diff --git a/core/osdep/include/osdep-types.h b/core/osdep/include/osdep-types.h
index 9ea9d1b..ef9d614 100644
--- a/core/osdep/include/osdep-types.h
+++ b/core/osdep/include/osdep-types.h
@@ -359,19 +359,35 @@ typedef int32_t psResSize_t;
a negative value for failure. */
typedef int32_t psRes_t;
+# ifndef PSBOOL_T
+# ifndef NO_C99_PSBOOL_T
+# ifdef __STDC_VERSION__
+# if __STDC_VERSION__ >= 199901L
+# include "osdep_stdbool.h"
+# define PSBOOL_T bool
+
+# if defined(__arm__) || defined(__aarch32__) || defined(__aarch64__) || defined(__x86_64__) || defined(__i386__)
+extern int ensure_boolean_is_single_byte[2 - sizeof(bool)];
+# endif
+# endif
+# endif
+# endif
+# endif
+
+# ifndef PSBOOL_T
+# if defined(__arm__) || defined(__aarch32__) || defined(__aarch64__) || defined(__x86_64__) || defined(__i386__)
+# define PSBOOL_T unsigned char
+# else
+# define PSBOOL_T int /* Old default for boolean type. */
+# endif
+# endif
+
/* An integer with boolean value PS_TRUE or PS_FALSE.
The actual datatype used varies according to platform.
- On C99 or later stdbool.h is used, otherwise integer. */
-# ifdef __STDC_VERSION__
-# if __STDC_VERSION__ >= 199901L
-# include "osdep_stdbool.h"
-typedef bool psBool_t;
-# else
-typedef int psBool_t;
-# endif
-# else
-typedef int psBool_t;
-# endif
+ It is possible to provide type to use via PSBOOL_T.
+ On x86 and ARM platforms 8-bit character is used for compatibility
+ between C99 and earlier C standards. */
+typedef PSBOOL_T psBool_t;
/******************************************************************************/
/*
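Review bot: `extern int ensure_boolean_is_single_byte[2 - sizeof(bool)];` only produces a zero-length array when sizeof(bool) is exactly 2, and GCC/Clang accept a zero-length array as an extension unless -pedantic is on; for any larger size the size_t subtraction wraps to a huge bound, which compilers typically reject but for an unrelated reason with a confusing message. The negative-size idiom fails on every mismatch with a clear diagnostic: `extern int ensure_boolean_is_single_byte[sizeof(bool) == 1 ? 1 : -1];`. A `_Static_assert` would be clearer still but is C11, and this branch is guarded only by `__STDC_VERSION__ >= 199901L`, so the array form is the right tool here.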
diff --git a/crypto/common/alg_info.c b/crypto/common/alg_info.c
index c6dd6df..9c223eb 100644
--- a/crypto/common/alg_info.c
+++ b/crypto/common/alg_info.c
@@ -87,6 +87,7 @@ psResSize_t psSigAlgToHashLen(int32_t sigAlg)
case OID_SHA1_ECDSA_SIG:
case OID_SHA1_DSA_SIG:
return SHA1_HASH_SIZE;
+ case OID_SHA224_RSA_SIG:
case OID_SHA224_ECDSA_SIG:
return SHA224_HASH_SIZE;
case OID_SHA256_RSA_SIG:
diff --git a/crypto/keyformat/asn1.c b/crypto/keyformat/asn1.c
index 67769f2..a44adae 100644
--- a/crypto/keyformat/asn1.c
+++ b/crypto/keyformat/asn1.c
@@ -359,6 +359,11 @@ int32_t getAsnInteger(const unsigned char **pp, psSizeL_t size, int32_t *val)
psTraceCrypto("ASN getInteger had limit failure\n");
return PS_LIMIT_FAIL;
}
+ if (vlen == 0)
+ {
+ psTraceCrypto("ASN getInteger parse error: empty V\n");
+ return PS_PARSE_FAIL;
+ }
ui = 0;
/*
If high bit is set, it's a negative integer, so perform the two's compliment
diff --git a/crypto/keyformat/x509.c b/crypto/keyformat/x509.c
index 6f7abfa..aef82f4 100644
--- a/crypto/keyformat/x509.c
+++ b/crypto/keyformat/x509.c
@@ -6629,6 +6629,7 @@ static int32_t ocspParseBasicResponse(psPool_t *pool, uint32_t len,
if (cert_res < 0)
{
psX509FreeCert(res->OCSPResponseCert);
+ res->OCSPResponseCert = NULL;
return PS_PARSE_FAIL;
}
p += cert_res;
diff --git a/crypto/pubkey/pubkey_parse_file.c b/crypto/pubkey/pubkey_parse_file.c
index 74db63f..641d895 100644
--- a/crypto/pubkey/pubkey_parse_file.c
+++ b/crypto/pubkey/pubkey_parse_file.c
@@ -118,6 +118,7 @@ int32_t psParseUnknownPubKey(psPool_t *pool, int pemOrDer, char *keyfile,
int keytype = -1;
unsigned char *keyBuf;
psSizeL_t keyBufLen;
+ psRes_t rc;
/* flps_parseUnknownPubKey() is similar function.
First try to invoke that. */
@@ -129,24 +130,47 @@ int32_t psParseUnknownPubKey(psPool_t *pool, int pemOrDer, char *keyfile,
/* PEM file */
keytype = psTryParsePubKeyFilePEM(pool, keyfile, password, pubkey);
- if (keytype < 0)
+ if (keytype >= 0)
{
- psTraceStrCrypto("Unable to parse public key file %s\n", keyfile);
- return PS_FAILURE;
+ /* psTryParsePubKeyFilePEM() succeeded. */
+ return keytype;
}
+
+ /* Fallback: Try processing via psGetFileBuf() and
+ psParseUnknownPubKeyMem(). */
}
- else
+
+ /* DER file (or PEM file that failed parsing via
+ psTryParsePubKeyFilePEM()). */
+ if (psGetFileBuf(pool, keyfile, &keyBuf, &keyBufLen) < PS_SUCCESS)
{
- /* DER file. */
- if (psGetFileBuf(pool, keyfile, &keyBuf, &keyBufLen) < PS_SUCCESS)
- {
- psTraceStrCrypto("Unable to open public key file %s\n", keyfile);
- return -1;
- }
- /* Processing DER files not handled by current implementation of
- the function the input shall be in PEM format. */
- psFree(keyBuf, pool);
+ psTraceStrCrypto("Unable to open public key file %s\n", keyfile);
+ return -1;
}
+ rc = (psRes_t) psParseUnknownPubKeyMem(pool, keyBuf, (int32) keyBufLen,
+ NULL, pubkey);
+ if (rc == PS_SUCCESS)
+ {
+# ifdef USE_RSA
+ if (pubkey->type == PS_RSA)
+ {
+ keytype = 1;
+ }
+# endif /* USE_RSA */
+# ifdef USE_ECC
+ if (pubkey->type == PS_ECC)
+ {
+ keytype = 2;
+ }
+# endif /* USE_ECC */
+ if (keytype == -1)
+ {
+ psTraceIntCrypto("Unexpected keytype identifier: %d\n",
+ (int) pubkey->type);
+ psClearPubKey(pubkey);
+ }
+ }
+ psFree(keyBuf, pool);
return keytype;
}
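Review bot: `(int32) keyBufLen` in the psParseUnknownPubKeyMem call narrows the length returned by psGetFileBuf without a range check; if psSizeL_t is wider than 32 bits, a key file larger than INT32_MAX bytes would be passed with a truncated or negative length, so guard it before the call with `if (keyBufLen > INT32_MAX) { psFree(keyBuf, pool); return -1; }`. The diagnostic that the hunk removes from the PEM path is not replaced: when psParseUnknownPubKeyMem also fails, `rc` is dropped and -1 is returned with no trace, so add `psTraceStrCrypto("Unable to parse public key file %s\n", keyfile);` in an `else` branch of the `rc == PS_SUCCESS` test. psParseUnknownPubKey's signature and the start of its body lie outside this hunk.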
diff --git a/crypto/pubkey/pubkey_parse_mem.c b/crypto/pubkey/pubkey_parse_mem.c
index 31cbbe7..619ba55 100644
--- a/crypto/pubkey/pubkey_parse_mem.c
+++ b/crypto/pubkey/pubkey_parse_mem.c
@@ -302,10 +302,58 @@ psParseUnknownPubKeyMem(psPool_t *pool,
# ifdef USE_ECC
if (rc < PS_SUCCESS)
{
- rc = getEcPubKey(pool,
- (const unsigned char **)&data, data_len,
+ const unsigned char *datac = data;
+ const unsigned char *end;
+
+ /* Typical ECC public key follows this structure (subset of X.509 certificate). */
+ /*
+ SubjectPublicKeyInfo ::= SEQUENCE {
+ algorithm AlgorithmIdentifier,
+ subjectPublicKey BIT STRING }
+ */
+
+ /* The sequence and algorithm identifier are considered optional. */
+ if (data_len > 0 && *datac == (ASN_CONSTRUCTED | ASN_SEQUENCE))
+ {
+ int32 pubKeyAlgorithm;
+ psSize_t plen;
+
+ if ((rc = getAsnSequence(&datac, (uint32) data_len, &plen)) < 0)
+ {
+ psTraceCrypto("Couldn't get ASN sequence for pubKeyAlgorithm\n");
+ goto exit_free_data;
+ }
+ data_len = plen;
+ /* We will just parse one SEQUENCE.
+ This will allow compatibility with inputs containing multiple
+ keys or other inputs like certificate after the first key. */
+ end = datac + data_len;
+ if ((rc = getAsnAlgorithmIdentifier(&datac, (uint32) data_len,
+ &pubKeyAlgorithm, &plen)) < 0)
+ {
+ psTraceCrypto("Couldn't parse algorithm id for pubKeyAlgorithm\n");
+ goto exit_free_data;
+ }
+ data_len = (psSizeL_t) (end - datac);
+ }
+ rc = getEcPubKey(pool, &datac, data_len,
&pubkey->key.ecc, hashBuf);
- if (rc < PS_SUCCESS)
+ if (rc == PS_SUCCESS)
+ {
+ /* keysize will be the size of the public ecc key (2 * privateLen) */
+ pubkey->keysize = psEccSize(&pubkey->key.ecc);
+ if (pubkey->keysize < (MIN_ECC_BITS / 8))
+ {
+ /* Ensure correct key size. */
+ psTraceIntCrypto("ECC key size < %d\n", MIN_ECC_BITS);
+ psClearPubKey(pubkey);
+ rc = PS_PARSE_FAIL;
+ goto exit_free_data;
+ }
+ }
+ /* Fallback: parse Ecc private key structure if
+ algorithm identifier was not found and getEcPubKey failed. */
+ if (rc < PS_SUCCESS && datac == keyBuf)
{
rc = psEccParsePrivKey(pool, data, data_len,
&pubkey->key.ecc, NULL);
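Review bot: The AlgorithmIdentifier is parsed into `pubKeyAlgorithm` but never inspected, so a SubjectPublicKeyInfo naming some other algorithm is still handed to getEcPubKey with only that function's own parsing left to reject it; compare it with the identifier value the project uses for the EC public-key algorithm and fail explicitly, e.g. `if (pubKeyAlgorithm != <ECC algorithm id constant>) { rc = PS_PARSE_FAIL; goto exit_free_data; }`. `end = datac + data_len` after `data_len = plen` relies on getAsnSequence having bounded `plen` by the remaining input — presumably it does, but a larger `plen` would make the later `data_len = end - datac` extend past the buffer, so it is worth confirming. The fallback test `datac == keyBuf` compares against a name not visible in this hunk; if `keyBuf` is not the same pointer as `data`, the private-key fallback can never trigger, which also deserves a check. The `exit_free_data:` label is added by the second hunk of this file, outside this one.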
@@ -315,6 +363,7 @@ psParseUnknownPubKeyMem(psPool_t *pool,
pubkey->type = PS_ECC;
}
}
+exit_free_data:
# endif
diff --git a/crypto/test/algorithmTest.c b/crypto/test/algorithmTest.c
index ec436f9..5ef5faa 100644
--- a/crypto/test/algorithmTest.c
+++ b/crypto/test/algorithmTest.c
@@ -7142,6 +7142,279 @@ static int32 psEd25519Test(void)
}
#endif /* USE_ED25519 */
+# include "osdep_unistd.h"
+# include "osdep_stdio.h"
+
+# if defined(USE_RSA) || defined(USE_ECC)
+# ifdef MATRIX_USE_FILE_SYSTEM
+# ifdef USE_PRIVATE_KEY_PARSING
+int32 loadKeyPair(psPool_t *pool,
+ psPubKey_t *keyPair,
+ const char *key_filename)
+{
+ int32 keytype;
+
+ keytype = psParseUnknownPrivKey(pool,
+ 1,
+ (char *) key_filename,
+ NULL,
+ keyPair);
+ if (keytype < 0)
+ {
+ Printf("psParseUnknownPrivKey failed\n");
+ return PS_FAILURE;
+ }
+
+ return PS_SUCCESS;
+}
+
+int32 loadKeyPub(psPool_t *pool,
+ psPubKey_t *keyPub,
+ const char *key_filename)
+{
+ int32 keytype;
+
+ keytype = psParseUnknownPubKey(pool,
+ 1,
+ (char *) key_filename,
+ NULL,
+ keyPub);
+ if (keytype < 0)
+ {
+ /* Alternative path.
+ In current software either function should work. */
+ psPool_t *pool = NULL;
+ psRes_t rc;
+ unsigned char *buf;
+ psSizeL_t len;
+
+ Printf("(INFORMATIVE: psParseUnknownPubKey failed: "
+ "psParseUnknownPubKeyMem used instead)");
+
+ rc = psGetFileBuf(pool, key_filename, &buf, &len);
+ if (rc != PS_SUCCESS)
+ {
+ return PS_FAILURE;
+ }
+
+ rc = (psRes_t) psParseUnknownPubKeyMem(pool, buf, (int32) len,
+ NULL, keyPub);
+ psFree(buf, pool);
+ if (rc != PS_SUCCESS)
+ {
+ /* Successful key loading. */
+ return PS_FAILURE;
+ }
+ keytype = 2;
+ }
+ if (keytype != 2)
+ {
+ Printf("psParseUnknownPubKey(Mem): unexpected key type.\n");
+ return PS_FAILURE;
+ }
+
+ return PS_SUCCESS;
+}
+# endif /* USE_PRIVATE_KEY_PARSING */
+# endif /* MATRIX_USE_FILE_SYSTEM */
+# endif /* USE_RSA || USE_ECC */
+
+
+# ifdef USE_ECC
+# ifdef USE_PEM_DECODE
+static int32_t psEccLoadPub_helper(void)
+{
+ FILE *file = NULL;
+ const char *public_key_filename = "testkeys/EC/256_EC_PUB.pem";
+ const char *private_key_filename = "testkeys/EC/256_EC_KEY.pem";
+ unsigned char testdata1[] = { 'a', 'b', 'c', 'd' };
+ unsigned char testdata2[] = { 'a', 'b', 'c', 'D' };
+ unsigned char sigbuf[128];
+ psPubKey_t public, private;
+ int32 rc;
+ psRes_t res;
+ psRes_t res1a;
+ psRes_t res1b;
+ psRes_t res2a;
+ psRes_t res2b;
+ psSize_t siglen = sizeof sigbuf;
+ psBool_t verify1a = PS_FALSE;
+ psBool_t verify2a = PS_FALSE;
+ psBool_t verify1b = PS_FALSE;
+ psBool_t verify2b = PS_FALSE;
+ unsigned char hashOut[SHA512_HASH_SIZE];
+ psSize_t hashOutLen = PS_SIZEOF(hashOut);
+
+ /* Note: this part of the test is dependent on path. */
+ for (;; )
+ {
+ char cwd_from_buf[512];
+ char cwd_to_buf[512];
+ char *cwd_from = NULL;
+ char *cwd_to = NULL;
+
+ file = Fopen(public_key_filename, "r");
+ if (file)
+ {
+ break;
+ }
+
+ cwd_from = getcwd(cwd_from_buf, sizeof(cwd_from_buf));
+
+ if (cwd_from == NULL) {
+ Printf("psEccLoadPub cannot locate current directory\n");
+ return PS_FAILURE;
+ }
+
+ if (chdir("..") != 0)
+ {
+ Printf("psEccLoadPub cannot locate test key files\n");
+ return PS_FAILURE;
+ }
+
+ cwd_to = getcwd(cwd_to_buf, sizeof(cwd_to_buf));
+
+ if (cwd_to == NULL) {
+ Printf("psEccLoadPub cannot locate current directory\n");
+ return PS_FAILURE;
+ }
+
+ /* If directory did not change, i.e. we are in root */
+ if (Strcmp(cwd_to, cwd_from) == 0) {
+ Printf("psEccLoadPub cannot locate %s\n", public_key_filename);
+ return PS_FAILURE;
+ }
+ }
+ Fclose(file);
+
+ Memset(&private, 0, sizeof private);
+ rc = loadKeyPair(MATRIX_NO_POOL, &private, private_key_filename);
+ if (rc != PS_SUCCESS)
+ {
+ Printf("Failed to load Ecc private key %s\n", private_key_filename);
+ return PS_FAILURE;
+ }
+
+ Memset(&public, 0, sizeof public);
+ rc = loadKeyPub(MATRIX_NO_POOL, &public, public_key_filename);
+ if (rc != PS_SUCCESS)
+ {
+ Printf("Failed to load Ecc private key %s\n", public_key_filename);
+ return PS_FAILURE;
+ }
+
+ /* Pairwise testing procedure: create signature and verify it
+ against proper data and improper data.
+ Do this twice: with public key of key pair and
+ with separate public key. */
+
+ res = psComputeHashForSig(testdata1,
+ PS_SIZEOF32(testdata1),
+ OID_SHA256_ECDSA_SIG,
+ hashOut,
+ &hashOutLen);
+
+ if (res != PS_SUCCESS)
+ {
+ Printf("Hash SHA-256 computation failed\n");
+ return PS_FAILURE;
+ }
+
+ res = psEccDsaSign(MATRIX_NO_POOL,
+ &private.key.ecc,
+ hashOut, hashOutLen,
+ sigbuf, &siglen,
+ 0, NULL);
+
+ if (res != PS_SUCCESS)
+ {
+ Printf("ECC signature operation with NIST P-256 failed\n");
+ return PS_FAILURE;
+ }
+
+ res1a = psHashDataAndVerifySig(MATRIX_NO_POOL,
+ testdata1,
+ PS_SIZEOF32(testdata1),
+ sigbuf,
+ siglen,
+ &private,
+ OID_SHA256_ECDSA_SIG,
+ &verify1a,
+ NULL);
+
+ res2a = psHashDataAndVerifySig(MATRIX_NO_POOL,
+ testdata2,
+ PS_SIZEOF32(testdata2),
+ sigbuf,
+ siglen,
+ &private,
+ OID_SHA256_ECDSA_SIG,
+ &verify2a,
+ NULL);
+
+ if (res1a != PS_SUCCESS ||
+ (res2a != PS_FAILURE && res2a != PS_VERIFICATION_FAILED) ||
+ verify1a != PS_TRUE || verify2a != PS_FALSE)
+ {
+ Printf("Verify results unexpected (got %d %d %d %d)\n",
+ (int) res1a, (int) res2a, (int) verify1a, (int) verify2a);
+ return PS_FAILURE;
+ }
+
+ res1b = psHashDataAndVerifySig(MATRIX_NO_POOL,
+ testdata1,
+ PS_SIZEOF32(testdata1),
+ sigbuf,
+ siglen,
+ &public,
+ OID_SHA256_ECDSA_SIG,
+ &verify1b,
+ NULL);
+
+ res2b = psHashDataAndVerifySig(MATRIX_NO_POOL,
+ testdata2,
+ PS_SIZEOF32(testdata2),
+ sigbuf,
+ siglen,
+ &public,
+ OID_SHA256_ECDSA_SIG,
+ &verify2b,
+ NULL);
+
+ if (res1b != PS_SUCCESS ||
+ (res2b != PS_FAILURE && res2b != PS_VERIFICATION_FAILED) ||
+ verify1b != PS_TRUE || verify2b != PS_FALSE)
+ {
+ Printf("Verify results separate pk unexpected (got %d %d %d %d)\n",
+ (int) res1b, (int) res2b, (int) verify1b, (int) verify2b);
+
+ return PS_FAILURE;
+ }
+
+ psClearPubKey(&public);
+ psClearPubKey(&private);
+ return PS_SUCCESS;
+}
+
+static int32_t psEccLoadPub(void)
+{
+ int32_t rc;
+
+ _psTrace(" ECC key loading and usage test... ");
+ rc = psEccLoadPub_helper();
+ if (rc == PS_SUCCESS)
+ {
+ _psTrace(" SUCCESS\n");
+ }
+ else
+ {
+ _psTrace("FAILURE\n");
+ }
+ return rc;
+}
+# endif /* USE_PEM_DECODE */
+# endif /* USE_ECC */
+
/******************************************************************************/
typedef struct
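Review bot: In psEccLoadPub_helper every failure after loadKeyPair succeeds (the loadKeyPub, psComputeHashForSig, psEccDsaSign and both verify checks) returns PS_FAILURE without releasing `private` (and, once loaded, `public`), so a failing run leaks the parsed keys; only the success path reaches the two psClearPubKey calls. A single cleanup label reached by `goto` fixes all of these at once, and lets the public-key failure message, which currently reads "Failed to load Ecc private key", be corrected in the same place. This assumes psClearPubKey tolerates a key that was only Memset to zero, which the zeroing before each load suggests is the intended initial state — verify. In loadKeyPub the local `psPool_t *pool = NULL;` shadows the `pool` parameter and the `/* Successful key loading. */` comment sits on the failure branch; use the parameter and move or drop the comment.
```c
static int32_t psEccLoadPub_helper(void)
{
    int32_t ret = PS_FAILURE;
    /* … unchanged: remaining locals, key-file lookup loop, loadKeyPair … */

    Memset(&public, 0, sizeof public);
    rc = loadKeyPub(MATRIX_NO_POOL, &public, public_key_filename);
    if (rc != PS_SUCCESS)
    {
        Printf("Failed to load Ecc public key %s\n", public_key_filename);
        goto out;
    }

    /* … unchanged: hash, sign and verify steps, with each
       `return PS_FAILURE;` replaced by `goto out;` … */

    ret = PS_SUCCESS;
out:
    psClearPubKey(&public);
    psClearPubKey(&private);
    return ret;
}
```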
@@ -7326,6 +7599,13 @@ static test_t tests[] = {
#endif
, "***** ECC TESTS *****" },
+#if defined(USE_ECC) && defined(USE_PEM_DECODE)
+ { psEccLoadPub
+#else
+ { NULL
+#endif /* USE_ECC && USE_PEM_DECODE */
+ , "***** ECC LOAD PUBLIC KEY TEST *****" },
+
{ NULL
, "***** PRF TESTS *****" },
diff --git a/doc/CHANGES.html b/doc/CHANGES.html
deleted file mode 100644
index 0484e2d..0000000
--- a/doc/CHANGES.html
+++ /dev/null
@@ -1,617 +0,0 @@
-
-
-
-
-
-
-
-
-
-
-MatrixSSL Release Notes
-Changes in 3.9.0
-
-Version 3.9.0 March 2017 (C) Copyright 2017 INSIDE Secure - All Rights Reserved
-
-
-- BUG FIXES SINCE 3.8.7b
-
-
-- Fixed server-side handling of client authentication with Server Name Indication
-- Constant Time Modular Exponentiation
-
-
-- NEW FEATURES SINCE 3.8.7b
-
-
-- RFC 5280 Compliant Certificate Matching
-- Certificate Validation Configuration Options
-- Client Authentication using an External Security Token
-- X.509 Generation Improvements (Commercial Edition Only)
-- Added psX509GetOnelineDN API
-- Added matrixValidateCertsExt API
-- Support for RSA-MD2 and RSA-MD5 Signatures in CSR and CRL Parsing
-- ALLOW_CRL_ISSUERS_WITHOUT_KEYUSAGE Compatibility Option
-
-
-- OTHER CHANGES SINCE 3.8.7b
-
-
-1. BUG FIXES SINCE 3.8.7b
-Fixed server-side handling of client authentication with Server Name Indication
-This bug caused client authentication to fail when MatrixSSL was used as the server and the client was sending the Server Name Indication extension.
-Constant Time Modular Exponentiation
-It was reported by Andreas Zankl that Matrix Crypto implementation had a side-channel information leak via instruction cache. In response to the research, Matrix Crypto modular exponentiation was changed to use code that does not leak information via instruction cache and uses constant-time execution. The new code is slower. (Note: The SafeZone CL/CLS cryptography used in MatrixSSL FIPS Edition has been using constant time modular exponention before.)
-2. NEW FEATURES SINCE 3.8.7b
-RFC 5280 Compliant Certificate Matching
-Matching certificate fields in MatrixSSL has been improved. MatrixSSL now implements the requirement from RFC 5280 that Subject Alternative Name is used for matching instead of subject Common Name if alternative name is available. Subject Alternative Name contain more precise information on the type of the field and thus avoids false positive field matches. MatrixSSL now allows RFC 5280 compliant matching of email addresses, where only domain name part is case insensitive. It is now possible to specify the type of name to match with new session options. See the Session Options section in the MatrixSSL APIs manual for details.
-The issues in certificate matching were reported by Suphannee Sivakorn from Columbia University.
-Certificate Validation Configuration Options
-New session options have been added for configuring MatrixSSL's internal certificate validation process. These include options for specifying the field in the server certificate against which the expected server name should be matched, an option to limit the maximum certificate chain validation depth and options for retaining the peer certificate after processing. See the Session Options section in the MatrixSSL APIs manual for details.
-Client Authentication using an External Security Token
-MatrixSSL's external client authentication feature allows client-side private key operation in TLS client authentication, i.e. the signing of the handshake_messages hash in the CertificateVerify handshake message, to be offloaded from MatrixSSL to an external module such as a security or authentication token. See the MatrixSSL External Module Integration manual for details.
-X.509 Generation Improvements (Commercial Edition Only)
-Support has been added for encoding the netscape-comment certificate extension. The psParseCertReqBufExt API has been added. This version of psParseCertReqBufExt allows storing additional information from the parsed CSR. Another additional API is psX509SetPublicKey, which can be used to set the public key in a psCertConfig_t struct, before it is passed to the CSR or certificate encoding routines. See the MatrixSSL Certificates and Certificate Revocation Lists manual for details.
-Added psX509GetOnelineDN API
-The new psX509GetOnelineDN API can be used to generate a one-line string representation of a Distinguished Name.
-Added matrixValidateCertsExt API
-The new matrixValidateCertsExt API has an additional options struct argument for configuring some aspects of the certificate chain validation process. The old matrixValidateCerts API is now deprecated.
-Support for RSA-MD2 and RSA-MD5 Signatures in CSR and CRL Parsing
-Support for RSA-MD2 and RSA-MD5 signature verification has been added to CSR parsing, and support for RSA-MD2 signature verification has been added to CRL parsing. These insecure, legacy algorithms are disabled by default, but they can be enabled by defining USE_MD2 or USE_MD5.
-ALLOW_CRL_ISSUERS_WITHOUT_KEYUSAGE Compatibility Option
-The ALLOW_CRL_ISSUERS_WITHOUT_KEYUSAGE build-time option allows CRL authentication to succeed even when signer CA's cert does not have the keyUsage extension and thus no cRLSign bit. This option is for compatibility with old CRL issuer certs. RFC 5280 requires CRL issuer certs to have the keyUsage extension and the cRLSign bit.
-3. OTHER CHANGES SINCE 3.8.7b
-Indent style changes
-Indent style has been changed and made more consistent accross source and header files.
-Changes in 3.8.7b
-
-Version 3.8.7b January 2017 (C) Copyright 2017 INSIDE Secure - All Rights Reserved
-
-
-- BUG FIXES SINCE 3.8.7
-
-
-- Fixed compile error if SHA224 was enabled.
-- Fixed compile warning around HTTP2 alpn detection.
-- Fixed issue where a cipher suite could be negotiated that did not match the authentication type for the keys.
-
-1. BUG FIXES SINCE 3.8.7
-Fixed issue where a cipher suite could be negotiated that did not match the authentication type for the keys.
-This manifested in the default apps/ssl/server.c example when Chrome was connected. It negotiated an ECDSA based cipher even though keys loaded by default were RSA keys.
-Changes in 3.8.7
-
-Version 3.8.7 November 2016 (C) Copyright 2016 INSIDE Secure - All Rights Reserved
-
-
-- BUG FIXES SINCE 3.8.6
-
-
-- Fixed Wrong Computation Results Bug In pstm.c Division
-- Fixed Memory Corruption In psDhImportPubKey
-- Fixed RSA Public Key Read Overflow
-- X.509/CRL/OCSP Timestamp Validation
-- Unix Year 2038 Problem Fix
-- Stricter OID Comparison
-- Multibyte String Handling
-- Configuration Robustness Improvements
-- X.509 Certificate Parsing Read Overflow
-- PKCS #8 Buffer Read Overflow
-- OCSP Bug Fixes
-- Generic Bug Fixes For Test Programs
-- Changes to Recommended Configurations
-- psMutex Locking and Unlocking APIs Compiler Warnings Removed
-- MD5 and SHA-1 Combined Digest Function
-- Coverity Issues Fixed
-- Yarrow Build Issues Fixed
-
-
-- NEW FEATURES SINCE 3.8.6
-
-
-- SHA-512 for X.509 Certificates Improvements
-- OCSP Improvements
-- X.509 Certificate Domain Components
-- New Configuration: Minimal PSK
-
-1. BUG FIXES SINCE 3.8.6
-Fixed Wrong Computation Results Bug In pstm.c Division
-The bug could cause some big number mathematics to return wrong values when divisor and dividend are very far from each other. This issue is related to public key computation problems reported by Security Researcher Hanno Böck.
-Fixed Memory Corruption In psDhImportPubKey
-Importing Diffie-Hellman public key cleared some memory beyond end of the key. On some systems this bug may have caused memory corruption.
-Fixed RSA Public Key Read Overflow
-When importing RSA key from certificate, maliciously crafted RSA public key could cause read buffer overflow and crash.
-X.509/CRL/OCSP Timestamp Validation
-MatrixSSL accepted some X.509 certificates with illegal timestamps, such as leap day in an ordinary year. In additional, some two digit years were parsed incorrectly. Timestamp parsing has been altered everywhere to use new psBrokenDownDate API, which correctly handles these corner cases. Some of X.509 time parsing issues were reported by Sze Yiu Chau.
-Unix Year 2038 Problem Fix
-On 32-bit Unix devices, time_t type, which is signed will overflow in 2038. A workaround was added that will allow timestamps and dates to be processed correctly by MatrixSSL on and after Tuesday 19 January 2038.
-Stricter OID Comparison
-The OID comparison in MatrixSSL uses a simple non-cryptographic digest function, based on sum of bytes, which is not collision free. Comparison of OID binary representation was added to ensure unknown OIDs are not accidentally interpreted the same than some of existing OIDs. This issue was reported by Sze Yiu Chau.
-Multibyte String Handling
-The MatrixSSL now includes function to recode strings containing multibyte (BMPString) characters as UTF-8 strings. This handling is applied to X.509 certificate fields, such as Subject Name. This allows code using MatrixSSL to work with BMPString input without actually knowing the encoding used.
-Configuration Robustness Improvements
-MatrixSSL has been made more robust with configurations: changing configuration options is less likely to cause problems building the software.
-These improvements allow smaller configurations for embedded systems. (E.g. build without DTLS, or build only server-side or client-side support.)
-X.509 Certificate Parsing Read Overflow
-Fixed read overflow from X.509 certificate date handling and removed possible buffer read overflow in parseGeneralNames(). Without these fixes maliciously crafted X.509 certificate could cause software crash.
-PKCS #8 Buffer Read Overflow
-Fixed reading overly large invalid PKCS #8 encoded private key. Without this fix, maliciously crafted PKCS #8 file could cause software crash.
-OCSP Bug Fixes
-In lieu of OCSP improvements, small bugs in OCSP implementation have been fixed. The most notable bug was a memory leak.
-Generic Bug Fixes For Test Programs
-Removed some warnings and memory leaks from test programs. Made test programs confirm to Unix/POSIX return value scheme on relevant platforms.
-Changes to Recommended Configurations
-The recommended configurations have been edited slightly. Most notably, the tracing is disabled by default on non-debug configurations.
-psMutex Locking and Unlocking APIs Compiler Warnings Removed
-Removed return value from psLockMutex() and psUnlockMutex() APIs. This removes several warnings regarding return values not being used.
-MD5 and SHA-1 Combined Digest Function
-The MatrixSSL will now invoke combined MD5 and SHA-1 hash function psMd5Sha1, whenever possible instead of separate MD5 and SHA-1 hash functions.
-Coverity Issues Fixed
-Implementation of getTicketKeys and parseSSLHandshake functions was changed to remove issues detected by Coverity.
-Yarrow Build Issues Fixed
-MatrixSSL comes with a version of Yarrow PRNG. Its use has been deprecated, but the PRNG continued to be shipped with MatrixSSL. Unfortunately, the latest versions of MatrixSSL had compilation errors in yarrow.c. Those errors have been fixed, and the source code file has been marked deprecated.
-2. NEW FEATURES SINCE 3.8.6
-SHA-512 for X.509 Certificates Improvements
-MatrixSSL can use SHA-512 to sign self-signed certificate or certificate request. SHA-512 was already previously supported for verification of X.509 certificates. (This feature can be used only on MatrixSSL Commercial Edition.)
-OCSP Improvements
-OCSP example application apps/crypto/ocsp.c (Commercial Edition Only) and MatrixSSL Developer Guide have been improved to give more documentation regarding OCSP request. OCSP request can now use requestorId feature and request status of list of certificates.
-X.509 Certificate Domain Components
-Added Functions for obtaining contents of X.509 certificate Domain Component field(s).
-New Configuration: Minimal PSK
-New configuration psk added. This configuration provides small footprint MatrixSSL build with only Pre-Shared Key and TLS 1.2 functionality using Matrix Crypto.
-Changes in 3.8.6
-
-Version 3.8.6 October 2016 (C) Copyright 2016 INSIDE Secure - All Rights Reserved
-
-
-- BUG FIXES
-
-
-- Critical parsing bug for X.509 certificates
-- Critical TLS handshake parsing bugs
-- 4096 bit RSA key generation regression
-- General cleanup of build
-- MatrixSSH compatibility issue
-
-
-- FEATURES AND IMPROVEMENTS
-
-
-- New configuration system for build options
-core/ changes
-- X.509 parsing and generation
-crypto/ changes
-- Removed OpenSSL API Emulation
-
-1 BUG FIXES
-Critical parsing bug for X.509 certificates
-Security Researcher Craig Young reported two issues related to X.509 certificate parsing. An error in parsing a maliciously formatted Subject Alt Name field in a certificate could cause a crash due to a write beyond buffer and subsequent free of an unallocated block of memory. An error in parsing a maliciously formatted ASN.1 Bit Field primitive could cause a crash due to a memory read beyond allocated memory.
-Critical TLS handshake parsing bugs
-Security Researcher Andreas Walz reported three issues related to processing the ClientHello message.
-
-- The length of the TLS record was not being strictly checked against the length of the extensions field, so that additional unparsed data could be added between the end of extensions and the end of the record. This presents some level of uncertainty in how extensions may be interpreted and could present a security issue.
-- ClientHello parsing was not verifying that a NULL compression suite was sent by the client, as required by the RFC. This did not present a security issue (NULL compression was always forced), but improves strict adherence to the specification.
-- For TLS connections (not DTLS), the major version proposed in the ClientHello suggested by RFC 5246 to only allow the byte value
0x03. Now the connection is terminated if a value other than this is suggested. Previously the suggested major version field was simply echoed back in the ServerHello message, and treated as 0x03.
-
-4096 bit RSA key generation regression
-In some cases RSA key generation of 4096 bit keys would fail and return with an error code. This regression issue has been fixed and key generation will once again succeed.
-General cleanup of build
-Warnings across multiple platforms and compilers were fixed. Various compile time configuration combination build issues were fixed.
-MatrixSSH compatibility issue
-Newer versions of MatrixSSH server were incompatible with the PuTTY client. A fix has been included and enabled by default USE_PUTTY_WORKAROUND. Note this does not affect the standard MatrixSSL codebase.
-2 FEATURES AND IMPROVEMENTS
-New configuration system for build options
-A new top level directory configs/ now holds several sets of configuration files for MatrixSSL to simplify configuration sets. This method also allows custom sets to be developed specific to a given use case (for example a RSA only build). The following three configuration files now are copied at build time from the configs directory:
-core/coreConfig.h
-crypto/cryptoConfig.h
-matrixssl/matrixsslConfig.h
-
-The default configuration settings for MatrixSSL may have changed from your current settings. Please confirm all settings in these three files after updating.
-
-From a fresh package, the build process is the same as before: simply type make. It will build the software using the default configuration options.
-To use a different configuration, for example configs/noecc:
-$ make clean && make all-noecc
-Once a configuration is set, make and make clean will continue to use the same configuration unless a new one is selected as above.
-core/ changes
-
-- Added warning helper macros
-- Additional
PS_ return codes
-- Buffer helper APIs in
psbuf.h
-- Foundation for
PS_NETWORKING support for sockets level API
-psMutex_t API return code change, now returns void and will call abort() on POSIX platforms.
-test/ new self-test directory
-- Change in default Linux compile options in
common.mk
-
-X.509 parsing and generation
-Added additional field parsing support for X.509, including multiple OU support. Commercial release adds additional certificate creation support, as well as an API set and test suite for programmatically creating certificates. See MatrixKeyAndCertGeneration.pdf for full description.
-crypto/ changes
-
-- Added
*PreInit() APIs for hash functions for compatibility with FIPS library and hardware token requirements
-- Added
psX509GetCertPublicKeyDer() API
-- Support
dsa_sig OID for certificates`
-- Support for
ASN_VISIBLE_STRING
-- Moved CRL functionality into
keyformat/crl.c
-- Support for parsing an implicitly encoded ECC key without a DER header, as sometimes encountered in the wild.
-- Added PKCS#8 import
-ALLOW_VERSION_1_ROOT_CERT_PARSE configuration option for loading legacy v1 certificates as trusted roots only (default not enabled). Loading as intermediate or leaf certificates is insecure and still not allowed.
-
-Removed OpenSSL API Emulation
-
-opensslApi.c and opensslSocket.c files removed temporarily in anticipation of moving to a more fully supported OpenSSL layer.
-
-Changes in 3.8.5
-
-Version 3.8.5 September 2016 Note: 3.8.5 was a limited customer release only.
-
-Changes in 3.8.4
-
-Version 3.8.4 July 2016 (C) Copyright 2016 INSIDE Secure - All Rights Reserved
-
-
-- FEATURES AND IMPROVEMENTS
-
-
-- Coverity coverage
-- HTTP/2 restrictions via ALPN
-- Enhanced example apps
-- Process shared Session Cache
-- Enhanced CRL and OCSP support
-- Windows support for certificate date validation
-
-
-- BUG FIXES
-
-
-- Critical parsing bug for RSA encrypted blobs
-- Additional restrictions on bignum operations
-- Fixed error in disabled cipher flags
-- Fixed error in DTLS encoding
-- SSLv3 only support fixed
-- Assembly compatibility with more compilers
-
-1 FEATURES AND IMPROVEMENTS
-Coverity coverage
-MatrixSSL now has zero outstanding defects in Coverity Static Analysis.
-HTTP/2 restrictions via ALPN
-MatrixSSL server code will automatically evaluate the ALPN extension and appropriately restrict the cipher suites and key exchange methods if the HTTP/2 protocol is being used. Per the HTTP/2 spec, only AEAD cipher suites and Ephemeral key exchange methods are allowed.
-Enhanced example apps
-Example applications now take additional command line options and also support CRL request and response generation.
-Process shared Session Cache
-Minimal support for a process-shared server session resumption cache is now supported via process-shared mutexes on Linux.
-Enhanced CRL and OCSP support
-A new file crypto/keyformat/crl.c defines additional apis for more complex CRL (Certificate Revocation List) and OCSP support.
-Windows support for certificate date validation
-Previously only Posix based platforms were supported.
-2 BUG FIXES
-Critical parsing bug for RSA encrypted blobs
-Security Researcher Hanno Böck reported several issues related to RSA and bignum operations. An error in parsing a maliciously formatted public key block could produce a remotely triggered crash in SSL server parsing. Additional restrictions on the values provided to RSA and DH operations were also added, although an exploit has not been found.
-Additional restrictions on bignum operations
-The MatrixSSL bignum library, located in crypto/math/ was optimized and reduced in size to support only key sizes and operations used by standard RSA, ECC and DH operations (those apis present in crypto/cryptoApi.h). Additional constraint checking has been added to the code to prevent unsupported key sizes and values. Users requiring generic bignum operations should take a look at libtomcrypt, GMP, Python or OpenSSL.
-Fixed error in disabled cipher flags
-The optional disabling or enabling of specific ciphers at runtime per session was recently broken (now fixed) due to an errant flags calculation using < instead of <<.
-Fixed error in DTLS encoding
-An error was returned if attempting to encode a DTLS message exactly the PMTU size.
-SSLv3 only support fixed
-SSLv3 mode is not recommended for deployment, but had become broken in a recent build. It can now be enabled again.
-Assembly compatibility with more compilers
-Fixed "invalid register constraints" error on some versions of GCC and LLVM for ARM, MIPS and x86_64.
-Changes in 3.8.3
-
-Version 3.8.3 April 2016 (C) Copyright 2016 INSIDE Secure - All Rights Reserved
-
-
-- FEATURES AND IMPROVEMENTS
-
-
-- Simplified Configuration Options
-- DTLS Combined Package
-- CHACHA20_POLY1305 Cipher Suites
-- Libsodium Crypto Provider
-- Extended Master Secret
-- Online Certificate Status Protocol
-- TLS Fallback SCSV
-- Trusted CA Indication Extension
-- Removed gmt_unix_time from client and server random
-- Removed support for SSLv2 CLIENT_HELLO messages
-- Ephemeral ECC Key Caching
-
-
-- BUG FIXES
-
-
-- Support for parsing large certificate blobs
-- X.509 certificate parse fix for issuerUniqueID and subjectUniqueID
-- Diffie-Hellman public key exchange bug
-- SHA512 based Server Key Exchange signatures
-- Allow independent hashSigAlg identifiers in Certificate Request message
-- Improvements to DTLS Cookie handling
-- Fixed key type verification for chosen cipher suite
-- Validation of RSA Signature Creation
-- Side Channel Vulnerability on RSA Cipher Suites
-- Access Violation on Malicious TLS Record
-
-1 FEATURES AND IMPROVEMENTS
-Simplified Configuration Options
-The configuration files coreConfig.h, cryptoConfig.h and matrixsslConfig.h have been simplified, and the default options have been changed to improve security and code size.
-
-- Many of the insecure algorithms or deprecated options that can be enabled in cryptoConfig.h and matrixsslConfig.h have been moved into cryptolib.h and matrixssllib.h, respectively.
-
-- TLS 1.1 is now the default minimum TLS version compiled in. The new
USE_TLS_1_1_AND_ABOVE setting enables this.
-- Rehandshaking on an existing connection is now disabled completely by default with the
USE_REHANDSHAKING configuration option.
-
-DTLS Combined Package
-DTLS is now packaged with MatrixSSL, and can be enabled with the USE_DTLS configuration option. TLS and DTLS connections can be made simultaneously with the same application.
-CHACHA20_POLY1305 Cipher Suites
-MatrixSSL now has support for ChaCha20-Poly1305 cipher suites compatible with RFC draft https://tools.ietf.org/html/draft-ietf-tls-chacha20-poly1305. The supported cipher suites are defined for TLS 1.2 and can be enabled at compile time.
-
-- cryptoConfig.h
-USE_CHACHA20_POLY1305
-
-- matrixsslConfig.h
-TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
-
-
-MatrixSSL must be linked with the libsodium library to provide implementation of the crypto primitives.
-Libsodium Crypto Provider
-MatrixSSL now includes a layer for crypto primitives to the libsodium crypto library, in addition to the OpenSSL libcrypto and the native (default) MatrixSSL crypto library. libsodium provides crypto primitives for ChaCha20 and Poly1305. In addition, enabling the layer will use libsodium primitives for SHA256/SHA384/SHA512 based hashes and AES-256-GCM ciphers that provide high performance on Intel platforms.
-
-As of this release, the current version of libsodium is available here: https://download.libsodium.org/libsodium/releases/libsodium-1.0.8.tar.gz To build libsodium, follow the instructions here: https://download.libsodium.org/doc/installation/index.html
-
-To enable in the MatrixSSL make system, enable the following and rebuild:
-
-- common.mk
-PS_LIBSODIUM:=1 LIBSODIUM_ROOT:=(path_to_libsodium_build)
-
-
-Extended Master Secret
-The “extended master secret” as specified in RFC 7627 is an important security feature for TLS implementations that use session resumption. The extended master secret feature associates the internal TLS master secret directly to the connection context to prevent man-in-the-middle attacks during session resumption. One such attack is a synchronizing triple handshake as described in Triple Handshakes and Cookie Cutters: Breaking and Fixing Authentication over TLS.
-See the Extended Master Secret section in the MatrixSSL API document for details.
-Online Certificate Status Protocol
-The Online Certificate Status Protocol (OCSP) is an alternative to the Certificate Revocation List (CRL) mechanism for performing certificate revocation tests on server keys. TLS integrates with OCSP in a mechanism known as “OCSP stapling”. This feature allows the client to request that the server provide a time-stamped OCSP response when presenting the X.509 certificate during the TLS handshake. The primary goal for this scheme is to allow resource constrained clients to perform certificate revocation tests without having to communicate with an OCSP Responder themselves.
-See the OCSP Revocation section in the MatrixSSL API document for details.
-TLS Fallback SCSV
-The RFC for detecting version rollback attacks has been implemented per RFC7507. See the MatrixSSL Developer’s Guide for more information.
-Trusted CA Indication Extension
-The Trusted CA Indication extension is specified in RFC 6066. This feature allows TLS clients to send their list of certificate authorities to servers in the CLIENT_HELLO message.
-See the Trusted CA Indication section in the MatrixSSL_API document for details.
-Removed gmt_unix_time from client and server random
-The TLS RFC specifies that the first 4 bytes of the CLIENT_HELLO and SERVER_HELLO random values be the current platform time. Current best practices recommend using random data for all 32 bytes. MatrixSSL now uses all random data by default.
-Removed support for SSLv2 CLIENT_HELLO messages
-SSLv2 CLIENT_HELLO parsing was previously supported to maintain compatibility with very old TLS implementations. Although this does not present a security risk at this time, the code has been removed, and only modern TLS record header parsing is supported.
-Ephemeral ECC Key Caching
-Previous versions of MatrixSSL generated new, unique ephemeral keys for each connection using ECDHE_ cipher suites, as per NIST recommendations. Beginning with this version, ephemeral keys are cached and re-used for connections within a time frame of two hours and a maximum usage of 1000 times. This improves performance of ECDHE suites, and is inline with the configuration current web browsers. This feature can be configured in matrixsslConfig.h.
-2 BUG FIXES
-Support for parsing large certificate blobs
-Certificate collections larger than 64KB were not being parsed correctly after a change to some data types (32 bit to 16 bit) in the parsing code. This bug is now fixed and large collections of certificates are now parsing correctly.
-X.509 certificate parse fix for issuerUniqueID and subjectUniqueID
-Previous MatrixSSL versions could not parse these rarely encountered members of X.509 certificates.
-Diffie-Hellman public key exchange bug
-MatrixSSL clients would not successfully handshake with servers that sent Diffie-Hellman public keys that were not the same byte length as the DH group Prime parameter. Clients will now successfully handshake with servers that provide shorter length public keys.
-SHA512 based Server Key Exchange signatures
-SHA512 was not supported for SERVER_KEY_EXCHANGE messages in previous versions.
-Allow independent hashSigAlg identifiers in Certificate Request message
-Previous client versions of MatrixSSL would not allow servers to send signature algorithm identifiers that were not already specified by the client in the CLIENT_HELLO message. Now, the client will correctly allow the server to send an independent list of supported algorithms and the client will look for matches from that list.
-Improvements to DTLS Cookie handling
-HMAC-SHA1 or HMAC-SHA256 are now used to generate the DTLS cookie, and additional checking is done on the cookie for Denial-of-Service prevention.
-Fixed key type verification for chosen cipher suite
-An internal verification function that determined whether the server key type was correct for the chosen cipher suite has now been fixed. Previous versions would sometimes incorrectly determine the server was using the wrong key type if the server was using a certificate chain where parent certificates did not use the same key type. This bug resulted in a failed handshake and is now fixed.
-Validation of RSA Signature Creation
-An internal RSA validation of created signatures has been added to the library in the psRsaEncryptPriv() function.
-Security researcher Florian Weimer has shown it is possible for RSA private key information to leak under some special failure circumstances. Information on the exploit can be found here: https://people.redhat.com/~fweimer/rsa-crt-leaks.pdf
-The potential leak is only possible if a DHE_RSA based cipher suite is supported on the server side. This is the only handshake combination in which an RSA signature is sent over the wire (during the SERVER_KEY_EXCHANGE message). The signature itself must have been incorrectly generated for the exploit to be possible.
-The additional signature validation test will now cause the TLS handshake to fail prior to a faulty signature being sent to the client.
-Side Channel Vulnerability on RSA Cipher Suites
-A Bleichenbacher variant attack, where certain information is leaked from the results of a RSA private key operation has been reported by a security researcher. The code has been updated to error without providing any information on the premaster contents. Thank you to Juraj Somorovsky, author of TLS-Attacker > Note that other side channel attacks may still be possible as MatrixSSL non-FIPS crypto is not always constant-time.
-Access Violation on Malicious TLS Record
-TLS cipher suites with CBC mode in TLS 1.1 and 1.2 could have an access violation (read beyond memory) with a maliciously crafted message. Thank you to Juraj Somorovsky, author of TLS-Attacker
-3 KNOWN ISSUES
-
-- Microsoft Windows targets do not support certificate date validation currently. Users requiring this feature can use Windows APIs to get and parse the current date, using the POSIX implementation as a reference.
-- Arm platforms linking with some versions of OpenSSL
libcrypto library may have errors in AES-CBC cipher suites due to the library's inability to handle in-situ encryption within the same block.
-
-Changes in 3.8.2
-
-Version 3.8.2 December 2015 (C) Copyright 2015 INSIDE Secure - All Rights Reserved
-
-
-- FILE/API REORGANIZATION
-
-
-- File Locations
-- Crypto API
-
-
-- SECURITY IMPROVEMENTS
-
-
-- Simplified Configuration
-- Deprecated Ciphers
-- Deprecated TLS Features
-- Key Strength
-- Ephemeral Cipher Suites Enabled by Default
-- ECC Curve List
-- Reordered cipher suite preferences
-- memset_s()
-- Handshake State Machine Improvements
-
-
-- FEATURES AND IMPROVEMENTS
-
-
-- DTLS Protocol Included
-- Optimized Diffie-Hellman performance
-- Optimized EC signature generation performance
-- OpenSSL Crypto Primitive Provider
-- OpenSSL TLS API layer
-- Reduced TLS session footprint
-- X.509 Improvements
-- PKCS#12 Key Parsing
-- Improved certificate callback example
-- Per digest control of HMAC algorithms
-- Default high resolution timing
-- Assert and Error Optimizations
-
-
-- BUG FIXES
-
-
-- 64 bit little endian platforms
-- X.509 KeyUsage extension
-- X.509 date validation fix
-- Fixed handshake parse issue
-- TLS server sending old self-signed certificate
-- Fixed ECC variable encoding bugs
-- DHE_PSK compatibility
-- AES-GCM with AESNI
-- Library configuration test
-- Windows psGetFileBuf
-
-1 FILE/API REORGANIZATION
-File Locations
-MatrixSSL 3.8.2 introduces directory changes to the distribution since 3.7.2
-TLS/DTLS example apps moved from ./apps to ./apps/ssl and ./apps/dtls. Test keys and certificates moved from ./sampleCerts to ./testkeys. XCode and Visual Studio projects moved to ./xcode and ./visualstudio.
-Several file changes and renames are present as well:
-TLS Decoding moved ./matrixssl/sslDecode.c from ./matrixssl/sslDecode.c, ./matrixssl/hsDecode.c and ./matrixssl/extDecode.c. Private key import/export from ./crypto/pubkey/pkcs.c. to ./crypto/keyformat/pkcs.c. Configuration consistency and sanity checks from ./matrixssl/matrixssllib.h to ./matrixssl/matrixsslCheck.h.
-Crypto API
-The API layers into the raw cryptographic operations have been significantly changed. The crypto API changes do not affect the main MatrixSSL API for creating TLS sessions, etc. However, developers who interface with crypto directly, or who want to write a custom hardware layer will be interested in the new layer.
-API Model
-The cryptography API for symmetric crypto, digests and HMAC follow the common model:
-
-- Init API
-- Initializes the cipher and returns an error on failure (typically due to bad input parameters or insufficient memory).
-
-- Encrypt/Decrypt/Update API
-- Performs the operation and does not return an error code (previously some APIs would return the number of bytes decrypted).
-
-- Clear API
-- Zero and/or free any associated memory associated with the cipher.
-
-
-Standard Types
-Standard C99 types from <stdint.h> are used to specify integer parameters.
-
-uint8_t
-- The length of an IV, password or an AES-GCM tag
-
-uint16_t
-- The length of an asymmetric key (RSA/DH/ECC), a HMAC key or Additional Authenticated Data (AAD) for an AEAD cipher such as AES-GCM.
-
-uint32_t
-- The length of data to be processed by the cipher
-
-
-uint64_t: Internally used by crypto library to store large counter values and when optimizing for 64 bit platforms.
-Const Correctness
-Pointers to values that are not modified are marked const.
-API Name changes
-API names have been standardized as follows:
-Initialization of low level AES block cipher from psAesInitKey to psAesInitBlockKey. AES CBC from psAesInit, psAesDecrypt and psAesEncrypt to psAesInitCBC, psAesDecryptCBC and psAesEncryptCBC. SHA2 HMAC from psHmacSha2 to psHmacSha256 and psHmacSha384. ECC signature creation from psEccSignHash to psEccDsaSign. ECC signature validation from psEcDsaValidateSignature to psEccDsaVerify.
-Standardized Context Names
-Cryptographic functions that used to accept generic “context” identifiers now require the specific key/algorithm structure, for example:
-HMAC family from psHmacContext_t to psHmacSha1_t, psHmacSha256_t, ... Digest family from psDigestContext_t to psSha1_t, psSha256_t, etc... Symmetric family from psCipherContext_t to psAesCbc_t, psAesGcm_t, psDes3Key_t RSA private key parse (pkcs1) from psPubKey_t to psRsaKey_t. ECC private key parse from psPubKey_t to psEccKey_t.
-Standardized Return Types
-In general, Init apis return a standard PS_* status code. A status code that is not PS_SUCCESS typically indicates invalid input parameters or a resource allocation failure. Update and Clear APIs no longer have a return. For example:
-HMAC Init from void to int32_t. HMAC Final from int32_t to void. Digest Init from void to int32_t. Digest Final from int32_t to void.
-Memory Model
-In general, APIs now take an allocated cipher structure, and do not allocate the structure in the Init routine. In the past, the memory allocation model was inconsistent.
-For ECC and DH, there are now additional APIs that allow the key to be allocated and initialized, to complement the APIs which just initialize the keys.
-The Clear API must always be called when done with a context, as some algorithms internally allocate additional memory for operation.
-2 SECURITY IMPROVEMENTS
-Simplified Configuration
-The configuration of ciphers and cipher suites in crypto/cryptoConfig.h and matrixssl/matrixsslConfig.h has been simplified considerably. Existing and new users of MatrixSSL should take a look at these files to understand the various options and features supported.
-Deprecated Ciphers
-
-- ARC4, SEED, IDEA, RC2, MD4 and MD2 are deprecated, and not enabled by default in cryptoConfig.h
-- MD5 and SHA1 are not recommended for use, but enabled by default because they are required for TLS protocols before version 1.2. Although they are enabled in cryptoConfig.h, their use within the TLS protocol is limited to where required, and they can be independently disabled from use as a certificate signature algorithm and an HMAC algorithm. The new crypto primitive
psMd5Sha1_t is intended to replace standalone MD5 or SHA1 use outside of where required in TLS.
-- 3DES is not deprecated, but be aware of key strength limitations vs. AES-128 and AES-256.
-
-Deprecated TLS Features
-
-- TLS cipher suites that rely on deprecated crypto algorithms have also been deprecated in matrixsslConfig.h
-- TLS Compression support is now deprecated and the option removed from the configuration.
-- False Start support is now deprecated and the option removed from the configuration.
-
-Key Strength
-Key strength defines have not changed since previous releases, however it should be noted that the default minimum RSA/DH sizes of 1024 and ECC sizes of 192 do not meet a growing number of security standards and larger keys should be beginning to be deployed.
-Ephemeral Cipher Suites Enabled by Default
-ECDHE and DHE cipher suites are now enabled by default. Be aware that for embedded platforms, this may require significant additional CPU load.
-ECC Curve List
-The supported ECC Curve list is now always given in bit-strength order. This ensures that when negotiating EC Parameters, the strongest available will be used.
-Reordered cipher suite preferences
-Clients send a priority list order of cipher suites during TLS negotiations, and servers use a priority list of ciphers to pick a common cipher for the connection.
-MatrixSSL orders this list using the following rules, resulting in some change to the cipher suite preference order in cipherSuite.c. In order to make as secure a connection as possible, the parameters of Authentication, Data Integrity and Data Security were taken in that order to generate a new cipher preference list. In places where these parameters are of equivalent strength, the faster algorithm is preferred (although the “faster” algorithm often depends on the platform). Currently DHE is prioritized over ECDHE due only to performance. In future releases, ECDHE may be the preferred key exchange mode.
-The ordering of the ciphers is grouped and sub-grouped by the following:
-
-- Non-deprecated
-- Ephemeral
-- Authentication Method (PKI > PSK > anon)
-- Hash Strength (SHA384 > SHA256 > SHA > MD5)
-- Cipher Strength (AES256 > AES128 > 3DES > ARC4 > SEED > IDEA > NULL)
-- PKI Key Exchange (DHE* > ECDHE > ECDH > RSA > PSK)
-- Cipher Mode (GCM > CBC)
-- PKI Authentication Method (ECDSA > RSA > PSK)
-
-memset_s()
-Use the memset_s() api to zero memory regardless of compiler optimization which might skip zeroing for memory that is not subsequently used. For platforms without a built in implementation, memset_s() is automatically built in core/memset_s.c
-Handshake State Machine Improvements
-Simplified code paths
-The handshake decode state machine was split among additional files and functions. Switch statements replace other logic to more clearly show each case and its result. The state machine is still quite complex due to the large number of modes and states that are supported in MatrixSSL. Always consult support when making changes to the state machine.
-Multiple state tracking
-Connection state tracking has always been implemented as "expected next state", with no security issues. However for a double check, MatrixSSL now implements independent tracking of the last state encoded and decoded, as well as the expected next state.
-More strict extension processing
-The extension parsing is more strict in what can be accepted and when.
-3 FEATURES AND IMPROVEMENTS
-DTLS Protocol Included
-Beginning in the 3.8.2 version of MatrixSSL, the DTLS 1.0 and DTLS 1.2 protocols are included in MatrixSSL open source package.
-Enable USE_DTLS in ./matrixssl/matrixsslConfig.h to include it in library. Additional documentation, app examples, and test code is included to aid in development.
-
-Use smaller generated key sizes for a given DH prime field size per NIST SP 800-57 Part 1. This provides up to a 9x performance gain for DH operations, greatly increasing the speed of ephemeral ciphers using DH.
-
-Improved performance for finding valid ECC key pairs, especially on larger key sizes.
-OpenSSL Crypto Primitive Provider
-Allows MatrixSSL to be linked against OpenSSL libcrypto as a crypto primitive provider. This allows platforms that use OpenSSL as their crypto API (such as Cavium Octeon) provide hardware acceleration to MatrixSSL applications.
-OpenSSL TLS API layer
-Users wishing to replace OpenSSL with MatrixSSL often desire a layer that will ease the integration. MatrixSSL 3.8.2 includes an OpenSSL_API layer that was previously provided upon request. This layer is found in the ./matrixssl_ directory in the _opensslApi.c_and opensslSocket.c files. The opensslApi.h and opensslSocket.h headers define the interface.
-
-The size of each TLS session was reduced by 512 bytes for AES cipher suites, and additionally by ~100 bytes for all cipher suites.
-X.509 Improvements
-OID parsing has been improved and provides better feedback on error. SHA-512 signed certificates are now supported.
-PKCS#12 Key Parsing
-Support for longer passwords and additional private key bag.
-Improved certificate callback example
-The ./apps/ssl/client.c application now has a more robust processing example to help integrators understand the relationship between the incoming alert value and the individual authStatus members of the server’s certificate chain.
-Per digest control of HMAC algorithms
-Each HMAC algorithm can now be specifically enabled/disabled with USE_HMAC_(digest) defines in cryptoConfig.h
-Default high resolution timing
-POSIX platforms will have high-resolution timers active by default
-Assert and Error Optimizations
-USE_CORE_ASSERT and USE_CORE_ERROR can now be disabled in coreConfig.h. This can reduce code size by removing the static strings used in errors and asserts. Recommended for final deployment only.
-4 BUG FIXES
-
-The STORE32L macro in cryptolib.h has been fixed for little endian 64 platforms. The STORE32H macro in cryptolib.h has been fixed for big endian 64 platforms not using assembly language optimizations. Platforms such as MIPS64 are now automatically detected by the build system.
-X.509 KeyUsage extension
-Fixed the parse to allow for BIT_STRING lengths longer than should be expected.
-X.509 date validation fix
-A bug has been fixed in the validateDateRange() function in x509.c. In previous versions, the time format (ASN_UTCTIME, etc..) of the notAfter date was being set based on the notBefore field. This bug would have caused problems for certificates that used different time formats for the notBefore and notAfter fields.
-Fixed handshake parse issue
-A bug was found on the server side while parsing a specific case of handshake messages from a client. If the cipher suite used a key exchange mechanism of ECDHE or ECHE, and the handshake was using client authentication, and the client was sending the CLIENT_KEY_EXCHANGE message and CERTIFICATE_VERIFY message in a single record, the MatrixSSL server was unable to parse that flight and would close the connection. This is now fixed.
-TLS server sending old self-signed certificate
-A bug has been fixed so that if a server sends a self-signed certificate that does not contain the AuthorityKeyIdentifier extension, the authentication logic will detect that and not report an error to the certificate callback. > Servers shouldn’t send self-signed certificates in the CERTIFICATE message. Client must still always have the same self-signed cert loaded in order to authenticate.
-Fixed ECC variable encoding bugs
-For Client Auth rehandshakes, the variable signature sizes of ECDSA resulted in an issue when clients were creating the encrypted CERTIFICATE_VERIFY message. secp224r1 curves also had an additional bug that could cause an invalid signature in some cases due to the variable encoding rules.
-DHE_PSK compatibility
-Fixed issue with DHE_PSK ciphers when a PSK_ID was not used. Previously a handshake alert would occur.
-AES-GCM with AESNI
-Fixed an issue causing an invalid encoding of large data buffers with aes-gcm on Intel platforms with AESNI.
-Library configuration test
-The mechanism to test that MatrixSSL applications have been compiled using the same configuration as the MatrixSSL static libraries has been fixed.
-Windows psGetFileBuf
-Parameters to CreateFileA() are now correct for opening existing files.
-5 KNOWN ISSUES
-
-- Microsoft Windows targets do not support certificate date validation currently. Users requiring this feature can use Windows APIs to get and parse the current date, using the POSIX implementation as a reference.
-- Arm platforms linking with some versions of OpenSSL
libcrypto library may have errors in AES-CBC cipher suites due to the library's inability to handle in-situ encryption within the same block.
-
-
-
diff --git a/doc/CHANGES.md b/doc/CHANGES.md
deleted file mode 100644
index 3dc14b8..0000000
--- a/doc/CHANGES.md
+++ /dev/null
@@ -1,886 +0,0 @@
-MatrixSSL Release Notes
-=======================
-
-Changes in 3.9.0
-----------------
-
-> **Version 3.9.0**
-> March 2017
-> (C) Copyright 2017 INSIDE Secure - All Rights Reserved
-
-1. BUG FIXES SINCE 3.8.7b
- - Fixed server-side handling of client authentication with Server Name Indication
- - Constant Time Modular Exponentiation
-
-2. NEW FEATURES SINCE 3.8.7b
-
- - RFC 5280 Compliant Certificate Matching
- - Certificate Validation Configuration Options
- - Client Authentication using an External Security Token
- - X.509 Generation Improvements (Commercial Edition Only)
- - Added psX509GetOnelineDN API
- - Added matrixValidateCertsExt API
- - Support for RSA-MD2 and RSA-MD5 Signatures in CSR and CRL Parsing
- - ALLOW_CRL_ISSUERS_WITHOUT_KEYUSAGE Compatibility Option
-
-3. OTHER CHANGES SINCE 3.8.7b
- - Indent style changes
-
-#1. BUG FIXES SINCE 3.8.7b
-
-## Fixed server-side handling of client authentication with Server Name Indication
-
-This bug caused client authentication to fail when MatrixSSL was used
-as the server and the client was sending the Server Name Indication
-extension.
-
-## Constant Time Modular Exponentiation
-
-It was reported by Andreas Zankl that Matrix Crypto implementation had
-a side-channel information leak via instruction cache. In response to
-the research, Matrix Crypto modular exponentiation was changed to use
-code that does not leak information via instruction cache and uses
-constant-time execution. The new code is slower. (Note: The SafeZone
-CL/CLS cryptography used in MatrixSSL FIPS Edition has been using
-constant time modular exponention before.)
-
-#2. NEW FEATURES SINCE 3.8.7b
-
-## RFC 5280 Compliant Certificate Matching
-
-Matching certificate fields in MatrixSSL has been improved. MatrixSSL
-now implements the requirement from RFC 5280 that Subject Alternative Name
-is used for matching instead of subject Common Name if alternative
-name is available. Subject Alternative Name contain more precise
-information on the type of the field and thus avoids false positive field
-matches. MatrixSSL now allows RFC 5280 compliant matching of email
-addresses, where only domain name part is case insensitive. It is now
-possible to specify the type of name to match with new session
-options. See the Session Options section in the MatrixSSL APIs manual
-for details.
-
-The issues in certificate matching were reported by Suphannee Sivakorn from
-Columbia University.
-
-## Certificate Validation Configuration Options
-
-New session options have been added for configuring MatrixSSL's
-internal certificate validation process. These include options for
-specifying the field in the server certificate against which the
-expected server name should be matched, an option to limit the maximum
-certificate chain validation depth and options for retaining the peer
-certificate after processing. See the Session Options section in the
-MatrixSSL APIs manual for details.
-
-## Client Authentication using an External Security Token
-
-MatrixSSL's external client authentication feature allows
-client-side private key operation in TLS client authentication,
-i.e. the signing of the handshake_messages hash in the
-CertificateVerify handshake message, to be offloaded from MatrixSSL to
-an external module such as a security or authentication token. See
-the MatrixSSL External Module Integration manual for details.
-
-## X.509 Generation Improvements (Commercial Edition Only)
-
-Support has been added for encoding the netscape-comment certificate
-extension. The psParseCertReqBufExt API has been added. This version
-of psParseCertReqBufExt allows storing additional information from
-the parsed CSR. Another additional API is psX509SetPublicKey, which
-can be used to set the public key in a psCertConfig_t struct, before
-it is passed to the CSR or certificate encoding routines. See the
-MatrixSSL Certificates and Certificate Revocation Lists manual for
-details.
-
-## Added psX509GetOnelineDN API
-
-The new psX509GetOnelineDN API can be used to generate a one-line
-string representation of a Distinguished Name.
-
-## Added matrixValidateCertsExt API
-
-The new matrixValidateCertsExt API has an additional options struct
-argument for configuring some aspects of the certificate chain
-validation process. The old matrixValidateCerts API is now deprecated.
-
-## Support for RSA-MD2 and RSA-MD5 Signatures in CSR and CRL Parsing
-
-Support for RSA-MD2 and RSA-MD5 signature verification has been added
-to CSR parsing, and support for RSA-MD2 signature verification has
-been added to CRL parsing. These insecure, legacy algorithms are
-disabled by default, but they can be enabled by defining USE_MD2 or
-USE_MD5.
-
-## ALLOW_CRL_ISSUERS_WITHOUT_KEYUSAGE Compatibility Option
-
-The ALLOW_CRL_ISSUERS_WITHOUT_KEYUSAGE build-time option allows CRL
-authentication to succeed even when signer CA's cert does not have the
-keyUsage extension and thus no cRLSign bit. This option is for
-compatibility with old CRL issuer certs. RFC 5280 requires CRL issuer
-certs to have the keyUsage extension and the cRLSign bit.
-
-#3. OTHER CHANGES SINCE 3.8.7b
-
-## Indent style changes
-
-Indent style has been changed and made more consistent accross source
-and header files.
-
-Changes in 3.8.7b
------------------
-
-> **Version 3.8.7b**
-> January 2017
-> (C) Copyright 2017 INSIDE Secure - All Rights Reserved
-
-
-
-1. BUG FIXES SINCE 3.8.7
-- Fixed compile error if SHA224 was enabled.
-- Fixed compile warning around HTTP2 alpn detection.
-- Fixed issue where a cipher suite could be negotiated that did not match the authentication type for the keys.
-
-#1. BUG FIXES SINCE 3.8.7
-
-## Fixed issue where a cipher suite could be negotiated that did not match the authentication type for the keys.
-
-This manifested in the default apps/ssl/server.c example when Chrome was connected. It negotiated an ECDSA based cipher even though keys loaded by default were RSA keys.
-
-
-Changes in 3.8.7
-----------------
-
-> **Version 3.8.7**
-> November 2016
-> (C) Copyright 2016 INSIDE Secure - All Rights Reserved
-
-
-
-1. BUG FIXES SINCE 3.8.6
- - Fixed Wrong Computation Results Bug In pstm.c Division
- - Fixed Memory Corruption In psDhImportPubKey
- - Fixed RSA Public Key Read Overflow
- - X.509/CRL/OCSP Timestamp Validation
- - Unix Year 2038 Problem Fix
- - Stricter OID Comparison
- - Multibyte String Handling
- - Configuration Robustness Improvements
- - X.509 Certificate Parsing Read Overflow
- - PKCS #8 Buffer Read Overflow
- - OCSP Bug Fixes
- - Generic Bug Fixes For Test Programs
- - Changes to Recommended Configurations
- - psMutex Locking and Unlocking APIs Compiler Warnings Removed
- - MD5 and SHA-1 Combined Digest Function
- - Coverity Issues Fixed
- - Yarrow Build Issues Fixed
-
-2. NEW FEATURES SINCE 3.8.6
- - SHA-512 for X.509 Certificates Improvements
- - OCSP Improvements
- - X.509 Certificate Domain Components
- - New Configuration: Minimal PSK
-
-
-#1. BUG FIXES SINCE 3.8.6
-
-## Fixed Wrong Computation Results Bug In pstm.c Division
-
-The bug could cause some big number mathematics to return wrong values when divisor and dividend are very far from each other.
-This issue is related to public key computation problems
-reported by Security Researcher [Hanno Böck](https://hboeck.de/).
-
-## Fixed Memory Corruption In psDhImportPubKey
-
-Importing Diffie-Hellman public key cleared some memory beyond end of the key.
-On some systems this bug may have caused memory corruption.
-
-## Fixed RSA Public Key Read Overflow
-
-When importing RSA key from certificate, maliciously crafted RSA public key could cause read buffer overflow and crash.
-
-## X.509/CRL/OCSP Timestamp Validation
-
-MatrixSSL accepted some X.509 certificates with illegal timestamps,
-such as leap day in an ordinary year. In additional, some two
-digit years were parsed incorrectly. Timestamp parsing has been
-altered everywhere to use new psBrokenDownDate API, which correctly
-handles these corner cases. Some of X.509 time parsing issues were
-reported by Sze Yiu Chau.
-
-## Unix Year 2038 Problem Fix
-
-On 32-bit Unix devices, time_t type, which is signed will overflow in 2038.
-A workaround was added that will allow timestamps and dates to be processed
-correctly by MatrixSSL on and after Tuesday 19 January 2038.
-
-## Stricter OID Comparison
-
-The OID comparison in MatrixSSL uses a simple non-cryptographic digest
-function, based on sum of bytes, which is not collision free. Comparison of OID
-binary representation was added to ensure unknown OIDs are not accidentally
-interpreted the same than some of existing OIDs.
-This issue was reported by Sze Yiu Chau.
-
-## Multibyte String Handling
-
-The MatrixSSL now includes function to recode strings containing multibyte
-(BMPString) characters as UTF-8 strings. This handling is applied to
-X.509 certificate fields, such as Subject Name. This allows code using
-MatrixSSL to work with BMPString input without actually knowing the encoding
-used.
-
-## Configuration Robustness Improvements
-
-MatrixSSL has been made more robust with configurations: changing
-configuration options is less likely to cause problems building the software.
-
-These improvements allow smaller configurations for embedded systems.
-(E.g. build without DTLS, or build only server-side or client-side support.)
-
-## X.509 Certificate Parsing Read Overflow
-
-Fixed read overflow from X.509 certificate date handling and
-removed possible buffer read overflow in parseGeneralNames().
-Without these fixes maliciously crafted X.509 certificate could
-cause software crash.
-
-
-## PKCS #8 Buffer Read Overflow
-
-Fixed reading overly large invalid PKCS #8 encoded private key.
-Without this fix, maliciously crafted PKCS #8 file could cause
-software crash.
-
-
-## OCSP Bug Fixes
-
-In lieu of OCSP improvements, small bugs in OCSP implementation have
-been fixed. The most notable bug was a memory leak.
-
-
-## Generic Bug Fixes For Test Programs
-
-Removed some warnings and memory leaks from test programs.
-Made test programs confirm to Unix/POSIX return value scheme on relevant
-platforms.
-
-
-## Changes to Recommended Configurations
-
-The recommended configurations have been edited slightly.
-Most notably, the tracing is disabled by default on non-debug configurations.
-
-
-## psMutex Locking and Unlocking APIs Compiler Warnings Removed
-
-Removed return value from psLockMutex() and psUnlockMutex() APIs.
-This removes several warnings regarding return values not being used.
-
-
-## MD5 and SHA-1 Combined Digest Function
-
-The MatrixSSL will now invoke combined MD5 and SHA-1 hash function `psMd5Sha1`,
-whenever possible instead of separate MD5 and SHA-1 hash functions.
-
-## Coverity Issues Fixed
-
-Implementation of `getTicketKeys` and `parseSSLHandshake`
-functions was changed to remove issues detected by Coverity.
-
-## Yarrow Build Issues Fixed
-
-MatrixSSL comes with a version of Yarrow PRNG. Its use has been deprecated,
-but the PRNG continued to be shipped with MatrixSSL. Unfortunately, the
-latest versions of MatrixSSL had compilation errors in yarrow.c.
-Those errors have been fixed, and the source code file has been marked
-deprecated.
-
-#2. NEW FEATURES SINCE 3.8.6
-
-## SHA-512 for X.509 Certificates Improvements
-
-MatrixSSL can use SHA-512 to sign self-signed certificate or certificate request. SHA-512 was already previously supported for verification of X.509 certificates.
-(This feature can be used only on MatrixSSL Commercial Edition.)
-
-## OCSP Improvements
-
-OCSP example application apps/crypto/ocsp.c
-(Commercial Edition Only) and MatrixSSL Developer Guide have
-been improved to give more documentation regarding OCSP request.
-OCSP request can now use requestorId feature and request status of list of certificates.
-
-## X.509 Certificate Domain Components
-
-Added Functions for obtaining contents of X.509 certificate Domain
-Component field(s).
-
-## New Configuration: Minimal PSK
-
-New configuration psk added. This configuration provides small footprint MatrixSSL build with only Pre-Shared Key and TLS 1.2 functionality using Matrix Crypto.
-
-
-Changes in 3.8.6
-----------------
-
-> **Version 3.8.6**
-> October 2016
-> (C) Copyright 2016 INSIDE Secure - All Rights Reserved
-
-1. BUG FIXES
- - Critical parsing bug for X.509 certificates
- - Critical TLS handshake parsing bugs
- - 4096 bit RSA key generation regression
- - General cleanup of build
- - MatrixSSH compatibility issue
-2. FEATURES AND IMPROVEMENTS
- - New configuration system for build options
- - `core/` changes
- - X.509 parsing and generation
- - `crypto/` changes
- - Removed OpenSSL API Emulation
-
-#1 BUG FIXES
-
-##Critical parsing bug for X.509 certificates
-Security Researcher [Craig Young](http://www.tripwire.com/state-of-security/contributors/craig-young/) reported two issues related to X.509 certificate parsing. An error in parsing a maliciously formatted Subject Alt Name field in a certificate could cause a crash due to a write beyond buffer and subsequent free of an unallocated block of memory. An error in parsing a maliciously formatted ASN.1 Bit Field primitive could cause a crash due to a memory read beyond allocated memory.
-
-##Critical TLS handshake parsing bugs
-Security Researcher [Andreas Walz](http://ivesk.hs-offenburg.de/) reported three issues related to processing the ClientHello message.
-
- - The length of the TLS record was not being strictly checked against the length of the extensions field, so that additional unparsed data could be added between the end of extensions and the end of the record. This presents some level of uncertainty in how extensions may be interpreted and could present a security issue.
- - ClientHello parsing was not verifying that a NULL compression suite was sent by the client, as required by the RFC. This did not present a security issue (NULL compression was always forced), but improves strict adherence to the specification.
- - For TLS connections (not DTLS), the major version proposed in the ClientHello suggested by RFC 5246 to only allow the byte value `0x03`. Now the connection is terminated if a value other than this is suggested. Previously the suggested major version field was simply echoed back in the ServerHello message, and treated as `0x03`.
-
-##4096 bit RSA key generation regression
-In some cases RSA key generation of 4096 bit keys would fail and return with an error code. This regression issue has been fixed and key generation will once again succeed.
-
-##General cleanup of build
-Warnings across multiple platforms and compilers were fixed. Various compile time configuration combination build issues were fixed.
-
-##MatrixSSH compatibility issue
-Newer versions of MatrixSSH server were incompatible with the PuTTY client. A fix has been included and enabled by default `USE_PUTTY_WORKAROUND`.
-*Note this does not affect the standard MatrixSSL codebase*.
-
-#2 FEATURES AND IMPROVEMENTS
-
-##New configuration system for build options
-A new top level directory `configs/` now holds several sets of configuration files for MatrixSSL to simplify configuration sets. This method also allows custom sets to be developed specific to a given use case (for example a RSA only build). The following three configuration files now are copied at build time from the `configs` directory:
-
-```
-core/coreConfig.h
-crypto/cryptoConfig.h
-matrixssl/matrixsslConfig.h
-```
-
-> **The default configuration settings for MatrixSSL may have changed from your current settings. Please confirm all settings in these three files after updating.**
-
-From a fresh package, the build process is the same as before: simply type `make`. It will build the software using the default configuration options.
-
-To use a different configuration, for example `configs/noecc`:
-
-```
-$ make clean && make all-noecc
-```
-
-Once a configuration is set, `make` and `make clean` will continue to use the same configuration unless a new one is selected as above.
-
-##`core/` changes
- - Added warning helper macros
- - Additional `PS_` return codes
- - Buffer helper APIs in `psbuf.h`
- - Foundation for `PS_NETWORKING` support for sockets level API
- - `psMutex_t` API return code change, now returns `void` and will call `abort()` on POSIX platforms.
- - `test/` new self-test directory
- - Change in default Linux compile options in `common.mk`
-
-##X.509 parsing and generation
-Added additional field parsing support for X.509, including multiple OU support. Commercial release adds additional certificate creation support, as well as an API set and test suite for programmatically creating certificates. See _MatrixKeyAndCertGeneration.pdf_ for full description.
-
-##`crypto/` changes
- - Added `*PreInit()` APIs for hash functions for compatibility with FIPS library and hardware token requirements
- - Added `psX509GetCertPublicKeyDer()` API
- - Support `dsa_sig` OID for certificates`
- - Support for `ASN_VISIBLE_STRING`
- - Moved CRL functionality into `keyformat/crl.c`
- - Support for parsing an implicitly encoded ECC key without a DER header, as sometimes encountered in the wild.
- - Added PKCS#8 import
- - `ALLOW_VERSION_1_ROOT_CERT_PARSE` configuration option for loading legacy v1 certificates as trusted roots only (default not enabled). Loading as intermediate or leaf certificates is insecure and still not allowed.
-
-##Removed OpenSSL API Emulation
- - `opensslApi.c` and `opensslSocket.c` files removed temporarily in anticipation of moving to a more fully supported OpenSSL layer.
-
-Changes in 3.8.5
-----------------
-
-> **Version 3.8.5**
-> September 2016
-> *Note: 3.8.5 was a limited customer release only.*
-
-Changes in 3.8.4
-----------------
-
-> **Version 3.8.4**
-> July 2016
-> (C) Copyright 2016 INSIDE Secure - All Rights Reserved
-
-1. FEATURES AND IMPROVEMENTS
- - Coverity coverage
- - HTTP/2 restrictions via ALPN
- - Enhanced example apps
- - Process shared Session Cache
- - Enhanced CRL and OCSP support
- - Windows support for certificate date validation
-2. BUG FIXES
- - Critical parsing bug for RSA encrypted blobs
- - Additional restrictions on bignum operations
- - Fixed error in disabled cipher flags
- - Fixed error in DTLS encoding
- - SSLv3 only support fixed
- - Assembly compatibility with more compilers
-
-#1 FEATURES AND IMPROVEMENTS
-
-##Coverity coverage
-MatrixSSL now has zero outstanding defects in [Coverity Static Analysis](https://scan.coverity.com/projects/matrixssl-matrixssl).
-
-##HTTP/2 restrictions via ALPN
-MatrixSSL server code will automatically evaluate the ALPN extension and appropriately restrict the cipher suites and key exchange methods if the HTTP/2 protocol is being used. Per the [HTTP/2 spec](https://tools.ietf.org/html/rfc7540#appendix-A), only AEAD cipher suites and Ephemeral key exchange methods are allowed.
-
-##Enhanced example apps
-Example applications now take additional command line options and also support CRL request and response generation.
-
-##Process shared Session Cache
-Minimal support for a process-shared server session resumption cache is now supported via process-shared mutexes on Linux.
-
-##Enhanced CRL and OCSP support
-A new file _crypto/keyformat/crl.c_ defines additional apis for more complex CRL (Certificate Revocation List) and OCSP support.
-
-##Windows support for certificate date validation
-Previously only Posix based platforms were supported.
-
-#2 BUG FIXES
-
-##Critical parsing bug for RSA encrypted blobs
-Security Researcher [Hanno Böck](https://hboeck.de/) reported several issues related to RSA and bignum operations. An error in parsing a maliciously formatted public key block could produce a remotely triggered crash in SSL server parsing. Additional restrictions on the values provided to RSA and DH operations were also added, although an exploit has not been found.
-
-##Additional restrictions on bignum operations
-The MatrixSSL bignum library, located in _crypto/math/_ was optimized and reduced in size to support only key sizes and operations used by standard RSA, ECC and DH operations (those apis present in _crypto/cryptoApi.h_). Additional constraint checking has been added to the code to prevent unsupported key sizes and values. Users requiring generic bignum operations should take a look at libtomcrypt, GMP, Python or OpenSSL.
-
-##Fixed error in disabled cipher flags
-The optional disabling or enabling of specific ciphers at runtime per session was recently broken (now fixed) due to an errant flags calculation using `<` instead of `<<`.
-
-##Fixed error in DTLS encoding
-An error was returned if attempting to encode a DTLS message exactly the PMTU size.
-
-##SSLv3 only support fixed
-SSLv3 mode is not recommended for deployment, but had become broken in a recent build. It can now be enabled again.
-
-## Assembly compatibility with more compilers
-Fixed "invalid register constraints" error on some versions of GCC and LLVM for ARM, MIPS and x86_64.
-
-Changes in 3.8.3
-----------------
-
-> **Version 3.8.3**
-> April 2016
-> (C) Copyright 2016 INSIDE Secure - All Rights Reserved
-
-1. FEATURES AND IMPROVEMENTS
- - Simplified Configuration Options
- - DTLS Combined Package
- - CHACHA20_POLY1305 Cipher Suites
- - Libsodium Crypto Provider
- - Extended Master Secret
- - Online Certificate Status Protocol
- - TLS Fallback SCSV
- - Trusted CA Indication Extension
- - Removed gmt_unix_time from client and server random
- - Removed support for SSLv2 CLIENT_HELLO messages
- - Ephemeral ECC Key Caching
-2. BUG FIXES
- - Support for parsing large certificate blobs
- - X.509 certificate parse fix for issuerUniqueID and subjectUniqueID
- - Diffie-Hellman public key exchange bug
- - SHA512 based Server Key Exchange signatures
- - Allow independent hashSigAlg identifiers in Certificate Request message
- - Improvements to DTLS Cookie handling
- - Fixed key type verification for chosen cipher suite
- - Validation of RSA Signature Creation
- - Side Channel Vulnerability on RSA Cipher Suites
- - Access Violation on Malicious TLS Record
-
-#1 FEATURES AND IMPROVEMENTS
-
-##Simplified Configuration Options
-The configuration files _coreConfig.h_, _cryptoConfig.h_ and _matrixsslConfig.h_ have been simplified, and the default options have been changed to improve security and code size.
-
-- Many of the insecure algorithms or deprecated options that can be
- enabled in _cryptoConfig.h_ and _matrixsslConfig.h_ have been moved
- into _cryptolib.h_ and _matrixssllib.h_, respectively.
-- TLS 1.1 is now the default minimum TLS version compiled in. The new
- `USE_TLS_1_1_AND_ABOVE` setting enables this.
-- Rehandshaking on an existing connection is now disabled completely by
- default with the `USE_REHANDSHAKING` configuration option.
-
-##DTLS Combined Package
-DTLS is now packaged with MatrixSSL, and can be enabled with the `USE_DTLS` configuration option. TLS and DTLS connections can be made simultaneously with the same application.
-
-##CHACHA20_POLY1305 Cipher Suites
-MatrixSSL now has support for ChaCha20-Poly1305 cipher suites compatible with RFC draft https://tools.ietf.org/html/draft-ietf-tls-chacha20-poly1305.
-The supported cipher suites are defined for TLS 1.2 and can be enabled at compile time.
-
-_cryptoConfig.h_
-: `USE_CHACHA20_POLY1305`
-
-_matrixsslConfig.h_
-: `TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256`
-`TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256`
-
-MatrixSSL must be linked with the libsodium library to provide implementation of the crypto primitives.
-
-##Libsodium Crypto Provider
-MatrixSSL now includes a layer for crypto primitives to the *libsodium* crypto library, in addition to the *OpenSSL libcrypto* and the native (default) MatrixSSL crypto library. *libsodium* provides crypto primitives for ChaCha20 and Poly1305. In addition, enabling the layer will use *libsodium* primitives for SHA256/SHA384/SHA512 based hashes and AES-256-GCM ciphers that provide high performance on *Intel* platforms.
-
-> As of this release, the current version of libsodium is available here:
-https://download.libsodium.org/libsodium/releases/libsodium-1.0.8.tar.gz
-To build libsodium, follow the instructions here:
-https://download.libsodium.org/doc/installation/index.html
-
-To enable in the MatrixSSL make system, enable the following and rebuild:
-
-_common.mk_
-: `PS_LIBSODIUM:=1`
-`LIBSODIUM_ROOT:=`*(path_to_libsodium_build)*
-
-##Extended Master Secret
-The “extended master secret” as specified in [RFC 7627](https://tools.ietf.org/html/rfc7627) is an important security feature for TLS implementations that use session resumption. The extended master secret feature associates the internal TLS master secret directly to the connection context to prevent man-in-the-middle attacks during session resumption. One such attack is a synchronizing triple handshake as described in [Triple Handshakes and Cookie Cutters: Breaking and Fixing Authentication over TLS](https://mitls.org/pages/attacks/3SHAKE).
-
-See the _Extended Master Secret_ section in the _MatrixSSL API_ document for details.
-
-##Online Certificate Status Protocol
-The Online Certificate Status Protocol (OCSP) is an alternative to the Certificate Revocation List (CRL) mechanism for performing certificate revocation tests on server keys. TLS integrates with OCSP in a mechanism known as “OCSP stapling”. This feature allows the client to request that the server provide a time-stamped OCSP response when presenting the X.509 certificate during the TLS handshake. The primary goal for this scheme is to allow resource constrained clients to perform certificate revocation tests without having to communicate with an OCSP Responder themselves.
-
-See the _OCSP Revocation_ section in the _MatrixSSL API_ document for details.
-
-##TLS Fallback SCSV
-The RFC for detecting version rollback attacks has been implemented per [RFC7507](https://tools.ietf.org/html/rfc7507). See the _MatrixSSL Developer’s Guide_ for more information.
-
-##Trusted CA Indication Extension
-The Trusted CA Indication extension is specified in [RFC 6066](https://tools.ietf.org/html/rfc6066). This feature allows TLS clients to send their list of certificate authorities to servers in the `CLIENT_HELLO` message.
-See the Trusted CA Indication section in the _MatrixSSL_API_ document for details.
-
-##Removed gmt_unix_time from client and server random
-The TLS RFC specifies that the first 4 bytes of the `CLIENT_HELLO` and `SERVER_HELLO` random values be the current platform time. Current best practices recommend using random data for all 32 bytes. MatrixSSL now uses all random data by default.
-
-##Removed support for SSLv2 CLIENT_HELLO messages
-SSLv2 `CLIENT_HELLO` parsing was previously supported to maintain compatibility with very old TLS implementations. Although this does not present a security risk at this time, the code has been removed, and only modern TLS record header parsing is supported.
-
-##Ephemeral ECC Key Caching
-Previous versions of MatrixSSL generated new, unique ephemeral keys for each connection using `ECDHE_` cipher suites, as per NIST recommendations. Beginning with this version, ephemeral keys are cached and re-used for connections within a time frame of two hours and a maximum usage of 1000 times. This improves performance of ECDHE suites, and is inline with the configuration current web browsers. This feature can be configured in _matrixsslConfig.h_.
-
-#2 BUG FIXES
-
-##Support for parsing large certificate blobs
-Certificate collections larger than 64KB were not being parsed correctly after a change to some data types (32 bit to 16 bit) in the parsing code. This bug is now fixed and large collections of certificates are now parsing correctly.
-
-##X.509 certificate parse fix for issuerUniqueID and subjectUniqueID
-Previous MatrixSSL versions could not parse these rarely encountered members of X.509 certificates.
-
-##Diffie-Hellman public key exchange bug
-MatrixSSL clients would not successfully handshake with servers that sent Diffie-Hellman public keys that were not the same byte length as the DH group Prime parameter. Clients will now successfully handshake with servers that provide shorter length public keys.
-
-##SHA512 based Server Key Exchange signatures
-SHA512 was not supported for `SERVER_KEY_EXCHANGE` messages in previous versions.
-
-##Allow independent hashSigAlg identifiers in Certificate Request message
-Previous client versions of MatrixSSL would not allow servers to send signature algorithm identifiers that were not already specified by the client in the `CLIENT_HELLO` message. Now, the client will correctly allow the server to send an independent list of supported algorithms and the client will look for matches from that list.
-
-##Improvements to DTLS Cookie handling
-HMAC-SHA1 or HMAC-SHA256 are now used to generate the DTLS cookie, and additional checking is done on the cookie for Denial-of-Service prevention.
-
-##Fixed key type verification for chosen cipher suite
-An internal verification function that determined whether the server key type was correct for the chosen cipher suite has now been fixed. Previous versions would sometimes incorrectly determine the server was using the wrong key type if the server was using a certificate chain where parent certificates did not use the same key type. This bug resulted in a failed handshake and is now fixed.
-
-##Validation of RSA Signature Creation
-An internal RSA validation of created signatures has been added to the library in the `psRsaEncryptPriv()` function.
-
-Security researcher Florian Weimer has shown it is possible for RSA private key information to leak under some special failure circumstances. Information on the exploit can be found here: https://people.redhat.com/~fweimer/rsa-crt-leaks.pdf
-
-The potential leak is only possible if a `DHE_RSA` based cipher suite is supported on the server side. This is the only handshake combination in which an RSA signature is sent over the wire (during the `SERVER_KEY_EXCHANGE` message). The signature itself must have been incorrectly generated for the exploit to be possible.
-
-The additional signature validation test will now cause the TLS handshake to fail prior to a faulty signature being sent to the client.
-
-##Side Channel Vulnerability on RSA Cipher Suites
-A Bleichenbacher variant attack, where certain information is leaked from the results of a RSA private key operation has been reported by a security researcher. The code has been updated to error without providing any information on the premaster contents.
-Thank you to Juraj Somorovsky, author of [TLS-Attacker](https://github.com/RUB-NDS/TLS-Attacker)
-> Note that other side channel attacks may still be possible as MatrixSSL non-FIPS crypto is not always constant-time.
-
-##Access Violation on Malicious TLS Record
-TLS cipher suites with CBC mode in TLS 1.1 and 1.2 could have an access violation (read beyond memory) with a maliciously crafted message. Thank you to Juraj Somorovsky, author of [TLS-Attacker](https://github.com/RUB-NDS/TLS-Attacker)
-
-#3 KNOWN ISSUES
-
-- *Microsoft Windows* targets do not support certificate date validation currently. Users requiring this feature can use Windows APIs to get and parse the current date, using the POSIX implementation as a reference.
-- *Arm* platforms linking with some versions of *OpenSSL* `libcrypto` library may have errors in AES-CBC cipher suites due to the library's inability to handle in-situ encryption within the same block.
-
-Changes in 3.8.2
-----------------
-
-> **Version 3.8.2**
-> December 2015
-> (C) Copyright 2015 INSIDE Secure - All Rights Reserved
-
-1. FILE/API REORGANIZATION
- - File Locations
- - Crypto API
-2. SECURITY IMPROVEMENTS
- - Simplified Configuration
- - Deprecated Ciphers
- - Deprecated TLS Features
- - Key Strength
- - Ephemeral Cipher Suites Enabled by Default
- - ECC Curve List
- - Reordered cipher suite preferences
- - memset_s()
- - Handshake State Machine Improvements
-3. FEATURES AND IMPROVEMENTS
- - DTLS Protocol Included
- - Optimized Diffie-Hellman performance
- - Optimized EC signature generation performance
- - OpenSSL Crypto Primitive Provider
- - OpenSSL TLS API layer
- - Reduced TLS session footprint
- - X.509 Improvements
- - PKCS#12 Key Parsing
- - Improved certificate callback example
- - Per digest control of HMAC algorithms
- - Default high resolution timing
- - Assert and Error Optimizations
-4. BUG FIXES
- - 64 bit little endian platforms
- - X.509 KeyUsage extension
- - X.509 date validation fix
- - Fixed handshake parse issue
- - TLS server sending old self-signed certificate
- - Fixed ECC variable encoding bugs
- - DHE_PSK compatibility
- - AES-GCM with AESNI
- - Library configuration test
- - Windows psGetFileBuf
-
-#1 FILE/API REORGANIZATION
-
-##File Locations
-MatrixSSL 3.8.2 introduces directory changes to the distribution since 3.7.2
-
-TLS/DTLS example apps moved from ./apps to ./apps/ssl and ./apps/dtls.
-Test keys and certificates moved from ./sampleCerts to ./testkeys.
-XCode and Visual Studio projects moved to ./xcode and ./visualstudio.
-
-Several file changes and renames are present as well:
-
-TLS Decoding moved ./matrixssl/sslDecode.c from ./matrixssl/sslDecode.c,
-./matrixssl/hsDecode.c and ./matrixssl/extDecode.c.
-Private key import/export from ./crypto/pubkey/pkcs.c. to
-./crypto/keyformat/pkcs.c.
-Configuration consistency and sanity checks from ./matrixssl/matrixssllib.h
-to ./matrixssl/matrixsslCheck.h.
-
-##Crypto API
-The API layers into the raw cryptographic operations have been significantly changed. The crypto API changes do not affect the main MatrixSSL API for creating TLS sessions, etc. However, developers who interface with crypto directly, or who want to write a custom hardware layer will be interested in the new layer.
-
-###API Model
-The cryptography API for symmetric crypto, digests and HMAC follow the common model:
-
-**Init API**
-: Initializes the cipher and returns an error on failure (typically due to bad input parameters or insufficient memory).
-
-**Encrypt/Decrypt/Update API**
-: Performs the operation and does not return an error code (previously some APIs would return the number of bytes decrypted).
-
-**Clear API**
-: Zero and/or free any associated memory associated with the cipher.
-
-###Standard Types
-Standard C99 types from `` are used to specify integer parameters.
-
-`uint8_t`
-: The length of an IV, password or an AES-GCM tag
-
-`uint16_t`
-: The length of an asymmetric key (RSA/DH/ECC), a HMAC key or Additional Authenticated Data (AAD) for an AEAD cipher such as AES-GCM.
-
-`uint32_t`
-: The length of data to be processed by the cipher
-
-`uint64_t`: Internally used by crypto library to store large counter values and when optimizing for 64 bit platforms.
-
-###Const Correctness
-Pointers to values that are not modified are marked `const`.
-
-###API Name changes
-API names have been standardized as follows:
-
-Initialization of low level AES block cipher from psAesInitKey to psAesInitBlockKey.
-AES CBC from psAesInit, psAesDecrypt and psAesEncrypt to psAesInitCBC, psAesDecryptCBC and psAesEncryptCBC.
-SHA2 HMAC from psHmacSha2 to psHmacSha256 and psHmacSha384.
-ECC signature creation from psEccSignHash to psEccDsaSign.
-ECC signature validation from psEcDsaValidateSignature to psEccDsaVerify.
-
-###Standardized Context Names
-Cryptographic functions that used to accept generic “context” identifiers now require the specific key/algorithm structure, for example:
-
-HMAC family from psHmacContext_t to psHmacSha1_t, psHmacSha256_t, ...
-Digest family from psDigestContext_t to psSha1_t, psSha256_t, etc...
-Symmetric family from psCipherContext_t to psAesCbc_t, psAesGcm_t, psDes3Key_t
-RSA private key parse (pkcs1) from psPubKey_t to psRsaKey_t.
-ECC private key parse from psPubKey_t to psEccKey_t.
-
-###Standardized Return Types
-In general, Init apis return a standard `PS_*` status code. A status code that is not `PS_SUCCESS` typically indicates invalid input parameters or a resource allocation failure. Update and Clear APIs no longer have a return. For example:
-
-HMAC Init from void to int32_t.
-HMAC Final from int32_t to void.
-Digest Init from void to int32_t.
-Digest Final from int32_t to void.
-
-###Memory Model
-In general, APIs now take an allocated cipher structure, and do not allocate the structure in the Init routine. In the past, the memory allocation model was inconsistent.
-
-For ECC and DH, there are now additional APIs that allow the key to be allocated and initialized, to complement the APIs which just initialize the keys.
-
-The Clear API must always be called when done with a context, as some algorithms internally allocate additional memory for operation.
-
-#2 SECURITY IMPROVEMENTS
-
-##Simplified Configuration
-The configuration of ciphers and cipher suites in _crypto/cryptoConfig.h_ and _matrixssl/matrixsslConfig.h_ has been simplified considerably. Existing and new users of MatrixSSL should take a look at these files to understand the various options and features supported.
-
-##Deprecated Ciphers
-- ARC4, SEED, IDEA, RC2, MD4 and MD2 are deprecated, and not enabled by default in _cryptoConfig.h_
-- MD5 and SHA1 are not recommended for use, but enabled by default because they are required for TLS protocols before version 1.2. Although they are enabled in _cryptoConfig.h,_ their use within the TLS protocol is limited to where required, and they can be independently disabled from use as a certificate signature algorithm and an HMAC algorithm. The new crypto primitive `psMd5Sha1_t` is intended to replace standalone MD5 or SHA1 use outside of where required in TLS.
-- 3DES is not deprecated, but be aware of key strength limitations vs. AES-128 and AES-256.
-
-##Deprecated TLS Features
-- TLS cipher suites that rely on deprecated crypto algorithms have also been deprecated in matrixsslConfig.h
-- TLS Compression support is now deprecated and the option removed from the configuration.
-- False Start support is now deprecated and the option removed from the configuration.
-
-##Key Strength
-Key strength defines have not changed since previous releases, however it should be noted that the default minimum RSA/DH sizes of 1024 and ECC sizes of 192 do not meet a growing number of security standards and larger keys should be beginning to be deployed.
-
-##Ephemeral Cipher Suites Enabled by Default
-ECDHE and DHE cipher suites are now enabled by default. Be aware that for embedded platforms, this may require significant additional CPU load.
-
-##ECC Curve List
-The supported ECC Curve list is now always given in bit-strength order. This ensures that when negotiating EC Parameters, the strongest available will be used.
-
-##Reordered cipher suite preferences
-Clients send a priority list order of cipher suites during TLS negotiations, and servers use a priority list of ciphers to pick a common cipher for the connection.
-
-MatrixSSL orders this list using the following rules, resulting in some change to the cipher suite preference order in _cipherSuite.c_. In order to make as secure a connection as possible, the parameters of Authentication, Data Integrity and Data Security were taken in that order to generate a new cipher preference list. In places where these parameters are of equivalent strength, the faster algorithm is preferred (although the “faster” algorithm often depends on the platform). *Currently DHE is prioritized over ECDHE due only to performance. In future releases, ECDHE may be the preferred key exchange mode.*
-
-The ordering of the ciphers is grouped and sub-grouped by the following:
-
-1. Non-deprecated
-2. Ephemeral
-3. Authentication Method (PKI > PSK > anon)
-4. Hash Strength (SHA384 > SHA256 > SHA > MD5)
-5. Cipher Strength (AES256 > AES128 > 3DES > ARC4 > SEED > IDEA > NULL)
-6. PKI Key Exchange (DHE* > ECDHE > ECDH > RSA > PSK)
-7. Cipher Mode (GCM > CBC)
-8. PKI Authentication Method (ECDSA > RSA > PSK)
-
-##memset_s()
-Use the `memset_s()` api to zero memory regardless of compiler optimization which might skip zeroing for memory that is not subsequently used. For platforms without a built in implementation, `memset_s()` is automatically built in `core/memset_s.c`
-
-##Handshake State Machine Improvements
-
-###Simplified code paths
-The handshake decode state machine was split among additional files and functions. Switch statements replace other logic to more clearly show each case and its result. The state machine is still quite complex due to the large number of modes and states that are supported in MatrixSSL. Always consult support when making changes to the state machine.
-
-###Multiple state tracking
-Connection state tracking has always been implemented as "expected next state", with no security issues. However for a double check, MatrixSSL now implements independent tracking of the last state encoded and decoded, as well as the expected next state.
-
-###More strict extension processing
-The extension parsing is more strict in what can be accepted and when.
-
-#3 FEATURES AND IMPROVEMENTS
-
-##DTLS Protocol Included
-Beginning in the 3.8.2 version of MatrixSSL, the DTLS 1.0 and DTLS 1.2 protocols are included in MatrixSSL open source package.
-
-Enable `USE_DTLS` in _./matrixssl/matrixsslConfig.h_ to include it in library. Additional documentation, app examples, and test code is included to aid in development.
-
-##Optimized Diffie-Hellman performance
-Use smaller generated key sizes for a given DH prime field size per [NIST SP 800-57 Part 1](http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r4.pdf). This provides up to a 9x performance gain for DH operations, greatly increasing the speed of ephemeral ciphers using DH.
-
-##Optimized EC signature generation performance
-Improved performance for finding valid ECC key pairs, especially on larger key sizes.
-
-##OpenSSL Crypto Primitive Provider
-Allows MatrixSSL to be linked against _OpenSSL_ `libcrypto` as a crypto primitive provider. This allows platforms that use _OpenSSL_ as their crypto API (such as _Cavium Octeon_) provide hardware acceleration to MatrixSSL applications.
-
-##OpenSSL TLS API layer
-Users wishing to replace _OpenSSL_ with MatrixSSL often desire a layer that will ease the integration. MatrixSSL 3.8.2 includes an _OpenSSL_API layer that was previously provided upon request. This layer is found in the _./matrixssl_ directory in the _opensslApi.c_and _opensslSocket.c_ files. The _opensslApi.h_ and _opensslSocket.h_ headers define the interface.
-
-##Reduced TLS session footprint
-The size of each TLS session was reduced by 512 bytes for AES cipher suites, and additionally by ~100 bytes for all cipher suites.
-
-##X.509 Improvements
-OID parsing has been improved and provides better feedback on error. SHA-512 signed certificates are now supported.
-
-##PKCS#12 Key Parsing
-Support for longer passwords and additional private key bag.
-
-##Improved certificate callback example
-The _./apps/ssl/client.c_ application now has a more robust processing example to help integrators understand the relationship between the incoming `alert` value and the individual `authStatus` members of the server’s certificate chain.
-
-##Per digest control of HMAC algorithms
-Each HMAC algorithm can now be specifically enabled/disabled with `USE_HMAC_(digest)` defines in _cryptoConfig.h_
-
-##Default high resolution timing
-POSIX platforms will have high-resolution timers active by default
-
-##Assert and Error Optimizations
-`USE_CORE_ASSERT` and `USE_CORE_ERROR` can now be disabled in _coreConfig.h_. This can reduce code size by removing the static strings used in errors and asserts. Recommended for final deployment only.
-
-#4 BUG FIXES
-
-##64 bit little endian platforms
-The `STORE32L` macro in _cryptolib.h_ has been fixed for little endian 64 platforms. The `STORE32H` macro in _cryptolib.h_ has been fixed for big endian 64 platforms not using assembly language optimizations.
-Platforms such as *MIPS64* are now automatically detected by the build system.
-
-##X.509 KeyUsage extension
-Fixed the parse to allow for `BIT_STRING` lengths longer than should be expected.
-
-##X.509 date validation fix
-A bug has been fixed in the `validateDateRange()` function in _x509.c_. In previous versions, the time format (`ASN_UTCTIME`, etc..) of the `notAfter` date was being set based on the `notBefore` field. This bug would have caused problems for certificates that used different time formats for the `notBefore` and `notAfter` fields.
-
-##Fixed handshake parse issue
-A bug was found on the server side while parsing a specific case of handshake messages from a client. If the cipher suite used a key exchange mechanism of ECDHE or ECHE, and the handshake was using client authentication, and the client was sending the `CLIENT_KEY_EXCHANGE` message and `CERTIFICATE_VERIFY` message in a single record, the MatrixSSL server was unable to parse that flight and would close the connection. This is now fixed.
-
-##TLS server sending old self-signed certificate
-A bug has been fixed so that if a server sends a self-signed certificate that does not contain the `AuthorityKeyIdentifier` extension, the authentication logic will detect that and not report an error to the certificate callback.
-> Servers shouldn’t send self-signed certificates in the `CERTIFICATE` message. Client must still always have the same self-signed cert loaded in order to authenticate.
-
-##Fixed ECC variable encoding bugs
-For Client Auth rehandshakes, the variable signature sizes of ECDSA resulted in an issue when clients were creating the encrypted `CERTIFICATE_VERIFY` message.
-`secp224r1` curves also had an additional bug that could cause an invalid signature in some cases due to the variable encoding rules.
-
-##DHE_PSK compatibility
-Fixed issue with `DHE_PSK` ciphers when a `PSK_ID` was not used. Previously a handshake alert would occur.
-
-##AES-GCM with AESNI
-Fixed an issue causing an invalid encoding of large data buffers with aes-gcm on Intel platforms with AESNI.
-
-##Library configuration test
-The mechanism to test that MatrixSSL applications have been compiled using the same configuration as the MatrixSSL static libraries has been fixed.
-
-##Windows psGetFileBuf
-Parameters to `CreateFileA()` are now correct for opening existing files.
-
-#5 KNOWN ISSUES
-- *Microsoft Windows* targets do not support certificate date validation currently. Users requiring this feature can use Windows APIs to get and parse the current date, using the POSIX implementation as a reference.
-- *Arm* platforms linking with some versions of *OpenSSL* `libcrypto` library may have errors in AES-CBC cipher suites due to the library's inability to handle in-situ encryption within the same block.
diff --git a/doc/CHANGES.txt b/doc/CHANGES.txt
deleted file mode 100644
index 82dc1d6..0000000
--- a/doc/CHANGES.txt
+++ /dev/null
@@ -1,1390 +0,0 @@
-
-
-MATRIXSSL RELEASE NOTES
-
-
-Changes in 3.9.0
-
- VERSION 3.9.0 March 2017 (C) Copyright 2017 INSIDE Secure - All Rights
- Reserved
-
-1. BUG FIXES SINCE 3.8.7b
-
-- Fixed server-side handling of client authentication with Server Name
- Indication
-- Constant Time Modular Exponentiation
-
-2. NEW FEATURES SINCE 3.8.7b
-
-- RFC 5280 Compliant Certificate Matching
-- Certificate Validation Configuration Options
-- Client Authentication using an External Security Token
-- X.509 Generation Improvements (Commercial Edition Only)
-- Added psX509GetOnelineDN API
-- Added matrixValidateCertsExt API
-- Support for RSA-MD2 and RSA-MD5 Signatures in CSR and CRL Parsing
-- ALLOW_CRL_ISSUERS_WITHOUT_KEYUSAGE Compatibility Option
-
-3. OTHER CHANGES SINCE 3.8.7b
-
-- Indent style changes
-
-
-
-1. BUG FIXES SINCE 3.8.7B
-
-
-Fixed server-side handling of client authentication with Server Name Indication
-
-This bug caused client authentication to fail when MatrixSSL was used as
-the server and the client was sending the Server Name Indication
-extension.
-
-
-Constant Time Modular Exponentiation
-
-It was reported by Andreas Zankl that Matrix Crypto implementation had a
-side-channel information leak via instruction cache. In response to the
-research, Matrix Crypto modular exponentiation was changed to use code
-that does not leak information via instruction cache and uses
-constant-time execution. The new code is slower. (Note: The SafeZone
-CL/CLS cryptography used in MatrixSSL FIPS Edition has been using
-constant time modular exponention before.)
-
-
-
-2. NEW FEATURES SINCE 3.8.7B
-
-
-RFC 5280 Compliant Certificate Matching
-
-Matching certificate fields in MatrixSSL has been improved. MatrixSSL
-now implements the requirement from RFC 5280 that Subject Alternative
-Name is used for matching instead of subject Common Name if alternative
-name is available. Subject Alternative Name contain more precise
-information on the type of the field and thus avoids false positive
-field matches. MatrixSSL now allows RFC 5280 compliant matching of email
-addresses, where only domain name part is case insensitive. It is now
-possible to specify the type of name to match with new session options.
-See the Session Options section in the MatrixSSL APIs manual for
-details.
-
-The issues in certificate matching were reported by Suphannee Sivakorn
-from Columbia University.
-
-
-Certificate Validation Configuration Options
-
-New session options have been added for configuring MatrixSSL's internal
-certificate validation process. These include options for specifying the
-field in the server certificate against which the expected server name
-should be matched, an option to limit the maximum certificate chain
-validation depth and options for retaining the peer certificate after
-processing. See the Session Options section in the MatrixSSL APIs manual
-for details.
-
-
-Client Authentication using an External Security Token
-
-MatrixSSL's external client authentication feature allows client-side
-private key operation in TLS client authentication, i.e. the signing of
-the handshake_messages hash in the CertificateVerify handshake message,
-to be offloaded from MatrixSSL to an external module such as a security
-or authentication token. See the MatrixSSL External Module Integration
-manual for details.
-
-
-X.509 Generation Improvements (Commercial Edition Only)
-
-Support has been added for encoding the netscape-comment certificate
-extension. The psParseCertReqBufExt API has been added. This version of
-psParseCertReqBufExt allows storing additional information from the
-parsed CSR. Another additional API is psX509SetPublicKey, which can be
-used to set the public key in a psCertConfig_t struct, before it is
-passed to the CSR or certificate encoding routines. See the MatrixSSL
-Certificates and Certificate Revocation Lists manual for details.
-
-
-Added psX509GetOnelineDN API
-
-The new psX509GetOnelineDN API can be used to generate a one-line string
-representation of a Distinguished Name.
-
-
-Added matrixValidateCertsExt API
-
-The new matrixValidateCertsExt API has an additional options struct
-argument for configuring some aspects of the certificate chain
-validation process. The old matrixValidateCerts API is now deprecated.
-
-
-Support for RSA-MD2 and RSA-MD5 Signatures in CSR and CRL Parsing
-
-Support for RSA-MD2 and RSA-MD5 signature verification has been added to
-CSR parsing, and support for RSA-MD2 signature verification has been
-added to CRL parsing. These insecure, legacy algorithms are disabled by
-default, but they can be enabled by defining USE_MD2 or USE_MD5.
-
-
-ALLOW_CRL_ISSUERS_WITHOUT_KEYUSAGE Compatibility Option
-
-The ALLOW_CRL_ISSUERS_WITHOUT_KEYUSAGE build-time option allows CRL
-authentication to succeed even when signer CA's cert does not have the
-keyUsage extension and thus no cRLSign bit. This option is for
-compatibility with old CRL issuer certs. RFC 5280 requires CRL issuer
-certs to have the keyUsage extension and the cRLSign bit.
-
-
-
-3. OTHER CHANGES SINCE 3.8.7B
-
-
-Indent style changes
-
-Indent style has been changed and made more consistent accross source
-and header files.
-
-
-Changes in 3.8.7b
-
- VERSION 3.8.7B January 2017 (C) Copyright 2017 INSIDE Secure - All
- Rights Reserved
-
-1. BUG FIXES SINCE 3.8.7
-
-- Fixed compile error if SHA224 was enabled.
-- Fixed compile warning around HTTP2 alpn detection.
-- Fixed issue where a cipher suite could be negotiated that did not
- match the authentication type for the keys.
-
-
-
-1. BUG FIXES SINCE 3.8.7
-
-
-Fixed issue where a cipher suite could be negotiated that did not match the authentication type for the keys.
-
-This manifested in the default apps/ssl/server.c example when Chrome was
-connected. It negotiated an ECDSA based cipher even though keys loaded
-by default were RSA keys.
-
-
-Changes in 3.8.7
-
- VERSION 3.8.7 November 2016 (C) Copyright 2016 INSIDE Secure - All
- Rights Reserved
-
-1. BUG FIXES SINCE 3.8.6
-
-- Fixed Wrong Computation Results Bug In pstm.c Division
-- Fixed Memory Corruption In psDhImportPubKey
-- Fixed RSA Public Key Read Overflow
-- X.509/CRL/OCSP Timestamp Validation
-- Unix Year 2038 Problem Fix
-- Stricter OID Comparison
-- Multibyte String Handling
-- Configuration Robustness Improvements
-- X.509 Certificate Parsing Read Overflow
-- PKCS #8 Buffer Read Overflow
-- OCSP Bug Fixes
-- Generic Bug Fixes For Test Programs
-- Changes to Recommended Configurations
-- psMutex Locking and Unlocking APIs Compiler Warnings Removed
-- MD5 and SHA-1 Combined Digest Function
-- Coverity Issues Fixed
-- Yarrow Build Issues Fixed
-
-2. NEW FEATURES SINCE 3.8.6
-
-- SHA-512 for X.509 Certificates Improvements
-- OCSP Improvements
-- X.509 Certificate Domain Components
-- New Configuration: Minimal PSK
-
-
-
-1. BUG FIXES SINCE 3.8.6
-
-
-Fixed Wrong Computation Results Bug In pstm.c Division
-
-The bug could cause some big number mathematics to return wrong values
-when divisor and dividend are very far from each other. This issue is
-related to public key computation problems reported by Security
-Researcher Hanno Böck.
-
-
-Fixed Memory Corruption In psDhImportPubKey
-
-Importing Diffie-Hellman public key cleared some memory beyond end of
-the key. On some systems this bug may have caused memory corruption.
-
-
-Fixed RSA Public Key Read Overflow
-
-When importing RSA key from certificate, maliciously crafted RSA public
-key could cause read buffer overflow and crash.
-
-
-X.509/CRL/OCSP Timestamp Validation
-
-MatrixSSL accepted some X.509 certificates with illegal timestamps, such
-as leap day in an ordinary year. In additional, some two digit years
-were parsed incorrectly. Timestamp parsing has been altered everywhere
-to use new psBrokenDownDate API, which correctly handles these corner
-cases. Some of X.509 time parsing issues were reported by Sze Yiu Chau.
-
-
-Unix Year 2038 Problem Fix
-
-On 32-bit Unix devices, time_t type, which is signed will overflow in
-2038. A workaround was added that will allow timestamps and dates to be
-processed correctly by MatrixSSL on and after Tuesday 19 January 2038.
-
-
-Stricter OID Comparison
-
-The OID comparison in MatrixSSL uses a simple non-cryptographic digest
-function, based on sum of bytes, which is not collision free. Comparison
-of OID binary representation was added to ensure unknown OIDs are not
-accidentally interpreted the same than some of existing OIDs. This issue
-was reported by Sze Yiu Chau.
-
-
-Multibyte String Handling
-
-The MatrixSSL now includes function to recode strings containing
-multibyte (BMPString) characters as UTF-8 strings. This handling is
-applied to X.509 certificate fields, such as Subject Name. This allows
-code using MatrixSSL to work with BMPString input without actually
-knowing the encoding used.
-
-
-Configuration Robustness Improvements
-
-MatrixSSL has been made more robust with configurations: changing
-configuration options is less likely to cause problems building the
-software.
-
-These improvements allow smaller configurations for embedded systems.
-(E.g. build without DTLS, or build only server-side or client-side
-support.)
-
-
-X.509 Certificate Parsing Read Overflow
-
-Fixed read overflow from X.509 certificate date handling and removed
-possible buffer read overflow in parseGeneralNames(). Without these
-fixes maliciously crafted X.509 certificate could cause software crash.
-
-
-PKCS #8 Buffer Read Overflow
-
-Fixed reading overly large invalid PKCS #8 encoded private key. Without
-this fix, maliciously crafted PKCS #8 file could cause software crash.
-
-
-OCSP Bug Fixes
-
-In lieu of OCSP improvements, small bugs in OCSP implementation have
-been fixed. The most notable bug was a memory leak.
-
-
-Generic Bug Fixes For Test Programs
-
-Removed some warnings and memory leaks from test programs. Made test
-programs confirm to Unix/POSIX return value scheme on relevant
-platforms.
-
-
-Changes to Recommended Configurations
-
-The recommended configurations have been edited slightly. Most notably,
-the tracing is disabled by default on non-debug configurations.
-
-
-psMutex Locking and Unlocking APIs Compiler Warnings Removed
-
-Removed return value from psLockMutex() and psUnlockMutex() APIs. This
-removes several warnings regarding return values not being used.
-
-
-MD5 and SHA-1 Combined Digest Function
-
-The MatrixSSL will now invoke combined MD5 and SHA-1 hash function
-psMd5Sha1, whenever possible instead of separate MD5 and SHA-1 hash
-functions.
-
-
-Coverity Issues Fixed
-
-Implementation of getTicketKeys and parseSSLHandshake functions was
-changed to remove issues detected by Coverity.
-
-
-Yarrow Build Issues Fixed
-
-MatrixSSL comes with a version of Yarrow PRNG. Its use has been
-deprecated, but the PRNG continued to be shipped with MatrixSSL.
-Unfortunately, the latest versions of MatrixSSL had compilation errors
-in yarrow.c. Those errors have been fixed, and the source code file has
-been marked deprecated.
-
-
-
-2. NEW FEATURES SINCE 3.8.6
-
-
-SHA-512 for X.509 Certificates Improvements
-
-MatrixSSL can use SHA-512 to sign self-signed certificate or certificate
-request. SHA-512 was already previously supported for verification of
-X.509 certificates. (This feature can be used only on MatrixSSL
-Commercial Edition.)
-
-
-OCSP Improvements
-
-OCSP example application apps/crypto/ocsp.c (Commercial Edition Only)
-and MatrixSSL Developer Guide have been improved to give more
-documentation regarding OCSP request. OCSP request can now use
-requestorId feature and request status of list of certificates.
-
-
-X.509 Certificate Domain Components
-
-Added Functions for obtaining contents of X.509 certificate Domain
-Component field(s).
-
-
-New Configuration: Minimal PSK
-
-New configuration psk added. This configuration provides small footprint
-MatrixSSL build with only Pre-Shared Key and TLS 1.2 functionality using
-Matrix Crypto.
-
-
-Changes in 3.8.6
-
- VERSION 3.8.6 October 2016 (C) Copyright 2016 INSIDE Secure - All
- Rights Reserved
-
-1. BUG FIXES
-
-- Critical parsing bug for X.509 certificates
-- Critical TLS handshake parsing bugs
-- 4096 bit RSA key generation regression
-- General cleanup of build
-- MatrixSSH compatibility issue
-
-2. FEATURES AND IMPROVEMENTS
-
-- New configuration system for build options
-- core/ changes
-- X.509 parsing and generation
-- crypto/ changes
-- Removed OpenSSL API Emulation
-
-
-
-1 BUG FIXES
-
-
-Critical parsing bug for X.509 certificates
-
-Security Researcher Craig Young reported two issues related to X.509
-certificate parsing. An error in parsing a maliciously formatted Subject
-Alt Name field in a certificate could cause a crash due to a write
-beyond buffer and subsequent free of an unallocated block of memory. An
-error in parsing a maliciously formatted ASN.1 Bit Field primitive could
-cause a crash due to a memory read beyond allocated memory.
-
-
-Critical TLS handshake parsing bugs
-
-Security Researcher Andreas Walz reported three issues related to
-processing the ClientHello message.
-
-- The length of the TLS record was not being strictly checked against
- the length of the extensions field, so that additional unparsed data
- could be added between the end of extensions and the end of
- the record. This presents some level of uncertainty in how
- extensions may be interpreted and could present a security issue.
-- ClientHello parsing was not verifying that a NULL compression suite
- was sent by the client, as required by the RFC. This did not present
- a security issue (NULL compression was always forced), but improves
- strict adherence to the specification.
-- For TLS connections (not DTLS), the major version proposed in the
- ClientHello suggested by RFC 5246 to only allow the byte value 0x03.
- Now the connection is terminated if a value other than this
- is suggested. Previously the suggested major version field was
- simply echoed back in the ServerHello message, and treated as 0x03.
-
-
-4096 bit RSA key generation regression
-
-In some cases RSA key generation of 4096 bit keys would fail and return
-with an error code. This regression issue has been fixed and key
-generation will once again succeed.
-
-
-General cleanup of build
-
-Warnings across multiple platforms and compilers were fixed. Various
-compile time configuration combination build issues were fixed.
-
-
-MatrixSSH compatibility issue
-
-Newer versions of MatrixSSH server were incompatible with the PuTTY
-client. A fix has been included and enabled by default
-USE_PUTTY_WORKAROUND. _Note this does not affect the standard MatrixSSL
-codebase_.
-
-
-
-2 FEATURES AND IMPROVEMENTS
-
-
-New configuration system for build options
-
-A new top level directory configs/ now holds several sets of
-configuration files for MatrixSSL to simplify configuration sets. This
-method also allows custom sets to be developed specific to a given use
-case (for example a RSA only build). The following three configuration
-files now are copied at build time from the configs directory:
-
- core/coreConfig.h
- crypto/cryptoConfig.h
- matrixssl/matrixsslConfig.h
-
- THE DEFAULT CONFIGURATION SETTINGS FOR MATRIXSSL MAY HAVE CHANGED FROM
- YOUR CURRENT SETTINGS. PLEASE CONFIRM ALL SETTINGS IN THESE THREE
- FILES AFTER UPDATING.
-
-From a fresh package, the build process is the same as before: simply
-type make. It will build the software using the default configuration
-options.
-
-To use a different configuration, for example configs/noecc:
-
- $ make clean && make all-noecc
-
-Once a configuration is set, make and make clean will continue to use
-the same configuration unless a new one is selected as above.
-
-
-core/ changes
-
-- Added warning helper macros
-- Additional PS_ return codes
-- Buffer helper APIs in psbuf.h
-- Foundation for PS_NETWORKING support for sockets level API
-- psMutex_t API return code change, now returns void and will call
- abort() on POSIX platforms.
-- test/ new self-test directory
-- Change in default Linux compile options in common.mk
-
-
-X.509 parsing and generation
-
-Added additional field parsing support for X.509, including multiple OU
-support. Commercial release adds additional certificate creation
-support, as well as an API set and test suite for programmatically
-creating certificates. See _MatrixKeyAndCertGeneration.pdf_ for full
-description.
-
-
-crypto/ changes
-
-- Added *PreInit() APIs for hash functions for compatibility with FIPS
- library and hardware token requirements
-- Added psX509GetCertPublicKeyDer() API
-- Support dsa_sig OID for certificates`
-- Support for ASN_VISIBLE_STRING
-- Moved CRL functionality into keyformat/crl.c
-- Support for parsing an implicitly encoded ECC key without a DER
- header, as sometimes encountered in the wild.
-- Added PKCS#8 import
-- ALLOW_VERSION_1_ROOT_CERT_PARSE configuration option for loading
- legacy v1 certificates as trusted roots only (default not enabled).
- Loading as intermediate or leaf certificates is insecure and still
- not allowed.
-
-
-Removed OpenSSL API Emulation
-
-- opensslApi.c and opensslSocket.c files removed temporarily in
- anticipation of moving to a more fully supported OpenSSL layer.
-
-
-Changes in 3.8.5
-
- VERSION 3.8.5 September 2016 _Note: 3.8.5 was a limited customer
- release only._
-
-
-Changes in 3.8.4
-
- VERSION 3.8.4 July 2016 (C) Copyright 2016 INSIDE Secure - All Rights
- Reserved
-
-1. FEATURES AND IMPROVEMENTS
-
-- Coverity coverage
-- HTTP/2 restrictions via ALPN
-- Enhanced example apps
-- Process shared Session Cache
-- Enhanced CRL and OCSP support
-- Windows support for certificate date validation
-
-2. BUG FIXES
-
-- Critical parsing bug for RSA encrypted blobs
-- Additional restrictions on bignum operations
-- Fixed error in disabled cipher flags
-- Fixed error in DTLS encoding
-- SSLv3 only support fixed
-- Assembly compatibility with more compilers
-
-
-
-1 FEATURES AND IMPROVEMENTS
-
-
-Coverity coverage
-
-MatrixSSL now has zero outstanding defects in Coverity Static Analysis.
-
-
-HTTP/2 restrictions via ALPN
-
-MatrixSSL server code will automatically evaluate the ALPN extension and
-appropriately restrict the cipher suites and key exchange methods if the
-HTTP/2 protocol is being used. Per the HTTP/2 spec, only AEAD cipher
-suites and Ephemeral key exchange methods are allowed.
-
-
-Enhanced example apps
-
-Example applications now take additional command line options and also
-support CRL request and response generation.
-
-
-Process shared Session Cache
-
-Minimal support for a process-shared server session resumption cache is
-now supported via process-shared mutexes on Linux.
-
-
-Enhanced CRL and OCSP support
-
-A new file _crypto/keyformat/crl.c_ defines additional apis for more
-complex CRL (Certificate Revocation List) and OCSP support.
-
-
-Windows support for certificate date validation
-
-Previously only Posix based platforms were supported.
-
-
-
-2 BUG FIXES
-
-
-Critical parsing bug for RSA encrypted blobs
-
-Security Researcher Hanno Böck reported several issues related to RSA
-and bignum operations. An error in parsing a maliciously formatted
-public key block could produce a remotely triggered crash in SSL server
-parsing. Additional restrictions on the values provided to RSA and DH
-operations were also added, although an exploit has not been found.
-
-
-Additional restrictions on bignum operations
-
-The MatrixSSL bignum library, located in _crypto/math/_ was optimized
-and reduced in size to support only key sizes and operations used by
-standard RSA, ECC and DH operations (those apis present in
-_crypto/cryptoApi.h_). Additional constraint checking has been added to
-the code to prevent unsupported key sizes and values. Users requiring
-generic bignum operations should take a look at libtomcrypt, GMP, Python
-or OpenSSL.
-
-
-Fixed error in disabled cipher flags
-
-The optional disabling or enabling of specific ciphers at runtime per
-session was recently broken (now fixed) due to an errant flags
-calculation using < instead of <<.
-
-
-Fixed error in DTLS encoding
-
-An error was returned if attempting to encode a DTLS message exactly the
-PMTU size.
-
-
-SSLv3 only support fixed
-
-SSLv3 mode is not recommended for deployment, but had become broken in a
-recent build. It can now be enabled again.
-
-
-Assembly compatibility with more compilers
-
-Fixed "invalid register constraints" error on some versions of GCC and
-LLVM for ARM, MIPS and x86_64.
-
-
-Changes in 3.8.3
-
- VERSION 3.8.3 April 2016 (C) Copyright 2016 INSIDE Secure - All Rights
- Reserved
-
-1. FEATURES AND IMPROVEMENTS
-
-- Simplified Configuration Options
-- DTLS Combined Package
-- CHACHA20_POLY1305 Cipher Suites
-- Libsodium Crypto Provider
-- Extended Master Secret
-- Online Certificate Status Protocol
-- TLS Fallback SCSV
-- Trusted CA Indication Extension
-- Removed gmt_unix_time from client and server random
-- Removed support for SSLv2 CLIENT_HELLO messages
-- Ephemeral ECC Key Caching
-
-2. BUG FIXES
-
-- Support for parsing large certificate blobs
-- X.509 certificate parse fix for issuerUniqueID and subjectUniqueID
-- Diffie-Hellman public key exchange bug
-- SHA512 based Server Key Exchange signatures
-- Allow independent hashSigAlg identifiers in Certificate Request
- message
-- Improvements to DTLS Cookie handling
-- Fixed key type verification for chosen cipher suite
-- Validation of RSA Signature Creation
-- Side Channel Vulnerability on RSA Cipher Suites
-- Access Violation on Malicious TLS Record
-
-
-
-1 FEATURES AND IMPROVEMENTS
-
-
-Simplified Configuration Options
-
-The configuration files _coreConfig.h_, _cryptoConfig.h_ and
-_matrixsslConfig.h_ have been simplified, and the default options have
-been changed to improve security and code size.
-
-- Many of the insecure algorithms or deprecated options that can be
- enabled in _cryptoConfig.h_ and _matrixsslConfig.h_ have been moved
- into _cryptolib.h_ and _matrixssllib.h_, respectively.
-- TLS 1.1 is now the default minimum TLS version compiled in. The new
- USE_TLS_1_1_AND_ABOVE setting enables this.
-- Rehandshaking on an existing connection is now disabled completely
- by default with the USE_REHANDSHAKING configuration option.
-
-
-DTLS Combined Package
-
-DTLS is now packaged with MatrixSSL, and can be enabled with the
-USE_DTLS configuration option. TLS and DTLS connections can be made
-simultaneously with the same application.
-
-
-CHACHA20_POLY1305 Cipher Suites
-
-MatrixSSL now has support for ChaCha20-Poly1305 cipher suites compatible
-with RFC draft
-https://tools.ietf.org/html/draft-ietf-tls-chacha20-poly1305. The
-supported cipher suites are defined for TLS 1.2 and can be enabled at
-compile time.
-
-_cryptoConfig.h_
- USE_CHACHA20_POLY1305
-
-_matrixsslConfig.h_
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
-
-MatrixSSL must be linked with the libsodium library to provide
-implementation of the crypto primitives.
-
-
-Libsodium Crypto Provider
-
-MatrixSSL now includes a layer for crypto primitives to the _libsodium_
-crypto library, in addition to the _OpenSSL libcrypto_ and the native
-(default) MatrixSSL crypto library. _libsodium_ provides crypto
-primitives for ChaCha20 and Poly1305. In addition, enabling the layer
-will use _libsodium_ primitives for SHA256/SHA384/SHA512 based hashes
-and AES-256-GCM ciphers that provide high performance on _Intel_
-platforms.
-
- As of this release, the current version of libsodium is available
- here:
- https://download.libsodium.org/libsodium/releases/libsodium-1.0.8.tar.gz
- To build libsodium, follow the instructions here:
- https://download.libsodium.org/doc/installation/index.html
-
-To enable in the MatrixSSL make system, enable the following and
-rebuild:
-
-_common.mk_
- PS_LIBSODIUM:=1 LIBSODIUM_ROOT:=_(path_to_libsodium_build)_
-
-
-Extended Master Secret
-
-The “extended master secret” as specified in RFC 7627 is an important
-security feature for TLS implementations that use session resumption.
-The extended master secret feature associates the internal TLS master
-secret directly to the connection context to prevent man-in-the-middle
-attacks during session resumption. One such attack is a synchronizing
-triple handshake as described in Triple Handshakes and Cookie Cutters:
-Breaking and Fixing Authentication over TLS.
-
-See the _Extended Master Secret_ section in the _MatrixSSL API_ document
-for details.
-
-
-Online Certificate Status Protocol
-
-The Online Certificate Status Protocol (OCSP) is an alternative to the
-Certificate Revocation List (CRL) mechanism for performing certificate
-revocation tests on server keys. TLS integrates with OCSP in a mechanism
-known as “OCSP stapling”. This feature allows the client to request that
-the server provide a time-stamped OCSP response when presenting the
-X.509 certificate during the TLS handshake. The primary goal for this
-scheme is to allow resource constrained clients to perform certificate
-revocation tests without having to communicate with an OCSP Responder
-themselves.
-
-See the _OCSP Revocation_ section in the _MatrixSSL API_ document for
-details.
-
-
-TLS Fallback SCSV
-
-The RFC for detecting version rollback attacks has been implemented per
-RFC7507. See the _MatrixSSL Developer’s Guide_ for more information.
-
-
-Trusted CA Indication Extension
-
-The Trusted CA Indication extension is specified in RFC 6066. This
-feature allows TLS clients to send their list of certificate authorities
-to servers in the CLIENT_HELLO message.
-See the Trusted CA Indication section in the _MatrixSSL_API_ document
-for details.
-
-
-Removed gmt_unix_time from client and server random
-
-The TLS RFC specifies that the first 4 bytes of the CLIENT_HELLO and
-SERVER_HELLO random values be the current platform time. Current best
-practices recommend using random data for all 32 bytes. MatrixSSL now
-uses all random data by default.
-
-
-Removed support for SSLv2 CLIENT_HELLO messages
-
-SSLv2 CLIENT_HELLO parsing was previously supported to maintain
-compatibility with very old TLS implementations. Although this does not
-present a security risk at this time, the code has been removed, and
-only modern TLS record header parsing is supported.
-
-
-Ephemeral ECC Key Caching
-
-Previous versions of MatrixSSL generated new, unique ephemeral keys for
-each connection using ECDHE_ cipher suites, as per NIST recommendations.
-Beginning with this version, ephemeral keys are cached and re-used for
-connections within a time frame of two hours and a maximum usage of 1000
-times. This improves performance of ECDHE suites, and is inline with the
-configuration current web browsers. This feature can be configured in
-_matrixsslConfig.h_.
-
-
-
-2 BUG FIXES
-
-
-Support for parsing large certificate blobs
-
-Certificate collections larger than 64KB were not being parsed correctly
-after a change to some data types (32 bit to 16 bit) in the parsing
-code. This bug is now fixed and large collections of certificates are
-now parsing correctly.
-
-
-X.509 certificate parse fix for issuerUniqueID and subjectUniqueID
-
-Previous MatrixSSL versions could not parse these rarely encountered
-members of X.509 certificates.
-
-
-Diffie-Hellman public key exchange bug
-
-MatrixSSL clients would not successfully handshake with servers that
-sent Diffie-Hellman public keys that were not the same byte length as
-the DH group Prime parameter. Clients will now successfully handshake
-with servers that provide shorter length public keys.
-
-
-SHA512 based Server Key Exchange signatures
-
-SHA512 was not supported for SERVER_KEY_EXCHANGE messages in previous
-versions.
-
-
-Allow independent hashSigAlg identifiers in Certificate Request message
-
-Previous client versions of MatrixSSL would not allow servers to send
-signature algorithm identifiers that were not already specified by the
-client in the CLIENT_HELLO message. Now, the client will correctly allow
-the server to send an independent list of supported algorithms and the
-client will look for matches from that list.
-
-
-Improvements to DTLS Cookie handling
-
-HMAC-SHA1 or HMAC-SHA256 are now used to generate the DTLS cookie, and
-additional checking is done on the cookie for Denial-of-Service
-prevention.
-
-
-Fixed key type verification for chosen cipher suite
-
-An internal verification function that determined whether the server key
-type was correct for the chosen cipher suite has now been fixed.
-Previous versions would sometimes incorrectly determine the server was
-using the wrong key type if the server was using a certificate chain
-where parent certificates did not use the same key type. This bug
-resulted in a failed handshake and is now fixed.
-
-
-Validation of RSA Signature Creation
-
-An internal RSA validation of created signatures has been added to the
-library in the psRsaEncryptPriv() function.
-
-Security researcher Florian Weimer has shown it is possible for RSA
-private key information to leak under some special failure
-circumstances. Information on the exploit can be found here:
-https://people.redhat.com/~fweimer/rsa-crt-leaks.pdf
-
-The potential leak is only possible if a DHE_RSA based cipher suite is
-supported on the server side. This is the only handshake combination in
-which an RSA signature is sent over the wire (during the
-SERVER_KEY_EXCHANGE message). The signature itself must have been
-incorrectly generated for the exploit to be possible.
-
-The additional signature validation test will now cause the TLS
-handshake to fail prior to a faulty signature being sent to the client.
-
-
-Side Channel Vulnerability on RSA Cipher Suites
-
-A Bleichenbacher variant attack, where certain information is leaked
-from the results of a RSA private key operation has been reported by a
-security researcher. The code has been updated to error without
-providing any information on the premaster contents. Thank you to Juraj
-Somorovsky, author of TLS-Attacker > Note that other side channel
-attacks may still be possible as MatrixSSL non-FIPS crypto is not always
-constant-time.
-
-
-Access Violation on Malicious TLS Record
-
-TLS cipher suites with CBC mode in TLS 1.1 and 1.2 could have an access
-violation (read beyond memory) with a maliciously crafted message. Thank
-you to Juraj Somorovsky, author of TLS-Attacker
-
-
-
-3 KNOWN ISSUES
-
-
-- _Microsoft Windows_ targets do not support certificate date
- validation currently. Users requiring this feature can use Windows
- APIs to get and parse the current date, using the POSIX
- implementation as a reference.
-- _Arm_ platforms linking with some versions of _OpenSSL_ libcrypto
- library may have errors in AES-CBC cipher suites due to the
- library's inability to handle in-situ encryption within the
- same block.
-
-
-Changes in 3.8.2
-
- VERSION 3.8.2 December 2015 (C) Copyright 2015 INSIDE Secure - All
- Rights Reserved
-
-1. FILE/API REORGANIZATION
-
-- File Locations
-- Crypto API
-
-2. SECURITY IMPROVEMENTS
-
-- Simplified Configuration
-- Deprecated Ciphers
-- Deprecated TLS Features
-- Key Strength
-- Ephemeral Cipher Suites Enabled by Default
-- ECC Curve List
-- Reordered cipher suite preferences
-- memset_s()
-- Handshake State Machine Improvements
-
-3. FEATURES AND IMPROVEMENTS
-
-- DTLS Protocol Included
-- Optimized Diffie-Hellman performance
-- Optimized EC signature generation performance
-- OpenSSL Crypto Primitive Provider
-- OpenSSL TLS API layer
-- Reduced TLS session footprint
-- X.509 Improvements
-- PKCS#12 Key Parsing
-- Improved certificate callback example
-- Per digest control of HMAC algorithms
-- Default high resolution timing
-- Assert and Error Optimizations
-
-4. BUG FIXES
-
-- 64 bit little endian platforms
-- X.509 KeyUsage extension
-- X.509 date validation fix
-- Fixed handshake parse issue
-- TLS server sending old self-signed certificate
-- Fixed ECC variable encoding bugs
-- DHE_PSK compatibility
-- AES-GCM with AESNI
-- Library configuration test
-- Windows psGetFileBuf
-
-
-
-1 FILE/API REORGANIZATION
-
-
-File Locations
-
-MatrixSSL 3.8.2 introduces directory changes to the distribution since
-3.7.2
-
-TLS/DTLS example apps moved from ./apps to ./apps/ssl and ./apps/dtls.
-Test keys and certificates moved from ./sampleCerts to ./testkeys. XCode
-and Visual Studio projects moved to ./xcode and ./visualstudio.
-
-Several file changes and renames are present as well:
-
-TLS Decoding moved ./matrixssl/sslDecode.c from ./matrixssl/sslDecode.c,
-./matrixssl/hsDecode.c and ./matrixssl/extDecode.c. Private key
-import/export from ./crypto/pubkey/pkcs.c. to ./crypto/keyformat/pkcs.c.
-Configuration consistency and sanity checks from
-./matrixssl/matrixssllib.h to ./matrixssl/matrixsslCheck.h.
-
-
-Crypto API
-
-The API layers into the raw cryptographic operations have been
-significantly changed. The crypto API changes do not affect the main
-MatrixSSL API for creating TLS sessions, etc. However, developers who
-interface with crypto directly, or who want to write a custom hardware
-layer will be interested in the new layer.
-
-API Model
-
-The cryptography API for symmetric crypto, digests and HMAC follow the
-common model:
-
-INIT API
- Initializes the cipher and returns an error on failure (typically
- due to bad input parameters or insufficient memory).
-
-ENCRYPT/DECRYPT/UPDATE API
- Performs the operation and does not return an error code (previously
- some APIs would return the number of bytes decrypted).
-
-CLEAR API
- Zero and/or free any associated memory associated with the cipher.
-
-Standard Types
-
-Standard C99 types from are used to specify integer
-parameters.
-
-uint8_t
- The length of an IV, password or an AES-GCM tag
-
-uint16_t
- The length of an asymmetric key (RSA/DH/ECC), a HMAC key or
- Additional Authenticated Data (AAD) for an AEAD cipher such
- as AES-GCM.
-
-uint32_t
- The length of data to be processed by the cipher
-
-uint64_t: Internally used by crypto library to store large counter
-values and when optimizing for 64 bit platforms.
-
-Const Correctness
-
-Pointers to values that are not modified are marked const.
-
-API Name changes
-
-API names have been standardized as follows:
-
-Initialization of low level AES block cipher from psAesInitKey to
-psAesInitBlockKey. AES CBC from psAesInit, psAesDecrypt and psAesEncrypt
-to psAesInitCBC, psAesDecryptCBC and psAesEncryptCBC. SHA2 HMAC from
-psHmacSha2 to psHmacSha256 and psHmacSha384. ECC signature creation from
-psEccSignHash to psEccDsaSign. ECC signature validation from
-psEcDsaValidateSignature to psEccDsaVerify.
-
-Standardized Context Names
-
-Cryptographic functions that used to accept generic “context”
-identifiers now require the specific key/algorithm structure, for
-example:
-
-HMAC family from psHmacContext_t to psHmacSha1_t, psHmacSha256_t, ...
-Digest family from psDigestContext_t to psSha1_t, psSha256_t, etc...
-Symmetric family from psCipherContext_t to psAesCbc_t, psAesGcm_t,
-psDes3Key_t RSA private key parse (pkcs1) from psPubKey_t to psRsaKey_t.
-ECC private key parse from psPubKey_t to psEccKey_t.
-
-Standardized Return Types
-
-In general, Init apis return a standard PS_* status code. A status code
-that is not PS_SUCCESS typically indicates invalid input parameters or a
-resource allocation failure. Update and Clear APIs no longer have a
-return. For example:
-
-HMAC Init from void to int32_t. HMAC Final from int32_t to void. Digest
-Init from void to int32_t. Digest Final from int32_t to void.
-
-Memory Model
-
-In general, APIs now take an allocated cipher structure, and do not
-allocate the structure in the Init routine. In the past, the memory
-allocation model was inconsistent.
-
-For ECC and DH, there are now additional APIs that allow the key to be
-allocated and initialized, to complement the APIs which just initialize
-the keys.
-
-The Clear API must always be called when done with a context, as some
-algorithms internally allocate additional memory for operation.
-
-
-
-2 SECURITY IMPROVEMENTS
-
-
-Simplified Configuration
-
-The configuration of ciphers and cipher suites in
-_crypto/cryptoConfig.h_ and _matrixssl/matrixsslConfig.h_ has been
-simplified considerably. Existing and new users of MatrixSSL should take
-a look at these files to understand the various options and features
-supported.
-
-
-Deprecated Ciphers
-
-- ARC4, SEED, IDEA, RC2, MD4 and MD2 are deprecated, and not enabled
- by default in _cryptoConfig.h_
-- MD5 and SHA1 are not recommended for use, but enabled by default
- because they are required for TLS protocols before version 1.2.
- Although they are enabled in _cryptoConfig.h,_ their use within the
- TLS protocol is limited to where required, and they can be
- independently disabled from use as a certificate signature algorithm
- and an HMAC algorithm. The new crypto primitive psMd5Sha1_t is
- intended to replace standalone MD5 or SHA1 use outside of where
- required in TLS.
-- 3DES is not deprecated, but be aware of key strength limitations vs.
- AES-128 and AES-256.
-
-
-Deprecated TLS Features
-
-- TLS cipher suites that rely on deprecated crypto algorithms have
- also been deprecated in matrixsslConfig.h
-- TLS Compression support is now deprecated and the option removed
- from the configuration.
-- False Start support is now deprecated and the option removed from
- the configuration.
-
-
-Key Strength
-
-Key strength defines have not changed since previous releases, however
-it should be noted that the default minimum RSA/DH sizes of 1024 and ECC
-sizes of 192 do not meet a growing number of security standards and
-larger keys should be beginning to be deployed.
-
-
-Ephemeral Cipher Suites Enabled by Default
-
-ECDHE and DHE cipher suites are now enabled by default. Be aware that
-for embedded platforms, this may require significant additional CPU
-load.
-
-
-ECC Curve List
-
-The supported ECC Curve list is now always given in bit-strength order.
-This ensures that when negotiating EC Parameters, the strongest
-available will be used.
-
-
-Reordered cipher suite preferences
-
-Clients send a priority list order of cipher suites during TLS
-negotiations, and servers use a priority list of ciphers to pick a
-common cipher for the connection.
-
-MatrixSSL orders this list using the following rules, resulting in some
-change to the cipher suite preference order in _cipherSuite.c_. In order
-to make as secure a connection as possible, the parameters of
-Authentication, Data Integrity and Data Security were taken in that
-order to generate a new cipher preference list. In places where these
-parameters are of equivalent strength, the faster algorithm is preferred
-(although the “faster” algorithm often depends on the platform).
-_Currently DHE is prioritized over ECDHE due only to performance. In
-future releases, ECDHE may be the preferred key exchange mode._
-
-The ordering of the ciphers is grouped and sub-grouped by the following:
-
-1. Non-deprecated
-2. Ephemeral
-3. Authentication Method (PKI > PSK > anon)
-4. Hash Strength (SHA384 > SHA256 > SHA > MD5)
-5. Cipher Strength (AES256 > AES128 > 3DES > ARC4 > SEED > IDEA > NULL)
-6. PKI Key Exchange (DHE* > ECDHE > ECDH > RSA > PSK)
-7. Cipher Mode (GCM > CBC)
-8. PKI Authentication Method (ECDSA > RSA > PSK)
-
-
-memset_s()
-
-Use the memset_s() api to zero memory regardless of compiler
-optimization which might skip zeroing for memory that is not
-subsequently used. For platforms without a built in implementation,
-memset_s() is automatically built in core/memset_s.c
-
-
-Handshake State Machine Improvements
-
-Simplified code paths
-
-The handshake decode state machine was split among additional files and
-functions. Switch statements replace other logic to more clearly show
-each case and its result. The state machine is still quite complex due
-to the large number of modes and states that are supported in MatrixSSL.
-Always consult support when making changes to the state machine.
-
-Multiple state tracking
-
-Connection state tracking has always been implemented as "expected next
-state", with no security issues. However for a double check, MatrixSSL
-now implements independent tracking of the last state encoded and
-decoded, as well as the expected next state.
-
-More strict extension processing
-
-The extension parsing is more strict in what can be accepted and when.
-
-
-
-3 FEATURES AND IMPROVEMENTS
-
-
-DTLS Protocol Included
-
-Beginning in the 3.8.2 version of MatrixSSL, the DTLS 1.0 and DTLS 1.2
-protocols are included in MatrixSSL open source package.
-
-Enable USE_DTLS in _./matrixssl/matrixsslConfig.h_ to include it in
-library. Additional documentation, app examples, and test code is
-included to aid in development.
-
-
-Optimized Diffie-Hellman performance
-
-Use smaller generated key sizes for a given DH prime field size per NIST
-SP 800-57 Part 1. This provides up to a 9x performance gain for DH
-operations, greatly increasing the speed of ephemeral ciphers using DH.
-
-
-Optimized EC signature generation performance
-
-Improved performance for finding valid ECC key pairs, especially on
-larger key sizes.
-
-
-OpenSSL Crypto Primitive Provider
-
-Allows MatrixSSL to be linked against _OpenSSL_ libcrypto as a crypto
-primitive provider. This allows platforms that use _OpenSSL_ as their
-crypto API (such as _Cavium Octeon_) provide hardware acceleration to
-MatrixSSL applications.
-
-
-OpenSSL TLS API layer
-
-Users wishing to replace _OpenSSL_ with MatrixSSL often desire a layer
-that will ease the integration. MatrixSSL 3.8.2 includes an _OpenSSL_API
-layer that was previously provided upon request. This layer is found in
-the _./matrixssl_ directory in the _opensslApi.c_and _opensslSocket.c_
-files. The _opensslApi.h_ and _opensslSocket.h_ headers define the
-interface.
-
-
-Reduced TLS session footprint
-
-The size of each TLS session was reduced by 512 bytes for AES cipher
-suites, and additionally by ~100 bytes for all cipher suites.
-
-
-X.509 Improvements
-
-OID parsing has been improved and provides better feedback on error.
-SHA-512 signed certificates are now supported.
-
-
-PKCS#12 Key Parsing
-
-Support for longer passwords and additional private key bag.
-
-
-Improved certificate callback example
-
-The _./apps/ssl/client.c_ application now has a more robust processing
-example to help integrators understand the relationship between the
-incoming alert value and the individual authStatus members of the
-server’s certificate chain.
-
-
-Per digest control of HMAC algorithms
-
-Each HMAC algorithm can now be specifically enabled/disabled with
-USE_HMAC_(digest) defines in _cryptoConfig.h_
-
-
-Default high resolution timing
-
-POSIX platforms will have high-resolution timers active by default
-
-
-Assert and Error Optimizations
-
-USE_CORE_ASSERT and USE_CORE_ERROR can now be disabled in
-_coreConfig.h_. This can reduce code size by removing the static strings
-used in errors and asserts. Recommended for final deployment only.
-
-
-
-4 BUG FIXES
-
-
-64 bit little endian platforms
-
-The STORE32L macro in _cryptolib.h_ has been fixed for little endian 64
-platforms. The STORE32H macro in _cryptolib.h_ has been fixed for big
-endian 64 platforms not using assembly language optimizations. Platforms
-such as _MIPS64_ are now automatically detected by the build system.
-
-
-X.509 KeyUsage extension
-
-Fixed the parse to allow for BIT_STRING lengths longer than should be
-expected.
-
-
-X.509 date validation fix
-
-A bug has been fixed in the validateDateRange() function in _x509.c_. In
-previous versions, the time format (ASN_UTCTIME, etc..) of the notAfter
-date was being set based on the notBefore field. This bug would have
-caused problems for certificates that used different time formats for
-the notBefore and notAfter fields.
-
-
-Fixed handshake parse issue
-
-A bug was found on the server side while parsing a specific case of
-handshake messages from a client. If the cipher suite used a key
-exchange mechanism of ECDHE or ECHE, and the handshake was using client
-authentication, and the client was sending the CLIENT_KEY_EXCHANGE
-message and CERTIFICATE_VERIFY message in a single record, the MatrixSSL
-server was unable to parse that flight and would close the connection.
-This is now fixed.
-
-
-TLS server sending old self-signed certificate
-
-A bug has been fixed so that if a server sends a self-signed certificate
-that does not contain the AuthorityKeyIdentifier extension, the
-authentication logic will detect that and not report an error to the
-certificate callback. > Servers shouldn’t send self-signed certificates
-in the CERTIFICATE message. Client must still always have the same
-self-signed cert loaded in order to authenticate.
-
-
-Fixed ECC variable encoding bugs
-
-For Client Auth rehandshakes, the variable signature sizes of ECDSA
-resulted in an issue when clients were creating the encrypted
-CERTIFICATE_VERIFY message. secp224r1 curves also had an additional bug
-that could cause an invalid signature in some cases due to the variable
-encoding rules.
-
-
-DHE_PSK compatibility
-
-Fixed issue with DHE_PSK ciphers when a PSK_ID was not used. Previously
-a handshake alert would occur.
-
-
-AES-GCM with AESNI
-
-Fixed an issue causing an invalid encoding of large data buffers with
-aes-gcm on Intel platforms with AESNI.
-
-
-Library configuration test
-
-The mechanism to test that MatrixSSL applications have been compiled
-using the same configuration as the MatrixSSL static libraries has been
-fixed.
-
-
-Windows psGetFileBuf
-
-Parameters to CreateFileA() are now correct for opening existing files.
-
-
-
-5 KNOWN ISSUES
-
-
-- _Microsoft Windows_ targets do not support certificate date
- validation currently. Users requiring this feature can use Windows
- APIs to get and parse the current date, using the POSIX
- implementation as a reference.
-- _Arm_ platforms linking with some versions of _OpenSSL_ libcrypto
- library may have errors in AES-CBC cipher suites due to the
- library's inability to handle in-situ encryption within the
- same block.
diff --git a/doc/CHANGES_v3.9.html b/doc/CHANGES_v3.9.html
deleted file mode 100644
index 92ef3b1..0000000
--- a/doc/CHANGES_v3.9.html
+++ /dev/null
@@ -1,106 +0,0 @@
-
-
-
-
-
-
-
-
-
-
-MatrixSSL 3.9 changelog
-Changes between 3.9.3 and 3.9.5 [December 2017]
-This version fixes several vulnerabilities in the CMS and TLS libraries, contains a large amount of bug fixes and some new features for the TLS and X.509 libraries.
-
-Changes between 3.9.2 and 3.9.3 [June 2017]
-Fix serious buffer handling vulnerabilities along with other smaller bug fixes.
-
-Fixed buffer overflow vulnerability in parsePolicyMappings and buffer underflow in parseGeneralNames. Vulnerabilities discovered by Aleksandar Nikolic of Cisco Talos.
-psX509ParseCert modified not to call parse_single_cert when there are only a few bytes remaining.
-Fix compilation when USE_PKCS8 is not defined.
-Added common makefiles directory for reusable makefile components.
-Added new result code PS_SELFTEST_FAILED for detecting psCryptoOpen() failure due to self-test failure of underlying cryptographic primitivers.
-Debugging build log output can be redirected to a file using PSCORE_DEBUG_FILE/PSCORE_DEBUG_FILE_APPEND/FLPS_DEBUG_FILE/ FLPS_DEBUG_FILE_APPEND environment variables.
-New example configuration for use of libopenssl-compat. This configuration enables TLS 1.0, which is common to use with libopenssl-compat.
-Add client side option for rejecting version downgrade during TLS handshake.
-ECDSA cipher suites were errorneously rejected by client using CAs with only RSA certificates.
-Small improvements to psBuf and psDynBuf functions.
-CMS library improvements, support for multiple recipients with authenticated encrypted data.
-CMS library improvements, support for zero or multiple signers for signed data.
-Signed data can now contain X.509 CRLs.
-Fixed handling of OCSP responses using OCSP responderName.
-Fixed memory leak in freeing of OCSP requestor id.
-MatrixSSL client sometimes prevented ECDSA cipher suites from being used due to flaw in key material compatibility test. The test has been removed.
-
-Changes between 3.9.1 and 3.9.2
-3.9.2. only released as a part of SafeZone FIPS SW SDK.
-
-Added support for OCSP response with SHA-512 signature.
-psPkcs8ParsePrivBin() function now supports any SafeZone CL library supported PKCS #8 key formats, in addition to PKCS #8 keys ordinarily supported by MatrixSSL. (Only applicable to MatrixSSL FIPS Edition.)
-Added matrixSslLoadKeys and matrixSslLoadKeysMem. This key loading function can be used in situations where the type of private key (RSA or EC) to load is unknown.
-Added support for loading CA bundles containing both supported and unsupported certificates. Previously, the loading of a CA bundle failed if any of the certificates could not be fully parsed by MatrixSSL, due to e.g. disabled v1 certificate support. The new feature can be enabled by defining ALLOW_CA_BUNDLE_PARTIAL_PARSE in matrixsslConfig.h. Also the crypto-level psX509ParseCert and psX509ParseCertFile functions support the same feature when passed the CERT_ALLOW_BUNDLE_PARTIAL_PARSE flag.
-Added support for RSA-SHA224 and ECDSA-SHA224 signatures in CSR generation, CSR parsing and certificate generation. Expanded X.509 Generation API test.
-
-Changes between 3.9.0 and 3.9.1
-
-Disabled support for SHA-1 signed certificates by default. SHA-1 can no longer be considered secure for this purpose (see https://shattered.it/static/shattered.pdf). We decided to disable SHA-1 signed certificates by default to ensure that MatrixSSL customers consider the security implications before enabling them. Support for SHA-1 signed certificates can be restored by defining ENABLE_SHA1_SIGNED_CERTS in cryptoConfig.h.
-Regenerated all test certificates. Many of the old ones had exceeded their validity period. The new test certificates have some minor changes, such as the addition of some missing basicConstraints and authorityKeyIdentifier extensions. Note that the test certificates should never be used in production, but only for initial testing during development.
-Fixed bug that caused a segfault when ALLOW_VERSION_1_ROOT_CERT_PARSE was enabled and the peer sent a version 1 certificate. Correct behaviour is to just produce an internal certificate validation failure in this case, as the above define only allows parsing of locally stored trusted root certificates. This bug is minor as ALLOW_VERSION_1_ROOT_CERT_PARSE is disabled by default, and rarely used by MatrixSSL customers.
-Introduced new function setSocketTlsCertAuthCb for setting certificate authentication callback when using MatrixSSL via psSocket_t interface. Previously constant function name ssl_cert_auth was used for authentication callback.
-
-
-
diff --git a/doc/CHANGES_v3.9.md b/doc/CHANGES_v3.9.md
deleted file mode 100644
index e0334ac..0000000
--- a/doc/CHANGES_v3.9.md
+++ /dev/null
@@ -1,245 +0,0 @@
-# MatrixSSL 3.9 changelog
-
-## Changes between 3.9.3 and 3.9.5 [December 2017]
-
-This version fixes several vulnerabilities in the CMS and TLS
-libraries, contains a large amount of bug fixes and some new features
-for the TLS and X.509 libraries.
-
-- SSL/TLS
-
- * Fixed several out-of-bounds heap reads reported by researchers
- Simon Friedberger, Robert Merget and Juraj Somorovsky, working
- at the Ruhr-University Bochum. It was possible to trigger the
- out-of-bounds reads with maliciously crafted Certificate and
- ServerHello handshake messages.
-
- * Fixed vulnerabilities reported by Richard Clarke
- (@rsclarke). Truncated certificates could be created to cause
- out-of-bounds reads of size 1 in getAsnOID and getSerialNum.
-
- * Fixed an issue where the server did not keep the raw DER of the
- client cert during a rehandshake, even when the
- keep_peer_cert_der session option was set.
-
- * Fixed an issue that caused empty SNI to be sent in the
- ServerHello during renegotiation even when the last ClientHello
- did not contain it.
-
- * Fixed issues with handling of RSA-SHA-1 server and client
- certificates. One of the symptoms was a segfault that occurred
- when trying to use a server certificate signed with RSA-SHA-1.
-
- * Refactor supported_signature_algorithms checking and signature
- algorithm selection for CertificateVerify and ServerKeyExchange
- Including adding support for RSA-SHA-512 server certificates.
-
- * Added support for on-demand client certificate and client
- private key loading (USE_EXT_CLIENT_CERT_KEY_LOADING). MatrixSSL
- now provides an asynchronous mechanism that allows
- client-programs to load or change the client certificate
- on-demand, as a response to a CertificateRequest.
-
- * Added new option to matrixValidateCertsExt that can be used to
- (re-)perform certificate date validation in that function. By
- default, MatrixSSL checks the certificate date during
- parsing. The new option is useful for e.g. long-living processes
- that may outlast the certificate validity period.
-
- * Added support for SSLv2 Client Hello format used by some TLS
- clients. Only Client Hello message is supported, SSLv2
- connections are not supported as it would have security
- implications. See RFC 5246: The Transport Layer Security (TLS)
- Protocol Version 1.2 Appendix E.2 for details of TLS backwards
- compatibility with SSLv2.
-
- * Enabled TLS FALSE START support by default. This allows better
- interoperability with recent versions of Firefox browser and
- some versions of Chrome. (Controlled with
- USE_SERVER_SIDE_FALSE_START_SUPPORT.)
-
- * Fixed a compilation problem if USE_TLS_1_2 was not defined.
-
- * Fixed compilation issues when compiling without USE_SHA384.
-
- * Fixed compilation without USE_REHANDSHAKING.
-
- * Improved the example server and client applications.
-
- * Fixes to file paths client.c uses for RSA-3072 PEM files.
-
-- Crypto library
-
- * Fixed an out-of-bounds read in psAesUnwrap.
-
- * Fixed byte order issue in psEccDsaSign.
-
- * Fixed double-free when s parameter handling fails in
- MatrixCrypto's psEccDsaSign.
-
-- CMS library
-
- * Fixed a critical bug in the Authenticated-Enveloped-data stream
- parsing API (matrixCmsFinalParseAuthEnvData) that caused
- verification of the CBC MAC to be skipped.
-
-- X.509 library
-
- * The EC public key coordinates were encoded incorrectly into
- certificates when the leading 8 bits of a coordinate were all
- zero.
-
- * subjectKeyId got encoded always, even when no one actually
- computed the value.
-
- * Encoding of extensions was omitted when there was an
- issuerAltName but no subjectAltName given.
-
- * psWriteCertExt set the basicConstraints CA bit to TRUE even if
- the value was actually CA_UNDEFINED.
-
- * psX509SetCAIssuedCertExtensions used the extensions struct
- pointer from CSR when there were no extensions in the CA's
- config. This lead to a double-free.
-
- * The psWriteCertReqMem_BinConfig function was leaking memory.
-
- * Added new initialization function for the extensions struct.
-
- * Fix for otherName OID encoding in subjectAltName.
-
- * Added possibility to give the otherName OID as a dot-notation
- string.
-
- * Fixed otherName OIDs length restriction.
-
- * Added support for the PrintableString and IA5String ASN.1 types
- in psX509SetDNAttribute.
-
- * Improved the order in which Relative Distinguished Names are
- encoded into certificates and CSRs.
-
- * Support for setting and parsing certificate request with
- challenge password (psX509SetChallengePassword(), and
- psCertReqGetChallengePassword())
-
-- Networking and the MatrixSSL Net convenience layer
-
- * Fixed multirecord handling in matrixsslNet.
-
- * Fixed mishandled PS_EAGAIN from MatrixSSL in matrixsslNet.c.
-
- * Added "peek" to psnet.
-
- * Added feature to matrixsslNet that allows writing during read
- buffer contains some data.
-
- * Enlarged buffer used by matrixsslNet.c to avoid having the read input
- in multiple blocks.
-
- * Fixes to MatrixSslNet to work when it receives multiple application
- data records at once.
-
-## Changes between 3.9.2 and 3.9.3 [June 2017]
-
-Fix serious buffer handling vulnerabilities along with other smaller bug fixes.
-
-- Fixed buffer overflow vulnerability in parsePolicyMappings and buffer
- underflow in parseGeneralNames. Vulnerabilities discovered by Aleksandar
- Nikolic of Cisco Talos.
-
-- psX509ParseCert modified not to call parse_single_cert when there are
- only a few bytes remaining.
-
-- Fix compilation when USE_PKCS8 is not defined.
-
-- Added common makefiles directory for reusable makefile components.
-
-- Added new result code PS_SELFTEST_FAILED for detecting psCryptoOpen() failure
- due to self-test failure of underlying cryptographic primitivers.
-
-- Debugging build log output can be redirected to a file using
- PSCORE_DEBUG_FILE/PSCORE_DEBUG_FILE_APPEND/FLPS_DEBUG_FILE/
- FLPS_DEBUG_FILE_APPEND environment variables.
-
-- New example configuration for use of libopenssl-compat.
- This configuration enables TLS 1.0, which is common to use with
- libopenssl-compat.
-
-- Add client side option for rejecting version downgrade during TLS handshake.
-
-- ECDSA cipher suites were errorneously rejected by client using CAs with only
- RSA certificates.
-
-- Small improvements to psBuf and psDynBuf functions.
-
-- CMS library improvements, support for multiple recipients with
- authenticated encrypted data.
-
-- CMS library improvements, support for zero or multiple signers
- for signed data.
-
-- Signed data can now contain X.509 CRLs.
-
-- Fixed handling of OCSP responses using OCSP responderName.
-
-- Fixed memory leak in freeing of OCSP requestor id.
-
-- MatrixSSL client sometimes prevented ECDSA cipher suites from being used
- due to flaw in key material compatibility test. The test has been removed.
-
-## Changes between 3.9.1 and 3.9.2
-
-3.9.2. only released as a part of SafeZone FIPS SW SDK.
-
-- Added support for OCSP response with SHA-512 signature.
-
-- psPkcs8ParsePrivBin() function now supports any SafeZone CL library supported
- PKCS #8 key formats, in addition to PKCS #8 keys ordinarily supported by
- MatrixSSL. (Only applicable to MatrixSSL FIPS Edition.)
-
-- Added matrixSslLoadKeys and matrixSslLoadKeysMem. This key loading
- function can be used in situations where the type of private key
- (RSA or EC) to load is unknown.
-
-- Added support for loading CA bundles containing both supported and
- unsupported certificates. Previously, the loading of a CA bundle failed
- if any of the certificates could not be fully parsed by MatrixSSL, due to
- e.g. disabled v1 certificate support. The new feature can be enabled
- by defining ALLOW_CA_BUNDLE_PARTIAL_PARSE in matrixsslConfig.h. Also
- the crypto-level psX509ParseCert and psX509ParseCertFile functions support
- the same feature when passed the CERT_ALLOW_BUNDLE_PARTIAL_PARSE flag.
-
-- Added support for RSA-SHA224 and ECDSA-SHA224 signatures in CSR generation,
- CSR parsing and certificate generation. Expanded X.509 Generation API
- test.
-
-## Changes between 3.9.0 and 3.9.1
-
-- Disabled support for SHA-1 signed certificates by default. SHA-1 can
- no longer be considered secure for this purpose (see
- https://shattered.it/static/shattered.pdf). We decided to disable
- SHA-1 signed certificates by default to ensure that MatrixSSL
- customers consider the security implications before enabling them.
- Support for SHA-1 signed certificates can be restored by defining
- ENABLE_SHA1_SIGNED_CERTS in cryptoConfig.h.
-
-- Regenerated all test certificates. Many of the old ones had exceeded
- their validity period. The new test certificates have some minor
- changes, such as the addition of some missing basicConstraints and
- authorityKeyIdentifier extensions. Note that the test certificates
- should never be used in production, but only for initial testing
- during development.
-
-- Fixed bug that caused a segfault when
- ALLOW_VERSION_1_ROOT_CERT_PARSE was enabled and the peer sent a
- version 1 certificate. Correct behaviour is to just produce an
- internal certificate validation failure in this case, as the above
- define only allows parsing of locally stored trusted root
- certificates. This bug is minor as ALLOW_VERSION_1_ROOT_CERT_PARSE
- is disabled by default, and rarely used by MatrixSSL customers.
-
-- Introduced new function setSocketTlsCertAuthCb for setting certificate
- authentication callback when using MatrixSSL via psSocket_t interface.
- Previously constant function name ssl_cert_auth was used for authentication
- callback.
diff --git a/doc/CHANGES_v3.9.txt b/doc/CHANGES_v3.9.txt
deleted file mode 100644
index 1d9a8b5..0000000
--- a/doc/CHANGES_v3.9.txt
+++ /dev/null
@@ -1,258 +0,0 @@
-
-
-MATRIXSSL 3.9 CHANGELOG
-
-
-Changes between 3.9.3 and 3.9.5 [December 2017]
-
-This version fixes several vulnerabilities in the CMS and TLS libraries,
-contains a large amount of bug fixes and some new features for the TLS
-and X.509 libraries.
-
-- SSL/TLS
-
- - Fixed several out-of-bounds heap reads reported by researchers
- Simon Friedberger, Robert Merget and Juraj Somorovsky, working
- at the Ruhr-University Bochum. It was possible to trigger the
- out-of-bounds reads with maliciously crafted Certificate and
- ServerHello handshake messages.
-
- - Fixed vulnerabilities reported by Richard Clarke (@rsclarke).
- Truncated certificates could be created to cause out-of-bounds
- reads of size 1 in getAsnOID and getSerialNum.
-
- - Fixed an issue where the server did not keep the raw DER of the
- client cert during a rehandshake, even when the
- keep_peer_cert_der session option was set.
-
- - Fixed an issue that caused empty SNI to be sent in the
- ServerHello during renegotiation even when the last ClientHello
- did not contain it.
-
- - Fixed issues with handling of RSA-SHA-1 server and
- client certificates. One of the symptoms was a segfault that
- occurred when trying to use a server certificate signed
- with RSA-SHA-1.
-
- - Refactor supported_signature_algorithms checking and signature
- algorithm selection for CertificateVerify and ServerKeyExchange
- Including adding support for RSA-SHA-512 server certificates.
-
- - Added support for on-demand client certificate and client
- private key loading (USE_EXT_CLIENT_CERT_KEY_LOADING). MatrixSSL
- now provides an asynchronous mechanism that allows
- client-programs to load or change the client certificate
- on-demand, as a response to a CertificateRequest.
-
- - Added new option to matrixValidateCertsExt that can be used to
- (re-)perform certificate date validation in that function. By
- default, MatrixSSL checks the certificate date during parsing.
- The new option is useful for e.g. long-living processes that may
- outlast the certificate validity period.
-
- - Added support for SSLv2 Client Hello format used by some
- TLS clients. Only Client Hello message is supported, SSLv2
- connections are not supported as it would have
- security implications. See RFC 5246: The Transport Layer
- Security (TLS) Protocol Version 1.2 Appendix E.2 for details of
- TLS backwards compatibility with SSLv2.
-
- - Enabled TLS FALSE START support by default. This allows better
- interoperability with recent versions of Firefox browser and
- some versions of Chrome. (Controlled
- with USE_SERVER_SIDE_FALSE_START_SUPPORT.)
-
- - Fixed a compilation problem if USE_TLS_1_2 was not defined.
-
- - Fixed compilation issues when compiling without USE_SHA384.
-
- - Fixed compilation without USE_REHANDSHAKING.
-
- - Improved the example server and client applications.
-
- - Fixes to file paths client.c uses for RSA-3072 PEM files.
-
-- Crypto library
-
- - Fixed an out-of-bounds read in psAesUnwrap.
-
- - Fixed byte order issue in psEccDsaSign.
-
- - Fixed double-free when s parameter handling fails in
- MatrixCrypto's psEccDsaSign.
-
-- CMS library
-
- - Fixed a critical bug in the Authenticated-Enveloped-data stream
- parsing API (matrixCmsFinalParseAuthEnvData) that caused
- verification of the CBC MAC to be skipped.
-- X.509 library
-
- - The EC public key coordinates were encoded incorrectly into
- certificates when the leading 8 bits of a coordinate were
- all zero.
-
- - subjectKeyId got encoded always, even when no one actually
- computed the value.
-
- - Encoding of extensions was omitted when there was an
- issuerAltName but no subjectAltName given.
-
- - psWriteCertExt set the basicConstraints CA bit to TRUE even if
- the value was actually CA_UNDEFINED.
-
- - psX509SetCAIssuedCertExtensions used the extensions struct
- pointer from CSR when there were no extensions in the
- CA's config. This lead to a double-free.
-
- - The psWriteCertReqMem_BinConfig function was leaking memory.
-
- - Added new initialization function for the extensions struct.
-
- - Fix for otherName OID encoding in subjectAltName.
-
- - Added possibility to give the otherName OID as a
- dot-notation string.
-
- - Fixed otherName OIDs length restriction.
-
- - Added support for the PrintableString and IA5String ASN.1 types
- in psX509SetDNAttribute.
-
- - Improved the order in which Relative Distinguished Names are
- encoded into certificates and CSRs.
-
- - Support for setting and parsing certificate request with
- challenge password (psX509SetChallengePassword(),
- and psCertReqGetChallengePassword())
-
-- Networking and the MatrixSSL Net convenience layer
-
- - Fixed multirecord handling in matrixsslNet.
-
- - Fixed mishandled PS_EAGAIN from MatrixSSL in matrixsslNet.c.
-
- - Added "peek" to psnet.
-
- - Added feature to matrixsslNet that allows writing during read
- buffer contains some data.
-
- - Enlarged buffer used by matrixsslNet.c to avoid having the read
- input in multiple blocks.
-
- - Fixes to MatrixSslNet to work when it receives multiple
- application data records at once.
-
-
-Changes between 3.9.2 and 3.9.3 [June 2017]
-
-Fix serious buffer handling vulnerabilities along with other smaller bug
-fixes.
-
-- Fixed buffer overflow vulnerability in parsePolicyMappings and
- buffer underflow in parseGeneralNames. Vulnerabilities discovered by
- Aleksandar Nikolic of Cisco Talos.
-
-- psX509ParseCert modified not to call parse_single_cert when there
- are only a few bytes remaining.
-
-- Fix compilation when USE_PKCS8 is not defined.
-
-- Added common makefiles directory for reusable makefile components.
-
-- Added new result code PS_SELFTEST_FAILED for
- detecting psCryptoOpen() failure due to self-test failure of
- underlying cryptographic primitivers.
-
-- Debugging build log output can be redirected to a file using
- PSCORE_DEBUG_FILE/PSCORE_DEBUG_FILE_APPEND/FLPS_DEBUG_FILE/
- FLPS_DEBUG_FILE_APPEND environment variables.
-
-- New example configuration for use of libopenssl-compat. This
- configuration enables TLS 1.0, which is common to use
- with libopenssl-compat.
-
-- Add client side option for rejecting version downgrade during
- TLS handshake.
-
-- ECDSA cipher suites were errorneously rejected by client using CAs
- with only RSA certificates.
-
-- Small improvements to psBuf and psDynBuf functions.
-
-- CMS library improvements, support for multiple recipients with
- authenticated encrypted data.
-
-- CMS library improvements, support for zero or multiple signers for
- signed data.
-
-- Signed data can now contain X.509 CRLs.
-
-- Fixed handling of OCSP responses using OCSP responderName.
-
-- Fixed memory leak in freeing of OCSP requestor id.
-
-- MatrixSSL client sometimes prevented ECDSA cipher suites from being
- used due to flaw in key material compatibility test. The test has
- been removed.
-
-
-Changes between 3.9.1 and 3.9.2
-
-3.9.2. only released as a part of SafeZone FIPS SW SDK.
-
-- Added support for OCSP response with SHA-512 signature.
-
-- psPkcs8ParsePrivBin() function now supports any SafeZone CL library
- supported PKCS #8 key formats, in addition to PKCS #8 keys
- ordinarily supported by MatrixSSL. (Only applicable to MatrixSSL
- FIPS Edition.)
-
-- Added matrixSslLoadKeys and matrixSslLoadKeysMem. This key loading
- function can be used in situations where the type of private key
- (RSA or EC) to load is unknown.
-
-- Added support for loading CA bundles containing both supported and
- unsupported certificates. Previously, the loading of a CA bundle
- failed if any of the certificates could not be fully parsed by
- MatrixSSL, due to e.g. disabled v1 certificate support. The new
- feature can be enabled by defining ALLOW_CA_BUNDLE_PARTIAL_PARSE
- in matrixsslConfig.h. Also the crypto-level psX509ParseCert and
- psX509ParseCertFile functions support the same feature when passed
- the CERT_ALLOW_BUNDLE_PARTIAL_PARSE flag.
-
-- Added support for RSA-SHA224 and ECDSA-SHA224 signatures in CSR
- generation, CSR parsing and certificate generation. Expanded X.509
- Generation API test.
-
-
-Changes between 3.9.0 and 3.9.1
-
-- Disabled support for SHA-1 signed certificates by default. SHA-1 can
- no longer be considered secure for this purpose
- (see https://shattered.it/static/shattered.pdf). We decided to
- disable SHA-1 signed certificates by default to ensure that
- MatrixSSL customers consider the security implications before
- enabling them. Support for SHA-1 signed certificates can be restored
- by defining ENABLE_SHA1_SIGNED_CERTS in cryptoConfig.h.
-
-- Regenerated all test certificates. Many of the old ones had exceeded
- their validity period. The new test certificates have some minor
- changes, such as the addition of some missing basicConstraints and
- authorityKeyIdentifier extensions. Note that the test certificates
- should never be used in production, but only for initial testing
- during development.
-
-- Fixed bug that caused a segfault when
- ALLOW_VERSION_1_ROOT_CERT_PARSE was enabled and the peer sent a
- version 1 certificate. Correct behaviour is to just produce an
- internal certificate validation failure in this case, as the above
- define only allows parsing of locally stored trusted
- root certificates. This bug is minor as
- ALLOW_VERSION_1_ROOT_CERT_PARSE is disabled by default, and rarely
- used by MatrixSSL customers.
-
-- Introduced new function setSocketTlsCertAuthCb for setting
- certificate authentication callback when using MatrixSSL via
- psSocket_t interface. Previously constant function name
- ssl_cert_auth was used for authentication callback.
diff --git a/doc/CHANGES_v4.x.html b/doc/CHANGES_v4.x.html
index 1059e5d..af8db4d 100644
--- a/doc/CHANGES_v4.x.html
+++ b/doc/CHANGES_v4.x.html
@@ -9,6 +9,21 @@
MatrixSSL 4.x changelog
+Changes between 4.2.1 and 4.2.2 [August 2019]
+This version fixes a few security issues related to DTLS and handshake message length. It also defines the size of psBool_t to be equivalent to bool on both x86 and ARM platforms.
+
+TLS:
+
+Crypto
+
+- Added support for parsing public keys in OpenSSL ECC DER/PEM format.
+
+- Fixed support for SHA224 RSA.
+
+
Changes between 4.2.0 and 4.2.1 [June 2019]
This version fixes an out of bounds read in ASN.1 handling found by Tyler Nighswander (ForAllSecure).
Changes between 4.1.0 and 4.2.0 [May 2019]
diff --git a/doc/CHANGES_v4.x.md b/doc/CHANGES_v4.x.md
index b631f32..ae0a976 100644
--- a/doc/CHANGES_v4.x.md
+++ b/doc/CHANGES_v4.x.md
@@ -1,7 +1,25 @@
# MatrixSSL 4.x changelog
+## Changes between 4.2.1 and 4.2.2 [August 2019]
+
+This version fixes a few security issues related to DTLS and
+handshake message length. It also defines the size of psBool_t
+to be equivalent to bool on both x86 and ARM platforms.
+
+- TLS:
+
+ * Fixed vulenerabilities and bugs related to DTLS discovered by
+ Jakub Botwicz (Samsung R&D Poland).
+
+ * Limited handshake message length.
+
+- Crypto
+
+ * Added support for parsing public keys in OpenSSL ECC DER/PEM format.
+ * Fixed support for SHA224 RSA.
+
## Changes between 4.2.0 and 4.2.1 [June 2019]
-
+
This version fixes an out of bounds read in ASN.1 handling
found by Tyler Nighswander (ForAllSecure).
diff --git a/doc/CHANGES_v4.x.txt b/doc/CHANGES_v4.x.txt
index 4b87036..647d990 100644
--- a/doc/CHANGES_v4.x.txt
+++ b/doc/CHANGES_v4.x.txt
@@ -3,6 +3,26 @@
MATRIXSSL 4.X CHANGELOG
+Changes between 4.2.1 and 4.2.2 [August 2019]
+
+This version fixes a few security issues related to DTLS and handshake
+message length. It also defines the size of psBool_t to be equivalent to
+bool on both x86 and ARM platforms.
+
+- TLS:
+
+ - Fixed vulenerabilities and bugs related to DTLS discovered by
+ Jakub Botwicz (Samsung R&D Poland).
+
+ - Limited handshake message length.
+
+- Crypto
+
+ - Added support for parsing public keys in OpenSSL ECC DER/PEM
+ format.
+ - Fixed support for SHA224 RSA.
+
+
Changes between 4.2.0 and 4.2.1 [June 2019]
This version fixes an out of bounds read in ASN.1 handling found by
diff --git a/matrixssl/dtls.c b/matrixssl/dtls.c
index a68dbe5..6ecae8a 100644
--- a/matrixssl/dtls.c
+++ b/matrixssl/dtls.c
@@ -103,7 +103,12 @@ int32_t dtlsComputeCookie(ssl_t *ssl, unsigned char *helloBytes, int32 helloLen)
# endif
if (rc >= 0)
{
- /* Truncate hash output if necessary */
+ /* Truncate hash output if necessary;
+ Use the first four bytes as srvCookie valid indicator. */
+ if ((out[0] | out[1] | out[2] | out[3]) == 0)
+ {
+ out[0] = 1; /* All bits are zero: Set one bit. */
+ }
Memcpy(ssl->srvCookie, out, DTLS_COOKIE_SIZE);
}
memzero_s(out, DTLS_COOKIE_SIZE);
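Review bot: The validity sentinel introduced at `if ((out[0] | out[1] | out[2] | out[3]) == 0)` is in-band: it overwrites hash output to mark the cookie as computed, which couples the cookie's value to its bookkeeping and relies on `ssl->srvCookie` being all-zero before the first successful call (the `rc < 0` path leaves it untouched). An explicit flag cannot collide with a genuine cookie and is easier to reason about: add a `psBool_t srvCookieValid;` field to `ssl_t`, set it here with `ssl->srvCookieValid = PS_TRUE;` right after the Memcpy, and have the encoder test that flag instead of inspecting bytes. If the sentinel is kept, its comment should state the invariant it establishes, e.g. `/* A cookie whose first four bytes are all zero means "not computed"; force a nonzero byte so a real cookie can never look uninitialised. */`. dtlsComputeCookie starts outside this hunk, so whether srvCookie is cleared earlier in the function is not visible here.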
diff --git a/matrixssl/matrixssllib.h b/matrixssl/matrixssllib.h
index cd203f1..9c98053 100644
--- a/matrixssl/matrixssllib.h
+++ b/matrixssl/matrixssllib.h
@@ -1504,6 +1504,7 @@ struct ssl
related to this session */
void *userPtr;
void *userDataPtr;
+ uint32_t fragLenStored; /* Used in DTLS along side fragTotal. */
}; /* End of struct ssl { ... */
typedef struct ssl ssl_t;
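Review bot: The comment on `fragLenStored` says only that it is used alongside fragTotal, which does not tell a maintainer what invariant the field carries; the decode path allocates `fragMessage` with `hsLen` bytes and then bounds incoming fragment offsets against this field, so the comment should say that. Suggest `uint32_t fragLenStored; /* DTLS reassembly: bytes allocated for fragMessage; an accepted fragment must satisfy fragOffset + fragLen <= fragLenStored. Must be reset to 0 whenever fragMessage is freed. */`. Spelling out the reset rule matters because the field is otherwise easy to leave stale when the buffer is released; the rest of struct ssl and its teardown code are outside this hunk, so whether such a reset exists is not visible here.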
diff --git a/matrixssl/sslDecode.c b/matrixssl/sslDecode.c
index 0f050c6..10b6487 100644
--- a/matrixssl/sslDecode.c
+++ b/matrixssl/sslDecode.c
@@ -780,6 +780,11 @@ SKIP_RECORD_PARSE:
on. OpenSSL sends them separately but most wouldn't */
if (end != c)
{
+ if (*c != SSL_RECORD_TYPE_HANDSHAKE)
+ {
+ /* Silently ignore packet. */
+ return MATRIXSSL_SUCCESS;
+ }
psAssert(*c == SSL_RECORD_TYPE_HANDSHAKE); /* Finished */
c += 11; /* Skip type, version, epoch to get to length */
/* borrow rc since we will be leaving here anyway */
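Review bot: With the early `return MATRIXSSL_SUCCESS` added just before it, the `psAssert(*c == SSL_RECORD_TYPE_HANDSHAKE)` on the next line can no longer fail and should be removed so it does not suggest a check that no longer exists. The comment `/* Silently ignore packet. */` also understates the effect, since the remainder of the datagram is discarded rather than a single record; say why that is acceptable here, e.g. `/* Only a coalesced Finished handshake record is expected after this point; drop anything else rather than assert on peer-controlled input. */`. The following `c += 11` appears to position on a record length that is read beyond this hunk, yet `end != c` has only guaranteed one remaining byte; if nothing earlier in the function enforces at least 13 bytes here, a guard such as `if (end - c < 13) return MATRIXSSL_SUCCESS;` belongs in the same place. The enclosing function starts outside this hunk, so that earlier check may exist but is not visible.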
@@ -2283,6 +2288,7 @@ hsStateDetermined:
*/
if (ssl->rec.majVer >= SSL3_MAJ_VER)
{
+ uint32 hsLenMax;
if (end - c < 3)
{
ssl->err = SSL_ALERT_DECODE_ERROR;
@@ -2293,6 +2299,44 @@ hsStateDetermined:
hsLen = *c << 16; c++;
hsLen += *c << 8; c++;
hsLen += *c; c++;
+
+ if (ssl->hsState == SSL_HS_CLIENT_HELLO)
+ {
+ /* This is for Client Hello.
+ Note: "Client Hello" is determined according to
+ expected state of server, rather than examining of the
+ message. Therefore, this limit applies to any first
+ protocol handshake message received. */
+#ifdef SSL_DEFAULT_IN_HS_SIZE_CLIENT_HELLO
+ hsLenMax = SSL_DEFAULT_IN_HS_SIZE_CLIENT_HELLO;
+#else
+ hsLenMax = 1024; /* Built-in default, in case MatrixSSL
+ configuration does not override the size. */
+#endif
+ }
+ else
+ {
+ /* This is for other messages. Other messages can be
+ larger, due to possibility that they can include certificates.
+ Certificates can be (in theory) arbitrarily large,
+ but we need to provide a limit for certificate chain, because
+ otherwise arbitrary amount of memory could be allocated
+ . */
+#ifdef SSL_DEFAULT_IN_HS_SIZE
+ hsLenMax = SSL_DEFAULT_IN_HS_SIZE;
+#else
+ hsLenMax = 65536; /* Built-in default, in case MatrixSSL
+ configuration does not override the size. */
+#endif
+ }
+ if (hsLen > hsLenMax)
+ {
+ /* The (fragmented) packet is considered overly large and dropped.
+ */
+ ssl->err = SSL_ALERT_DECODE_ERROR;
+ psTraceInt("Maximum length exceeded (%d)\n", (int) hsLenMax);
+ return MATRIXSSL_ERROR;
+ }
#ifdef USE_DTLS
if (ACTV_VER(ssl, v_dtls_any))
{
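Review bot: The built-in ClientHello ceiling `hsLenMax = 1024;` is tight: a ClientHello carrying several key_share entries, a long PSK identity list or large SNI/ALPN sets can exceed 1 KiB, and because the limit is keyed on `ssl->hsState == SSL_HS_CLIENT_HELLO` rather than on the message contents (as the comment itself notes), any first handshake message received in that state is cut off at the same size. A built-in default closer to a full plaintext record, e.g. `hsLenMax = 16384;`, still bounds the `psMalloc(ssl->hsPool, hsLen)` that follows while avoiding interoperability failures, and the `SSL_DEFAULT_IN_HS_SIZE_CLIENT_HELLO` override remains available for deployments that want a smaller cap. Both literals would also read better as named constants defined next to the other limits (for instance alongside MAX_FRAGMENTS) than as magic numbers inside the decoder. The dangling `.` on its own line at the end of the second comment block should be folded into the preceding sentence.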
@@ -2342,6 +2386,7 @@ hsStateDetermined:
ssl->fragMessage = NULL;
}
ssl->fragMessage = psMalloc(ssl->hsPool, hsLen);
+ ssl->fragLenStored = hsLen;
if (ssl->fragMessage == NULL)
{
return SSL_MEM_ERROR;
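Review bot: `ssl->fragLenStored = hsLen;` is assigned before the `psMalloc` result is checked, so after `return SSL_MEM_ERROR;` the field describes a buffer that does not exist while `fragMessage` is NULL. Move the assignment below the `if (ssl->fragMessage == NULL)` check, and reset it where the previous buffer is released (the `ssl->fragMessage = NULL;` context line above) with `ssl->fragLenStored = 0;`, so the bound never outlives the allocation it describes. Whether the session is torn down on SSL_MEM_ERROR is not visible here, so the stale value may be harmless today, but keeping the two fields in lockstep removes the dependency on that behaviour.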
@@ -2378,6 +2423,20 @@ hsStateDetermined:
MAX_FRAGMENTS);
return PS_LIMIT_FAIL;
}
+
+/*
+ Verify the fragment belongs within fragMessage.
+*/
+ if (fragOffset + fragLen > hsLen ||
+ fragOffset + fragLen > ssl->fragLenStored)
+ {
+ /* Fragment outside proper area. */
+ ssl->err = SSL_ALERT_DECODE_ERROR;
+ psTraceIntDtls("Fragment outside range [0...%d]: ignored\n",
+ (int) hsLen);
+ return MATRIXSSL_ERROR;
+ }
+
/*
Need to save the hs header info aside as well so that we may
pass the fragments through the handshake hash mechanism in
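Review bot: The trace text `Fragment outside range [0...%d]: ignored` says the fragment is ignored, but the code sets `SSL_ALERT_DECODE_ERROR` and returns `MATRIXSSL_ERROR`, which aborts the handshake; change the wording to `rejected` so a log reader does not assume the session continued. Bounding against both `hsLen` and `ssl->fragLenStored` is correct for the allocation, but a fragment whose header advertises a different total length than the one the buffer was sized for is itself malformed, so consider rejecting the mismatch outright with `if (hsLen != ssl->fragLenStored || fragOffset + fragLen > hsLen)`, unless retransmissions of a different message are expected to reach this path (not visible here). DTLS fragment offset and length are 24-bit wire fields, so `fragOffset + fragLen` cannot overflow provided those locals are at least 32 bits wide; their declarations are outside this hunk and worth confirming.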
diff --git a/matrixssl/sslEncode.c b/matrixssl/sslEncode.c
index d82dba0..bcf3125 100644
--- a/matrixssl/sslEncode.c
+++ b/matrixssl/sslEncode.c
@@ -7869,6 +7869,12 @@ static int32 writeHelloVerifyRequest(ssl_t *ssl, sslBuf_t *out)
Memcpy(c, ssl->srvCookie, DTLS_COOKIE_SIZE);
c += DTLS_COOKIE_SIZE;
+ if ((ssl->srvCookie[0] | ssl->srvCookie[1] | ssl->srvCookie[2] | ssl->srvCookie[3]) == 0)
+ {
+ /* The cookie is invalid. Cannot encode. */
+ return PS_LIMIT_FAIL;
+ }
+
if ((rc = postponeEncryptRecord(ssl, SSL_RECORD_TYPE_HANDSHAKE,
SSL_HS_HELLO_VERIFY_REQUEST, messageSize, padLen, encryptStart,
out, &c)) < 0)
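Review bot: The validity check on `ssl->srvCookie` runs after `Memcpy(c, ssl->srvCookie, DTLS_COOKIE_SIZE)` has already written the invalid cookie into the output buffer and advanced `c`; hoist it above that copy, ideally to the top of writeHelloVerifyRequest before any byte is emitted, so a failing call leaves the output untouched. `PS_LIMIT_FAIL` is also an odd code for "cookie not computed"; a generic failure code, if the library has one for internal-state errors, would read better and the comment should name the real cause, e.g. `/* dtlsComputeCookie has not produced a cookie for this session. */`. If an explicit validity flag is ever added to ssl_t, this byte comparison becomes a simple test of that flag. The function begins outside the hunk, so whether an earlier check already covers this is not visible.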
diff --git a/matrixssl/tls.c b/matrixssl/tls.c
index 146d447..adf1f85 100644
--- a/matrixssl/tls.c
+++ b/matrixssl/tls.c
@@ -1176,12 +1176,20 @@ int32_t findFromUint16Array(const uint16_t *a,
psBool_t anyTls13VersionSupported(ssl_t *ssl)
{
- return SUPP_VER(ssl, v_tls_1_3_any);
+ if (SUPP_VER(ssl, v_tls_1_3_any))
+ {
+ return PS_TRUE;
+ }
+ return PS_FALSE;
}
psBool_t anyNonTls13VersionSupported(ssl_t *ssl)
{
- return SUPP_VER(ssl, v_tls_legacy);
+ if (SUPP_VER(ssl, v_tls_legacy))
+ {
+ return PS_TRUE;
+ }
+ return PS_FALSE;
}
# ifdef USE_TLS_1_3
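Review bot: Neither function says why the raw `SUPP_VER(...)` result is no longer returned directly, and the reason matters: the changelog in this commit makes psBool_t an 8-bit type on x86/ARM, and where that type is a plain `unsigned char` rather than a true `_Bool`, a version bitmask whose set bit lies above bit 7 would be truncated to 0 and silently report "not supported". Add a comment such as `/* SUPP_VER yields a version bitmask; normalise to PS_TRUE/PS_FALSE so the result survives an 8-bit psBool_t. */`, and audit the other psBool_t-returning helpers for the same pattern, since this commit fixes only these two. As a style point each body can be one line, `return SUPP_VER(ssl, v_tls_1_3_any) ? PS_TRUE : PS_FALSE;`. SUPP_VER's definition is outside this hunk, so the bitmask assumption should be confirmed against it.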
diff --git a/matrixssl/version.h b/matrixssl/version.h
index 3e16081..2c8c3aa 100644
--- a/matrixssl/version.h
+++ b/matrixssl/version.h
@@ -8,10 +8,10 @@
extern "C" {
#endif
-#define MATRIXSSL_VERSION "4.2.1-OPEN"
+#define MATRIXSSL_VERSION "4.2.2-OPEN"
#define MATRIXSSL_VERSION_MAJOR 4
#define MATRIXSSL_VERSION_MINOR 2
-#define MATRIXSSL_VERSION_PATCH 1
+#define MATRIXSSL_VERSION_PATCH 2
#define MATRIXSSL_VERSION_CODE "OPEN"
#ifdef __cplusplus
diff --git a/pgp.asc b/pgp.asc
index b5383c8..808a887 100644
--- a/pgp.asc
+++ b/pgp.asc
@@ -1,5 +1,4 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
-Version: GnuPG v2.0.14 (GNU/Linux)
mQINBFeO0mMBEACxCB7D5JVdizXwb0TKKlXGFGBvJHCQvPZplHNXXxsfZUgdJg7v
THuNdu5eryy1EIvE5dFGnvoq/cOPXc9bKMj2zLEyeVTGm2nImzCTn3MMNGqrIv9g
@@ -47,6 +46,53 @@ dK2uyGlos2WgPYlUUlCbv3hutv1RkosiQP38LegOgC7i3BEkQdVQHeBb3PGJI4YD
1KAUWKNYi3nvvZ2niyodxpblRFbz7rh66zDJZ61P0GBlH9ay3eAd7V8RWV07PKAH
tq40V6yOsQei9xyJrUmjfQipeE+XAG2fXYNEUJE/Ss5T0gGFkiA3ON8pCcMM64u4
vZDOUAgVur9Qt6XjmgP8+V2TmCg6i5onmlobqu/vOaFZVhZSaWDF8ENRINGNWidm
-jlkZfHBR7FeZ+zk4xUe4qQTxkw==
-=ytP8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+=dgWJ
-----END PGP PUBLIC KEY BLOCK-----
diff --git a/release_notes-4-2-1-open.html b/release_notes-4-2-2-open.html
similarity index 95%
rename from release_notes-4-2-1-open.html
rename to release_notes-4-2-2-open.html
index 1059e5d..af8db4d 100644
--- a/release_notes-4-2-1-open.html
+++ b/release_notes-4-2-2-open.html
@@ -9,6 +9,21 @@
MatrixSSL 4.x changelog
+Changes between 4.2.1 and 4.2.2 [August 2019]
+This version fixes a few security issues related to DTLS and handshake message length. It also defines the size of psBool_t to be equivalent to bool on both x86 and ARM platforms.
+
+TLS:
+
+Crypto
+
+- Added support for parsing public keys in OpenSSL ECC DER/PEM format.
+
+- Fixed support for SHA224 RSA.
+
+
Changes between 4.2.0 and 4.2.1 [June 2019]
This version fixes an out of bounds read in ASN.1 handling found by Tyler Nighswander (ForAllSecure).
Changes between 4.1.0 and 4.2.0 [May 2019]