From 6a4c340c3626ec4c0947ef64b724e47f80aa8253 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 22 Jan 2020 18:28:24 +0100 Subject: [PATCH] Add changelog entries for the crypto changes in 2.20.0 Describe changes between mbedcrypto-2.0.0 (version in Mbed TLS 2.19.0) and mbedcrypto-3.0.0 (version in Mbed TLS 2.20.0). --- ChangeLog | 60 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 60 insertions(+) diff --git a/ChangeLog b/ChangeLog index 1d3917221..a03d223b2 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -2,6 +2,38 @@ mbed TLS ChangeLog (Sorted per branch, date) = mbed TLS 2.20.0 branch released 2020-01-15 +Default behavior changes + * The initial seeding of a CTR\_DRBG instance makes a second call to the + entropy function to obtain entropy for a nonce if the entropy size is less + than 3/2 times the key size. In case you want to disable the extra call to + grab entropy, you can call `mbedtls_ctr_drbg_set_nonce_len()` to force the + nonce length to 0. + +Security + * Enforce that `mbedtls_entropy_func()` gathers a total of + `MBEDTLS_ENTROPY_BLOCK_SIZE` bytes or more from strong sources. In the + default configuration, on a platform with a single entropy source, the + entropy module formerly only grabbed 32 bytes, which is good enough for + security if the source is genuinely strong, but less than the expected 64 + bytes (size of the entropy accumulator). + +Features + * Key derivation inputs in the PSA API can now either come from a key object + or from a buffer regardless of the step type. + * The CTR_DRBG module can grab a nonce from the entropy source during the + initial seeding. The default nonce length is chosen based on the key size + to achieve the security strength defined by NIST SP 800-90A. You can + change it with `mbedtls_ctr_drbg_set_nonce_len()`. + * Add ENUMERATED tag support to the ASN.1 module. Contributed by + msopiha-linaro in #307. + +API changes + * In the PSA API, forbid zero-length keys. To pass a zero-length input to a + key derivation function, use a buffer instead (this is now always + possible). + * Rename `psa_asymmetric_sign()` to `psa_sign_hash()` and + `psa_asymmetric_verify()` to `psa_verify_hash()`. + Bugfix * Fix an incorrect size in a debugging message. Reported and fix submitted by irwir. Fixes #2717. 
@@ -9,6 +41,34 @@ Bugfix Reported and fix submitted by irwir. Fixes #2800. * Remove a useless assignment. Reported and fix submitted by irwir. Fixes #2801. + * Fix a buffer overflow in the PSA HMAC code when using a long key with an + unsupported algorithm. Fixes #254. + * Fix `mbedtls_asn1_get_int` to support any number of leading zeros. Credit + to OSS-Fuzz for finding a bug in an intermediate version of the fix. + * Fix `mbedtls_asn1_get_bitstring_null` to correctly parse bitstrings of at + most 2 bytes. + * `mbedtls_ctr_drbg_set_entropy_len()` and + `mbedtls_hmac_drbg_set_entropy_len()` now work if you call them before + `mbedtls_ctr_drbg_seed()` or `mbedtls_hmac_drbg_seed()`. + * Fix some false-positive uninitialized variable warnings. Fix contributed + by apple-ihack-geek in ARMmbed/mbedtls#2663. + +Changes + * Remove the technical possibility to define custom `mbedtls_md_info` + structures, which was exposed only in an internal header. + * `psa_close_key(0)` and `psa_destroy_key(0)` now succeed (doing nothing, as + before). + * Variables containing error codes are now initialized to an error code + rather than success, so that coding mistakes or memory corruption tends to + cause functions to return this error code rather than a success. There are + no known instances where this changes the behavior of the library: this is + merely a robustness improvement. #323 + * Remove a useless call to `mbedtls_ecp_group_free()`. Contributed by + Alexander Krizhanovsky in #210. + * Speed up PBKDF2 by caching the digest calculation. Contributed by Jack + Lloyd and Fortanix Inc in #277. + * Small performance improvement of `mbedtls_mpi_div_mpi()`. Contributed by + Alexander Krizhanovsky in #308. = mbed TLS 2.19.1 branch released 2019-09-16
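Review bot: In the first hunk, the "Default behavior changes" entry writes `CTR\_DRBG` with a backslash-escaped underscore while the "Features" entry in the same hunk writes `CTR_DRBG`; the ChangeLog is plain text, so the backslash will be rendered literally and should be dropped. The same entry describes the extra entropy call but not its consequence, which is the point a user of a constrained platform needs: say what `mbedtls_ctr_drbg_seed()` does when the source cannot supply the additional bytes, so readers know whether to expect a seeding error and whether `mbedtls_ctr_drbg_set_nonce_len()` with 0 is the intended escape hatch. Likewise the "Security" entry about `mbedtls_entropy_func()` has no issue or PR reference, unlike the `#307` entry two sections below; a reference would let readers audit the change.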
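Review bot: In the second hunk the issue references are ambiguous: `Fixes #254`, `#323`, `#210`, `#277` and `#308` are bare numbers, while the uninitialized-variable entry qualifies its reference as `ARMmbed/mbedtls#2663`. The commit message says these entries describe changes between mbedcrypto-2.0.0 and mbedcrypto-3.0.0, so the bare numbers presumably refer to the Mbed Crypto tracker, but in the Mbed TLS ChangeLog a reader will resolve them against Mbed TLS issues (where #254 and #323 are different tickets). Qualify every cross-repository reference with its repository name, as the mbedtls#2663 entry already does. Consider also moving "Fix a buffer overflow in the PSA HMAC code when using a long key with an unsupported algorithm" from "Bugfix" to the "Security" section added in the first hunk, since a buffer overflow reachable through an API input is what that section exists to flag. Minor: "coding mistakes or memory corruption tends to cause" should read "tend to cause".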