PolarSSL news feed

PolarSSL 1.1.1 available

Mon, 22 Jan 2012 11:11:00 +0200

PolarSSL version 1.1.1 available

A minor bugfix release to PolarSSL Version 1.1.0 has been released. Changes include some additional checking for failed malloc's and alterations to prevent compiler warnings with Visual Studio 6.0 and armcc.

From the ChangeLog

Bugfixes

Bugfix
   * Check for failed malloc() in ssl_set_hostname() and x509_get_entries()
     (Closes ticket #47, found by Hugo Leisink)
   * Fixed issues with Intel compiler on 64-bit systems (Closes ticket #50)
   * Fixed multiple compiler warnings for VS6 and armcc
   * Fixed bug in CTR_CRBG selftest

Download links: polarssl-1.1.1-gpl.tgz

polarssl-1.1.1-gpl.tgz:
MD5    : f1f25a261ea677602a0a08c5c4f50166
SHA-1  : f034bddaa2dcea343e67756d10ce60d1e5251296
SHA-256: 8527d74cbf49a4845cfb901f730cc5067f03cde123e6014fa9f821d5042d4767

PolarSSL 1.1.0 available

Mon, 22 Dec 2011 11:31:00 +0200

PolarSSL version 1.1.0 available

With some minor changes, PolarSSL version 1.1.0 is a fact as a pre-Christmas gift.

The changes with Release Candidate 1 are minor. The biggest change is the addition of HAVEGE as a standard entropy source for the entropy pool if HAVEGE is available.

In relation to PolarSSL 1.0.0 more has changed. This release introduces the CTR_DBRG random generator based on AES-256-CTR (NIST SP 800-90) and an generic entropy accumulator, next to the already existing HAVEGE random generator. The behaviour of x509parse_crt() has changed though! It's backwards compatible with pre-1.1.0 code. For permissive parsing you now have to use the return code differently, please read the documentation. A lot of simple error codes (1 and 2) inside the code were changed to 'real errors'. In addition a lot of standing issues where fixed with regards to compatibility and customization. Check out the ChangeLog below for additional information.

Security

Feedback from the security community has triggered an investigation into the quality of PolarSSL's random number generation within virtualized environments.

PolarSSL versions prior to v1.1 use the HAVEGE random number generation algorithm. At its heart, this uses timing information based on the processor's high resolution timer (the RDTSC instruction). This instruction can be virtualized, and some virtual machine hosts have chosen to disable this instruction, returning 0s or predictable results.

As a result this version contains a new random number generator based on the CTR_DRBG algorithm specified in NIST-SP800-90. We advise everyone to move to the new generator and entropy pool. For more information, please head to the PolarSSL Security Advisory 2011-02.

From the ChangeLog

Features

   * Added ssl_session_reset() to allow better multi-connection pools of
     SSL contexts without needing to set all non-connection-specific
     data and pointers again. Adapted ssl_server to use this functionality.
   * Added ssl_set_max_version() to allow clients to offer a lower maximum
     supported version to a server to help buggy server implementations.
     (Closes ticket #36)
   * Added cipher_get_cipher_mode() and cipher_get_cipher_operation()
     introspection functions (Closes ticket #40)
   * Added CTR_DRBG based on AES-256-CTR (NIST SP 800-90) random generator
   * Added a generic entropy accumulator that provides support for adding
     custom entropy sources and added some generic and platform dependent
     entropy sources

Changes

   * Documentation for AES and Camellia in modes CTR and CFB128 clarified.
   * Fixed rsa_encrypt and rsa_decrypt examples to use public key for
     encryption and private key for decryption. (Closes ticket #34)
   * Inceased maximum size of ASN1 length reads to 32-bits.
   * Added an EXPLICIT tag number parameter to x509_get_ext()
   * Added a separate CRL entry extension parsing function
   * Separated the ASN.1 parsing code from the X.509 specific parsing code.
     So now there is a module that is controlled with POLARSSL_ASN1_PARSE_C.
   * Changed the defined key-length of DES ciphers in cipher.h to include the
     parity bits, to prevent mistakes in copying data. (Closes ticket #33)
   * Loads of minimal changes to better support WINCE as a build target
     (Credits go to Marco Lizza)
   * Added POLARSSL_MPI_WINDOW_SIZE definition to allow easier time to memory
     trade-off
   * Introduced POLARSSL_MPI_MAX_SIZE and POLARSSL_MPI_MAX_BITS for MPI size
     management (Closes ticket #44)
   * Changed the used random function pointer to more flexible format. Renamed
     havege_rand() to havege_random() to prevent mistakes. Lots of changes as
     a consequence in library code and programs
   * Moved all examples programs to use the new entropy and CTR_DRBG
   * Added permissive certificate parsing to x509parse_crt() and
     x509parse_crtfile(). With permissive parsing the parsing does not stop on
     encountering a parse-error

Bugfixes

   * Fixed faulty HMAC-MD2 implementation. Found by dibac. (Closes
     ticket #37)
   * Fixed a bug where the CRL parser expected an EXPLICIT ASN.1 tag
     before version numbers
   * Allowed X509 key usage parsing to accept 4 byte values instead of the
     standard 1 byte version sometimes used by Microsoft. (Closes ticket #38)
   * Fixed incorrect behaviour in case of RSASSA-PSS with a salt length
     smaller than the hash length. (Closes ticket #41)
   * If certificate serial is longer than 32 octets, serial number is now
     appended with '....' after first 28 octets
   * Improved build support for s390x and sparc64 in bignum.h
   * Fixed MS Visual C++ name clash with int64 in sha4.h
   * Corrected removal of leading "00:" in printing serial numbers in
     certificates and CRLs

Download links: polarssl-1.1.0-gpl.tgz

polarssl-1.1.0-gpl.tgz:
MD5    : 9d82bf887dc6af2b61a562fbab39737a
SHA-1  : 7682b3d4a78173c4ef4a105e7efcfe50bd6c3b6f
SHA-256: 50f8f50fd02a8b7371ea23317aee51dbb051e7d00efdd1929853f57bb15d3784

PolarSSL 1.1.0-rc1 available

Mon, 11 Dec 2011 18:14:00 +0200

PolarSSL version 1.1.0-rc1 available

The second (and hopefully final) release candidate for PolarSSL 1.1.0 is available. Please test it out, if you can! After three days with no major issues, this release will become final.

This release adds some minor strengthening changes to the entropy accumulator and changes the prototype for x509parse_crt() back to its original form. Behaviour has changed though! It's backwards compatible with pre-1.1.0 code. For permissive parsing you now have to use the return code differently. A lot of simple error codes (1 and 2) inside the code were changed to 'real errors'.

Download links: polarssl-1.1.0-rc1-gpl.tgz

polarssl-1.1.0-rc1-gpl.tgz:
MD5    : 7f825dd8dc821311e6842cfdded30eaa
SHA-1  : 9aff92e91585f3756c18213add33bfe1c224996e
SHA-256: 56dc1d9c42b5e445234e6b36ac15fe3fc9e602efd3da03fd5637a0a57602299f

PolarSSL 1.1.0-rc0 available

Mon, 05 Dec 2011 15:46:00 +0200

PolarSSL version 1.1.0-rc0 available

The first (and hopefully final) release candidate for PolarSSL 1.1.0 is available. Please test it out, if you can! After three days with no major issues, this release will become final.

This release introduces the CTR_DBRG random generator based on AES-256-CTR (NIST SP 800-90) and an generic entropy accumulator, next to the already existing HAVEGE random generator. In addition a lot of standing issues where fixed with regards to compatibility and customization. Check out the ChangeLog below for additional information.

From the ChangeLog

Features

   * Added ssl_session_reset() to allow better multi-connection pools of
     SSL contexts without needing to set all non-connection-specific
     data and pointers again. Adapted ssl_server to use this functionality.
   * Added ssl_set_max_version() to allow clients to offer a lower maximum
     supported version to a server to help buggy server implementations.
     (Closes ticket #36)
   * Added cipher_get_cipher_mode() and cipher_get_cipher_operation()
     introspection functions (Closes ticket #40)
   * Added CTR_DRBG based on AES-256-CTR (NIST SP 800-90) random generator
   * Added a generic entropy accumulator that provides support for adding
     custom entropy sources and added some generic and platform dependent
     entropy sources

Changes

   * Documentation for AES and Camellia in modes CTR and CFB128 clarified.
   * Fixed rsa_encrypt and rsa_decrypt examples to use public key for
     encryption and private key for decryption. (Closes ticket #34)
   * Inceased maximum size of ASN1 length reads to 32-bits.
   * Added an EXPLICIT tag number parameter to x509_get_ext()
   * Added a separate CRL entry extension parsing function
   * Separated the ASN.1 parsing code from the X.509 specific parsing code.
     So now there is a module that is controlled with POLARSSL_ASN1_PARSE_C.
   * Changed the defined key-length of DES ciphers in cipher.h to include the
     parity bits, to prevent mistakes in copying data. (Closes ticket #33)
   * Loads of minimal changes to better support WINCE as a build target
     (Credits go to Marco Lizza)
   * Added POLARSSL_MPI_WINDOW_SIZE definition to allow easier time to memory
     trade-off
   * Introduced POLARSSL_MPI_MAX_SIZE and POLARSSL_MPI_MAX_BITS for MPI size
     management (Closes ticket #44)
   * Changed the used random function pointer to more flexible format. Renamed
     havege_rand() to havege_random() to prevent mistakes. Lots of changes as
     a consequence in library code and programs
   * Moved all examples programs to use the new entropy and CTR_DRBG
   * Added permissive certificate parsing to x509parse_crt() and
     x509parse_crtfile(). With permissive parsing the parsing does not stop on
     encountering a parse-error

Bugfixes

   * Fixed faulty HMAC-MD2 implementation. Found by dibac. (Closes
     ticket #37)
   * Fixed a bug where the CRL parser expected an EXPLICIT ASN.1 tag
     before version numbers
   * Allowed X509 key usage parsing to accept 4 byte values instead of the
     standard 1 byte version sometimes used by Microsoft. (Closes ticket #38)
   * Fixed incorrect behaviour in case of RSASSA-PSS with a salt length
     smaller than the hash length. (Closes ticket #41)
   * If certificate serial is longer than 32 octets, serial number is now
     appended with '....' after first 28 octets
   * Improved build support for s390x and sparc64 in bignum.h
   * Fixed MS Visual C++ name clash with int64 in sha4.h
   * Corrected removal of leading "00:" in printing serial numbers in
     certificates and CRLs

Download links: polarssl-1.1.0-rc0-gpl.tgz

polarssl-1.1.0-rc0-gpl.tgz:
MD5    : 69a84166199fc53d378884c0d9bd721b
SHA-1  : 1cd5474d7ff82e948051a084ce91a4d9f8d604e3
SHA-256: 4ffcb5c693e342442668568a3dbcc91dcc96692f309d07f1c6e941ce7bf7b782

OpenVPN-NL (with PolarSSL) approved by the Dutch Government

Fri, 18 Nov 2011 08:02:00 +0200

OpenVPN-NL released with PolarSSL as crypto-core

It's official! The Dutch government officially approved a hardened version of OpenVPN for use as a 'Departementaal Vertrouwelijk' (Restricted) VPN product. The cool part about it is that it used PolarSSL as the cryptographic core, instead of the standard OpenSSL. The Dutch IT security company Fox-IT adapted the standard OpenVPN to include an abstraction layer and include PolarSSL as it's core.

The resulting OpenVPN-NL is fully open source and available at the official OpenVPN-NL website hosted by Fox-IT. In order to describe all aspects, the Dutch secret service (AIVD) has released an official deployment advisory.

Shout-out

As you can understand, this development is very exciting! The effort that Fox-IT put into adapting both OpenVPN and PolarSSL is amazing! Thank you guys, you rock!

PolarSSL 1.0.0 available

Tue, 09 Aug 2011 13:07:00 +0100

PolarSSL version 1.0.0 available

After a long wait, the release of PolarSSL 1.0.0 is a fact. For people following the 0.99 prereleases, no huge changes have been done. But for the stable track a lot has been done. In short there were a lot of features and functionality added for better integration with third party software, documentation was added, abstraction layers were added, code cleaned up, separation of code into modules, support for PKCS#1 v2.1 EMSA encoding support and thus support for the RSAES-OAEP and RSASSA-PSS operations and a lot of extra examples.

For the full list, please see the aggregated ChangeLog below!

From the ChangeLog

Features

   * Added Doxygen source code documentation parts
   * Added reading of DHM context from memory and file
   * Improved X509 certificate parsing to include extended
     certificate fields, including Key Usage
   * Improved certificate verification and verification
     against the available CRLs
   * Detection for DES weak keys and parity bits added
   * Improvements to support integration in other
     applications:
       + Added generic message digest and cipher wrapper
       + Improved information about current capabilities,
         status, objects and configuration
       + Added verification callback on certificate chain
         verification to allow external blacklisting
       + Additional example programs to show usage
   * Added support for PKCS#11 through the use of the
     libpkcs11-helper library
   * Parsing PEM private keys encrypted with DES and AES
     are now supported as well (Fixes ticket #5)
   * Added crl_app program to allow easy reading and
     printing of X509 CRLs from file
   * Added support for PKCS#1 v2.1 encoding and thus support
     for the RSAES-OAEP and RSASSA-PSS operations.
   * Reading of Public Key files incorporated into default x509
     functionality as well.
   * Added mpi_fill_random() for centralized filling of big numbers
     with random data (Fixed ticket #10)
   * Added additional Cipher Block Modes to symmetric ciphers
     (AES CTR, Camellia CTR, XTEA CBC) including the option to
     enable and disable individual modes when needed
   * Functions requiring File System functions can now be disabled
     by undefining POLARSSL_FS_IO
   * A error_strerror function() has been added to translate between
     error codes and their description.
   * Added mpi_get_bit() and mpi_set_bit() individual bit setter/getter
     functions.
   * Added ssl_mail_client and ssl_fork_server as example programs.
   * Expanded cipher layer with support for CFB128 and CTR mode
   * Added rsa_encrypt and rsa_decrypt simple example programs.

Changes

   * x509parse_time_expired() checks time in addition to
     the existing date check
   * The ciphers member of ssl_context and the cipher member
     of ssl_session have been renamed to ciphersuites and
     ciphersuite respectively. This clarifies the difference
     with the generic cipher layer and is better naming
     altogether
   * Parsing of PEM files moved to separate module (Fixes
     ticket #13). Also possible to remove PEM support for
         systems only using DER encoding
   * Debug print of MPI now removes leading zero octets and
     displays actual bit size of the value.
   * x509parse_key() (and as a consequence x509parse_keyfile())
     does not zeroize memory in advance anymore. Use rsa_init()
         before parsing a key or keyfile!
   * Major argument / variable rewrite. Introduced use of size_t
     instead of int for buffer lengths and loop variables for
     better unsigned / signed use. Renamed internal bigint types
     t_int and t_dbl to t_uint and t_udbl in the process
   * mpi_init() and mpi_free() now only accept a single MPI
     argument and do not accept variable argument lists anymore.
   * The error codes have been remapped and combining error codes
     is now done with a PLUS instead of an OR as error codes
     used are negative.
   * Changed behaviour of net_read(), ssl_fetch_input() and ssl_recv().
     net_recv() now returns 0 on EOF instead of
     POLARSSL_ERR_NET_CONN_RESET. ssl_fetch_input() returns
     POLARSSL_ERR_SSL_CONN_EOF on an EOF from its f_recv() function.
     ssl_read() returns 0 if a POLARSSL_ERR_SSL_CONN_EOF is received
     after the handshake.
   * Network functions now return POLARSSL_ERR_NET_WANT_READ or
     POLARSSL_ERR_NET_WANT_WRITE instead of the ambiguous
     POLARSSL_ERR_NET_TRY_AGAIN
   * The generic cipher and message digest layer now have normal error
     codes instead of integers

Bugfixes

   * Debug output of MPI's now the same independent of underlying
     platform (32-bit / 64-bit) (Fixes ticket #19, found by Mads
         Kiilerich and Mihai Militaru)
   * Fixed proper handling of RSASSA-PSS verification with variable
     length salt lengths

Download links: polarssl-1.0.0-gpl.tgz

polarssl-1.0.0-gpl.tgz:
MD5    : 9e0ef5090070ae95363f201851ca62f2
SHA-1  : 029aa736c8941080e043c554906ee991cf09fe45
SHA-256: db42482e8b2121c1bac74cb8520ac941a1fad286c44a99d98189d94c317c6fa9

PolarSSL 0.99-pre5 available

Fri, 27 May 2011 11:24:00 +0100

PolarSSL version 0.99 prerelease 5 available

The fifth prerelease for PolarSSL version 1.0.0 includes some much needed adaptions before the final release. If no severe issues are found in this release, this will culminate in an official version 1.0.0. This release allows you to disable all filesystem related functions, adds printed error string functionality and some extra examples for SMTP clients and forked servers. In addition the signedness/unsignedness of a lot of variables was help under the microscope.

From the ChangeLog

Features

   * Added additional Cipher Block Modes to symmetric ciphers
     (AES CTR, Camellia CTR, XTEA CBC) including the option to
     enable and disable individual modes when needed
   * Functions requiring File System functions can now be disabled
     by undefining POLARSSL_FS_IO
   * A error_strerror function() has been added to translate between
     error codes and their description.
   * Added mpi_get_bit() and mpi_set_bit() individual bit setter/getter
     functions.
   * Added ssl_mail_client and ssl_fork_server as example programs.

Changes

   * Major argument / variable rewrite. Introduced use of size_t
     instead of int for buffer lengths and loop variables for
     better unsigned / signed use. Renamed internal bigint types
     t_int and t_dbl to t_uint and t_udbl in the process
   * mpi_init() and mpi_free() now only accept a single MPI
     argument and do not accept variable argument lists anymore.
   * The error codes have been remapped and combining error codes
     is now done with a PLUS instead of an OR as error codes
     used are negative.
   * Changed behaviour of net_read(), ssl_fetch_input() and ssl_recv().
     net_recv() now returns 0 on EOF instead of
     POLARSSL_ERR_NET_CONN_RESET. ssl_fetch_input() returns
     POLARSSL_ERR_SSL_CONN_EOF on an EOF from its f_recv() function.
     ssl_read() returns 0 if a POLARSSL_ERR_SSL_CONN_EOF is received
     after the handshake.
   * Network functions now return POLARSSL_ERR_NET_WANT_READ or
     POLARSSL_ERR_NET_WANT_WRITE instead of the ambiguous
     POLARSSL_ERR_NET_TRY_AGAIN

Download links: polarssl-0.99-pre5-gpl.tgz

polarssl-0.99-pre5-gpl.tgz:
MD5    : f78ef14abd11033c2f1eb7d0faa0b847
SHA-1  : 0c3e3007a08c8041ca046cddad211f1fe2da99ec
SHA-256: 64c21241a79cd429cf96bca0acc45b00155eea93db176c6570d4d14d692b8570

PolarSSL 0.99-pre4 available

Fri, 01 Apr 2011 14:18:00 +0100

PolarSSL version 0.99 prerelease 4 available

Here before you is the fourth and possibly last of a set prereleases that will lead to PolarSSL version 1.0.0. This fourth prerelease adds support for PKCS#1 v2.1 EMSA encoding and thus support for the RSAES-OAEP and RSASSA-PSS operation. In addition a number of smaller changes where the most important to notice is the fact that x509parse_key() (and thus as a consequence x509parse_keyfile()) does not zeroize the memory of the rsa_context it receives anymore! Use rsa_init() before parsing a key or keyfile!

From the ChangeLog

Features

   * Added support for PKCS#1 v2.1 encoding and thus support
     for the RSAES-OAEP and RSASSA-PSS operations.
   * Reading of Public Key files incorporated into default x509
     functionality as well.
   * Added mpi_fill_random() for centralized filling of big numbers
     with random data (Fixed ticket #10)

Changes

   * Debug print of MPI now removes leading zero octets and
     displays actual bit size of the value.
   * x509parse_key() (and as a consequence x509parse_keyfile())
     does not zeroize memory in advance anymore. Use rsa_init()
         before parsing a key or keyfile!

Bugfixes

   * Debug output of MPI's now the same independent of underlying
     platform (32-bit / 64-bit) (Fixes ticket #19, found by Mads
         Kiilerich and Mihai Militaru)
   * Fixed bug in ssl_write() when flushing old data (Fixed ticket
     #18, found by Nikolay Epifanov)
   * Fixed proper handling of RSASSA-PSS verification with variable
     length salt lengths

Download links: polarssl-0.99-pre4-gpl.tgz

polarssl-0.99-pre4-gpl.tgz:
MD5    : 3217c5bd8f673a47522c2bfa45b1d628
SHA-1  : f8f5863e78f69feb1f51d541846f80338577ffc0
SHA-256: cfa581aac1f1d1f84a17279472be8f2900f12212932da1623ab654e52789aba6

Bugfix release: PolarSSL 0.14.3

Fri, 01 Apr 2011 12:04:00 +0100

PolarSSL version 0.14.3 is available

This minor release only fixes a faulty certificate that was included in certc.c.

Unless other bug or security issues arise, this will be the last release in the 0.14 branch of the code. Efforts are now focused on releasing version 1.0.0 of PolarSSL in the near future.

Download links: polarssl-0.14.3-gpl.tgz

polarssl-0.14.3-gpl.tgz:
MD5    : f1b2fe9087ab64d7ea40a276a3628583
SHA-1  : a19096888da2b550dbf9bacf14f7156c07825e55
SHA-256: ecde78bb94ec3b289d9d7a2842e0a43e5c6a74b9c32757ce88d724ce8145a486

Security release: PolarSSL 0.14.2 and 0.99-pre3 released

Mon, 28 Feb 2011 22:35:00 +0100

PolarSSL version 0.14.2 and 0.99 prerelease 3 are available!

These versions contain a security fix for a possible man-in-the-middle security vulnerability in the Diffie-Hellman key exchange. The full advisory can be viewed in Security Advisory 2011-01. A big thanks to Larry Highsmith from Subreption LLC for reporting this vulnerability.

The original releases that included the security fix (0.14.1 and 0.99-pre2) have been revoked due to possible copyright issues.

Download links: polarssl-0.14.2-gpl.tgz polarssl-0.99-pre3-gpl.tgz

polarssl-0.14.2-gpl.tgz:
MD5    : 8519ff2bb0ae783a89c297fa1c60c337
SHA-1  : 5665d3d296e24e263156530170e7d303c09de104
SHA-256: 6dfc9400e05eca146f3233a290061545271805f91bbb431ad213c4541f1029a6

polarssl-0.99-pre3-gpl.tgz:
MD5    : 9afc8276310741f4132922ff1627eb96
SHA-1  : edcd64972dbb6ebc8c6187250a5fdb4f45984f59
SHA-256: 9131e581b6d758cb7797799c04a5390fa070b4310df07e3c0a010e0412dac9dc