News

MatrixSSL 3.9.1

Mar 21, 2017

MatrixSSL 3.9.1 was driven by the need to update the development certificates that were expiring. There are no strong reasons to upgrade if you already use 3.9.0.

Download matrixssl-3-9-1-open.tar.gz

Changes between 3.9.0 and 3.9.1

  • Disabled support for SHA-1 signed certificates by default. SHA-1 can
    no longer be considered secure for this purpose (see
    https://shattered.it/static/shattered.pdf). We decided to disable
    SHA-1 signed certificates by default to ensure that MatrixSSL
    customers consider the security implications before enabling them.
    Support for SHA-1 signed certificates can be restored by defining
    ENABLE_SHA1_SIGNED_CERTS in cryptoConfig.h.

  • Regenerated all test certificates. Many of the old ones had exceeded
    their validity period. The new test certificates have some minor
    changes, such as the addition of some missing basicConstraints and
    authorityKeyIdentifier extensions. Note that the test certificates
    should never be used in production, but only for initial testing
    during development.

  • Fixed bug that caused a segfault when
    ALLOW_VERSION_1_ROOT_CERT_PARSE was enabled and the peer sent a
    version 1 certificate. Correct behaviour is to just produce an
    internal certificate validation failure in this case, as the above
    define only allows parsing of locally stored trusted root
    certificates. This bug is minor as ALLOW_VERSION_1_ROOT_CERT_PARSE
    is disabled by default, and rarely used by MatrixSSL customers.

  • Introduced new function setSocketTlsCertAuthCb for setting the certificate
    authentication callback when using MatrixSSL via the psSocket_t interface.
    Previously the fixed function name ssl_cert_auth was used for the
    authentication callback.

Full list of changes: CHANGES_v3.9.md.


MatrixSSL 3.9.0

Mar 10, 2017

This version contains several new features and bug fixes. It is recommended for all users.

Download matrixssl-3-9-0-open.tar.gz

  1. BUG FIXES SINCE 3.8.7b
    • Fixed server-side handling of client authentication with Server Name Indication
    • Constant Time Modular Exponentiation
  2. NEW FEATURES SINCE 3.8.7b
    • RFC 5280 Compliant Certificate Matching
    • Certificate Validation Configuration Options
    • Client Authentication using an External Security Token
    • X.509 Generation Improvements (Commercial Edition Only)
    • Added psX509GetOnelineDN API
    • Added matrixValidateCertsExt API
    • Support for RSA-MD2 and RSA-MD5 Signatures in CSR and CRL Parsing
    • ALLOW_CRL_ISSUERS_WITHOUT_KEYUSAGE Compatibility Option
  3. OTHER CHANGES SINCE 3.8.7b
    • Indent style changes

Full list of changes: changelog.


MatrixSSL 3.8.7

Nov 25, 2016

This version fixes several critical bugs and is recommended for all users.

Thank you to security researcher Hanno Böck for finding and reporting the computation problem in pstm.c.

Download matrixssl-3-8-7b-open.tar.gz

  1. BUG FIXES SINCE 3.8.6
    • Fixed Wrong Computation Results Bug In pstm.c Division
    • Fixed Memory Corruption In psDhImportPubKey
    • Fixed RSA Public Key Read Overflow
    • X.509/CRL/OCSP Timestamp Validation
    • Unix Year 2038 Problem Fix
    • Stricter OID Comparison
    • Multibyte String Handling
    • Configuration Robustness Improvements
    • X.509 Certificate Parsing Read Overflow
    • PKCS #8 Buffer Read Overflow
    • OCSP Bug Fixes
    • Generic Bug Fixes For Test Programs
    • Changes to Recommended Configurations
    • psMutex Locking and Unlocking APIs Compiler Warnings Removed
    • MD5 and SHA-1 Combined Digest Function
    • Coverity Issues Fixed
    • Yarrow Build Issues Fixed
  2. NEW FEATURES SINCE 3.8.6
    • SHA-512 for X.509 Certificates Improvements
    • OCSP Improvements
    • X.509 Certificate Domain Components
    • New Configuration: Minimal PSK

Full list of changes: changelog.


MatrixSSL 3.8.6

Oct 10, 2016

This version fixes several critical bugs and is recommended for all users.

Thank you to security researchers Craig Young and Andreas Walz for finding and reporting these issues.

Download matrixssl-3-8-6-open.tar.gz

  1. BUG FIXES
    • Critical parsing bug for X.509 certificates
    • Critical TLS handshake parsing bugs
    • 4096 bit RSA key generation regression
    • General cleanup of build
  2. FEATURES AND IMPROVEMENTS
    • New configuration system for build options
    • core/ changes
    • X.509 parsing and generation
    • crypto/ changes
    • Removed OpenSSL API Emulation

Full list of changes: changelog.


MatrixSSL 3.8.4

Jul 19, 2016

This version fixes a critical, remotely triggerable parsing bug and is recommended for all users to improve performance and security.

Download matrixssl-3-8-4-open.tar.gz

Critical parsing bug for RSA encrypted blobs
Security Researcher Hanno Böck reported several issues related to RSA and bignum operations. An error in parsing a maliciously formatted public key block could produce a remotely triggered crash in SSL server parsing. Additional restrictions on the values provided to RSA and DH operations were also added, although an exploit has not been found.
Coverity and Clang static analyzer cleanup
Numerous minor issues were fixed based on static analysis.
HTTP/2 restrictions via ALPN
MatrixSSL server code will automatically evaluate the ALPN extension and appropriately restrict the cipher suites and key exchange methods if the HTTP/2 protocol is being used. Per the HTTP/2 spec, only AEAD cipher suites and Ephemeral key exchange methods are allowed.
Enhanced example apps
Example applications now take additional command line options and also support CRL request and response generation.
Process shared Session Cache
Minimal support for a process-shared server session resumption cache is now provided via process-shared mutexes on Linux.
Enhanced CRL and OCSP support
A new file crypto/keyformat/crl.c defines additional APIs for more complex CRL (Certificate Revocation List) and OCSP support.
PDF Documents included in tarball package
Documentation is now included again in the tarball, as well as online.
Additional minor changes
Numerous other improvements and bug fixes are included. Release notes are included in the download package. See changelog.


MatrixSSL 3.8.3

Apr 20, 2016

This version represents a full point update to MatrixSSL and is recommended for all users to improve performance and security.

Download matrixssl-3-8-3-open.tar.gz

DTLS Support Included
DTLS support is now included in the open source package.
Extended Master Secret, OCSP and SCSV Extensions
These additional extensions are now supported.
API Name Changes
APIs and filenames in the crypto directory have been reorganized and standardized.
ChaCha20-Poly1305 Support
Latest IETF standard draft supported.
Many more changes
Numerous other improvements and bug fixes are included. Release notes are included in the download package. See changelog.


MatrixSSL Webinar

Nov 16, 2015

Is the SSL/TLS Protocol Broken?
Register for INSIDE’s webinar to learn about the current state of the protocol, gain an understanding of the recent TLS attacks, and learn what you can do to protect your enterprise.


MatrixSSL 3.7.2b

Jul 13, 2015

Using AES-GCM ciphers in combination with Intel AESNI acceleration could fail to decrypt correctly with record sizes over 4KB. This release addresses this single issue.


This update is only required for users of AES-GCM Ciphersuites on Intel platforms which support AESNI instructions.


MatrixSSL 3.7.2a

Jul 6, 2015

OpenSSL 1.0.2 and later accepts only strict encoding of ECDSA signatures as
signed integers, requiring a leading 0x0 byte in front of signatures which have
the high bit set in either the R or S parameters (statistically a 75% chance).
In the past OpenSSL (and MatrixSSL) treated the value as a “cast to unsigned”,
which did not require a leading zero.
This release encodes with a leading zero when necessary,
which conforms to strict ASN.1 encoding. MatrixSSL still can receive signatures
encoded in either method. The encoding method does not affect the security of
the protocol.
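The following is an added example, written for this page and not taken from MatrixSSL or OpenSSL, of the strict DER INTEGER rule the paragraph describes: an unsigned R or S whose top bit is set must be prefixed with a 0x00 byte, and redundant leading zeros must be dropped, before the two values are wrapped in the SEQUENCE that TLS carries as the ECDSA signature. The function names, the short sample values and the P-521 buffer sizing are this example's own assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Write a DER length: short form below 128, else 0x81 plus one byte (up to 255,
   which covers any ECDSA signature up to P-521). Returns bytes written, 0 on error. */
static size_t der_put_len(uint8_t *out, size_t out_len, size_t len)
{
    if (len < 128) {
        if (out_len < 1) return 0;
        out[0] = (uint8_t)len;
        return 1;
    }
    if (len > 255 || out_len < 2) return 0;
    out[0] = 0x81;
    out[1] = (uint8_t)len;
    return 2;
}

/* Encode an unsigned big-endian byte string as a DER INTEGER (tag 0x02).
   DER INTEGERs are two's complement: redundant leading zero bytes are
   stripped, and a 0x00 byte is prepended when the top bit of the first
   significant byte is set, otherwise a reader would take the value as
   negative. Returns bytes written, 0 on error. */
static size_t der_encode_uint(const uint8_t *val, size_t val_len,
                              uint8_t *out, size_t out_len)
{
    size_t skip = 0, body, n, i = 0;

    if (val_len == 0 || out_len < 1) return 0;
    while (skip + 1 < val_len && val[skip] == 0)    /* keep one byte for zero */
        skip++;
    body = val_len - skip;
    if (val[skip] & 0x80) body++;                   /* room for the pad byte */
    out[i++] = 0x02;
    n = der_put_len(out + i, out_len - i, body);
    if (n == 0 || out_len - i - n < body) return 0;
    i += n;
    if (val[skip] & 0x80) out[i++] = 0x00;
    memcpy(out + i, val + skip, val_len - skip);
    return i + (val_len - skip);
}

/* Encode (r, s) as SEQUENCE { INTEGER r, INTEGER s }, the form TLS carries
   in the ServerKeyExchange / CertificateVerify signature field. */
static size_t der_encode_ecdsa_sig(const uint8_t *r, size_t r_len,
                                   const uint8_t *s, size_t s_len,
                                   uint8_t *out, size_t out_len)
{
    uint8_t ints[2 * (3 + 66 + 1)];   /* two P-521 integers with pad bytes */
    size_t rn, sn, hdr, i = 0;

    rn = der_encode_uint(r, r_len, ints, sizeof ints);
    if (rn == 0) return 0;
    sn = der_encode_uint(s, s_len, ints + rn, sizeof ints - rn);
    if (sn == 0 || out_len < 1) return 0;
    out[i++] = 0x30;
    hdr = der_put_len(out + i, out_len - i, rn + sn);
    if (hdr == 0 || out_len - i - hdr < rn + sn) return 0;
    i += hdr;
    memcpy(out + i, ints, rn + sn);
    return i + rn + sn;
}

/* Constructed check: r needs a pad byte, s has leading zeros to strip.
   Returns 1 when the encoder produces the strict form. */
static int ecdsa_der_selftest(void)
{
    static const uint8_t r_hi[] = { 0x80, 0x01 };
    static const uint8_t s_lo[] = { 0x00, 0x00, 0x7f };
    static const uint8_t want[] = { 0x30, 0x08, 0x02, 0x03, 0x00, 0x80, 0x01,
                                    0x02, 0x01, 0x7f };
    static const uint8_t zero[] = { 0x00 };
    uint8_t out[16];
    size_t n;

    n = der_encode_ecdsa_sig(r_hi, sizeof r_hi, s_lo, sizeof s_lo, out, sizeof out);
    if (n != sizeof want || memcmp(out, want, n) != 0) return 0;
    n = der_encode_uint(zero, sizeof zero, out, sizeof out);   /* zero stays one byte */
    return n == 3 && out[0] == 0x02 && out[1] == 0x01 && out[2] == 0x00;
}

int main(void)
{
    printf("ECDSA DER self-test: %s\n", ecdsa_der_selftest() ? "ok" : "FAIL");
    return 0;
}
```

A lenient decoder that accepts both encodings simply skips a leading 0x00 after the tag and length; an encoder should always emit the strict form, since OpenSSL 1.0.2 and later reject the other.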


This update is only required for users of ECDH_ECDSA or ECDHE_ECDSA cipher suites that interoperate with the latest version of OpenSSL.


MatrixSSL 3.7.2

Apr 14, 2015

Many changes and improvements are included in this release that are not detailed below. Please see the Release Notes included in the package for a full list of changes.

Configuration Changes

  • Default Ciphers - Four default ciphers are now enabled: TLS_RSA_WITH_AES_[128,256]_CBC_[SHA,SHA256]
  • Disabled Ciphers - 3DES ciphers join RC4 in the disabled by default ciphers list. PKCS5 and PKCS8 password protected private key parsing are not enabled by default.
  • Compile Options - For Linux, OS X and Windows platforms, -O3 is now the default optimization level. Assembly language optimizations are always enabled on all supported platforms. Algorithm optimizations trading size for speed now default to speed, unless compiling without optimizations (-O0) or optimizing for size (-Os).
  • Static Libraries - Static libraries have been renamed. Please see detailed release notes for more info.

Security Improvements

  • Stack Zeroing - BURN_STACK is enabled by default to clear sensitive data from the stack. In addition, memset_s() is now used to ensure that the compiler does not optimize away the memset of local stack variables. This change and other compiler warnings were suggested by Pavel Pimenov using PVS-Studio and Cppcheck. The issues are listed in this blog post and all have been fixed: http://www.viva64.com/en/b/0304/
  • X.509 Certificates - Improved certificate date validation, as well as distinguished name and key usage fields for older certificates.
  • ECC Key Generation - The random private value is now checked to be less than the curve order when generating ECDH keys.



MatrixSSL Unaffected by FREAK and SKIP-TLS (SMACK) Vulnerabilities

Mar 11, 2015

Security Measures



MatrixSSL 3.7.1

Dec 4, 2014

  • X.509 and ASN.1 Parsing Improvements - The Advanced Threat Research team at Intel Security discovered several issues as part of their research on the BERSerk attack on RSA signature verification. MatrixSSL does not contain this vulnerability, which can result in a MITM attack; however, some other ASN.1 fields were not consistently checked against the remaining buffer length when parsed. These have each been fixed, and the getAsnLength() internal API now also double-checks variable-length fields against the remaining buffer length in all cases.
  • Constant-Time Memory Compare - Calls to memcmp() have been replaced with a memcmpct() implementation to reduce the effectiveness of future timing based attacks.
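As an added illustration, not MatrixSSL's own memcmpct implementation, this is the usual shape of a constant-time comparison in C and the kind of MAC check it is meant to protect; the helper names and the 20-byte sample tag are this example's assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constant-time equality test. memcmp() returns at the first differing
   byte, so its running time reveals how many leading bytes of an
   attacker-supplied MAC or padding matched the expected value. This
   version always touches every byte and folds all differences into one
   accumulator. Returns 0 if equal, nonzero otherwise; unlike memcmp()
   it does not order the inputs, and the volatile reads keep the compiler
   from rewriting the loop into an early exit. */
static int memcmpct(const void *a, const void *b, size_t len)
{
    const volatile uint8_t *pa = (const volatile uint8_t *)a;
    const volatile uint8_t *pb = (const volatile uint8_t *)b;
    uint8_t acc = 0;
    size_t i;

    for (i = 0; i < len; i++)
        acc |= pa[i] ^ pb[i];
    return (int)acc;
}

/* Typical caller: compare the MAC computed over a record with the one the
   peer sent. Both lengths are fixed by the negotiated cipher suite, so the
   length comparison leaks nothing the attacker does not already know. */
static int mac_matches(const uint8_t *computed, size_t computed_len,
                       const uint8_t *received, size_t received_len)
{
    if (computed_len != received_len) return 0;
    return memcmpct(computed, received, computed_len) == 0;
}

/* Constructed tags: a mismatch in the first byte and in the last byte must
   both be rejected, and the correct tag accepted. Returns 1 on success. */
static int memcmpct_selftest(void)
{
    static const uint8_t tag[20] = { 0xde, 0xad, 0xbe, 0xef, 0x01 };
    uint8_t bad_first[20], bad_last[20];

    memcpy(bad_first, tag, sizeof tag); bad_first[0]  ^= 0x80;
    memcpy(bad_last,  tag, sizeof tag); bad_last[19]  ^= 0x01;
    return mac_matches(tag, 20, tag, 20)
        && !mac_matches(tag, 20, bad_first, 20)
        && !mac_matches(tag, 20, bad_last, 20)
        && !mac_matches(tag, 20, tag, 19);
}

int main(void)
{
    printf("memcmpct self-test: %s\n", memcmpct_selftest() ? "ok" : "FAIL");
    return 0;
}
```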


New Features

  • Application-Layer Protocol Negotiation - Implemented RFC 7301.
  • X.509 RSASSA-PSS Signatures - MatrixSSL now supports the more secure RSASSA-PSS signature algorithm in X.509 certificates.
  • Run-Time TLS Feature Control - Truncated HMAC use, Maximum Fragment Length requests, and Elliptic Curve specification can now be enabled on a per-session basis when creating a new session.


API Changes

  • Several - Please see the release notes included in the package for details.



MatrixSSL Unaffected by SSL 3.0 POODLE Vulnerability

Oct 14, 2014

Security Measures

  • POODLE Vulnerability in SSL 3.0 - An attack against the SSL 3.0 random padding method for block ciphers was proven to be feasible. This was a known weakness and fixed in TLS 1.0 (SSL version 3.1), but only recently was attack code produced. MatrixSSL is not affected by the POODLE vulnerability: SSL 3.0 is disabled by default since version 3.3.1 on July 16, 2012. We recommend deprecating use of SSL 3.0 and moving directly to TLS 1.2.



MatrixSSL 3.6.2

Sep 5, 2014

  • ECC Key Validation - A security researcher reported that maliciously crafted ECDHE keys could be used to expose an error in the library that could cause an infinite loop or crash, on some platforms. ECDHE cipher suites are not enabled in the default configuration, however users that have enabled ECDHE cipher suites should update to the current version of MatrixSSL.
  • AES-GCM Mode on Big Endian - Fixed a bug that was preventing the AES_GCM tag from being created correctly on big endian platforms.
  • X.509 PathLen with Root Certs - Clients were incorrectly calculating the pathLen constraint in X.509 certificate chains when servers sent the root CA as part of the chain. Servers are not advised to send the root CA, but it is now handled correctly if such servers are encountered.

Other Changes

  • Simultaneous Re-handshake - Clarified the behaviour if client and server sent a re-handshake simultaneously.
  • Library Repackaging - The Makefile framework now generates three module libraries when compiling MatrixSSL: core, crypto and matrixssl. Previously these were packaged as a single library. This change makes it easier to share crypto and core libraries with other libs like MatrixSSH, MatrixDTLS and MatrixCMS.
  • Additional Changes - See the release notes in the package for a complete list of changes in this version.



MatrixSSL 3.6.1

Apr 11, 2014

Note: All versions of MatrixSSL are unaffected by the recent OpenSSL “Heartbleed” bug. That bug is due to an OpenSSL implementation error, not an attack against the SSL/TLS protocol.

  • Explicit Length Testing in Parsing Code - A security researcher reported a 'length underflow' vulnerability, which led to an internal audit of message parsing in MatrixSSL. This identified a handful of places in which explicit tests were needed in areas that read 'length' bytes from message streams. The primary areas of change were the TLS extension parsing for ECC cipher suite parameters and Secure Renegotiation. The code now confirms values are within valid ranges to prevent underflow decrements of unsigned integer counters that would result in bad loop logic and could potentially cause a memory access violation.
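The following added example (not MatrixSSL code) shows the kind of explicit range test the paragraph describes, applied to a ClientHello extensions block and the elliptic_curves extension inside it. Every length read from the wire is compared with the bytes actually remaining before the unsigned counter is decremented. The function names and the sample byte strings are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define EXT_ELLIPTIC_CURVES 0x000a   /* RFC 4492; "supported_groups" in TLS 1.3 */
#define MAX_CURVES 16

typedef struct {
    uint16_t ids[MAX_CURVES];
    size_t count;
} curve_list_t;

static uint16_t get16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Body of an elliptic_curves extension: uint16 list length, then curve IDs.
   Returns 0 on success, -1 on any malformed input. */
static int parse_elliptic_curves(const uint8_t *p, size_t remaining, curve_list_t *out)
{
    size_t list_len, i;

    out->count = 0;
    if (remaining < 2) return -1;          /* no room for the length field */
    list_len = get16(p);
    p += 2;
    remaining -= 2;                        /* cannot wrap: checked above */
    /* The dangerous pattern is "remaining -= list_len" with no range test:
       a list_len larger than remaining wraps the unsigned counter to a huge
       value and the loop below walks off the end of the record. */
    if (list_len != remaining || list_len < 2 || (list_len & 1)) return -1;
    for (i = 0; i + 1 < list_len; i += 2) {
        if (out->count == MAX_CURVES) return -1;   /* refuse rather than drop */
        out->ids[out->count++] = get16(p + i);
    }
    return 0;
}

/* Extensions block: uint16 total length, then { uint16 type, uint16 length,
   opaque data[length] } repeated. Returns the number of extensions, or -1. */
static int parse_extensions(const uint8_t *p, size_t remaining, curve_list_t *curves)
{
    size_t total, ext_len;
    uint16_t ext_type;
    int n = 0;

    curves->count = 0;
    if (remaining < 2) return -1;
    total = get16(p);
    p += 2; remaining -= 2;
    if (total != remaining) return -1;       /* block must fill the buffer exactly */
    while (remaining > 0) {
        if (remaining < 4) return -1;        /* type + length header */
        ext_type = get16(p);
        ext_len = get16(p + 2);
        p += 4; remaining -= 4;
        if (ext_len > remaining) return -1;  /* the underflow guard */
        if (ext_type == EXT_ELLIPTIC_CURVES &&
            parse_elliptic_curves(p, ext_len, curves) != 0)
            return -1;
        p += ext_len; remaining -= ext_len;
        n++;
    }
    return n;
}

/* Constructed inputs, not captured from a real peer. */
static const uint8_t good_exts[] = {
    0x00, 0x10,                           /* extensions length = 16 */
    0x00, 0x0a, 0x00, 0x06,               /* elliptic_curves, length 6 */
    0x00, 0x04, 0x00, 0x17, 0x00, 0x18,   /* list length 4: secp256r1, secp384r1 */
    0x00, 0x0b, 0x00, 0x02, 0x01, 0x00    /* ec_point_formats, length 2 */
};
static const uint8_t bad_ext_len[] = {
    0x00, 0x06,
    0x00, 0x0a, 0x00, 0x20, 0x00, 0x00    /* claims 32 bytes, only 2 follow */
};
static const uint8_t bad_list_len[] = {
    0x00, 0x08,
    0x00, 0x0a, 0x00, 0x04, 0x00, 0x10, 0x00, 0x17   /* list says 16, ext holds 2 */
};

/* Returns 1 if the good block parses and each malformed block is rejected. */
static int ext_parse_selftest(void)
{
    curve_list_t c;
    if (parse_extensions(good_exts, sizeof good_exts, &c) != 2) return 0;
    if (c.count != 2 || c.ids[0] != 0x0017 || c.ids[1] != 0x0018) return 0;
    if (parse_extensions(bad_ext_len, sizeof bad_ext_len, &c) != -1) return 0;
    if (parse_extensions(bad_list_len, sizeof bad_list_len, &c) != -1) return 0;
    if (parse_extensions(good_exts, 5, &c) != -1) return 0;   /* truncated record */
    return 1;
}

int main(void)
{
    printf("extension parser self-test: %s\n", ext_parse_selftest() ? "ok" : "FAIL");
    return 0;
}
```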



MatrixSSL 3.6.0

Apr 9, 2014

This release aligns the commercial and GPL version numbers of MatrixSSL and moves most of the previously commercial only features into the GPL version.

Security Features

  • Stronger X.509 Enforcement - Improved X.509 certificate parsing and validation. V1 and V2 certs no longer supported. Enforcement of critical extensions, certificate chain path length, subject alt name, AuthorityKeyIdentifier, minimum key strength and several other constraints. Moved date range parsing into X.509 library.
  • Runtime Configuration of Ciphersuites - CipherSuite, TLS version and AllowResumption can now be set on a per SSL session basis.
  • Heartbleed Bug - All versions of MatrixSSL are unaffected by the recent OpenSSL "Heartbleed" bug. That bug is due to an OpenSSL implementation error, not an attack against the SSL/TLS protocol.


New Features

  • TLS 1.2 - Full support open sourced from commercial codebase.
  • ECC Cipher Suites - ECDHE_ECDSA, ECDH_ECDSA, ECDHE_RSA and ECDH_RSA open sourced. NIST prime curves (SECP192R1, 224, 256, 384, 521) and Brainpool curves (224, 256, 384, 512) are supported.
  • DH Cipher Suites - DH, DHE and DH_anon open sourced.
  • AES-GCM Cipher Suites - Full suite of GCM ciphers open sourced, optimized for Intel AES-NI extensions.
  • Preshared Key Cipher Suites - Full suite of PSK ciphers open sourced.
  • IDEA and Seed Ciphers - Open sourced.
  • SHA-2 Hashes - SHA-256, SHA-384, SHA-512 and HMAC counterparts open sourced.
  • Server Name Indication - SNI extension now supported.
  • Stateless Session Tickets - Session Tickets now supported for cacheless session resumption.
  • Session Cache Improvement - Very large session caches are now managed more efficiently and can effectively scale to memory constraints.
  • Truncated HMAC - Truncated HMAC extension open sourced.
  • ZLIB Support - Minimal SSL compression support, disabled by default for security reasons.


API Changes

  • Several - Please see the release notes included in the package for details.



MatrixSSL 3.4.2

Feb 28, 2013

Bug Fixes and Improvements

  • Improved Run-Time Checks of Certificate Algorithms Against Cipher Suites - Checking the public key and signature algorithms of the certificate material during initialization and cipher suite negotiation is now stricter. Servers now look at the signature algorithm of their certificate when negotiating cipher suites to ensure the authentication mechanism is consistent with the cipher suite. This enables the handshake to fail early in the process if the certificate material does not support a requested cipher suite. This is mainly a protection against user configuration errors because a server should not enable cipher suites it isn't prepared to support. Clients now confirm the server certificate signature algorithm as a pre-emptive measure during the parsing of the CERTIFICATE message. Previous versions would terminate the connection later in the handshake process when the unsupported algorithm was encountered for the public key operation itself.
  • SSL Alert Sent on Handshake Message Creation Failure - Previous versions would silently terminate the SSL connection if handshake message creation failed. Now an INTERNAL_ERROR alert is sent before closing the connection.
  • Expired Session Resumption Fix - Fixed server support for scenarios in which a session that is already in a resumed handshake state will correctly fall back to a full handshake if the client attempts a resumed re-handshake after the session has expired in the server cache.
  • Disable Yarrow by Default and Simplified PRNG Reseeding - The USE_YARROW define is now disabled by default in cryptoConfig.h because the two default entropy gathering sources are PRNG sources themselves so it isn't necessary to run that data through Yarrow. This change will result in a minor connection speed improvement. If Yarrow is needed, the logic for reseeding that algorithm has been simplified to update only on the amount of data read rather than including the number of function calls to the PRNG retrieval function.
  • Removed the USE_RSA Configuration Define - The open source version of MatrixSSL only supports RSA cipher suites so the removal of that option makes this explicit.
  • Example Applications Load Full CA List - To aid in testing, the example client and server applications now load the full list of sample Certificate Authority files so a recompile is not needed if changing the sample certificate material of the peer.



MatrixSSL 3.4.1

Feb 6, 2013

Security Features

  • Lucky Thirteen Countermeasure - An attack against block cipher padding was proven to be feasible. This affects CBC ciphers including AES and 3DES. This update adds timing countermeasures that reduce the effectiveness of this attack.



MatrixSSL 3.4.0

Jan 28, 2013

Security Features

  • Certificate Revocation List (CRL) - Two new APIs have been added to support CRLs. If a Certificate Authority uses the CRL Distribution Points extension to identify the URI where a CRL can be found, use the new matrixSslGetCRL API to aid in the fetch. If a local CRL is available use the matrixSslLoadCRL API to register the revoked certificates with the CA for testing during the SSL handshake. The client example application implements these two new APIs as a reference.
  • Client Certificate Authentication - This has been a feature in the commercial MatrixSSL release for some time. Client Certs are being deployed more often now, so we were asked by some open source users to include this feature under GPL. Enable the USE_CLIENT_AUTH define in matrixsslConfig.h to add support for this feature to the library. Clients and servers are both supported and the example applications implement client authentication for reference. The sslTest utility will exercise the client authentication handshake variations as well.

New Features

  • Assembly Language Optimizations - Assembly code optimizations that were previously only available in commercial versions of MatrixSSL are now included in the open source packages. Optimizations for common processors such as ARM, x86, x86_64, and MIPS32 can now be enabled with the use of compile-time defines. RSA operations gain a significant speed advantage using these optimizations.

Public API Changes

  • Client management of the session ID for resumption is now more explicit. The new matrixSslNewSessionId and matrixSslDeleteSessionId APIs enable library control of the sslSessionId_t parameter used in matrixSslNewClientSession. Refer to the API documentation for more details.
  • An additional parameter has been added to the matrixSslNewServerSession and matrixSslNewClientSession APIs for compatibility with MatrixDTLS packages. For SSL usage, the final parameter should be 0 to both of these functions.
  • This function prototype previously used a void return value. This change to an int return type was made simply to keep the core/ module APIs consistent.

Bug Fixes and Improvements

  • X.509 certificate parsing now includes separate time format fields for the notBefore and notAfter identifiers. UTCTIME and GENERALIZEDTIME are still supported. However, it is not correct to assume both must be the same type. The psX509Cert_t structure accessible through the certificate callback will contain notBeforeTimeType and notAfterTimeType members instead of timeType.
  • The alert type and description were not correctly passed to the user via matrixSslReceivedData when the TLS 1.1 protocol was being used.
  • The length parser in the internal X.509 parseGeneralNames function assumed values less than 255. All lengths are supported now. Optional Attributes in a PKCS#8 format are now properly recognized. The PKCS#12 key generation algorithm is now more flexible. Previous implementations assumed a salt length of 8 bytes. Salts may now be up to 20 bytes. Also, certificates will be re-ordered in a child-to-parent hierarchy after the parse is complete.
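The separate notBefore and notAfter time types above, and the timestamp and Year 2038 fixes listed for release 3.8.7, come down to parsing the two RFC 5280 time encodings independently and comparing them in 64-bit arithmetic. The code below is an added example written for this page, not MatrixSSL's parser: the type and function names, the two-digit-year pivot at 1950/2049 (RFC 5280's rule), and the sample validity strings are this example's assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef enum { X509_TIME_UTC = 1, X509_TIME_GENERALIZED = 2 } x509_time_type_t;
typedef struct { int year, mon, day, hour, min, sec; } x509_time_t;

static int read_digits(const char *s, int n)
{
    int v = 0, i;
    for (i = 0; i < n; i++) {
        if (s[i] < '0' || s[i] > '9') return -1;
        v = v * 10 + (s[i] - '0');
    }
    return v;
}

/* RFC 5280 restricts validity fields to UTCTime "YYMMDDHHMMSSZ" and
   GeneralizedTime "YYYYMMDDHHMMSSZ": seconds present, no fractions, always
   Zulu. UTCTime years are two digits meaning 1950-2049. Returns 0 or -1. */
static int x509_parse_time(x509_time_type_t type, const char *s, size_t len, x509_time_t *t)
{
    size_t ylen = (type == X509_TIME_UTC) ? 2 : 4;
    int yy;

    if (type != X509_TIME_UTC && type != X509_TIME_GENERALIZED) return -1;
    if (len != ylen + 10 + 1 || s[len - 1] != 'Z') return -1;
    yy = read_digits(s, (int)ylen);
    if (yy < 0) return -1;
    t->year = (type == X509_TIME_UTC) ? (yy >= 50 ? 1900 + yy : 2000 + yy) : yy;
    s += ylen;
    t->mon  = read_digits(s, 2);
    t->day  = read_digits(s + 2, 2);
    t->hour = read_digits(s + 4, 2);
    t->min  = read_digits(s + 6, 2);
    t->sec  = read_digits(s + 8, 2);   /* read_digits' -1 fails the range tests below */
    if (t->mon < 1 || t->mon > 12 || t->day < 1 || t->day > 31 ||
        t->hour < 0 || t->hour > 23 || t->min < 0 || t->min > 59 ||
        t->sec < 0 || t->sec > 59)
        return -1;
    return 0;
}

/* Days since 1970-01-01 for a proleptic Gregorian date (Howard Hinnant's
   days_from_civil). 64-bit throughout, so dates past January 2038 compare
   correctly even on platforms with a 32-bit time_t. */
static int64_t days_from_civil(int y, int m, int d)
{
    int64_t era, yoe, doy, doe;
    y -= (m <= 2);
    era = (y >= 0 ? y : y - 399) / 400;
    yoe = y - era * 400;
    doy = (153 * (m + (m > 2 ? -3 : 9)) + 2) / 5 + d - 1;
    doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;
    return era * 146097 + doe - 719468;
}

static int64_t x509_time_to_epoch(const x509_time_t *t)
{
    return days_from_civil(t->year, t->mon, t->day) * 86400
         + t->hour * 3600 + t->min * 60 + t->sec;
}

/* notBefore and notAfter each carry their own encoding type. Returns 1 if
   `now` lies inside the validity period, 0 if outside or on a parse failure. */
static int x509_validity_check(x509_time_type_t nb_type, const char *nb, size_t nb_len,
                               x509_time_type_t na_type, const char *na, size_t na_len,
                               int64_t now)
{
    x509_time_t before, after;
    if (x509_parse_time(nb_type, nb, nb_len, &before) != 0) return 0;
    if (x509_parse_time(na_type, na, na_len, &after) != 0) return 0;
    return x509_time_to_epoch(&before) <= now && now <= x509_time_to_epoch(&after);
}

/* Constructed values: a UTCTime notBefore in 2017 and a GeneralizedTime
   notAfter in 2050, i.e. a mixed-type validity period crossing 2038. */
static int x509_time_selftest(void)
{
    const char *nb = "170321120000Z", *na = "20500101000000Z";
    x509_time_t t;

    if (x509_parse_time(X509_TIME_UTC, nb, 13, &t) != 0 || t.year != 2017) return 0;
    if (x509_time_to_epoch(&t) != 1490097600) return 0;
    if (x509_parse_time(X509_TIME_GENERALIZED, na, 15, &t) != 0) return 0;
    if (x509_time_to_epoch(&t) != 2524608000LL) return 0;          /* above INT32_MAX */
    if (x509_parse_time(X509_TIME_UTC, "500101000000Z", 13, &t) != 0 || t.year != 1950) return 0;
    if (x509_parse_time(X509_TIME_UTC, "171321120000Z", 13, &t) == 0) return 0;  /* month 13 */
    if (x509_parse_time(X509_TIME_UTC, "170321120000", 12, &t) == 0) return 0;   /* no Z */
    return x509_validity_check(X509_TIME_UTC, nb, 13, X509_TIME_GENERALIZED, na, 15, 1500000000)
        && !x509_validity_check(X509_TIME_UTC, nb, 13, X509_TIME_GENERALIZED, na, 15, 2600000000LL);
}

int main(void)
{
    printf("X.509 time self-test: %s\n", x509_time_selftest() ? "ok" : "FAIL");
    return 0;
}
```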


INSIDE Secure Acquires MatrixSSL

Nov 19, 2012

The Embedded Security group that MatrixSSL is part of has been acquired by INSIDE Secure.
Apple Acquisition Target AuthenTec Sells Off Embedded Security Division To Inside Secure For $48M


MatrixSSL 3.3.1

Jul 16, 2012

Security Features

  • Fine Grained TLS Version Support - USE_TLS_* configuration options now allow specifying only TLS 1.1, or only TLS 1.2, support for users with very strict security policies. TLS 1.1 and above use explicit IVs, so it may be desirable to limit negotiation to those versions. SSL 3.0 is now disabled by default at compile time; if required, it must be enabled manually by commenting out the define for DISABLE_SSLV3 in matrixsslConfig.h.

New Features

  • RFC 4366 - Maximum Fragment Length Extension The max_fragment_length extension defined in RFC 4366 has been added to MatrixSSL. This extension allows TLS clients to suggest the maximum record size that can be used in communications with a server. Support for this extension has been added to both MatrixSSL clients and servers. The new define REQUESTED_MAX_PLAINTEXT_RECORD_LEN in matrixsslConfig.h has been added to control this feature. Small footprint clients can see significant socket buffer memory reduction when negotiating this option.

Public API Changes

  • The API for raw RSA encryption now has an additional parameter.

Bug Fixes

  • Fixed issue with ARC4 ciphers related to multiple records in a single network buffer. Previously, the connection could be incorrectly closed prematurely in some cases.
  • Fixed a compile issue with MATRIX_USE_FILE_SYSTEM on Windows platforms.
  • Fixed an initialization issue with a potential double free in an error path loading an RSA key from disk. Affected users would have seen this error immediately upon initialization.



MatrixSSL 3.3

Feb 22, 2012

Security Feature

  • Rehandshake Denial of Service - A denial of service attack against SSL servers was uncovered where a malicious client could repeatedly ask for a rehandshake at very low CPU cost to itself but at high CPU cost to the server (due to the private key operation).

    New compile-time defines DEFAULT_RH_CREDITS and BYTES_BEFORE_RH_CREDIT have been added to matrixsslConfig.h to reduce the number of allowable re-handshakes per connection. This feature is enabled by default.

    As with previous SSL vulnerabilities, this DOS attack has been known since the early days of SSL, but it had not been applied until recently.
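The credit scheme those two defines describe can be modelled in a few lines. The following is an added example for this page, not MatrixSSL's implementation: the constant names echo the defines named above, but their values, the struct and function names, and the cap on banked credits are this example's assumptions.

```c
#include <stddef.h>
#include <stdio.h>

/* Values are assumptions for this example, not MatrixSSL's defaults. */
#define DEFAULT_RH_CREDITS      2
#define BYTES_BEFORE_RH_CREDIT  (20 * 1024)

typedef struct {
    unsigned credits;              /* rehandshakes the peer may still request */
    size_t   bytes_toward_credit;  /* application data seen since last credit */
} rh_state_t;

static void rh_init(rh_state_t *s)
{
    s->credits = DEFAULT_RH_CREDITS;
    s->bytes_toward_credit = 0;
}

/* Call for every application-data record on the connection. Each
   BYTES_BEFORE_RH_CREDIT bytes earns one credit, capped at the initial
   allowance so a peer cannot bank an unlimited number of rehandshakes. */
static void rh_account_data(rh_state_t *s, size_t nbytes)
{
    s->bytes_toward_credit += nbytes;
    while (s->bytes_toward_credit >= BYTES_BEFORE_RH_CREDIT) {
        s->bytes_toward_credit -= BYTES_BEFORE_RH_CREDIT;
        if (s->credits < DEFAULT_RH_CREDITS) s->credits++;
    }
}

/* Server side: call when a ClientHello arrives on an established session.
   Returns 1 if the rehandshake may proceed, 0 if it must be refused; the
   refusal should be a no_renegotiation warning alert, sent before any
   private-key operation is spent on the request. */
static int rh_request(rh_state_t *s)
{
    if (s->credits == 0) return 0;
    s->credits--;
    return 1;
}

/* Walks one connection through the allowance, a refusal, an earned
   credit and the cap. Returns 1 when every step behaves as intended. */
static int rh_selftest(void)
{
    rh_state_t s;
    rh_init(&s);
    if (!rh_request(&s) || !rh_request(&s)) return 0;   /* allowance used up */
    if (rh_request(&s)) return 0;                        /* third request refused */
    rh_account_data(&s, BYTES_BEFORE_RH_CREDIT - 1);
    if (rh_request(&s)) return 0;                        /* one byte short of a credit */
    rh_account_data(&s, 1);
    if (!rh_request(&s)) return 0;                       /* credit earned and spent */
    rh_account_data(&s, 100 * BYTES_BEFORE_RH_CREDIT);
    return s.credits == DEFAULT_RH_CREDITS;              /* capped, not 100 */
}

int main(void)
{
    printf("rehandshake credit self-test: %s\n", rh_selftest() ? "ok" : "FAIL");
    return 0;
}
```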

Feature Updates

  • The sample SSL server now utilizes False Start support within MatrixSSL to allow the Google Chrome browser to connect. Support for False Start has been available in MatrixSSL since version 3.1.4 but the sample server was not taking advantage of this feature.
  • All file headers and documentation updated and branded to reflect the AuthenTec acquisition of PeerSec Networks and MatrixSSL.

Public API Changes

  • None.

Bug Fixes

  • None.



PeerSec MatrixSSL Acquired by AuthenTec

Dec 6, 2011

AuthenTec Acquires PeerSec Networks to Strengthen Leadership in Embedded Security

Combination of AuthenTec QuickSec® and PeerSec Matrix™ Product Lines Creates Comprehensive Embedded Secure Networking Portfolio


MatrixSSL 3.2.2

Oct 7, 2011

Security Feature

  • BEAST Vulnerability - In Sept. 2011 security researchers demonstrated how a previously known CBC encryption weakness could be used to decrypt HTTP data over SSL. The attack was named BEAST (Browser Exploit Against SSL/TLS).

    A new compile-time define USE_BEAST_WORKAROUND has been added to matrixsslConfig.h to thwart the attack. It is enabled by default.

    As with previous SSL vulnerabilities, the attack is generally considered a very low risk for individual browsers as it requires the attacker to have control over the network to become a MITM. They will also have to have knowledge of the first couple of blocks of underlying plaintext in order to mount the attack.

    A zero length record preceding a data record has been a known fix to this problem for years and MatrixSSL has always supported the handling of empty records.

    This BEAST fix is on the sending side and moves the implementation down to the SSL library level so users do not need to manually send zero length records. This fix uses the same IV obfuscation logic as a zero length record by breaking up each application data record in two, the first being just a single byte of the plaintext message.

    This issue only affects TLS 1.0 (and SSL) and only if the cipher suite is using a symmetric CBC block cipher. Enable USE_TLS_1_1 above to completely negate the need for any workaround if TLS 1.1 is also supported by peers.

Feature Updates

  • PKCS#12 Key Parsing - Support for parsing the most common PKCS#12 formats has been added to this version of MatrixSSL. PKCS#12 is the recommended format for securely storing certificates and their associated private key in the same file. The parsing has been introduced through the new public API matrixSslLoadPkcs12 and should be used as a replacement for matrixSslLoadRsaKeys where appropriate. Please see the full details of this new function in the API documentation.
  • RC2 Cipher Added - PKCS#12 formats often encrypt the public certificate using the legacy RC2 cipher. This should be the only reason to enable this outdated and insecure algorithm.
  • ASN.1 Parser Accepts Indefinite Length Formats - The addition of PKCS#12 uncovered the use of indefinite length encoding. Low level calls to getAsnLength will now return ASN_UNKNOWN_LEN rather than an error beginning in this release.
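The length-octet handling changed in this release (indefinite lengths from PKCS#12 now reported rather than rejected) and again in 3.7.1 (every variable-length field double-checked against the remaining buffer) both live in one small routine. The following is an added example written for this page, not MatrixSSL's getAsnLength: the return codes, the function signature and the sample buffers are this example's assumptions, and it applies DER minimal-encoding rules that a BER-only caller such as a PKCS#12 parser would relax.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Return codes for this example; MatrixSSL's constants are not reproduced. */
#define ASN_LEN_OK          0
#define ASN_LEN_INDEFINITE  1   /* BER 0x80: length unknown until end-of-contents */
#define ASN_LEN_ERROR     (-1)

/* Decode the length octets that follow a tag.
   *pp points at the first length octet and is advanced past them on
   success; remaining is how many bytes are left in the buffer at *pp;
   *len receives the content length (0 for the indefinite form).
   The decoded length is always checked against remaining, so a caller is
   never handed a content length that overruns its buffer. */
static int get_asn_length(const uint8_t **pp, size_t remaining, size_t *len)
{
    const uint8_t *p = *pp;
    size_t nbytes, i, v = 0;

    *len = 0;
    if (remaining < 1) return ASN_LEN_ERROR;
    if (p[0] < 0x80) {                               /* short form */
        v = p[0];
        p++; remaining--;
    } else if (p[0] == 0x80) {                       /* indefinite form (BER only) */
        *pp = p + 1;
        return ASN_LEN_INDEFINITE;
    } else {                                         /* long form: 0x8N, then N octets */
        nbytes = p[0] & 0x7f;
        p++; remaining--;
        if (nbytes == 0x7f) return ASN_LEN_ERROR;    /* 0xFF is reserved */
        if (nbytes > remaining || nbytes > sizeof(size_t)) return ASN_LEN_ERROR;
        if (p[0] == 0x00) return ASN_LEN_ERROR;      /* DER: no leading zero octets */
        for (i = 0; i < nbytes; i++) v = (v << 8) | p[i];
        if (v < 0x80) return ASN_LEN_ERROR;          /* DER: short form was required */
        p += nbytes; remaining -= nbytes;
    }
    if (v > remaining) return ASN_LEN_ERROR;         /* content must fit what is left */
    *pp = p;
    *len = v;
    return ASN_LEN_OK;
}

/* Constructed buffers covering each branch. Returns 1 if all behave as intended. */
static int asn_len_selftest(void)
{
    static const uint8_t short_form[] = { 0x05, 1, 2, 3, 4, 5 };
    static const uint8_t long_short[] = { 0x82, 0x01, 0x00 };   /* says 256, none follow */
    static const uint8_t indefinite[] = { 0x80, 0x04, 0x01, 0x00, 0x00, 0x00 };
    static const uint8_t nonminimal[] = { 0x81, 0x05, 1, 2, 3, 4, 5 };
    static const uint8_t truncated[]  = { 0x84 };
    uint8_t long_ok[2 + 128];
    const uint8_t *p;
    size_t len;

    p = short_form;
    if (get_asn_length(&p, sizeof short_form, &len) != ASN_LEN_OK || len != 5 || p != short_form + 1) return 0;
    long_ok[0] = 0x81; long_ok[1] = 0x80; memset(long_ok + 2, 0, 128);
    p = long_ok;
    if (get_asn_length(&p, sizeof long_ok, &len) != ASN_LEN_OK || len != 128 || p != long_ok + 2) return 0;
    p = long_short;
    if (get_asn_length(&p, sizeof long_short, &len) != ASN_LEN_ERROR) return 0;
    p = indefinite;
    if (get_asn_length(&p, sizeof indefinite, &len) != ASN_LEN_INDEFINITE || p != indefinite + 1) return 0;
    p = nonminimal;
    if (get_asn_length(&p, sizeof nonminimal, &len) != ASN_LEN_ERROR) return 0;
    p = truncated;
    if (get_asn_length(&p, sizeof truncated, &len) != ASN_LEN_ERROR) return 0;
    return 1;
}

int main(void)
{
    printf("ASN.1 length self-test: %s\n", asn_len_selftest() ? "ok" : "FAIL");
    return 0;
}
```

A certificate or CRL parser should treat ASN_LEN_INDEFINITE as an error, since X.509 objects are DER; only a BER consumer such as the PKCS#12 loader should go on to look for the 0x00 0x00 end-of-contents octets.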

Public API Changes

  • x509SubjectAltName_t structure renamed to x509GeneralName_t - This structure type has been renamed to reflect the correct generic X.509 type rather than the specific Subject Alternate Name (SAN) of a certificate. This change should have a very low impact as this structure type was never a direct parameter to any public API. This structure type is currently only used as the san member in the x509v3extensions_t which a user might be examining as part of the custom validation of a certificate in the certificate callback function. See the section The Certificate Validation Callback Function in the API document for full details.

Bug Fixes

  • Server Clears Session Entry On Failed Handshakes - An issue was discovered in which the server would leave a partial session resumption entry in its table even though the initial handshake with the client failed. If the client, for some reason, chose to use that session ID in subsequent CLIENT_HELLO messages, the server was locating the entry and attempting a resumed handshake with an erroneous master secret. Of course, the connection would not succeed since the secret was not correct between the peers but the server should not have been finding the entry to begin with. The table entry is now removed on handshake failures.
  • AES Cipher Contexts Internally Zeroed - An issue was discovered in which the standalone use of the AES cipher could fail if the initialization function was called with a context structure that contained non-NULL data. The key initialization functions now internally memset the context structures to 0x0 to prevent this problem.
  • No Double Frees When Deleting Key Material After Errors - An issue was discovered in which a call to matrixSslDeleteKeys after the failure of matrixSslLoadRsaKeys would perform a second memory free on data members that had been handled in the error cases of matrixSslLoadRsaKeys itself. The error handling internal to matrixSslLoadRsaKeys will now NULL any freed memory to prevent this problem.



BEAST Attack on SSL

Oct 7, 2011

In Sept. 2011 security researchers demonstrated how a previously known CBC encryption weakness could be used to decrypt HTTP data over SSL. The attack was named BEAST (Browser Exploit Against SSL/TLS). As with previous man-in-the-middle SSL vulnerabilities, the attack is generally considered a very low risk for individual browsers as it requires the attacker to have control over the network. Additionally, in this specific exploit they will also have to have a mechanism to elicit known HTTPS responses from the client. Most MatrixSSL users do not fall into the category of vulnerable users.

Solutions

  1. MatrixSSL 3.2.2 - Released on October 7th, version 3.2.2 includes a fix to thwart this attack for client implementations. The solution has been implemented internally to the library and uses an IV obfuscation technique by breaking up each application data record in two. The first being just a single byte of the plaintext message, the second containing the remainder. This is the same approach the Chrome team at Google introduced in their solution to the issue. This fix is enabled by default for clients that are using SSLv3 or TLS1.0 coupled with a CBC block cipher.
  2. MatrixSSL 3.2.* - This exploit can also be thwarted simply by using TLS protocol version 1.1 or by using a cipher suite that implements a stream cipher such as SSL_RSA_WITH_RC4_128_SHA. TLS 1.1 is enabled by default in MatrixSSL 3.2 and above and will be negotiated if the peer also supports that version.
  3. All MatrixSSL Versions - A zero length record preceding a data record has been a known fix to this problem for years and MatrixSSL has always supported the encoding and processing of empty records. Current MatrixSSL users can manually add this fix to existing versions by simply calling matrixSslEncodeWritebuf with a 0 length prior to encoding the actual application data. It should be noted that some SSL implementations do not handle 0 length records and this is the primary reason this solution did not become widespread.

[Read More]

MatrixSSL 3.2

Jun 7, 2011

Feature Updates

  • Added TLS 1.1 protocol support - TLS 1.1 protocol support is now available in the open source version of MatrixSSL. The protocol is enabled/disabled through the compile time define USE_TLS_1_1 in matrixsslConfig.h. If enabled, the protocol negotiation will default to TLS 1.1 for any communicating SSL peer that also supports it. It is also now possible to disable SSL 3.0 using the DISABLE_SSLV3 define if only TLS version protocols are desired.
  • Added PKCS#8 private key parsing - The PKCS#8 standard is becoming more widespread for newly issued private keys. PKCS#8 parsing is now included by default in the open source version of MatrixSSL. This support is built into the existing matrixSslLoadRsaKeys API.
  • IN and OUT default buffer sizes - Previous versions of MatrixSSL used a single compile time setting for the default internal input and output buffers. This define has now been split into SSL_DEFAULT_OUT_BUF_SIZE and SSL_DEFAULT_IN_BUF_SIZE defines to give the user more memory control for the specific use case. For example, if the integrator knows that incoming data will be short requests and the outgoing reply data will be large files, SSL_DEFAULT_IN_BUF_SIZE may be set smaller than SSL_DEFAULT_OUT_BUF_SIZE to help streamline this implementation.
  • Zero length SSL records now returned to user - Callers of matrixSslReceivedData will now be informed of zero length SSL records with the standard return code of MATRIXSSL_APP_DATA and length values of 0. Previous versions of MatrixSSL would silently discard empty records.

Public API Changes

  • Added matrixSslEncodeToOutdata - An SSL record encoding alternative to the existing matrixSslGetWritebuf/matrixSslEncodeWritebuf combination has been introduced. The new matrixSslEncodeToOutdata enables integrators to encode plaintext from where it exists in an external memory location. This differs from the matrixSslEncodeWritebuf API, which requires that the plaintext has been written or copied into the internal library buffer. The new matrixSslEncodeToOutdata function will leave the plaintext buffer untouched while encoding to the internal library buffer. The encoded data is still retrieved for sending using matrixSslGetOutdata. Please see the API documentation for more information on this new function.

Bug Fixes
None reported.

[Read More]

MatrixSSL 3.1.4

Jan 11, 2011

Feature Updates

  • Primary crypto algorithms now have configuration options for size vs. speed tradeoffs - Previous versions of MatrixSSL had an undocumented compile time define (SMALL_CODE) that influenced the binary code size of some symmetric cipher algorithms. Each algorithm that used this define has now been given its own define to control whether the user wants to build the library for faster algorithm support at the cost of an increased binary code size. The size vs. speed tradeoff is platform dependent but, in general, the speed improvements will be about 5%-10% at the cost of 10-20KB for each algorithm. The default, in each case, is that these defines are disabled in cryptoConfig.h to compile in favor of smallest binary footprint.
  • RSA algorithm now has configuration option for memory usage vs. speed tradeoff - A pair of defines have been added to determine whether the RSA algorithm should be compiled for smaller RAM usage or faster performance. The default is to compile for smaller RAM usage.
  • Servers can now disable specific cipher suites at runtime - Cipher suites that have been compiled into the library can now be programmatically disabled (and re-enabled) on a per-session basis. This is useful for servers that wish to limit the supported cipher suites for a specific connecting client. A new API, matrixSslSetCipherSuiteEnabledStatus, has been added to support this functionality. Please see the MatrixSSL API documentation for detailed information on this new feature.
  • An Xcode project for iPhone development is now included - In the apps/iphone directory the user can now find a Mac Xcode project for developing SSL/TLS client applications for the iPhone.
  • Server compatibility with Chrome browsers that use "false start" - The Google Chrome browser has introduced a new protocol mechanism called false start that is incompatible with strict TLS implementations that do not allow application data exchange before the handshake protocol is complete. Enabling ENABLE_FALSE_START in matrixsslConfig.h will allow newer versions of the Chrome browser to connect with MatrixSSL servers. Enabled by default.
  • A new explicit int16 data type has been added - The osdep.h file now includes a typedef for a 16-bit integer type called int16. The initial internal use of this new data type can be found in the pstm.c math function to help improve performance on some platforms.
  • Updated for Luminary Micro/TI Stellaris examples - Updated to support the new release of secure web server examples for the ARM Cortex-M3.

Public API Changes

  • Compile-time define for file system support has been renamed - The USE_FILE_SYSTEM define has been renamed to include a PS_ prefix so that it is now PS_USE_FILE_SYSTEM. In addition, this define is no longer present in the coreConfig.h header file. It should be included in the platform build environment as a compile-time define if file system support is needed.
  • Return types changed for osdep.c Open and Close routines - The platform interface functions implemented in osdep.c have undergone prototype changes.

Bug Fixes
None reported.

[Read More]

MatrixSSL 3.1.3

Sep 2, 2010

Feature Updates

  • New server-side configuration option to decrease binary executable size - Servers may now disable a new USE_CERT_PARSE define in cryptoConfig.h to exclude a relatively large portion of the x509.c source code.

    Previous versions of MatrixSSL would always pass the server certificate through an X.509 parse phase during initialization. This allowed the library to confirm the format of the certificate and perform algorithm tests based on the chosen cipher suite. However, these tests were in place primarily to prevent user error, so if USE_CERT_PARSE is disabled, the user must be confident the certificate material is valid for the cipher suites that have been enabled in matrixsslConfig.h.

  • New Pseudo-Random Number Generation algorithms - An implementation of Yarrow is now included in the MatrixSSL source code package. Random numbers are now retrieved through Yarrow by default. An entropy source and implementation of psGetEntropy is still required for each platform.
  • Windows project files updated to Microsoft Visual C++ 2010 Express - Previous versions used the 2008 Express Edition of Visual C++.

Public API Changes

  • New members in x509DNattributes_t structure - The Distinguished Name attributes in X.509 certificates such as Common Name, Organization, and Country are now accompanied by the explicit ASN.1 data type and length. Previous versions of MatrixSSL attempted to treat these fields as NULL terminated strings using single byte characters. In order to support a larger variety of certificate formats the Type and Len fields have been added so the user will have all the needed information to interpret certificate information that is passed into the certificate callback routine.

    New x509DNattributes_t members:

    short countryType;
    short countryLen;
    short stateType;
    short stateLen;
    short localityType;
    short localityLen;
    short organizationType;
    short organizationLen;
    short orgUnitType;
    short orgUnitLen;
    short commonNameType;
    short commonNameLen;

    Type members will be one of the following:
    ASN_PRINTABLESTRING
    ASN_UTF8STRING
    ASN_IA5STRING
    ASN_T61STRING
    ASN_BMPSTRING
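The Type and Len members exist because a DN attribute is not a NUL-terminated C string: its bytes must be interpreted according to the ASN.1 string type and consumed for exactly Len bytes. As an added example (not MatrixSSL code), dn_attr_valid checks an attribute against its declared type, rejecting embedded NUL bytes and odd-length BMPStrings, and dn_attr_equals_ascii compares it with a name using the explicit length; the tag values are the X.680 universal tags (the numeric values of MatrixSSL's ASN_* defines are not given on this page), and the struct and function names are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* ASN.1 universal tag numbers for the string types listed above (assumed values). */
enum {
    ASN_UTF8STRING      = 0x0c,
    ASN_PRINTABLESTRING = 0x13,
    ASN_T61STRING       = 0x14,
    ASN_IA5STRING       = 0x16,
    ASN_BMPSTRING       = 0x1e
};

/* One DN attribute as a certificate callback would see it: type, length, raw bytes. */
typedef struct {
    short          type;
    short          len;
    const uint8_t *data;
} dn_attr_t;

/* PrintableString alphabet (X.680): letters, digits, space and ' ( ) + , - . / : = ? */
static bool is_printable_char(uint8_t c)
{
    if (c == 0)
        return false;                     /* strchr would match the terminator */
    return (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') || (c >= '0' && c <= '9')
        || strchr(" '()+,-./:=?", (int)c) != NULL;
}

/* Check that the bytes are a legal value for the declared string type. Embedded
 * NUL bytes are rejected for every type: a consumer that falls back to C string
 * functions would otherwise see a shorter name than the certificate carries.
 * (Full UTF-8 and T.61 validation is out of scope here.) */
bool dn_attr_valid(const dn_attr_t *a)
{
    if (a->len < 0 || (a->len > 0 && a->data == NULL))
        return false;
    switch (a->type) {
    case ASN_BMPSTRING:                   /* UCS-2, big-endian, 2 bytes per character */
        if (a->len % 2 != 0)
            return false;
        for (int i = 0; i < a->len; i += 2)
            if (a->data[i] == 0 && a->data[i + 1] == 0)
                return false;
        return true;
    case ASN_PRINTABLESTRING:
        for (int i = 0; i < a->len; i++)
            if (!is_printable_char(a->data[i]))
                return false;
        return true;
    case ASN_IA5STRING:                   /* 7-bit ASCII only */
        for (int i = 0; i < a->len; i++)
            if (a->data[i] == 0 || a->data[i] > 0x7f)
                return false;
        return true;
    case ASN_UTF8STRING:
    case ASN_T61STRING:
        for (int i = 0; i < a->len; i++)
            if (a->data[i] == 0)
                return false;
        return true;
    default:
        return false;                     /* unknown string type: do not guess */
    }
}

/* Compare an attribute with an ASCII name using the explicit length, so a value
 * that merely starts with the expected name (or has extra bytes after it) never matches. */
bool dn_attr_equals_ascii(const dn_attr_t *a, const char *expected)
{
    size_t n = strlen(expected);

    if (!dn_attr_valid(a))
        return false;
    if (a->type == ASN_BMPSTRING) {
        if ((size_t)a->len != 2 * n)
            return false;
        for (size_t i = 0; i < n; i++)
            if (a->data[2 * i] != 0 || a->data[2 * i + 1] != (uint8_t)expected[i])
                return false;
        return true;
    }
    return (size_t)a->len == n && memcmp(a->data, expected, n) == 0;
}
```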

Bug Fixes

  • Error return code fixed for matrixSslReceivedData - One code path through matrixSslReceivedData was performing an unsigned char typecast on a potentially negative return code which converted it to a positive value. This resulted in an undocumented and ambiguous return code. The typecast has been removed and all error cases now return negative values as documented.


[Read More]

MatrixSSL 3.1.2

May 28, 2010

Feature Updates

  • Explicit API support for processing multi-record data buffers - The 3.1.1 API set did not include a documented mechanism for processing buffers in which multiple application data records are concatenated in a single recv buffer. This is not an uncommon scenario and users are strongly encouraged to update to this latest MatrixSSL version and implement the new matrixSslProcessedData function in their applications. Details can be found in the updated API documentation included in this package.
  • MatrixSSL version defines added - A version.h file has been added that includes defines for the MatrixSSL major, minor, and patch build version. The new header is included by matrixsslApi.h and defines the full version and the individual components. For example:
    #define MATRIXSSL_VERSION       3.1.2-OPEN
    #define MATRIXSSL_VERSION_MAJOR	3
    #define MATRIXSSL_VERSION_MINOR	1
    #define MATRIXSSL_VERSION_PATCH	2
    #define MATRIXSSL_VERSION_CODE	OPEN
  • The sslTest application includes a timing mode - The sslTest application can now be built to measure the connection speeds for clients and servers for the various cipher suites.
  • Improvements to HTTP parsing in example application code - The server and client example applications now identify partial and multi-record HTTP records.

Public API Changes

  • New matrixSslProcessedData prototype and return codes - To support the processing of multi-record data buffers, the matrixSslProcessedData function prototype and return codes have changed. The new function has two additional parameters that are used to return the next decoded record in the buffer. The return codes for this function have been expanded to inform the user how that second record should be handled.

    Please see the API documentation and code examples for detailed information.

Bug Fixes

  • Fixed return codes where unsigned data types were assigned negative values - The functions psRsaDecryptPriv, psRsaDecryptPub, and matrixSslDecode are now consistent in their use of unsigned vs. signed data types.


[Read More]

MatrixSSL 3.1.1

Apr 15, 2010

Feature Updates

  • Secure Renegotiations - Turn re-handshaking support back on, MatrixSSL users! Beginning in version 3.1.1 support for the recently published TLS Renegotiation Indication Extension (RFC 5746) is included. SSL/TLS renegotiations enable servers to fine tune the security parameters or access controls for individual clients without having to reconnect. MatrixSSL enabled clients and servers now support the "renegotiation_info" extension and the TLS_EMPTY_RENEGOTIATION_INFO_SCSV signaling cipher suite to prevent any possibility of the "plaintext injection attack" that was disclosed November 2009 and described in CVE-2009-3555.
  • CLIENT_HELLO extension support - Support for adding extensions to CLIENT_HELLO messages is now included in the open source version of MatrixSSL. More information on hello extensions can be found in RFC 3546.
  • Client cipher suites on re-handshakes - Clients will now resend the full list of supported cipher suites on server-initiated re-handshakes. In previous versions, upon receiving a HELLO_REQUEST from a connected server, the client would only supply the cipher suite that was currently negotiated in the CLIENT_HELLO.
  • Makefile auto detects 32 and 64 bit platforms - The top level Makefile now detects whether 32 or 64 bit Linux or Mac OS X is running, and sets some defines appropriately to optimize performance for 64 bit platforms.
  • New documents - Migration to 3.1 and OS Porting Guide

Public API Changes

  • New matrixSslNewClientSession prototype - An additional parameter has been added to this routine to improve hello extension support. Clients can now register a callback that will be invoked during the SSL handshakes to parse any SERVER_HELLO extensions that might be sent by the server.
  • USE_INT64 renamed to HAVE_NATIVE_INT64 - This define in coreConfig.h has been renamed for clarity.

Bug Fixes

  • Changing Cipher Suites on Re-handshake - A handshaking failure was discovered during re-handshake testing in some cases where the underlying cipher suite was changing, resulting in an invalid SSL Alert and connection close. This has been fixed as part of the overall handshake protocol change.
  • Default size for pstm_digit - The default 32-bit platform now explicitly sets the pstm_digit type as a 32-bit unsigned integer rather than an unsigned long. This fixes a compile issue with running with 32-bit math on a 64-bit platform.


[Read More]

MatrixSSL 3.1

Mar 8, 2010

Major Revision and Feature Updates

  • Celebrating 8 years of MatrixSSL! - New 3.x version of Open Source matches Commercial versioning.
  • TLS 1.0 Protocol Support - Beginning in MatrixSSL 3.1 the TLS 1.0 protocol and AES cipher are now available in open source releases.
  • Improved API - It is now easier than ever to integrate SSL into your application. MatrixSSL has always provided SSL integration to applications at a data buffer level to guarantee support for any given transport mechanism. Previous versions, however, left the management of these data buffers in the hands of the integrator. The new MatrixSSL 3.1 API incorporates size-optimized buffer management so the user is left only with the task of determining when data needs to be read or written, while still maintaining a transport-neutral, zero buffer copy API.
  • Faster and Smaller RSA Cryptography - The public key cryptography operations required for RSA mathematics are the primary contributors to high water memory and CPU resources during the SSL handshake. MatrixSSL 3.1 includes specific optimizations that have resulted in major improvements to both speed and memory usage during public cryptography. These substantial memory savings and performance improvements allow MatrixSSL to be used on an even larger number of embedded platforms. The entire SSL handshake, including network buffers can now be completed in as little as 10KB of RAM, with a post-handshake dynamic memory footprint of less than 3KB.
  • File and Functional Reorganization - The MatrixSSL 3.1 source code package has been organized to better reflect the individual functional areas. The core and crypto modules are now clear building blocks on which MatrixSSL relies and each module has an API and Configuration header to manage optional features and functionality.
  • New Supported Client and Server Applications - New client and server examples are now provided as a starting point for customer integration or new application development. The client application is an example of a simple, blocking sockets API HTTPS client that prints the response to an HTTP GET request. The server example demonstrates a non-blocking HTTPS server that handles multiple connections and session timeouts. The MatrixSSL API usage for both applications is very similar, and should help clarify how to integrate MatrixSSL with other applications.
  • New Test Application - An SSL/TLS protocol test application is now included in the package so that new ports of MatrixSSL can quickly be verified and functionally tested, even before integration with a sockets layer. The application creates virtual SSL connections within a single process using memory buffers as the transport layer. Each supported cipher suite and handshake mode are validated.
  • Additional Project File Formats - Project files for the MatrixSSL library, example and test applications are now provided for Microsoft Visual Studio Express Edition, Apple Xcode and standard GNU make. Projects for the Eclipse IDE can be directly imported from GNU Makefile.


[Read More]

MatrixSSL 1.8.8

Nov 10, 2009

Protocol Security Updates

  • A security exploit around SSL re-negotiation has been discovered. This is a protocol level flaw, and affects all SSL and TLS implementations. The protocol sitting above SSL may or may not be affected. For example, HTTPS with keep-alive support on authenticated connections IS affected. MatrixSSL disables re-negotiation for server side SSL in this release, protecting secure servers from attack. When using MatrixSSL for client connections, care should be taken to only connect to SSL servers that have re-negotiation disabled.
  • More information: HTTPS/SSL Attack Vector Discovered


[Read More]

MatrixSSL 1.8.7

Jun 24, 2009

New Features

  • Windows project files for library and example application builds are now based on the freely available Microsoft Visual Studio C++ 2008 Express Edition



Functional Changes

  • The USE_MULTITHREADING define in matrixConfig.h is now off by default so that POSIX platforms will not require pthreads by default.



Fixes

  • Fixed the size calculations for SSL_FULL conditions when encoding the FINISHED flight of handshake messages
  • Additional checks and proper error handling for the following types of malformed X.509 certificates as tested by Orange Labs. These do not constitute a remote attack vector for the Open Source release.
    • Testing for Serial Number encodings that use bad length specifications
    • Testing for Distinguished Name extension encodings that use bad length specifications
    • Error handling for Subject Alternate Name extensions that use bad length specifications


[Read More]

MatrixSSL 1.8.6

Sep 10, 2008

New Features

  • The matrixRsaParsePubKey routine has added support for X.509 SubjectPublicKeyInfo formatted keys
  • Full parsing support of the subjectAltName extension in certificates



Functional Changes

  • Allowing clients to send multiple compression parameters in the CLIENT_HELLO message
  • The matrixX509ReadCert routine supports additional PEM file header and footer formats



Minor Fixes

  • Corrected filename misspelling in httpsReflector.c for loading example CAcertCln.der certificate


[Read More]

MatrixSSL 1.8.5

Mar 11, 2008

API changes

  • Internal API change to accommodate MatrixSSH users.



Functional changes

  • Ignore TLS extensions sent with SSL 3.0 ClientHello. Thunderbird sends these extensions if negotiating down from a TLS connection, even though they are meaningless.
  • Enhanced the parsing of the Key Usage certificate extension.



Bug fixes and optimizations

  • Assure file reads into memory are NULL terminated. This was an issue flagged by Valgrind that doesn't present a problem in practice.
  • 2008 copyright update.



Notes

  • MatrixSSL 1.8.4 was not a public release.


[Read More]

MatrixSSL 1.8.3

Feb 7, 2007

API changes

  • const qualifiers added to literal string parameters for matrixRsaReadPrivKey, matrixRsaReadKeys, matrixRsaReadKeysEx and matrixX509ReadPubKey.



Functional changes

  • Additional error reporting in RSA public decryption routine.



Bug fixes and optimizations

  • Improved the enforcement of maximum certificate chain length.
  • Added the fPIC compile option to default POSIX builds.
  • Fixed one time memory leak on error conditional during certificate parsing.
  • 2007 copyright update.


[Read More]

MatrixSSL 1.8.2

Oct 5, 2006

API additions

  • None



Functional changes

  • New "leaky bucket" algorithm for empty message denial-of-service countermeasure. Previously, the count of empty messages was continually being incremented by the MatrixSSL library regardless of any interleaving valid messages. This could potentially cause the connection to be closed if a peer was sending many blank SSL messages. The count will now decrement on valid messages. This change is most relevant to use-cases that involve an OpenSSL client communicating with a MatrixSSL server, as these clients tend to periodically send a blank record.



Bug fixes and optimizations

  • None


[Read More]

MatrixSSL 1.8.1

Jul 11, 2006

API additions

  • None



Functional changes

  • Cleaner POSIX cross platform compiles for newer versions of Linux.
  • Build support for Intel Macs (tested on OS X 10.4 CoreDuo).



Bug fixes and optimizations

  • Minor compile warnings fixed.
  • Graceful handling when MAX_CHAIN_LEN limit is exceeded in certificate parsing.
  • Added ASN.1 BMPSTRING format support to certificate parsing.
  • Fixed matrixSslReadKeysMem so that private key parameter is optional.
  • Fixed one time memory leak for client initialization issues that include non-parsable certificates.


[Read More]

MatrixSSL 1.8

Apr 6, 2006

API additions

  • Addition of two new server APIs that allow the user to add a custom flag value to client sessions. Servers may now assign persistent custom data to connected sessions that can be later retrieved from a session that was established with a session resumption handshake. See the API documentation for matrixSslSetResumptionFlag and matrixSslGetResumptionFlag for more details.



Functional changes

  • Ability to put multiple certificates in a single PEM file.
  • The handshake will now fail on an un-authenticated cert if no user validation callback has been defined with matrixSslSetCertValidator. It is still encouraged that a callback be registered.
  • Users can now reply to a closure alert with a closure alert of their own using matrixSslEncodeClosureAlert. Previously, the SSL_CLOSED flag prevented this. Now only error cases will prevent the closure alert from being created.



Bug fixes and optimizations

  • Numerous compile warnings fixed. Especially in the area of unsigned char / char type mismatches.
  • Added explicit void types to empty parameter functions.
  • Fixed a bad shift operation in cipherSuite.c (no functional change).
  • Fixed possible memory leak of pre-master secret if deleteSession called on some corner failure cases.
  • Fixed compile and link issues when USE_FILE_SYSTEM was turned off in matrixConfig.h.
  • Fix for unknown X.509 certificate extension parsing in which the extensions did not provide explicit data lengths in the encoding.
  • Fixed parse issue with an empty AuthorityKeyIdentifier certificate extension.
  • Created new sample certificates with updated dates.


[Read More]

MatrixSSL 1.7.3

Nov 16, 2005

Bug fixes and optimizations

  • Fixed issue with certificate extension parsing causing a cert with some unrecognized extensions to fail validation.
  • Fixed requirement when USE_CLIENT_SIDE is enabled with ReadKeysMem - CA is no longer required.


[Read More]

MatrixSSL 1.7.1b

Sep 17, 2005

Bug fixes and optimizations

  • Fixed packaging issue causing a build error on Windows and Linux. No functional change from 1.7.1


[Read More]

MatrixSSL 1.7.1

Sep 13, 2005

Bug fixes and optimizations

  • Fixed certificate chain parsing bug where a valid certificate chain was marked as invalid under certain circumstances. The result of the fix is that more cert chain configurations are supported.
  • Added support for cert validation when the server sends the Root CA cert in addition to the lower levels of the chain. Typically the Root CA cert is loaded into the client, and not sent by the server. We have encountered some deployments where the server does send the root CA as well, and now successfully validate this chain.
  • Relaxed parsing of the CertificateSerialNumber field within AuthorityKeyIdentifier. Although officially defined as an ASN.1 INTEGER type, some certificate generators use a non-integer value. Parser now supports these technically incorrect datatypes.


[Read More]

MatrixSSL 1.7

Aug 17, 2005

Overall changes

  • Explicit support for anonymous RSA handshaking
  • New APIs to support anonymous handshaking and re-handshaking over existing connections with new key material

Functional changes

  • Version updated from 1.2.5 to 1.7 to mirror commercial MatrixSSL versioning
  • Directory and file reorganization

Bug fixes and optimizations

  • Significantly accelerated RSA handshake speeds
  • Additional parsing of X.509 certificate extensions

[Read More]

MatrixSSL 1.2.5

Apr 4, 2005

Overall changes

  • No API changes from 1.2.4 release



Functional changes

  • Updated expiration date in sample certificates



Bug fixes and optimizations

  • Remove unnecessary link to -lcrypto on Linux
  • Fix prevTicks compatibility on non-i386 Linux platforms


[Read More]

MatrixSSL 1.2.4

Feb 24, 2005

Overall changes

  • No API changes from 1.2.2 release
  • There was no public 1.2.3 release



Functional changes

  • Client will reply with NULL cert message if client authentication is requested.



Bug fixes and optimizations

  • Generate static libraries in addition to shared objects on Linux
  • AMD64/Nocona x64 compile support on Linux
  • Changed all instances of int types to int32 to be more explicit and to allow easy global redefinitions for porting
  • Corrected the maximum message size limit to match the SSL specification
  • Cert parse can handle duplicate distinguished name entries.
  • ASN.1 parse fix for AlgorithmIdentifier missing the trailing NULL
  • Checking certificate version before checking the 'ca' member of the basic constraint entry during certificate validation.
  • Developers may notice some internal routines using a psPool_t parameter. These parameters allow deterministic memory support in the commercial version of MatrixSSL. They are unused in the GNU version of MatrixSSL.


[Read More]

MatrixSSL 1.2.2

Sep 23, 2004

Functional changes

  • Added legacy certificate support
    - for certificates without basic constraints
    - MD2 support for older certificates (Because it is a less secure algorithm, it must be explicitly enabled).



Bug fixes and optimizations

  • Sanity check against invalid key lengths from certificate (potential DOS fix)
  • Fixed 64 bit issue with mpi.c
  • Fix potential leak in certificates with duplicate fields
  • Allow application data parsing within re-handshake state


[Read More]

MatrixSSL 1.2.1

Aug 16, 2004

Bug fixes and optimizations

  • Increased max SSL record length to 16K + 2K for Apache compatibility
  • Validate outgoing record length in matrixSslEncode()
  • Sanity check mac padding loop
  • Validate all ASN.1 length fields in X.509 certificates


[Read More]

MatrixSSL 1.2

Jul 29, 2004

Functional changes

  • Added re-handshake support
    - A connected server may issue a HelloRequest message to the client
    - A connected client may issue a new ClientHello message to the server
  • Added support for certificate chaining
  • Added RSA_WITH_NULL_SHA1 and RSA_WITH_NULL_MD5 ciphers to provide authentication and tamper detection without encryption overhead. (Because these are less secure ciphers, they must be explicitly enabled in cipherSuite.c.)

Bug fixes and optimizations

  • Cleaned up several mismatched types (mostly unsigned char to char compiler warnings)
  • Rework of the cipher suite logic to support re-handshaking
  • Rename internal APIs to avoid namespace issues with other packages

API changes from 1.1 release

  • Added matrixSslSetSessionOption()
  • Added matrixSslEncodeHelloRequest()
  • Added 'next' member to the sslCertInfo_t structure. This member creates a linked list to expose certificate chains to the user.

[Read More]

MatrixSSL 1.1.2

Jul 8, 2004

Bug fixes and optimizations

  • Remove newline requirement for private key parsing
  • Allow NULL certificate for matrixSslReadKeys()
  • Cleaned up some spurious compiler warnings


[Read More]

MatrixSSL 1.1.1

Jun 11, 2004

Functional changes

  • Enabled SSL_RSA_WITH_3DES_EDE_CBC_SHA by default. The footprint remains the same, since 3DES was already included with the USE_ENCRYPTED_PRIVATE_KEYS define. Note that this is the preferred cipher for many SSL clients, so by enabling this cipher, communications will default to a stronger, but slower cipher.


Bug fixes and optimizations

  • Safer memory usage for RSA blinding function. Code was already safe for 1024 and 2048 bit keys, but this ensures the safety.
  • Properly compare the time in the session cache to ensure the oldest unused session is replaced first. Previously the oldest session may not have been chosen, and a newer one replaced instead.
  • Fixed a null-termination error in a static buffer that caused a crash on some platforms using encrypted private keys.
  • Improved example code handling of return codes of sslRead(). Clarified that a 0 return code may indicate either a successful parse of a record with no application data, or an EOF. Previously both cases were treated as EOF, which fits the examples, but isn't as useful for other applications.


[Read More]

Test Scenarios

Jun 1, 2004

Test environments as of 1.1

SSL Servers

  • PeerSec httpsReflector (All platforms)
  • Mbedthis AppWeb (Linux, Windows)
  • OpenSSL s_server

SSL Clients

  • PeerSec httpsClient (All platforms)
  • Microsoft IE 6 (Windows 2K, XP)
  • Mozilla/Firefox 1.6 (Linux, Windows, MacOS X)
  • Opera 7 (Windows)
  • MacOS Safari (MacOS X)
  • Camino (MacOS X)
  • OpenSSL s_client 0.9.7c (Linux, Windows)
  • OpenSSL s_time 0.9.7c (Linux, Windows)
  • GnuTLS gnutls-cli-debug (Linux)

Build Environment

  • Linux (RedHat 9, All Debian platforms, gcc 3.2.2)
  • uClinux (gcc MIPS cross compiler)
  • VxWorks (Tornado 5.4, i386 BSP)
  • Windows CE (Embedded Visual C 3.0, PocketPC environment)
  • Microsoft Windows (2K & XP, Visual Studio .NET)
  • MacOS X (10.1.5, gcc 2.95.2)
  • Debug and Release builds
  • Enabled various optional feature combinations in matrixConfig.h

Certificates

  • OpenSSL generated certificates and private keys.
  • 3DES encrypted private keys.
  • 1024 and 2048 bit RSA keys.
  • Multiple certificates in a single file are not supported
  • Various X.509 certificate format and contents validation checks

Cipher Suites and Protocol Levels

  • All combinations of cipher suites: RC4-MD5, RC4-SHA and DES-CBC3-SHA
  • 1024 and 2048 bit RSA keys
  • Tested negotiation to best cipher suite with multiple clients
  • Verified correct error sent if negotiating to SSLv2 and TLS-only
  • Successful parsing of SSLv2 ClientHello and negotiating down to SSLv3 from TLS

Longevity Testing

  • Overnight testing using OpenSSL s_time SSL tests on Linux and Windows.
  • All tests run under Valgrind to detect memory leaks and overruns
  • Verification of zero memory growth during longevity testing
  • Used the following for longevity testing:
    openssl s_time -connect 'ip':4433 -www / -time 'seconds' -cipher 'cipher' -ssl3

Architecture Testing

  • IA32
  • PowerPC
  • Mips32

[Read More]

MatrixSSL 1.1

Jun 1, 2004

Enhancements

  • Added session cache expiry code (defaults to 24 hours)
  • Added optional support for RSA blinding (USE_RSA_BLINDING, off by default)
  • Support for VxWorks
  • Support for MacOS X
  • Support for Microsoft Windows CE
  • Support for platforms without native 64 bit integers (USE_INT64, on by default)

Changes

  • Split matrixSsl.c into two additional files: sslDecode.c and sslEncode.c
  • Updated matrixSslSetCertValidator() API and callback to support user supplied argument
  • Added sigHash and sigHashLen parameters to sslCertInfo_t structure for public access to the certificate fingerprint
  • General code formatting and cleanup
  • Removed strtok() and va_args use for better portability

Fixes

  • Support for (ignoring) TLS extensions in ClientHello
  • Fixed bug in handling of static strings for matrixSslReadKeys()
  • Fixed maximum 4 byte memory compare overrun in certificate parsing

[Read More]

Session Expiry Times

May 10, 2004

Update: Fixed in 1.1

Background
SSL session resumption allows session keys to be cached after a session is closed. With this functionality, future sessions can be negotiated much more quickly, without an expensive private key operation. MatrixSSL does not automatically flush cached session information based on a fixed time period.

Solution
Sessions are deleted based on their age in the session cache; once it is full, the oldest unused session data is deleted and must be re-negotiated by a client reconnecting. Cache entries are also cleared if there was an error of any kind on the SSL connection, or if the SSL server process is restarted. ARC4 cipher data throughput is also monitored to force re-keying after a maximum safe amount of data is encrypted (MatrixSSL block ciphers do not require this restriction). A future MatrixSSL release will prevent the lookup of sessions that have been "stale" for a predetermined period (several days).

Workaround
The session cache may be periodically flushed manually if desired by the calling application.
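The cache behaviour described above (fixed capacity, oldest unused entry evicted, entries invalidated on connection error, manual flush, and the age-based expiry that 1.1 later added with a 24 hour default) can be modelled in a few lines. This is an added illustration, not MatrixSSL's session cache; the class name SessionCache, the capacity of 32 entries and the injectable clock are assumptions made here so the expiry can be exercised offline.

```python
import time
from collections import OrderedDict

# Assumed defaults for this illustration: a small fixed-size cache and the
# 24 hour expiry that MatrixSSL 1.1 adopted as its default.
SESSION_CACHE_SIZE = 32
SESSION_EXPIRY_SECONDS = 24 * 3600


class SessionCache:
    """Fixed-size SSL session cache with LRU eviction and age-based expiry.

    Entries map a session id to (master_secret, last_used). OrderedDict keeps
    least-recently-used entries at the front, so a full cache evicts the
    oldest unused session, as the post describes.
    """

    def __init__(self, capacity=SESSION_CACHE_SIZE,
                 expiry=SESSION_EXPIRY_SECONDS, clock=time.time):
        self._entries = OrderedDict()
        self._capacity = capacity
        self._expiry = expiry
        self._clock = clock          # injectable for testing

    def insert(self, session_id, master_secret):
        """Store a freshly negotiated session, evicting the LRU entry if full."""
        if session_id in self._entries:
            self._entries.move_to_end(session_id)
        elif len(self._entries) >= self._capacity:
            self._entries.popitem(last=False)   # oldest unused session goes
        self._entries[session_id] = (master_secret, self._clock())

    def lookup(self, session_id):
        """Return the master secret for a resumable session, or None.

        A stale entry (older than the expiry) is dropped on lookup so the
        client falls back to a full handshake instead of resuming with old
        keying material.
        """
        entry = self._entries.get(session_id)
        if entry is None:
            return None
        secret, last_used = entry
        now = self._clock()
        if now - last_used > self._expiry:
            del self._entries[session_id]
            return None
        self._entries.move_to_end(session_id)        # mark as recently used
        self._entries[session_id] = (secret, now)    # refresh the timestamp
        return secret

    def invalidate(self, session_id):
        """Drop one session, e.g. after any error on its SSL connection."""
        self._entries.pop(session_id, None)

    def flush(self):
        """Manual flush, the workaround suggested above for a 1.0 server."""
        self._entries.clear()

    def __len__(self):
        return len(self._entries)
```

Because expiry is checked lazily on lookup, a server that never resumes a given session keeps its entry until capacity pressure evicts it; an application that wants a hard bound on how long keying material stays in memory should still call flush() periodically, as the workaround suggests.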

[Read More]

MatrixSSL 1.0.2

May 3, 2004

This release fixes two issues: an error in parsing packed handshake records, and a corner case memory leak in the socket example code. Neither of these issues presents a security risk, but both could affect interoperability and resource usage.

[Read More]

RSA Blinding

Apr 30, 2004

Update: Fixed in 1.1

Background
MatrixSSL does not currently support RSA Blinding, a technique used to combat a specific timing attack against the RSA math operations. Information on the RSA timing attack is available in this PDF. The attack works by sending millions of specific handshake messages to an SSL server and measuring the response times. If network latency variations are low, the time taken to do the RSA operation on each handshake can be used to statistically determine the RSA private key.

Solution
The most well regarded solution for this issue is to "blind" the operation by including a calculation based on random data for each RSA operation. This will make it impossible to guess the keys based on timing the operation. We are looking to provide this solution on a future MatrixSSL release.

Workarounds
In the short term, a workaround that is suitable for many embedded devices is to throttle the number of SSL connections per second to limit the number of attack messages that can be sent. Alternately, forcing the response time for the handshake message to, for example, 100ms can provide blinding as well.
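The blinding technique outlined in the Solution section, as an added worked example (not MatrixSSL's implementation, which is in C on its own bignum code): before the private key exponentiation the ciphertext is multiplied by r^e for a fresh random r, so the value being exponentiated is unrelated to the attacker-chosen input, and the factor r is removed afterwards with r^-1 mod n. The primes, exponent and message below are constructed toy values far too small for real use.

```python
import math
import secrets

# Constructed toy RSA key, for illustration only: these primes are far too
# small for real use, and this is not MatrixSSL's test key.
P = 1000003
Q = 1000033
E = 65537


def _is_prime(n):
    """Trial division; cheap at this size and keeps the toy key honest."""
    if n < 2:
        return False
    for f in range(2, math.isqrt(n) + 1):
        if n % f == 0:
            return False
    return True


def make_key(p=P, q=Q, e=E):
    """Return (n, e, d) for the toy key."""
    assert _is_prime(p) and _is_prime(q)
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # raises ValueError if gcd(e, phi) != 1
    return n, e, d


def rsa_public(m, n, e):
    return pow(m, e, n)


def rsa_private_unblinded(c, n, d):
    """Plain c^d mod n. Its running time depends on c, which is what the
    timing attack described above measures across many handshakes."""
    return pow(c, d, n)


def rsa_private_blinded(c, n, e, d):
    """c^d mod n with RSA blinding.

    A fresh random r (coprime to n) is chosen per call and the private
    exponentiation is applied to c * r^e rather than to c, so the timed
    operation runs on a value the attacker neither chose nor knows.
    Since e*d == 1 (mod phi), (c * r^e)^d == c^d * r (mod n), and one
    multiplication by r^-1 recovers c^d.
    """
    while True:
        r = secrets.randbelow(n - 2) + 2
        if math.gcd(r, n) == 1:
            break
    blinded_c = (c * pow(r, e, n)) % n
    blinded_m = pow(blinded_c, d, n)        # == c^d * r (mod n)
    return (blinded_m * pow(r, -1, n)) % n  # strip the blinding factor


def demo(message=123456789):
    """Decrypt the same ciphertext both ways; both must give the message."""
    n, e, d = make_key()
    c = rsa_public(message, n, e)
    return rsa_private_unblinded(c, n, d), rsa_private_blinded(c, n, e, d)
```

The blinded result is identical to the unblinded one, so the change is invisible to the peer; the cost is one extra modular exponentiation by the public exponent and one modular inverse per private key operation, which is why MatrixSSL 1.1 made USE_RSA_BLINDING a compile-time option.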

[Read More]

MatrixSSL 1.0.1

Apr 19, 2004

We've released a minor update to 1.0. Support has been added for validation of X.509 certificates with serial numbers using more than 32 bits, improving compatibility with more certificates. This change affects the type of the serialNumber field in the public sslCertInfo_t structure and adds a new element, serialNumberLen, to the structure.

[Read More]

MatrixSSL 1.0

Mar 29, 2004

We’ve posted our 1.0 release of MatrixSSL. Thank you to all the beta testers who sent us feedback and suggestions. We’re sure the requirements will continue to be enhanced as additional products use MatrixSSL, but thanks to the open source community, this has been a strong 1.0 release.

[Read More]

1.0 Feature Complete

Mar 19, 2004

We've reached feature complete for our 1.0 release. This means that 1.0 is just around the corner. Some of the features included are:

  • Incorporate feedback from the beta community
  • User extensible certificate validation
  • Support for multiple client side root CA certificates
  • Support for platforms without standard filesystems
  • Comprehensive sockets examples and documentation

[Read More]

Pre 2.96 gcc Error

Mar 16, 2004

Update: Fixed in 1.0
A compiler error in the file pscrypto.h has been reported for gcc compilers older than 2.96. The error is related to the handling of curly braces in C macros. As 2.96 is actually a misnomer for a development release of gcc 3.0, this explains the incompatibility of the preprocessor between such close release numbers. A fix is available upon request and will be included in the next release.

[Read More]

Beta2 R2

Mar 11, 2004

We’ve released an updated Beta 2 package to fix an issue with the example certificate file included with the initial release. This certificate contained extensions that were not readable by Netscape 7 or Mozilla. We have regenerated the certificates and included them in the latest source download, with an update to asn1.c. These certificates are only for testing purposes and should not be used in an actual release.

[Read More]

Certificate Validation Limitations

Mar 8, 2004

Update: Fixed in 1.0

Support for certificate validation is limited in the beta release. Certificates are validated either as self signed or as signed by a single parent root CA if specified in the matrixSslReadKeys() API.

The certificate contents are parsed but are not currently accessible to the client application, so validation of the expiration date or certificate name is not supported.

The next release of MatrixSSL will expose the parsed certificate through an API which will allow application level validation.

[Read More]

MatrixSSL 1.0 Beta 2

Mar 2, 2004

We have just released a second beta version of MatrixSSL for download. Final release is just around the corner, but we wanted to get our client side SSL implementation some beta time.

Release Notes:

  • RC4-MD5 and RC4-SHA are now enabled by default.
  • httpClient and httpReflector must be set as the "StartUp Project" in their respective Visual Studio solutions in order to run automatically in the debugger on Windows.
  • Certificate validation currently checks only that the certificate was signed by the root CA, and that other internals are consistent. User level checks of the distinguished name will be added in final release.

Change Log:

  • Added client side SSL support
  • Added X.509 certificate parsing and basic validation
  • Added httpClient example
  • Added several new APIs for client side SSL
  • Enhanced client and reflector example with support for pipelined requests
  • Fixed length check in record parsing that could lead to a comparison beyond memory boundaries.
  • Fixed SSL record version check that could allow invalid record versions to be sent. As only SSLv3 was supported, this did not cause a security concern.
  • Added workaround for bug in Microsoft Internet Explorer, where negotiated version is sent in the encrypted premaster secret, rather than the requested version as per specification.
  • Minor updates to cryptography code suggested by Tom St. Denis.

[Read More]

MatrixSSL on the WRT54G

Feb 26, 2004

We’ve built MatrixSSL for the Linksys WRT54G wireless router. This is a linux based router that has open firmware available directly from the manufacturer. Here are the specs:

  • uClinux 2.4.20 kernel
  • 200 MHz MIPS32 processor
  • 4 MB flash memory
  • 16 MB RAM
  • 5 100 Mbit Ethernet ports

Developing for this platform is very straightforward and shows how easy it is to port Linux applications to embedded Linux. No changes to MatrixSSL code are required for embedded Linux, just point the Makefile at the relevant cross compiler and you’re good to go. Here are some performance numbers running our https server on the WRT54G:

  • 110 SSL connections opened/closed per second (SSL resumption handshake + closure alert)
  • 500 keepalive HTTP request/responses over an SSL connection using RC4-SHA cipher suite.

[Read More]

Mozilla Cipher Suites

Feb 18, 2004

Update: Fixed in Beta2 R2
Mozilla 1.2, which ships with RedHat Linux 9.0, does not contain support for the default cipher suite built with MatrixSSL. When trying to access a server running MatrixSSL through https, Mozilla will display the following error: "Mozilla and 'host' cannot communicate because they have no common encryption algorithms." It appears this version of Mozilla has support for the other two built in MatrixSSL cipher suites (ARC4-MD5 and 3DES-SHA). A workaround is to enable one of the other supported cipher suites in matrixssl/src/matrixConfig.h and recompile MatrixSSL. Alternatively, upgrading to Mozilla 1.5 or 1.6 will fix the incompatibility.

Future releases of MatrixSSL will come with more cipher suites enabled by default to provide additional compatibility. Support for export ciphers is not planned, however. This means that browsers supporting only export level encryption will need to be updated to communicate with MatrixSSL.

[Read More]

MatrixSSL on freshmeat.net

Feb 12, 2004

We’ve registered MatrixSSL with freshmeat.net: http://freshmeat.net/projects/matrixssl. Freshmeat is run by the same parent company as Slashdot, and is a searchable repository of open source projects. Users can sign up to be notified when new releases are available for projects they use. We provide a similar feature through our XML RSS feed.

[Read More]

MatrixSSL OS Calls

Feb 6, 2004

The following operating system calls are used within MatrixSSL. Justification and alternatives for each set of calls are given.

Memory Allocation
Calls: malloc(), realloc(), free(), calloc()
Memory allocation is done with pre-determined buffer sizes in most cases. The RSA code uses various memory sizes, however, so arbitrary block allocation must be supported in a custom implementation of these routines. Any suitable library replacement for standard memory allocation semantics can be used with MatrixSSL. Example implementations of these functions are included in matrixssl/src/os/malloc.c.

Memory Operations
Calls: memcmp(), memcpy(), memset(), strstr(), strlen()
These functions can easily be replaced with custom implementations, should they not be present in the standard platform library.

File Access
Calls: stat(), fopen(), fclose(), fgets()
File access functions are used only to read certificate and private key files. If a filesystem is not supported, the matrixSslReadKeysMem() API, defined in matrixInternal.h, can be used to parse certificates and keys from memory buffers, allowing operation without a filesystem. Disable the USE_FILE_SYSTEM define in matrixConfig.h to disable the file system calls on systems that do not support them.

Time
Calls: time()
The time() routine is used to check expiration of the session cache, and to provide the first four bytes of the ServerRandom value. Any known-scale time value such as clock ticks since startup can be used for the first purpose. The ServerRandom value should be monotonically increasing and preserved across machine restarts to help prevent replay based attacks. Intel platforms use a processor dependent high resolution timer rather than the time() system call.

Debugging
Calls: printf(), abort()
These functions are used only for debugging and can easily be replaced by other mechanisms of error reporting.

Multithreading
Calls: Mutex APIs
Mutex locks are used only to protect the session cache if multiple threads have simultaneous sessions open. Systems without mutex support typically also lack threading support, so these functions should not need to be ported. Disabling the USE_MULTITHREADING define in matrixConfig.h will disable all mutex code. The abstraction layer for thread synchronization is in the OS specific directories under matrixssl/src/os.

Forked Processing
Applications using fork() to handle new connections are common on Unix based platforms. Because the MatrixSSL session cache is located in the process data space, a forked process will not be able to update the master session cache, thereby preventing future sessions from being able to take advantage of this speed improvement. In order to support session resumption in forked servers, a file or shared memory based session cache must be implemented. Please contact us for additional help in this area.

Networking
Calls: Sockets APIs
MatrixSSL operates independently from the network layer. Existing socket code tuned to your platform can continue to send and receive data that is encoded and decoded by MatrixSSL in memory.

Entropy Gathering
Calls: Random data
In order to create a secure SSL connection, it is critical to have a source of good random data on each platform. Ports of MatrixSSL to any platform must support the gathering of cryptographically random entropy bytes. Operating systems typically provide this data through kernel level timers, random keyboard events, etc. Embedded systems are much more predictable in terms of user and kernel timings, so drivers for hardware based entropy are usually used in this case. The built in entropy gathering API, sslGetEntropy(), is implemented in the OS specific directories under matrixssl/src/os.

[Read More]

Linuxdevices.com Article

Feb 5, 2004

LinuxDevices.com caught our post to openssl-dev and wrote up a little article on MatrixSSL.

[Read More]

Beta Feedback

Feb 4, 2004

We’ve put together a preliminary list of items we’re looking for feedback on during the beta process:

  • Is the basic featureset in beta useful?
  • What additional features would you like to see?
  • Does the public API seem reasonable for integration into your application?
  • Does the software seem portable to the platform you're considering?
  • Is the code and documentation clear?
  • Have you found any bugs?
[Read More]

Beta Test Plan

Jan 27, 2004

In order to simplify the testing that our beta customers do, here is a list of the testing we have done prior to this release.

SSL Servers

  • PeerSec httpReflector (Linux, Windows)
  • Mbedthis AppWeb (Linux, Windows)
  • Blocking and non-blocking sockets tested

SSL Clients

  • Microsoft IE 6 (Windows 2K, XP)
  • Mozilla 1.6 (Linux, Windows)
  • Opera 7 (Windows)
  • OpenSSL s_client 0.9.7c (Linux, Windows)
  • OpenSSL s_time 0.9.7c (Linux, Windows)

Build Environment

  • Linux (RedHat 9, gcc 3.2.2)
  • Microsoft Windows (2K & XP, Visual Studio .NET)
  • Debug and Release builds

Certificates

  • OpenSSL generated certificates and private keys were tested.
  • 3DES encrypted private keys tested.
  • 1024 and 2048 bit RSA keys.
  • Multiple certificates in a single file are not supported

Cipher Suites and Protocol Levels

  • All combinations of cipher suites: RC4-MD5, RC4-SHA and DES-CBC3-SHA
  • 1024 and 2048 bit RSA keys
  • Tested negotiation to best cipher suite with multiple clients
  • Verified correct error sent if negotiating to SSLv2 and TLS-only
  • Successful parsing of SSLv2 ClientHello and negotiating down to SSLv3 from TLS

Longevity Testing

  • Overnight testing using OpenSSL s_time SSL tests on Linux and Windows.
  • Verification of zero memory growth during longevity testing
  • Used the following for longevity testing:
    openssl s_time -connect 'ip':4433 -www / -time 'seconds' -cipher 'cipher' -ssl3

Cryptography Provider

  • PeerSec only

Architecture Testing

  • IA32 only
[Read More]

MatrixSSL 1.0 Beta

Jan 26, 2004

First general public release of MatrixSSL.

[Read More]

Beta Software Disclaimer

Jan 26, 2004

Applies to: MatrixSSL 1.0 Beta

This beta software is currently undergoing public evaluation and security audit. Please contact support before using this code in production systems.

[Read More]

MatrixSSL 1.0 Beta Monday

Jan 25, 2004

We're set to release the beta of MatrixSSL on Monday. The software will be publicly available as a download through this site. We look forward to hearing your feedback!

[Read More]

About

MatrixSSL™ is an embedded SSL and TLS implementation designed for small footprint applications and devices.

Copyright (c) INSIDE Secure Corp., 2002-2017. All Rights Reserved.