yuzu/mbedtls
1
0
Fork 0
mirror of https://github.com/yuzu-emu/mbedtls.git synced 2024-10-18 10:21:06 +00:00
Code Issues Packages Projects Releases Wiki Activity

Fixes running order of sections in Changelog

Browse source
This commit is contained in:
Simon Butcher 2017-07-27 15:11:52 +01:00
parent 5deb518d05
commit f85c90a61d
1 changed files with 14 additions and 16 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

30
ChangeLog
View file

@ -2,6 +2,14 @@ mbed TLS ChangeLog (Sorted per branch, date)
= mbed TLS x.x.x branch released xxxx-xx-xx
Security
* Fix authentication bypass in SSL/TLS: when auth_mode is set to optional,
mbedtls_ssl_get_verify_result() would incorrectly return 0 when the peer's
X.509 certificate chain had more than MBEDTLS_X509_MAX_INTERMEDIATE_CA
(default: 8) intermediates, even when it was not trusted. Could be
triggered remotely on both sides. (With auth_mode set to required
(default), the handshake was correctly aborted.)
Features
* Add the functions mbedtls_platform_setup() and mbedtls_platform_teardown()
and the context struct mbedtls_platform_context to perform
@ -16,6 +24,12 @@ API Changes
qualifier from the functions mbedtls_aes_decrypt, mbedtls_aes_encrypt,
mbedtls_ssl_ciphersuite_uses_ec and mbedtls_ssl_ciphersuite_uses_psk. #978
Found by James Cowgill.
* Certificate verification functions now set flags to -1 in case the full
chain was not verified due to an internal error (including in the verify
callback) or chain length limitations.
* With authmode set to optional, handshake is now aborted if the
verification of the peer's certificate failed due to an overlong chain or
a fatal error in the vrfy callback.
Bugfix
* Add a check if iv_len is zero, and return an error if it is zero. reported
@ -42,22 +56,6 @@ Bugfix
encoded X509 certificates. The overflow would enable maliciously
constructed certificates to bypass the certificate verification check.
Security
* Fix authentication bypass in SSL/TLS: when auth_mode is set to optional,
mbedtls_ssl_get_verify_result() would incorrectly return 0 when the peer's
X.509 certificate chain had more than MBEDTLS_X509_MAX_INTERMEDIATE_CA
(default: 8) intermediates, even when it was not trusted. Could be
triggered remotely on both sides. (With auth_mode set to required
(default), the handshake was correctly aborted.)
API changes
* Certificate verification functions now set flags to -1 in case the full
chain was not verified due to an internal error (including in the verify
callback) or chain length limitations.
* With authmode set to optional, handshake is now aborted if the
verification of the peer's certificate failed due to an overlong chain or
a fatal error in the vrfy callback.
Changes
* Added config.h option MBEDTLS_NO_UDBL_DIVISION, to prevent the use of
64-bit division. #708