mbed TLS 1.3.11 發布，2.0 特性搶先預覽！

PolarSSL 源碼，也許是最小巧的ssl代碼庫。高效、便于移植和集成。尤其適合嵌入式應用。

目前 PolarSSL 已經被 ARM 公司收購，并改名為 mbed TLS。許可證也由 GPL 改為 Apache。

mbed TLS 1.3.11 發布，此版本修復了一些嚴重的 bug，解決了一些安全問題。同時也添加了一些優化功能和提升可用性的新特性。

mbed TLS 2.0 將會在幾周后發布，首個提供 DTLS 官方支持的版本！

為什么不是 1.5 而是 2.0 版本呢？因為準備從 2.0 分支開始使用語義版本控制，也就是說 2.0.1 將會是第一個 bug 修復版本，2.1.0 是新特性版本，下一個重要版本分之是 3.0.0（API 不兼容）。

mbed TLS 2.0 版本將會重命名所有公共可見的符號 (function names, types, enum constants, macros, global objects) ，這些都會以 MBEDTLS_ (macros, enum constants) 或者 mbedtls_ 開頭。

HMAC 函數使用 MD layer 替換，改進 SSL 配置接口，更多 mbed 2.0 特性預覽和準備請看這里：https://tls.mbed.org/tech-updates/blog/preparing-2.0-upgrade。

mbed 1.3.11 更新內容

安全修復

此版本解決了 SSL_VERIFY_OPTIONAL authmode 修改，確保 keyUsage 和 extendedKey 能正確調用和使用。 SSL_VERIFY_REQUIRED 是 authmode 推薦安全設置。

新特性

提升 ECC 性能，支持 Diffie-Hellman 參數

重要改進

• Remove bias in mpi_gen_prime (contributed by Pascal Junod).

• Remove potential sources of timing variations (some contributed by Pascal Junod).

• Options POLARSSL_HAVE_INT8 and POLARSSL_HAVE_INT16 are deprecated.

• Enabling POLARSSL_NET_C without POLARSSL_HAVE_IPV6 is deprecated.

• compat-1.2.h and openssl.h are deprecated.

• Adjusting/overriding CFLAGS and LDFLAGS with the make build system is now more flexible (warning: OFLAGS is not used any more) (see the README) (contributed by Alon Bar-Lev).

• ssl_set_own_cert() no longer calls pk_check_pair() since the performance impact was bad for some users (this was introduced in 1.3.10).

• Move from SHA-1 to SHA-256 in example programs using signatures (suggested by Thorsten Mühlfelder).

• Remove some unneeded inclusions of header files from the standard library "minimize" others (e.g. use stddef.h if only size_t is needed).

• Change #include lines in test files to use double quotes instead of angle brackets for uniformity with the rest of the code.

• Remove dependency on sscanf() in X.509 parsing modules.

Bug 修復

• Fix compile errors with PLATFORM_NO_STD_FUNCTIONS.

• Fix compile error with PLATFORM_EXIT_ALT (thanks to Rafa? Przywara).

• Fix bug in entropy.c when THREADING_C is also enabled that caused  entropy_free() to crash (thanks to Rafa? Przywara).

• Fix memory leak when gcm_setkey() and ccm_setkey() are used more than once on the same context.

• Fix bug in ssl_mail_client when password is longer that username (found  by Bruno Pape).

• Fix undefined behaviour (memcmp( NULL, NULL, 0 );) in X.509 modules (detected by Clang's 3.6 UBSan).

• mpi_size() and mpi_msb() would segfault when called on an mpi that is  initialized but not set (found by pravic).

• Fix detection of support for getrandom() on Linux (reported by syzzer) by doing it at runtime (using uname) rather that compile time.

• Fix handling of symlinks by "make install" (found by Ga?l PORTAY).

• Fix potential NULL pointer dereference (not trigerrable remotely) when  ssl_write() is called before the handshake is finished (introduced in 1.3.10) (first reported by Martin Blumenstingl).

• Fix bug in pk_parse_key() that caused some valid private EC keys to be  rejected.

• Fix bug in Via Padlock support (found by Nikos Mavrogiannopoulos).

• Fix thread safety bug in RSA operations (found by Fredrik Axelsson).

• Fix hardclock() (only used in the benchmarking program) with some versions of mingw64 (found by kxjhlele).

• Fix warnings from mingw64 in timing.c (found by kxjklele).

• Fix potential unintended sign extension in asn1_get_len() on 64-bit platforms.

• Fix potential memory leak in ssl_set_psk() (found by Mansour Moufid).

• Fix compile error when POLARSSL_SSL_DISABLE_RENEGOTATION and POLARSSL_SSL_SSESSION_TICKETS where both enabled in config.h (introduced in 1.3.10).

• Add missing extern "C" guard in aesni.h (reported by amir zamani).

• Add missing dependency on SHA-256 in some x509 programs (reported by  Gergely Budai).

• Fix bug related to ssl_set_curves(): the client didn't check that the curve picked by the server was actually allowed.

下載：mbedtls-1.3.11-gpl.tgz，更多內容請看發行說明。