Merge remote-tracking branch 'upstream-restricted/pr/454' into mbedtls-1.3-restricted

This commit is contained in:
Jaeden Amero 2018-02-05 08:54:08 +00:00
commit 2774c6746c


@ -1,39 +1,40 @@
mbed TLS ChangeLog (Sorted per branch, date) mbed TLS ChangeLog (Sorted per branch, date)
= mbed TLS 1.3.22 branch released 2017-xx-xx = mbed TLS 1.3.22 branch released 2018-02-03
Security Security
* Fix heap corruption in implementation of truncated HMAC extension. * Fix a heap corruption issue in the implementation of the truncated HMAC
When the truncated HMAC extension is enabled and CBC is used, extension. When the truncated HMAC extension is enabled and CBC is used,
sending a malicious application packet can be used to selectively sending a malicious application packet could be used to selectively corrupt
corrupt 6 bytes on the peer's heap, potentially leading to crash or 6 bytes on the peer's heap, which could potentially lead to crash or remote
remote code execution. This can be triggered remotely from either code execution. The issue could be triggered remotely from either side in
side. both TLS and DTLS. CVE-2018-0488
* Fix buffer overflow in RSA-PSS verification when the hash is too * Fix a buffer overflow in RSA-PSS verification when the hash was too large
large for the key size. Found by Seth Terashima, Qualcomm Product for the key size, which could potentially lead to crash or remote code
Security Initiative, Qualcomm Technologies Inc. execution. Found by Seth Terashima, Qualcomm Product Security Initiative,
* Fix buffer overflow in RSA-PSS verification when the unmasked Qualcomm Technologies Inc. CVE-2018-0487
data is all zeros. * Fix buffer overflow in RSA-PSS verification when the unmasked data is all
* Fix unsafe bounds check in ssl_parse_client_psk_identity() when adding zeros.
64kB to the address of the SSL buffer wraps around. * Fix an unsafe bounds check in ssl_parse_client_psk_identity() when adding
* Tighten should-be-constant-time memcmp against compiler optimizations. 64 KiB to the address of the SSL buffer and causing a wrap around.
* Add a provision to prevent compiler optimizations breaking the time
constancy of the internal function safer_memcmp().
* Ensure that buffers are cleared after use if they contain sensitive data. * Ensure that buffers are cleared after use if they contain sensitive data.
Changes were introduced in multiple places in the library. Changes were introduced in multiple places in the library.
* Set PEM buffer to zero before freeing it, to avoid decoded private keys * Set PEM buffer to zero before freeing it, to avoid decoded private keys
being leaked to memory after release. being leaked to memory after release.
* Fix dhm_check_range() failing to detect trivial subgroups and potentially * Fix dhm_check_range() failing to detect trivial subgroups and potentially
leaking 1 bit of the private key. Reported by prashantkspatil. leaking 1 bit of the private key. Reported by prashantkspatil.
* Make mpi_read_binary constant-time with respect to * Make mpi_read_binary() constant-time with respect to the input
the input data. Previously, trailing zero bytes were detected data. Previously, trailing zero bytes were detected and omitted for the
and omitted for the sake of saving memory, but potentially sake of saving memory, but potentially leading to slight timing
leading to slight timing differences. differences. Reported by Marco Macchetti, Kudelski Group.
Reported by Marco Macchetti, Kudelski Group.
* Wipe stack buffer temporarily holding EC private exponent * Wipe stack buffer temporarily holding EC private exponent
after keypair generation. after keypair generation.
* Change default choice of DHE parameters from untrustworthy RFC 5114 * Change default choice of DHE parameters from untrustworthy RFC 5114
to RFC 3526 containing parameters generated in a nothing-up-my-sleeve to RFC 3526 containing parameters generated in a nothing-up-my-sleeve
manner. manner.
* Fix a potential heap buffer overread in ALPN extension parsing * Fix a potential heap buffer over-read in ALPN extension parsing
(server-side). Could result in application crash, but only if an ALPN (server-side). Could result in application crash, but only if an ALPN
name larger than 16 bytes had been configured on the server. name larger than 16 bytes had been configured on the server.
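Review bot: the reworded truncated-HMAC entry (right column, line ending "both TLS and DTLS. CVE-2018-0488") states the issue is triggerable "in both TLS and DTLS", but this is the mbed TLS 1.3.22 ChangeLog, and the 1.3 branch has no DTLS support (DTLS arrived in the 2.0 series). On this branch the sentence should read "The issue could be triggered remotely from either side." without the DTLS clause, otherwise the advisory text wrongly implies a DTLS build of 1.3 exists. The rest of the hunk (adding CVE-2018-0487 and the release date 2018-02-03) is fine.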
@ -72,24 +73,25 @@ Bugfix
RSA implementations. Raised by J.B. in the Mbed TLS forum. Fixes #1011. RSA implementations. Raised by J.B. in the Mbed TLS forum. Fixes #1011.
* Don't print X.509 version tag for v1 CRT's, and omit extensions for * Don't print X.509 version tag for v1 CRT's, and omit extensions for
non-v3 CRT's. non-v3 CRT's.
* Fix bugs in RSA test suite under MBEDTLS_NO_PLATFORM_ENTROPY. #1023 #1024 * Fix bugs in RSA test suite under POLARSSL_NO_PLATFORM_ENTROPY. #1023 #1024
* Fix net_would_block to avoid modification by errno through fcntl call. * Fix net_would_block() to avoid modification by errno through fcntl() call.
Found by nkolban. Fixes #845. Found by nkolban. Fixes #845.
* Fix handling of handshake messages in ssl_read in case * Fix handling of handshake messages in ssl_read() in case
POLARSSL_SSL_DISABLE_RENEGOTIATION is set. Found by erja-gp. POLARSSL_SSL_DISABLE_RENEGOTIATION is set. Found by erja-gp.
* Add a check for invalid private parameters in ecdsa_sign. * Add a check for invalid private parameters in ecdsa_sign().
Reported by Yolan Romailler. Reported by Yolan Romailler.
* Fix word size check in in pk.c to not depend on MBEDTLS_HAVE_INT64. * Fix word size check in in pk.c to not depend on POLARSSL_HAVE_INT64.
* Fix crash when calling mbedtls_ssl_cache_free() twice. Found by * Fix crash when calling ssl_cache_free() twice. Found by MilenkoMitrovic.
MilenkoMitrovic, #1104 #1104
* Fix mbedtls_timing_alarm(0) on Unix and MinGW. * Fix set_alarm(0) on Unix and MinGW.
* Fix use of uninitialized memory in mbedtls_timing_get_timer when reset=1. * Fix use of uninitialized memory in get_timer() when reset=1.
* Fix issue in RSA key generation program programs/x509/rsa_genkey * Fix issue in RSA key generation program programs/x509/rsa_genkey
where the failure of CTR DRBG initialization lead to freeing an where the failure of CTR DRBG initialization lead to freeing an
RSA context without proper initialization beforehand. RSA context without proper initialization beforehand.
* Fix bug in cipher decryption with POLARSSL_PADDING_ONE_AND_ZEROS that * Fix an issue in the cipher decryption with the mode
sometimes accepted invalid padding. (Not used in TLS.) Found and fixed POLARSSL_PADDING_ONE_AND_ZEROS that sometimes accepted invalid padding.
by Micha Kraus. Note, this padding mode is not used by the TLS protocol. Found and fixed by
Micha Kraus.
Changes Changes
* Extend cert_write example program by options to set the CRT version * Extend cert_write example program by options to set the CRT version
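Review bot: the line "* Fix word size check in in pk.c to not depend on POLARSSL_HAVE_INT64." is being edited for the macro rename but keeps the duplicated "in in"; drop one "in" while touching the line. In the same hunk, "where the failure of CTR DRBG initialization lead to freeing an" should be "led to freeing". The MBEDTLS_ to POLARSSL_ macro renames and the unprefixed function names (ssl_cache_free(), set_alarm(), get_timer()) are the correct 1.3-branch names, so that part of the backport looks right.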
@ -103,8 +105,8 @@ Changes
Security Security
* Fix authentication bypass in SSL/TLS: when authmode is set to optional, * Fix authentication bypass in SSL/TLS: when authmode is set to optional,
mbedtls_ssl_get_verify_result() would incorrectly return 0 when the peer's ssl_get_verify_result() would incorrectly return 0 when the peer's
X.509 certificate chain had more than MBEDTLS_X509_MAX_INTERMEDIATE_CA X.509 certificate chain had more than POLARSSL_X509_MAX_INTERMEDIATE_CA
(default: 8) intermediates, even when it was not trusted. This could be (default: 8) intermediates, even when it was not trusted. This could be
triggered remotely from either side. (With authmode set to 'required' triggered remotely from either side. (With authmode set to 'required'
(the default), the handshake was correctly aborted). (the default), the handshake was correctly aborted).
@ -123,11 +125,11 @@ API Changes
Bugfix Bugfix
* Add a check if iv_len is zero in GCM, and return an error if it is zero. * Add a check if iv_len is zero in GCM, and return an error if it is zero.
Reported by roberto. #716 Reported by roberto. #716
* Replace preprocessor condition from #if defined(MBEDTLS_THREADING_PTHREAD) * Replace preprocessor condition from #if defined(POLARSSL_THREADING_PTHREAD)
to #if defined(MBEDTLS_THREADING_C) as the library cannot assume they will to #if defined(POLARSSL_THREADING_C) as the library cannot assume they will
always be implemented by pthread support. Fix for #696 always be implemented by pthread support. Fix for #696
* Fix a resource leak on Windows platforms in mbedtls_x509_crt_parse_path(), * Fix a resource leak on Windows platforms in x509_crt_parse_path(), in the
in the case of an error. Found by redplait. #590 case of an error. Found by redplait. #590
* Add MPI_CHK to check for error value of mpi_fill_random. * Add MPI_CHK to check for error value of mpi_fill_random.
Backported from a report and fix suggestion by guidovranken in #740 Backported from a report and fix suggestion by guidovranken in #740
* Fix a potential integer overflow in the version verification for DER * Fix a potential integer overflow in the version verification for DER
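Review bot: style point on "* Add MPI_CHK to check for error value of mpi_fill_random." near the end of this hunk: the rest of this change adds parentheses to function names (x509_crt_parse_path(), ssl_get_verify_result()), so mpi_fill_random should become mpi_fill_random() for consistency; the preprocessor-macro rename to POLARSSL_THREADING_PTHREAD / POLARSSL_THREADING_C is consistent with the branch.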
@ -175,9 +177,9 @@ Bugfix
resulting in compatibility problems with Chrome. Found by hfloyrd. #823 resulting in compatibility problems with Chrome. Found by hfloyrd. #823
* Accept empty trusted CA chain in authentication mode * Accept empty trusted CA chain in authentication mode
SSL_VERIFY_OPTIONAL. Found by jethrogb. #864. SSL_VERIFY_OPTIONAL. Found by jethrogb. #864.
* Fix implementation of mbedtls_ssl_parse_certificate() to not annihilate * Fix implementation of ssl_parse_certificate() to not annihilate fatal
fatal errors in authentication mode MBEDTLS_SSL_VERIFY_OPTIONAL and to errors in authentication mode MBEDTLS_SSL_VERIFY_OPTIONAL and to reflect
reflect bad EC curves within verification result. bad EC curves within verification result.
* Fix bug that caused the modular inversion function to accept the invalid * Fix bug that caused the modular inversion function to accept the invalid
modulus 1 and therefore to hang. Found by blaufish. #641. modulus 1 and therefore to hang. Found by blaufish. #641.
* Fix incorrect sign computation in modular exponentiation when the base is * Fix incorrect sign computation in modular exponentiation when the base is
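Review bot: missed rename in the entry "* Fix implementation of ssl_parse_certificate() to not annihilate fatal errors in authentication mode MBEDTLS_SSL_VERIFY_OPTIONAL": the function was renamed to its 1.3 name, but the macro is still the 2.x spelling, while the preceding entry in the same hunk already uses SSL_VERIFY_OPTIONAL. Change it to "authentication mode SSL_VERIFY_OPTIONAL" so the two adjacent entries refer to the same identifier.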