forked from wolfSSL/wolfssl
prepare for release 3.15.5
101
README
@@ -73,46 +73,81 @@ should be used for the enum name.
*** end Notes ***


********* wolfSSL Release 3.15.3 (6/20/2018)
********* wolfSSL Release 3.15.5 (11/07/2018)

Release 3.15.3 of wolfSSL embedded TLS has bug fixes and new features including:

- ECDSA blinding added for hardening against side channel attacks
- Fix for compatibility layer build with no server and no client defined
- Use of optimized Intel assembly instructions on compatible AMD processor
- wolfCrypt Nucleus port additions
- Fix added for MatchDomainName and additional tests added
- Fixes for building with ‘WOLFSSL_ATECC508A’ defined
- Fix for verifying a PKCS7 file in BER format with indefinite size


This release of wolfSSL fixes 2 security vulnerability fixes.

Medium level fix for PRIME + PROBE attack combined with a variant of Lucky 13.
Constant time hardening was done to avoid potential cache-based side channel
attacks when verifying the MAC on a TLS packet. CBC cipher suites are
susceptible on systems where an attacker could gain access and run a parallel
program for inspecting caching. Only wolfSSL users that are using TLS/DTLS CBC
cipher suites need to update. Users that have only AEAD and stream cipher suites
set, or have built with WOLFSSL_MAX_STRENGTH (--enable-maxstrength), are not
vulnerable. Thanks to Eyal Ronen, Kenny Paterson, and Adi Shamir for the report.

Medium level fix for a ECDSA side channel attack. wolfSSL is one of over a dozen
vendors mentioned in the recent Technical Advisory “ROHNP” by author Ryan
Keegan. Only wolfSSL users with long term ECDSA private keys using our fastmath
or normal math libraries on systems where attackers can get access to the
machine using the ECDSA key need to update. An attacker gaining access to the
system could mount a memory cache side channel attack that could recover the key
within a few thousand signatures. wolfSSL users that are not using ECDSA private
keys, that are using the single precision math library, or that are using ECDSA
offloading do not need to update. (blog with more information
https://www.wolfssl.com/wolfssh-and-rohnp/)
Release 3.15.5 of wolfSSL embedded TLS has bug fixes and new features including:

- Fixes for GCC-8 warnings with strings
- Additional compatibility API’s added, including functions like wolfSSL_X509_CA_num and wolfSSL_PEM_read_X509_CRL
- Fixes for OCSP use with NGINX port
- Renamed the macro INLINE to WC_INLINE for inline functions
- Doxygen updates and formatting for documentation generation
- Added support for the STM32L4 with AES/SHA hardware acceleration
- Adds checking for critical extension with certificate Auth ID and the macro WOLFSSL_ALLOW_CRIT_SKID to override the check
- Added public key callbacks to ConfirmSignature function to expand public key callback support
- Added ECC and Curve25519 key generation callback support
- Fix for memory management with wolfSSL_BN_hex2bn function
- Added support for dynamic allocation of PKCS7 structure using wc_PKCS7_New and wc_PKCS7_Free
- Port to apache mynewt added in the directory wolfssl-3.15.5/IDE/mynewt/*
- OCSP stapling in TLS 1.3 additions
- Port for ASIO added with --enable-asio configure flag
- Contiki port added with macro WOLFSSL_CONTIKI
- Memory free optimizations with adding in earlier free’s where possible
- Made modifications to the primality testing so that the Miller-Rabin tests check against up to 40 random numbers rather than a fixed list of small primes
- Certificate validation time generation updated
- Fixes for MQX classic 4.0 with IAR-EWARM
- Fix for assembly optimized version of Curve25519
- Make SOCKET_PEER_CLOSED_E consistent between read and write cases
- Relocate compatibility layer functions for OpenSSH port update
- Update to Intel® SGX port, files included by Windows version and macros defined when using WOLFSSL_SGX
- Updates to Nucleus version supported
- Stack size reduction with smallstack build
- Updates to Rowley-Crossworks settings for CMSIS 4
- Added reference STSAFE-A100 public key callbacks for TLS support
- Added reference ATECC508A/ATECC608A public key callbacks for TLS support
- Updated support for latest CryptoAuthLib (10/25/2018)
- Added a wolfSSL static library project for Atollic TrueSTUDIO
- Flag to disable AES-CBC and have only AEAD cipher suites with TLS
- AF_ALG and cryptodev-linux crypto support added
- Update to IO callbacks with use of WOLFSSL_BIO
- Additional support for parsing certificate subject OIDs (businessCategory, jurisdiction of incorporation country, and jurisdiction of incorporation state)
- Added wc_ecc_ecport_ex and wc_export_inti API's for ECC hex string exporting
- Updates to XCODE build with wolfSSL
- Fix for guard on when to include sys/time.h header
- Updates and enhancements to the GCC-ARM example
- Fix for PKCS8 padding with encryption
- Updates for wolfcrypt JNI wrapper
- ALT_ECC_SIZE use with SP math
- PIC32MZ hardware acceleration buffer alignment fixes
- Renesas e2studio project files added
- Renesas RX example project added
- Fix for DH algorithm when using SP math with ARM assembly
- Fixes and enhancements for NXP K82 support
- Benchmark enhancements to print in CSV format and in Japanese
- Support for PKCS#11 added with --enable-pkcs11
- Fixes for asynchronous crypto use with TLS 1.3
- TLS 1.3 only build, allows for disabling TLS 1.2 and earlier protocols
- Fix for GCC warnings in function wolfSSL_ASN1_TIME_adj
- Added --enable-asn=nocrypt for certificate only parsing support
- Added support for parsing PIV format certificates with the function wc_ParseCertPIV and macro WOLFSSL_CERT_PIV
- Added APIs to support GZIP
- Updates to support Lighttpd
- Version resource added for Windows DLL builds
- Increased code coverage with additional testing
- Added support for constructed OCTET_STRING with PKCS#7 signed data
- Added DTLS either (server/client) side initialization setting
- Minor fixes for building with MINGW32 compiler
- Added support for generic ECC PEM header/footer with PKCS8 parsing
- Added Japanese output to example server and client with “-1 1” flag
- Added USE_ECDSA_KEYSZ_HASH_ALGO macro for building to use digest sizes that match ephemeral key size
- Expand PKCS#7 CMS support with KEKRI, PWRI and ORI
- Streaming capability for PKCS#7 decoding and sign verify added


See INSTALL file for build instructions.
More info can be found on-line at http://wolfssl.com/wolfSSL/Docs.html


*** Resources ***
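Review bot: Removing the 3.15.3 block takes its two vulnerability notices out of README (the PRIME + PROBE / Lucky 13 variant fix for TLS/DTLS CBC cipher suites and the ROHNP ECDSA side-channel fix, each stating exactly which users need to update) while the new 3.15.5 section carries no security-fix paragraph at all; confirm those notices are kept in the project changelog before this lands, so users who read only README still see the "who needs to update" guidance. In the added bullet list, `- Added wc_ecc_ecport_ex and wc_export_inti API's for ECC hex string exporting` looks like it misspells the export function names (and `API's` should be `APIs`, matching the later `Added APIs to support GZIP` bullet); please verify against the header. Minor: `- Port to apache mynewt added` should read `Apache Mynewt`, and `- Flag to disable AES-CBC and have only AEAD cipher suites with TLS` would be more useful if it named the actual macro or configure option, since that is the mitigation the removed CBC notice points users toward.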