mars-matrixssl/release_notes-4-5-1-open.html

<h1>MatrixSSL 4.x changelog</h1>

<h2>Changes between 4.5.0 and 4.5.1 [July 2022]</h2>

<pre><code>* Fix a usage of return value of psX509ParseCert when a flag is set
</code></pre>

<h2>Changes between 4.4.0 and 4.5.0 [June 2022]</h2>

<pre><code>* Enabled RSA SHA512 signature algorithm in TLS1.2 certrequest.
* Enabled SHA512 in privRsaEncryptSignedElement.
* Fixed DTLS change cipher spec retransmit epoch.
* Compilation warning fixes.
* Memory leak fixes.
</code></pre>

<h2>Changes between 4.3.0 and 4.4.0 [December 2021]</h2>

<pre><code>* Fixed a type mismatch in matrixCmsParseEnvelopedDataBuf.
* Increased the value of MAX_OID_BYTES to 48.
* Changes to the handling of the validity time in self generated certs.
* Fixed a possible vulnerability in parseAuthorityInfoAccess 
  discovered by Tavis Ormandy (Github issue #44). 
* Fixed a memory leak in getExplicitExtensions 
  discovered by Tavis Ormandy (Github issue #43). 
* Fixed vulnerability in SHA256 intialisation discovered by Marcel Maehren,
  Philipp Nieting, Sven Hebrok, Robert Merget, Juraj Somorovsky and
  Jörg Schwenk from Ruhr University Bochum and Paderborn-University.
* Fixes in cross certificate handling.
* Fixed a bug in pkcs1Pad.
* Fixed a bug in psX963KeyDerivation.
* Fixed the default behaviour when TLS version is not explicitly specified.
* Fixed compilation errors when using debugging.
* Memory leak fixes.
</code></pre>

<h2>Changes between 4.2.2 and 4.3.0 [June 2020]</h2>

<pre><code>* Added a constant-time variant of eccMulmod, in response to the Minerva attack.
* Fixed a possible infinite loop in message parsing discovered by 
  Andreas Walz (ivESK).
* Timing sidechannel mitigation (Github issue #23).
* Change hard coded values to enums in matrixSslLoadKeys (Github issue #35).
* Disabled TLS 1.3 draft versions by default.
* Fixes TLS 1.2 session ticket based resumption.
* May only enable either PS_PUBKEY_OPTIMIZE_FOR_FASTER_SPEED or
  PS_PUBKEY_OPTIMIZE_FOR_SMALLER_RAM (Github issue #37). 
* Channel Bindings for TLS (only for TLS 1.2 and below), new APIs added
    - matrixSslGetFinished
    - matrixSslGetPeerFinished
    - matrixSslGetTlsUniqueChannelBindings
* Added API for accessing MatrixSSL structures without direct access
  to structure members. Use of this API will slightly enlarge the
  MatrixSSL binary but will enable building software that is not
  dependent on exact binary layout of structures such as ssl_t.
* Fixes the bug when NULL keydata was used in sslLoadKeyPair() function.
* Other bug fixes.
</code></pre>

<h2>Changes between 4.2.1 and 4.2.2 [August 2019]</h2>

<p>This version fixes a few security issues related to DTLS and
handshake message length. It also defines the size of psBool_t
to be equivalent to bool on both x86 and ARM platforms.</p>

<ul>
<li><p>TLS:</p>

<ul>
<li>Fixed vulenerabilities and bugs related to DTLS discovered by
Jakub Botwicz (Samsung R&amp;D Poland).</li>
<li>Limited handshake message length.<br></li>
</ul></li>
<li><p>Crypto</p>

<ul>
<li>Added support for parsing public keys in OpenSSL ECC DER/PEM format.<br></li>
<li>Fixed support for SHA224 RSA.<br></li>
</ul></li>
</ul>

<h2>Changes between 4.2.0 and 4.2.1 [June 2019]</h2>

<p>This version fixes an out of bounds read in ASN.1 handling
found by Tyler Nighswander (ForAllSecure).</p>

<h2>Changes between 4.1.0 and 4.2.0 [May 2019]</h2>

<p>This version adds a compile-time option that allows TLS 1.3 only
builds, adds new getter APIs and fixes several bugs.</p>

<ul>
<li><p>TLS:</p>

<ul>
<li>Allow TLS 1.3 only builds by introducing the USE<em>TLS</em>1<em>3</em>ONLY
compile-time option. This significantly reduces the minimum code
footprint of TLS 1.3 builds. The example configuration
tls13-minimal makes use of the new compile-time option.</li>
<li>Add the matrixSslGetUserPtr API. This getter API should be used
instead of raw access to ssl-&gt;userPtr.</li>
<li>Added the matrixSslGetNegotiatedCiphersuite and
matrixSslGetActiveCiphersuite APIs.</li>
<li>Added the matrixSslGetMasterSecret API. This API requires the
ENABLE<em>MASTER</em>SECRET_EXPORT compile-time option, which is
disabled by default.</li>
<li>Completely remove support for TLS record compression (unifdef
USE<em>ZLIB</em>COMPRESSION). TLS record compression is almost never
used in practice due to serious vulnerabilities associated with
the feature (see e.g. the CRIME attack).</li>
<li>Fixed a bug where decrypting an alert in TLS 1.3 could cause
matrixSslProcessed data to erroneously indicate that there is
more application data to process.</li>
<li>Allow storing the unparsed certificate DER octets (in the
unparsedBin member of psX509Cert_t) even in TLS 1.3.</li>
<li>Fix segfault when receiving a server certificate without the
commonName component.</li>
<li>Fixed handshake failure with some clients that attempted to use
a TLS 1.2 session ticket in a TLS 1.3 connection.</li>
<li>Fix build error with the USE<em>EXT</em>CERTIFICATE<em>VERIFY</em>SIGNING
compile-time option.</li>
<li>Fix sslTest failure when using the
USE<em>EXT</em>CERTIFICATE<em>VERIFY</em>SIGNING compile-time option.</li>
<li>Fix a bug that caused the server to sometimes select a TLS 1.3
ciphersuite even when TLS 1.2 or below had been negotiated.</li>
<li>Add Ed25519 test keys and certificates.</li>
<li>Add Ed25519 testing to sslTest. (Note that Ed25519 is only
supported in TLS 1.3.)</li>
</ul></li>
<li><p>Crypto:</p>

<ul>
<li>(FIPS Edition only): Fix a bug that prevented verification of
RSA-SHA-1 signatures in FIPS mode. FIPS 140-2 allows
verification of SHA-1 based signatures, but forbids generating
such signatures.</li>
<li>Store the order of DN attributes in certificate subject and
issuer fields.</li>
<li>Add an option to the psX509GetOnelineDN API that allows printing
the DN attributes in the original order they were encoded in the
parsed certificate.</li>
<li>Fix parsing of Ed25519 certificates.</li>
<li>Fix parsing of ECDSA-SHA224 certificates.</li>
</ul></li>
</ul>

<h2>Changes between 4.0.2 and 4.1.0 [April 2019]</h2>

<ul>
<li><p>TLS:</p>

<ul>
<li>(RoT Edition only): Added support for Inside Secure VaultIP
(Root-of-Trust) crypto provider.</li>
<li>Improved the separation of private and public TLS header files
for better private-public separation. The public headers now of
the form matrixsslApi*.h, while private headers are of the form
matrixssllib_*.h.</li>
<li>Added client-side support for X25519 in TLS 1.2.</li>
<li>Added client-side support for RSASSA-PSS signatures in TLS 1.2.</li>
<li>Added support for RSASSA-PSS key/cert pairs.</li>
<li>Fix vulnerabilities reported by Robert Święcki (discovered using
Hongfuzzer): a server-side heap buffer read overflow when
parsing maliciously crafted ClientHello extensions and a
segfault in TLS 1.2 GCM decryption of maliciously crafted
records with small ciphertext.</li>
<li>Added the simpleClient.c and simpleServer.c example
applications. These are intended as minimalistic examples of how
to use the top-level TLS API.</li>
<li>Fixed bugs in matrixSslSessOptsServerTlsVersionRange and
matrixSslSessOptsClientTlsVersionRange.</li>
<li>Fixed bug that caused non-insitu app data encryption to fail in
tls13EncodeAppData when using the matrixSslEncodeToOutdata API
instead of the more standard matrixSslGetWriteBuf +
matrixSslEncodeWritebuf pattern.</li>
<li>Added new minimal example configurations: tls12-minimal,
tls12-minimal-client-ecc, tls13-minimal,
tls13-minimal-client-ecc</li>
<li>When performing TLS 1.2 renegotiation, re-send the original
ClientHello cipher list.</li>
<li>Added the USE<em>LENIENT</em>TLS<em>RECORD</em>VERSION_MATCHING compatibility
option.</li>
</ul></li>
</ul>

<h2>Changes between 4.0.1 and 4.0.2 [February 2019]</h2>

<p>This version fixes a critical vulnerability in RSA signature
verification. A maliciously crafted certificate can be used to trigger
a stack buffer overflow, allowing potential remote code execution
attacks. The vulnerability only affects version 4.0.1 and the standard
Matrix Crypto provider. Other providers, such as the FIPS crypto
provider, are not affected by the bug. Thanks to Tavis Ormandy for
reporting this.</p>

<h2>Changes between 4.0.0 and 4.0.1 [November 2018]</h2>

<p>This version improves the security of RSA PKCS #1.5 signature
verification and adds better support for run-time security
configuration.</p>

<ul>
<li><p>TLS:</p>

<ul>
<li>Added a run-time security callback feature
(matrixSslRegisterSecurityCallback). The security callback can
allow or deny a cryptographic operation based on the operation
type and the key size. Currently only authentication and key
exchange operations are supported. The default security callback
supports pre-defined security profiles
(matrixSslSetSecurityProfile).</li>
<li>Added an example security profile: WPA3 1.0 Enterprise 192-bit
mode restrictions for EAP-TLS.</li>
<li>Added support for the TLS<em>DHE</em>RSA<em>WITH</em>AES<em>256</em>GCM_SHA384
ciphersuite.</li>
<li>Changed the way how protocol version IDs are stored internally
and rewrote most of the version negotiation code. This is almost
entirely an internal code refactoring. To the API user, the only
visible change is that version selection APIs now take in an
argument of type psProtocolVersion<em>t instead of int32</em>t. See the
API reference guide for details.</li>
<li>Refactored ServerKeyExchange signature generation and
verification code.</li>
</ul></li>
<li><p>Crypto:</p>

<ul>
<li>Changed from a parsing-based to a comparison-based approach in
DigestInfo validation when verifying RSA PKCS #1.5
signatures. There are no known practical attacks against the old
code, but the comparison-based approach is theoretically more
sound. Thanks to Sze Yiu Chau from Purdue University for
pointing this out.</li>
<li>(MatrixSSL FIPS Edition only:) Fix DH key exchange when using DH
parameter files containing optional privateValueLength argument.</li>
<li>psX509AuthenticateCert now uses the common psVerifySig API for
signature verification. Previously, CRLs and certificates used
different code paths for signature verification.</li>
</ul></li>
</ul>

<h2>Changes between 3.9.5 and 4.0.0 [August 2018]</h2>

<p>This version adds support for RFC 8446 (TLS 1.3), new APIs for
configuring session options as well as fixes to security
vulnerabilities.</p>

<ul>
<li><p>TLS:</p>

<ul>
<li>Added support for TLS 1.3 (RFC 8446 version) as well as draft
versions 23, 24, 26 and 28.</li>
<li>Supported TLS 1.3 handshake types:

<ul>
<li>Basic handshake with server authentication</li>
<li>Incorrect DHE key share (HelloRetryRequest) handshake</li>
<li>PSK handshake</li>
<li>Resumed handshake</li>
<li>0RTT data handshake</li>
</ul></li>
<li>Supported TLS 1.3 ciphersuites:

<ul>
<li>TLS<em>AES</em>128<em>GCM</em>SHA256</li>
<li>TLS<em>AES</em>256<em>GCM</em>SHA384</li>
<li>TLS<em>CHACHA20</em>POLY1305_SHA256</li>
</ul></li>
<li>Supported key exchange modes in TLS 1.3:

<ul>
<li>DHE with the ffdhe2048, ffdhe3072 and ffdhe4096 groups</li>
<li>ECDHE with the P-256, P-384, P-521 and X25519 groups</li>
<li>PSK with (EC)DHE</li>
<li>PSK only</li>
</ul></li>
<li>Supported signature algorithms in TLS 1.3:

<ul>
<li>ECDSA with P-256, P-384 and P-521</li>
<li>Ed25519</li>
<li>RSASSA-PSS</li>
<li>RSA PKCS #1.5 (certificates only)</li>
</ul></li>
<li>Supported PKI features in TLS 1.3:

<ul>
<li>X.509 certificates</li>
<li>CRLs</li>
<li>OCSP stapling</li>
</ul></li>
<li>Supported TLS 1.3 extensions:

<ul>
<li>supported_versions</li>
<li>supported_groups</li>
<li>key_share</li>
<li>signature_algorithms</li>
<li>signature<em>algorithms</em>cert</li>
<li>server_name</li>
<li>certificate_authorities</li>
<li>cookie</li>
<li>status_request</li>
<li>max<em>fragment</em>length</li>
</ul></li>
<li>Support for TLS 1.3 record padding</li>
<li>Fixed several client-side crashes and undefined behaviours on
maliciously crafted server messages. The bugs were found using
TLS-Attacker. Thanks to Robert Merget from the Ruhr-University
Bochum for reporting these.</li>
<li>Added the matrixSslSessOptsSetServerTlsVersions and
matrixSslSessOptsSetClientTlsVersions APIs for selecting the
supported protocol versions at run-time. Please consult the API
reference for details.</li>
<li>Added a couple of TLS 1.3 specific APIs:

<ul>
<li>matrixSslSessOptsSetSigAlgsCert</li>
<li>matrixSslSessOptsSetKeyExGroups</li>
<li>matrixSslGetEarlyDataStatus</li>
<li>matrixSslGetMaxEarlyData</li>
<li>matrixSslLoadTls13Psks</li>
<li>matrixSslSetTls13BlockPadding</li>
</ul></li>
<li>Added an API for selecting supported signature algorithms:
(usable in both TLS 1.3 and TLS 1.2):

<ul>
<li>matrixSslSessOptsSetSigAlgs</li>
</ul></li>
<li>Added new example configurations. The recommended configuration
for using TLS 1.3 and below is tls13 (Commercial Edition) or
nonfips-tls13 (FIPS Edition)</li>
<li>Updated and improved the Developer Guide and the MatrixSSL APIs
reference document.</li>
<li>Improved the example client and server programs and fixed bugs.</li>
<li>Resend user extensions (e.g. SNI) when responding to HelloRequest</li>
<li>sslTest now allows specifying the ciphersuites and protocol
versions to test via environment variables.</li>
<li>Improvements to identity management, including support for
loading multiple identities (key and cert pairs) during
initialization and postponed key and cert loading. See the
MatrixSSL Developer Guide for details.</li>
<li>Refactored key loading and protocol version negotiation.</li>
<li>Fixed server-side signature algorithm selection when the server
certificate is signed with a different algorithm (RSA or ECDSA)
than the public key contain therein.</li>
<li>Much improved TLS-level debug prints and logging
(tlsTrace.c). USE<em>SSL</em>HANDSHAKE<em>MSG</em>TRACE now consistently
enables messages such as &quot;parsing/creating handshake message X
or extension Y&quot;. USE<em>SSL</em>INFORMATIONAL_TRACE now prints out more
details on the contents of handshake messages and extensions.</li>
<li>Refactored public header files.</li>
</ul></li>
<li><p>Crypto:</p>

<ul>
<li>NCC Group&#39;ss Keegan Ryan has found a side-channel attack
affecting multiple cryptographic libraries. The &quot;ROHNP&quot; Key
Extraction Side Channel (CVE-2018-0495) has been fixed.</li>
<li>Added support for Ed25519 signatures in TLS 1.3</li>
<li>Added support for ECDHE with X25519 in TLS 1.3</li>
<li>Added algorithm-independent signature and verification APIs:
psSign and psVerify.</li>
<li>Source file reorganization. New new naming scheme aims for
better consistency, clarity and makes it easier to ifdef out
unneeded features.</li>
<li>Added psEccWritePrivKeyMem and psEccWritePrivKeyFile the public
crypto API</li>
</ul></li>
<li><p>X.509 and PKCS standards</p>

<ul>
<li>Fixed processing of indefinite expiration date (31.12.9999).</li>
<li>Basic Constraints no longer unconditionally added when generating CSR data</li>
<li>Session option for requesting subrange of allowed tls versions.</li>
<li>Specify certificate validity dates when generating certificate.</li>
<li>Support for reading PKCS #12 and CA certificates from memory
(der encoded).</li>
<li>Support for key usage encipher only and decipher only bits
in generating certificate generation.</li>
<li>Option for MD2/MD4/MD5 signatures compatibility on certificates.</li>
<li>X.509 certificates allow NIL character at the end of GeneralName field.
This is for compatibility with various other products.</li>
<li>It is now possible to compile X.509 certificate and CSR
generation code only ECC or RSA support for smaller footprint.</li>
<li>Added Ed25519 specific functions such as psEd25519ParsePrivKey,
psEd25519Sign, etc.</li>
</ul></li>
<li><p>Other changes</p>

<ul>
<li>Added export.mk, which generates example binary packaging of a
previously compiled MatrixSSL package and includes two of the
example applications within the package. This package shows how
to export MatrixSSL includes and libraries outside the source tree
keeping configuration with the includes.</li>
</ul></li>
<li><p>Known issues</p>

<ul>
<li>The TLS 1.3 code has not yet been fully optimized for footprint.</li>
<li>If the client sends a TLS 1.3 ClientHello with X25519 as the key
exchange group, the server downgrades to TLS 1.2 but still
wishes to use X25519, the handshake will fail, because MatrixSSL
does not yet support X25519 in TLS 1.2 and below.</li>
</ul></li>
</ul>