Assemble ChangeLog

Executed scripts/assemble_changelog.py. Signed-off-by: Janos Follath <janos.follath@arm.com>
2024-11-22 06:15:41 +01:00 · 2020-06-26 11:33:34 +01:00 · 2020-06-26 11:33:34 +01:00 · 49e6caf12e
commit 49e6caf12e
parent f69b919844
10 changed files with 52 additions and 56 deletions
--- a/52
+++ b/52
@ -1,5 +1,57 @@
 mbed TLS ChangeLog (Sorted per branch, date)

+= mbed TLS x.x.x branch released xxxx-xx-xx
+
+Security
+   * Fix a side channel vulnerability in modular exponentiation that could
+     reveal an RSA private key used in a secure enclave. Noticed by Sangho Lee,
+     Ming-Wei Shih, Prasun Gera, Taesoo Kim and Hyesoon Kim (Georgia Institute
+     of Technology); and Marcus Peinado (Microsoft Research). Reported by Raoul
+     Strackx (Fortanix) in #3394.
+   * Fix side channel in mbedtls_ecp_check_pub_priv() and
+     mbedtls_pk_parse_key() / mbedtls_pk_parse_keyfile() (when loading a
+     private key that didn't include the uncompressed public key), as well as
+     mbedtls_ecp_mul() / mbedtls_ecp_mul_restartable() when called with a NULL
+     f_rng argument. An attacker with access to precise enough timing and
+     memory access information (typically an untrusted operating system
+     attacking a secure enclave) could fully recover the ECC private key.
+     Found and reported by Alejandro Cabrera Aldaya and Billy Brumley.
+   * Fix issue in Lucky 13 counter-measure that could make it ineffective when
+     hardware accelerators were used (using one of the MBEDTLS_SHAxxx_ALT
+     macros). This would cause the original Lucky 13 attack to be possible in
+     those configurations, allowing an active network attacker to recover
+     plaintext after repeated timing measurements under some conditions.
+     Reported and fix suggested by Luc Perneel in #3246.
+
+Bugfix
+   * Fix the Visual Studio Release x64 build configuration for mbedtls itself.
+     Completes a previous fix in Mbed TLS 2.16.3 that only fixed the build for
+     the example programs. Reported in #1430 and fix contributed by irwir.
+   * Fix undefined behavior in X.509 certificate parsing if the
+     pathLenConstraint basic constraint value is equal to INT_MAX.
+     The actual effect with almost every compiler is the intended
+     behavior, so this is unlikely to be exploitable anywhere. #3197
+   * Include asn1.h in error.c. Fixes #3328 reported by David Hu.
+   * Fix potential memory leaks in ecp_randomize_jac() and ecp_randomize_mxz()
+     when PRNG function fails. Contributed by Jonas Lejeune in #3318.
+   * Add additional bounds checks in ssl_write_client_hello() preventing
+     output buffer overflow if the configuration declared a buffer that was
+     too small.
+
+Changes
+   * Unify the example programs termination to call mbedtls_exit() instead of
+     using a return command. This has been done to enable customization of the
+     behavior in bare metal environments.
+   * Abort the ClientHello writing function as soon as some extension doesn't
+     fit into the record buffer. Previously, such extensions were silently
+     dropped. As a consequence, the TLS handshake now fails when the output
+     buffer is not large enough to hold the ClientHello.
+   * The ECP module, enabled by `MBEDTLS_ECP_C`, now depends on
+     `MBEDTLS_CTR_DRBG_C`, `MBEDTLS_HMAC_DRBG_C`, `MBEDTLS_SHA512_C` or
+     `MBEDTLS_SHA256_C` for some side-channel coutermeasures. If side channels
+     are not a concern, this dependency can be avoided by enabling the new
+     option `MBEDTLS_ECP_NO_INTERNAL_RNG`.
+
 = mbed TLS 2.16.6 branch released 2020-04-14

 Security
--- a/ChangeLog.d/bugfix.txt
+++ b/ChangeLog.d/bugfix.txt
@ -1,4 +0,0 @@
-Bugfix
-   * Fix the Visual Studio Release x64 build configuration for mbedtls itself.
-     Completes a previous fix in Mbed TLS 2.16.3 that only fixed the build for
-     the example programs. Reported in #1430 and fix contributed by irwir.
--- a/ChangeLog.d/ecp-internal-rng.txt
+++ b/ChangeLog.d/ecp-internal-rng.txt
@ -1,16 +0,0 @@
-Changes
-   * The ECP module, enabled by `MBEDTLS_ECP_C`, now depends on
-     `MBEDTLS_CTR_DRBG_C`, `MBEDTLS_HMAC_DRBG_C`, `MBEDTLS_SHA512_C` or
-     `MBEDTLS_SHA256_C` for some side-channel coutermeasures. If side channels
-     are not a concern, this dependency can be avoided by enabling the new
-     option `MBEDTLS_ECP_NO_INTERNAL_RNG`.
-
-Security
-   * Fix side channel in mbedtls_ecp_check_pub_priv() and
-     mbedtls_pk_parse_key() / mbedtls_pk_parse_keyfile() (when loading a
-     private key that didn't include the uncompressed public key), as well as
-     mbedtls_ecp_mul() / mbedtls_ecp_mul_restartable() when called with a NULL
-     f_rng argument. An attacker with access to precise enough timing and
-     memory access information (typically an untrusted operating system
-     attacking a secure enclave) could fully recover the ECC private key.
-     Found and reported by Alejandro Cabrera Aldaya and Billy Brumley.
--- a/ChangeLog.d/error-asn1.txt
+++ b/ChangeLog.d/error-asn1.txt
@ -1,2 +0,0 @@
-Bugfix
-   * Include asn1.h in error.c. Fixes #3328 reported by David Hu.
--- a/ChangeLog.d/fix-ecp-mul-memory-leak.txt
+++ b/ChangeLog.d/fix-ecp-mul-memory-leak.txt
@ -1,3 +0,0 @@
-Bugfix
-   * Fix potential memory leaks in ecp_randomize_jac() and ecp_randomize_mxz()
-     when PRNG function fails. Contributed by Jonas Lejeune in #3318.
--- a/ChangeLog.d/l13-hw-accel.txt
+++ b/ChangeLog.d/l13-hw-accel.txt
@ -1,7 +0,0 @@
-Security
-   * Fix issue in Lucky 13 counter-measure that could make it ineffective when
-     hardware accelerators were used (using one of the MBEDTLS_SHAxxx_ALT
-     macros). This would cause the original Lucky 13 attack to be possible in
-     those configurations, allowing an active network attacker to recover
-     plaintext after repeated timing measurements under some conditions.
-     Reported and fix suggested by Luc Perneel in #3246.
--- a/ChangeLog.d/max_pathlen.txt
+++ b/ChangeLog.d/max_pathlen.txt
@ -1,5 +0,0 @@
-Bugfix
-   * Fix undefined behavior in X.509 certificate parsing if the
-     pathLenConstraint basic constraint value is equal to INT_MAX.
-     The actual effect with almost every compiler is the intended
-     behavior, so this is unlikely to be exploitable anywhere. #3197
--- a/ChangeLog.d/montmul-cmp-branch.txt
+++ b/ChangeLog.d/montmul-cmp-branch.txt
@ -1,6 +0,0 @@
-Security
-   * Fix a side channel vulnerability in modular exponentiation that could
-     reveal an RSA private key used in a secure enclave. Noticed by Sangho Lee,
-     Ming-Wei Shih, Prasun Gera, Taesoo Kim and Hyesoon Kim (Georgia Institute
-     of Technology); and Marcus Peinado (Microsoft Research). Reported by Raoul
-     Strackx (Fortanix) in #3394.
--- a/ChangeLog.d/unified-exit-in-examples.txt
+++ b/ChangeLog.d/unified-exit-in-examples.txt
@ -1,4 +0,0 @@
-Changes
-   * Unify the example programs termination to call mbedtls_exit() instead of
-     using a return command. This has been done to enable customization of the
-     behavior in bare metal environments.
--- a/ChangeLog.d/uniformize_bounds_checks.txt
+++ b/ChangeLog.d/uniformize_bounds_checks.txt
@ -1,9 +0,0 @@
-Bugfix
-   * Add additional bounds checks in ssl_write_client_hello() preventing
-     output buffer overflow if the configuration declared a buffer that was
-     too small.
-Changes
-   * Abort the ClientHello writing function as soon as some extension doesn't
-     fit into the record buffer. Previously, such extensions were silently
-     dropped. As a consequence, the TLS handshake now fails when the output
-     buffer is not large enough to hold the ClientHello.