Update ChangeLog with language and technical corrections

To clarify and correct the ChangeLog.
Simon Butcher 2018-02-05 01:09:13 +00:00 committed by Jaeden Amero
parent 98b9373849
commit 55fc4e0c5a


@ -1,44 +1,46 @@
mbed TLS ChangeLog (Sorted per branch, date) mbed TLS ChangeLog (Sorted per branch, date)
= mbed TLS x.x.x branch released xxxx-xx-xx = mbed TLS 2.7.0 branch released 2018-02-03
Security Security
* Fix buffer overflow in RSA-PSS verification when the hash is too * Fix a heap corruption issue in the implementation of the truncated HMAC
large for the key size. Found by Seth Terashima, Qualcomm Product extension. When the truncated HMAC extension is enabled and CBC is used,
Security Initiative, Qualcomm Technologies Inc. sending a malicious application packet could be used to selectively corrupt
* Fix buffer overflow in RSA-PSS verification when the unmasked 6 bytes on the peer's heap, which could potentially lead to crash or remote
data is all zeros. code execution. The issue could be triggered remotely from either side in
* Fix unsafe bounds check in ssl_parse_client_psk_identity() when adding both TLS and DTLS. CVE-2018-0488
64kB to the address of the SSL buffer wraps around. * Fix a buffer overflow in RSA-PSS verification when the hash was too large
* Fix a potential heap buffer overflow in mbedtls_ssl_write. When the (by for the key size, which could potentially lead to crash or remote code
execution. Found by Seth Terashima, Qualcomm Product Security Initiative,
Qualcomm Technologies Inc. CVE-2018-0487
* Fix buffer overflow in RSA-PSS verification when the unmasked data is all
zeros.
* Fix an unsafe bounds check in ssl_parse_client_psk_identity() when adding
64 KiB to the address of the SSL buffer and causing a wrap around.
* Fix a potential heap buffer overflow in mbedtls_ssl_write(). When the (by
default enabled) maximum fragment length extension is disabled in the default enabled) maximum fragment length extension is disabled in the
config and the application data buffer passed to mbedtls_ssl_write config and the application data buffer passed to mbedtls_ssl_write
is larger than the internal message buffer (16384 bytes by default), the is larger than the internal message buffer (16384 bytes by default), the
latter overflows. The exploitability of this issue depends on whether the latter overflows. The exploitability of this issue depends on whether the
application layer can be forced into sending such large packets. The issue application layer can be forced into sending such large packets. The issue
was independently reported by Tim Nordell via e-mail and by Florin Petriuc was independently reported by Tim Nordell via e-mail and by Florin Petriuc
and sjorsdewit on GitHub. Fix proposed by Florin Petriuc in #1022. Fixes #707. and sjorsdewit on GitHub. Fix proposed by Florin Petriuc in #1022.
* Tighten should-be-constant-time memcmp against compiler optimizations. Fixes #707.
* Add a provision to prevent compiler optimizations breaking the time
constancy of mbedtls_ssl_safer_memcmp().
* Ensure that buffers are cleared after use if they contain sensitive data. * Ensure that buffers are cleared after use if they contain sensitive data.
Changes were introduced in multiple places in the library. Changes were introduced in multiple places in the library.
* Set PEM buffer to zero before freeing it, to avoid decoded private keys * Set PEM buffer to zero before freeing it, to avoid decoded private keys
being leaked to memory after release. being leaked to memory after release.
* Fix dhm_check_range() failing to detect trivial subgroups and potentially * Fix dhm_check_range() failing to detect trivial subgroups and potentially
leaking 1 bit of the private key. Reported by prashantkspatil. leaking 1 bit of the private key. Reported by prashantkspatil.
* Make mbedtls_mpi_read_binary constant-time with respect to * Make mbedtls_mpi_read_binary() constant-time with respect to the input
the input data. Previously, trailing zero bytes were detected data. Previously, trailing zero bytes were detected and omitted for the
and omitted for the sake of saving memory, but potentially sake of saving memory, but potentially leading to slight timing
leading to slight timing differences. differences. Reported by Marco Macchetti, Kudelski Group.
Reported by Marco Macchetti, Kudelski Group.
* Wipe stack buffer temporarily holding EC private exponent * Wipe stack buffer temporarily holding EC private exponent
after keypair generation. after keypair generation.
* Fix heap corruption in implementation of truncated HMAC extension. * Fix a potential heap buffer over-read in ALPN extension parsing
When the truncated HMAC extension is enabled and CBC is used,
sending a malicious application packet can be used to selectively
corrupt 6 bytes on the peer's heap, potentially leading to crash or
remote code execution. This can be triggered remotely from either
side in both TLS and DTLS.
* Fix a potential heap buffer overread in ALPN extension parsing
(server-side). Could result in application crash, but only if an ALPN (server-side). Could result in application crash, but only if an ALPN
name larger than 16 bytes had been configured on the server. name larger than 16 bytes had been configured on the server.
* Change default choice of DHE parameters from untrustworthy RFC 5114 * Change default choice of DHE parameters from untrustworthy RFC 5114
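Review bot: the release header now reads "mbed TLS 2.7.0 branch released 2018-02-03", which is two days before this commit's own date (2018-02-05); please confirm the release date is the intended one before it is frozen in the ChangeLog. Within the Security list the article usage is still inconsistent after the edit: "Fix a heap corruption issue", "Fix a buffer overflow in RSA-PSS verification when the hash was too large" and "Fix an unsafe bounds check" gained an article, but "Fix buffer overflow in RSA-PSS verification when the unmasked data is all zeros." did not; suggest "Fix a buffer overflow ..." for that entry too. In the same entry, the RSA-PSS "unmasked data is all zeros" fix is the only RSA-PSS item with no reporter or identifier, so readers may wonder whether it is part of CVE-2018-0487; a short "(same fix as above)" or a separate identifier would remove the ambiguity if one applies. The rewritten memcmp entry, "Add a provision to prevent compiler optimizations breaking the time constancy of mbedtls_ssl_safer_memcmp()", reads awkwardly; "Prevent compiler optimizations from breaking the constant-time property of mbedtls_ssl_safer_memcmp()" says the same thing more plainly. Finally, "causing a wrap around" should be "causing a wraparound" (or "wrap-around") as a noun.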
@ -69,11 +71,12 @@ Features
mbedtls_ecdh_gen_public() and mbedtls_ecdh_compute_shared(). mbedtls_ecdh_gen_public() and mbedtls_ecdh_compute_shared().
* Add support for alternative implementation of ECJPAKE, controlled by * Add support for alternative implementation of ECJPAKE, controlled by
the new configuration flag MBEDTLS_ECJPAKE_ALT. the new configuration flag MBEDTLS_ECJPAKE_ALT.
* Add mechanism to provide alternative implementation of the DHM module.
API Changes API Changes
* Extend RSA interface by multiple functions allowing structure- * Extend RSA interface by multiple functions allowing structure-
independent setup and export of RSA contexts. Most notably, independent setup and export of RSA contexts. Most notably,
mbedtls_rsa_import and mbedtls_rsa_complete are introduced for setting mbedtls_rsa_import() and mbedtls_rsa_complete() are introduced for setting
up RSA contexts from partial key material and having them completed to the up RSA contexts from partial key material and having them completed to the
needs of the implementation automatically. This allows to setup private RSA needs of the implementation automatically. This allows to setup private RSA
contexts from keys consisting of N,D,E only, even if P,Q are needed for the contexts from keys consisting of N,D,E only, even if P,Q are needed for the
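Review bot: the new Features entry "Add mechanism to provide alternative implementation of the DHM module." is missing its articles ("Add a mechanism to provide an alternative implementation ...") and, unlike the ECJPAKE entry directly above it, does not name the configuration flag that enables the alternative implementation; since this commit is the language-and-technical-corrections pass, naming the flag here would keep the two entries parallel. In the unchanged context, "This allows to setup private RSA contexts" is not idiomatic English; "This allows private RSA contexts to be set up" (or "allows setting up") would fit the stated purpose of the commit.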
@ -91,7 +94,7 @@ API Changes
New deprecations New deprecations
* Deprecate usage of RSA primitives with non-matching key-type * Deprecate usage of RSA primitives with non-matching key-type
(e.g., signing with a public key). (e.g. signing with a public key).
* Direct manipulation of structure fields of RSA contexts is deprecated. * Direct manipulation of structure fields of RSA contexts is deprecated.
Users are advised to use the extended RSA API instead. Users are advised to use the extended RSA API instead.
* Deprecate usage of message digest functions that return void * Deprecate usage of message digest functions that return void
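Review bot: the only change in this hunk is dropping the comma in "(e.g., signing ...)" to "(e.g. signing ...)"; that is fine as a house-style choice, but please apply it consistently across the file rather than in one entry. While touching this block, "Direct manipulation of structure fields of RSA contexts is deprecated." is the one entry in the list not written in the imperative ("Deprecate ..."); "Deprecate direct manipulation of structure fields of RSA contexts." would match its neighbours.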
@ -104,8 +107,8 @@ New deprecations
* Deprecate hex string DHE constants MBEDTLS_DHM_RFC3526_MODP_2048_P etc. * Deprecate hex string DHE constants MBEDTLS_DHM_RFC3526_MODP_2048_P etc.
Supserseded by binary encoded constants MBEDTLS_DHM_RFC3526_MODP_2048_P_BIN Supserseded by binary encoded constants MBEDTLS_DHM_RFC3526_MODP_2048_P_BIN
etc. etc.
* Deprecate mbedtls_ssl_conf_dh_param for setting default DHE parameters * Deprecate mbedtls_ssl_conf_dh_param() for setting default DHE parameters
from hex strings. Superseded by mbedtls_ssl_conf_dh_param_bin from hex strings. Superseded by mbedtls_ssl_conf_dh_param_bin()
accepting DHM parameters in binary form, matching the new constants. accepting DHM parameters in binary form, matching the new constants.
Bugfix Bugfix
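Review bot: "Supserseded by binary encoded constants MBEDTLS_DHM_RFC3526_MODP_2048_P_BIN" still carries the typo "Supserseded" in both the old and the new text; since this commit exists to make language corrections, it should read "Superseded". The adjacent entry spells it correctly ("Superseded by mbedtls_ssl_conf_dh_param_bin()"), so only this line needs the change. The added parentheses on mbedtls_ssl_conf_dh_param() and mbedtls_ssl_conf_dh_param_bin() are good; the constant names MBEDTLS_DHM_RFC3526_MODP_2048_P and ..._P_BIN are macros, so they are correctly left without them.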
@ -141,11 +144,11 @@ Bugfix
* Don't print X.509 version tag for v1 CRT's, and omit extensions for * Don't print X.509 version tag for v1 CRT's, and omit extensions for
non-v3 CRT's. non-v3 CRT's.
* Fix bugs in RSA test suite under MBEDTLS_NO_PLATFORM_ENTROPY. #1023 #1024 * Fix bugs in RSA test suite under MBEDTLS_NO_PLATFORM_ENTROPY. #1023 #1024
* Fix net_would_block to avoid modification by errno through fcntl call. * Fix net_would_block() to avoid modification by errno through fcntl() call.
Found by nkolban. Fixes #845. Found by nkolban. Fixes #845.
* Fix handling of handshake messages in mbedtls_ssl_read in case * Fix handling of handshake messages in mbedtls_ssl_read() in case
MBEDTLS_SSL_RENEGOTIATION is disabled. Found by erja-gp. MBEDTLS_SSL_RENEGOTIATION is disabled. Found by erja-gp.
* Add a check for invalid private parameters in mbedtls_ecdsa_sign. * Add a check for invalid private parameters in mbedtls_ecdsa_sign().
Reported by Yolan Romailler. Reported by Yolan Romailler.
* Fix word size check in in pk.c to not depend on MBEDTLS_HAVE_INT64. * Fix word size check in in pk.c to not depend on MBEDTLS_HAVE_INT64.
* Fix incorrect unit in benchmark output. #850 * Fix incorrect unit in benchmark output. #850
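Review bot: "Fix word size check in in pk.c" has a duplicated "in" in both old and new text; it should be "Fix word size check in pk.c". The rewritten net_would_block() entry, "to avoid modification by errno through fcntl() call", inverts cause and effect: errno is what gets modified, and fcntl() is what modifies it, so "Fix net_would_block() so that the fcntl() call does not modify errno" states the fix correctly. In the unchanged context, "v1 CRT's" and "non-v3 CRT's" use a possessive apostrophe for a plural; "CRTs" is the correct form.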
@ -154,7 +157,7 @@ Bugfix
* Fix crash when calling mbedtls_ssl_cache_free() twice. Found by * Fix crash when calling mbedtls_ssl_cache_free() twice. Found by
MilenkoMitrovic, #1104 MilenkoMitrovic, #1104
* Fix mbedtls_timing_alarm(0) on Unix and MinGW. * Fix mbedtls_timing_alarm(0) on Unix and MinGW.
* Fix use of uninitialized memory in mbedtls_timing_get_timer when reset=1. * Fix use of uninitialized memory in mbedtls_timing_get_timer() when reset=1.
* Fix possible memory leaks in mbedtls_gcm_self_test(). * Fix possible memory leaks in mbedtls_gcm_self_test().
* Added missing return code checks in mbedtls_aes_self_test(). * Added missing return code checks in mbedtls_aes_self_test().
* Fix issues in RSA key generation program programs/x509/rsa_genkey and the * Fix issues in RSA key generation program programs/x509/rsa_genkey and the
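Review bot: "Added missing return code checks in mbedtls_aes_self_test()." is the one entry in this block in the past tense; every other Bugfix line is imperative ("Fix ..."), so "Add missing return code checks ..." would match. The rest of the hunk only adds parentheses to mbedtls_timing_get_timer(), which is consistent with the convention adopted elsewhere in this commit.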
@ -164,9 +167,10 @@ Bugfix
* Fix error message in programs/pkey/gen_key.c. Found and fixed by Chris Xue. * Fix error message in programs/pkey/gen_key.c. Found and fixed by Chris Xue.
* Fix programs/pkey/dh_server.c so that it actually works with dh_client.c. * Fix programs/pkey/dh_server.c so that it actually works with dh_client.c.
Found and fixed by Martijn de Milliano. Found and fixed by Martijn de Milliano.
* Fix bug in cipher decryption with MBEDTLS_PADDING_ONE_AND_ZEROS that * Fix an issue in the cipher decryption with the mode
sometimes accepted invalid padding. (Not used in TLS.) Found and fixed MBEDTLS_PADDING_ONE_AND_ZEROS that sometimes accepted invalid padding.
by Micha Kraus. Note, this padding mode is not used by the TLS protocol. Found and fixed by
Micha Kraus.
* Fix the entropy.c module to not call mbedtls_sha256_starts() or * Fix the entropy.c module to not call mbedtls_sha256_starts() or
mbedtls_sha512_starts() in the mbedtls_entropy_init() function. mbedtls_sha512_starts() in the mbedtls_entropy_init() function.
* Fix the entropy.c module to ensure that mbedtls_sha256_init() or * Fix the entropy.c module to ensure that mbedtls_sha256_init() or
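Review bot: the rewritten padding entry, "Fix an issue in the cipher decryption with the mode MBEDTLS_PADDING_ONE_AND_ZEROS that sometimes accepted invalid padding.", is less precise than the original "Fix bug in cipher decryption with MBEDTLS_PADDING_ONE_AND_ZEROS": "an issue" is vaguer than "a bug", and "the cipher decryption" needs no definite article. Suggest "Fix a bug in cipher decryption with the MBEDTLS_PADDING_ONE_AND_ZEROS padding mode that sometimes accepted invalid padding." The expanded note "this padding mode is not used by the TLS protocol" is a useful clarification over "(Not used in TLS.)" and should stay.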
@ -174,9 +178,11 @@ Bugfix
structure. Do not assume that zeroizing a context is a correct way to structure. Do not assume that zeroizing a context is a correct way to
reset it. Found independently by ccli8 on Github. reset it. Found independently by ccli8 on Github.
* In mbedtls_entropy_free(), properly free the message digest context. * In mbedtls_entropy_free(), properly free the message digest context.
* Fix status handshake status message in programs/ssl/dtls_client.c. Found
and fixed by muddog.
Changes Changes
* Extend cert_write example program by options to set the CRT version * Extend cert_write example program by options to set the certificate version
and the message digest. Further, allow enabling/disabling of authority and the message digest. Further, allow enabling/disabling of authority
identifier, subject identifier and basic constraints extensions. identifier, subject identifier and basic constraints extensions.
* Only check for necessary RSA structure fields in `mbedtls_rsa_private`. In * Only check for necessary RSA structure fields in `mbedtls_rsa_private`. In
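Review bot: the newly added entry "Fix status handshake status message in programs/ssl/dtls_client.c." repeats "status"; it should read "Fix handshake status message in programs/ssl/dtls_client.c." Note also that this line is a new ChangeLog entry rather than a correction of an existing one, which goes slightly beyond the "language and technical corrections" described in the commit message; worth a mention there. In the unchanged context, "Found independently by ccli8 on Github." spells the site as "Github" while the Security section in this same commit uses "GitHub"; please make the capitalisation consistent.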
@ -186,7 +192,6 @@ Changes
* Only run AES-192 self-test if AES-192 is available. Fixes #963. * Only run AES-192 self-test if AES-192 is available. Fixes #963.
* Tighten the RSA PKCS#1 v1.5 signature verification code and remove the * Tighten the RSA PKCS#1 v1.5 signature verification code and remove the
undeclared dependency of the RSA module on the ASN.1 module. undeclared dependency of the RSA module on the ASN.1 module.
* Add mechanism to provide alternative implementation of the DHM module.
* Update all internal usage of deprecated message digest functions to the * Update all internal usage of deprecated message digest functions to the
new ones with return codes. In particular, this modifies the new ones with return codes. In particular, this modifies the
mbedtls_md_info_t structure. Propagate errors from these functions mbedtls_md_info_t structure. Propagate errors from these functions
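Review bot: removing "Add mechanism to provide alternative implementation of the DHM module." from Changes is correct only because the same entry is re-added under Features earlier in this patch; since the two halves of the move live in different hunks, the commit message should say that the entry was moved to Features so a reader of this hunk alone does not take it for a dropped entry. Please also carry the article fix ("Add a mechanism to provide an alternative implementation ...") to the re-added copy so the moved line is not reintroduced with the same grammatical gap.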