
PolarSSL 1.3.5 released


PolarSSL 1.3.5 is here!

This release contains a number of larger changes, which don't break existing API and ABI compatibility. For Bitcoin applications we've added support for SpecifiedECDomain elliptic curve keys. And a new and improved platform compatibility layer is introduced.


On the feature-front this release introduces support for:

  • HMAC-DRBG as a separate module
  • a single Platform Compatibility layer
  • a further improved (live) testing framework
  • support for parsing elliptic curve keys in the SpecifiedECDomain format
  • seed file reading and writing for the Entropy module

In addition, outstanding bugs were fixed.


Support for the HMAC-DRBG was added internally when we introduced support for deterministic ECDSA.

The HMAC-DRBG is a Deterministic Random Byte Generator specified by NIST in the NIST SP 800-90A publication. The already present CTR-DRBG module is specified in the same publication.

In this release HMAC-DRBG is extracted to its own module that can be found in hmac_drbg.h and hmac_drbg.c and can be enabled from config.h with POLARSSL_HMAC_DRBG_C.

Platform Compatibility Layer

In previous releases an abstraction layer for memory allocation was added. This release adds abstraction for printf() and fprintf(). In order to streamline future additions, we have centralized these abstractions to a single Platform Layer.

The Platform Layer currently lets you provide alternative implementations for printf(), fprintf(), malloc() and free().

Improved testing

We are ever expanding the automated testing of our library in order to provide the highest quality software.

This release revamps the old compat.sh script to be much more robust and thorough. In addition, it can now also test connection interoperability against GnuTLS, alongside the existing tests against OpenSSL.

Alongside compat.sh, this release introduces ssl-opt.sh, which exercises different options on live connections, such as the TruncatedHMAC extension, the MaxFragmentLength extension, SNI, resumption with Session Tickets or from the SSL Cache, and authentication.

The new versions allow automated memory checking with valgrind for the whole SSL connection, which was not possible before.

All these tests are also run in our automated testing environment. We believe this further improves the trust we can have in the PolarSSL code base.

Support for Elliptic Curve Keys

Until now PolarSSL could only parse Elliptic Curve keys conforming to RFC 5915 or PKIX. Within the Bitcoin community we see usage of Elliptic Curve keys that follow the broader SEC1 and X9.62 standards. As a result we have added support for SpecifiedECDomain Elliptic Curve keys.

Seed files in the Entropy module

On low-entropy systems it is very useful to have seed files to kick-start the Entropy module. Although you could already add seed material using entropy_update_manual(), it required you to do some bookkeeping yourself.

This release introduces the entropy_update_seed_file() and entropy_write_seed_file() functions, which let you read and write a seed file directly to kick-start the Entropy module.

Bug fixes

Fixes include:

  • Deprecation of the original Memory layer
  • Better thread-safety in the Entropy and X509 modules
  • Improvements to the build systems (by Julian Ospald, Oden Eriksson)
  • A workaround for a bug in Clang shipped by Apple with Mavericks
  • A more robust ecp_gen_keypair(), which retries more times to avoid statistical failures
  • Fixed a bug in RSA PKCS#1 v1.5 "reversed" operations
  • Fixed version-major intolerance in server
  • Programs rsa_sign_pss and rsa_verify_pss were not using PSS since 1.3.0
  • Bignum's MIPS-32 assembly was used on MIPS-64, causing chaos. (Found by Alex Wilson.)
  • m_sleep() was sleeping twice too long on most Unix platforms.
  • Fixed bug with session tickets and non-blocking I/O in the unlikely case send() would return an EAGAIN error when sending the ticket.
  • A number of SSL Cache issues related to timing
  • Memory leaks in SSL on non-standard cases
  • Fix typo in rsa_copy() that impacted PKCS#1 v2 contexts

More details can be found in the ChangeLog.


After the last release, the so-called "Triple Handshake" attack against SSL was published. The current release has been tested against the researchers' test systems and is secure against this attack. The only situation where PolarSSL was vulnerable before 1.3.5 is when renegotiation is explicitly enabled (it is off by default), session resumption is possible (either session-ticket support is enabled or a session cache is provided), and verification is set to SSL_VERIFY_OPTIONAL.

The security fixes are:

  • Forbid change of server certificate during renegotiation to prevent "triple handshake" attack when authentication mode is 'optional' (the attack was already impossible when authentication is required).
  • Check the notBefore timestamp of certificates and CRLs (rejecting those dated in the future).
  • Forbid sequence number wrapping
  • Fixed possible buffer overflow with overlong PSK (found by Juan Pablo Lopez Yacubian)
  • Possible remotely-triggered out-of-bounds memory access fixed (found by TrustInSoft)

Who should update

We advise users of PolarSSL to update if they:

  • want to use PolarSSL in Bitcoin projects
  • want to be more robust to the "Triple Handshake Attack" in all possible cases
  • want to use one of the new features

Download links

Get your copy here: polarssl-1.3.5-gpl.tgz


The hashes for polarssl-1.3.5-gpl.tgz are:

SHA-1  : 1fbcd11aba76e77e286a59883f4f0fb4d6734ba6
SHA-256: 158e8e9d0f7c1297296f78e913c6634aa221a4fbab684e7441828c8d5f58c07a

Last updated:
Mar 27, 2014
