was compiled out) (found using Codenomicon
936     Defensics).
937
938Bugfix
939   * Support escaping of commas in x509_string_to_names()
940   * Fix compile error in ssl_pthread_server (found by Julian Ospald).
941   * Fix net_accept() regarding non-blocking sockets (found by Luca Pesce).
942   * Don't print uninitialised buffer in ssl_mail_client (found by Marc Abel).
943   * Fix warnings from Clang's scan-build (contributed by Alfred Klomp).
944   * Fix compile error in timing.c when POLARSSL_NET_C and POLARSSL_SELFTEST
945     are defined but not POLARSSL_HAVE_TIME (found by Stephane Di Vito).
946   * Remove non-existent file from VS projects (found by Peter Vaskovic).
947   * ssl_read() could return non-application data records on server while
948     renegotation was pending, and on client when a HelloRequest was received.
949   * Server-initiated renegotiation would fail with non-blocking I/O if the
950     write callback returned WANT_WRITE when requesting renegotiation.
951   * ssl_close_notify() could send more than one message in some circumstances
952     with non-blocking I/O.
953   * Fix compiler warnings on iOS (found by Sander Niemeijer).
954   * x509_crt_parse() did not increase total_failed on PEM error
955   * Fix compile error with armcc in mpi_is_prime()
956   * Fix potential bad read in parsing ServerHello (found by Adrien
957     Vialletelle).
958
959Changes
960   * Ciphersuites using SHA-256 or SHA-384 now require TLS 1.x (there is no
961     standard defining how to use SHA-2 with SSL 3.0).
962   * Ciphersuites using RSA-PSK key exchange new require TLS 1.x (the spec is
963     ambiguous on how to encode some packets with SSL 3.0).
964   * Made buffer size in pk_write_(pub)key_pem() more dynamic, eg smaller if
965     RSA is disabled, larger if POLARSSL_MPI_MAX_SIZE is larger.
966   * ssl_read() now returns POLARSSL_ERR_NET_WANT_READ rather than
967     POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE on harmless alerts.
968   * POLARSSL_MPI_MAX_SIZE now defaults to 1024 in order to allow 8192 bits
969     RSA keys.
970   * Accept spaces at end of line or end of buffer in base64_decode().
971   * X.509 certificates with more than one AttributeTypeAndValue per
972     RelativeDistinguishedName are not accepted any more.
973
974= PolarSSL 1.3.8 released 2014-07-11
975Security
976   * Fix length checking for AEAD ciphersuites (found by Codenomicon).
977     It was possible to crash the server (and client) using crafted messages
978     when a GCM suite was chosen.
979
980Features
981   * Add CCM module and cipher mode to Cipher Layer
982   * Support for CCM and CCM_8 ciphersuites
983   * Support for parsing and verifying RSASSA-PSS signatures in the X.509
984     modules (certificates, CRLs and CSRs).
985   * Blowfish in the cipher layer now supports variable length keys.
986   * Add example config.h for PSK with CCM, optimized for low RAM usage.
987   * Optimize for RAM usage in example config.h for NSA Suite B profile.
988   * Add POLARSSL_REMOVE_ARC4_CIPHERSUITES to allow removing RC4 ciphersuites
989     from the default list (inactive by default).
990   * Add server-side enforcement of sent renegotiation requests
991     (ssl_set_renegotiation_enforced())
992   * Add SSL_CIPHERSUITES config.h flag to allow specifying a list of
993     ciphersuites to use and save some memory if the list is small.
994
995Changes
996   * Add LINK_WITH_PTHREAD option in CMake for explicit linking that is
997     required on some platforms (e.g. OpenBSD)
998   * Migrate zeroizing of data to polarssl_zeroize() instead of memset()
999     against unwanted compiler optimizations
1000   * md_list() now returns hashes strongest first
1001   * Selection of hash for signing ServerKeyExchange in TLS 1.2 now picks
1002     strongest offered by client.
1003   * All public contexts have _init() and _free() functions now for simpler
1004     usage pattern
1005
1006Bugfix
1007   * Fix in debug_print_msg()
1008   * Enforce alignment in the buffer allocator even if buffer is not aligned
1009   * Remove less-than-zero checks on unsigned numbers
1010   * Stricter check on SSL ClientHello internal sizes compared to actual packet
1011     size (found by TrustInSoft)
1012   * Fix WSAStartup() return value check (found by Peter Vaskovic)
1013   * Other minor issues (found by Peter Vaskovic)
1014   * Fix symlink command for cross compiling with CMake (found by Andre
1015     Heinecke)
1016   * Fix DER output of gen_key app (found by Gergely Budai)
1017   * Very small records were incorrectly rejected when truncated HMAC was in
1018     use with some ciphersuites and versions (RC4 in all versions, CBC with
1019     versions < TLS 1.1).
1020   * Very large records using more than 224 bytes of padding were incorrectly
1021     rejected with CBC-based ciphersuites and TLS >= 1.1
1022   * Very large records using less padding could cause a buffer overread of up
1023     to 32 bytes with CBC-based ciphersuites and TLS >= 1.1
1024   * Restore ability to use a v1 cert as a CA if trusted locally. (This had
1025     been removed in 1.3.6.)
1026   * Restore ability to locally trust a self-signed cert that is not a proper
1027     CA for use as an end entity certificate. (This had been removed in
1028     1.3.6.)
1029   * Fix preprocessor checks for bn_mul PPC asm (found by Barry K. Nathan).
1030   * Use \n\t rather than semicolons for bn_mul asm, since some assemblers
1031     interpret semicolons as comment delimiters (found by Barry K. Nathan).
1032   * Fix off-by-one error in parsing Supported Point Format extension that
1033     caused some handshakes to fail.
1034   * Fix possible miscomputation of the premaster secret with DHE-PSK key
1035     exchange that caused some handshakes to fail with other implementations.
1036     (Failure rate <= 1/255 with common DHM moduli.)
1037   * Disable broken Sparc64 bn_mul assembly (found by Florian Obser).
1038   * Fix base64_decode() to return and check length correctly (in case of
1039     tight buffers)
1040   * Fix mpi_write_string() to write "00" as hex output for empty MPI (found
1041     by Hui Dong)
1042
1043= PolarSSL 1.3.7 released on 2014-05-02
1044Features
1045   * debug_set_log_mode() added to determine raw or full logging
1046   * debug_set_threshold() added to ignore messages over threshold level
1047   * version_check_feature() added to check for compile-time options at
1048     run-time
1049
1050Changes
1051   * POLARSSL_CONFIG_OPTIONS has been removed. All values are individually
1052     checked and filled in the relevant module headers
1053   * Debug module only outputs full lines instead of parts
1054   * Better support for the different Attribute Types from IETF PKIX (RFC 5280)
1055   * AES-NI now compiles with "old" assemblers too
1056   * Ciphersuites based on RC4 now have the lowest priority by default
1057
1058Bugfix
1059   * Only iterate over actual certificates in ssl_write_certificate_request()
1060     (found by Matthew Page)
1061   * Typos in platform.c and pkcs11.c (found by Daniel Phillips and Steffan
1062     Karger)
1063   * cert_write app should use subject of issuer certificate as issuer of cert
1064   * Fix false reject in padding check in ssl_decrypt_buf() for CBC
1065     ciphersuites, for full SSL frames of data.
1066   * Improve interoperability by not writing extension length in ClientHello /
1067     ServerHello when no extensions are present (found by Matthew Page)
1068   * rsa_check_pubkey() now allows an E up to N
1069   * On OpenBSD, use arc4random_buf() instead of rand() to prevent warnings
1070   * mpi_fill_random() was creating numbers larger than requested on
1071     big-endian platform when size was not an integer number of limbs
1072   * Fix dependencies issues in X.509 test suite.
1073   * Some parts of ssl_tls.c were compiled even when the module was disabled.
1074   * Fix detection of DragonflyBSD in net.c (found by Markus Pfeiffer)
1075   * Fix detection of Clang on some Apple platforms with CMake
1076     (found by Barry K. Nathan)
1077
1078= PolarSSL 1.3.6 released on 2014-04-11
1079
1080Features
1081   * Support for the ALPN SSL extension
1082   * Add option 'use_dev_random' to gen_key application
1083   * Enable verification of the keyUsage extension for CA and leaf
1084     certificates (POLARSSL_X509_CHECK_KEY_USAGE)
1085   * Enable verification of the extendedKeyUsage extension
1086     (POLARSSL_X509_CHECK_EXTENDED_KEY_USAGE)
1087
1088Changes
1089   * x509_crt_info() now prints information about parsed extensions as well
1090   * pk_verify() now returns a specific error code when the signature is valid
1091     but shorter than the supplied length.
1092   * Use UTC time to check certificate validity.
1093   * Reject certificates with times not in UTC, per RFC 5280.
1094
1095Security
1096   * Avoid potential timing leak in ecdsa_sign() by blinding modular division.
1097     (Found by Watson Ladd.)
1098   * The notAfter date of some certificates was no longer checked since 1.3.5.
1099     This affects certificates in the user-supplied chain except the top
1100     certificate. If the user-supplied chain contains only one certificates,
1101     it is not affected (ie, its notAfter date is properly checked).
1102   * Prevent potential NULL pointer dereference in ssl_read_record() (found by
1103     TrustInSoft)
1104
1105Bugfix
1106   * The length of various ClientKeyExchange messages was not properly checked.
1107   * Some example server programs were not sending the close_notify alert.
1108   * Potential memory leak in mpi_exp_mod() when error occurs during
1109     calculation of RR.
1110   * Fixed malloc/free default #define in platform.c (found by Gergely Budai).
1111   * Fixed type which made POLARSSL_ENTROPY_FORCE_SHA256 uneffective (found by
1112     Gergely Budai).
1113   * Fix #include path in ecdsa.h which wasn't accepted by some compilers.
1114     (found by Gergely Budai)
1115   * Fix compile errors when POLARSSL_ERROR_STRERROR_BC is undefined (found by
1116     Shuo Chen).
1117   * oid_get_numeric_string() used to truncate the output without returning an
1118     error if the output buffer was just 1 byte too small.
1119   * dhm_parse_dhm() (hence dhm_parse_dhmfile()) did not set dhm->len.
1120   * Calling pk_debug() on an RSA-alt key would segfault.
1121   * pk_get_size() and pk_get_len() were off by a factor 8 for RSA-alt keys.
1122   * Potential buffer overwrite in pem_write_buffer() because of low length
1123     indication (found by Thijs Alkemade)
1124   * EC curves constants, which should be only in ROM since 1.3.3, were also
1125     stored in RAM due to missing 'const's (found by Gergely Budai).
1126
1127= PolarSSL 1.3.5 released on 2014-03-26
1128Features
1129   * HMAC-DRBG as a separate module
1130   * Option to set the Curve preference order (disabled by default)
1131   * Single Platform compatilibity layer (for memory / printf / fprintf)
1132   * Ability to provide alternate timing implementation
1133   * Ability to force the entropy module to use SHA-256 as its basis
1134     (POLARSSL_ENTROPY_FORCE_SHA256)
1135   * Testing script ssl-opt.sh added for testing 'live' ssl option
1136     interoperability against OpenSSL and PolarSSL
1137   * Support for reading EC keys that use SpecifiedECDomain in some cases.
1138   * Entropy module now supports seed writing and reading
1139
1140Changes
1141   * Deprecated the Memory layer
1142   * entropy_add_source(), entropy_update_manual() and entropy_gather()
1143     now thread-safe if POLARSSL_THREADING_C defined
1144   * Improvements to the CMake build system, contributed by Julian Ospald.
1145   * Work around a bug of the version of Clang shipped by Apple with Mavericks
1146     that prevented bignum.c from compiling. (Reported by Rafael Baptista.)
1147   * Revamped the compat.sh interoperatibility script to include support for
1148     testing against GnuTLS
1149   * Deprecated ssl_set_own_cert_rsa() and ssl_set_own_cert_rsa_alt()
1150   * Improvements to tests/Makefile, contributed by Oden Eriksson.
1151
1152Security
1153   * Forbid change of server certificate during renegotiation to prevent
1154     "triple handshake" attack when authentication mode is 'optional' (the
1155     attack was already impossible when authentication is required).
1156   * Check notBefore timestamp of certificates and CRLs from the future.
1157   * Forbid sequence number wrapping
1158   * Fixed possible buffer overflow with overlong PSK
1159   * Possible remotely-triggered out-of-bounds memory access fixed (found by
1160     TrustInSoft)
1161
1162Bugfix
1163   * ecp_gen_keypair() does more tries to prevent failure because of
1164     statistics
1165   * Fixed bug in RSA PKCS#1 v1.5 "reversed" operations
1166   * Fixed testing with out-of-source builds using cmake
1167   * Fixed version-major intolerance in server
1168   * Fixed CMake symlinking on out-of-source builds
1169   * Fixed dependency issues in test suite
1170   * Programs rsa_sign_pss and rsa_verify_pss were not using PSS since 1.3.0
1171   * Bignum's MIPS-32 assembly was used on MIPS-64, causing chaos. (Found by
1172     Alex Wilson.)
1173   * ssl_cache was creating entries when max_entries=0 if TIMING_C was enabled.
1174   * m_sleep() was sleeping twice too long on most Unix platforms.
1175   * Fixed bug with session tickets and non-blocking I/O in the unlikely case
1176     send() would return an EAGAIN error when sending the ticket.
1177   * ssl_cache was leaking memory when reusing a timed out entry containing a
1178     client certificate.
1179   * ssl_srv was leaking memory when client presented a timed out ticket
1180     containing a client certificate
1181   * ssl_init() was leaving a dirty pointer in ssl_context if malloc of
1182     out_ctr failed
1183   * ssl_handshake_init() was leaving dirty pointers in subcontexts if malloc
1184     of one of them failed
1185   * Fix typo in rsa_copy() that impacted PKCS#1 v2 contexts
1186   * x509_get_current_time() uses localtime_r() to prevent thread issues
1187
1188= PolarSSL 1.3.4 released on 2014-01-27
1189Features
1190   * Support for the Koblitz curves: secp192k1, secp224k1, secp256k1
1191   * Support for RIPEMD-160
1192   * Support for AES CFB8 mode
1193   * Support for deterministic ECDSA (RFC 6979)
1194
1195Bugfix
1196   * Potential memory leak in bignum_selftest()
1197   * Replaced expired test certificate
1198   * ssl_mail_client now terminates lines with CRLF, instead of LF
1199   * net module handles timeouts on blocking sockets better (found by Tilman
1200     Sauerbeck)
1201   * Assembly format fixes in bn_mul.h
1202
1203Security
1204   * Missing MPI_CHK calls added around unguarded mpi calls (found by
1205     TrustInSoft)
1206
1207= PolarSSL 1.3.3 released on 2013-12-31
1208Features
1209   * EC key generation support in gen_key app
1210   * Support for adhering to client ciphersuite order preference
1211     (POLARSSL_SSL_SRV_RESPECT_CLIENT_PREFERENCE)
1212   * Support for Curve25519
1213   * Support for ECDH-RSA and ECDH-ECDSA key exchanges and ciphersuites
1214   * Support for IPv6 in the NET module
1215   * AES-NI support for AES, AES-GCM and AES key scheduling
1216   * SSL Pthread-based server example added (ssl_pthread_server)
1217
1218Changes
1219   * gen_prime() speedup
1220   * Speedup of ECP multiplication operation
1221   * Relaxed some SHA2 ciphersuite's version requirements
1222   * Dropped use of readdir_r() instead of readdir() with threading support
1223   * More constant-time checks in the RSA module
1224   * Split off curves from ecp.c into ecp_curves.c
1225   * Curves are now stored fully in ROM
1226   * Memory usage optimizations in ECP module
1227   * Removed POLARSSL_THREADING_DUMMY
1228
1229Bugfix
1230   * Fixed bug in mpi_set_bit() on platforms where t_uint is wider than int
1231   * Fixed X.509 hostname comparison (with non-regular characters)
1232   * SSL now gracefully handles missing RNG
1233   * Missing defines / cases for RSA_PSK key exchange
1234   * crypt_and_hash app checks MAC before final decryption
1235   * Potential memory leak in ssl_ticket_keys_init()
1236   * Memory leak in benchmark application
1237   * Fixed x509_crt_parse_path() bug on Windows platforms
1238   * Added missing MPI_CHK() around some statements in mpi_div_mpi() (found by
1239     TrustInSoft)
1240   * Fixed potential overflow in certificate size verification in
1241     ssl_write_certificate() (found by TrustInSoft)
1242
1243Security
1244   * Possible remotely-triggered out-of-bounds memory access fixed (found by
1245     TrustInSoft)
1246
1247= PolarSSL 1.3.2 released on 2013-11-04
1248Features
1249   * PK tests added to test framework
1250   * Added optional optimization for NIST MODP curves (POLARSSL_ECP_NIST_OPTIM)
1251   * Support for Camellia-GCM mode and ciphersuites
1252
1253Changes
1254   * Padding checks in cipher layer are now constant-time
1255   * Value comparisons in SSL layer are now constant-time
1256   * Support for serialNumber, postalAddress and postalCode in X509 names
1257   * SSL Renegotiation was refactored
1258
1259Bugfix
1260   * More stringent checks in cipher layer
1261   * Server does not send out extensions not advertised by client
1262   * Prevent possible alignment warnings on casting from char * to 'aligned *'
1263   * Misc fixes and additions to dependency checks
1264   * Const correctness
1265   * cert_write with selfsign should use issuer_name as subject_name
1266   * Fix ECDSA corner case: missing reduction mod N (found by DualTachyon)
1267   * Defines to handle UEFI environment under MSVC
1268   * Server-side initiated renegotiations send HelloRequest
1269
1270= PolarSSL 1.3.1 released on 2013-10-15
1271Features
1272   * Support for Brainpool curves and TLS ciphersuites (RFC 7027)
1273   * Support for ECDHE-PSK key-exchange and ciphersuites
1274   * Support for RSA-PSK key-exchange and ciphersuites
1275
1276Changes
1277   * RSA blinding locks for a smaller amount of time
1278   * TLS compression only allocates working buffer once
1279   * Introduced POLARSSL_HAVE_READDIR_R for systems without it
1280   * config.h is more script-friendly
1281
1282Bugfix
1283   * Missing MSVC defines added
1284   * Compile errors with POLARSSL_RSA_NO_CRT
1285   * Header files with 'polarssl/'
1286   * Const correctness
1287   * Possible naming collision in dhm_context
1288   * Better support for MSVC
1289   * threading_set_alt() name
1290   * Added missing x509write_crt_set_version()
1291
1292= PolarSSL 1.3.0 released on 2013-10-01
1293Features
1294   * Elliptic Curve Cryptography module added
1295   * Elliptic Curve Diffie Hellman module added
1296   * Ephemeral Elliptic Curve Diffie Hellman support for SSL/TLS
1297    (ECDHE-based ciphersuites)
1298   * Ephemeral Elliptic Curve Digital Signature Algorithm support for SSL/TLS
1299    (ECDSA-based ciphersuites)
1300   * Ability to specify allowed ciphersuites based on the protocol version.
1301   * PSK and DHE-PSK based ciphersuites added
1302   * Memory allocation abstraction layer added
1303   * Buffer-based memory allocator added (no malloc() / free() / HEAP usage)
1304   * Threading abstraction layer added (dummy / pthread / alternate)
1305   * Public Key abstraction layer added
1306   * Parsing Elliptic Curve keys
1307   * Parsing Elliptic Curve certificates
1308   * Support for max_fragment_length extension (RFC 6066)
1309   * Support for truncated_hmac extension (RFC 6066)
1310   * Support for zeros-and-length (ANSI X.923) padding, one-and-zeros
1311     (ISO/IEC 7816-4) padding and zero padding in the cipher layer
1312   * Support for session tickets (RFC 5077)
1313   * Certificate Request (CSR) generation with extensions (key_usage,
1314     ns_cert_type)
1315   * X509 Certificate writing with extensions (basic_constraints,
1316     issuer_key_identifier, etc)
1317   * Optional blinding for RSA, DHM and EC
1318   * Support for multiple active certificate / key pairs in SSL servers for
1319   	 the same host (Not to be confused with SNI!)
1320
1321Changes
1322   * Ability to enable / disable SSL v3 / TLS 1.0 / TLS 1.1 / TLS 1.2
1323     individually
1324   * Introduced separate SSL Ciphersuites module that is based on
1325     Cipher and MD information
1326   * Internals for SSL module adapted to have separate IV pointer that is
1327     dynamically set (Better support for hardware acceleration)
1328   * Moved all OID functionality to a separate module. RSA function
1329     prototypes for the RSA sign and verify functions changed as a result
1330   * Split up the GCM module into a starts/update/finish cycle
1331   * Client and server now filter sent and accepted ciphersuites on minimum
1332     and maximum protocol version
1333   * Ability to disable server_name extension (RFC 6066)
1334   * Renamed error_strerror() to the less conflicting polarssl_strerror()
1335     (Ability to keep old as well with POLARSSL_ERROR_STRERROR_BC)
1336   * SHA2 renamed to SHA256, SHA4 renamed to SHA512 and functions accordingly
1337   * All RSA operations require a random generator for blinding purposes
1338   * X509 core refactored
1339   * x509_crt_verify() now case insensitive for cn (RFC 6125 6.4)
1340   * Also compiles / runs without time-based functions (!POLARSSL_HAVE_TIME)
1341   * Support faulty X509 v1 certificates with extensions
1342     (POLARSSL_X509_ALLOW_EXTENSIONS_NON_V3)
1343
1344Bugfix
1345   * Fixed parse error in ssl_parse_certificate_request()
1346   * zlib compression/decompression skipped on empty blocks
1347   * Support for AIX header locations in net.c module
1348   * Fixed file descriptor leaks
1349
1350Security
1351   * RSA blinding on CRT operations to counter timing attacks
1352     (found by Cyril Arnaud and Pierre-Alain Fouque)
1353
1354
1355= Version 1.2.14 released 2015-05-??
1356
1357Security
1358   * Fix potential invalid memory read in the server, that allows a client to
1359     crash it remotely (found by Caj Larsson).
1360   * Fix potential invalid memory read in certificate parsing, that allows a
1361     client to crash the server remotely if client authentication is enabled
1362     (found using Codenomicon Defensics).
1363   * Add countermeasure against "Lucky 13 strikes back" cache-based attack,
1364     https://dl.acm.org/citation.cfm?id=2714625
1365
1366Bugfix
1367   * Fix bug in Via Padlock support (found by Nikos Mavrogiannopoulos).
1368   * Fix hardclock() (only used in the benchmarking program) with some
1369     versions of mingw64 (found by kxjhlele).
1370   * Fix warnings from mingw64 in timing.c (found by kxjklele).
1371   * Fix potential unintended sign extension in asn1_get_len() on 64-bit
1372     platforms (found with Coverity Scan).
1373
1374= Version 1.2.13 released 2015-02-16
1375Note: Although PolarSSL has been renamed to mbed TLS, no changes reflecting
1376      this will be made in the 1.2 branch at this point.
1377
1378Security
1379   * Fix remotely-triggerable uninitialised pointer dereference caused by
1380     crafted X.509 certificate (TLS server is not affected if it doesn't ask
1381     for a client certificate) (found using Codenomicon Defensics).
1382   * Fix remotely-triggerable memory leak caused by crafted X.509 certificates
1383     (TLS server is not affected if it doesn't ask for a client certificate)
1384     (found using Codenomicon Defensics).
1385   * Fix potential stack overflow while parsing crafted X.509 certificates
1386     (TLS server is not affected if it doesn't ask for a client certificate)
1387     found using Codenomicon Defensics).
1388   * Fix buffer overread of size 1 when parsing crafted X.509 certificates
1389     (TLS server is not affected if it doesn't ask for a client certificate).
1390
1391Bugfix
1392   * Fix potential undefined behaviour in Camellia.
1393   * Fix memory leaks in PKCS#5 and PKCS#12.
1394   * Stack buffer overflow if ctr_drbg_update() is called with too large
1395     add_len (found by Jean-Philippe Aumasson) (not triggerable remotely).
1396   * Fix bug in MPI/bignum on s390/s390x (reported by Dan Horák) (introduced
1397     in 1.2.12).
1398   * Fix unchecked return code in x509_crt_parse_path() on Windows (found by
1399     Peter Vaskovic).
1400   * Fix assembly selection for MIPS64 (thanks to James Cowgill).
1401   * ssl_get_verify_result() now works even if the handshake was aborted due
1402     to a failed verification (found by Fredrik Axelsson).
1403   * Skip writing and parsing signature_algorithm extension if none of the
1404     key exchanges enabled needs certificates. This fixes a possible interop
1405     issue with some servers when a zero-length extension was sent. (Reported
1406     by Peter Dettman.)
1407   * On a 0-length input, base64_encode() did not correctly set output length
1408     (found by Hendrik van den Boogaard).
1409
1410Changes
1411   * Blind RSA private operations even when POLARSSL_RSA_NO_CRT is defined.
1412   * Forbid repeated extensions in X.509 certificates.
1413   * Add compile-time option POLARSSL_X509_MAX_INTERMEDIATE_CA to limit the
1414     length of an X.509 verification chain (default = 8).
1415= Version 1.2.12 released 2014-10-24
1416
1417Security
1418   * Remotely-triggerable memory leak when parsing some X.509 certificates
1419     (server is not affected if it doesn't ask for a client certificate).
1420     (Found using Codenomicon Defensics.)
1421
1422Bugfix
1423   * Fix potential bad read in parsing ServerHello (found by Adrien
1424     Vialletelle).
1425   * ssl_close_notify() could send more than one message in some circumstances
1426     with non-blocking I/O.
1427   * x509_crt_parse() did not increase total_failed on PEM error
1428   * Fix compiler warnings on iOS (found by Sander Niemeijer).
1429   * Don't print uninitialised buffer in ssl_mail_client (found by Marc Abel).
1430   * Fix net_accept() regarding non-blocking sockets (found by Luca Pesce).
1431   * ssl_read() could return non-application data records on server while
1432     renegotation was pending, and on client when a HelloRequest was received.
1433   * Fix warnings from Clang's scan-build (contributed by Alfred Klomp).
1434
1435Changes
1436   * X.509 certificates with more than one AttributeTypeAndValue per
1437     RelativeDistinguishedName are not accepted any more.
1438   * ssl_read() now returns POLARSSL_ERR_NET_WANT_READ rather than
1439     POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE on harmless alerts.
1440   * Accept spaces at end of line or end of buffer in base64_decode().
1441
1442= Version 1.2.11 released 2014-07-11
1443Features
1444   * Entropy module now supports seed writing and reading
1445
1446Changes
1447   * Introduced POLARSSL_HAVE_READDIR_R for systems without it
1448   * Improvements to the CMake build system, contributed by Julian Ospald.
1449   * Work around a bug of the version of Clang shipped by Apple with Mavericks
1450     that prevented bignum.c from compiling. (Reported by Rafael Baptista.)
1451   * Improvements to tests/Makefile, contributed by Oden Eriksson.
1452   * Use UTC time to check certificate validity.
1453   * Reject certificates with times not in UTC, per RFC 5280.
1454   * Migrate zeroizing of data to polarssl_zeroize() instead of memset()
1455     against unwanted compiler optimizations
1456
1457Security
1458   * Forbid change of server certificate during renegotiation to prevent
1459     "triple handshake" attack when authentication mode is optional (the
1460     attack was already impossible when authentication is required).
1461   * Check notBefore timestamp of certificates and CRLs from the future.
1462   * Forbid sequence number wrapping
1463   * Prevent potential NULL pointer dereference in ssl_read_record() (found by
1464     TrustInSoft)
1465   * Fix length checking for AEAD ciphersuites (found by Codenomicon).
1466     It was possible to crash the server (and client) using crafted messages
1467     when a GCM suite was chosen.
1468
1469Bugfix
1470   * Fixed X.509 hostname comparison (with non-regular characters)
1471   * SSL now gracefully handles missing RNG
1472   * crypt_and_hash app checks MAC before final decryption
1473   * Fixed x509_crt_parse_path() bug on Windows platforms
1474   * Added missing MPI_CHK() around some statements in mpi_div_mpi() (found by
1475     TrustInSoft)
1476   * Fixed potential overflow in certificate size verification in
1477     ssl_write_certificate() (found by TrustInSoft)
1478   * Fix ASM format in bn_mul.h
1479   * Potential memory leak in bignum_selftest()
1480   * Replaced expired test certificate
1481   * ssl_mail_client now terminates lines with CRLF, instead of LF
1482   * Fix bug in RSA PKCS#1 v1.5 "reversed" operations
1483   * Fixed testing with out-of-source builds using cmake
1484   * Fixed version-major intolerance in server
1485   * Fixed CMake symlinking on out-of-source builds
1486   * Bignum's MIPS-32 assembly was used on MIPS-64, causing chaos. (Found by
1487     Alex Wilson.)
1488   * ssl_init() was leaving a dirty pointer in ssl_context if malloc of
1489     out_ctr failed
1490   * ssl_handshake_init() was leaving dirty pointers in subcontexts if malloc
1491     of one of them failed
1492   * x509_get_current_time() uses localtime_r() to prevent thread issues
1493   * Some example server programs were not sending the close_notify alert.
1494   * Potential memory leak in mpi_exp_mod() when error occurs during
1495     calculation of RR.
1496   * Improve interoperability by not writing extension length in ClientHello
1497     when no extensions are present (found by Matthew Page)
1498   * rsa_check_pubkey() now allows an E up to N
1499   * On OpenBSD, use arc4random_buf() instead of rand() to prevent warnings
1500   * mpi_fill_random() was creating numbers larger than requested on
1501     big-endian platform when size was not an integer number of limbs
1502   * Fix detection of DragonflyBSD in net.c (found by Markus Pfeiffer)
1503   * Stricter check on SSL ClientHello internal sizes compared to actual packet
1504     size (found by TrustInSoft)
1505   * Fix preprocessor checks for bn_mul PPC asm (found by Barry K. Nathan).
1506   * Use \n\t rather than semicolons for bn_mul asm, since some assemblers
1507     interpret semicolons as comment delimiters (found by Barry K. Nathan).
1508   * Disable broken Sparc64 bn_mul assembly (found by Florian Obser).
1509   * Fix base64_decode() to return and check length correctly (in case of
1510     tight buffers)
1511
1512= Version 1.2.10 released 2013-10-07
1513Changes
1514   * Changed RSA blinding to a slower but thread-safe version
1515
1516Bugfix
1517   * Fixed memory leak in RSA as a result of introduction of blinding
1518   * Fixed ssl_pkcs11_decrypt() prototype
1519   * Fixed MSVC project files
1520
1521= Version 1.2.9 released 2013-10-01
1522Changes
1523   * x509_verify() now case insensitive for cn (RFC 6125 6.4)
1524
1525Bugfix
1526   * Fixed potential memory leak when failing to resume a session
1527   * Fixed potential file descriptor leaks (found by Remi Gacogne)
1528   * Minor fixes
1529
1530Security
1531   * Fixed potential heap buffer overflow on large hostname setting
1532   * Fixed potential negative value misinterpretation in load_file()
1533   * RSA blinding on CRT operations to counter timing attacks
1534     (found by Cyril Arnaud and Pierre-Alain Fouque)
1535
1536= Version 1.2.8 released 2013-06-19
1537Features
1538   * Parsing of PKCS#8 encrypted private key files
1539   * PKCS#12 PBE and derivation functions
1540   * Centralized module option values in config.h to allow user-defined
1541     settings without editing header files by using POLARSSL_CONFIG_OPTIONS
1542
1543Changes
1544   * HAVEGE random generator disabled by default
1545   * Internally split up x509parse_key() into a (PEM) handler function
1546     and specific DER parser functions for the PKCS#1 and unencrypted
1547     PKCS#8 private key formats
1548   * Added mechanism to provide alternative implementations for all
1549     symmetric cipher and hash algorithms (e.g. POLARSSL_AES_ALT in
1550	 config.h)
1551   * PKCS#5 module added. Moved PBKDF2 functionality inside and deprecated
1552     old PBKDF2 module
1553
1554Bugfix
1555   * Secure renegotiation extension should only be sent in case client
1556     supports secure renegotiation
1557   * Fixed offset for cert_type list in ssl_parse_certificate_request()
1558   * Fixed const correctness issues that have no impact on the ABI
1559   * x509parse_crt() now better handles PEM error situations
1560   * ssl_parse_certificate() now calls x509parse_crt_der() directly
1561     instead of the x509parse_crt() wrapper that can also parse PEM
1562	 certificates
1563   * x509parse_crtpath() is now reentrant and uses more portable stat()
1564   * Fixed bignum.c and bn_mul.h to support Thumb2 and LLVM compiler
1565   * Fixed values for 2-key Triple DES in cipher layer
1566   * ssl_write_certificate_request() can handle empty ca_chain
1567
1568Security
1569   * A possible DoS during the SSL Handshake, due to faulty parsing of
1570     PEM-encoded certificates has been fixed (found by Jack Lloyd)
1571
1572= Version 1.2.7 released 2013-04-13
1573Features
1574   * Ability to specify allowed ciphersuites based on the protocol version.
1575
1576Changes
1577   * Default Blowfish keysize is now 128-bits
1578   * Test suites made smaller to accommodate Raspberry Pi
1579
1580Bugfix
1581   * Fix for MPI assembly for ARM
1582   * GCM adapted to support sizes > 2^29
1583
1584= Version 1.2.6 released 2013-03-11
1585Bugfix
1586   * Fixed memory leak in ssl_free() and ssl_reset() for active session
1587   * Corrected GCM counter incrementation to use only 32-bits instead of
1588     128-bits (found by Yawning Angel)
1589   * Fixes for 64-bit compilation with MS Visual Studio
1590   * Fixed net_bind() for specified IP addresses on little endian systems
1591   * Fixed assembly code for ARM (Thumb and regular) for some compilers
1592
1593Changes
1594   * Internally split up rsa_pkcs1_encrypt(), rsa_pkcs1_decrypt(),
1595     rsa_pkcs1_sign() and rsa_pkcs1_verify() to separate PKCS#1 v1.5 and
1596     PKCS#1 v2.1 functions
1597   * Added support for custom labels when using rsa_rsaes_oaep_encrypt()
1598     or rsa_rsaes_oaep_decrypt()
1599   * Re-added handling for SSLv2 Client Hello when the define
1600     POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO is set
1601   * The SSL session cache module (ssl_cache) now also retains peer_cert
1602     information (not the entire chain)
1603
1604Security
1605   * Removed further timing differences during SSL message decryption in
1606     ssl_decrypt_buf()
1607   * Removed timing differences due to bad padding from
1608     rsa_rsaes_pkcs1_v15_decrypt() and rsa_pkcs1_decrypt() for PKCS#1 v1.5
1609     operations
1610
1611= Version 1.2.5 released 2013-02-02
1612Changes
1613   * Allow enabling of dummy error_strerror() to support some use-cases
1614   * Debug messages about padding errors during SSL message decryption are
1615     disabled by default and can be enabled with POLARSSL_SSL_DEBUG_ALL
1616   * Sending of security-relevant alert messages that do not break
1617     interoperability can be switched on/off with the flag
1618     POLARSSL_SSL_ALL_ALERT_MESSAGES
1619
1620Security
1621   * Removed timing differences during SSL message decryption in
1622     ssl_decrypt_buf() due to badly formatted padding
1623
1624= Version 1.2.4 released 2013-01-25
1625Changes
1626   * More advanced SSL ciphersuite representation and moved to more dynamic
1627     SSL core
1628   * Added ssl_handshake_step() to allow single stepping the handshake process
1629
1630Bugfix
1631   * Memory leak when using RSA_PKCS_V21 operations fixed
1632   * Handle future version properly in ssl_write_certificate_request()
1633   * Correctly handle CertificateRequest message in client for <= TLS 1.1
1634     without DN list
1635
1636= Version 1.2.3 released 2012-11-26
1637Bugfix
1638   * Server not always sending correct CertificateRequest message
1639
1640= Version 1.2.2 released 2012-11-24
1641Changes
1642   * Added p_hw_data to ssl_context for context specific hardware acceleration
1643     data
1644   * During verify trust-CA is only checked for expiration and CRL presence
1645
1646Bugfixes
1647   * Fixed client authentication compatibility
1648   * Fixed dependency on POLARSSL_SHA4_C in SSL modules
1649
1650= Version 1.2.1 released 2012-11-20
1651Changes
1652   * Depth that the certificate verify callback receives is now numbered
1653     bottom-up (Peer cert depth is 0)
1654
1655Bugfixes
1656   * Fixes for MSVC6
1657   * Moved mpi_inv_mod() outside POLARSSL_GENPRIME
1658   * Allow R and A to point to same mpi in mpi_div_mpi (found by Manuel
1659     Pégourié-Gonnard)
1660   * Fixed possible segfault in mpi_shift_r() (found by Manuel
1661     Pégourié-Gonnard)
1662   * Added max length check for rsa_pkcs1_sign with PKCS#1 v2.1
1663
1664= Version 1.2.0 released 2012-10-31
1665Features
1666   * Added support for NULL cipher (POLARSSL_CIPHER_NULL_CIPHER) and weak
1667     ciphersuites (POLARSSL_ENABLE_WEAK_CIPHERSUITES). They are disabled by
1668     default!
1669   * Added support for wildcard certificates
1670   * Added support for multi-domain certificates through the X509 Subject
1671     Alternative Name extension
1672   * Added preliminary ASN.1 buffer writing support
1673   * Added preliminary X509 Certificate Request writing support
1674   * Added key_app_writer example application
1675   * Added cert_req example application
1676   * Added base Galois Counter Mode (GCM) for AES
1677   * Added TLS 1.2 support (RFC 5246)
1678   * Added GCM suites to TLS 1.2 (RFC 5288)
1679   * Added commandline error code convertor (util/strerror)
1680   * Added support for Hardware Acceleration hooking in SSL/TLS
1681   * Added OpenSSL / PolarSSL compatibility script (tests/compat.sh) and
1682     example application (programs/ssl/o_p_test) (requires OpenSSL)
1683   * Added X509 CA Path support
1684   * Added Thumb assembly optimizations
1685   * Added DEFLATE compression support as per RFC3749 (requires zlib)
1686   * Added blowfish algorithm (Generic and cipher layer)
1687   * Added PKCS#5 PBKDF2 key derivation function
1688   * Added Secure Renegotiation (RFC 5746)
1689   * Added predefined DHM groups from RFC 5114
1690   * Added simple SSL session cache implementation
1691   * Added ServerName extension parsing (SNI) at server side
1692   * Added option to add minimum accepted SSL/TLS protocol version
1693
1694Changes
1695   * Removed redundant POLARSSL_DEBUG_MSG define
1696   * AES code only check for Padlock once
1697   * Fixed const-correctness mpi_get_bit()
1698   * Documentation for mpi_lsb() and mpi_msb()
1699   * Moved out_msg to out_hdr + 32 to support hardware acceleration
1700   * Changed certificate verify behaviour to comply with RFC 6125 section 6.3
1701     to not match CN if subjectAltName extension is present (Closes ticket #56)
1702   * Cipher layer cipher_mode_t POLARSSL_MODE_CFB128 is renamed to
1703     POLARSSL_MODE_CFB, to also handle different block size CFB modes.
1704   * Removed handling for SSLv2 Client Hello (as per RFC 5246 recommendation)
1705   * Revamped session resumption handling
1706   * Generalized external private key implementation handling (like PKCS#11)
1707     in SSL/TLS
1708   * Revamped x509_verify() and the SSL f_vrfy callback implementations
1709   * Moved from unsigned long to fixed width uint32_t types throughout code
1710   * Renamed ciphersuites naming scheme to IANA reserved names
1711
1712Bugfix
1713   * Fixed handling error in mpi_cmp_mpi() on longer B values (found by
1714     Hui Dong)
1715   * Fixed potential heap corruption in x509_name allocation
1716   * Fixed single RSA test that failed on Big Endian systems (Closes ticket #54)
1717   * mpi_exp_mod() now correctly handles negative base numbers (Closes ticket
1718     #52)
1719   * Handle encryption with private key and decryption with public key as per
1720   	 RFC 2313
1721   * Handle empty certificate subject names
1722   * Prevent reading over buffer boundaries on X509 certificate parsing
1723   * mpi_add_abs() now correctly handles adding short numbers to long numbers
1724     with carry rollover (found by Ruslan Yushchenko)
1725   * Handle existence of OpenSSL Trust Extensions at end of X.509 DER blob
1726   * Fixed MPI assembly for SPARC64 platform
1727
1728Security
1729   * Fixed potential memory zeroization on miscrafted RSA key (found by Eloi
1730     Vanderbeken)
1731
1732= Version 1.1.8 released on 2013-10-01
1733Bugfix
1734   * Fixed potential memory leak when failing to resume a session
1735   * Fixed potential file descriptor leaks
1736
1737Security
1738   * Potential buffer-overflow for ssl_read_record() (independently found by
1739     both TrustInSoft and Paul Brodeur of Leviathan Security Group)
1740   * Potential negative value misinterpretation in load_file()
1741   * Potential heap buffer overflow on large hostname setting
1742
1743= Version 1.1.7 released on 2013-06-19
1744Changes
1745   * HAVEGE random generator disabled by default
1746
1747Bugfix
1748   * x509parse_crt() now better handles PEM error situations
1749   * ssl_parse_certificate() now calls x509parse_crt_der() directly
1750     instead of the x509parse_crt() wrapper that can also parse PEM
1751	 certificates
1752   * Fixed values for 2-key Triple DES in cipher layer
1753   * ssl_write_certificate_request() can handle empty ca_chain
1754
1755Security
1756   * A possible DoS during the SSL Handshake, due to faulty parsing of
1757     PEM-encoded certificates has been fixed (found by Jack Lloyd)
1758
1759= Version 1.1.6 released on 2013-03-11
1760Bugfix
1761   * Fixed net_bind() for specified IP addresses on little endian systems
1762
1763Changes
1764   * Allow enabling of dummy error_strerror() to support some use-cases
1765   * Debug messages about padding errors during SSL message decryption are
1766     disabled by default and can be enabled with POLARSSL_SSL_DEBUG_ALL
1767
1768Security
1769   * Removed timing differences during SSL message decryption in
1770     ssl_decrypt_buf()
1771   * Removed timing differences due to bad padding from
1772     rsa_rsaes_pkcs1_v15_decrypt() and rsa_pkcs1_decrypt() for PKCS#1 v1.5
1773     operations
1774
1775= Version 1.1.5 released on 2013-01-16
1776Bugfix
1777   * Fixed MPI assembly for SPARC64 platform
1778   * Handle existence of OpenSSL Trust Extensions at end of X.509 DER blob
1779   * mpi_add_abs() now correctly handles adding short numbers to long numbers
1780     with carry rollover
1781   * Moved mpi_inv_mod() outside POLARSSL_GENPRIME
1782   * Prevent reading over buffer boundaries on X509 certificate parsing
1783   * mpi_exp_mod() now correctly handles negative base numbers (Closes ticket
1784     #52)
1785   * Fixed possible segfault in mpi_shift_r() (found by Manuel
1786     Pégourié-Gonnard)
1787   * Allow R and A to point to same mpi in mpi_div_mpi (found by Manuel
1788     Pégourié-Gonnard)
1789   * Added max length check for rsa_pkcs1_sign with PKCS#1 v2.1
1790   * Memory leak when using RSA_PKCS_V21 operations fixed
1791   * Handle encryption with private key and decryption with public key as per
1792     RFC 2313
1793   * Fixes for MSVC6
1794
1795Security
1796   * Fixed potential memory zeroization on miscrafted RSA key (found by Eloi
1797     Vanderbeken)
1798
1799= Version 1.1.4 released on 2012-05-31
1800Bugfix
1801   * Correctly handle empty SSL/TLS packets (Found by James Yonan)
1802   * Fixed potential heap corruption in x509_name allocation
1803   * Fixed single RSA test that failed on Big Endian systems (Closes ticket #54)
1804
1805= Version 1.1.3 released on 2012-04-29
1806Bugfix
1807   * Fixed random MPI generation to not generate more size than requested.
1808
1809= Version 1.1.2 released on 2012-04-26
1810Bugfix
1811   * Fixed handling error in mpi_cmp_mpi() on longer B values (found by
1812     Hui Dong)
1813
1814Security
1815   * Fixed potential memory corruption on miscrafted client messages (found by
1816     Frama-C team at CEA LIST)
1817   * Fixed generation of DHM parameters to correct length (found by Ruslan
1818     Yushchenko)
1819
1820= Version 1.1.1 released on 2012-01-23
1821Bugfix
1822   * Check for failed malloc() in ssl_set_hostname() and x509_get_entries()
1823     (Closes ticket #47, found by Hugo Leisink)
1824   * Fixed issues with Intel compiler on 64-bit systems (Closes ticket #50)
1825   * Fixed multiple compiler warnings for VS6 and armcc
1826   * Fixed bug in CTR_CRBG selftest
1827
1828= Version 1.1.0 released on 2011-12-22
1829Features
1830   * Added ssl_session_reset() to allow better multi-connection pools of
1831     SSL contexts without needing to set all non-connection-specific
1832	 data and pointers again. Adapted ssl_server to use this functionality.
1833   * Added ssl_set_max_version() to allow clients to offer a lower maximum
1834     supported version to a server to help buggy server implementations.
1835	 (Closes ticket #36)
1836   * Added cipher_get_cipher_mode() and cipher_get_cipher_operation()
1837     introspection functions (Closes ticket #40)
1838   * Added CTR_DRBG based on AES-256-CTR (NIST SP 800-90) random generator
1839   * Added a generic entropy accumulator that provides support for adding
1840     custom entropy sources and added some generic and platform dependent
1841	 entropy sources
1842
1843Changes
1844   * Documentation for AES and Camellia in modes CTR and CFB128 clarified.
1845   * Fixed rsa_encrypt and rsa_decrypt examples to use public key for
1846     encryption and private key for decryption. (Closes ticket #34)
1847   * Inceased maximum size of ASN1 length reads to 32-bits.
1848   * Added an EXPLICIT tag number parameter to x509_get_ext()
1849   * Added a separate CRL entry extension parsing function
1850   * Separated the ASN.1 parsing code from the X.509 specific parsing code.
1851     So now there is a module that is controlled with POLARSSL_ASN1_PARSE_C.
1852   * Changed the defined key-length of DES ciphers in cipher.h to include the
1853     parity bits, to prevent mistakes in copying data. (Closes ticket #33)
1854   * Loads of minimal changes to better support WINCE as a build target
1855     (Credits go to Marco Lizza)
1856   * Added POLARSSL_MPI_WINDOW_SIZE definition to allow easier time to memory
1857     trade-off
1858   * Introduced POLARSSL_MPI_MAX_SIZE and POLARSSL_MPI_MAX_BITS for MPI size
1859     management (Closes ticket #44)
1860   * Changed the used random function pointer to more flexible format. Renamed
1861     havege_rand() to havege_random() to prevent mistakes. Lots of changes as
1862     a consequence in library code and programs
1863   * Moved all examples programs to use the new entropy and CTR_DRBG
1864   * Added permissive certificate parsing to x509parse_crt() and
1865     x509parse_crtfile(). With permissive parsing the parsing does not stop on
1866     encountering a parse-error. Beware that the meaning of return values has
1867     changed!
1868   * All error codes are now negative. Even on mermory failures and IO errors.
1869
1870Bugfix
1871   * Fixed faulty HMAC-MD2 implementation. Found by dibac. (Closes
1872     ticket #37)
1873   * Fixed a bug where the CRL parser expected an EXPLICIT ASN.1 tag
1874     before version numbers
1875   * Allowed X509 key usage parsing to accept 4 byte values instead of the
1876     standard 1 byte version sometimes used by Microsoft. (Closes ticket #38)
1877   * Fixed incorrect behaviour in case of RSASSA-PSS with a salt length
1878     smaller than the hash length. (Closes ticket #41)
1879   * If certificate serial is longer than 32 octets, serial number is now
1880     appended with '....' after first 28 octets
1881   * Improved build support for s390x and sparc64 in bignum.h
1882   * Fixed MS Visual C++ name clash with int64 in sha4.h
1883   * Corrected removal of leading "00:" in printing serial numbers in
1884     certificates and CRLs
1885
1886= Version 1.0.0 released on 2011-07-27
1887Features
1888   * Expanded cipher layer with support for CFB128 and CTR mode
1889   * Added rsa_encrypt and rsa_decrypt simple example programs.
1890
1891Changes
1892   * The generic cipher and message digest layer now have normal error
1893     codes instead of integers
1894
1895Bugfix
1896   * Undid faulty bug fix in ssl_write() when flushing old data (Ticket
1897     #18)
1898
1899= Version 0.99-pre5 released on 2011-05-26
1900Features
1901   * Added additional Cipher Block Modes to symmetric ciphers
1902     (AES CTR, Camellia CTR, XTEA CBC) including the option to
1903     enable and disable individual modes when needed
1904   * Functions requiring File System functions can now be disabled
1905     by undefining POLARSSL_FS_IO
1906   * A error_strerror function() has been added to translate between
1907     error codes and their description.
1908   * Added mpi_get_bit() and mpi_set_bit() individual bit setter/getter
1909     functions.
1910   * Added ssl_mail_client and ssl_fork_server as example programs.
1911
1912Changes
1913   * Major argument / variable rewrite. Introduced use of size_t
1914     instead of int for buffer lengths and loop variables for
1915     better unsigned / signed use. Renamed internal bigint types
1916     t_int and t_dbl to t_uint and t_udbl in the process
1917   * mpi_init() and mpi_free() now only accept a single MPI
1918     argument and do not accept variable argument lists anymore.
1919   * The error codes have been remapped and combining error codes
1920     is now done with a PLUS instead of an OR as error codes
1921     used are negative.
1922   * Changed behaviour of net_read(), ssl_fetch_input() and ssl_recv().
1923     net_recv() now returns 0 on EOF instead of
1924     POLARSSL_ERR_NET_CONN_RESET. ssl_fetch_input() returns
1925     POLARSSL_ERR_SSL_CONN_EOF on an EOF from its f_recv() function.
1926     ssl_read() returns 0 if a POLARSSL_ERR_SSL_CONN_EOF is received
1927     after the handshake.
1928   * Network functions now return POLARSSL_ERR_NET_WANT_READ or
1929     POLARSSL_ERR_NET_WANT_WRITE instead of the ambiguous
1930     POLARSSL_ERR_NET_TRY_AGAIN
1931
1932= Version 0.99-pre4 released on 2011-04-01
1933Features
1934   * Added support for PKCS#1 v2.1 encoding and thus support
1935     for the RSAES-OAEP and RSASSA-PSS operations.
1936   * Reading of Public Key files incorporated into default x509
1937     functionality as well.
1938   * Added mpi_fill_random() for centralized filling of big numbers
1939     with random data (Fixed ticket #10)
1940
1941Changes
1942   * Debug print of MPI now removes leading zero octets and
1943     displays actual bit size of the value.
1944   * x509parse_key() (and as a consequence x509parse_keyfile())
1945     does not zeroize memory in advance anymore. Use rsa_init()
1946     before parsing a key or keyfile!
1947
1948Bugfix
1949   * Debug output of MPI's now the same independent of underlying
1950     platform (32-bit / 64-bit) (Fixes ticket #19, found by Mads
1951     Kiilerich and Mihai Militaru)
1952   * Fixed bug in ssl_write() when flushing old data (Fixed ticket
1953     #18, found by Nikolay Epifanov)
1954   * Fixed proper handling of RSASSA-PSS verification with variable
1955     length salt lengths
1956
1957= Version 0.99-pre3 released on 2011-02-28
1958This release replaces version 0.99-pre2 which had possible copyright issues.
1959Features
1960   * Parsing PEM private keys encrypted with DES and AES
1961     are now supported as well (Fixes ticket #5)
1962   * Added crl_app program to allow easy reading and
1963     printing of X509 CRLs from file
1964
1965Changes
1966   * Parsing of PEM files moved to separate module (Fixes
1967     ticket #13). Also possible to remove PEM support for
1968     systems only using DER encoding
1969
1970Bugfixes
1971   * Corrected parsing of UTCTime dates before 1990 and
1972     after 1950
1973   * Support more exotic OID's when parsing certificates
1974   	 (found by Mads Kiilerich)
1975   * Support more exotic name representations when parsing
1976     certificates (found by Mads Kiilerich)
1977   * Replaced the expired test certificates
1978   * Do not bail out if no client certificate specified. Try
1979     to negotiate anonymous connection (Fixes ticket #12,
1980     found by Boris Krasnovskiy)
1981
1982Security fixes
1983   * Fixed a possible Man-in-the-Middle attack on the
1984     Diffie Hellman key exchange (thanks to Larry Highsmith,
1985     Subreption LLC)
1986
1987= Version 0.99-pre1 released on 2011-01-30
1988Features
1989Note: Most of these features have been donated by Fox-IT
1990   * Added Doxygen source code documentation parts
1991   * Added reading of DHM context from memory and file
1992   * Improved X509 certificate parsing to include extended
1993     certificate fields, including Key Usage
1994   * Improved certificate verification and verification
1995     against the available CRLs
1996   * Detection for DES weak keys and parity bits added
1997   * Improvements to support integration in other
1998     applications:
1999       + Added generic message digest and cipher wrapper
2000       + Improved information about current capabilities,
2001         status, objects and configuration
2002       + Added verification callback on certificate chain
2003         verification to allow external blacklisting
2004	   + Additional example programs to show usage
2005   * Added support for PKCS#11 through the use of the
2006     libpkcs11-helper library
2007
2008Changes
2009   * x509parse_time_expired() checks time in addition to
2010     the existing date check
2011   * The ciphers member of ssl_context and the cipher member
2012     of ssl_session have been renamed to ciphersuites and
2013     ciphersuite respectively. This clarifies the difference
2014     with the generic cipher layer and is better naming
2015     altogether
2016
2017= Version 0.14.0 released on 2010-08-16
2018Features
2019   * Added support for SSL_EDH_RSA_AES_128_SHA and
2020     SSL_EDH_RSA_CAMELLIA_128_SHA ciphersuites
2021   * Added compile-time and run-time version information
2022   * Expanded ssl_client2 arguments for more flexibility
2023   * Added support for TLS v1.1
2024
2025Changes
2026   * Made Makefile cleaner
2027   * Removed dependency on rand() in rsa_pkcs1_encrypt().
2028     Now using random fuction provided to function and
2029     changed the prototype of rsa_pkcs1_encrypt(),
2030     rsa_init() and rsa_gen_key().
2031   * Some SSL defines were renamed in order to avoid
2032     future confusion
2033
2034Bug fixes
2035   * Fixed CMake out of source build for tests (found by
2036     kkert)
2037   * rsa_check_private() now supports PKCS1v2 keys as well
2038   * Fixed deadlock in rsa_pkcs1_encrypt() on failing random
2039     generator
2040
2041= Version 0.13.1 released on 2010-03-24
2042Bug fixes
2043   * Fixed Makefile in library that was mistakenly merged
2044   * Added missing const string fixes
2045
2046= Version 0.13.0 released on 2010-03-21
2047Features
2048   * Added option parsing for host and port selection to
2049     ssl_client2
2050   * Added support for GeneralizedTime in X509 parsing
2051   * Added cert_app program to allow easy reading and
2052     printing of X509 certificates from file or SSL
2053     connection.
2054
2055Changes
2056   * Added const correctness for main code base
2057   * X509 signature algorithm determination is now
2058     in a function to allow easy future expansion
2059   * Changed symmetric cipher functions to
2060     identical interface (returning int result values)
2061   * Changed ARC4 to use separate input/output buffer
2062   * Added reset function for HMAC context as speed-up
2063     for specific use-cases
2064
2065Bug fixes
2066   * Fixed bug resulting in failure to send the last
2067     certificate in the chain in ssl_write_certificate() and
2068     ssl_write_certificate_request() (found by fatbob)
2069   * Added small fixes for compiler warnings on a Mac
2070     (found by Frank de Brabander)
2071   * Fixed algorithmic bug in mpi_is_prime() (found by
2072     Smbat Tonoyan)
2073
2074= Version 0.12.1 released on 2009-10-04
2075Changes
2076   * Coverage test definitions now support 'depends_on'
2077     tagging system.
2078   * Tests requiring specific hashing algorithms now honor
2079     the defines.
2080
2081Bug fixes
2082   * Changed typo in #ifdef in x509parse.c (found
2083     by Eduardo)
2084
2085= Version 0.12.0 released on 2009-07-28
2086Features
2087   * Added CMake makefiles as alternative to regular Makefiles.
2088   * Added preliminary Code Coverage tests for AES, ARC4,
2089     Base64, MPI, SHA-family, MD-family, HMAC-SHA-family,
2090     Camellia, DES, 3-DES, RSA PKCS#1, XTEA, Diffie-Hellman
2091     and X509parse.
2092
2093Changes
2094   * Error codes are not (necessarily) negative. Keep
2095     this is mind when checking for errors.
2096   * RSA_RAW renamed to SIG_RSA_RAW for consistency.
2097   * Fixed typo in name of POLARSSL_ERR_RSA_OUTPUT_TOO_LARGE.
2098   * Changed interface for AES and Camellia setkey functions
2099     to indicate invalid key lengths.
2100
2101Bug fixes
2102   * Fixed include location of endian.h on FreeBSD (found by
2103     Gabriel)
2104   * Fixed include location of endian.h and name clash on
2105     Apples (found by Martin van Hensbergen)
2106   * Fixed HMAC-MD2 by modifying md2_starts(), so that the
2107     required HMAC ipad and opad variables are not cleared.
2108     (found by code coverage tests)
2109   * Prevented use of long long in bignum if
2110     POLARSSL_HAVE_LONGLONG not defined (found by Giles
2111     Bathgate).
2112   * Fixed incorrect handling of negative strings in
2113     mpi_read_string() (found by code coverage tests).
2114   * Fixed segfault on handling empty rsa_context in
2115     rsa_check_pubkey() and rsa_check_privkey() (found by
2116     code coverage tests).
2117   * Fixed incorrect handling of one single negative input
2118     value in mpi_add_abs() (found by code coverage tests).
2119   * Fixed incorrect handling of negative first input
2120     value in mpi_sub_abs() (found by code coverage tests).
2121   * Fixed incorrect handling of negative first input
2122     value in mpi_mod_mpi() and mpi_mod_int(). Resulting
2123     change also affects mpi_write_string() (found by code
2124     coverage tests).
2125   * Corrected is_prime() results for 0, 1 and 2 (found by
2126     code coverage tests).
2127   * Fixed Camellia and XTEA for 64-bit Windows systems.
2128
2129= Version 0.11.1 released on 2009-05-17
2130   * Fixed missing functionality for SHA-224, SHA-256, SHA384,
2131     SHA-512 in rsa_pkcs1_sign()
2132
2133= Version 0.11.0 released on 2009-05-03
2134   * Fixed a bug in mpi_gcd() so that it also works when both
2135     input numbers are even and added testcases to check
2136     (found by Pierre Habouzit).
2137   * Added support for SHA-224, SHA-256, SHA-384 and SHA-512
2138     one way hash functions with the PKCS#1 v1.5 signing and
2139     verification.
2140   * Fixed minor bug regarding mpi_gcd located within the
2141     POLARSSL_GENPRIME block.
2142   * Fixed minor memory leak in x509parse_crt() and added better
2143     handling of 'full' certificate chains (found by Mathias
2144     Olsson).
2145   * Centralized file opening and reading for x509 files into
2146     load_file()
2147   * Made definition of net_htons() endian-clean for big endian
2148     systems (Found by Gernot).
2149   * Undefining POLARSSL_HAVE_ASM now also handles prevents asm in
2150     padlock and timing code.
2151   * Fixed an off-by-one buffer allocation in ssl_set_hostname()
2152     responsible for crashes and unwanted behaviour.
2153   * Added support for Certificate Revocation List (CRL) parsing.
2154   * Added support for CRL revocation to x509parse_verify() and
2155     SSL/TLS code.
2156   * Fixed compatibility of XTEA and Camellia on a 64-bit system
2157     (found by Felix von Leitner).
2158
2159= Version 0.10.0 released on 2009-01-12
2160   * Migrated XySSL to PolarSSL
2161   * Added XTEA symmetric cipher
2162   * Added Camellia symmetric cipher
2163   * Added support for ciphersuites: SSL_RSA_CAMELLIA_128_SHA,
2164     SSL_RSA_CAMELLIA_256_SHA and SSL_EDH_RSA_CAMELLIA_256_SHA
2165   * Fixed dangerous bug that can cause a heap overflow in
2166     rsa_pkcs1_decrypt (found by Christophe Devine)
2167
2168================================================================
2169XySSL ChangeLog
2170
2171= Version 0.9 released on 2008-03-16
2172
2173    * Added support for ciphersuite: SSL_RSA_AES_128_SHA
2174    * Enabled support for large files by default in aescrypt2.c
2175    * Preliminary openssl wrapper contributed by David Barrett
2176    * Fixed a bug in ssl_write() that caused the same payload to
2177      be sent twice in non-blocking mode when send returns EAGAIN
2178    * Fixed ssl_parse_client_hello(): session id and challenge must
2179      not be swapped in the SSLv2 ClientHello (found by Greg Robson)
2180    * Added user-defined callback debug function (Krystian Kolodziej)
2181    * Before freeing a certificate, properly zero out all cert. data
2182    * Fixed the "mode" parameter so that encryption/decryption are
2183      not swapped on PadLock; also fixed compilation on older versions
2184      of gcc (bug reported by David Barrett)
2185    * Correctly handle the case in padlock_xcryptcbc() when input or
2186      ouput data is non-aligned by falling back to the software
2187      implementation, as VIA Nehemiah cannot handle non-aligned buffers
2188    * Fixed a memory leak in x509parse_crt() which was reported by Greg
2189      Robson-Garth; some x509write.c fixes by Pascal Vizeli, thanks to
2190      Matthew Page who reported several bugs
2191    * Fixed x509_get_ext() to accept some rare certificates which have
2192      an INTEGER instead of a BOOLEAN for BasicConstraints::cA.
2193    * Added support on the client side for the TLS "hostname" extension
2194      (patch contributed by David Patino)
2195    * Make x509parse_verify() return BADCERT_CN_MISMATCH when an empty
2196      string is passed as the CN (bug reported by spoofy)
2197    * Added an option to enable/disable the BN assembly code
2198    * Updated rsa_check_privkey() to verify that (D*E) = 1 % (P-1)*(Q-1)
2199    * Disabled obsolete hash functions by default (MD2, MD4); updated
2200      selftest and benchmark to not test ciphers that have been disabled
2201    * Updated x509parse_cert_info() to correctly display byte 0 of the
2202      serial number, setup correct server port in the ssl client example
2203    * Fixed a critical denial-of-service with X.509 cert. verification:
2204      peer may cause xyssl to loop indefinitely by sending a certificate
2205      for which the RSA signature check fails (bug reported by Benoit)
2206    * Added test vectors for: AES-CBC, AES-CFB, DES-CBC and 3DES-CBC,
2207      HMAC-MD5, HMAC-SHA1, HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512
2208    * Fixed HMAC-SHA-384 and HMAC-SHA-512 (thanks to Josh Sinykin)
2209    * Modified ssl_parse_client_key_exchange() to protect against
2210      Daniel Bleichenbacher attack on PKCS#1 v1.5 padding, as well
2211      as the Klima-Pokorny-Rosa extension of Bleichenbacher's attack
2212    * Updated rsa_gen_key() so that ctx->N is always nbits in size
2213    * Fixed assembly PPC compilation errors on Mac OS X, thanks to
2214      David Barrett and Dusan Semen
2215
2216= Version 0.8 released on 2007-10-20
2217
2218    * Modified the HMAC functions to handle keys larger
2219      than 64 bytes, thanks to Stephane Desneux and gary ng
2220    * Fixed ssl_read_record() to properly update the handshake
2221      message digests, which fixes IE6/IE7 client authentication
2222    * Cleaned up the XYSSL* #defines, suggested by Azriel Fasten
2223    * Fixed net_recv(), thanks to Lorenz Schori and Egon Kocjan
2224    * Added user-defined callbacks for handling I/O and sessions
2225    * Added lots of debugging output in the SSL/TLS functions
2226    * Added preliminary X.509 cert. writing by Pascal Vizeli
2227    * Added preliminary support for the VIA PadLock routines
2228    * Added AES-CFB mode of operation, contributed by chmike
2229    * Added an SSL/TLS stress testing program (ssl_test.c)
2230    * Updated the RSA PKCS#1 code to allow choosing between
2231      RSA_PUBLIC and RSA_PRIVATE, as suggested by David Barrett
2232    * Updated ssl_read() to skip 0-length records from OpenSSL
2233    * Fixed the make install target to comply with *BSD make
2234    * Fixed a bug in mpi_read_binary() on 64-bit platforms
2235    * mpi_is_prime() speedups, thanks to Kevin McLaughlin
2236    * Fixed a long standing memory leak in mpi_is_prime()
2237    * Replaced realloc with malloc in mpi_grow(), and set
2238      the sign of zero as positive in mpi_init() (reported
2239      by Jonathan M. McCune)
2240
2241= Version 0.7 released on 2007-07-07
2242
2243    * Added support for the MicroBlaze soft-core processor
2244    * Fixed a bug in ssl_tls.c which sometimes prevented SSL
2245      connections from being established with non-blocking I/O
2246    * Fixed a couple bugs in the VS6 and UNIX Makefiles
2247    * Fixed the "PIC register ebx clobbered in asm" bug
2248    * Added HMAC starts/update/finish support functions
2249    * Added the SHA-224, SHA-384 and SHA-512 hash functions
2250    * Fixed the net_set_*block routines, thanks to Andreas
2251    * Added a few demonstration programs: md5sum, sha1sum,
2252      dh_client, dh_server, rsa_genkey, rsa_sign, rsa_verify
2253    * Added new bignum import and export helper functions
2254    * Rewrote README.txt in program/ssl/ca to better explain
2255      how to create a test PKI
2256
2257= Version 0.6 released on 2007-04-01
2258
2259    * Ciphers used in SSL/TLS can now be disabled at compile
2260      time, to reduce the memory footprint on embedded systems
2261    * Added multiply assembly code for the TriCore and modified
2262      havege_struct for this processor, thanks to David Patiño
2263    * Added multiply assembly code for 64-bit PowerPCs,
2264      thanks to Peking University and the OSU Open Source Lab
2265    * Added experimental support of Quantum Cryptography
2266    * Added support for autoconf, contributed by Arnaud Cornet
2267    * Fixed "long long" compilation issues on IA-64 and PPC64
2268    * Fixed a bug introduced in xyssl-0.5/timing.c: hardclock
2269      was not being correctly defined on ARM and MIPS
2270
2271= Version 0.5 released on 2007-03-01
2272
2273    * Added multiply assembly code for SPARC and Alpha
2274    * Added (beta) support for non-blocking I/O operations
2275    * Implemented session resuming and client authentication
2276    * Fixed some portability issues on WinCE, MINIX 3, Plan9
2277      (thanks to Benjamin Newman), HP-UX, FreeBSD and Solaris
2278    * Improved the performance of the EDH key exchange
2279    * Fixed a bug that caused valid packets with a payload
2280      size of 16384 bytes to be rejected
2281
2282= Version 0.4 released on 2007-02-01
2283
2284    * Added support for Ephemeral Diffie-Hellman key exchange
2285    * Added multiply asm code for SSE2, ARM, PPC, MIPS and M68K
2286    * Various improvement to the modular exponentiation code
2287    * Rewrote the headers to generate the API docs with doxygen
2288    * Fixed a bug in ssl_encrypt_buf (incorrect padding was
2289      generated) and in ssl_parse_client_hello (max. client
2290      version was not properly set), thanks to Didier Rebeix
2291    * Fixed another bug in ssl_parse_client_hello: clients with
2292      cipherlists larger than 96 bytes were incorrectly rejected
2293    * Fixed a couple memory leak in x509_read.c
2294
2295= Version 0.3 released on 2007-01-01
2296
2297    * Added server-side SSLv3 and TLSv1.0 support
2298    * Multiple fixes to enhance the compatibility with g++,
2299      thanks to Xosé Antón Otero Ferreira
2300    * Fixed a bug in the CBC code, thanks to dowst; also,
2301      the bignum code is no longer dependent on long long
2302    * Updated rsa_pkcs1_sign to handle arbitrary large inputs
2303    * Updated timing.c for improved compatibility with i386
2304      and 486 processors, thanks to Arnaud Cornet
2305
2306= Version 0.2 released on 2006-12-01
2307
2308    * Updated timing.c to support ARM and MIPS arch
2309    * Updated the MPI code to support 8086 on MSVC 1.5
2310    * Added the copyright notice at the top of havege.h
2311    * Fixed a bug in sha2_hmac, thanks to newsoft/Wenfang Zhang
2312    * Fixed a bug reported by Adrian Rüegsegger in x509_read_key
2313    * Fixed a bug reported by Torsten Lauter in ssl_read_record
2314    * Fixed a bug in rsa_check_privkey that would wrongly cause
2315      valid RSA keys to be dismissed (thanks to oldwolf)
2316    * Fixed a bug in mpi_is_prime that caused some primes to fail
2317      the Miller-Rabin primality test
2318
2319    I'd also like to thank Younès Hafri for the CRUX linux port,
2320    Khalil Petit who added XySSL into pkgsrc and Arnaud Cornet
2321    who maintains the Debian package :-)
2322
2323= Version 0.1 released on 2006-11-01
2324