Fresh from the oven: PolarSSL 1.3.6 is here!
This release contains a number of smaller changes and bug fixes, none of which affect the existing API. Primarily, support for the ALPN extension is added, and extra checks are introduced to mitigate some semantic discrepancies that were reported. In addition, a security issue introduced in 1.3.5 has been fixed.
On the feature-front this release introduces support for:
- the ALPN extension
- verification of the keyUsage and extendedKeyUsage extensions
- enabling /dev/random in gen_key
In addition, outstanding bugs were fixed.
ALPN extension support
Although the RFC is not yet an official standard, more and more applications are starting to use ALPN support. We have added ALPN in this release to help those projects.
Support for ALPN (POLARSSL_SSL_ALPN) is enabled by default and allows you to set the list of acceptable protocols with ssl_set_alpn_protocols() and retrieve the negotiated protocol with
Verification of keyUsage and extendedKeyUsage extensions
The so-called Frankencert report revealed some semantic discrepancies between libraries and standards. PolarSSL 1.3.5 already fixed some of those affecting PolarSSL. This release adds support for automatically verifying the keyUsage extension in certificates (POLARSSL_X509_CHECK_KEY_USAGE) and the extendedKeyUsage extension in certificates (POLARSSL_X509_CHECK_EXTENDED_KEY_USAGE).
This fixes all the possible security issues revealed in the report. One issue (a false negative not affecting security) is still left and we are working with the authors of the report to clarify it.
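To show what a keyUsage check of the kind this release adds actually decides, here is an added example (not PolarSSL code): it parses the extension's DER BIT STRING and tests whether the certificate permits what the TLS key exchange does with its key, rejecting malformed encodings along the way. The function names and the sample bit strings are mine; the RSA-key-transport-needs-keyEncipherment and (EC)DHE-needs-digitalSignature mapping follows RFC 5280 and TLS, not a statement on this page.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* KeyUsage bit positions (RFC 5280, 4.2.1.3); bit 0 is the BIT STRING's first bit. */
#define KU_DIGITAL_SIGNATURE (1u << 0)
#define KU_KEY_ENCIPHERMENT  (1u << 2)

/* Parse a DER BIT STRING carrying a KeyUsage value into *usage.
 * Returns 0 on success, -1 on a malformed encoding: wrong tag, length
 * not matching the buffer, 8 or more unused bits, or non-zero padding. */
int parse_key_usage(const uint8_t *der, size_t len, unsigned *usage)
{
    if (len < 3 || der[0] != 0x03) return -1;            /* BIT STRING tag */
    size_t content = der[1];                             /* short-form length only */
    if (content < 1 || content > 3 || 2 + content != len) return -1;
    unsigned unused = der[2];
    if (unused > 7 || (content == 1 && unused != 0)) return -1;
    if (unused && (der[len - 1] & ((1u << unused) - 1))) return -1; /* DER: pad bits zero */
    unsigned bits = 0;
    for (size_t i = 3; i < len; i++)
        for (int k = 0; k < 8; k++)
            if (der[i] & (0x80u >> k)) bits |= 1u << ((i - 3) * 8 + k);
    *usage = bits;
    return 0;
}

/* A TLS server certificate must permit what the negotiated key exchange
 * does with its key: RSA key transport needs keyEncipherment, while an
 * (EC)DHE suite signs the ServerKeyExchange and needs digitalSignature.
 * Returns 1 if allowed, 0 if the extension forbids it, -1 if malformed. */
int server_cert_usage_ok(const uint8_t *ku_der, size_t len, int ephemeral_kex)
{
    unsigned usage;
    if (parse_key_usage(ku_der, len, &usage) != 0) return -1;
    unsigned need = ephemeral_kex ? KU_DIGITAL_SIGNATURE : KU_KEY_ENCIPHERMENT;
    return (usage & need) == need;
}

int main(void)
{
    /* Constructed sample: digitalSignature + keyEncipherment (5 unused bits). */
    const uint8_t both[] = {0x03, 0x02, 0x05, 0xA0};
    /* Constructed sample: digitalSignature only (7 unused bits). */
    const uint8_t sig_only[] = {0x03, 0x02, 0x07, 0x80};
    printf("RSA kex, both bits:      %d\n", server_cert_usage_ok(both, sizeof both, 0));
    printf("RSA kex, signature only: %d\n", server_cert_usage_ok(sig_only, sizeof sig_only, 0));
    printf("ECDHE, signature only:   %d\n", server_cert_usage_ok(sig_only, sizeof sig_only, 1));
    return 0;
}
```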
/dev/random in gen_key
Because of the Heartbleed bug, a lot of people are re-issuing keys, generating certificate requests and certificates.
In some cases you might want to add /dev/random to your entropy sources. This was always an option for users, but we have now built it into the programs/pkey/gen_key application.
If you run programs/pkey/gen_key with use_dev_random=1, it will add /dev/random to the entropy sources of the entropy pool.
Warning: /dev/random is not always able to provide enough entropy, so this can be blocking in your app!
Bugs fixed
- The length of various ClientKeyExchange messages was not properly checked.
- Some example server programs were not sending the close_notify alert.
- Potential memory leak in mpi_exp_mod() when error occurs during calculation of RR.
- Fixed malloc/free default #define in platform.c (found by Gergely Budai).
- Fixed typo which made POLARSSL_ENTROPY_FORCE_SHA256 ineffective (found by Gergely Budai).
- Fix #include path in ecdsa.h which wasn't accepted by some compilers (found by Gergely Budai).
- Fix compile errors when POLARSSL_ERROR_STRERROR_BC is undefined (found by Shuo Chen).
- oid_get_numeric_string() used to truncate the output without returning an error if the output buffer was just 1 byte too small.
- dhm_parse_dhm() (hence dhm_parse_dhmfile()) did not set dhm->len.
- Calling pk_debug() on an RSA-alt key would segfault.
- pk_get_size() and pk_get_len() were off by a factor 8 for RSA-alt keys.
- Potential buffer overwrite in pem_write_buffer() because of low length indication (found by Thijs Alkemade).
- EC curves constants, which should be only in ROM since 1.3.3, were also stored in RAM due to missing 'const's (found by Gergely Budai).
More details can be found in the ChangeLog.
Security fixes
In the last release, we introduced an issue with checking the time validity of certificates (except the top certificate). If the user-supplied chain contains only one certificate, it is not affected by this issue.
In addition, a potential timing leak in ecdsa_sign() reported by Watson Ladd was fixed by blinding the modular division, and a potential NULL pointer dereference in ssl_read_record() found by TrustInSoft was eliminated.
Who should update
We advise users of PolarSSL to update if they:
- use PolarSSL version 1.3.5
- use ECDSA in a high-risk environment
- want to use one of the new features
Get your copy here: polarssl-1.3.6-gpl.tgz
The hashes for polarssl-1.3.6-gpl.tgz are:
SHA-1  : 0f76709a1679ba91d929891db2e60d5bcf1388eb
SHA-256: b97965c1a052df41201d35e01f91c4ac0bf28e443a56ddf461be63b20c85ae09