From 7ac5fd18617c0b63457c8017156f3ba30226cf25 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Wed, 9 Dec 2020 15:03:46 +0000 Subject: [PATCH] Assemble ChangeLog Executed scripts/assemble_changelog.py. 
Signed-off-by: Janos Follath --- ChangeLog | 171 ++++++++++++++++++ ChangeLog.d/AES_SETKEY_ALT-fix.txt | 5 - ChangeLog.d/_GNU_SOURCE-redefined.txt | 3 - ChangeLog.d/add-aes-ecb-to-psa.txt | 2 - .../add_MBEDTLS_TARGET_PREFIX_to_cmake.txt | 6 - ChangeLog.d/add_cipher_transparent_driver.txt | 4 - ChangeLog.d/add_export_public_key_driver.txt | 3 - ..._sign_verify_keygen_transparent_driver.txt | 4 - ChangeLog.d/add_validate_key_driver.txt | 3 - .../adjusting sliding_window_size_PR3592.txt | 3 - ChangeLog.d/aes-zeroize-pointer.txt | 5 - ChangeLog.d/android-socklen_t.txt | 3 - ChangeLog.d/arc4random_buf-implicit.txt | 3 - ChangeLog.d/bugfix-2927.txt | 3 - ChangeLog.d/bugfix_3524.txt | 3 - ChangeLog.d/bugfix_3782.txt | 2 - ChangeLog.d/bugfix_3794.txt | 4 - ChangeLog.d/bugfix_PR3294.txt | 4 - ChangeLog.d/cipher-auth-crypt-nist-kw.txt | 23 --- ChangeLog.d/clean_pem_buffers.txt | 6 - ChangeLog.d/ecb_iv_fix.txt | 3 - ChangeLog.d/ecp-bignum-error-checks.txt | 5 - ChangeLog.d/ecp_curve_list.txt | 5 - ChangeLog.d/error-include-string.txt | 2 - ChangeLog.d/feature-dtls-srtp.txt | 3 - ChangeLog.d/fix-rsa-blinding.txt | 6 - ChangeLog.d/fix_ccm_add_length_check.txt | 5 - ...it_size_of_diffie_hellman_calculations.txt | 4 - ChangeLog.d/minimum_cmake_version_PR3802.txt | 3 - ...sage-arguments_mbedtls_ssl_decrypt_buf.txt | 2 - ChangeLog.d/mpi_fill_random-rng_failure.txt | 8 - .../psa-crypto-api-iv-nonce-macros-1.0.0.txt | 4 - ChangeLog.d/psa-crypto-api-values-1.0.0.txt | 9 - ChangeLog.d/psa-openless.txt | 17 -- ...rgument_for_invalid_cipher_input_sizes.txt | 4 - ChangeLog.d/psa_generate_key-curve25519.txt | 3 - .../support-ecdh-kdf-with-ecdh-key.txt | 6 - ...agreement-and-derivation-output-as-key.txt | 4 - .../systematically_store_bit_size_3740.txt | 6 - ...x509-add-tag-check-to-algorithm-params.txt | 11 -- ...ons_of_sensitive_data_in_PKCS5_and_SHA.txt | 6 - 41 files changed, 171 insertions(+), 205 deletions(-) delete mode 100644 ChangeLog.d/AES_SETKEY_ALT-fix.txt delete mode 100644 
ChangeLog.d/_GNU_SOURCE-redefined.txt delete mode 100644 ChangeLog.d/add-aes-ecb-to-psa.txt delete mode 100644 ChangeLog.d/add_MBEDTLS_TARGET_PREFIX_to_cmake.txt delete mode 100644 ChangeLog.d/add_cipher_transparent_driver.txt delete mode 100644 ChangeLog.d/add_export_public_key_driver.txt delete mode 100644 ChangeLog.d/add_sign_verify_keygen_transparent_driver.txt delete mode 100644 ChangeLog.d/add_validate_key_driver.txt delete mode 100644 ChangeLog.d/adjusting sliding_window_size_PR3592.txt delete mode 100644 ChangeLog.d/aes-zeroize-pointer.txt delete mode 100644 ChangeLog.d/android-socklen_t.txt delete mode 100644 ChangeLog.d/arc4random_buf-implicit.txt delete mode 100644 ChangeLog.d/bugfix-2927.txt delete mode 100644 ChangeLog.d/bugfix_3524.txt delete mode 100644 ChangeLog.d/bugfix_3782.txt delete mode 100644 ChangeLog.d/bugfix_3794.txt delete mode 100644 ChangeLog.d/bugfix_PR3294.txt delete mode 100644 ChangeLog.d/cipher-auth-crypt-nist-kw.txt delete mode 100644 ChangeLog.d/clean_pem_buffers.txt delete mode 100644 ChangeLog.d/ecb_iv_fix.txt delete mode 100644 ChangeLog.d/ecp-bignum-error-checks.txt delete mode 100644 ChangeLog.d/ecp_curve_list.txt delete mode 100644 ChangeLog.d/error-include-string.txt delete mode 100644 ChangeLog.d/feature-dtls-srtp.txt delete mode 100644 ChangeLog.d/fix-rsa-blinding.txt delete mode 100644 ChangeLog.d/fix_ccm_add_length_check.txt delete mode 100644 ChangeLog.d/limit_size_of_diffie_hellman_calculations.txt delete mode 100644 ChangeLog.d/minimum_cmake_version_PR3802.txt delete mode 100644 ChangeLog.d/missing-debug-message-arguments_mbedtls_ssl_decrypt_buf.txt delete mode 100644 ChangeLog.d/mpi_fill_random-rng_failure.txt delete mode 100644 ChangeLog.d/psa-crypto-api-iv-nonce-macros-1.0.0.txt delete mode 100644 ChangeLog.d/psa-crypto-api-values-1.0.0.txt delete mode 100644 ChangeLog.d/psa-openless.txt delete mode 100644 ChangeLog.d/psa_error_invalid_argument_for_invalid_cipher_input_sizes.txt delete mode 100644 
ChangeLog.d/psa_generate_key-curve25519.txt delete mode 100644 ChangeLog.d/support-ecdh-kdf-with-ecdh-key.txt delete mode 100644 ChangeLog.d/support-key-agreement-and-derivation-output-as-key.txt delete mode 100644 ChangeLog.d/systematically_store_bit_size_3740.txt delete mode 100644 ChangeLog.d/x509-add-tag-check-to-algorithm-params.txt delete mode 100644 ChangeLog.d/zeroizations_of_sensitive_data_in_PKCS5_and_SHA.txt diff --git a/ChangeLog b/ChangeLog index 594c3cf4a..f8cd778a8 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -1,5 +1,176 @@ mbed TLS ChangeLog (Sorted per branch, date) += mbed TLS x.x.x branch released xxxx-xx-xx + +API changes + * The numerical values of the PSA Crypto API macros have been updated to + conform to version 1.0.0 of the specification. + * PSA_ALG_STREAM_CIPHER replaces PSA_ALG_CHACHA20 and PSA_ALG_ARC4. + The underlying stream cipher is determined by the key type + (PSA_KEY_TYPE_CHACHA20 or PSA_KEY_TYPE_ARC4). + * The functions mbedtls_cipher_auth_encrypt() and + mbedtls_cipher_auth_decrypt() no longer accept NIST_KW contexts, + as they have no way to check if the output buffer is large enough. + Please use mbedtls_cipher_auth_encrypt_ext() and + mbedtls_cipher_auth_decrypt_ext() instead. Credit to OSS-Fuzz and + Cryptofuzz. Fixes #3665. + +Requirement changes + * Update the minimum required CMake version to 2.8.12. + * This silences a warning on CMake 3.19.0. #3801 + +New deprecations + * PSA_KEY_TYPE_CHACHA20 and PSA_KEY_TYPE_ARC4 have been deprecated. + Use PSA_ALG_STREAM_CIPHER instead. + * The functions mbedtls_cipher_auth_encrypt() and + mbedtls_cipher_auth_decrypt() are deprecated in favour of the new + functions mbedtls_cipher_auth_encrypt_ext() and + mbedtls_cipher_auth_decrypt_ext(). Please note that with AEAD ciphers, + these new functions always append the tag to the ciphertext, and include + the tag in the ciphertext length. + +Features + * Partial implementation of the new PSA Crypto accelerator APIs for + enabling key generation and asymmetric signing/verification through crypto + accelerators. Contributed by Steven Cooreman in #3501. + * Add support for ECB to the PSA cipher API. + * Partial implementation of the new PSA Crypto accelerator APIs for + enabling symmetric cipher acceleration through crypto accelerators. + Contributed by Steven Cooreman in #3644. 
+ * In PSA, allow using a key declared with a base key agreement algorithm + in combined key agreement and derivation operations, as long as the key + agreement algorithm in use matches the algorithm the key was declared with. + This is currently non-standard behaviour, but expected to make it into a + future revision of the PSA Crypto standard. + * Add MBEDTLS_TARGET_PREFIX CMake variable, which is prefixed to the mbedtls, + mbedcrypto, mbedx509 and apidoc CMake target names. This can be used by + external CMake projects that include this one to avoid CMake target name + clashes. The default value of this variable is "", so default target names + are unchanged. + * Add support for DTLS-SRTP as defined in RFC 5764. Contributed by Johan + Pascal, improved by Ron Eldor. + * In the PSA API, it is no longer necessary to open persistent keys: + operations now accept the key identifier. The type psa_key_handle_t is now + identical to psa_key_id_t instead of being platform-defined. This bridges + the last major gap to compliance with the PSA Cryptography specification + version 1.0.0. Opening persistent keys is still supported for backward + compatibility, but will be deprecated and later removed in future + releases. + * Implementation of the export_public_key interface for PSA Crypto + accelerator drivers, as defined in #3493. Contributed in #3786. + * Implementation of the validate_key entry point for PSA Crypto accelerator + drivers as defined in #3695. + * PSA_AEAD_NONCE_LENGTH, PSA_AEAD_NONCE_MAX_SIZE, PSA_CIPHER_IV_LENGTH and + PSA_CIPHER_IV_MAX_SIZE macros have been added as defined in version + 1.0.0 of the PSA Crypto API specification. + +Security + * The functions mbedtls_cipher_auth_encrypt() and + mbedtls_cipher_auth_decrypt() would write past the minimum documented + size of the output buffer when used with NIST_KW. 
As a result, code using + those functions as documented with NIST_KW could have a buffer overwrite + of up to 15 bytes, with consequences ranging up to arbitrary code + execution depending on the location of the output buffer. + * Limit the size of calculations performed by mbedtls_mpi_exp_mod to + MBEDTLS_MPI_MAX_SIZE to prevent a potential denial of service when + generating Diffie-Hellman key pairs. Credit to OSS-Fuzz. + * A failure of the random generator was ignored in mbedtls_mpi_fill_random(), + which is how most uses of randomization in asymmetric cryptography + (including key generation, intermediate value randomization and blinding) + are implemented. This could cause failures or the silent use of non-random + values. A random generator can fail if it needs reseeding and cannot not + obtain entropy, or due to an internal failure (which, for Mbed TLS's own + CTR_DRBG or HMAC_DRBG, can only happen due to a misconfiguration). + * Fix a compliance issue whereby we were not checking the tag on the + algorithm parameters (only the size) when comparing the signature in the + description part of the cert to the real signature. This meant that a + NULL algorithm parameters entry would look identical to an array of REAL + (size zero) to the library and thus the certificate would be considered + valid. However, if the parameters do not match in *any* way then the + certificate should be considered invalid, and indeed OpenSSL marks these + certs as invalid when mbedtls did not. + Many thanks to guidovranken who found this issue via differential fuzzing + and reported it in #3629. + * Zeroising of local buffers and variables which are used for calculations + in mbedtls_pkcs5_pbkdf2_hmac(), mbedtls_internal_sha*_process(), + mbedtls_internal_md*_process() and mbedtls_internal_ripemd160_process() + functions to erase sensitive data from memory. Reported by + Johan Malmgren and Johan Uppman Bruce from Sectra. 
+ +Bugfix + * Fix build failure in configurations where MBEDTLS_USE_PSA_CRYPTO is + enabled but ECDSA is disabled. Contributed by jdurkop. Fixes #3294. + * Include the psa_constant_names generated source code in the source tree + instead of generating it at build time. Fixes #3524. + * Fix rsa_prepare_blinding() to retry when the blinding value is not + invertible (mod N), instead of returning MBEDTLS_ERR_RSA_RNG_FAILED. This + addresses a regression but is rare in practice (approx. 1 in 2/sqrt(N)). + Found by Synopsys Coverity, fix contributed by Peter Kolbus (Garmin). + Fixes #3647. + * Use socklen_t on Android and other POSIX-compliant system + * Fix the build when the macro _GNU_SOURCE is defined to a non-empty value. + Fix #3432. + * Consistently return PSA_ERROR_INVALID_ARGUMENT on invalid cipher input + sizes (instead of PSA_ERROR_BAD_STATE in some cases) to make the + psa_cipher_* functions compliant with the PSA Crypto API specification. + * mbedtls_ecp_curve_list() now lists Curve25519 and Curve448 under the names + "x25519" and "x448". These curves support ECDH but not ECDSA. If you need + only the curves that support ECDSA, filter the list with + mbedtls_ecdsa_can_do(). + * Fix psa_generate_key() returning an error when asked to generate + an ECC key pair on Curve25519 or secp244k1. + * Fix psa_key_derivation_output_key() to allow the output of a combined key + agreement and subsequent key derivation operation to be used as a key + inside of the PSA Crypto core. + * Fix handling of EOF against 0xff bytes and on platforms with unsigned + chars. Fixes a build failure on platforms where char is unsigned. Fixes + #3794. + * Fix an off-by-one error in the additional data length check for + CCM, which allowed encryption with a non-standard length field. + Fixes #3719. + * Correct the default IV size for mbedtls_cipher_info_t structures using + MBEDTLS_MODE_ECB to 0, since ECB mode ciphers don't use IVs. 
+ * Make arc4random_buf available on NetBSD and OpenBSD when _POSIX_C_SOURCE is + defined. Fix contributed in #3571. + * Fix conditions for including string.h in error.c. Fixes #3866. + * psa_set_key_id() now also sets the lifetime to persistent for keys located + in a secure element. + * Attempting to create a volatile key with a non-zero key identifier now + fails. Previously the key identifier was just ignored when creating a + volatile key. + * Attempting to create or register a key with a key identifier in the vendor + range now fails. + * Fix build failures on GCC 11. Fixes #3782. + * Add missing arguments of debug message in mbedtls_ssl_decrypt_buf. + * Fix a memory leak in mbedtls_mpi_sub_abs() when the result was negative + (an error condition) and the second operand was aliased to the result. + * Fix a case in elliptic curve arithmetic where an out-of-memory condition + could go undetected, resulting in an incorrect result. + * In CTR_DRBG and HMAC_DRBG, don't reset the reseed interval in seed(). + Fixes #2927. + * In PEM writing functions, fill the trailing part of the buffer with null + bytes. This guarantees that the corresponding parsing function can read + the buffer back, which was the case for mbedtls_x509write_{crt,csr}_pem + until this property was inadvertently broken in Mbed TLS 2.19.0. + Fixes #3682. + * Fix a build failure that occurred with the MBEDTLS_AES_SETKEY_DEC_ALT + option on. In this configuration key management methods that are required + for MBEDTLS_CIPHER_MODE_XTS were excluded from the build and made it fail. + Fixes #3818. Reported by John Stroebel. + +Changes + * Reduce stack usage significantly during sliding window exponentiation. + Reported in #3591 and fix contributed in #3592 by Daniel Otte. + * The PSA persistent storage format is updated to always store the key bits + attribute. No automatic upgrade path is provided. 
Previously stored keys + must be erased, or manually upgraded based on the key storage format + specification (docs/architecture/mbed-crypto-storage-specification.md). + Fixes #3740. + * Remove the zeroization of a pointer variable in AES rounds. It was valid + but spurious and misleading since it looked like a mistaken attempt to + zeroize the pointed-to buffer. Reported by Antonio de la Piedra, CEA + Leti, France. + = mbed TLS 2.24.0 branch released 2020-09-01 API changes diff --git a/ChangeLog.d/AES_SETKEY_ALT-fix.txt b/ChangeLog.d/AES_SETKEY_ALT-fix.txt deleted file mode 100644 index a0d1679d2..000000000 --- a/ChangeLog.d/AES_SETKEY_ALT-fix.txt +++ /dev/null @@ -1,5 +0,0 @@ -Bugfix - * Fix a build failure that occurred with the MBEDTLS_AES_SETKEY_DEC_ALT - option on. In this configuration key management methods that are required - for MBEDTLS_CIPHER_MODE_XTS were excluded from the build and made it fail. - Fixes #3818. Reported by John Stroebel. diff --git a/ChangeLog.d/_GNU_SOURCE-redefined.txt b/ChangeLog.d/_GNU_SOURCE-redefined.txt deleted file mode 100644 index 59c8a153f..000000000 --- a/ChangeLog.d/_GNU_SOURCE-redefined.txt +++ /dev/null @@ -1,3 +0,0 @@ -Bugfix - * Fix the build when the macro _GNU_SOURCE is defined to a non-empty value. - Fix #3432. diff --git a/ChangeLog.d/add-aes-ecb-to-psa.txt b/ChangeLog.d/add-aes-ecb-to-psa.txt deleted file mode 100644 index b0de67c4e..000000000 --- a/ChangeLog.d/add-aes-ecb-to-psa.txt +++ /dev/null @@ -1,2 +0,0 @@ -Features - * Add support for ECB to the PSA cipher API. diff --git a/ChangeLog.d/add_MBEDTLS_TARGET_PREFIX_to_cmake.txt b/ChangeLog.d/add_MBEDTLS_TARGET_PREFIX_to_cmake.txt deleted file mode 100644 index 533f309ab..000000000 --- a/ChangeLog.d/add_MBEDTLS_TARGET_PREFIX_to_cmake.txt +++ /dev/null 
@@ -1,6 +0,0 @@ -Features - * Add MBEDTLS_TARGET_PREFIX CMake variable, which is prefixed to the mbedtls, - mbedcrypto, mbedx509 and apidoc CMake target names. This can be used by - external CMake projects that include this one to avoid CMake target name - clashes. The default value of this variable is "", so default target names - are unchanged. diff --git a/ChangeLog.d/add_cipher_transparent_driver.txt b/ChangeLog.d/add_cipher_transparent_driver.txt deleted file mode 100644 index ce6f33d0d..000000000 --- a/ChangeLog.d/add_cipher_transparent_driver.txt +++ /dev/null @@ -1,4 +0,0 @@ -Features - * Partial implementation of the new PSA Crypto accelerator APIs for - enabling symmetric cipher acceleration through crypto accelerators. - Contributed by Steven Cooreman in #3644. diff --git a/ChangeLog.d/add_export_public_key_driver.txt b/ChangeLog.d/add_export_public_key_driver.txt deleted file mode 100644 index dc13131a7..000000000 --- a/ChangeLog.d/add_export_public_key_driver.txt +++ /dev/null @@ -1,3 +0,0 @@ -Features - * Implementation of the export_public_key interface for PSA Crypto - accelerator drivers, as defined in #3493. Contributed in #3786. diff --git a/ChangeLog.d/add_sign_verify_keygen_transparent_driver.txt b/ChangeLog.d/add_sign_verify_keygen_transparent_driver.txt deleted file mode 100644 index fe4389992..000000000 --- a/ChangeLog.d/add_sign_verify_keygen_transparent_driver.txt +++ /dev/null @@ -1,4 +0,0 @@ -Features - * Partial implementation of the new PSA Crypto accelerator APIs for - enabling key generation and asymmetric signing/verification through crypto - accelerators. Contributed by Steven Cooreman in #3501. diff --git a/ChangeLog.d/add_validate_key_driver.txt b/ChangeLog.d/add_validate_key_driver.txt deleted file mode 100644 index 0d569695d..000000000 --- a/ChangeLog.d/add_validate_key_driver.txt +++ /dev/null @@ -1,3 +0,0 @@ -Features - * Implementation of the validate_key entry point for PSA Crypto accelerator - drivers as defined in #3695. 
diff --git a/ChangeLog.d/adjusting sliding_window_size_PR3592.txt b/ChangeLog.d/adjusting sliding_window_size_PR3592.txt deleted file mode 100644 index 608956541..000000000 --- a/ChangeLog.d/adjusting sliding_window_size_PR3592.txt +++ /dev/null @@ -1,3 +0,0 @@ -Changes - * Reduce stack usage significantly during sliding window exponentiation. - Reported in #3591 and fix contributed in #3592 by Daniel Otte. diff --git a/ChangeLog.d/aes-zeroize-pointer.txt b/ChangeLog.d/aes-zeroize-pointer.txt deleted file mode 100644 index ccc6dc159..000000000 --- a/ChangeLog.d/aes-zeroize-pointer.txt +++ /dev/null @@ -1,5 +0,0 @@ -Changes - * Remove the zeroization of a pointer variable in AES rounds. It was valid - but spurious and misleading since it looked like a mistaken attempt to - zeroize the pointed-to buffer. Reported by Antonio de la Piedra, CEA - Leti, France. diff --git a/ChangeLog.d/android-socklen_t.txt b/ChangeLog.d/android-socklen_t.txt deleted file mode 100644 index d795a5274..000000000 --- a/ChangeLog.d/android-socklen_t.txt +++ /dev/null @@ -1,3 +0,0 @@ -Bugfix - * Use socklen_t on Android and other POSIX-compliant system - diff --git a/ChangeLog.d/arc4random_buf-implicit.txt b/ChangeLog.d/arc4random_buf-implicit.txt deleted file mode 100644 index 81c245e67..000000000 --- a/ChangeLog.d/arc4random_buf-implicit.txt +++ /dev/null @@ -1,3 +0,0 @@ -Bugfix - * Make arc4random_buf available on NetBSD and OpenBSD when _POSIX_C_SOURCE is - defined. Fix contributed in #3571. diff --git a/ChangeLog.d/bugfix-2927.txt b/ChangeLog.d/bugfix-2927.txt deleted file mode 100644 index 2213c6ee4..000000000 --- a/ChangeLog.d/bugfix-2927.txt +++ /dev/null @@ -1,3 +0,0 @@ -Bugfix - * In CTR_DRBG and HMAC_DRBG, don't reset the reseed interval in seed(). - Fixes #2927. diff --git a/ChangeLog.d/bugfix_3524.txt b/ChangeLog.d/bugfix_3524.txt deleted file mode 100644 index e3ee01ea4..000000000 --- a/ChangeLog.d/bugfix_3524.txt +++ /dev/null 
@@ -1,3 +0,0 @@ -Bugfix - * Include the psa_constant_names generated source code in the source tree - instead of generating it at build time. Fixes #3524. diff --git a/ChangeLog.d/bugfix_3782.txt b/ChangeLog.d/bugfix_3782.txt deleted file mode 100644 index a92dffa28..000000000 --- a/ChangeLog.d/bugfix_3782.txt +++ /dev/null @@ -1,2 +0,0 @@ -Bugfix - * Fix build failures on GCC 11. Fixes #3782. diff --git a/ChangeLog.d/bugfix_3794.txt b/ChangeLog.d/bugfix_3794.txt deleted file mode 100644 index bcb7fbf78..000000000 --- a/ChangeLog.d/bugfix_3794.txt +++ /dev/null @@ -1,4 +0,0 @@ -Bugfix - * Fix handling of EOF against 0xff bytes and on platforms with unsigned - chars. Fixes a build failure on platforms where char is unsigned. Fixes - #3794. diff --git a/ChangeLog.d/bugfix_PR3294.txt b/ChangeLog.d/bugfix_PR3294.txt deleted file mode 100644 index a6ea75e05..000000000 --- a/ChangeLog.d/bugfix_PR3294.txt +++ /dev/null @@ -1,4 +0,0 @@ -Bugfix - * Fix build failure in configurations where MBEDTLS_USE_PSA_CRYPTO is - enabled but ECDSA is disabled. Contributed by jdurkop. Fixes #3294. - diff --git a/ChangeLog.d/cipher-auth-crypt-nist-kw.txt b/ChangeLog.d/cipher-auth-crypt-nist-kw.txt deleted file mode 100644 index fd18e859a..000000000 --- a/ChangeLog.d/cipher-auth-crypt-nist-kw.txt +++ /dev/null 
@@ -1,23 +0,0 @@ -API changes - * The functions mbedtls_cipher_auth_encrypt() and - mbedtls_cipher_auth_decrypt() no longer accept NIST_KW contexts, - as they have no way to check if the output buffer is large enough. - Please use mbedtls_cipher_auth_encrypt_ext() and - mbedtls_cipher_auth_decrypt_ext() instead. Credit to OSS-Fuzz and - Cryptofuzz. Fixes #3665. - -Security - * The functions mbedtls_cipher_auth_encrypt() and - mbedtls_cipher_auth_decrypt() would write past the minimum documented - size of the output buffer when used with NIST_KW. As a result, code using - those functions as documented with NIST_KW could have a buffer overwrite - of up to 15 bytes, with consequences ranging up to arbitrary code - execution depending on the location of the output buffer. - -New deprecations - * The functions mbedtls_cipher_auth_encrypt() and - mbedtls_cipher_auth_decrypt() are deprecated in favour of the new - functions mbedtls_cipher_auth_encrypt_ext() and - mbedtls_cipher_auth_decrypt_ext(). Please note that with AEAD ciphers, - these new functions always append the tag to the ciphertext, and include - the tag in the ciphertext length. diff --git a/ChangeLog.d/clean_pem_buffers.txt b/ChangeLog.d/clean_pem_buffers.txt deleted file mode 100644 index 5f796496f..000000000 --- a/ChangeLog.d/clean_pem_buffers.txt +++ /dev/null @@ -1,6 +0,0 @@ -Bugfix - * In PEM writing functions, fill the trailing part of the buffer with null - bytes. This guarantees that the corresponding parsing function can read - the buffer back, which was the case for mbedtls_x509write_{crt,csr}_pem - until this property was inadvertently broken in Mbed TLS 2.19.0. - Fixes #3682. diff --git a/ChangeLog.d/ecb_iv_fix.txt b/ChangeLog.d/ecb_iv_fix.txt deleted file mode 100644 index ae2ae2543..000000000 --- a/ChangeLog.d/ecb_iv_fix.txt +++ /dev/null 
@@ -1,3 +0,0 @@ -Bugfix - * Correct the default IV size for mbedtls_cipher_info_t structures using - MBEDTLS_MODE_ECB to 0, since ECB mode ciphers don't use IVs. diff --git a/ChangeLog.d/ecp-bignum-error-checks.txt b/ChangeLog.d/ecp-bignum-error-checks.txt deleted file mode 100644 index 8cad08e97..000000000 --- a/ChangeLog.d/ecp-bignum-error-checks.txt +++ /dev/null @@ -1,5 +0,0 @@ -Bugfix - * Fix a memory leak in mbedtls_mpi_sub_abs() when the result was negative - (an error condition) and the second operand was aliased to the result. - * Fix a case in elliptic curve arithmetic where an out-of-memory condition - could go undetected, resulting in an incorrect result. diff --git a/ChangeLog.d/ecp_curve_list.txt b/ChangeLog.d/ecp_curve_list.txt deleted file mode 100644 index 55745d38d..000000000 --- a/ChangeLog.d/ecp_curve_list.txt +++ /dev/null @@ -1,5 +0,0 @@ -Bugfix - * mbedtls_ecp_curve_list() now lists Curve25519 and Curve448 under the names - "x25519" and "x448". These curves support ECDH but not ECDSA. If you need - only the curves that support ECDSA, filter the list with - mbedtls_ecdsa_can_do(). diff --git a/ChangeLog.d/error-include-string.txt b/ChangeLog.d/error-include-string.txt deleted file mode 100644 index 0a12c7bec..000000000 --- a/ChangeLog.d/error-include-string.txt +++ /dev/null @@ -1,2 +0,0 @@ -Bugfix - * Fix conditions for including string.h in error.c. Fixes #3866. diff --git a/ChangeLog.d/feature-dtls-srtp.txt b/ChangeLog.d/feature-dtls-srtp.txt deleted file mode 100644 index af8bfe801..000000000 --- a/ChangeLog.d/feature-dtls-srtp.txt +++ /dev/null @@ -1,3 +0,0 @@ -Features - * Add support for DTLS-SRTP as defined in RFC 5764. Contributed by Johan - Pascal, improved by Ron Eldor. diff --git a/ChangeLog.d/fix-rsa-blinding.txt b/ChangeLog.d/fix-rsa-blinding.txt deleted file mode 100644 index a13572c9a..000000000 --- a/ChangeLog.d/fix-rsa-blinding.txt +++ /dev/null 
@@ -1,6 +0,0 @@ -Bugfix - * Fix rsa_prepare_blinding() to retry when the blinding value is not - invertible (mod N), instead of returning MBEDTLS_ERR_RSA_RNG_FAILED. This - addresses a regression but is rare in practice (approx. 1 in 2/sqrt(N)). - Found by Synopsys Coverity, fix contributed by Peter Kolbus (Garmin). - Fixes #3647. diff --git a/ChangeLog.d/fix_ccm_add_length_check.txt b/ChangeLog.d/fix_ccm_add_length_check.txt deleted file mode 100644 index 259399fd4..000000000 --- a/ChangeLog.d/fix_ccm_add_length_check.txt +++ /dev/null @@ -1,5 +0,0 @@ -Bugfix - * Fix an off-by-one error in the additional data length check for - CCM, which allowed encryption with a non-standard length field. - Fixes #3719. - diff --git a/ChangeLog.d/limit_size_of_diffie_hellman_calculations.txt b/ChangeLog.d/limit_size_of_diffie_hellman_calculations.txt deleted file mode 100644 index 2ba98d541..000000000 --- a/ChangeLog.d/limit_size_of_diffie_hellman_calculations.txt +++ /dev/null @@ -1,4 +0,0 @@ -Security - * Limit the size of calculations performed by mbedtls_mpi_exp_mod to - MBEDTLS_MPI_MAX_SIZE to prevent a potential denial of service when - generating Diffie-Hellman key pairs. Credit to OSS-Fuzz. diff --git a/ChangeLog.d/minimum_cmake_version_PR3802.txt b/ChangeLog.d/minimum_cmake_version_PR3802.txt deleted file mode 100644 index a24b854cb..000000000 --- a/ChangeLog.d/minimum_cmake_version_PR3802.txt +++ /dev/null @@ -1,3 +0,0 @@ -Requirement changes - * Update the minimum required CMake version to 2.8.12. - * This silences a warning on CMake 3.19.0. #3801 diff --git a/ChangeLog.d/missing-debug-message-arguments_mbedtls_ssl_decrypt_buf.txt b/ChangeLog.d/missing-debug-message-arguments_mbedtls_ssl_decrypt_buf.txt deleted file mode 100644 index 2f1126439..000000000 --- a/ChangeLog.d/missing-debug-message-arguments_mbedtls_ssl_decrypt_buf.txt +++ /dev/null @@ -1,2 +0,0 @@ -Bugfix - * Add missing arguments of debug message in mbedtls_ssl_decrypt_buf. 
diff --git a/ChangeLog.d/mpi_fill_random-rng_failure.txt b/ChangeLog.d/mpi_fill_random-rng_failure.txt deleted file mode 100644 index 8addf180c..000000000 --- a/ChangeLog.d/mpi_fill_random-rng_failure.txt +++ /dev/null @@ -1,8 +0,0 @@ -Security - * A failure of the random generator was ignored in mbedtls_mpi_fill_random(), - which is how most uses of randomization in asymmetric cryptography - (including key generation, intermediate value randomization and blinding) - are implemented. This could cause failures or the silent use of non-random - values. A random generator can fail if it needs reseeding and cannot not - obtain entropy, or due to an internal failure (which, for Mbed TLS's own - CTR_DRBG or HMAC_DRBG, can only happen due to a misconfiguration). diff --git a/ChangeLog.d/psa-crypto-api-iv-nonce-macros-1.0.0.txt b/ChangeLog.d/psa-crypto-api-iv-nonce-macros-1.0.0.txt deleted file mode 100644 index 07e00e649..000000000 --- a/ChangeLog.d/psa-crypto-api-iv-nonce-macros-1.0.0.txt +++ /dev/null @@ -1,4 +0,0 @@ -Features - * PSA_AEAD_NONCE_LENGTH, PSA_AEAD_NONCE_MAX_SIZE, PSA_CIPHER_IV_LENGTH and - PSA_CIPHER_IV_MAX_SIZE macros have been added as defined in version - 1.0.0 of the PSA Crypto API specification. diff --git a/ChangeLog.d/psa-crypto-api-values-1.0.0.txt b/ChangeLog.d/psa-crypto-api-values-1.0.0.txt deleted file mode 100644 index 0bd376417..000000000 --- a/ChangeLog.d/psa-crypto-api-values-1.0.0.txt +++ /dev/null @@ -1,9 +0,0 @@ -API changes - * The numerical values of the PSA Crypto API macros have been updated to - conform to version 1.0.0 of the specification. - * PSA_ALG_STREAM_CIPHER replaces PSA_ALG_CHACHA20 and PSA_ALG_ARC4. - The underlying stream cipher is determined by the key type - (PSA_KEY_TYPE_CHACHA20 or PSA_KEY_TYPE_ARC4). -New deprecations - * PSA_KEY_TYPE_CHACHA20 and PSA_KEY_TYPE_ARC4 have been deprecated. - Use PSA_ALG_STREAM_CIPHER instead. 
diff --git a/ChangeLog.d/psa-openless.txt b/ChangeLog.d/psa-openless.txt deleted file mode 100644 index 2e40cdff8..000000000 --- a/ChangeLog.d/psa-openless.txt +++ /dev/null @@ -1,17 +0,0 @@ -Features - * In the PSA API, it is no longer necessary to open persistent keys: - operations now accept the key identifier. The type psa_key_handle_t is now - identical to psa_key_id_t instead of being platform-defined. This bridges - the last major gap to compliance with the PSA Cryptography specification - version 1.0.0. Opening persistent keys is still supported for backward - compatibility, but will be deprecated and later removed in future - releases. - -Bugfix - * psa_set_key_id() now also sets the lifetime to persistent for keys located - in a secure element. - * Attempting to create a volatile key with a non-zero key identifier now - fails. Previously the key identifier was just ignored when creating a - volatile key. - * Attempting to create or register a key with a key identifier in the vendor - range now fails. diff --git a/ChangeLog.d/psa_error_invalid_argument_for_invalid_cipher_input_sizes.txt b/ChangeLog.d/psa_error_invalid_argument_for_invalid_cipher_input_sizes.txt deleted file mode 100644 index 85c363bef..000000000 --- a/ChangeLog.d/psa_error_invalid_argument_for_invalid_cipher_input_sizes.txt +++ /dev/null @@ -1,4 +0,0 @@ -Bugfix - * Consistently return PSA_ERROR_INVALID_ARGUMENT on invalid cipher input - sizes (instead of PSA_ERROR_BAD_STATE in some cases) to make the - psa_cipher_* functions compliant with the PSA Crypto API specification. diff --git a/ChangeLog.d/psa_generate_key-curve25519.txt b/ChangeLog.d/psa_generate_key-curve25519.txt deleted file mode 100644 index 24b6fcfe2..000000000 --- a/ChangeLog.d/psa_generate_key-curve25519.txt +++ /dev/null @@ -1,3 +0,0 @@ -Bugfix - * Fix psa_generate_key() returning an error when asked to generate - an ECC key pair on Curve25519 or secp244k1. 
diff --git a/ChangeLog.d/support-ecdh-kdf-with-ecdh-key.txt b/ChangeLog.d/support-ecdh-kdf-with-ecdh-key.txt deleted file mode 100644 index 6660dc3d5..000000000 --- a/ChangeLog.d/support-ecdh-kdf-with-ecdh-key.txt +++ /dev/null @@ -1,6 +0,0 @@ -Features - * In PSA, allow using a key declared with a base key agreement algorithm - in combined key agreement and derivation operations, as long as the key - agreement algorithm in use matches the algorithm the key was declared with. - This is currently non-standard behaviour, but expected to make it into a - future revision of the PSA Crypto standard. diff --git a/ChangeLog.d/support-key-agreement-and-derivation-output-as-key.txt b/ChangeLog.d/support-key-agreement-and-derivation-output-as-key.txt deleted file mode 100644 index 3f61481ab..000000000 --- a/ChangeLog.d/support-key-agreement-and-derivation-output-as-key.txt +++ /dev/null @@ -1,4 +0,0 @@ -Bugfix - * Fix psa_key_derivation_output_key() to allow the output of a combined key - agreement and subsequent key derivation operation to be used as a key - inside of the PSA Crypto core. diff --git a/ChangeLog.d/systematically_store_bit_size_3740.txt b/ChangeLog.d/systematically_store_bit_size_3740.txt deleted file mode 100644 index 4a039e04d..000000000 --- a/ChangeLog.d/systematically_store_bit_size_3740.txt +++ /dev/null @@ -1,6 +0,0 @@ -Changes - * The PSA persistent storage format is updated to always store the key bits - attribute. No automatic upgrade path is provided. Previously stored keys - must be erased, or manually upgraded based on the key storage format - specification (docs/architecture/mbed-crypto-storage-specification.md). - Fixes #3740. diff --git a/ChangeLog.d/x509-add-tag-check-to-algorithm-params.txt b/ChangeLog.d/x509-add-tag-check-to-algorithm-params.txt deleted file mode 100644 index f2c72b0ec..000000000 --- a/ChangeLog.d/x509-add-tag-check-to-algorithm-params.txt +++ /dev/null 
@@ -1,11 +0,0 @@ -Security - * Fix a compliance issue whereby we were not checking the tag on the - algorithm parameters (only the size) when comparing the signature in the - description part of the cert to the real signature. This meant that a - NULL algorithm parameters entry would look identical to an array of REAL - (size zero) to the library and thus the certificate would be considered - valid. However, if the parameters do not match in *any* way then the - certificate should be considered invalid, and indeed OpenSSL marks these - certs as invalid when mbedtls did not. - Many thanks to guidovranken who found this issue via differential fuzzing - and reported it in #3629. diff --git a/ChangeLog.d/zeroizations_of_sensitive_data_in_PKCS5_and_SHA.txt b/ChangeLog.d/zeroizations_of_sensitive_data_in_PKCS5_and_SHA.txt deleted file mode 100644 index 320bb0e86..000000000 --- a/ChangeLog.d/zeroizations_of_sensitive_data_in_PKCS5_and_SHA.txt +++ /dev/null @@ -1,6 +0,0 @@ -Security - * Zeroising of local buffers and variables which are used for calculations - in mbedtls_pkcs5_pbkdf2_hmac(), mbedtls_internal_sha*_process(), - mbedtls_internal_md*_process() and mbedtls_internal_ripemd160_process() - functions to erase sensitive data from memory. Reported by - Johan Malmgren and Johan Uppman Bruce from Sectra.
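Review bot: several entries in the assembled ChangeLog hunk (the `@@ -1,5 +1,176 @@` hunk against `a/ChangeLog`) carry typos that should be fixed here, since the ChangeLog.d fragments they came from are deleted by this same patch: the mbedtls_mpi_fill_random() Security entry reads `cannot not obtain entropy` (drop one `not`); the psa_generate_key() Bugfix entry names `secp244k1`, which is not a curve name Mbed TLS supports and presumably means secp224k1; and the Bugfix entry `Use socklen_t on Android and other POSIX-compliant system` is missing the plural and the trailing full stop. Two smaller consistency points in the same hunk: `Fix #3432.` should read `Fixes #3432.` like the other entries, and the Requirement changes line `* This silences a warning on CMake 3.19.0. #3801` is a continuation of the preceding bullet rather than a separate requirement change, so it should be folded into that bullet.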