yuzu/mbedtls
1
0
Fork 0
mirror of https://github.com/yuzu-emu/mbedtls.git synced 2025-01-06 13:45:38 +00:00
Code Issues Packages Projects Releases Wiki Activity

Add ChangeLog entry for previous security fix

Browse source 
Fixes #825
This commit is contained in:
Hanno Becker 2017-09-25 10:46:20 +01:00 committed by Manuel Pégourié-Gonnard
parent 05e464dff7
commit 7deee20cd2
1 changed files with 17 additions and 11 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

28
ChangeLog
View file

@ -1,22 +1,18 @@
mbed TLS ChangeLog (Sorted per branch, date) mbed TLS ChangeLog (Sorted per branch, date)
= mbed TLS 2.7.x branch released 2018-xx-xx = mbed TLS x.x.x branch released xxxx-xx-xx
Default behavior changes
* The truncated HMAC extension now conforms to RFC 6066. This means
that when both sides of a TLS connection negotiate the truncated
HMAC extension, Mbed TLS can now interoperate with other
compliant implementations, but this breaks interoperability with
prior versions of Mbed TLS. To restore the old behavior, enable
the (deprecated) option MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT in
config.h. Found by Andreas Walz (ivESK, Offenburg University of
Applied Sciences).
Security Security
* Fix implementation of the truncated HMAC extension. The previous * Fix implementation of the truncated HMAC extension. The previous
implementation allowed an offline 2^80 brute force attack on the implementation allowed an offline 2^80 brute force attack on the
HMAC key of a single, uninterrupted connection (with no HMAC key of a single, uninterrupted connection (with no
resumption of the session). resumption of the session).
* Fix a bug in the X.509 module potentially leading to a buffer overread
during CRT verification or to invalid or omitted checks for certificate
validity. The former can be triggered remotely, while the latter requires
a non DER-compliant certificate correctly signed by a trusted CA, or a
trusted CA with a non DER-compliant certificate. Found by luocm on GitHub.
Fixes #825.
Features Features
* Extend PKCS#8 interface by introducing support for the entire SHA * Extend PKCS#8 interface by introducing support for the entire SHA
@ -44,6 +40,16 @@ Changes
* MD functions deprecated in 2.7.0 are no longer inline, to provide * MD functions deprecated in 2.7.0 are no longer inline, to provide
a migration path for those depending on the library's ABI. a migration path for those depending on the library's ABI.
Default behavior changes
* The truncated HMAC extension now conforms to RFC 6066. This means
that when both sides of a TLS connection negotiate the truncated
HMAC extension, Mbed TLS can now interoperate with other
compliant implementations, but this breaks interoperability with
prior versions of Mbed TLS. To restore the old behavior, enable
the (deprecated) option MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT in
config.h. Found by Andreas Walz (ivESK, Offenburg University of
Applied Sciences).
= mbed TLS 2.7.0 branch released 2018-02-03 = mbed TLS 2.7.0 branch released 2018-02-03
Security Security