mirror of
https://github.com/yuzu-emu/mbedtls.git
synced 2024-12-22 19:05:32 +00:00
Refine the language in the ChangeLog
Fix the language and descriptions in the ChangeLog following review of the Release Notes for the next release.
This commit is contained in:
parent
681edee803
commit
b35e59d36d
29
ChangeLog
29
ChangeLog
|
@ -4,16 +4,16 @@ mbed TLS ChangeLog (Sorted per branch, date)
|
|||
|
||||
Security
|
||||
* Fix overly strict DN comparison when looking for CRLs belonging to a
|
||||
particular CA. This previously lead to ignoring CRLs when the CRL's issuer
|
||||
particular CA. This previously led to ignoring CRLs when the CRL's issuer
|
||||
name and the CA's subject name differed in their string encoding (e.g.,
|
||||
one using PrintableString and the other UTF8String) or in the choice of
|
||||
upper and lower case. Reported by Henrik Andersson of Bosch GmbH in issue
|
||||
#1784.
|
||||
* Fix a flawed bounds check in server PSK hint parsing. In case the
|
||||
incoming message buffer was placed within the first 64KB of address
|
||||
incoming message buffer was placed within the first 64KiB of address
|
||||
space and a PSK-(EC)DHE ciphersuite was used, this allowed an attacker
|
||||
to trigger a memory access up to 64KB beyond the incoming message buffer,
|
||||
potentially leading to application crash or information disclosure.
|
||||
to trigger a memory access up to 64KiB beyond the incoming message buffer,
|
||||
potentially leading to an application crash or information disclosure.
|
||||
* Fix mbedtls_mpi_is_prime() to use more rounds of probabilistic testing. The
|
||||
previous settings for the number of rounds made it practical for an
|
||||
adversary to construct non-primes that would be erroneously accepted as
|
||||
|
@ -28,11 +28,11 @@ Security
|
|||
|
||||
Features
|
||||
* Add support for temporarily suspending expensive ECC computations after
|
||||
some configurable amount of operations, to be used in single-threaded
|
||||
constrained systems where ECC is time consuming and blocking until
|
||||
completion cannot be tolerated. This is enabled by
|
||||
MBEDTLS_ECP_RESTARTABLE at compile time (disabled by default) and
|
||||
configured by mbedtls_ecp_set_max_ops() at runtime. It applies to new
|
||||
some configurable amount of operations. This is intended to be used in
|
||||
constrained, single-threaded systems where ECC is time consuming and can
|
||||
block other operations until they complete. This is disabled by default,
|
||||
but can be enabled by MBEDTLS_ECP_RESTARTABLE at compile time and
|
||||
configured by mbedtls_ecp_set_max_ops() at runtime. It applies to the new
|
||||
xxx_restartable functions in ECP, ECDSA, PK and X.509 (CRL not supported
|
||||
yet), and to existing functions in ECDH and SSL (currently only
|
||||
implemented client-side, for ECDHE-ECDSA ciphersuites in TLS 1.2,
|
||||
|
@ -41,12 +41,11 @@ Features
|
|||
operations. On CPUs where the extensions are available, they can accelerate
|
||||
MPI multiplications used in ECC and RSA cryptography. Contributed by
|
||||
Aurelien Jarno.
|
||||
* Extend RSASSA-PSS signature to allow slightly a smaller salt size.
|
||||
Previously, PSS signature always used a salt with the same length as the
|
||||
hash, and returned an error if this was not possible. Now the salt size
|
||||
may be up to two bytes shorter. This allows the library to support all
|
||||
hash and signature sizes that comply with FIPS 186-4, including SHA-512
|
||||
with a 1024-bit key.
|
||||
* Extend RSASSA-PSS signature to allow a smaller salt size. Previously, PSS
|
||||
signature always used a salt with the same length as the hash, and returned
|
||||
an error if this was not possible. Now the salt size may be up to two bytes
|
||||
shorter. This allows the library to support all hash and signature sizes
|
||||
that comply with FIPS 186-4, including SHA-512 with a 1024-bit key.
|
||||
* Add support for 128-bit keys in CTR_DRBG. Note that using keys shorter
|
||||
than 256 bits limits the security of generated material to 128 bits.
|
||||
|
||||
|
|
Loading…
Reference in a new issue