ChangeLog

PolarSSL ChangeLog (Sorted per branch, date)

= PolarSSL 1.3 branch
Features
   * debug_set_log_mode() added to determine raw or full logging
   * debug_set_threshold() added to ignore messages over threshold level
   * version_check_feature() added to check for compile-time options at
     run-time

Changes
   * POLARSSL_CONFIG_OPTIONS has been removed. All values are individually
     checked and filled in the relevant module headers
   * Debug module only outputs full lines instead of parts
   * Better support for the different Attribute Types from IETF PKIX (RFC 5280)
   * AES-NI now compiles with "old" assemblers too
   * Ciphersuites based on RC4 now have the lowest priority by default

Bugfix
   * Only iterate over actual certificates in ssl_write_certificate_request()
     (found by Matthew Page)
   * Typos in platform.c and pkcs11.c (found by Daniel Phillips and Steffan
     Karger)
   * cert_write app should use subject of issuer certificate as issuer of cert
   * Fix false reject in padding check in ssl_decrypt_buf() for CBC
     ciphersuites, for full SSL frames of data.
   * Improve interoperability by not writing extension length in ClientHello /
     ServerHello when no extensions are present (found by Matthew Page)
   * rsa_check_pubkey() now allows an E up to N
   * On OpenBSD, use arc4random_buf() instead of rand() to prevent warnings
   * mpi_fill_random() was creating numbers larger than requested on
     big-endian platform when size was not an integer number of limbs
   * Fix dependencies issues in X.509 test suite.
   * Some parts of ssl_tls.c were compiled even when the module was disabled.

= PolarSSL 1.3.6 released on 2014-04-11

Features
   * Support for the ALPN SSL extension
   * Add option 'use_dev_random' to gen_key application
   * Enable verification of the keyUsage extension for CA and leaf
     certificates (POLARSSL_X509_CHECK_KEY_USAGE)
   * Enable verification of the extendedKeyUsage extension
     (POLARSSL_X509_CHECK_EXTENDED_KEY_USAGE)

Changes
   * x509_crt_info() now prints information about parsed extensions as well
   * pk_verify() now returns a specific error code when the signature is valid
     but shorter than the supplied length.
   * Use UTC time to check certificate validity.
   * Reject certificates with times not in UTC, per RFC 5280.

Security
   * Avoid potential timing leak in ecdsa_sign() by blinding modular division.
     (Found by Watson Ladd.)
   * The notAfter date of some certificates was no longer checked since 1.3.5.
     This affects certificates in the user-supplied chain except the top
     certificate. If the user-supplied chain contains only one certificates,
     it is not affected (ie, its notAfter date is properly checked).
   * Prevent potential NULL pointer dereference in ssl_read_record() (found by
     TrustInSoft)

Bugfix
   * The length of various ClientKeyExchange messages was not properly checked.
   * Some example server programs were not sending the close_notify alert.
   * Potential memory leak in mpi_exp_mod() when error occurs during
     calculation of RR.
   * Fixed malloc/free default #define in platform.c (found by Gergely Budai).
   * Fixed type which made POLARSSL_ENTROPY_FORCE_SHA256 uneffective (found by
     Gergely Budai).
   * Fix #include path in ecdsa.h which wasn't accepted by some compilers.
     (found by Gergely Budai)
   * Fix compile errors when POLARSSL_ERROR_STRERROR_BC is undefined (found by
     Shuo Chen).
   * oid_get_numeric_string() used to truncate the output without returning an
     error if the output buffer was just 1 byte too small.
   * dhm_parse_dhm() (hence dhm_parse_dhmfile()) did not set dhm->len.
   * Calling pk_debug() on an RSA-alt key would segfault.
   * pk_get_size() and pk_get_len() were off by a factor 8 for RSA-alt keys.
   * Potential buffer overwrite in pem_write_buffer() because of low length
     indication (found by Thijs Alkemade)
   * EC curves constants, which should be only in ROM since 1.3.3, were also
     stored in RAM due to missing 'const's (found by Gergely Budai).

= PolarSSL 1.3.5 released on 2014-03-26
Features
   * HMAC-DRBG as a separate module
   * Option to set the Curve preference order (disabled by default)
   * Single Platform compatilibity layer (for memory / printf / fprintf)
   * Ability to provide alternate timing implementation
   * Ability to force the entropy module to use SHA-256 as its basis
     (POLARSSL_ENTROPY_FORCE_SHA256)
   * Testing script ssl-opt.sh added for testing 'live' ssl option
     interoperability against OpenSSL and PolarSSL
   * Support for reading EC keys that use SpecifiedECDomain in some cases.
   * Entropy module now supports seed writing and reading

Changes
   * Deprecated the Memory layer
   * entropy_add_source(), entropy_update_manual() and entropy_gather()
     now thread-safe if POLARSSL_THREADING_C defined
   * Improvements to the CMake build system, contributed by Julian Ospald.
   * Work around a bug of the version of Clang shipped by Apple with Mavericks
     that prevented bignum.c from compiling. (Reported by Rafael Baptista.)
   * Revamped the compat.sh interoperatibility script to include support for
     testing against GnuTLS
   * Deprecated ssl_set_own_cert_rsa() and ssl_set_own_cert_rsa_alt()
   * Improvements to tests/Makefile, contributed by Oden Eriksson.

Security
   * Forbid change of server certificate during renegotiation to prevent
     "triple handshake" attack when authentication mode is 'optional' (the
     attack was already impossible when authentication is required).
   * Check notBefore timestamp of certificates and CRLs from the future.
   * Forbid sequence number wrapping
   * Fixed possible buffer overflow with overlong PSK
   * Possible remotely-triggered out-of-bounds memory access fixed (found by
     TrustInSoft)

Bugfix
   * ecp_gen_keypair() does more tries to prevent failure because of
     statistics
   * Fixed bug in RSA PKCS#1 v1.5 "reversed" operations
   * Fixed testing with out-of-source builds using cmake
   * Fixed version-major intolerance in server
   * Fixed CMake symlinking on out-of-source builds
   * Fixed dependency issues in test suite
   * Programs rsa_sign_pss and rsa_verify_pss were not using PSS since 1.3.0
   * Bignum's MIPS-32 assembly was used on MIPS-64, causing chaos. (Found by
     Alex Wilson.)
   * ssl_cache was creating entries when max_entries=0 if TIMING_C was enabled.
   * m_sleep() was sleeping twice too long on most Unix platforms.
   * Fixed bug with session tickets and non-blocking I/O in the unlikely case
     send() would return an EAGAIN error when sending the ticket.
   * ssl_cache was leaking memory when reusing a timed out entry containing a
     client certificate.
   * ssl_srv was leaking memory when client presented a timed out ticket
     containing a client certificate
   * ssl_init() was leaving a dirty pointer in ssl_context if malloc of
     out_ctr failed
   * ssl_handshake_init() was leaving dirty pointers in subcontexts if malloc
     of one of them failed
   * Fix typo in rsa_copy() that impacted PKCS#1 v2 contexts
   * x509_get_current_time() uses localtime_r() to prevent thread issues

= PolarSSL 1.3.4 released on 2014-01-27
Features
   * Support for the Koblitz curves: secp192k1, secp224k1, secp256k1
   * Support for RIPEMD-160
   * Support for AES CFB8 mode
   * Support for deterministic ECDSA (RFC 6979)

Bugfix
   * Potential memory leak in bignum_selftest()
   * Replaced expired test certificate
   * ssl_mail_client now terminates lines with CRLF, instead of LF
   * net module handles timeouts on blocking sockets better (found by Tilman
     Sauerbeck)
   * Assembly format fixes in bn_mul.h

Security
   * Missing MPI_CHK calls added around unguarded mpi calls (found by
     TrustInSoft)

= PolarSSL 1.3.3 released on 2013-12-31
Features
   * EC key generation support in gen_key app
   * Support for adhering to client ciphersuite order preference
     (POLARSSL_SSL_SRV_RESPECT_CLIENT_PREFERENCE)
   * Support for Curve25519
   * Support for ECDH-RSA and ECDH-ECDSA key exchanges and ciphersuites
   * Support for IPv6 in the NET module
   * AES-NI support for AES, AES-GCM and AES key scheduling
   * SSL Pthread-based server example added (ssl_pthread_server)

Changes
   * gen_prime() speedup
   * Speedup of ECP multiplication operation
   * Relaxed some SHA2 ciphersuite's version requirements
   * Dropped use of readdir_r() instead of readdir() with threading support
   * More constant-time checks in the RSA module
   * Split off curves from ecp.c into ecp_curves.c
   * Curves are now stored fully in ROM
   * Memory usage optimizations in ECP module
   * Removed POLARSSL_THREADING_DUMMY

Bugfix
   * Fixed bug in mpi_set_bit() on platforms where t_uint is wider than int
   * Fixed X.509 hostname comparison (with non-regular characters)
   * SSL now gracefully handles missing RNG
   * Missing defines / cases for RSA_PSK key exchange
   * crypt_and_hash app checks MAC before final decryption
   * Potential memory leak in ssl_ticket_keys_init()
   * Memory leak in benchmark application
   * Fixed x509_crt_parse_path() bug on Windows platforms
   * Added missing MPI_CHK() around some statements in mpi_div_mpi() (found by
     TrustInSoft)
   * Fixed potential overflow in certificate size verification in
     ssl_write_certificate() (found by TrustInSoft)

Security
   * Possible remotely-triggered out-of-bounds memory access fixed (found by
     TrustInSoft)

= PolarSSL 1.3.2 released on 2013-11-04
Features
   * PK tests added to test framework
   * Added optional optimization for NIST MODP curves (POLARSSL_ECP_NIST_OPTIM)
   * Support for Camellia-GCM mode and ciphersuites

Changes
   * Padding checks in cipher layer are now constant-time
   * Value comparisons in SSL layer are now constant-time
   * Support for serialNumber, postalAddress and postalCode in X509 names
   * SSL Renegotiation was refactored

Bugfix
   * More stringent checks in cipher layer
   * Server does not send out extensions not advertised by client
   * Prevent possible alignment warnings on casting from char * to 'aligned *'
   * Misc fixes and additions to dependency checks
   * Const correctness
   * cert_write with selfsign should use issuer_name as subject_name
   * Fix ECDSA corner case: missing reduction mod N (found by DualTachyon)
   * Defines to handle UEFI environment under MSVC
   * Server-side initiated renegotiations send HelloRequest

= PolarSSL 1.3.1 released on 2013-10-15
Features
   * Support for Brainpool curves and TLS ciphersuites (RFC 7027)
   * Support for ECDHE-PSK key-exchange and ciphersuites
   * Support for RSA-PSK key-exchange and ciphersuites

Changes
   * RSA blinding locks for a smaller amount of time
   * TLS compression only allocates working buffer once
   * Introduced POLARSSL_HAVE_READDIR_R for systems without it
   * config.h is more script-friendly

Bugfix
   * Missing MSVC defines added
   * Compile errors with POLARSSL_RSA_NO_CRT
   * Header files with 'polarssl/'
   * Const correctness
   * Possible naming collision in dhm_context
   * Better support for MSVC
   * threading_set_alt() name
   * Added missing x509write_crt_set_version()

= PolarSSL 1.3.0 released on 2013-10-01
Features
   * Elliptic Curve Cryptography module added
   * Elliptic Curve Diffie Hellman module added
   * Ephemeral Elliptic Curve Diffie Hellman support for SSL/TLS
    (ECDHE-based ciphersuites)
   * Ephemeral Elliptic Curve Digital Signature Algorithm support for SSL/TLS
    (ECDSA-based ciphersuites)
   * Ability to specify allowed ciphersuites based on the protocol version.
   * PSK and DHE-PSK based ciphersuites added
   * Memory allocation abstraction layer added
   * Buffer-based memory allocator added (no malloc() / free() / HEAP usage)
   * Threading abstraction layer added (dummy / pthread / alternate)
   * Public Key abstraction layer added
   * Parsing Elliptic Curve keys
   * Parsing Elliptic Curve certificates
   * Support for max_fragment_length extension (RFC 6066)
   * Support for truncated_hmac extension (RFC 6066)
   * Support for zeros-and-length (ANSI X.923) padding, one-and-zeros
     (ISO/IEC 7816-4) padding and zero padding in the cipher layer
   * Support for session tickets (RFC 5077)
   * Certificate Request (CSR) generation with extensions (key_usage,
     ns_cert_type)
   * X509 Certificate writing with extensions (basic_constraints,
     issuer_key_identifier, etc)
   * Optional blinding for RSA, DHM and EC
   * Support for multiple active certificate / key pairs in SSL servers for
   	 the same host (Not to be confused with SNI!)

Changes
   * Ability to enable / disable SSL v3 / TLS 1.0 / TLS 1.1 / TLS 1.2
     individually
   * Introduced separate SSL Ciphersuites module that is based on
     Cipher and MD information
   * Internals for SSL module adapted to have separate IV pointer that is
     dynamically set (Better support for hardware acceleration)
   * Moved all OID functionality to a separate module. RSA function
     prototypes for the RSA sign and verify functions changed as a result
   * Split up the GCM module into a starts/update/finish cycle
   * Client and server now filter sent and accepted ciphersuites on minimum
     and maximum protocol version
   * Ability to disable server_name extension (RFC 6066)
   * Renamed error_strerror() to the less conflicting polarssl_strerror()
     (Ability to keep old as well with POLARSSL_ERROR_STRERROR_BC)
   * SHA2 renamed to SHA256, SHA4 renamed to SHA512 and functions accordingly
   * All RSA operations require a random generator for blinding purposes
   * X509 core refactored
   * x509_crt_verify() now case insensitive for cn (RFC 6125 6.4)
   * Also compiles / runs without time-based functions (!POLARSSL_HAVE_TIME)
   * Support faulty X509 v1 certificates with extensions
     (POLARSSL_X509_ALLOW_EXTENSIONS_NON_V3)

Bugfix
   * Fixed parse error in ssl_parse_certificate_request()
   * zlib compression/decompression skipped on empty blocks
   * Support for AIX header locations in net.c module
   * Fixed file descriptor leaks

Security
   * RSA blinding on CRT operations to counter timing attacks
     (found by Cyril Arnaud and Pierre-Alain Fouque)

= Version 1.2.10 released 2013-10-07
Changes
   * Changed RSA blinding to a slower but thread-safe version

Bugfix
   * Fixed memory leak in RSA as a result of introduction of blinding
   * Fixed ssl_pkcs11_decrypt() prototype
   * Fixed MSVC project files

= Version 1.2.9 released 2013-10-01
Changes
   * x509_verify() now case insensitive for cn (RFC 6125 6.4)

Bugfix
   * Fixed potential memory leak when failing to resume a session
   * Fixed potential file descriptor leaks (found by Remi Gacogne)
   * Minor fixes

Security
   * Fixed potential heap buffer overflow on large hostname setting
   * Fixed potential negative value misinterpretation in load_file()
   * RSA blinding on CRT operations to counter timing attacks
     (found by Cyril Arnaud and Pierre-Alain Fouque)

= Version 1.2.8 released 2013-06-19
Features
   * Parsing of PKCS#8 encrypted private key files
   * PKCS#12 PBE and derivation functions
   * Centralized module option values in config.h to allow user-defined
     settings without editing header files by using POLARSSL_CONFIG_OPTIONS

Changes
   * HAVEGE random generator disabled by default
   * Internally split up x509parse_key() into a (PEM) handler function
     and specific DER parser functions for the PKCS#1 and unencrypted
     PKCS#8 private key formats
   * Added mechanism to provide alternative implementations for all
     symmetric cipher and hash algorithms (e.g. POLARSSL_AES_ALT in
	 config.h)
   * PKCS#5 module added. Moved PBKDF2 functionality inside and deprecated
     old PBKDF2 module

Bugfix
   * Secure renegotiation extension should only be sent in case client
     supports secure renegotiation
   * Fixed offset for cert_type list in ssl_parse_certificate_request()
   * Fixed const correctness issues that have no impact on the ABI
   * x509parse_crt() now better handles PEM error situations
   * ssl_parse_certificate() now calls x509parse_crt_der() directly
     instead of the x509parse_crt() wrapper that can also parse PEM
	 certificates
   * x509parse_crtpath() is now reentrant and uses more portable stat()
   * Fixed bignum.c and bn_mul.h to support Thumb2 and LLVM compiler
   * Fixed values for 2-key Triple DES in cipher layer
   * ssl_write_certificate_request() can handle empty ca_chain

Security
   * A possible DoS during the SSL Handshake, due to faulty parsing of
     PEM-encoded certificates has been fixed (found by Jack Lloyd)

= Version 1.2.7 released 2013-04-13
Features
   * Ability to specify allowed ciphersuites based on the protocol version.

Changes
   * Default Blowfish keysize is now 128-bits
   * Test suites made smaller to accommodate Raspberry Pi

Bugfix
   * Fix for MPI assembly for ARM
   * GCM adapted to support sizes > 2^29

= Version 1.2.6 released 2013-03-11
Bugfix
   * Fixed memory leak in ssl_free() and ssl_reset() for active session
   * Corrected GCM counter incrementation to use only 32-bits instead of
     128-bits (found by Yawning Angel)
   * Fixes for 64-bit compilation with MS Visual Studio
   * Fixed net_bind() for specified IP addresses on little endian systems
   * Fixed assembly code for ARM (Thumb and regular) for some compilers

Changes
   * Internally split up rsa_pkcs1_encrypt(), rsa_pkcs1_decrypt(),
     rsa_pkcs1_sign() and rsa_pkcs1_verify() to separate PKCS#1 v1.5 and
     PKCS#1 v2.1 functions
   * Added support for custom labels when using rsa_rsaes_oaep_encrypt()
     or rsa_rsaes_oaep_decrypt()
   * Re-added handling for SSLv2 Client Hello when the define
     POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO is set
   * The SSL session cache module (ssl_cache) now also retains peer_cert
     information (not the entire chain)

Security
   * Removed further timing differences during SSL message decryption in
     ssl_decrypt_buf()
   * Removed timing differences due to bad padding from
     rsa_rsaes_pkcs1_v15_decrypt() and rsa_pkcs1_decrypt() for PKCS#1 v1.5
     operations

= Version 1.2.5 released 2013-02-02
Changes
   * Allow enabling of dummy error_strerror() to support some use-cases
   * Debug messages about padding errors during SSL message decryption are
     disabled by default and can be enabled with POLARSSL_SSL_DEBUG_ALL 
   * Sending of security-relevant alert messages that do not break
     interoperability can be switched on/off with the flag
     POLARSSL_SSL_ALL_ALERT_MESSAGES

Security
   * Removed timing differences during SSL message decryption in
     ssl_decrypt_buf() due to badly formatted padding

= Version 1.2.4 released 2013-01-25
Changes
   * More advanced SSL ciphersuite representation and moved to more dynamic
     SSL core
   * Added ssl_handshake_step() to allow single stepping the handshake process

Bugfix
   * Memory leak when using RSA_PKCS_V21 operations fixed
   * Handle future version properly in ssl_write_certificate_request()
   * Correctly handle CertificateRequest message in client for <= TLS 1.1
     without DN list

= Version 1.2.3 released 2012-11-26
Bugfix
   * Server not always sending correct CertificateRequest message

= Version 1.2.2 released 2012-11-24
Changes
   * Added p_hw_data to ssl_context for context specific hardware acceleration
     data
   * During verify trust-CA is only checked for expiration and CRL presence  

Bugfixes
   * Fixed client authentication compatibility
   * Fixed dependency on POLARSSL_SHA4_C in SSL modules

= Version 1.2.1 released 2012-11-20
Changes
   * Depth that the certificate verify callback receives is now numbered
     bottom-up (Peer cert depth is 0)

Bugfixes
   * Fixes for MSVC6
   * Moved mpi_inv_mod() outside POLARSSL_GENPRIME
   * Allow R and A to point to same mpi in mpi_div_mpi (found by Manuel
     Pégourié-Gonnard)
   * Fixed possible segfault in mpi_shift_r() (found by Manuel
     Pégourié-Gonnard)
   * Added max length check for rsa_pkcs1_sign with PKCS#1 v2.1

= Version 1.2.0 released 2012-10-31
Features
   * Added support for NULL cipher (POLARSSL_CIPHER_NULL_CIPHER) and weak
     ciphersuites (POLARSSL_ENABLE_WEAK_CIPHERSUITES). They are disabled by
     default!
   * Added support for wildcard certificates
   * Added support for multi-domain certificates through the X509 Subject
     Alternative Name extension
   * Added preliminary ASN.1 buffer writing support
   * Added preliminary X509 Certificate Request writing support
   * Added key_app_writer example application
   * Added cert_req example application
   * Added base Galois Counter Mode (GCM) for AES
   * Added TLS 1.2 support (RFC 5246)
   * Added GCM suites to TLS 1.2 (RFC 5288)
   * Added commandline error code convertor (util/strerror)
   * Added support for Hardware Acceleration hooking in SSL/TLS
   * Added OpenSSL / PolarSSL compatibility script (tests/compat.sh) and
     example application (programs/ssl/o_p_test) (requires OpenSSL)
   * Added X509 CA Path support
   * Added Thumb assembly optimizations
   * Added DEFLATE compression support as per RFC3749 (requires zlib)
   * Added blowfish algorithm (Generic and cipher layer)
   * Added PKCS#5 PBKDF2 key derivation function
   * Added Secure Renegotiation (RFC 5746)
   * Added predefined DHM groups from RFC 5114
   * Added simple SSL session cache implementation
   * Added ServerName extension parsing (SNI) at server side
   * Added option to add minimum accepted SSL/TLS protocol version

Changes
   * Removed redundant POLARSSL_DEBUG_MSG define
   * AES code only check for Padlock once
   * Fixed const-correctness mpi_get_bit()
   * Documentation for mpi_lsb() and mpi_msb()
   * Moved out_msg to out_hdr + 32 to support hardware acceleration
   * Changed certificate verify behaviour to comply with RFC 6125 section 6.3
     to not match CN if subjectAltName extension is present (Closes ticket #56)
   * Cipher layer cipher_mode_t POLARSSL_MODE_CFB128 is renamed to
     POLARSSL_MODE_CFB, to also handle different block size CFB modes.
   * Removed handling for SSLv2 Client Hello (as per RFC 5246 recommendation)
   * Revamped session resumption handling
   * Generalized external private key implementation handling (like PKCS#11)
     in SSL/TLS
   * Revamped x509_verify() and the SSL f_vrfy callback implementations
   * Moved from unsigned long to fixed width uint32_t types throughout code
   * Renamed ciphersuites naming scheme to IANA reserved names

Bugfix
   * Fixed handling error in mpi_cmp_mpi() on longer B values (found by
     Hui Dong)
   * Fixed potential heap corruption in x509_name allocation
   * Fixed single RSA test that failed on Big Endian systems (Closes ticket #54)
   * mpi_exp_mod() now correctly handles negative base numbers (Closes ticket
     #52)
   * Handle encryption with private key and decryption with public key as per
   	 RFC 2313
   * Handle empty certificate subject names
   * Prevent reading over buffer boundaries on X509 certificate parsing
   * mpi_add_abs() now correctly handles adding short numbers to long numbers
     with carry rollover (found by Ruslan Yushchenko)
   * Handle existence of OpenSSL Trust Extensions at end of X.509 DER blob
   * Fixed MPI assembly for SPARC64 platform

Security
   * Fixed potential memory zeroization on miscrafted RSA key (found by Eloi
     Vanderbeken)

= Version 1.1.8 released on 2013-10-01
Bugfix
   * Fixed potential memory leak when failing to resume a session
   * Fixed potential file descriptor leaks

Security
   * Potential buffer-overflow for ssl_read_record() (independently found by
     both TrustInSoft and Paul Brodeur of Leviathan Security Group)
   * Potential negative value misinterpretation in load_file()
   * Potential heap buffer overflow on large hostname setting

= Version 1.1.7 released on 2013-06-19
Changes
   * HAVEGE random generator disabled by default

Bugfix
   * x509parse_crt() now better handles PEM error situations
   * ssl_parse_certificate() now calls x509parse_crt_der() directly
     instead of the x509parse_crt() wrapper that can also parse PEM
	 certificates
   * Fixed values for 2-key Triple DES in cipher layer
   * ssl_write_certificate_request() can handle empty ca_chain

Security
   * A possible DoS during the SSL Handshake, due to faulty parsing of
     PEM-encoded certificates has been fixed (found by Jack Lloyd)

= Version 1.1.6 released on 2013-03-11
Bugfix
   * Fixed net_bind() for specified IP addresses on little endian systems

Changes
   * Allow enabling of dummy error_strerror() to support some use-cases
   * Debug messages about padding errors during SSL message decryption are
     disabled by default and can be enabled with POLARSSL_SSL_DEBUG_ALL

Security
   * Removed timing differences during SSL message decryption in
     ssl_decrypt_buf()
   * Removed timing differences due to bad padding from
     rsa_rsaes_pkcs1_v15_decrypt() and rsa_pkcs1_decrypt() for PKCS#1 v1.5
     operations

= Version 1.1.5 released on 2013-01-16
Bugfix
   * Fixed MPI assembly for SPARC64 platform
   * Handle existence of OpenSSL Trust Extensions at end of X.509 DER blob
   * mpi_add_abs() now correctly handles adding short numbers to long numbers
     with carry rollover
   * Moved mpi_inv_mod() outside POLARSSL_GENPRIME
   * Prevent reading over buffer boundaries on X509 certificate parsing
   * mpi_exp_mod() now correctly handles negative base numbers (Closes ticket
     #52)
   * Fixed possible segfault in mpi_shift_r() (found by Manuel
     Pégourié-Gonnard)
   * Allow R and A to point to same mpi in mpi_div_mpi (found by Manuel
     Pégourié-Gonnard)
   * Added max length check for rsa_pkcs1_sign with PKCS#1 v2.1
   * Memory leak when using RSA_PKCS_V21 operations fixed
   * Handle encryption with private key and decryption with public key as per
     RFC 2313
   * Fixes for MSVC6

Security
   * Fixed potential memory zeroization on miscrafted RSA key (found by Eloi
     Vanderbeken)

= Version 1.1.4 released on 2012-05-31
Bugfix
   * Correctly handle empty SSL/TLS packets (Found by James Yonan)
   * Fixed potential heap corruption in x509_name allocation
   * Fixed single RSA test that failed on Big Endian systems (Closes ticket #54)

= Version 1.1.3 released on 2012-04-29
Bugfix
   * Fixed random MPI generation to not generate more size than requested.

= Version 1.1.2 released on 2012-04-26
Bugfix
   * Fixed handling error in mpi_cmp_mpi() on longer B values (found by
     Hui Dong)

Security
   * Fixed potential memory corruption on miscrafted client messages (found by
     Frama-C team at CEA LIST)
   * Fixed generation of DHM parameters to correct length (found by Ruslan
     Yushchenko)

= Version 1.1.1 released on 2012-01-23
Bugfix
   * Check for failed malloc() in ssl_set_hostname() and x509_get_entries()
     (Closes ticket #47, found by Hugo Leisink)
   * Fixed issues with Intel compiler on 64-bit systems (Closes ticket #50)
   * Fixed multiple compiler warnings for VS6 and armcc
   * Fixed bug in CTR_CRBG selftest

= Version 1.1.0 released on 2011-12-22
Features
   * Added ssl_session_reset() to allow better multi-connection pools of
     SSL contexts without needing to set all non-connection-specific
	 data and pointers again. Adapted ssl_server to use this functionality.
   * Added ssl_set_max_version() to allow clients to offer a lower maximum
     supported version to a server to help buggy server implementations.
	 (Closes ticket #36)
   * Added cipher_get_cipher_mode() and cipher_get_cipher_operation()
     introspection functions (Closes ticket #40)
   * Added CTR_DRBG based on AES-256-CTR (NIST SP 800-90) random generator
   * Added a generic entropy accumulator that provides support for adding
     custom entropy sources and added some generic and platform dependent
	 entropy sources

Changes
   * Documentation for AES and Camellia in modes CTR and CFB128 clarified.
   * Fixed rsa_encrypt and rsa_decrypt examples to use public key for
     encryption and private key for decryption. (Closes ticket #34)
   * Inceased maximum size of ASN1 length reads to 32-bits.
   * Added an EXPLICIT tag number parameter to x509_get_ext()
   * Added a separate CRL entry extension parsing function
   * Separated the ASN.1 parsing code from the X.509 specific parsing code.
     So now there is a module that is controlled with POLARSSL_ASN1_PARSE_C.
   * Changed the defined key-length of DES ciphers in cipher.h to include the
     parity bits, to prevent mistakes in copying data. (Closes ticket #33)
   * Loads of minimal changes to better support WINCE as a build target
     (Credits go to Marco Lizza)
   * Added POLARSSL_MPI_WINDOW_SIZE definition to allow easier time to memory
     trade-off
   * Introduced POLARSSL_MPI_MAX_SIZE and POLARSSL_MPI_MAX_BITS for MPI size
     management (Closes ticket #44)
   * Changed the used random function pointer to more flexible format. Renamed
     havege_rand() to havege_random() to prevent mistakes. Lots of changes as
     a consequence in library code and programs
   * Moved all examples programs to use the new entropy and CTR_DRBG
   * Added permissive certificate parsing to x509parse_crt() and
     x509parse_crtfile(). With permissive parsing the parsing does not stop on
     encountering a parse-error. Beware that the meaning of return values has
     changed!
   * All error codes are now negative. Even on mermory failures and IO errors.

Bugfix
   * Fixed faulty HMAC-MD2 implementation. Found by dibac. (Closes
     ticket #37)
   * Fixed a bug where the CRL parser expected an EXPLICIT ASN.1 tag
     before version numbers
   * Allowed X509 key usage parsing to accept 4 byte values instead of the
     standard 1 byte version sometimes used by Microsoft. (Closes ticket #38)
   * Fixed incorrect behaviour in case of RSASSA-PSS with a salt length
     smaller than the hash length. (Closes ticket #41)
   * If certificate serial is longer than 32 octets, serial number is now
     appended with '....' after first 28 octets
   * Improved build support for s390x and sparc64 in bignum.h
   * Fixed MS Visual C++ name clash with int64 in sha4.h
   * Corrected removal of leading "00:" in printing serial numbers in
     certificates and CRLs

= Version 1.0.0 released on 2011-07-27
Features
   * Expanded cipher layer with support for CFB128 and CTR mode
   * Added rsa_encrypt and rsa_decrypt simple example programs.

Changes
   * The generic cipher and message digest layer now have normal error
     codes instead of integers

Bugfix
   * Undid faulty bug fix in ssl_write() when flushing old data (Ticket
     #18)

= Version 0.99-pre5 released on 2011-05-26
Features
   * Added additional Cipher Block Modes to symmetric ciphers
     (AES CTR, Camellia CTR, XTEA CBC) including the option to
     enable and disable individual modes when needed
   * Functions requiring File System functions can now be disabled
     by undefining POLARSSL_FS_IO
   * A error_strerror function() has been added to translate between
     error codes and their description.
   * Added mpi_get_bit() and mpi_set_bit() individual bit setter/getter
     functions.
   * Added ssl_mail_client and ssl_fork_server as example programs.

Changes
   * Major argument / variable rewrite. Introduced use of size_t
     instead of int for buffer lengths and loop variables for
     better unsigned / signed use. Renamed internal bigint types
     t_int and t_dbl to t_uint and t_udbl in the process
   * mpi_init() and mpi_free() now only accept a single MPI
     argument and do not accept variable argument lists anymore.
   * The error codes have been remapped and combining error codes
     is now done with a PLUS instead of an OR as error codes
     used are negative.
   * Changed behaviour of net_read(), ssl_fetch_input() and ssl_recv().
     net_recv() now returns 0 on EOF instead of
     POLARSSL_ERR_NET_CONN_RESET. ssl_fetch_input() returns
     POLARSSL_ERR_SSL_CONN_EOF on an EOF from its f_recv() function.
     ssl_read() returns 0 if a POLARSSL_ERR_SSL_CONN_EOF is received
     after the handshake.
   * Network functions now return POLARSSL_ERR_NET_WANT_READ or
     POLARSSL_ERR_NET_WANT_WRITE instead of the ambiguous
     POLARSSL_ERR_NET_TRY_AGAIN

= Version 0.99-pre4 released on 2011-04-01
Features
   * Added support for PKCS#1 v2.1 encoding and thus support
     for the RSAES-OAEP and RSASSA-PSS operations.
   * Reading of Public Key files incorporated into default x509
     functionality as well.
   * Added mpi_fill_random() for centralized filling of big numbers
     with random data (Fixed ticket #10)

Changes
   * Debug print of MPI now removes leading zero octets and 
     displays actual bit size of the value.
   * x509parse_key() (and as a consequence x509parse_keyfile()) 
     does not zeroize memory in advance anymore. Use rsa_init()
     before parsing a key or keyfile!

Bugfix
   * Debug output of MPI's now the same independent of underlying
     platform (32-bit / 64-bit) (Fixes ticket #19, found by Mads
     Kiilerich and Mihai Militaru)
   * Fixed bug in ssl_write() when flushing old data (Fixed ticket
     #18, found by Nikolay Epifanov)
   * Fixed proper handling of RSASSA-PSS verification with variable
     length salt lengths

= Version 0.99-pre3 released on 2011-02-28
This release replaces version 0.99-pre2 which had possible copyright issues.
Features
   * Parsing PEM private keys encrypted with DES and AES
     are now supported as well (Fixes ticket #5)
   * Added crl_app program to allow easy reading and
     printing of X509 CRLs from file

Changes
   * Parsing of PEM files moved to separate module (Fixes 
     ticket #13). Also possible to remove PEM support for
     systems only using DER encoding

Bugfixes
   * Corrected parsing of UTCTime dates before 1990 and
     after 1950
   * Support more exotic OID's when parsing certificates
   	 (found by Mads Kiilerich)
   * Support more exotic name representations when parsing
     certificates (found by Mads Kiilerich)
   * Replaced the expired test certificates
   * Do not bail out if no client certificate specified. Try
     to negotiate anonymous connection (Fixes ticket #12,
     found by Boris Krasnovskiy)

Security fixes
   * Fixed a possible Man-in-the-Middle attack on the
     Diffie Hellman key exchange (thanks to Larry Highsmith,
     Subreption LLC)

= Version 0.99-pre1 released on 2011-01-30
Features
Note: Most of these features have been donated by Fox-IT
   * Added Doxygen source code documentation parts
   * Added reading of DHM context from memory and file
   * Improved X509 certificate parsing to include extended
     certificate fields, including Key Usage
   * Improved certificate verification and verification
     against the available CRLs
   * Detection for DES weak keys and parity bits added
   * Improvements to support integration in other
     applications:
       + Added generic message digest and cipher wrapper
       + Improved information about current capabilities,
         status, objects and configuration
       + Added verification callback on certificate chain
         verification to allow external blacklisting
	   + Additional example programs to show usage
   * Added support for PKCS#11 through the use of the
     libpkcs11-helper library

Changes
   * x509parse_time_expired() checks time in addition to
     the existing date check
   * The ciphers member of ssl_context and the cipher member
     of ssl_session have been renamed to ciphersuites and
     ciphersuite respectively. This clarifies the difference
     with the generic cipher layer and is better naming
     altogether

= Version 0.14.0 released on 2010-08-16
Features
   * Added support for SSL_EDH_RSA_AES_128_SHA and
     SSL_EDH_RSA_CAMELLIA_128_SHA ciphersuites
   * Added compile-time and run-time version information
   * Expanded ssl_client2 arguments for more flexibility
   * Added support for TLS v1.1

Changes
   * Made Makefile cleaner
   * Removed dependency on rand() in rsa_pkcs1_encrypt().
     Now using random fuction provided to function and
     changed the prototype of rsa_pkcs1_encrypt(),
     rsa_init() and rsa_gen_key().
   * Some SSL defines were renamed in order to avoid
     future confusion

Bug fixes
   * Fixed CMake out of source build for tests (found by
     kkert)
   * rsa_check_private() now supports PKCS1v2 keys as well
   * Fixed deadlock in rsa_pkcs1_encrypt() on failing random
     generator

= Version 0.13.1 released on 2010-03-24
Bug fixes
   * Fixed Makefile in library that was mistakenly merged
   * Added missing const string fixes

= Version 0.13.0 released on 2010-03-21
Features
   * Added option parsing for host and port selection to
     ssl_client2
   * Added support for GeneralizedTime in X509 parsing
   * Added cert_app program to allow easy reading and
     printing of X509 certificates from file or SSL
     connection.

Changes
   * Added const correctness for main code base
   * X509 signature algorithm determination is now
     in a function to allow easy future expansion
   * Changed symmetric cipher functions to
     identical interface (returning int result values)
   * Changed ARC4 to use separate input/output buffer
   * Added reset function for HMAC context as speed-up
     for specific use-cases

Bug fixes
   * Fixed bug resulting in failure to send the last
     certificate in the chain in ssl_write_certificate() and
     ssl_write_certificate_request() (found by fatbob)
   * Added small fixes for compiler warnings on a Mac
     (found by Frank de Brabander)
   * Fixed algorithmic bug in mpi_is_prime() (found by
     Smbat Tonoyan)

= Version 0.12.1 released on 2009-10-04
Changes
   * Coverage test definitions now support 'depends_on'
     tagging system.
   * Tests requiring specific hashing algorithms now honor
     the defines.

Bug fixes
   * Changed typo in #ifdef in x509parse.c (found
     by Eduardo)

= Version 0.12.0 released on 2009-07-28
Features
   * Added CMake makefiles as alternative to regular Makefiles.
   * Added preliminary Code Coverage tests for AES, ARC4,
     Base64, MPI, SHA-family, MD-family, HMAC-SHA-family,
     Camellia, DES, 3-DES, RSA PKCS#1, XTEA, Diffie-Hellman
     and X509parse.

Changes
   * Error codes are not (necessarily) negative. Keep
     this is mind when checking for errors.
   * RSA_RAW renamed to SIG_RSA_RAW for consistency.
   * Fixed typo in name of POLARSSL_ERR_RSA_OUTPUT_TOO_LARGE.
   * Changed interface for AES and Camellia setkey functions
     to indicate invalid key lengths.

Bug fixes
   * Fixed include location of endian.h on FreeBSD (found by
     Gabriel)
   * Fixed include location of endian.h and name clash on
     Apples (found by Martin van Hensbergen)
   * Fixed HMAC-MD2 by modifying md2_starts(), so that the
     required HMAC ipad and opad variables are not cleared.
     (found by code coverage tests)
   * Prevented use of long long in bignum if 
     POLARSSL_HAVE_LONGLONG not defined (found by Giles
     Bathgate).
   * Fixed incorrect handling of negative strings in
     mpi_read_string() (found by code coverage tests).
   * Fixed segfault on handling empty rsa_context in
     rsa_check_pubkey() and rsa_check_privkey() (found by
     code coverage tests).
   * Fixed incorrect handling of one single negative input
     value in mpi_add_abs() (found by code coverage tests).
   * Fixed incorrect handling of negative first input
     value in mpi_sub_abs() (found by code coverage tests).
   * Fixed incorrect handling of negative first input
     value in mpi_mod_mpi() and mpi_mod_int(). Resulting
     change also affects mpi_write_string() (found by code
     coverage tests).
   * Corrected is_prime() results for 0, 1 and 2 (found by
     code coverage tests).
   * Fixed Camellia and XTEA for 64-bit Windows systems.

= Version 0.11.1 released on 2009-05-17
   * Fixed missing functionality for SHA-224, SHA-256, SHA384,
     SHA-512 in rsa_pkcs1_sign()

= Version 0.11.0 released on 2009-05-03
   * Fixed a bug in mpi_gcd() so that it also works when both
     input numbers are even and added testcases to check
     (found by Pierre Habouzit).
   * Added support for SHA-224, SHA-256, SHA-384 and SHA-512
     one way hash functions with the PKCS#1 v1.5 signing and
     verification.
   * Fixed minor bug regarding mpi_gcd located within the
     POLARSSL_GENPRIME block.
   * Fixed minor memory leak in x509parse_crt() and added better
     handling of 'full' certificate chains (found by Mathias
     Olsson).
   * Centralized file opening and reading for x509 files into
     load_file()
   * Made definition of net_htons() endian-clean for big endian
     systems (Found by Gernot).
   * Undefining POLARSSL_HAVE_ASM now also handles prevents asm in
     padlock and timing code. 
   * Fixed an off-by-one buffer allocation in ssl_set_hostname()
     responsible for crashes and unwanted behaviour.
   * Added support for Certificate Revocation List (CRL) parsing.
   * Added support for CRL revocation to x509parse_verify() and
     SSL/TLS code.
   * Fixed compatibility of XTEA and Camellia on a 64-bit system
     (found by Felix von Leitner).

= Version 0.10.0 released on 2009-01-12
   * Migrated XySSL to PolarSSL
   * Added XTEA symmetric cipher
   * Added Camellia symmetric cipher
   * Added support for ciphersuites: SSL_RSA_CAMELLIA_128_SHA,
     SSL_RSA_CAMELLIA_256_SHA and SSL_EDH_RSA_CAMELLIA_256_SHA
   * Fixed dangerous bug that can cause a heap overflow in
     rsa_pkcs1_decrypt (found by Christophe Devine)

================================================================
XySSL ChangeLog

= Version 0.9 released on 2008-03-16

    * Added support for ciphersuite: SSL_RSA_AES_128_SHA
    * Enabled support for large files by default in aescrypt2.c
    * Preliminary openssl wrapper contributed by David Barrett
    * Fixed a bug in ssl_write() that caused the same payload to
      be sent twice in non-blocking mode when send returns EAGAIN
    * Fixed ssl_parse_client_hello(): session id and challenge must
      not be swapped in the SSLv2 ClientHello (found by Greg Robson)
    * Added user-defined callback debug function (Krystian Kolodziej)
    * Before freeing a certificate, properly zero out all cert. data
    * Fixed the "mode" parameter so that encryption/decryption are
      not swapped on PadLock; also fixed compilation on older versions
      of gcc (bug reported by David Barrett)
    * Correctly handle the case in padlock_xcryptcbc() when input or
      ouput data is non-aligned by falling back to the software
      implementation, as VIA Nehemiah cannot handle non-aligned buffers
    * Fixed a memory leak in x509parse_crt() which was reported by Greg
      Robson-Garth; some x509write.c fixes by Pascal Vizeli, thanks to
      Matthew Page who reported several bugs
    * Fixed x509_get_ext() to accept some rare certificates which have
      an INTEGER instead of a BOOLEAN for BasicConstraints::cA.
    * Added support on the client side for the TLS "hostname" extension
      (patch contributed by David Patino)
    * Make x509parse_verify() return BADCERT_CN_MISMATCH when an empty
      string is passed as the CN (bug reported by spoofy)
    * Added an option to enable/disable the BN assembly code
    * Updated rsa_check_privkey() to verify that (D*E) = 1 % (P-1)*(Q-1)
    * Disabled obsolete hash functions by default (MD2, MD4); updated
      selftest and benchmark to not test ciphers that have been disabled
    * Updated x509parse_cert_info() to correctly display byte 0 of the
      serial number, setup correct server port in the ssl client example
    * Fixed a critical denial-of-service with X.509 cert. verification:
      peer may cause xyssl to loop indefinitely by sending a certificate
      for which the RSA signature check fails (bug reported by Benoit)
    * Added test vectors for: AES-CBC, AES-CFB, DES-CBC and 3DES-CBC,
      HMAC-MD5, HMAC-SHA1, HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512
    * Fixed HMAC-SHA-384 and HMAC-SHA-512 (thanks to Josh Sinykin)
    * Modified ssl_parse_client_key_exchange() to protect against
      Daniel Bleichenbacher attack on PKCS#1 v1.5 padding, as well
      as the Klima-Pokorny-Rosa extension of Bleichenbacher's attack
    * Updated rsa_gen_key() so that ctx->N is always nbits in size
    * Fixed assembly PPC compilation errors on Mac OS X, thanks to
      David Barrett and Dusan Semen

= Version 0.8 released on 2007-10-20

    * Modified the HMAC functions to handle keys larger
      than 64 bytes, thanks to Stephane Desneux and gary ng
    * Fixed ssl_read_record() to properly update the handshake
      message digests, which fixes IE6/IE7 client authentication
    * Cleaned up the XYSSL* #defines, suggested by Azriel Fasten
    * Fixed net_recv(), thanks to Lorenz Schori and Egon Kocjan
    * Added user-defined callbacks for handling I/O and sessions
    * Added lots of debugging output in the SSL/TLS functions
    * Added preliminary X.509 cert. writing by Pascal Vizeli
    * Added preliminary support for the VIA PadLock routines
    * Added AES-CFB mode of operation, contributed by chmike
    * Added an SSL/TLS stress testing program (ssl_test.c)
    * Updated the RSA PKCS#1 code to allow choosing between
      RSA_PUBLIC and RSA_PRIVATE, as suggested by David Barrett
    * Updated ssl_read() to skip 0-length records from OpenSSL
    * Fixed the make install target to comply with *BSD make
    * Fixed a bug in mpi_read_binary() on 64-bit platforms
    * mpi_is_prime() speedups, thanks to Kevin McLaughlin
    * Fixed a long standing memory leak in mpi_is_prime()
    * Replaced realloc with malloc in mpi_grow(), and set
      the sign of zero as positive in mpi_init() (reported
      by Jonathan M. McCune)

= Version 0.7 released on 2007-07-07

    * Added support for the MicroBlaze soft-core processor
    * Fixed a bug in ssl_tls.c which sometimes prevented SSL
      connections from being established with non-blocking I/O
    * Fixed a couple bugs in the VS6 and UNIX Makefiles
    * Fixed the "PIC register ebx clobbered in asm" bug
    * Added HMAC starts/update/finish support functions
    * Added the SHA-224, SHA-384 and SHA-512 hash functions
    * Fixed the net_set_*block routines, thanks to Andreas
    * Added a few demonstration programs: md5sum, sha1sum,
      dh_client, dh_server, rsa_genkey, rsa_sign, rsa_verify
    * Added new bignum import and export helper functions
    * Rewrote README.txt in program/ssl/ca to better explain
      how to create a test PKI

= Version 0.6 released on 2007-04-01

    * Ciphers used in SSL/TLS can now be disabled at compile
      time, to reduce the memory footprint on embedded systems
    * Added multiply assembly code for the TriCore and modified
      havege_struct for this processor, thanks to David Patiño
    * Added multiply assembly code for 64-bit PowerPCs,
      thanks to Peking University and the OSU Open Source Lab
    * Added experimental support of Quantum Cryptography
    * Added support for autoconf, contributed by Arnaud Cornet
    * Fixed "long long" compilation issues on IA-64 and PPC64
    * Fixed a bug introduced in xyssl-0.5/timing.c: hardclock
      was not being correctly defined on ARM and MIPS

= Version 0.5 released on 2007-03-01

    * Added multiply assembly code for SPARC and Alpha
    * Added (beta) support for non-blocking I/O operations
    * Implemented session resuming and client authentication
    * Fixed some portability issues on WinCE, MINIX 3, Plan9
      (thanks to Benjamin Newman), HP-UX, FreeBSD and Solaris
    * Improved the performance of the EDH key exchange
    * Fixed a bug that caused valid packets with a payload
      size of 16384 bytes to be rejected

= Version 0.4 released on 2007-02-01

    * Added support for Ephemeral Diffie-Hellman key exchange
    * Added multiply asm code for SSE2, ARM, PPC, MIPS and M68K
    * Various improvement to the modular exponentiation code
    * Rewrote the headers to generate the API docs with doxygen
    * Fixed a bug in ssl_encrypt_buf (incorrect padding was
      generated) and in ssl_parse_client_hello (max. client
      version was not properly set), thanks to Didier Rebeix
    * Fixed another bug in ssl_parse_client_hello: clients with
      cipherlists larger than 96 bytes were incorrectly rejected
    * Fixed a couple memory leak in x509_read.c

= Version 0.3 released on 2007-01-01

    * Added server-side SSLv3 and TLSv1.0 support
    * Multiple fixes to enhance the compatibility with g++,
      thanks to Xosé Antón Otero Ferreira
    * Fixed a bug in the CBC code, thanks to dowst; also,
      the bignum code is no longer dependent on long long
    * Updated rsa_pkcs1_sign to handle arbitrary large inputs
    * Updated timing.c for improved compatibility with i386
      and 486 processors, thanks to Arnaud Cornet

= Version 0.2 released on 2006-12-01

    * Updated timing.c to support ARM and MIPS arch
    * Updated the MPI code to support 8086 on MSVC 1.5
    * Added the copyright notice at the top of havege.h
    * Fixed a bug in sha2_hmac, thanks to newsoft/Wenfang Zhang
    * Fixed a bug reported by Adrian Rüegsegger in x509_read_key
    * Fixed a bug reported by Torsten Lauter in ssl_read_record
    * Fixed a bug in rsa_check_privkey that would wrongly cause
      valid RSA keys to be dismissed (thanks to oldwolf)
    * Fixed a bug in mpi_is_prime that caused some primes to fail
      the Miller-Rabin primality test

    I'd also like to thank Younès Hafri for the CRUX linux port,
    Khalil Petit who added XySSL into pkgsrc and Arnaud Cornet
    who maintains the Debian package :-)

= Version 0.1 released on 2006-11-01