diff --git a/ChangeLog b/ChangeLog index a0eee53bb..77d9d81cd 100644 --- a/ChangeLog +++ b/ChangeLog @@ -2,6 +2,93 @@ mbed TLS ChangeLog (Sorted per branch, date) = mbed TLS x.x.x branch released xxxx-xx-xx +Features + * Add new API functions mbedtls_ssl_session_save() and + mbedtls_ssl_session_load() to allow serializing a session, for example to + store it in non-volatile storage, and later using it for TLS session + resumption. + * Add a new API function mbedtls_ssl_check_record() to allow checking that + an incoming record is valid, authentic and has not been seen before. This + feature can be used alongside Connection ID and SSL context serialisation. + The feature is enabled at compile-time by MBEDTLS_SSL_RECORD_CHECKING + option. + +API Changes + * Add DER-encoded test CRTs to library/certs.c, allowing + the example programs ssl_server2 and ssl_client2 to be run + if MBEDTLS_FS_IO and MBEDTLS_PEM_PARSE_C are unset. Fixes #2254. + * The HAVEGE state type now uses uint32_t elements instead of int. + +Bugfix + * Fix missing bounds checks in X.509 parsing functions that could + lead to successful parsing of ill-formed X.509 CRTs. Fixes #2437. + * Fix multiple X.509 functions previously returning ASN.1 low-level error + codes to always wrap these codes into X.509 high level error codes before + returning. Fixes #2431. + * Fix to allow building test suites with any warning that detects unused + functions. Fixes #1628. + * Fix typo in net_would_block(). Fixes #528 reported by github-monoculture. + * Remove redundant include file in timing.c. Fixes #2640 reported by irwir. + * Fix build failure when building with mingw on Windows by including + stdarg.h where needed. Fixes #2656. + * Fix Visual Studio Release x64 build configuration by inheriting + PlatformToolset from the project configuration. Fixes #1430 reported by + irwir. + * Enable Suite B with subset of ECP curves. Make sure the code compiles even + if some curves are not defined. Fixes #1591 reported by dbedev. + * Fix misuse of signed arithmetic in the HAVEGE module. #2598 + * Avoid use of statically sized stack buffers for certificate writing. + This previously limited the maximum size of DER encoded certificates + in mbedtls_x509write_crt_der() to 2Kb. Reported by soccerGB in #2631. + * Fix partial zeroing in x509_get_other_name. Found and fixed by ekse, #2716. + * Update test certificates that were about to expire. Reported by + Bernhard M. Wiedemann in #2357. + * Fix the build on ARMv5TE in ARM mode to not use assembly instructions + that are only available in Thumb mode. Fix contributed by Aurelien Jarno + in #2169. + * Fix propagation of restart contexts in restartable EC operations. + This could previously lead to segmentation faults in builds using an + address-sanitizer and enabling but not using MBEDTLS_ECP_RESTARTABLE. + +Changes + * Replace multiple uses of MD2 by SHA-256 in X.509 test suite. Fixes #821. + * Make it easier to define MBEDTLS_PARAM_FAILED as assert (which config.h + suggests). #2671 + * Make `make clean` clean all programs always. Fixes #1862. + * Add a Dockerfile and helper scripts (all-in-docker.sh, basic-in-docker.sh, + docker-env.sh) to simplify running test suites on a Linux host. Contributed + by Peter Kolbus (Garmin). + * Enable building of Mbed TLS as a CMake subproject. Suggested and fixed by + Ashley Duncan in #2609. + * Add `reproducible` option to `ssl_client2` and `ssl_server2` to enable + test runs without variability. Contributed by Philippe Antoine (Catena + cyber) in #2681. + * Extended .gitignore to ignore Visual Studio artifacts. Fixed by ConfusedSushi. + * Enable building of Mbed TLS as a CMake subproject. Suggested and fixed by + Ashley Duncan in #2609. + * Add `reproducible` option to `ssl_client2` and `ssl_server2` to enable + test runs without variability. Contributed by Philippe Antoine (Catena + cyber) in #2681. + * Enable building of Mbed TLS as a CMake subproject. Suggested and fixed by + Ashley Duncan in #2609. + * Add `reproducible` option to `ssl_client2` and `ssl_server2` to enable + test runs without variability. Contributed by Philippe Antoine (Catena + cyber) in #2681. + * Adds fuzz targets, especially for continuous fuzzing with OSS-Fuzz. + Contributed by Philippe Antoine (Catena cyber). + += mbed TLS 2.18.1 branch released 2019-07-12 + +Bugfix + * Fix build failure when building with mingw on Windows by including + stdarg.h where needed. Fixes #2656. + +Changes + * Enable building of Mbed TLS as a CMake subproject. Suggested and fixed by + Ashley Duncan in #2609. + += mbed TLS 2.18.0 branch released 2019-06-11 + Features * Add the Any Policy certificate policy oid, as defined in rfc 5280 section 4.2.1.4. @@ -31,24 +118,11 @@ Features changed its IP or port. The feature is enabled at compile-time by setting MBEDTLS_SSL_DTLS_CONNECTION_ID (disabled by default), and at run-time through the new APIs mbedtls_ssl_conf_cid() and mbedtls_ssl_set_cid(). - * Add new API functions mbedtls_ssl_session_save() and - mbedtls_ssl_session_load() to allow serializing a session, for example to - store it in non-volatile storage, and later using it for TLS session - resumption. - * Add a new API function mbedtls_ssl_check_record() to allow checking that - an incoming record is valid, authentic and has not been seen before. This - feature can be used alongside Connection ID and SSL context serialisation. - The feature is enabled at compile-time by MBEDTLS_SSL_RECORD_CHECKING - option. API Changes * Extend the MBEDTLS_SSL_EXPORT_KEYS to export the handshake randbytes, and the used tls-prf. * Add public API for tls-prf function, according to requested enum. - * Add DER-encoded test CRTs to library/certs.c, allowing - the example programs ssl_server2 and ssl_client2 to be run - if MBEDTLS_FS_IO and MBEDTLS_PEM_PARSE_C are unset. Fixes #2254. - * The HAVEGE state type now uses uint32_t elements instead of int. Bugfix * Fix private key DER output in the key_app_writer example. File contents @@ -76,35 +150,7 @@ Bugfix * Set the next sequence of the subject_alt_name to NULL when deleting sequence on failure. Found and fix suggested by Philippe Antoine. Credit to OSS-Fuzz. - * Fix missing bounds checks in X.509 parsing functions that could - lead to successful parsing of ill-formed X.509 CRTs. Fixes #2437. - * Fix multiple X.509 functions previously returning ASN.1 low-level error - codes to always wrap these codes into X.509 high level error codes before - returning. Fixes #2431. - * Fix to allow building test suites with any warning that detects unused - functions. Fixes #1628. - * Fix typo in net_would_block(). Fixes #528 reported by github-monoculture. - * Remove redundant include file in timing.c. Fixes #2640 reported by irwir. - * Fix build failure when building with mingw on Windows by including - stdarg.h where needed. Fixes #2656. - * Fix Visual Studio Release x64 build configuration by inheriting - PlatformToolset from the project configuration. Fixes #1430 reported by - irwir. - * Enable Suite B with subset of ECP curves. Make sure the code compiles even - if some curves are not defined. Fixes #1591 reported by dbedev. - * Fix misuse of signed arithmetic in the HAVEGE module. #2598 - * Avoid use of statically sized stack buffers for certificate writing. - This previously limited the maximum size of DER encoded certificates - in mbedtls_x509write_crt_der() to 2Kb. Reported by soccerGB in #2631. - * Fix partial zeroing in x509_get_other_name. Found and fixed by ekse, #2716. - * Update test certificates that were about to expire. Reported by - Bernhard M. Wiedemann in #2357. - * Fix the build on ARMv5TE in ARM mode to not use assembly instructions - that are only available in Thumb mode. Fix contributed by Aurelien Jarno - in #2169. - * Fix propagation of restart contexts in restartable EC operations. - This could previously lead to segmentation faults in builds using an - address-sanitizer and enabling but not using MBEDTLS_ECP_RESTARTABLE. + Changes * Server's RSA certificate in certs.c was SHA-1 signed. In the default mbedTLS configuration only SHA-2 signed certificates are accepted. @@ -121,31 +167,6 @@ Changes Contributed by Peter Kolbus (Garmin). * Change wording in the `mbedtls_ssl_conf_max_frag_len()`'s documentation to improve clarity. Fixes #2258. - * Replace multiple uses of MD2 by SHA-256 in X.509 test suite. Fixes #821. - * Make it easier to define MBEDTLS_PARAM_FAILED as assert (which config.h - suggests). #2671 - * Make `make clean` clean all programs always. Fixes #1862. - * Add a Dockerfile and helper scripts (all-in-docker.sh, basic-in-docker.sh, - docker-env.sh) to simplify running test suites on a Linux host. Contributed - by Peter Kolbus (Garmin). - * Enable building of Mbed TLS as a CMake subproject. Suggested and fixed by - Ashley Duncan in #2609. - * Add `reproducible` option to `ssl_client2` and `ssl_server2` to enable - test runs without variability. Contributed by Philippe Antoine (Catena - cyber) in #2681. - * Extended .gitignore to ignore Visual Studio artifacts. Fixed by ConfusedSushi. - * Enable building of Mbed TLS as a CMake subproject. Suggested and fixed by - Ashley Duncan in #2609. - * Add `reproducible` option to `ssl_client2` and `ssl_server2` to enable - test runs without variability. Contributed by Philippe Antoine (Catena - cyber) in #2681. - * Enable building of Mbed TLS as a CMake subproject. Suggested and fixed by - Ashley Duncan in #2609. - * Add `reproducible` option to `ssl_client2` and `ssl_server2` to enable - test runs without variability. Contributed by Philippe Antoine (Catena - cyber) in #2681. - * Adds fuzz targets, especially for continuous fuzzing with OSS-Fuzz. - Contributed by Philippe Antoine (Catena cyber). = mbed TLS 2.17.0 branch released 2019-03-19 diff --git a/doxygen/input/doc_mainpage.h b/doxygen/input/doc_mainpage.h index 4eff83692..487faf8d2 100644 --- a/doxygen/input/doc_mainpage.h +++ b/doxygen/input/doc_mainpage.h @@ -24,7 +24,7 @@ */ /** - * @mainpage mbed TLS v2.17.0 source code documentation + * @mainpage mbed TLS v2.18.0 source code documentation * * This documentation describes the internal structure of mbed TLS. It was * automatically generated from specially formatted comment blocks in diff --git a/doxygen/mbedtls.doxyfile b/doxygen/mbedtls.doxyfile index 0cb092e37..f582f9b38 100644 --- a/doxygen/mbedtls.doxyfile +++ b/doxygen/mbedtls.doxyfile @@ -28,7 +28,7 @@ DOXYFILE_ENCODING = UTF-8 # identify the project. Note that if you do not use Doxywizard you need # to put quotes around the project name if it contains spaces. -PROJECT_NAME = "mbed TLS v2.17.0" +PROJECT_NAME = "mbed TLS v2.18.0" # The PROJECT_NUMBER tag can be used to enter a project or revision number. # This could be handy for archiving the generated documentation or diff --git a/include/mbedtls/version.h b/include/mbedtls/version.h index fd7783044..ea01f1d0e 100644 --- a/include/mbedtls/version.h +++ b/include/mbedtls/version.h @@ -39,7 +39,7 @@ * Major, Minor, Patchlevel */ #define MBEDTLS_VERSION_MAJOR 2 -#define MBEDTLS_VERSION_MINOR 17 +#define MBEDTLS_VERSION_MINOR 18 #define MBEDTLS_VERSION_PATCH 0 /** @@ -47,9 +47,9 @@ * MMNNPP00 * Major version | Minor version | Patch version */ -#define MBEDTLS_VERSION_NUMBER 0x02110000 -#define MBEDTLS_VERSION_STRING "2.17.0" -#define MBEDTLS_VERSION_STRING_FULL "mbed TLS 2.17.0" +#define MBEDTLS_VERSION_NUMBER 0x02120000 +#define MBEDTLS_VERSION_STRING "2.18.0" +#define MBEDTLS_VERSION_STRING_FULL "mbed TLS 2.18.0" #if defined(MBEDTLS_VERSION_C) diff --git a/library/CMakeLists.txt b/library/CMakeLists.txt index 7f0819ef6..c82784ee1 100644 --- a/library/CMakeLists.txt +++ b/library/CMakeLists.txt @@ -172,14 +172,14 @@ endif(USE_STATIC_MBEDTLS_LIBRARY) if(USE_SHARED_MBEDTLS_LIBRARY) add_library(mbedx509 SHARED ${src_x509}) - set_target_properties(mbedx509 PROPERTIES VERSION 2.17.0 SOVERSION 0) + set_target_properties(mbedx509 PROPERTIES VERSION 2.18.0 SOVERSION 1) target_link_libraries(mbedx509 ${libs} mbedcrypto) target_include_directories(mbedx509 PUBLIC ${MBEDTLS_DIR}/include/ PUBLIC ${MBEDTLS_DIR}/crypto/include/) add_library(mbedtls SHARED ${src_tls}) - set_target_properties(mbedtls PROPERTIES VERSION 2.17.0 SOVERSION 12) + set_target_properties(mbedtls PROPERTIES VERSION 2.18.0 SOVERSION 13) target_link_libraries(mbedtls ${libs} mbedx509) target_include_directories(mbedtls PUBLIC ${MBEDTLS_DIR}/include/ diff --git a/library/Makefile b/library/Makefile index 8b2e572aa..af472ad93 100644 --- a/library/Makefile +++ b/library/Makefile @@ -35,8 +35,8 @@ LOCAL_CFLAGS += -fPIC -fpic endif endif -SOEXT_TLS=so.12 -SOEXT_X509=so.0 +SOEXT_TLS=so.13 +SOEXT_X509=so.1 SOEXT_CRYPTO=so.3 # Set AR_DASH= (empty string) to use an ar implementation that does not accept diff --git a/tests/suites/test_suite_version.data b/tests/suites/test_suite_version.data index a4575ab00..f83b8d3ff 100644 --- a/tests/suites/test_suite_version.data +++ b/tests/suites/test_suite_version.data @@ -1,8 +1,8 @@ Check compiletime library version -check_compiletime_version:"2.17.0" +check_compiletime_version:"2.18.0" Check runtime library version -check_runtime_version:"2.17.0" +check_runtime_version:"2.18.0" Check for MBEDTLS_VERSION_C check_feature:"MBEDTLS_VERSION_C":0