mirror of
https://github.com/yuzu-emu/mbedtls.git
synced 2025-01-03 16:25:45 +00:00
Update ChangeLog with language and technical corrections
To clarify and correct the ChangeLog.
This commit is contained in:
parent
98b9373849
commit
55fc4e0c5a
77
ChangeLog
77
ChangeLog
|
@ -1,44 +1,46 @@
|
||||||
mbed TLS ChangeLog (Sorted per branch, date)
|
mbed TLS ChangeLog (Sorted per branch, date)
|
||||||
|
|
||||||
= mbed TLS x.x.x branch released xxxx-xx-xx
|
= mbed TLS 2.7.0 branch released 2018-02-03
|
||||||
|
|
||||||
Security
|
Security
|
||||||
* Fix buffer overflow in RSA-PSS verification when the hash is too
|
* Fix a heap corruption issue in the implementation of the truncated HMAC
|
||||||
large for the key size. Found by Seth Terashima, Qualcomm Product
|
extension. When the truncated HMAC extension is enabled and CBC is used,
|
||||||
Security Initiative, Qualcomm Technologies Inc.
|
sending a malicious application packet could be used to selectively corrupt
|
||||||
* Fix buffer overflow in RSA-PSS verification when the unmasked
|
6 bytes on the peer's heap, which could potentially lead to crash or remote
|
||||||
data is all zeros.
|
code execution. The issue could be triggered remotely from either side in
|
||||||
* Fix unsafe bounds check in ssl_parse_client_psk_identity() when adding
|
both TLS and DTLS. CVE-2018-0488
|
||||||
64kB to the address of the SSL buffer wraps around.
|
* Fix a buffer overflow in RSA-PSS verification when the hash was too large
|
||||||
* Fix a potential heap buffer overflow in mbedtls_ssl_write. When the (by
|
for the key size, which could potentially lead to crash or remote code
|
||||||
|
execution. Found by Seth Terashima, Qualcomm Product Security Initiative,
|
||||||
|
Qualcomm Technologies Inc. CVE-2018-0487
|
||||||
|
* Fix buffer overflow in RSA-PSS verification when the unmasked data is all
|
||||||
|
zeros.
|
||||||
|
* Fix an unsafe bounds check in ssl_parse_client_psk_identity() when adding
|
||||||
|
64 KiB to the address of the SSL buffer and causing a wrap around.
|
||||||
|
* Fix a potential heap buffer overflow in mbedtls_ssl_write(). When the (by
|
||||||
default enabled) maximum fragment length extension is disabled in the
|
default enabled) maximum fragment length extension is disabled in the
|
||||||
config and the application data buffer passed to mbedtls_ssl_write
|
config and the application data buffer passed to mbedtls_ssl_write
|
||||||
is larger than the internal message buffer (16384 bytes by default), the
|
is larger than the internal message buffer (16384 bytes by default), the
|
||||||
latter overflows. The exploitability of this issue depends on whether the
|
latter overflows. The exploitability of this issue depends on whether the
|
||||||
application layer can be forced into sending such large packets. The issue
|
application layer can be forced into sending such large packets. The issue
|
||||||
was independently reported by Tim Nordell via e-mail and by Florin Petriuc
|
was independently reported by Tim Nordell via e-mail and by Florin Petriuc
|
||||||
and sjorsdewit on GitHub. Fix proposed by Florin Petriuc in #1022. Fixes #707.
|
and sjorsdewit on GitHub. Fix proposed by Florin Petriuc in #1022.
|
||||||
* Tighten should-be-constant-time memcmp against compiler optimizations.
|
Fixes #707.
|
||||||
|
* Add a provision to prevent compiler optimizations breaking the time
|
||||||
|
constancy of mbedtls_ssl_safer_memcmp().
|
||||||
* Ensure that buffers are cleared after use if they contain sensitive data.
|
* Ensure that buffers are cleared after use if they contain sensitive data.
|
||||||
Changes were introduced in multiple places in the library.
|
Changes were introduced in multiple places in the library.
|
||||||
* Set PEM buffer to zero before freeing it, to avoid decoded private keys
|
* Set PEM buffer to zero before freeing it, to avoid decoded private keys
|
||||||
being leaked to memory after release.
|
being leaked to memory after release.
|
||||||
* Fix dhm_check_range() failing to detect trivial subgroups and potentially
|
* Fix dhm_check_range() failing to detect trivial subgroups and potentially
|
||||||
leaking 1 bit of the private key. Reported by prashantkspatil.
|
leaking 1 bit of the private key. Reported by prashantkspatil.
|
||||||
* Make mbedtls_mpi_read_binary constant-time with respect to
|
* Make mbedtls_mpi_read_binary() constant-time with respect to the input
|
||||||
the input data. Previously, trailing zero bytes were detected
|
data. Previously, trailing zero bytes were detected and omitted for the
|
||||||
and omitted for the sake of saving memory, but potentially
|
sake of saving memory, but potentially leading to slight timing
|
||||||
leading to slight timing differences.
|
differences. Reported by Marco Macchetti, Kudelski Group.
|
||||||
Reported by Marco Macchetti, Kudelski Group.
|
|
||||||
* Wipe stack buffer temporarily holding EC private exponent
|
* Wipe stack buffer temporarily holding EC private exponent
|
||||||
after keypair generation.
|
after keypair generation.
|
||||||
* Fix heap corruption in implementation of truncated HMAC extension.
|
* Fix a potential heap buffer over-read in ALPN extension parsing
|
||||||
When the truncated HMAC extension is enabled and CBC is used,
|
|
||||||
sending a malicious application packet can be used to selectively
|
|
||||||
corrupt 6 bytes on the peer's heap, potentially leading to crash or
|
|
||||||
remote code execution. This can be triggered remotely from either
|
|
||||||
side in both TLS and DTLS.
|
|
||||||
* Fix a potential heap buffer overread in ALPN extension parsing
|
|
||||||
(server-side). Could result in application crash, but only if an ALPN
|
(server-side). Could result in application crash, but only if an ALPN
|
||||||
name larger than 16 bytes had been configured on the server.
|
name larger than 16 bytes had been configured on the server.
|
||||||
* Change default choice of DHE parameters from untrustworthy RFC 5114
|
* Change default choice of DHE parameters from untrustworthy RFC 5114
|
||||||
|
@ -69,11 +71,12 @@ Features
|
||||||
mbedtls_ecdh_gen_public() and mbedtls_ecdh_compute_shared().
|
mbedtls_ecdh_gen_public() and mbedtls_ecdh_compute_shared().
|
||||||
* Add support for alternative implementation of ECJPAKE, controlled by
|
* Add support for alternative implementation of ECJPAKE, controlled by
|
||||||
the new configuration flag MBEDTLS_ECJPAKE_ALT.
|
the new configuration flag MBEDTLS_ECJPAKE_ALT.
|
||||||
|
* Add mechanism to provide alternative implementation of the DHM module.
|
||||||
|
|
||||||
API Changes
|
API Changes
|
||||||
* Extend RSA interface by multiple functions allowing structure-
|
* Extend RSA interface by multiple functions allowing structure-
|
||||||
independent setup and export of RSA contexts. Most notably,
|
independent setup and export of RSA contexts. Most notably,
|
||||||
mbedtls_rsa_import and mbedtls_rsa_complete are introduced for setting
|
mbedtls_rsa_import() and mbedtls_rsa_complete() are introduced for setting
|
||||||
up RSA contexts from partial key material and having them completed to the
|
up RSA contexts from partial key material and having them completed to the
|
||||||
needs of the implementation automatically. This allows to setup private RSA
|
needs of the implementation automatically. This allows to setup private RSA
|
||||||
contexts from keys consisting of N,D,E only, even if P,Q are needed for the
|
contexts from keys consisting of N,D,E only, even if P,Q are needed for the
|
||||||
|
@ -91,7 +94,7 @@ API Changes
|
||||||
|
|
||||||
New deprecations
|
New deprecations
|
||||||
* Deprecate usage of RSA primitives with non-matching key-type
|
* Deprecate usage of RSA primitives with non-matching key-type
|
||||||
(e.g., signing with a public key).
|
(e.g. signing with a public key).
|
||||||
* Direct manipulation of structure fields of RSA contexts is deprecated.
|
* Direct manipulation of structure fields of RSA contexts is deprecated.
|
||||||
Users are advised to use the extended RSA API instead.
|
Users are advised to use the extended RSA API instead.
|
||||||
* Deprecate usage of message digest functions that return void
|
* Deprecate usage of message digest functions that return void
|
||||||
|
@ -104,8 +107,8 @@ New deprecations
|
||||||
* Deprecate hex string DHE constants MBEDTLS_DHM_RFC3526_MODP_2048_P etc.
|
* Deprecate hex string DHE constants MBEDTLS_DHM_RFC3526_MODP_2048_P etc.
|
||||||
Supserseded by binary encoded constants MBEDTLS_DHM_RFC3526_MODP_2048_P_BIN
|
Supserseded by binary encoded constants MBEDTLS_DHM_RFC3526_MODP_2048_P_BIN
|
||||||
etc.
|
etc.
|
||||||
* Deprecate mbedtls_ssl_conf_dh_param for setting default DHE parameters
|
* Deprecate mbedtls_ssl_conf_dh_param() for setting default DHE parameters
|
||||||
from hex strings. Superseded by mbedtls_ssl_conf_dh_param_bin
|
from hex strings. Superseded by mbedtls_ssl_conf_dh_param_bin()
|
||||||
accepting DHM parameters in binary form, matching the new constants.
|
accepting DHM parameters in binary form, matching the new constants.
|
||||||
|
|
||||||
Bugfix
|
Bugfix
|
||||||
|
@ -141,11 +144,11 @@ Bugfix
|
||||||
* Don't print X.509 version tag for v1 CRT's, and omit extensions for
|
* Don't print X.509 version tag for v1 CRT's, and omit extensions for
|
||||||
non-v3 CRT's.
|
non-v3 CRT's.
|
||||||
* Fix bugs in RSA test suite under MBEDTLS_NO_PLATFORM_ENTROPY. #1023 #1024
|
* Fix bugs in RSA test suite under MBEDTLS_NO_PLATFORM_ENTROPY. #1023 #1024
|
||||||
* Fix net_would_block to avoid modification by errno through fcntl call.
|
* Fix net_would_block() to avoid modification by errno through fcntl() call.
|
||||||
Found by nkolban. Fixes #845.
|
Found by nkolban. Fixes #845.
|
||||||
* Fix handling of handshake messages in mbedtls_ssl_read in case
|
* Fix handling of handshake messages in mbedtls_ssl_read() in case
|
||||||
MBEDTLS_SSL_RENEGOTIATION is disabled. Found by erja-gp.
|
MBEDTLS_SSL_RENEGOTIATION is disabled. Found by erja-gp.
|
||||||
* Add a check for invalid private parameters in mbedtls_ecdsa_sign.
|
* Add a check for invalid private parameters in mbedtls_ecdsa_sign().
|
||||||
Reported by Yolan Romailler.
|
Reported by Yolan Romailler.
|
||||||
* Fix word size check in in pk.c to not depend on MBEDTLS_HAVE_INT64.
|
* Fix word size check in in pk.c to not depend on MBEDTLS_HAVE_INT64.
|
||||||
* Fix incorrect unit in benchmark output. #850
|
* Fix incorrect unit in benchmark output. #850
|
||||||
|
@ -154,7 +157,7 @@ Bugfix
|
||||||
* Fix crash when calling mbedtls_ssl_cache_free() twice. Found by
|
* Fix crash when calling mbedtls_ssl_cache_free() twice. Found by
|
||||||
MilenkoMitrovic, #1104
|
MilenkoMitrovic, #1104
|
||||||
* Fix mbedtls_timing_alarm(0) on Unix and MinGW.
|
* Fix mbedtls_timing_alarm(0) on Unix and MinGW.
|
||||||
* Fix use of uninitialized memory in mbedtls_timing_get_timer when reset=1.
|
* Fix use of uninitialized memory in mbedtls_timing_get_timer() when reset=1.
|
||||||
* Fix possible memory leaks in mbedtls_gcm_self_test().
|
* Fix possible memory leaks in mbedtls_gcm_self_test().
|
||||||
* Added missing return code checks in mbedtls_aes_self_test().
|
* Added missing return code checks in mbedtls_aes_self_test().
|
||||||
* Fix issues in RSA key generation program programs/x509/rsa_genkey and the
|
* Fix issues in RSA key generation program programs/x509/rsa_genkey and the
|
||||||
|
@ -164,9 +167,10 @@ Bugfix
|
||||||
* Fix error message in programs/pkey/gen_key.c. Found and fixed by Chris Xue.
|
* Fix error message in programs/pkey/gen_key.c. Found and fixed by Chris Xue.
|
||||||
* Fix programs/pkey/dh_server.c so that it actually works with dh_client.c.
|
* Fix programs/pkey/dh_server.c so that it actually works with dh_client.c.
|
||||||
Found and fixed by Martijn de Milliano.
|
Found and fixed by Martijn de Milliano.
|
||||||
* Fix bug in cipher decryption with MBEDTLS_PADDING_ONE_AND_ZEROS that
|
* Fix an issue in the cipher decryption with the mode
|
||||||
sometimes accepted invalid padding. (Not used in TLS.) Found and fixed
|
MBEDTLS_PADDING_ONE_AND_ZEROS that sometimes accepted invalid padding.
|
||||||
by Micha Kraus.
|
Note, this padding mode is not used by the TLS protocol. Found and fixed by
|
||||||
|
Micha Kraus.
|
||||||
* Fix the entropy.c module to not call mbedtls_sha256_starts() or
|
* Fix the entropy.c module to not call mbedtls_sha256_starts() or
|
||||||
mbedtls_sha512_starts() in the mbedtls_entropy_init() function.
|
mbedtls_sha512_starts() in the mbedtls_entropy_init() function.
|
||||||
* Fix the entropy.c module to ensure that mbedtls_sha256_init() or
|
* Fix the entropy.c module to ensure that mbedtls_sha256_init() or
|
||||||
|
@ -174,9 +178,11 @@ Bugfix
|
||||||
structure. Do not assume that zeroizing a context is a correct way to
|
structure. Do not assume that zeroizing a context is a correct way to
|
||||||
reset it. Found independently by ccli8 on Github.
|
reset it. Found independently by ccli8 on Github.
|
||||||
* In mbedtls_entropy_free(), properly free the message digest context.
|
* In mbedtls_entropy_free(), properly free the message digest context.
|
||||||
|
* Fix status handshake status message in programs/ssl/dtls_client.c. Found
|
||||||
|
and fixed by muddog.
|
||||||
|
|
||||||
Changes
|
Changes
|
||||||
* Extend cert_write example program by options to set the CRT version
|
* Extend cert_write example program by options to set the certificate version
|
||||||
and the message digest. Further, allow enabling/disabling of authority
|
and the message digest. Further, allow enabling/disabling of authority
|
||||||
identifier, subject identifier and basic constraints extensions.
|
identifier, subject identifier and basic constraints extensions.
|
||||||
* Only check for necessary RSA structure fields in `mbedtls_rsa_private`. In
|
* Only check for necessary RSA structure fields in `mbedtls_rsa_private`. In
|
||||||
|
@ -186,7 +192,6 @@ Changes
|
||||||
* Only run AES-192 self-test if AES-192 is available. Fixes #963.
|
* Only run AES-192 self-test if AES-192 is available. Fixes #963.
|
||||||
* Tighten the RSA PKCS#1 v1.5 signature verification code and remove the
|
* Tighten the RSA PKCS#1 v1.5 signature verification code and remove the
|
||||||
undeclared dependency of the RSA module on the ASN.1 module.
|
undeclared dependency of the RSA module on the ASN.1 module.
|
||||||
* Add mechanism to provide alternative implementation of the DHM module.
|
|
||||||
* Update all internal usage of deprecated message digest functions to the
|
* Update all internal usage of deprecated message digest functions to the
|
||||||
new ones with return codes. In particular, this modifies the
|
new ones with return codes. In particular, this modifies the
|
||||||
mbedtls_md_info_t structure. Propagate errors from these functions
|
mbedtls_md_info_t structure. Propagate errors from these functions
|
||||||
|
|
Loading…
Reference in a new issue