Version 0.6
bearssl-0.6.tar.gz, released on August 14th, 2018.
- Added general-purpose implementations of EAX and CCM modes (including shared precomputation support for EAX).
- Added general-purpose RSA/OAEP implementation.
- Added general-purpose HKDF implementation.
- Added support for CCM and CCM_8 TLS cipher suites (RFC 6655 and RFC 7251).
- Added RSA and EC key generation.
- Added private key encoding support (“raw” and PKCS#8 formats, both in DER and PEM, for RSA and EC key pairs).
- Made Base64 encoding/decoding constant-time (with regards to the encoded data bytes).
- Added a generic API for random seed providers.
- Added an extra DRBG based on AES/CTR + Hirose construction for reseeding.
- Some cosmetic fixes to avoid warnings with picky compilers.
- Makefile fix to achieve compatibility with OpenBSD.
- Fixed a bug in bit length computation for big integers (this was breaking RSA signatures with some specific implementations and key lengths).
- Made SSL/TLS client stricter in cipher suite selection (to align with server behaviour).
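The 0.6 notes above say that Base64 encoding and decoding were made constant-time with regard to the encoded data bytes. The following C program is an added illustration of what that property means in practice; it is not BearSSL's own code and does not reproduce its implementation. Both directions of the alphabet mapping are computed with arithmetic masks instead of a lookup table or a data-dependent branch, so timing and memory access patterns do not depend on which characters are being processed, which matters when the encoded data is a private key in PEM. Only the trailing padding is handled with ordinary branches, because it reveals nothing beyond the decoded length. The function names (ct_in_range, ct_eq, b64_char_to_val, b64_val_to_char, b64_encode_ct, b64_decode_ct) and the sample strings are mine.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Constant-time Base64 helpers (illustrative, not BearSSL code).
 * All arguments are < 256, so a subtraction that wraps sets bit 8 and
 * above; that bit is turned into an all-ones / all-zeros mask without
 * any branch.
 */

/* Mask 0xFFFFFFFF if lo <= x <= hi, else 0. */
static uint32_t ct_in_range(uint32_t x, uint32_t lo, uint32_t hi)
{
    uint32_t lt_lo = ((x - lo) >> 8) & 1;   /* 1 if x < lo (wrapped) */
    uint32_t gt_hi = ((hi - x) >> 8) & 1;   /* 1 if x > hi (wrapped) */
    return (uint32_t)0 - (1 ^ (lt_lo | gt_hi));
}

/* Mask 0xFFFFFFFF if a == b, else 0. */
static uint32_t ct_eq(uint32_t a, uint32_t b)
{
    uint32_t d = a ^ b;                     /* 0 iff equal */
    return (uint32_t)0 - (((d - 1) >> 8) & 1);
}

/* Alphabet character -> 6-bit value, or 0xFF for a byte outside the
   alphabet. Every range is evaluated; masks select the matching one. */
static uint32_t b64_char_to_val(uint32_t c)
{
    uint32_t v = 0, valid = 0, m;

    m = ct_in_range(c, 'A', 'Z'); valid |= m; v |= m & (c - 'A');
    m = ct_in_range(c, 'a', 'z'); valid |= m; v |= m & (c - 'a' + 26);
    m = ct_in_range(c, '0', '9'); valid |= m; v |= m & (c - '0' + 52);
    m = ct_eq(c, '+');            valid |= m; v |= m & 62;
    m = ct_eq(c, '/');            valid |= m; v |= m & 63;
    return v | (~valid & 0xFF);
}

/* 6-bit value -> alphabet character, same mask technique. */
static uint32_t b64_val_to_char(uint32_t v)
{
    uint32_t c = 0, m;

    m = ct_in_range(v, 0, 25);  c |= m & (v + 'A');
    m = ct_in_range(v, 26, 51); c |= m & (v - 26 + 'a');
    m = ct_in_range(v, 52, 61); c |= m & (v - 52 + '0');
    m = ct_eq(v, 62);           c |= m & '+';
    m = ct_eq(v, 63);           c |= m & '/';
    return c;
}

/* Encodes in[0..in_len) with '=' padding into a NUL-terminated string
   (out needs 4*ceil(in_len/3)+1 bytes); returns the string length.
   The branches below depend only on the (public) input length. */
size_t b64_encode_ct(const unsigned char *in, size_t in_len, char *out)
{
    size_t i = 0, o = 0;

    while (i < in_len) {
        size_t n = in_len - i < 3 ? in_len - i : 3;   /* bytes in group */
        uint32_t acc = (uint32_t)in[i] << 16;
        if (n > 1) acc |= (uint32_t)in[i + 1] << 8;
        if (n > 2) acc |= (uint32_t)in[i + 2];
        out[o++] = (char)b64_val_to_char((acc >> 18) & 63);
        out[o++] = (char)b64_val_to_char((acc >> 12) & 63);
        out[o++] = n > 1 ? (char)b64_val_to_char((acc >> 6) & 63) : '=';
        out[o++] = n > 2 ? (char)b64_val_to_char(acc & 63) : '=';
        i += n;
    }
    out[o] = 0;
    return o;
}

/* Decodes a padded Base64 string into out (needs 3*in_len/4 bytes).
   Returns the decoded length, or (size_t)-1 on malformed input. Trailing
   '=' is inspected with plain branches (it only reveals the length); the
   data characters go through the branchless mapping, and invalid bytes
   are accumulated in a mask instead of triggering an early return. */
size_t b64_decode_ct(const char *in, size_t in_len, unsigned char *out)
{
    size_t i, out_len = 0;
    uint32_t bad = 0;

    if (in_len % 4 != 0) return (size_t)-1;
    for (i = 0; i < in_len; i += 4) {
        size_t j, pad = 0;
        uint32_t acc = 0;

        if (i + 4 == in_len && in[i + 3] == '=')
            pad = (in[i + 2] == '=') ? 2 : 1;
        for (j = 0; j < 4 - pad; j++) {
            uint32_t v = b64_char_to_val((unsigned char)in[i + j]);
            bad |= v >> 6;                  /* nonzero only for 0xFF */
            acc = (acc << 6) | (v & 63);
        }
        acc <<= 6 * pad;                    /* align a partial group */
        out[out_len++] = (unsigned char)(acc >> 16);
        if (pad < 2) out[out_len++] = (unsigned char)(acc >> 8);
        if (pad < 1) out[out_len++] = (unsigned char)acc;
    }
    return bad ? (size_t)-1 : out_len;
}

int main(void)
{
    const unsigned char msg[] = "Hello, world";   /* constructed sample */
    char enc[32];
    unsigned char dec[32];
    size_t n;

    b64_encode_ct(msg, sizeof msg - 1, enc);
    n = b64_decode_ct(enc, strlen(enc), dec);
    printf("%s -> %.*s\n", enc, (int)n, dec);
    return (n == sizeof msg - 1 && memcmp(dec, msg, n) == 0) ? 0 : 1;
}
```

The point to take from the decoder is that an invalid character does not change the control flow: it sets bits in the `bad` mask, the loop keeps running over every byte, and the error is reported only after the whole input has been processed, so neither the position of a bad byte nor the value of a good one leaks through timing.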
Version 0.5
bearssl-0.5.tar.gz, released on July 30th, 2017.
- Added support for the BoarSSL / Twrch test framework.
- Header files now include the ritual mantras that make them compatible with C++.
- Better Makefile behaviour with Clang (FreeBSD compatibility).
- Worked around a bug of GCC 4.8 and 4.9 in 32-bit x86 mode.
- Incoming application data after initiating closure is now properly ignored.
- Some instances of (critical) Certificate Policies extensions are now ignored (when it is safe to do so).
- Fixed some behavioural bugs with regards to renegotiation (all were failing safe).
- Added encoded OID for hash functions in the public API, to help with using RSA signatures in non-SSL contexts.
- Fixed bug in AES/CBC decryption on x86 with AES-NI opcode (this was breaking decryption with AES/CBC cipher suites and TLS 1.0 only).
- Added an explicit stack buffer initialisation (some provably harmless accesses to uninitialised data were performed, Valgrind was not happy).
- Fixed bug in the search tree for the cache of SSL sessions (occasional lock-ups).
- Fixed bug in modular reduction in the special field for P-256 (this was infrequently breaking ECDSA signatures).
- Added support for exporting keying material (RFC 5705).
- Added new general-purpose API for AEAD implementations (in non-SSL contexts) and an AES/GCM implementation that follows that API.
- Added a function to forget saved session parameters in the LRU cache.
- Added a new ChaCha20 implementation that uses SSE2 on x86 architectures (both 32-bit and 64-bit).
Version 0.4
bearssl-0.4.tar.gz, released on April 3rd, 2017.
- New AES and GHASH implementations for POWER8 processors (provides AES/GCM at more than 2 gigabytes per second!).
- Improved GHASH implementation with AES-NI opcodes (pclmulqdq).
- New Poly1305 implementation with 64→128 multiplications, available on some 64-bit architectures.
- New “i62” big-integer code with 64→128 multiplications, available on some 64-bit architectures (RSA is much faster).
- Some mostly cosmetic patches to support very old systems (BearSSL now compiles and runs on Debian 2.2 “potato” from 2000, with GCC 2.95).
Version 0.3
bearssl-0.3.tar.gz, released on January 29th, 2017.
- Support for ALPN extension (RFC 7301).
- New big-integers support code (“i15”), that uses 15-bit words internally; this offers better performance and constant-time code on the ARM Cortex M series.
- On the ARM Cortex M, a bit of inline assembly can be used to speed up multiplications and modular exponentiations.
- Many new elliptic curve implementations:
  - ec_prime_i15: supports P-256, P-384 and P-521 with the “i15” big integers.
  - ec_p256_m15: specialised implementation for P-256; similar to “i15” but faster. Internally, 13-bit words are used (for easier carry propagation).
  - ec_p256_m31: like ec_p256_m15, but using 30-bit words.
  - ec_c25519_i15 and ec_c25519_i31 implement Curve25519 with the “i15” and “i31” big integers, respectively.
  - ec_c25519_m15 and ec_c25519_m31 are specialised implementations of Curve25519 with 13-bit and 30-bit words, respectively; they are faster, but with a larger compiled code size.
  - ec_all_m15 and ec_all_m31 are aggregate wrappers that provide support for the three NIST curves and Curve25519, with the “m15/i15” or the “m31/i31” code, respectively.
- New API for server-side private key handling: when using ECDHE, the pluggable module that computes the signature on the ServerKeyExchange message can now obtain the actual data, not just a hash thereof (this should help with EdDSA integration when that function is implemented).
- Revamped Makefile structure:
  - Simplified configuration files (in the conf/ directory) to allow for selectable sets of parameters, including build directory.
  - Visual Studio + nmake.exe is now a supported target.
- AES implementation with the AES-NI opcodes; works with GCC, Clang and Visual Studio, both in 32-bit and 64-bit modes.
- GHASH implementation with pclmulqdq; works with GCC, Clang and Visual Studio, both in 32-bit and 64-bit modes.
- Many fixes, including a buffer overrun.
Version 0.2
bearssl-0.2.tar.gz, released on December 13th, 2016.
- Support for ClientHello padding (RFC 7685).
- Support for TLS_FALLBACK_SCSV (RFC 7507) (server-side; on the client, this is entirely under control of the caller).
- New flag to prohibit renegotiations.
- API for saving and restoring session parameters (controllable session resumption on the client side).
- Client certificates: API to request a client certificate (on the server side), and to provide a client certificate (on the client side).
- API for generic name extraction from X.509 certificates (from the subject DN and the SAN extension).
- Improved T0 compilation (threaded code is about 10% shorter).
- ChaCha20+Poly1305 support (RFC 7905).
- Lots of fixes (including a couple of buffer overruns).
Version 0.1
bearssl-0.1.tar.gz, released on November 3rd, 2016.
- Initial release.