Clarify ChangeLog old versions and param validations

Clarified and made more coherent the parameter validation feature, its scope
and what has changed. Added version 2.14.1 to the history which was released on
a branch.
Simon Butcher 2018-12-20 16:17:02 +00:00
parent b6cdf980bc
commit e046053ba1


@ -2,26 +2,6 @@ mbed TLS ChangeLog (Sorted per branch, date)
= mbed TLS 2.xx.x branch released xxxx-xx-xx = mbed TLS 2.xx.x branch released xxxx-xx-xx
Security
* Fix timing variations and memory access variations in RSA PKCS#1 v1.5
decryption that could lead to a Bleichenbacher-style padding oracle
attack. In TLS, this affects servers that accept ciphersuites based on
RSA decryption (i.e. ciphersuites whose name contains RSA but not
(EC)DH(E)). Discovered by Eyal Ronen (Weizmann Institute), Robert Gillham
(University of Adelaide), Daniel Genkin (University of Michigan),
Adi Shamir (Weizmann Institute), David Wong (NCC Group), and Yuval Yarom
(University of Adelaide, Data61). The attack is described in more detail
in the paper available here: http://cat.eyalro.net/cat.pdf CVE-2018-19608
* In mbedtls_mpi_write_binary(), don't leak the exact size of the number
via branching and memory access patterns. An attacker who could submit
a plaintext for RSA PKCS#1 v1.5 decryption but only observe the timing
of the decryption and not its result could nonetheless decrypt RSA
plaintexts and forge RSA signatures. Other asymmetric algorithms may
have been similarly vulnerable. Reported by Eyal Ronen, Robert Gillham,
Daniel Genkin, Adi Shamir, David Wong and Yuval Yarom.
* Wipe sensitive buffers on the stack in the CTR_DRBG and HMAC_DRBG
modules.
Features Features
* Add a new config.h option of MBEDTLS_CHECK_PARAMS that enables validation * Add a new config.h option of MBEDTLS_CHECK_PARAMS that enables validation
of parameters in the API. This allows detection of obvious misuses of the of parameters in the API. This allows detection of obvious misuses of the
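Review bot: dropping the three Security entries (the CVE-2018-19608 Bleichenbacher-style padding oracle fix, the mbedtls_mpi_write_binary() size leak, and the CTR_DRBG/HMAC_DRBG stack wiping) from the unreleased 2.xx.x section is only right if they are reinstated word for word under the 2.14.1 header added later in this patch; please compare the two blocks mechanically rather than by eye, since the CVE identifier and the http://cat.eyalro.net/cat.pdf reference are the lines most likely to drift during a copy. It would also help readers of the development branch to add a one-line pointer that these fixes are inherited from 2.14.1, because after this removal a search for the CVE in the 2.xx.x section comes up empty.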
@ -41,22 +21,19 @@ API Changes
mbedtls_ctr_drbg_update() -> mbedtls_ctr_drbg_update_ret() mbedtls_ctr_drbg_update() -> mbedtls_ctr_drbg_update_ret()
mbedtls_hmac_drbg_update() -> mbedtls_hmac_drbg_update_ret() mbedtls_hmac_drbg_update() -> mbedtls_hmac_drbg_update_ret()
* Extend ECDH interface to enable alternative implementations. * Extend ECDH interface to enable alternative implementations.
* Deprecate the ARIA error MBEDTLS_ERR_ARIA_INVALID_KEY_LENGTH * Deprecate error codes of the form MBEDTLS_ERR_xxx_INVALID_KEY_LENGTH for
in favour of a new generic error MBEDTLS_ERR_ARIA_BAD_INPUT_DATA. ARIA, CAMELLIA and Blowfish. These error codes will be replaced by
* Deprecate the CAMELLIA error MBEDTLS_ERR_CAMELLIA_INVALID_KEY_LENGTH the more generic per-module error codes MBEDTLS_ERR_xxx_BAD_INPUT_DATA.
in favour a new generic error MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA. * Additional parameter validation checks have been added for the following
* Deprecate the Blowfish error MBEDTLS_ERR_BLOWFISH_INVALID_KEY_LENGTH modules - AES, ARIA, Blowfish, CAMELLIA, CCM, GCM, DHM, ECP, ECDSA, ECDH,
in favour of a new generic error MBEDTLS_ERR_BLOWFISH_BAD_INPUT_DATA. ECJPAKE, SHA, Chacha20 and Poly1305, cipher, pk, RSA, and MPI.
* Add validation checks for input parameters to functions in the CCM module. Where modules have had parameter validation added, existing parameter
* Add validation checks for input parameters to functions in the GCM module. checks may have changed. Some modules, such as Chacha20 had existing
* Add validation checks for input parameters to functions in the SHA-1 parameter validation whereas other modules had little. This has now been
module. changed so that the same level of validation is present in all modules, and
* Add validation checks for input parameters to functions in the SHA-256 that it is now optional with the MBEDTLS_CHECK_PARAMS flag which by default
module. is off. That means that checks which were previously present by default
* Add validation checks for input parameters to functions in the SHA-512 will no longer be.
module.
* Add validation checks for input parameters to functions in the Cipher
module.
New deprecations New deprecations
* Deprecate mbedtls_ctr_drbg_update and mbedtls_hmac_drbg_update * Deprecate mbedtls_ctr_drbg_update and mbedtls_hmac_drbg_update
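Review bot: the final sentence of the new parameter-validation entry ("checks which were previously present by default will no longer be") describes a behavioural regression for callers that relied on the unconditional checks modules such as Chacha20 used to perform, yet it sits at the tail of an API Changes bullet where it is easy to miss; lead with it, for example "Modules that previously validated parameters unconditionally now only do so when MBEDTLS_CHECK_PARAMS is enabled; it is off by default", and state what an invalid argument does when the option is off so integrators can judge whether they must enable it. Two smaller points: a comma is missing after "Chacha20" in "Some modules, such as Chacha20 had existing parameter validation", and the module list says only "SHA" where the removed bullets named SHA-1, SHA-256 and SHA-512 separately, so spell out all three if all three are covered.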
@ -80,6 +57,35 @@ Bugfix
* Clarify documentation of mbedtls_ssl_set_own_cert() regarding the absence * Clarify documentation of mbedtls_ssl_set_own_cert() regarding the absence
of check for certificate/key matching. Reported by Attila Molnar, #507. of check for certificate/key matching. Reported by Attila Molnar, #507.
= mbed TLS 2.14.1 branch released 2018-11-30
Security
* Fix timing variations and memory access variations in RSA PKCS#1 v1.5
decryption that could lead to a Bleichenbacher-style padding oracle
attack. In TLS, this affects servers that accept ciphersuites based on
RSA decryption (i.e. ciphersuites whose name contains RSA but not
(EC)DH(E)). Discovered by Eyal Ronen (Weizmann Institute), Robert Gillham
(University of Adelaide), Daniel Genkin (University of Michigan),
Adi Shamir (Weizmann Institute), David Wong (NCC Group), and Yuval Yarom
(University of Adelaide, Data61). The attack is described in more detail
in the paper available here: http://cat.eyalro.net/cat.pdf CVE-2018-19608
* In mbedtls_mpi_write_binary(), don't leak the exact size of the number
via branching and memory access patterns. An attacker who could submit
a plaintext for RSA PKCS#1 v1.5 decryption but only observe the timing
of the decryption and not its result could nonetheless decrypt RSA
plaintexts and forge RSA signatures. Other asymmetric algorithms may
have been similarly vulnerable. Reported by Eyal Ronen, Robert Gillham,
Daniel Genkin, Adi Shamir, David Wong and Yuval Yarom.
* Wipe sensitive buffers on the stack in the CTR_DRBG and HMAC_DRBG
modules.
API Changes
* The new functions mbedtls_ctr_drbg_update_ret() and
mbedtls_hmac_drbg_update_ret() are similar to mbedtls_ctr_drbg_update()
and mbedtls_hmac_drbg_update() respectively, but the new functions
report errors whereas the old functions return void. We recommend that
applications use the new functions.
= mbed TLS 2.14.0 branch released 2018-11-19 = mbed TLS 2.14.0 branch released 2018-11-19
Security Security
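Review bot: the new 2.14.1 section credits mbedtls_ctr_drbg_update_ret() and mbedtls_hmac_drbg_update_ret() to 2.14.1 under API Changes, while the unreleased 2.xx.x section in the second hunk still lists the same rename under API Changes ("mbedtls_ctr_drbg_update() -> mbedtls_ctr_drbg_update_ret()") and again under New deprecations; if the development branch inherits the new functions from 2.14.1, the 2.xx.x API Changes line should be removed or reworded so the additions are not attributed to two releases, leaving only the deprecation of the void-returning originals there. The Security text itself matches what the first hunk removed, so the CVE-2018-19608 entry now lives in exactly one place, which is the intended outcome.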