11mbed TLS ChangeLog (Sorted per branch, date)
22
3- = mbed TLS 2.xx .x branch released xxxx-xx-xx
3+ = mbed TLS 2.x .x branch released xxxx-xx-xx
44
5- Changes
6- * Add unit tests for AES-GCM when called through mbedtls_cipher_auth_xxx()
7- from the cipher abstraction layer. Fixes #2198.
5+ Bugfix
6+ * Fix a compilation issue with mbedtls_ecp_restart_ctx not being defined
7+ when MBEDTLS_ECP_ALT is defined. Reported by jwhui. Fixes #2242.
8+ * Run the AD too long test only if MBEDTLS_CCM_ALT is not defined.
9+ Raised as a comment in #1996.
10+ * Reduce the stack consumption of mbedtls_mpi_fill_random() which could
11+ previously lead to a stack overflow on constrained targets.
12+ * Add `MBEDTLS_SELF_TEST` for the mbedtls_self_test functions
13+ in the header files, which missed the precompilation check. #971
14+ * Fix returning the value 1 when mbedtls_ecdsa_genkey failed.
15+ * Remove a duplicate #include in a sample program. Fixed by Masashi Honma #2326.
16+ * Remove the mbedtls namespacing from the header file, to fix a "file not found"
17+ build error. Fixed by Haijun Gu #2319.
18+ * Fix signed-to-unsigned integer conversion warning
19+ in X.509 module. Fixes #2212.
20+ * Reduce stack usage of `mpi_write_hlp()` by eliminating recursion.
21+ Fixes #2190.
822
9- = mbed TLS 2.14.0+01b34fb316a5 branch released xxxx-xx-xx
23+ Changes
24+ * Include configuration file in all header files that use configuration,
25+ instead of relying on other header files that they include.
26+ Inserted as an enhancement for #1371
27+ * Add support for alternative CSR headers, as used by Microsoft and defined
28+ in RFC 7468. Found by Michael Ernst. Fixes #767.
29+ * Correct many misspellings. Fixed by MisterDA #2371.
30+ * Provide an abstraction of vsnprintf to allow alternative implementations
31+ for platforms that don't provide it. Based on contributions by Joris Aerts
32+ and Nathaniel Wesley Filardo.
33+ * Fix clobber list in MIPS assembly for large integer multiplication.
34+ Previously, this could lead to functionally incorrect assembly being
35+ produced by some optimizing compilers, showing up as failures in
36+ e.g. RSA or ECC signature operations. Reported in #1722, fix suggested
37+ by Aurelien Jarno and submitted by Jeffrey Martin.
38+
39+ = mbed TLS 2.16.0 branch released 2018-12-21
1040
11- Security
12- * Fix timing variations and memory access variations in RSA PKCS#1 v1.5
13- decryption that could lead to a Bleichenbacher-style padding oracle
14- attack. In TLS, this affects servers that accept ciphersuites based on
15- RSA decryption (i.e. ciphersuites whose name contains RSA but not
16- (EC)DH(E)). Discovered by Eyal Ronen (Weizmann Institute), Robert Gillham
17- (University of Adelaide), Daniel Genkin (University of Michigan),
18- Adi Shamir (Weizmann Institute), David Wong (NCC Group), and Yuval Yarom
19- (University of Adelaide, Data61). The attack is described in more detail
20- in the paper available here: http://cat.eyalro.net/cat.pdf CVE-2018-19608
21- * In mbedtls_mpi_write_binary(), don't leak the exact size of the number
22- via branching and memory access patterns. An attacker who could submit
23- a plaintext for RSA PKCS#1 v1.5 decryption but only observe the timing
24- of the decryption and not its result could nonetheless decrypt RSA
25- plaintexts and forge RSA signatures. Other asymmetric algorithms may
26- have been similarly vulnerable. Reported by Eyal Ronen, Robert Gillham,
27- Daniel Genkin, Adi Shamir, David Wong and Yuval Yarom.
28- * Wipe sensitive buffers on the stack in the CTR_DRBG and HMAC_DRBG
29- modules.
41+ Features
42+ * Add a new config.h option of MBEDTLS_CHECK_PARAMS that enables validation
43+ of parameters in the API. This allows detection of obvious misuses of the
44+ API, such as passing NULL pointers. The API of existing functions hasn't
45+ changed, but requirements on parameters have been made more explicit in
46+ the documentation. See the corresponding API documentation for each
47+ function to see for which parameter values it is defined. This feature is
48+ disabled by default. See its API documentation in config.h for additional
49+ steps you have to take when enabling it.
3050
3151API Changes
3252 * The following functions in the random generator modules have been
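Review bot: the new Bugfix entries in the unreleased section are uneven in what they identify: "Remove the mbedtls namespacing from the header file" does not say which header file, and "Fix returning the value 1 when mbedtls_ecdsa_genkey failed" carries no issue reference and does not say which error code is returned instead. The new branch header also reads `= mbed TLS 2.x .x branch released xxxx-xx-xx` with a space inside the version placeholder. Suggest naming the header in the first entry, giving the second the `Fixes #NNNN` form the neighbouring entries use (NNNN being the real issue number), and writing the placeholder as `2.x.x`.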
@@ -37,6 +57,19 @@ API Changes
3757 mbedtls_ctr_drbg_update() -> mbedtls_ctr_drbg_update_ret()
3858 mbedtls_hmac_drbg_update() -> mbedtls_hmac_drbg_update_ret()
3959 * Extend ECDH interface to enable alternative implementations.
60+ * Deprecate error codes of the form MBEDTLS_ERR_xxx_INVALID_KEY_LENGTH for
61+ ARIA, CAMELLIA and Blowfish. These error codes will be replaced by
62+ the more generic per-module error codes MBEDTLS_ERR_xxx_BAD_INPUT_DATA.
63+ * Additional parameter validation checks have been added for the following
64+ modules - AES, ARIA, Blowfish, CAMELLIA, CCM, GCM, DHM, ECP, ECDSA, ECDH,
65+ ECJPAKE, SHA, Chacha20 and Poly1305, cipher, pk, RSA, and MPI.
66+ Where modules have had parameter validation added, existing parameter
67+ checks may have changed. Some modules, such as Chacha20 had existing
68+ parameter validation whereas other modules had little. This has now been
69+ changed so that the same level of validation is present in all modules, and
70+ that it is now optional with the MBEDTLS_CHECK_PARAMS flag which by default
71+ is off. That means that checks which were previously present by default
72+ will no longer be.
4073
4174New deprecations
4275 * Deprecate mbedtls_ctr_drbg_update and mbedtls_hmac_drbg_update
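Review bot: the closing sentence of the parameter-validation entry ("checks which were previously present by default will no longer be") describes a behaviour change that can weaken existing callers, since modules such as Chacha20 lose checks they had unless MBEDTLS_CHECK_PARAMS is defined, yet it sits at the end of a long "API Changes" paragraph. Suggest moving that sentence to the start of the entry and stating plainly that applications which relied on the previous default checks must now enable MBEDTLS_CHECK_PARAMS. Minor: "for the following modules - AES, ..." reads better with a colon after "modules".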
@@ -57,6 +90,55 @@ Bugfix
5790 on some toolchains. Reported by phoenixmcallister. Fixes #2170.
5891 * Fix double initialization of ECC hardware that made some accelerators
5992 hang.
93+ * Clarify documentation of mbedtls_ssl_set_own_cert() regarding the absence
94+ of check for certificate/key matching. Reported by Attila Molnar, #507.
95+
96+ = mbed TLS 2.15.1 branch released 2018-11-30
97+
98+ Changes
99+ * Update the Mbed Crypto submodule to version 0.1.0b2.
100+
101+ = mbed TLS 2.15.0 branch released 2018-11-23
102+
103+ Features
104+ * Add an experimental build option, USE_CRYPTO_SUBMODULE, to enable use of
105+ Mbed Crypto as the source of the cryptography implementation.
106+ * Add an experimental configuration option, MBEDTLS_PSA_CRYPTO_C, to enable
107+ the PSA Crypto API from Mbed Crypto when additionally used with the
108+ USE_CRYPTO_SUBMODULE build option.
109+
110+ Changes
111+ * Add unit tests for AES-GCM when called through mbedtls_cipher_auth_xxx()
112+ from the cipher abstraction layer. Fixes #2198.
113+
114+ = mbed TLS 2.14.1 branch released 2018-11-30
115+
116+ Security
117+ * Fix timing variations and memory access variations in RSA PKCS#1 v1.5
118+ decryption that could lead to a Bleichenbacher-style padding oracle
119+ attack. In TLS, this affects servers that accept ciphersuites based on
120+ RSA decryption (i.e. ciphersuites whose name contains RSA but not
121+ (EC)DH(E)). Discovered by Eyal Ronen (Weizmann Institute), Robert Gillham
122+ (University of Adelaide), Daniel Genkin (University of Michigan),
123+ Adi Shamir (Weizmann Institute), David Wong (NCC Group), and Yuval Yarom
124+ (University of Adelaide, Data61). The attack is described in more detail
125+ in the paper available here: http://cat.eyalro.net/cat.pdf CVE-2018-19608
126+ * In mbedtls_mpi_write_binary(), don't leak the exact size of the number
127+ via branching and memory access patterns. An attacker who could submit
128+ a plaintext for RSA PKCS#1 v1.5 decryption but only observe the timing
129+ of the decryption and not its result could nonetheless decrypt RSA
130+ plaintexts and forge RSA signatures. Other asymmetric algorithms may
131+ have been similarly vulnerable. Reported by Eyal Ronen, Robert Gillham,
132+ Daniel Genkin, Adi Shamir, David Wong and Yuval Yarom.
133+ * Wipe sensitive buffers on the stack in the CTR_DRBG and HMAC_DRBG
134+ modules.
135+
136+ API Changes
137+ * The new functions mbedtls_ctr_drbg_update_ret() and
138+ mbedtls_hmac_drbg_update_ret() are similar to mbedtls_ctr_drbg_update()
139+ and mbedtls_hmac_drbg_update() respectively, but the new functions
140+ report errors whereas the old functions return void. We recommend that
141+ applications use the new functions.
60142
61143= mbed TLS 2.14.0 branch released 2018-11-19
62144
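Review bot: the mbedtls_ssl_set_own_cert() entry ends with "Reported by Attila Molnar, #507" while the surrounding entries use the "Reported by X. Fixes #NNNN." form; suggest "Reported by Attila Molnar. Fixes #507." for consistency. The 2.15.0 Features entries also introduce USE_CRYPTO_SUBMODULE as an "experimental build option" without saying where it is set; a short pointer to how the option is passed to the build would help readers of the ChangeLog.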
@@ -281,7 +363,7 @@ Security
281363 1.2, that allowed a local attacker, able to execute code on the local
282364 machine as well as manipulate network packets, to partially recover the
283365 plaintext of messages under some conditions by using a cache attack
284- targetting an internal MD/SHA buffer. With TLS or if
366+ targeting an internal MD/SHA buffer. With TLS or if
285367 mbedtls_ssl_conf_dtls_badmac_limit() was used, the attack only worked if
286368 the same secret (for example a HTTP Cookie) has been repeatedly sent over
287369 connections manipulated by the attacker. Connections using GCM or CCM
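Review bot: while "targetting" is corrected here, the unchanged context line "the same secret (for example a HTTP Cookie) has been repeatedly sent" could take the same treatment in this commit: "an HTTP cookie".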
@@ -1167,7 +1249,7 @@ Bugfix
11671249 * Fix potential build failures related to the 'apidoc' target, introduced
11681250 in the previous patch release. Found by Robert Scheck. #390 #391
11691251 * Fix issue in Makefile that prevented building using armar. #386
1170- * Fix memory leak that occured only when ECJPAKE was enabled and ECDHE and
1252+ * Fix memory leak that occurred only when ECJPAKE was enabled and ECDHE and
11711253 ECDSA was disabled in config.h . The leak didn't occur by default.
11721254 * Fix an issue that caused valid certificates to be rejected whenever an
11731255 expired or not yet valid certificate was parsed before a valid certificate
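Review bot: the context line right after the corrected one, "ECDSA was disabled in config.h .", has a stray space before the full stop; suggest fixing it in the same commit since this entry is already being edited.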
@@ -1409,7 +1491,7 @@ API Changes
14091491 You now need to link to all of them if you use TLS for example.
14101492 * All public identifiers moved to the mbedtls_* or MBEDTLS_* namespace.
14111493 Some names have been further changed to make them more consistent.
1412- Migration helpers scripts/rename.pl and include/mbedlts /compat-1.3.h are
1494+ Migration helpers scripts/rename.pl and include/mbedtls /compat-1.3.h are
14131495 provided. Full list of renamings in scripts/data_files/rename-1.3-2.0.txt
14141496 * Renamings of fields inside structures, not covered by the previous list:
14151497 mbedtls_cipher_info_t.key_length -> key_bitlen
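Review bot: the fix changes "mbedlts" to "mbedtls", but the corrected line still reads `include/mbedtls /compat-1.3.h` with a space before the slash, so the migration helper path is still not valid as written; it should read `include/mbedtls/compat-1.3.h`.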
@@ -1464,7 +1546,7 @@ API Changes
14641546 * net_accept() gained new arguments for the size of the client_ip buffer.
14651547 * In the threading layer, mbedtls_mutex_init() and mbedtls_mutex_free() now
14661548 return void.
1467- * ecdsa_write_signature() gained an addtional md_alg argument and
1549+ * ecdsa_write_signature() gained an additional md_alg argument and
14681550 ecdsa_write_signature_det() was deprecated.
14691551 * pk_sign() no longer accepts md_alg == POLARSSL_MD_NONE with ECDSA.
14701552 * Last argument of x509_crt_check_key_usage() and
@@ -2999,7 +3081,7 @@ XySSL ChangeLog
29993081 not swapped on PadLock; also fixed compilation on older versions
30003082 of gcc (bug reported by David Barrett)
30013083 * Correctly handle the case in padlock_xcryptcbc() when input or
3002- ouput data is non-aligned by falling back to the software
3084+ output data is non-aligned by falling back to the software
30033085 implementation, as VIA Nehemiah cannot handle non-aligned buffers
30043086 * Fixed a memory leak in x509parse_crt() which was reported by Greg
30053087 Robson-Garth; some x509write.c fixes by Pascal Vizeli, thanks to