轻量级SSL库PolarSSL发布1.2.6/1.1.6.2013-03-12 1.2/1.1的小Bug修正版本。上个版本是2013-02-03的1.2.5 一些安全bug修正。越来越多应用已经支持PolarSSL如hiawatha。
Description
Security related
This release further reduces a possible timing side channel in the PolarSSL SSL module during decryption of the buffer due to badly formatted padding in the incoming message.
In addition, a possible timing difference due to bad padding in PKCS#1 v1.5 operations has been reduced.
Changes
The internals forrsa_pkcs1_encrypt(),rsa_pkcs1_decrypt(),rsa_pkcs1_sign()andrsa_pkcs1_verify()have been cleaned up and split up as to separate PKCS#1 v1.5 and PKCS#1 v2.1 functionality. The PKCS#1 v2.1 RSA encrypt and decrypt functions now have support for custom labels.
On request, we have re-added handling of SSLv2 Client Hello messages when the define POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO is set.
As a minor change, the provided SSL session cache module (ssl_cache) now also retains peer_cert information (just the peer certificate, not the entire chain) to use after session re-use.
Bug fixes
Bug fixes include fixes to remove a memory leak from the SSL module and to fix a counter bug in the GCM module and fixes to enhance support for MS Visual Studio on 64-bit systems, for the ARM platform and little endian systems.
Who should update
Our advice for users of the PolarSSL 1.2 branch is to update:
in order to further remove possible RSA and SSL timing side channels (See PolarSSL Security Advisory 2013-01)
in order to remove a possible memory leak in the SSL module
Our advice for users of the PolarSSL 1.1 branch is to update to PolarSSL 1.1.6.
下载:https://polarssl.org/download/polarssl-1.2.6-gpl.tgz
https://polarssl.org/download/polarssl-1.1.6-gpl.tgz
来自:开源中国社区
