While BearSSL improvements and fixes are pushed when ready into the git repository, one at a time, I plan to make some “formal releases” when some milestones are reached. This is not a strict schedule and may change over time; in particular, dates are merely estimate and code is shipped when ready, only when ready1.

Right now, this is how releases should go:

  • Version 0.2 was realeased on December 13th, 2016. It got the last “big API changes” with the addition of client certificates. Subsequent releases (until 1.0) may still break binary compatibility, but should keep source compatibility.

  • Version 0.3 was released on January 29th, 2017. The build system (makefiles) has been revamped, to more easily handle multiple architectures and cross-compilation.

    This new build system has been used to allow inclusion of AES and GHASH implementations powered by the AES-NI opcodes. These are compatible with GCC, Clang, and also Visual Studio + nmake.exe (on Windodws).

    That version also saw inclusion of many elliptic curve implementations, including support for Curve25519, and RSA/EC code optimised for ARM Cortex M platforms.

  • Version 0.4 was released on April 3rd, 2017. It includes some new implementations: optimised AES/GCM on POWER8 systems (with specialised crypto opcodes), and new Poly1305 and RSA implementations leveraging 64→128 multiplications (available on some 64-bit architectures).

  • Version 0.5 was released on July 30th, 2017. Main addition was a new testing framework called BoarSSL / Twrch in which BearSSL is automatically tested against an independent C# TLS implementation, that exercises many parameter combinations and abnormal exchanges. BearSSL was declared to reach “beta” level.

  • Version 0.6 was released on August 14th, 2018. Some stand-alone general-purpose (non-SSL) implementations have been added, especially EAX and CCM authenticated encryption modes, RSA/OAEP encryption, and HKDF. Key pair generation for both RSA and EC was implemented, as well as key pair encoding in the usual formats in the X.509 world.

Feature Schedule

The table below lists the BearSSL features, and their status. Each status is one of:

  • Done (x.y): feature is implemented, first appearing in version “x.y”.

  • Scheduled for x.y: feature is not implemented yet, but should be included in version “x.y”.

  • Planned: feature will be implemented in a future version, but no schedule has been made yet.

  • Never: feature will not be implemented.

All schedules are potentially subject to change; even a feature tagged “never” may still be implemented at some point, if some compelling arguments make me change my mind on that subject.

Feature Status Notes
API documentation (HTML) Done (0.2)
API documentation (man pages) Planned
Arch-specific compilation Done (0.3)
MD5 Done (0.1)
SHA-1 Done (0.1)
SHA-224 and SHA-256 Done (0.1)
SHA-384 and SHA-512 Done (0.1)
SHA-512/224 and SHA-512/256 Planned Delayed: no standard “TLS” identifier defined.
SHA-256 (assembly, ARM) Planned
SHA-512 (assembly, ARM) Planned
SHAKE Planned Required for Ed448 signature support.
Multi-Hasher Done (0.1)
GHASH (32->64 multiplications) Done (0.1)
GHASH (32->32 multiplications) Done (0.1)
GHASH (64->64 multiplications) Done (0.1)
GHASH (x86/SSE2) Planned Maybe not much useful.
GHASH (x86/AES-NI) Done (0.3)
GHASH (POWER8) Done (0.4)
Poly1305 Done (0.2)
Poly1305 (32->32 multipications) Done (0.3)
Poly1305 (64->128 multiplications) Done (0.4)
HMAC Done (0.1)
HMAC constant-time Done (0.1)
HKDF Done (0.6)
HMAC DRBG Done (0.1)
AES/CTR DRBG Done (0.6)
PRF for TLS 1.0/1.1 Done (0.1)
PRF for TLS 1.2 Done (0.1)
AES (classic, with tables) Done (0.1)
AES (small, with tables) Done (0.1)
AES (tiny, assembly, ARM) Planned
AES (tiny, assembly, i386) Planned
AES (tiny, assembly, amd64) Planned
AES constant-time (32-bit) Done (0.1)
AES constant-time (64-bit) Done (0.1)
AES constant-time (x86/SSE2) Planned
AES constant-time (x86/AES-NI) Done (0.3)
AES constant-time (POWER8) Done (0.4)
ChaCha20 Done (0.2)
ChaCha20 (x86/SSE2) Done (0.5)
DES/3DES (classic, with tables) Done (0.1)
DES/3DES (constant-time) Done (0.1)
RC4 Never
RSA (constant-time, 32-bit) Done (0.1)
RSA (constant-time, __uint128) Done (0.4)
RSA with OAEP Done (0.6)
RSA with PSS Planned
RSA key pair generation Done (0.6)
EC (generic, 32-bit) Done (0.1)
EC (generic, 32->32 only) Done (0.3)
EC (generic, __uint128) Planned
EC NIST P-256 (32-bit) Done (0.3)
EC NIST P-256 (32->32 only) Done (0.3)
EC NIST P-256 (with __uint128) Planned
EC NIST P-384 (32-bit) Planned
EC NIST P-384 (32->32 only) Planned
EC NIST P-384 (with __uint128) Planned
EC Curve25519 (32-bit) Done (0.3)
EC Curve25519 (32->32 only) Done (0.3)
EC Curve25519 (with __uint128) Planned
EC Curve448 Planned
EC EdDSA Planned
ECDSA (generic, 32-bit) Done (0.1)
ECDSA (generic, 32->32 only) Done (0.3)
EC key pair generation Done (0.6)
X.509 chain validation API Done (0.1)
X.509 “known key” model Done (0.1)
X.509 minimal validation Done (0.1)
X.509 name extraction (DN, SAN) Done (0.2)
X.509 Name Constraints (basic) Planned
X.509 wrapper for CryptoAPI Planned
Private key decoding (traditional) Done (0.1)
Private key decoding (PKCS#8) Done (0.1)
PEM decoding (streamed) Done (0.1)
Private key encoding (traditional) Done (0.6)
Private key encoding (PKCS#8) Done (0.6)
PEM encoding Done (0.6)
Cert Request generation (PKCS#10) Planned
SSL core engine Done (0.1)
SSL client API Done (0.1)
SSL server API Done (0.1)
SSL 2.0 Never
SSL 3.0 Never
TLS 1.0 Done (0.1)
TLS 1.1 Done (0.1)
TLS 1.2 Done (0.1)
TLS 1.3 Planned See the dedicated page
DTLS (1.0, 1.2) Planned
SSL RSA key exchange Done (0.1)
SSL ECDH key exchange Done (0.1)
SSL ECDHE key exchange Done (0.1)
SSL renegotiation Done (0.1)
SSL no-renegotiation flag Done (0.2)
SSL session resumption (client) Done (0.1)
SSL session resumption (server) Done (0.1)
SSL session cache (client-side API) Done (0.2)
SSL session cache (server-side) Done (0.1)
SSL client certificates (client) Done (0.2)
SSL client certificates (server) Done (0.2)
SSL ext: ClientHello padding Done (0.2)
SSL ext: ALPN Done (0.3)
SSL multi-threaded wrappers Planned Locks and synchro for multi-threaded access.
T0 optimisation (inlining) Planned Automatic function inlining when appropriate.
T0 optimisation (encoding) Done (0.2) More space-efficient bytecode format.
Automatic test framework Done (0.5)
Documentation Ongoing More documentation is always needed.

Documentation Effort

Documentation is an ongoing effort, especially since one of the long-term goals of BearSSL is to be usable as a pedagogical implementation of SSL/TLS. In other words, techniques employed therein make most sense only when they are duly explained.

Future documentation efforts will primarily focus on the following areas:

  • API for existing and new features. The function-by-function documentation in HTML is partly done (with Doxygen) and should be completed soon. Man pages (for Linux and other Unix-like systems) will be done at some point, too. More usage samples are still needed.

  • T0 documentation. The T0 language shall be thoroughly explained and documented: syntax, compilation, structure, and rationale.

  • Buffering. Most of the inner workings of the SSL engine is about keeping track of data and assembly of records. It is a complex system, which should be thoroughly detailed, and, if possible, “proven” by making explicit all assumptions throughout the code. It is expected that such a documentation work will uncover some potentially nasty bugs.

  • Cryptographic trickeries. Cryptographic algorithm implementations employ some specific techniques that are important for performance and/or security, in particular constant-time code, which must be explained in full details.

  1. For some appropriate notion of readiness.