./security/polarssl, Lightweight, modular cryptographic and SSL/TLS library



Branch: pkgsrc-2014Q2, Version: 1.2.11, Package name: polarssl-1.2.11, Maintainer: pkgsrc-users

PolarSSL is an SSL library written in ANSI C. PolarSSL makes it easy for
developers to include cryptographic and SSL/TLS capabilities in their
(embedded) products with as little hassle as possible. It is designed to be
readable, documented, tested, loosely coupled and portable.

This package includes headers/libs only, not the demo programs.

PolarSSL is licensed under the GPLv2, but offers exceptions that allow it to be
distributed with works licensed under Apache, BSD, CC0, EUPL, LGPL, ISC, WTFPL,
X11 and zlib/libpng.


Master sites:

SHA1: 40cb3a833245273946c2075e6c948bbcda8a1be9
RMD160: 8c9ff2687ded57e1b0ef5b351f61019b6e9c7347
Filesize: 996.26 KB


CVS history:


   2014-07-16 13:53:40 by Matthias Scheler | Files touched by this commit (2) | Package updated
Log message:
Pullup ticket #4452 - requested by obache
security/polarssl: security update

Revisions pulled up:
- security/polarssl/Makefile                                    1.5
- security/polarssl/distinfo                                    1.3

---
   Module Name:	pkgsrc
   Committed By:	obache
   Date:		Wed Jul 16 10:03:57 UTC 2014

   Modified Files:
   	pkgsrc/security/polarssl: Makefile distinfo

   Log message:
   PolarSSL ChangeLog

   = Version 1.2.11 released 2014-07-11
   Features
      * Entropy module now supports seed writing and reading

   Changes
      * Introduced POLARSSL_HAVE_READDIR_R for systems without it
      * Improvements to the CMake build system, contributed by Julian Ospald.
      * Work around a bug of the version of Clang shipped by Apple with
        Mavericks that prevented bignum.c from compiling. (Reported by Rafael
        Baptista.)
      * Improvements to tests/Makefile, contributed by Oden Eriksson.
      * Use UTC time to check certificate validity.
      * Reject certificates with times not in UTC, per RFC 5280.
      * Migrate zeroizing of data to polarssl_zeroize() instead of memset()
        against unwanted compiler optimizations

   Security
      * Forbid change of server certificate during renegotiation to prevent
        "triple handshake" attack when authentication mode is optional (the
        attack was already impossible when authentication is required).
      * Check notBefore timestamp of certificates and CRLs from the future.
      * Forbid sequence number wrapping
      * Prevent potential NULL pointer dereference in ssl_read_record() (found
        by TrustInSoft)
      * Fix length checking for AEAD ciphersuites (found by Codenomicon).
        It was possible to crash the server (and client) using crafted messages
        when a GCM suite was chosen.

   Bugfix
      * Fixed X.509 hostname comparison (with non-regular characters)
      * SSL now gracefully handles missing RNG
      * crypt_and_hash app checks MAC before final decryption
      * Fixed x509_crt_parse_path() bug on Windows platforms
      * Added missing MPI_CHK() around some statements in mpi_div_mpi() (found
        by TrustInSoft)
      * Fixed potential overflow in certificate size verification in
        ssl_write_certificate() (found by TrustInSoft)
      * Fix ASM format in bn_mul.h
      * Potential memory leak in bignum_selftest()
      * Replaced expired test certificate
      * ssl_mail_client now terminates lines with CRLF, instead of LF
      * Fix bug in RSA PKCS#1 v1.5 "reversed" operations
      * Fixed testing with out-of-source builds using cmake
      * Fixed version-major intolerance in server
      * Fixed CMake symlinking on out-of-source builds
      * Bignum's MIPS-32 assembly was used on MIPS-64, causing chaos. (Found by
        Alex Wilson.)
      * ssl_init() was leaving a dirty pointer in ssl_context if malloc of
        out_ctr failed
      * ssl_handshake_init() was leaving dirty pointers in subcontexts if
        malloc of one of them failed
      * x509_get_current_time() uses localtime_r() to prevent thread issues
      * Some example server programs were not sending the close_notify alert.
      * Potential memory leak in mpi_exp_mod() when error occurs during
        calculation of RR.
      * Improve interoperability by not writing extension length in ClientHello
        when no extensions are present (found by Matthew Page)
      * rsa_check_pubkey() now allows an E up to N
      * On OpenBSD, use arc4random_buf() instead of rand() to prevent warnings
      * mpi_fill_random() was creating numbers larger than requested on
        big-endian platform when size was not an integer number of limbs
      * Fix detection of DragonflyBSD in net.c (found by Markus Pfeiffer)
      * Stricter check on SSL ClientHello internal sizes compared to actual
        packet size (found by TrustInSoft)
      * Fix preprocessor checks for bn_mul PPC asm (found by Barry K. Nathan).
      * Use \n\t rather than semicolons for bn_mul asm, since some assemblers
        interpret semicolons as comment delimiters (found by Barry K. Nathan).
      * Disable broken Sparc64 bn_mul assembly (found by Florian Obser).
      * Fix base64_decode() to return and check length correctly (in case of
        tight buffers)

   = Version 1.2.10 released 2013-10-07
   Changes
      * Changed RSA blinding to a slower but thread-safe version
      * Make get_pkcs_padding() constant-time

   Bugfix
      * Fixed memory leak in RSA as a result of introduction of blinding
      * Fixed ssl_pkcs11_decrypt() prototype
      * Fixed MSVC project files

   = Version 1.2.9 released 2013-10-01
   Changes
      * x509_verify() now case insensitive for cn (RFC 6125 6.4)

   Bugfix
      * Fixed potential memory leak when failing to resume a session
      * Fixed potential file descriptor leaks (found by Remi Gacogne)
      * Minor fixes

   Security
      * Fixed potential heap buffer overflow on large hostname setting
      * Fixed potential negative value misinterpretation in load_file()
      * RSA blinding on CRT operations to counter timing attacks
        (found by Cyril Arnaud and Pierre-Alain Fouque)