diff --git a/ChangeLog b/ChangeLog index b765f6b6c..90db442c5 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,70 @@ mbed TLS ChangeLog (Sorted per branch, date) += mbed TLS x.x.x branch released xxxx-xx-xx + +Features + * Support building on e2k (Elbrus) architecture: correctly enable + -Wformat-signedness, and fix the code that causes signed-one-bit-field + and sign-compare warnings. Contributed by makise-homura (Igor Molchanov) + . + +Security + * When checking X.509 CRLs, a certificate was only considered as revoked if + its revocationDate was in the past according to the local clock if + available. In particular, on builds without MBEDTLS_HAVE_TIME_DATE, + certificates were never considered as revoked. On builds with + MBEDTLS_HAVE_TIME_DATE, an attacker able to control the local clock (for + example, an untrusted OS attacking a secure enclave) could prevent + revocation of certificates via CRLs. Fixed by no longer checking the + revocationDate field, in accordance with RFC 5280. Reported by + yuemonangong in #3340. Reported independently and fixed by + Raoul Strackx and Jethro Beekman in #3433. + * In (D)TLS record decryption, when using a CBC ciphersuites without the + Encrypt-then-Mac extension, use constant code flow memory access patterns + to extract and check the MAC. This is an improvement to the existing + countermeasure against Lucky 13 attacks. The previous countermeasure was + effective against network-based attackers, but less so against local + attackers. The new countermeasure defends against local attackers, even + if they have access to fine-grained measurements. In particular, this + fixes a local Lucky 13 cache attack found and reported by Tuba Yavuz, + Farhaan Fowze, Ken (Yihan) Bai, Grant Hernandez, and Kevin Butler + (University of Florida) and Dave Tian (Purdue University). + * Fix side channel in RSA private key operations and static (finite-field) + Diffie-Hellman. An adversary with precise enough timing and memory access + information (typically an untrusted operating system attacking a secure + enclave) could bypass an existing counter-measure (base blinding) and + potentially fully recover the private key. + * Fix a 1-byte buffer overread in mbedtls_x509_crl_parse_der(). + Credit to OSS-Fuzz for detecting the problem and to Philippe Antoine + for pinpointing the problematic code. + * Zeroising of plaintext buffers in mbedtls_ssl_read() to erase unused + application data from memory. Reported in #689 by + Johan Uppman Bruce of Sectra. + +Bugfix + * Avoid use of statically sized stack buffers for certificate writing. + This previously limited the maximum size of DER encoded certificates + in mbedtls_x509write_crt_der() to 2Kb. Reported by soccerGB in #2631. + * Reduce the stack consumption of mbedtls_x509write_csr_der() which + previously could lead to stack overflow on constrained devices. + Contributed by Doru Gucea and Simon Leet in #3464. + * Use arc4random_buf on NetBSD instead of rand implementation with cyclical + lower bits. Fix contributed in #3540. + * Fix building library/net_sockets.c and the ssl_mail_client program on + NetBSD. NetBSD conditionals were added for the backport to avoid the risk + of breaking a platform. Original fix contributed by Nia Alarie in #3422. + Adapted for long-term support branch 2.16 in #3558. + * Fix bug in redirection of unit test outputs on platforms where stdout is + defined as a macro. First reported in #2311 and fix contributed in #3528. + Adopted for LTS branch 2.16 in #3601. + +Changes + * Update copyright notices to use Linux Foundation guidance. As a result, + the copyright of contributors other than Arm is now acknowledged, and the + years of publishing are no longer tracked in the source files. This also + eliminates the need for the lines declaring the files to be part of + MbedTLS. Fixes #3457. + = mbed TLS 2.16.7 branch released 2020-07-01 Security diff --git a/ChangeLog.d/bugfix_PR_2632.txt b/ChangeLog.d/bugfix_PR_2632.txt deleted file mode 100644 index 1d54b4dd2..000000000 --- a/ChangeLog.d/bugfix_PR_2632.txt +++ /dev/null @@ -1,4 +0,0 @@ -Bugfix - * Avoid use of statically sized stack buffers for certificate writing. - This previously limited the maximum size of DER encoded certificates - in mbedtls_x509write_crt_der() to 2Kb. Reported by soccerGB in #2631. diff --git a/ChangeLog.d/copyright.txt b/ChangeLog.d/copyright.txt deleted file mode 100644 index aefc6bc7e..000000000 --- a/ChangeLog.d/copyright.txt +++ /dev/null @@ -1,6 +0,0 @@ -Changes - * Update copyright notices to use Linux Foundation guidance. As a result, - the copyright of contributors other than Arm is now acknowledged, and the - years of publishing are no longer tracked in the source files. This also - eliminates the need for the lines declaring the files to be part of - MbedTLS. Fixes #3457. diff --git a/ChangeLog.d/crl-revocationDate.txt b/ChangeLog.d/crl-revocationDate.txt deleted file mode 100644 index a8ad53216..000000000 --- a/ChangeLog.d/crl-revocationDate.txt +++ /dev/null @@ -1,11 +0,0 @@ -Security - * When checking X.509 CRLs, a certificate was only considered as revoked if - its revocationDate was in the past according to the local clock if - available. In particular, on builds without MBEDTLS_HAVE_TIME_DATE, - certificates were never considered as revoked. On builds with - MBEDTLS_HAVE_TIME_DATE, an attacker able to control the local clock (for - example, an untrusted OS attacking a secure enclave) could prevent - revocation of certificates via CRLs. Fixed by no longer checking the - revocationDate field, in accordance with RFC 5280. Reported by - yuemonangong in #3340. Reported independently and fixed by - Raoul Strackx and Jethro Beekman in #3433. diff --git a/ChangeLog.d/e2k-support.txt b/ChangeLog.d/e2k-support.txt deleted file mode 100644 index 023b1888e..000000000 --- a/ChangeLog.d/e2k-support.txt +++ /dev/null @@ -1,5 +0,0 @@ -Features - * Support building on e2k (Elbrus) architecture: correctly enable - -Wformat-signedness, and fix the code that causes signed-one-bit-field - and sign-compare warnings. Contributed by makise-homura (Igor Molchanov) - . diff --git a/ChangeLog.d/fix-build-netbsd.txt b/ChangeLog.d/fix-build-netbsd.txt deleted file mode 100644 index 000614e37..000000000 --- a/ChangeLog.d/fix-build-netbsd.txt +++ /dev/null @@ -1,5 +0,0 @@ -Bugfix - * Fix building library/net_sockets.c and the ssl_mail_client program on - NetBSD. NetBSD conditionals were added for the backport to avoid the risk - of breaking a platform. Original fix contributed by Nia Alarie in #3422. - Adapted for long-term support branch 2.16 in #3558. diff --git a/ChangeLog.d/local-lucky13.txt b/ChangeLog.d/local-lucky13.txt deleted file mode 100644 index adf493abe..000000000 --- a/ChangeLog.d/local-lucky13.txt +++ /dev/null @@ -1,11 +0,0 @@ -Security - * In (D)TLS record decryption, when using a CBC ciphersuites without the - Encrypt-then-Mac extension, use constant code flow memory access patterns - to extract and check the MAC. This is an improvement to the existing - countermeasure against Lucky 13 attacks. The previous countermeasure was - effective against network-based attackers, but less so against local - attackers. The new countermeasure defends against local attackers, even - if they have access to fine-grained measurements. In particular, this - fixes a local Lucky 13 cache attack found and reported by Tuba Yavuz, - Farhaan Fowze, Ken (Yihan) Bai, Grant Hernandez, and Kevin Butler - (University of Florida) and Dave Tian (Purdue University). diff --git a/ChangeLog.d/netbsd-rand-arc4random_buf.txt b/ChangeLog.d/netbsd-rand-arc4random_buf.txt deleted file mode 100644 index 8539d1f5e..000000000 --- a/ChangeLog.d/netbsd-rand-arc4random_buf.txt +++ /dev/null @@ -1,3 +0,0 @@ -Bugfix - * Use arc4random_buf on NetBSD instead of rand implementation with cyclical - lower bits. Fix contributed in #3540. diff --git a/ChangeLog.d/protect-base-blinding.txt b/ChangeLog.d/protect-base-blinding.txt deleted file mode 100644 index ca0600cee..000000000 --- a/ChangeLog.d/protect-base-blinding.txt +++ /dev/null @@ -1,6 +0,0 @@ -Security - * Fix side channel in RSA private key operations and static (finite-field) - Diffie-Hellman. An adversary with precise enough timing and memory access - information (typically an untrusted operating system attacking a secure - enclave) could bypass an existing counter-measure (base blinding) and - potentially fully recover the private key. diff --git a/ChangeLog.d/stdout-macro.txt b/ChangeLog.d/stdout-macro.txt deleted file mode 100644 index e77b0adfd..000000000 --- a/ChangeLog.d/stdout-macro.txt +++ /dev/null @@ -1,4 +0,0 @@ -Bugfix - * Fix bug in redirection of unit test outputs on platforms where stdout is - defined as a macro. First reported in #2311 and fix contributed in #3528. - Adopted for LTS branch 2.16 in #3601. diff --git a/ChangeLog.d/x509parse_crl-empty_entry.txt b/ChangeLog.d/x509parse_crl-empty_entry.txt deleted file mode 100644 index 483abb10a..000000000 --- a/ChangeLog.d/x509parse_crl-empty_entry.txt +++ /dev/null @@ -1,4 +0,0 @@ -Security - * Fix a 1-byte buffer overread in mbedtls_x509_crl_parse_der(). - Credit to OSS-Fuzz for detecting the problem and to Philippe Antoine - for pinpointing the problematic code. diff --git a/ChangeLog.d/x509write_csr_heap_alloc.txt b/ChangeLog.d/x509write_csr_heap_alloc.txt deleted file mode 100644 index 6223698bb..000000000 --- a/ChangeLog.d/x509write_csr_heap_alloc.txt +++ /dev/null @@ -1,4 +0,0 @@ -Bugfix - * Reduce the stack consumption of mbedtls_x509write_csr_der() which - previously could lead to stack overflow on constrained devices. - Contributed by Doru Gucea and Simon Leet in #3464. diff --git a/ChangeLog.d/zeroising_of_plaintext_buffer.txt b/ChangeLog.d/zeroising_of_plaintext_buffer.txt deleted file mode 100644 index f618beb91..000000000 --- a/ChangeLog.d/zeroising_of_plaintext_buffer.txt +++ /dev/null @@ -1,4 +0,0 @@ -Security - * Zeroising of plaintext buffers in mbedtls_ssl_read() to erase unused - application data from memory. Reported in #689 by - Johan Uppman Bruce of Sectra.