Changelog: Add entry for prime validation fix

2025-01-22 20:31:14 +00:00 · 2018-09-06 10:40:04 +01:00 · 2018-09-06 10:40:04 +01:00 · 8d3fb2e167
parent 0b74161502
commit 8d3fb2e167
1 changed files with 13 additions and 0 deletions
--- a/13
+++ b/13
@ -14,6 +14,19 @@ Changes
     test the handling of large packets and small packets on the client side
     in the same way as on the server side.

+Security
+   * Fix mbedtls_mpi_is_prime() to use more rounds of probabilistic testing. The
+     previous settings for the number of rounds made it practical for an
+     adversary to construct non-primes that would be erroneously accepted as
+     primes with high probability. This does not have an impact on the
+     security of TLS, but can matter in other contexts with potentially
+     adversarially-chosen numbers that should be prime and can be validated.
+     For example, the number of rounds was enough to securely generate RSA key
+     pairs or Diffie-Hellman parameters, but was insufficient to validate
+     Diffie-Hellman parameters properly.
+     See "Prime and Prejudice" by by Martin R. Albrecht and Jake Massimo and
+     Kenneth G. Paterson and Juraj Somorovsky.
+
 = mbed TLS 2.7.6 branch released 2018-08-31

 Security