Security related

This release further reduces a possible timing side channel in the PolarSSL SSL module when decrypting a buffer whose incoming message contains badly formatted padding.

In addition, a possible timing difference due to bad padding in PKCS#1 v1.5 operations has been reduced.
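As an added illustration of the kind of padding-check timing difference these fixes address (example code written for this page, not PolarSSL's own implementation; the helper names are hypothetical), a PKCS#1 v1.5 type 2 unpadding routine that returns early beside one that visits every byte and folds all failures into a single verdict:

```c
#include <stddef.h>
#include <stdint.h>

/* Constant-time primitives (hypothetical helpers, not PolarSSL's own).
 * Inputs are < 2^31, so the sign-bit trick in ct_lt is valid. */
static uint32_t ct_is_zero(uint32_t x) { return 1u ^ ((x | (0u - x)) >> 31); }
static uint32_t ct_lt(uint32_t a, uint32_t b) { return (a - b) >> 31; }
static uint32_t ct_mask(uint32_t bit) { return 0u - bit; }

/* Variable-time PKCS#1 v1.5 type 2 unpadding: 00 02 PS(>=8 nonzero) 00 M.
 * It returns as soon as a rule fails, so elapsed time tells an observer
 * which byte was wrong. Returns the message offset, or -1 on bad padding. */
long pkcs1_v15_unpad_leaky(const uint8_t *em, size_t k)
{
    size_t i;
    if (k < 11 || em[0] != 0x00 || em[1] != 0x02) return -1;
    for (i = 2; i < k && em[i] != 0x00; i++) ;
    if (i == k || i < 10) return -1;   /* no separator, or PS shorter than 8 */
    return (long)(i + 1);
}

/* Constant-time variant: every byte is visited and every failure is folded
 * into one mask, so the run time does not depend on where padding breaks.
 * (Assumes the compiler keeps the mask arithmetic branch-free.) */
long pkcs1_v15_unpad_ct(const uint8_t *em, size_t k)
{
    uint32_t bad, found = 0, off = 0;
    size_t i;
    if (k < 11) return -1;             /* the length itself is not secret */
    bad = (uint32_t)em[0] | ((uint32_t)em[1] ^ 0x02u);
    for (i = 2; i < k; i++) {
        uint32_t is_sep = ct_is_zero(em[i]);
        uint32_t first  = is_sep & (found ^ 1u);  /* only the first 0x00 counts */
        off   |= ct_mask(first) & (uint32_t)i;
        found |= is_sep;
    }
    bad |= found ^ 1u;                 /* no separator found at all */
    bad |= ct_lt(off, 10u);            /* PS shorter than 8 bytes */
    /* One aggregate verdict; the caller must still avoid leaking it. */
    return (bad != 0) ? -1 : (long)(off + 1);
}

/* Constructed sample encoded messages (not real RSA output). */
static const uint8_t EM_OK[]      = {0x00,0x02,1,2,3,4,5,6,7,8,0x00,'h','i'};
static const uint8_t EM_BADTYPE[] = {0x00,0x01,1,2,3,4,5,6,7,8,0x00,'h','i'};
static const uint8_t EM_SHORTPS[] = {0x00,0x02,1,2,3,0x00,'h','e','l','l','o','!'};
static const uint8_t EM_NOSEP[]   = {0x00,0x02,1,2,3,4,5,6,7,8,9,10,11};
```

Both routines agree on the verdict for every sample; the difference is only in how long each takes to reach it, which is exactly what a timing observer measures.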


The internals for rsa_pkcs1_encrypt(), rsa_pkcs1_decrypt(), rsa_pkcs1_sign() and rsa_pkcs1_verify() have been cleaned up and split so as to separate the PKCS#1 v1.5 and PKCS#1 v2.1 functionality. The PKCS#1 v2.1 RSA encrypt and decrypt functions now support custom labels.

On request, we have re-added handling of SSLv2 Client Hello messages when the define POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO is set.

As a minor change, the provided SSL session cache module (ssl_cache) now also retains peer_cert information (just the peer certificate, not the entire chain) to use after session re-use.

Bug fixes

Bug fixes include the removal of a memory leak in the SSL module, a fix for a counter bug in the GCM module, and improved support for MS Visual Studio on 64-bit systems, for the ARM platform and for little-endian systems.

Who should update

Our advice for users of the PolarSSL 1.2 branch is to update:

  • in order to further remove possible RSA and SSL timing side channels (see PolarSSL Security Advisory 2013-01)
  • in order to remove a possible memory leak in the SSL module

Our advice for users of the PolarSSL 1.1 branch is to update to PolarSSL 1.1.6.