                            MatrixSSL 4.x changelog

Changes between 4.5.0 and 4.5.1 [July 2022]

* Fix a usage of return value of psX509ParseCert when a flag is set

Changes between 4.4.0 and 4.5.0 [June 2022]

* Enabled RSA SHA512 signature algorithm in TLS1.2 certrequest.
* Enabled SHA512 in privRsaEncryptSignedElement.
* Fixed DTLS change cipher spec retransmit epoch.
* Compilation warning fixes.
* Memory leak fixes.

Changes between 4.3.0 and 4.4.0 [December 2021]

* Fixed a type mismatch in matrixCmsParseEnvelopedDataBuf.
* Increased the value of MAX_OID_BYTES to 48.
* Changes to the handling of the validity time in self generated certs.
* Fixed a possible vulnerability in parseAuthorityInfoAccess
  discovered by Tavis Ormandy (Github issue #44).
* Fixed a memory leak in getExplicitExtensions
  discovered by Tavis Ormandy (Github issue #43).
* Fixed vulnerability in SHA256 intialisation discovered by Marcel Maehren,
  Philipp Nieting, Sven Hebrok, Robert Merget, Juraj Somorovsky and
  Jörg Schwenk from Ruhr University Bochum and Paderborn-University.
* Fixes in cross certificate handling.
* Fixed a bug in pkcs1Pad.
* Fixed a bug in psX963KeyDerivation.
* Fixed the default behaviour when TLS version is not explicitly specified.
* Fixed compilation errors when using debugging.
* Memory leak fixes.

Changes between 4.2.2 and 4.3.0 [June 2020]

* Added a constant-time variant of eccMulmod, in response to the Minerva attack.
* Fixed a possible infinite loop in message parsing discovered by
  Andreas Walz (ivESK).
* Timing sidechannel mitigation (Github issue #23).
* Change hard coded values to enums in matrixSslLoadKeys (Github issue #35).
* Disabled TLS 1.3 draft versions by default.
* Fixes TLS 1.2 session ticket based resumption.
* May only enable either PS_PUBKEY_OPTIMIZE_FOR_FASTER_SPEED or
  PS_PUBKEY_OPTIMIZE_FOR_SMALLER_RAM (Github issue #37).
* Channel Bindings for TLS (only for TLS 1.2 and below), new APIs added
    - matrixSslGetFinished
    - matrixSslGetPeerFinished
    - matrixSslGetTlsUniqueChannelBindings
* Added API for accessing MatrixSSL structures without direct access
  to structure members. Use of this API will slightly enlarge the
  MatrixSSL binary but will enable building software that is not
  dependent on exact binary layout of structures such as ssl_t.
* Fixes the bug when NULL keydata was used in sslLoadKeyPair() function.
* Other bug fixes.

Changes between 4.2.1 and 4.2.2 [August 2019]

   This version fixes a few security issues related to DTLS and handshake
   message length. It also defines the size of psBool_t to be equivalent
   to bool on both x86 and ARM platforms.
     * TLS:
          + Fixed vulenerabilities and bugs related to DTLS discovered by
            Jakub Botwicz (Samsung R&D Poland).
          + Limited handshake message length.
     * Crypto
          + Added support for parsing public keys in OpenSSL ECC DER/PEM
            format.
          + Fixed support for SHA224 RSA.

Changes between 4.2.0 and 4.2.1 [June 2019]

   This version fixes an out of bounds read in ASN.1 handling found by
   Tyler Nighswander (ForAllSecure).

Changes between 4.1.0 and 4.2.0 [May 2019]

   This version adds a compile-time option that allows TLS 1.3 only
   builds, adds new getter APIs and fixes several bugs.
     * TLS:
          + Allow TLS 1.3 only builds by introducing the USETLS13ONLY
            compile-time option. This significantly reduces the minimum
            code footprint of TLS 1.3 builds. The example configuration
            tls13-minimal makes use of the new compile-time option.
          + Add the matrixSslGetUserPtr API. This getter API should be
            used instead of raw access to ssl->userPtr.
          + Added the matrixSslGetNegotiatedCiphersuite and
            matrixSslGetActiveCiphersuite APIs.
          + Added the matrixSslGetMasterSecret API. This API requires the
            ENABLEMASTERSECRET_EXPORT compile-time option, which is
            disabled by default.
          + Completely remove support for TLS record compression (unifdef
            USEZLIBCOMPRESSION). TLS record compression is almost never
            used in practice due to serious vulnerabilities associated
            with the feature (see e.g. the CRIME attack).
          + Fixed a bug where decrypting an alert in TLS 1.3 could cause
            matrixSslProcessed data to erroneously indicate that there is
            more application data to process.
          + Allow storing the unparsed certificate DER octets (in the
            unparsedBin member of psX509Cert_t) even in TLS 1.3.
          + Fix segfault when receiving a server certificate without the
            commonName component.
          + Fixed handshake failure with some clients that attempted to
            use a TLS 1.2 session ticket in a TLS 1.3 connection.
          + Fix build error with the USEEXTCERTIFICATEVERIFYSIGNING
            compile-time option.
          + Fix sslTest failure when using the
            USEEXTCERTIFICATEVERIFYSIGNING compile-time option.
          + Fix a bug that caused the server to sometimes select a TLS 1.3
            ciphersuite even when TLS 1.2 or below had been negotiated.
          + Add Ed25519 test keys and certificates.
          + Add Ed25519 testing to sslTest. (Note that Ed25519 is only
            supported in TLS 1.3.)
     * Crypto:
          + (FIPS Edition only): Fix a bug that prevented verification of
            RSA-SHA-1 signatures in FIPS mode. FIPS 140-2 allows
            verification of SHA-1 based signatures, but forbids generating
            such signatures.
          + Store the order of DN attributes in certificate subject and
            issuer fields.
          + Add an option to the psX509GetOnelineDN API that allows
            printing the DN attributes in the original order they were
            encoded in the parsed certificate.
          + Fix parsing of Ed25519 certificates.
          + Fix parsing of ECDSA-SHA224 certificates.

Changes between 4.0.2 and 4.1.0 [April 2019]

     * TLS:
          + (RoT Edition only): Added support for Inside Secure VaultIP
            (Root-of-Trust) crypto provider.
          + Improved the separation of private and public TLS header files
            for better private-public separation. The public headers now
            of the form matrixsslApi*.h, while private headers are of the
            form matrixssllib_*.h.
          + Added client-side support for X25519 in TLS 1.2.
          + Added client-side support for RSASSA-PSS signatures in TLS
            1.2.
          + Added support for RSASSA-PSS key/cert pairs.
          + Fix vulnerabilities reported by Robert Święcki (discovered
            using Hongfuzzer): a server-side heap buffer read overflow
            when parsing maliciously crafted ClientHello extensions and a
            segfault in TLS 1.2 GCM decryption of maliciously crafted
            records with small ciphertext.
          + Added the simpleClient.c and simpleServer.c example
            applications. These are intended as minimalistic examples of
            how to use the top-level TLS API.
          + Fixed bugs in matrixSslSessOptsServerTlsVersionRange and
            matrixSslSessOptsClientTlsVersionRange.
          + Fixed bug that caused non-insitu app data encryption to fail
            in tls13EncodeAppData when using the matrixSslEncodeToOutdata
            API instead of the more standard matrixSslGetWriteBuf +
            matrixSslEncodeWritebuf pattern.
          + Added new minimal example configurations: tls12-minimal,
            tls12-minimal-client-ecc, tls13-minimal,
            tls13-minimal-client-ecc
          + When performing TLS 1.2 renegotiation, re-send the original
            ClientHello cipher list.
          + Added the USELENIENTTLSRECORDVERSION_MATCHING compatibility
            option.

Changes between 4.0.1 and 4.0.2 [February 2019]

   This version fixes a critical vulnerability in RSA signature
   verification. A maliciously crafted certificate can be used to trigger
   a stack buffer overflow, allowing potential remote code execution
   attacks. The vulnerability only affects version 4.0.1 and the standard
   Matrix Crypto provider. Other providers, such as the FIPS crypto
   provider, are not affected by the bug. Thanks to Tavis Ormandy for
   reporting this.

Changes between 4.0.0 and 4.0.1 [November 2018]

   This version improves the security of RSA PKCS #1.5 signature
   verification and adds better support for run-time security
   configuration.
     * TLS:
          + Added a run-time security callback feature
            (matrixSslRegisterSecurityCallback). The security callback can
            allow or deny a cryptographic operation based on the operation
            type and the key size. Currently only authentication and key
            exchange operations are supported. The default security
            callback supports pre-defined security profiles
            (matrixSslSetSecurityProfile).
          + Added an example security profile: WPA3 1.0 Enterprise 192-bit
            mode restrictions for EAP-TLS.
          + Added support for the TLSDHERSAWITHAES256GCM_SHA384
            ciphersuite.
          + Changed the way how protocol version IDs are stored internally
            and rewrote most of the version negotiation code. This is
            almost entirely an internal code refactoring. To the API user,
            the only visible change is that version selection APIs now
            take in an argument of type psProtocolVersiont instead of
            int32t. See the API reference guide for details.
          + Refactored ServerKeyExchange signature generation and
            verification code.
     * Crypto:
          + Changed from a parsing-based to a comparison-based approach in
            DigestInfo validation when verifying RSA PKCS #1.5 signatures.
            There are no known practical attacks against the old code, but
            the comparison-based approach is theoretically more sound.
            Thanks to Sze Yiu Chau from Purdue University for pointing
            this out.
          + (MatrixSSL FIPS Edition only:) Fix DH key exchange when using
            DH parameter files containing optional privateValueLength
            argument.
          + psX509AuthenticateCert now uses the common psVerifySig API for
            signature verification. Previously, CRLs and certificates used
            different code paths for signature verification.

Changes between 3.9.5 and 4.0.0 [August 2018]

   This version adds support for RFC 8446 (TLS 1.3), new APIs for
   configuring session options as well as fixes to security
   vulnerabilities.
     * TLS:
          + Added support for TLS 1.3 (RFC 8446 version) as well as draft
            versions 23, 24, 26 and 28.
          + Supported TLS 1.3 handshake types:
               o Basic handshake with server authentication
               o Incorrect DHE key share (HelloRetryRequest) handshake
               o PSK handshake
               o Resumed handshake
               o 0RTT data handshake
          + Supported TLS 1.3 ciphersuites:
               o TLSAES128GCMSHA256
               o TLSAES256GCMSHA384
               o TLSCHACHA20POLY1305_SHA256
          + Supported key exchange modes in TLS 1.3:
               o DHE with the ffdhe2048, ffdhe3072 and ffdhe4096 groups
               o ECDHE with the P-256, P-384, P-521 and X25519 groups
               o PSK with (EC)DHE
               o PSK only
          + Supported signature algorithms in TLS 1.3:
               o ECDSA with P-256, P-384 and P-521
               o Ed25519
               o RSASSA-PSS
               o RSA PKCS #1.5 (certificates only)
          + Supported PKI features in TLS 1.3:
               o X.509 certificates
               o CRLs
               o OCSP stapling
          + Supported TLS 1.3 extensions:
               o supported_versions
               o supported_groups
               o key_share
               o signature_algorithms
               o signaturealgorithmscert
               o server_name
               o certificate_authorities
               o cookie
               o status_request
               o maxfragmentlength
          + Support for TLS 1.3 record padding
          + Fixed several client-side crashes and undefined behaviours on
            maliciously crafted server messages. The bugs were found using
            TLS-Attacker. Thanks to Robert Merget from the Ruhr-University
            Bochum for reporting these.
          + Added the matrixSslSessOptsSetServerTlsVersions and
            matrixSslSessOptsSetClientTlsVersions APIs for selecting the
            supported protocol versions at run-time. Please consult the
            API reference for details.
          + Added a couple of TLS 1.3 specific APIs:
               o matrixSslSessOptsSetSigAlgsCert
               o matrixSslSessOptsSetKeyExGroups
               o matrixSslGetEarlyDataStatus
               o matrixSslGetMaxEarlyData
               o matrixSslLoadTls13Psks
               o matrixSslSetTls13BlockPadding
          + Added an API for selecting supported signature algorithms:
            (usable in both TLS 1.3 and TLS 1.2):
               o matrixSslSessOptsSetSigAlgs
          + Added new example configurations. The recommended
            configuration for using TLS 1.3 and below is tls13 (Commercial
            Edition) or nonfips-tls13 (FIPS Edition)
          + Updated and improved the Developer Guide and the MatrixSSL
            APIs reference document.
          + Improved the example client and server programs and fixed
            bugs.
          + Resend user extensions (e.g. SNI) when responding to
            HelloRequest
          + sslTest now allows specifying the ciphersuites and protocol
            versions to test via environment variables.
          + Improvements to identity management, including support for
            loading multiple identities (key and cert pairs) during
            initialization and postponed key and cert loading. See the
            MatrixSSL Developer Guide for details.
          + Refactored key loading and protocol version negotiation.
          + Fixed server-side signature algorithm selection when the
            server certificate is signed with a different algorithm (RSA
            or ECDSA) than the public key contain therein.
          + Much improved TLS-level debug prints and logging (tlsTrace.c).
            USESSLHANDSHAKEMSGTRACE now consistently enables messages such
            as "parsing/creating handshake message X or extension Y".
            USESSLINFORMATIONAL_TRACE now prints out more details on the
            contents of handshake messages and extensions.
          + Refactored public header files.
     * Crypto:
          + NCC Group'ss Keegan Ryan has found a side-channel attack
            affecting multiple cryptographic libraries. The "ROHNP" Key
            Extraction Side Channel (CVE-2018-0495) has been fixed.
          + Added support for Ed25519 signatures in TLS 1.3
          + Added support for ECDHE with X25519 in TLS 1.3
          + Added algorithm-independent signature and verification APIs:
            psSign and psVerify.
          + Source file reorganization. New new naming scheme aims for
            better consistency, clarity and makes it easier to ifdef out
            unneeded features.
          + Added psEccWritePrivKeyMem and psEccWritePrivKeyFile the
            public crypto API
     * X.509 and PKCS standards
          + Fixed processing of indefinite expiration date (31.12.9999).
          + Basic Constraints no longer unconditionally added when
            generating CSR data
          + Session option for requesting subrange of allowed tls
            versions.
          + Specify certificate validity dates when generating
            certificate.
          + Support for reading PKCS #12 and CA certificates from memory
            (der encoded).
          + Support for key usage encipher only and decipher only bits in
            generating certificate generation.
          + Option for MD2/MD4/MD5 signatures compatibility on
            certificates.
          + X.509 certificates allow NIL character at the end of
            GeneralName field. This is for compatibility with various
            other products.
          + It is now possible to compile X.509 certificate and CSR
            generation code only ECC or RSA support for smaller footprint.
          + Added Ed25519 specific functions such as
            psEd25519ParsePrivKey, psEd25519Sign, etc.
     * Other changes
          + Added export.mk, which generates example binary packaging of a
            previously compiled MatrixSSL package and includes two of the
            example applications within the package. This package shows
            how to export MatrixSSL includes and libraries outside the
            source tree keeping configuration with the includes.
     * Known issues
          + The TLS 1.3 code has not yet been fully optimized for
            footprint.
          + If the client sends a TLS 1.3 ClientHello with X25519 as the
            key exchange group, the server downgrades to TLS 1.2 but still
            wishes to use X25519, the handshake will fail, because
            MatrixSSL does not yet support X25519 in TLS 1.2 and below.
