Improve Changelog

Janos Follath 2017-06-16 09:00:07 +01:00
parent 90651914a9
commit 5a1c0e7162


@ -17,39 +17,45 @@ Security
potential Bleichenbacher/BERserk-style attack. potential Bleichenbacher/BERserk-style attack.
Bugfix Bugfix
* Remove invalid use of size zero arrays in ECJPAKE test suite. * Remove size zero arrays from ECJPAKE test suite. Size zero arrays are not
valid C and they prevented the test from compiling in Visual Studio 2015
and with GCC using the -Wpedantic compilation option.
* Fix insufficient support for signature-hash-algorithm extension, * Fix insufficient support for signature-hash-algorithm extension,
resulting in compatibility problems with Chrome. Found by hfloyrd. #823 resulting in compatibility problems with Chrome. Found by hfloyrd. #823
* If sending a fatal alert fails, make sure not to hide the error * Fix behaviour that hid the original cause of fatal alerts in some cases
when sending the alert failed. The fix makes sure not to hide the error
that triggered the alert. that triggered the alert.
* In SSLv3, if refusing a renegotiation attempt, don't process any further * Fix SSLv3 renegotiation behaviour and stop processing data received from
data. peer after sending a fatal alert to refuse a renegotiation attempt.
Previous behaviour was to keep processing data even after the alert has
been sent.
* Accept empty trusted CA chain in authentication mode * Accept empty trusted CA chain in authentication mode
MBEDTLS_SSL_VERIFY_OPTIONAL. MBEDTLS_SSL_VERIFY_OPTIONAL.
Fixes #864. Found by jethrogb. Found by jethrogb. #864
* Fix implementation of mbedtls_ssl_parse_certificate * Fix implementation of mbedtls_ssl_parse_certificate() to not annihilate
to not annihilate fatal errors in authentication mode fatal errors in authentication mode MBEDTLS_SSL_VERIFY_OPTIONAL and to
MBEDTLS_SSL_VERIFY_OPTIONAL and to reflect bad EC curves reflect bad EC curves within verification result.
within verification result. * Fix bug that caused the modular inversion function to accept the invalid
* Fix modular inversion function on invalid modulus 1. modulus 1 and therefore to hang. Found by blaufish. #641.
Found by blaufish. Fixes #641. * Fix incorrect sign computation in modular exponentiation when the base is
* Fix incorrect sign computation in modular exponentiation a negative MPI. Previously the result was always negative. Found by Guido
when dealing with negative MPI. Found by Guido Vranken. Vranken.
* Fix potential stack underflow in mpi_read_file. * Fix a numerical underflow leading to stack overflow in mpi_read_file()
Found by Guido Vranken. that was triggered uppon reading an empty line. Found by Guido Vranken.
Changes Changes
* Send fatal alerts in many more cases instead of dropping the connection. * Send fatal alerts in more cases. The previous behaviour was to skip
sending the fatal alert and just drop the connection.
* Clarify ECDSA documentation and improve the sample code to avoid * Clarify ECDSA documentation and improve the sample code to avoid
misunderstandings and potentially dangerous use of the API. Pointed out misunderstanding and potentially dangerous use of the API. Pointed out
by Jean-Philippe Aumasson. by Jean-Philippe Aumasson.
= mbed TLS 2.5.0 branch released 2017-05-17 = mbed TLS 2.5.0 branch released 2017-05-17
Security Security
* Wipe stack buffers in RSA private key operations * Wipe stack buffers in RSA private key operations
(rsa_rsaes_pkcs1_v15_decrypt(), rsa_rsaes_oaep_decrypt). (rsa_rsaes_pkcs1_v15_decrypt(), rsa_rsaes_oaep_decrypt). Found by Laurent
Found by Laurent Simon. Simon.
* Add exponent blinding to RSA private operations as a countermeasure * Add exponent blinding to RSA private operations as a countermeasure
against side-channel attacks like the cache attack described in against side-channel attacks like the cache attack described in
https://arxiv.org/abs/1702.08719v2. https://arxiv.org/abs/1702.08719v2.
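Review bot: typo in the new mpi_read_file() entry, "triggered uppon reading an empty line" should read "upon". The same entry also changes the description of the defect from "potential stack underflow" to "a numerical underflow leading to stack overflow"; please confirm the new wording matches the actual bug before it goes into a release note, since readers will triage on it. Two smaller consistency points in this hunk: "Found by blaufish. #641." carries a trailing period that the other issue references (#823, #864) do not, and the RSA wipe entry writes rsa_rsaes_pkcs1_v15_decrypt() with parentheses but rsa_rsaes_oaep_decrypt without them.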
@ -57,8 +63,10 @@ Security
Clémentine Maurice and Stefan Mangard. Clémentine Maurice and Stefan Mangard.
Features Features
* Exposed parts of the Elliptic Curve Point internal interface, to provide * Add hardware acceleration support for the Elliptic Curve Point module.
interface for external hardware acceleration code. This involved exposing parts of the internal interface to enable
replacing the core functions and adding and alternative, module level
replacement support for enabling the extension of the interface.
* Add a new configuration option to 'mbedtls_ssl_config' to enable * Add a new configuration option to 'mbedtls_ssl_config' to enable
suppressing the CA list in Certificate Request messages. The default suppressing the CA list in Certificate Request messages. The default
behaviour has not changed, namely every configured CAs name is included. behaviour has not changed, namely every configured CAs name is included.
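Review bot: grammar in the new Elliptic Curve Point entry, "adding and alternative, module level replacement support" should be "adding an alternative, module-level replacement"; the trailing clause "for enabling the extension of the interface" is also hard to parse and would read better if it simply stated what the user can now replace (the core point functions, per the preceding sentence).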
@ -74,7 +82,12 @@ API Changes
Bugfix Bugfix
* Remove macros from compat-1.3.h that correspond to deleted items from most * Remove macros from compat-1.3.h that correspond to deleted items from most
recent versions of the library. Found by Kyle Keen. recent versions of the library. Found by Kyle Keen.
* Fixed issue in mutexes to failing to initialise. #667 * Fixed issue in the Threading module that prevented mutexes from
initialising. Found by sznaider. #667 #843
* Add checks in the PK module for the RSA functions on 64-bit systems.
The PK and RSA modules use different types for passing hash length and
without these checks the type cast could lead to data loss. Found by Guido
Vranken.
= mbed TLS 2.4.2 branch released 2017-03-08 = mbed TLS 2.4.2 branch released 2017-03-08
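Review bot: tense mismatch in the Threading entry, "Fixed issue in the Threading module that prevented mutexes from initialising", while every other Bugfix entry in this file uses the imperative ("Fix ...", "Add ...", "Remove ..."); suggest "Fix issue in the Threading module that prevented mutexes from initialising." The new PK/RSA hash-length entry would also benefit from naming the affected functions or an issue number, as the neighbouring entries do, so that readers can locate the added checks.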