yuzu/mbedtls
1
0
Fork 0
mirror of https://github.com/yuzu-emu/mbedtls.git synced 2025-06-04 13:28:20 +00:00
Code Issues Packages Projects Releases Wiki Activity

Add ChangeLog entry for previous security fix

Browse source 
Fixes #825
This commit is contained in:
Hanno Becker 2017-09-25 10:51:32 +01:00 committed by Manuel Pégourié-Gonnard
parent dc8751d31e
commit 89e7422a27
1 changed files with 16 additions and 10 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

26
ChangeLog
View file

@ -2,21 +2,17 @@ mbed TLS ChangeLog (Sorted per branch, date)
= mbed TLS 2.1.11 branch released xxxx-xx-xx = mbed TLS 2.1.11 branch released xxxx-xx-xx
Default behavior changes
* The truncated HMAC extension now conforms to RFC 6066. This means
that when both sides of a TLS connection negotiate the truncated
HMAC extension, Mbed TLS can now interoperate with other
compliant implementations, but this breaks interoperability with
prior versions of Mbed TLS. To restore the old behavior, enable
the (deprecated) option MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT in
config.h. Found by Andreas Walz (ivESK, Offenburg University of
Applied Sciences).
Security Security
* Fix implementation of the truncated HMAC extension. The previous * Fix implementation of the truncated HMAC extension. The previous
implementation allowed an offline 2^80 brute force attack on the implementation allowed an offline 2^80 brute force attack on the
HMAC key of a single, uninterrupted connection (with no HMAC key of a single, uninterrupted connection (with no
resumption of the session). resumption of the session).
* Fix a bug in the X.509 module potentially leading to a buffer overread
during CRT verification or to invalid or omitted checks for certificate
validity. The former can be triggered remotely, while the latter requires
a non DER-compliant certificate correctly signed by a trusted CA, or a
trusted CA with a non DER-compliant certificate. Found by luocm on GitHub.
Fixes #825.
Bugfix Bugfix
* Fix assembly sequences in bn_mul.h and aesni.c to avoid segmentation * Fix assembly sequences in bn_mul.h and aesni.c to avoid segmentation
@ -29,6 +25,16 @@ Bugfix
daniel in the Mbed TLS forum. #1351 daniel in the Mbed TLS forum. #1351
* Fix Windows x64 builds with the included mbedTLS.sln file. #1347 * Fix Windows x64 builds with the included mbedTLS.sln file. #1347
Default behavior changes
* The truncated HMAC extension now conforms to RFC 6066. This means
that when both sides of a TLS connection negotiate the truncated
HMAC extension, Mbed TLS can now interoperate with other
compliant implementations, but this breaks interoperability with
prior versions of Mbed TLS. To restore the old behavior, enable
the (deprecated) option MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT in
config.h. Found by Andreas Walz (ivESK, Offenburg University of
Applied Sciences).
= mbed TLS 2.1.10 branch released 2018-02-03 = mbed TLS 2.1.10 branch released 2018-02-03
Security Security