yuzu/mbedtls
1
0
Fork 0
mirror of https://github.com/yuzu-emu/mbedtls.git synced 2025-06-12 18:45:31 +00:00
Code Issues Packages Projects Releases Wiki Activity

Fix ChangeLog by grouping baremetal entries

Browse source 
In previous merges, ChangeLog entries from the baremetal branch got mixed with
entries from the 2.16 branch, which resulted in a confusing and unhelpful log.
Restore some order by grouping all baremetal entries in their own section.
This commit is contained in:
Manuel Pégourié-Gonnard 2019-09-11 13:02:18 +02:00
parent fa4cbe0422
commit 3cdfa0c2cc
1 changed files with 65 additions and 62 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

127
ChangeLog
View file

@ -1,6 +1,66 @@
mbed TLS ChangeLog (Sorted per branch, date) mbed TLS ChangeLog (Sorted per branch, date)
= mbed TLS x.x.x branch released xxxx-xx-xx = mbed TLS "baremetal" branch
Features
* Add new configuration option MBEDTLS_SSL_NO_SESSION_CACHE that enables
code size savings in configurations where cache-based session resumption is
not used.
* Add new configuration option MBEDTLS_SSL_NO_SESSION_RESUMPTION that
enables code size savings in configurations where no form of session
resumption is used.
* Add support for draft-05 of the Connection ID extension, as specified
in https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05.
The Connection ID extension allows to keep DTLS connections beyond the
lifetime of the underlying transport by adding a connection identifier
to the DTLS record header. This identifier can be used to associated an
incoming record with the correct connection data even after the peer has
changed its IP or port. The feature is enabled at compile-time by setting
MBEDTLS_SSL_DTLS_CONNECTION_ID (disabled by default), and at run-time
through the new APIs mbedtls_ssl_conf_cid() and mbedtls_ssl_set_cid().
* Add new API functions mbedtls_ssl_session_save() and
mbedtls_ssl_session_load() to allow serializing a session, for example to
store it in non-volatile storage, and later using it for TLS session
resumption.
* Add a new X.509 API call `mbedtls_x509_parse_der_nocopy()`
which allows copy-less parsing of DER encoded X.509 CRTs,
at the cost of additional lifetime constraints on the input
buffer, but at the benefit of reduced RAM consumption.
* Add new API function mbedtls_ssl_conf_extended_master_secret_enforce() to
allow enforcing the usage of ExtendedMasterSecret extension. If the
extension is used and this option is enabled, handshakes not leading to
the use of the extended master secret will be aborted. On the server,
fail the handshake if client doesn't advertise the ExtendedMasterSecret
extension. On the client, fail the handshake if the server doesn't
consent to the use of the ExtendedMasterSecret extension in its
ServerHello.
* Add new configuration option MBEDTLS_SSL_PROTO_NO_TLS that enables code
size savings in configurations where only DTLS is used.
API Changes
* Add a new X.509 API call `mbedtls_x509_parse_der_nocopy()`.
See the Features section for more information.
* Allow to opt in to the removal the API mbedtls_ssl_get_peer_cert()
for the benefit of saving RAM, by disabling the new compile-time
option MBEDTLS_SSL_KEEP_PEER_CERTIFICATE (enabled by default for
API stability). Disabling this option makes mbedtls_ssl_get_peer_cert()
always return NULL, and removes the peer_cert field from the
mbedtls_ssl_session structure which otherwise stores the peer's
certificate.
* Add a new compile-time option `MBEDTLS_X509_ON_DEMAND_PARSING`,
disabled by default, which allows to parse and cache X.509 CRTs
on demand only, at the benefit of lower RAM usage. Enabling
this option breaks the structure API of X.509 in that most
fields of `mbedtls_x509_crt` are removed, but it keeps the
X.509 function API. See the API changes section as well as
the documentation in `config.h` for more information.
Changes
* Reduce RAM consumption during session renegotiation by not storing
the peer CRT chain and session ticket twice.
= mbed TLS 2.16.3 branch released 2019-09-06
Security Security
* Fix a missing error detection in ECJPAKE. This could have caused a * Fix a missing error detection in ECJPAKE. This could have caused a
@ -17,13 +77,10 @@ Security
about 1 bit of information on average and could cause the value to be about 1 bit of information on average and could cause the value to be
1 byte too large for the output buffer. 1 byte too large for the output buffer.
Features API Changes
* Add new configuration option MBEDTLS_SSL_NO_SESSION_CACHE that enables * The new function mbedtls_ecdsa_sign_det_ext() is similar to
code size savings in configurations where cache-based session resumption is mbedtls_ecdsa_sign_det() but allows passing an external RNG for the
not used. purpose of blinding.
* Add new configuration option MBEDTLS_SSL_NO_SESSION_RESUMPTION that
enables code size savings in configurations where no form of session
resumption is used.
Bugfix Bugfix
* Fix to allow building test suites with any warning that detects unused * Fix to allow building test suites with any warning that detects unused
@ -64,18 +121,6 @@ Changes
suggests). #2671 suggests). #2671
* Make `make clean` clean all programs always. Fixes #1862. * Make `make clean` clean all programs always. Fixes #1862.
API Changes
* Add a new compile-time option `MBEDTLS_X509_ON_DEMAND_PARSING`,
disabled by default, which allows to parse and cache X.509 CRTs
on demand only, at the benefit of lower RAM usage. Enabling
this option breaks the structure API of X.509 in that most
fields of `mbedtls_x509_crt` are removed, but it keeps the
X.509 function API. See the API changes section as well as
the documentation in `config.h` for more information.
* The new function mbedtls_ecdsa_sign_det_ext() is similar to
mbedtls_ecdsa_sign_det() but allows passing an external RNG for the
purpose of blinding.
= mbed TLS 2.16.2 branch released 2019-06-11 = mbed TLS 2.16.2 branch released 2019-06-11
Security Security
@ -86,46 +131,6 @@ Security
an error or a meaningless output from mbedtls_ecdh_get_params. In the an error or a meaningless output from mbedtls_ecdh_get_params. In the
latter case, this could expose at most 5 bits of the private key. latter case, this could expose at most 5 bits of the private key.
Features
* Add support for draft-05 of the Connection ID extension, as specified
in https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05.
The Connection ID extension allows to keep DTLS connections beyond the
lifetime of the underlying transport by adding a connection identifier
to the DTLS record header. This identifier can be used to associated an
incoming record with the correct connection data even after the peer has
changed its IP or port. The feature is enabled at compile-time by setting
MBEDTLS_SSL_DTLS_CONNECTION_ID (disabled by default), and at run-time
through the new APIs mbedtls_ssl_conf_cid() and mbedtls_ssl_set_cid().
* Add new API functions mbedtls_ssl_session_save() and
mbedtls_ssl_session_load() to allow serializing a session, for example to
store it in non-volatile storage, and later using it for TLS session
resumption.
* Add a new X.509 API call `mbedtls_x509_parse_der_nocopy()`
which allows copy-less parsing of DER encoded X.509 CRTs,
at the cost of additional lifetime constraints on the input
buffer, but at the benefit of reduced RAM consumption.
* Add new API function mbedtls_ssl_conf_extended_master_secret_enforce() to
allow enforcing the usage of ExtendedMasterSecret extension. If the
extension is used and this option is enabled, handshakes not leading to
the use of the extended master secret will be aborted. On the server,
fail the handshake if client doesn't advertise the ExtendedMasterSecret
extension. On the client, fail the handshake if the server doesn't
consent to the use of the ExtendedMasterSecret extension in its
ServerHello.
* Add new configuration option MBEDTLS_SSL_PROTO_NO_TLS that enables code
size savings in configurations where only DTLS is used.
API Changes
* Add a new X.509 API call `mbedtls_x509_parse_der_nocopy()`.
See the Features section for more information.
* Allow to opt in to the removal the API mbedtls_ssl_get_peer_cert()
for the benefit of saving RAM, by disabling the new compile-time
option MBEDTLS_SSL_KEEP_PEER_CERTIFICATE (enabled by default for
API stability). Disabling this option makes mbedtls_ssl_get_peer_cert()
always return NULL, and removes the peer_cert field from the
mbedtls_ssl_session structure which otherwise stores the peer's
certificate.
Bugfix Bugfix
* Server's RSA certificate in certs.c was SHA-1 signed. In the default * Server's RSA certificate in certs.c was SHA-1 signed. In the default
mbedTLS configuration only SHA-2 signed certificates are accepted. mbedTLS configuration only SHA-2 signed certificates are accepted.
@ -213,8 +218,6 @@ Bugfix
leading content octet. Fixes #1610. leading content octet. Fixes #1610.
Changes Changes
* Reduce RAM consumption during session renegotiation by not storing
the peer CRT chain and session ticket twice.
* Include configuration file in all header files that use configuration, * Include configuration file in all header files that use configuration,
instead of relying on other header files that they include. instead of relying on other header files that they include.
Inserted as an enhancement for #1371 Inserted as an enhancement for #1371