PolarSSL 1.3.7 has been released!
This release contains a number of smaller changes and bug fixes, none of which affect the existing API. The new features are improvements to the Debug module and the ability for users to detect compiled-in capabilities at run-time. In addition, it includes improvements to AES-NI portability and support for more X.509 Attribute Types.
On the feature front, this release introduces:
- Debug module improvements
- run-time capabilities checking
- AES-NI improvements
- deprecation of POLARSSL_CONFIG_OPTIONS
- support for more Attribute Types from IETF PKIX (RFC 5280)
- re-prioritization of RC4 ciphersuite
In addition, a number of outstanding bugs were fixed.
Debug module improvements
For starters, the debug module now only outputs full lines. Previous versions output partial lines for some debug functions, which made multi-threaded use harder because output from different threads could interleave within a line.
In order to offer more flexibility for debug output, debug_set_log_mode() is introduced, which allows you to switch between FULL log mode and RAW log mode. FULL log mode is the default and includes file and line information in the log message. RAW log mode strips the file and line information from the log message and provides cleaner debug messages.
debug_set_threshold() is also introduced. Previous versions allowed you to filter SSL debug messages only in the debug callback function. A disadvantage of that approach is that the message is already fully constructed before the decision to discard it is made.
debug_set_threshold() sets a global threshold: the debug functions drop every message whose level is above the threshold. The default is 0, which drops all messages, so you will have to raise it if you want to receive debug messages in your callback.
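To make the two controls concrete, here is an added, self-contained model of the semantics described above. It is not PolarSSL code and does not link against the library; the model_* names, the MODEL_LOG_* values and the "file(line): message" prefix format are assumptions made for the illustration. It shows that with the default threshold of 0 nothing is even formatted, that the level check runs before the message is built (the gain over filtering in the callback), and that RAW mode drops the file/line prefix that FULL mode adds.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Log modes mirroring the FULL/RAW choice in the post (values assumed). */
#define MODEL_LOG_FULL 0
#define MODEL_LOG_RAW  1

static int  g_threshold = 0;             /* 1.3.7 default: 0 drops every message */
static int  g_log_mode  = MODEL_LOG_FULL;
static int  g_formatted = 0;             /* messages that were actually built */
static int  g_delivered = 0;             /* complete lines handed to the callback */
static char g_last[256];                 /* last line the callback received */

void model_set_threshold(int threshold) { g_threshold = threshold; }
void model_set_log_mode(int mode)       { g_log_mode = mode; }

void model_reset(void)
{
    g_threshold = 0;
    g_log_mode  = MODEL_LOG_FULL;
    g_formatted = 0;
    g_delivered = 0;
    g_last[0]   = '\0';
}

int model_formatted(void)    { return g_formatted; }
int model_delivered(void)    { return g_delivered; }
const char *model_last(void) { return g_last; }

/* Stand-in for the application's debug callback: stores one complete line. */
static void app_debug_callback(int level, const char *line)
{
    (void)level;
    snprintf(g_last, sizeof g_last, "%s", line);
    g_delivered++;
}

/* Model of one debug-module print function. The threshold is checked
 * before any formatting work, which is the point of a global threshold. */
void model_debug_print(int level, const char *file, int line, const char *fmt, ...)
{
    char msg[192];
    char out[256];
    va_list ap;

    if (level > g_threshold)
        return;                          /* dropped: nothing was formatted */

    va_start(ap, fmt);
    vsnprintf(msg, sizeof msg, fmt, ap);
    va_end(ap);
    g_formatted++;

    if (g_log_mode == MODEL_LOG_FULL)
        snprintf(out, sizeof out, "%s(%04d): %s\n", file, line, msg); /* with file/line */
    else
        snprintf(out, sizeof out, "%s\n", msg);                       /* RAW: message only */

    app_debug_callback(level, out);
}

int main(void)
{
    /* Default threshold 0: nothing is delivered or even formatted. */
    model_debug_print(2, "ssl_tls.c", 100, "handshake state %d", 3);
    printf("default: delivered=%d formatted=%d\n", model_delivered(), model_formatted());

    /* Threshold 2: levels 1 and 2 pass, level 3 is dropped. */
    model_set_threshold(2);
    model_debug_print(2, "ssl_tls.c", 100, "handshake state %d", 3);
    model_debug_print(3, "ssl_tls.c", 101, "verbose dump");
    printf("FULL: %s", model_last());

    /* RAW mode strips the file/line prefix. */
    model_set_log_mode(MODEL_LOG_RAW);
    model_debug_print(1, "ssl_tls.c", 102, "handshake state %d", 4);
    printf("RAW:  %s", model_last());
    return 0;
}
```

The counters make the difference between the two approaches visible: a message filtered by the callback would have been formatted first, whereas here g_formatted stays at zero for anything above the threshold.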
Run-time capabilities checking
The Version module is expanded with version_check_feature(), which gives you the ability to check at run-time whether certain support is compiled into the library you use. This allows you to detect, for instance, whether the library you are linking against has multi-threading support compiled in.
AES-NI improvements
The existing AES-NI code has been rewritten to be compatible with older versions of as (the assembler from binutils).
If you experienced errors like:
    /tmp/ccnZnCzy.s: Assembler messages:
    /tmp/ccnZnCzy.s:68: Error: no such instruction: `aesenc %xmm1,%xmm0'
    /tmp/ccnZnCzy.s:73: Error: no such instruction: `aesenclast %xmm1,%xmm0'
    /tmp/ccnZnCzy.s:77: Error: no such instruction: `aesdec %xmm1,%xmm0'
    /tmp/ccnZnCzy.s:82: Error: no such instruction: `aesdeclast %xmm1,%xmm0'
    /tmp/ccnZnCzy.s:320: Error: no such instruction: `aeskeygenassist $0x08,%xmm1,%xmm2'
    /tmp/ccnZnCzy.s:376: Error: no such instruction: `aeskeygenassist $0x36,%xmm0,%xmm1'
    /tmp/ccnZnCzy.s:420: Error: no such instruction: `aesimc %xmm0,%xmm0'
you will want to upgrade to 1.3.7.
Deprecation of POLARSSL_CONFIG_OPTIONS
The use of POLARSSL_CONFIG_OPTIONS is deprecated from 1.3.7 on. It is no longer necessary to define this option in order to set module-level configuration options.
In short, the definitions in modules have changed from:
    #if !defined(POLARSSL_CONFIG_OPTIONS)
    #define POLARSSL_MODULE_CONFIG_OPTION 10
    #endif
to:
    #if !defined(POLARSSL_MODULE_CONFIG_OPTION)
    #define POLARSSL_MODULE_CONFIG_OPTION 10
    #endif
Each module option is now guarded by its own name, so defining a single option no longer requires defining POLARSSL_CONFIG_OPTIONS first.
Support for more Attribute Types from IETF PKIX (RFC 5280)
In addition to the existing Attribute Types, we now also parse and support the following Attribute Types in X.509 names:
RC4 ciphersuite re-prioritized
Consensus is growing in the TLS community that RC4 should be deprecated. As a result, the RC4 ciphersuites now have the lowest priority by default.
Bug fixes
- Only iterate over actual certificates in ssl_write_certificate_request() (found by Matthew Page)
- Typos in platform.c and pkcs11.c (found by Daniel Phillips and Steffan Karger)
- cert_write app should use subject of issuer certificate as issuer of cert
- Fix false reject in padding check in ssl_decrypt_buf() for CBC ciphersuites, for full SSL frames of data
- Improve interoperability by not writing extension length in ClientHello / ServerHello when no extensions are present (found by Matthew Page)
- rsa_check_pubkey() now allows an E up to N
- On OpenBSD, use arc4random_buf() instead of rand() to prevent warnings
- mpi_fill_random() was creating numbers larger than requested on big-endian platforms when size was not an integer number of limbs
- Fix dependency issues in X.509 test suite
- Some parts of ssl_tls.c were compiled even when the module was disabled
- Fix detection of DragonflyBSD in net.c (found by Markus Pfeiffer)
- Fix detection of Clang on some Apple platforms with CMake (found by Barry K. Nathan)
More details can be found in the ChangeLog.
Who should update
We advise users of PolarSSL to update if they:
- use PolarSSL 1.3.6, as it does not handle full-sized packets well
- want to use one of the new features
Get your copy here: polarssl-1.3.7-gpl.tgz
The hashes for polarssl-1.3.7-gpl.tgz are:
SHA-1  : 4bfce7f2e833bead53ecd38098325a784ada5c39
SHA-256: 6beef0281160bf07fefefd6b412dd1ce4c39261cf5300835aef442253f0400e5