From a4b98a970f50dc5806b14d14a80becf56ed1cd89 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Wed, 9 Dec 2020 00:31:29 +0000 Subject: [PATCH] Assemble ChangeLog Executed scripts/assemble_changelog.py. Signed-off-by: Janos Follath --- ChangeLog | 66 +++++++++++++++++++ ChangeLog.d/AES_SETKEY_ALT-fix.txt | 5 -- ChangeLog.d/_GNU_SOURCE-redefined.txt | 3 - .../adjusting sliding_window_size_PR3592.txt | 3 - ChangeLog.d/aes-zeroize-pointer.txt | 5 -- ChangeLog.d/arc4random_buf-implicit.txt | 3 - ChangeLog.d/bugfix-2927.txt | 3 - ChangeLog.d/bugfix_3782.txt | 2 - ChangeLog.d/clean_pem_buffers.txt | 6 -- ChangeLog.d/ecb_iv_fix.txt | 3 - ChangeLog.d/ecp-bignum-error-checks.txt | 5 -- ChangeLog.d/fix-rsa-blinding.txt | 6 -- ...it_size_of_diffie_hellman_calculations.txt | 4 -- ChangeLog.d/mpi_fill_random-rng_failure.txt | 8 --- ...x509-add-tag-check-to-algorithm-params.txt | 11 ---- ...ons_of_sensitive_data_in_PKCS5_and_SHA.txt | 6 -- 16 files changed, 66 insertions(+), 73 deletions(-) delete mode 100644 ChangeLog.d/AES_SETKEY_ALT-fix.txt delete mode 100644 ChangeLog.d/_GNU_SOURCE-redefined.txt delete mode 100644 ChangeLog.d/adjusting sliding_window_size_PR3592.txt delete mode 100644 ChangeLog.d/aes-zeroize-pointer.txt delete mode 100644 ChangeLog.d/arc4random_buf-implicit.txt delete mode 100644 ChangeLog.d/bugfix-2927.txt delete mode 100644 ChangeLog.d/bugfix_3782.txt delete mode 100644 ChangeLog.d/clean_pem_buffers.txt delete mode 100644 ChangeLog.d/ecb_iv_fix.txt delete mode 100644 ChangeLog.d/ecp-bignum-error-checks.txt delete mode 100644 ChangeLog.d/fix-rsa-blinding.txt delete mode 100644 ChangeLog.d/limit_size_of_diffie_hellman_calculations.txt delete mode 100644 ChangeLog.d/mpi_fill_random-rng_failure.txt delete mode 100644 ChangeLog.d/x509-add-tag-check-to-algorithm-params.txt delete mode 100644 ChangeLog.d/zeroizations_of_sensitive_data_in_PKCS5_and_SHA.txt diff --git a/ChangeLog b/ChangeLog index c68bd1b65..ccbec1983 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -1,5 +1,71 @@ mbed TLS ChangeLog (Sorted per branch, date) += mbed TLS x.x.x branch released xxxx-xx-xx + +Security + * Limit the size of calculations performed by mbedtls_mpi_exp_mod to + MBEDTLS_MPI_MAX_SIZE to prevent a potential denial of service when + generating Diffie-Hellman key pairs. Credit to OSS-Fuzz. + * A failure of the random generator was ignored in mbedtls_mpi_fill_random(), + which is how most uses of randomization in asymmetric cryptography + (including key generation, intermediate value randomization and blinding) + are implemented. This could cause failures or the silent use of non-random + values. A random generator can fail if it needs reseeding and cannot not + obtain entropy, or due to an internal failure (which, for Mbed TLS's own + CTR_DRBG or HMAC_DRBG, can only happen due to a misconfiguration). + * Fix a compliance issue whereby we were not checking the tag on the + algorithm parameters (only the size) when comparing the signature in the + description part of the cert to the real signature. This meant that a + NULL algorithm parameters entry would look identical to an array of REAL + (size zero) to the library and thus the certificate would be considered + valid. However, if the parameters do not match in *any* way then the + certificate should be considered invalid, and indeed OpenSSL marks these + certs as invalid when mbedtls did not. + Many thanks to guidovranken who found this issue via differential fuzzing + and reported it in #3629. + * Zeroising of local buffers and variables which are used for calculations + in mbedtls_pkcs5_pbkdf2_hmac(), mbedtls_internal_sha*_process(), + mbedtls_internal_md*_process() and mbedtls_internal_ripemd160_process() + functions to erase sensitive data from memory. Reported by + Johan Malmgren and Johan Uppman Bruce from Sectra. + +Bugfix + * Fix rsa_prepare_blinding() to retry when the blinding value is not + invertible (mod N), instead of returning MBEDTLS_ERR_RSA_RNG_FAILED. 
This + addresses a regression but is rare in practice (approx. 1 in 2/sqrt(N)). + Found by Synopsys Coverity, fix contributed by Peter Kolbus (Garmin). + Fixes #3647. + * Fix the build when the macro _GNU_SOURCE is defined to a non-empty value. + Fix #3432. + * Correct the default IV size for mbedtls_cipher_info_t structures using + MBEDTLS_MODE_ECB to 0, since ECB mode ciphers don't use IVs. + * Make arc4random_buf available on NetBSD and OpenBSD when _POSIX_C_SOURCE is + defined. Fix contributed in #3571. Adopted for LTS branch 2.16 in #3602. + * Fix build failures on GCC 11. Fixes #3782. + * Fix a memory leak in mbedtls_mpi_sub_abs() when the result was negative + (an error condition) and the second operand was aliased to the result. + * Fix a case in elliptic curve arithmetic where an out-of-memory condition + could go undetected, resulting in an incorrect result. + * In CTR_DRBG and HMAC_DRBG, don't reset the reseed interval in seed(). + Fixes #2927. + * In PEM writing functions, fill the trailing part of the buffer with null + bytes. This guarantees that the corresponding parsing function can read + the buffer back, which was the case for mbedtls_x509write_{crt,csr}_pem + until this property was inadvertently broken in Mbed TLS 2.19.0. + Fixes #3682. + * Fix an issue that occurred when building with MBEDTLS_AES_SETKEY_DEC_ALT. + Key management methods that are required for MBEDTLS_CIPHER_MODE_XTS were + excluded from the build and led to failure. Fixes #3818. Reported by + John Stroebel. + +Changes + * Reduce stack usage significantly during sliding window exponentiation. + Reported in #3591 and fix contributed in #3592 by Daniel Otte. + * Remove the zeroization of a pointer variable in AES rounds. It was valid + but spurious and misleading since it looked like a mistaken attempt to + zeroize the pointed-to buffer. Reported by Antonio de la Piedra, CEA + Leti, France. + = mbed TLS 2.16.8 branch released 2020-09-01 Features 
diff --git a/ChangeLog.d/AES_SETKEY_ALT-fix.txt b/ChangeLog.d/AES_SETKEY_ALT-fix.txt deleted file mode 100644 index 2a23fbcf2..000000000 --- a/ChangeLog.d/AES_SETKEY_ALT-fix.txt +++ /dev/null @@ -1,5 +0,0 @@ -Bugfix - * Fix an issue that occurred when building with MBEDTLS_AES_SETKEY_DEC_ALT. - Key management methods that are required for MBEDTLS_CIPHER_MODE_XTS were - excluded from the build and led to failure. Fixes #3818. Reported by - John Stroebel. diff --git a/ChangeLog.d/_GNU_SOURCE-redefined.txt b/ChangeLog.d/_GNU_SOURCE-redefined.txt deleted file mode 100644 index 59c8a153f..000000000 --- a/ChangeLog.d/_GNU_SOURCE-redefined.txt +++ /dev/null @@ -1,3 +0,0 @@ -Bugfix - * Fix the build when the macro _GNU_SOURCE is defined to a non-empty value. - Fix #3432. diff --git a/ChangeLog.d/adjusting sliding_window_size_PR3592.txt b/ChangeLog.d/adjusting sliding_window_size_PR3592.txt deleted file mode 100644 index 608956541..000000000 --- a/ChangeLog.d/adjusting sliding_window_size_PR3592.txt +++ /dev/null @@ -1,3 +0,0 @@ -Changes - * Reduce stack usage significantly during sliding window exponentiation. - Reported in #3591 and fix contributed in #3592 by Daniel Otte. diff --git a/ChangeLog.d/aes-zeroize-pointer.txt b/ChangeLog.d/aes-zeroize-pointer.txt deleted file mode 100644 index ccc6dc159..000000000 --- a/ChangeLog.d/aes-zeroize-pointer.txt +++ /dev/null @@ -1,5 +0,0 @@ -Changes - * Remove the zeroization of a pointer variable in AES rounds. It was valid - but spurious and misleading since it looked like a mistaken attempt to - zeroize the pointed-to buffer. Reported by Antonio de la Piedra, CEA - Leti, France. diff --git a/ChangeLog.d/arc4random_buf-implicit.txt b/ChangeLog.d/arc4random_buf-implicit.txt deleted file mode 100644 index d20e4c848..000000000 --- a/ChangeLog.d/arc4random_buf-implicit.txt +++ /dev/null 
@@ -1,3 +0,0 @@ -Bugfix - * Make arc4random_buf available on NetBSD and OpenBSD when _POSIX_C_SOURCE is - defined. Fix contributed in #3571. Adopted for LTS branch 2.16 in #3602. diff --git a/ChangeLog.d/bugfix-2927.txt b/ChangeLog.d/bugfix-2927.txt deleted file mode 100644 index 2213c6ee4..000000000 --- a/ChangeLog.d/bugfix-2927.txt +++ /dev/null @@ -1,3 +0,0 @@ -Bugfix - * In CTR_DRBG and HMAC_DRBG, don't reset the reseed interval in seed(). - Fixes #2927. diff --git a/ChangeLog.d/bugfix_3782.txt b/ChangeLog.d/bugfix_3782.txt deleted file mode 100644 index a92dffa28..000000000 --- a/ChangeLog.d/bugfix_3782.txt +++ /dev/null @@ -1,2 +0,0 @@ -Bugfix - * Fix build failures on GCC 11. Fixes #3782. diff --git a/ChangeLog.d/clean_pem_buffers.txt b/ChangeLog.d/clean_pem_buffers.txt deleted file mode 100644 index 5f796496f..000000000 --- a/ChangeLog.d/clean_pem_buffers.txt +++ /dev/null @@ -1,6 +0,0 @@ -Bugfix - * In PEM writing functions, fill the trailing part of the buffer with null - bytes. This guarantees that the corresponding parsing function can read - the buffer back, which was the case for mbedtls_x509write_{crt,csr}_pem - until this property was inadvertently broken in Mbed TLS 2.19.0. - Fixes #3682. diff --git a/ChangeLog.d/ecb_iv_fix.txt b/ChangeLog.d/ecb_iv_fix.txt deleted file mode 100644 index ae2ae2543..000000000 --- a/ChangeLog.d/ecb_iv_fix.txt +++ /dev/null @@ -1,3 +0,0 @@ -Bugfix - * Correct the default IV size for mbedtls_cipher_info_t structures using - MBEDTLS_MODE_ECB to 0, since ECB mode ciphers don't use IVs. diff --git a/ChangeLog.d/ecp-bignum-error-checks.txt b/ChangeLog.d/ecp-bignum-error-checks.txt deleted file mode 100644 index 8cad08e97..000000000 --- a/ChangeLog.d/ecp-bignum-error-checks.txt +++ /dev/null 
@@ -1,5 +0,0 @@ -Bugfix - * Fix a memory leak in mbedtls_mpi_sub_abs() when the result was negative - (an error condition) and the second operand was aliased to the result. - * Fix a case in elliptic curve arithmetic where an out-of-memory condition - could go undetected, resulting in an incorrect result. diff --git a/ChangeLog.d/fix-rsa-blinding.txt b/ChangeLog.d/fix-rsa-blinding.txt deleted file mode 100644 index a13572c9a..000000000 --- a/ChangeLog.d/fix-rsa-blinding.txt +++ /dev/null @@ -1,6 +0,0 @@ -Bugfix - * Fix rsa_prepare_blinding() to retry when the blinding value is not - invertible (mod N), instead of returning MBEDTLS_ERR_RSA_RNG_FAILED. This - addresses a regression but is rare in practice (approx. 1 in 2/sqrt(N)). - Found by Synopsys Coverity, fix contributed by Peter Kolbus (Garmin). - Fixes #3647. diff --git a/ChangeLog.d/limit_size_of_diffie_hellman_calculations.txt b/ChangeLog.d/limit_size_of_diffie_hellman_calculations.txt deleted file mode 100644 index 2ba98d541..000000000 --- a/ChangeLog.d/limit_size_of_diffie_hellman_calculations.txt +++ /dev/null @@ -1,4 +0,0 @@ -Security - * Limit the size of calculations performed by mbedtls_mpi_exp_mod to - MBEDTLS_MPI_MAX_SIZE to prevent a potential denial of service when - generating Diffie-Hellman key pairs. Credit to OSS-Fuzz. diff --git a/ChangeLog.d/mpi_fill_random-rng_failure.txt b/ChangeLog.d/mpi_fill_random-rng_failure.txt deleted file mode 100644 index 8addf180c..000000000 --- a/ChangeLog.d/mpi_fill_random-rng_failure.txt +++ /dev/null 
@@ -1,8 +0,0 @@ -Security - * A failure of the random generator was ignored in mbedtls_mpi_fill_random(), - which is how most uses of randomization in asymmetric cryptography - (including key generation, intermediate value randomization and blinding) - are implemented. This could cause failures or the silent use of non-random - values. A random generator can fail if it needs reseeding and cannot not - obtain entropy, or due to an internal failure (which, for Mbed TLS's own - CTR_DRBG or HMAC_DRBG, can only happen due to a misconfiguration). diff --git a/ChangeLog.d/x509-add-tag-check-to-algorithm-params.txt b/ChangeLog.d/x509-add-tag-check-to-algorithm-params.txt deleted file mode 100644 index f2c72b0ec..000000000 --- a/ChangeLog.d/x509-add-tag-check-to-algorithm-params.txt +++ /dev/null @@ -1,11 +0,0 @@ -Security - * Fix a compliance issue whereby we were not checking the tag on the - algorithm parameters (only the size) when comparing the signature in the - description part of the cert to the real signature. This meant that a - NULL algorithm parameters entry would look identical to an array of REAL - (size zero) to the library and thus the certificate would be considered - valid. However, if the parameters do not match in *any* way then the - certificate should be considered invalid, and indeed OpenSSL marks these - certs as invalid when mbedtls did not. - Many thanks to guidovranken who found this issue via differential fuzzing - and reported it in #3629. diff --git a/ChangeLog.d/zeroizations_of_sensitive_data_in_PKCS5_and_SHA.txt b/ChangeLog.d/zeroizations_of_sensitive_data_in_PKCS5_and_SHA.txt deleted file mode 100644 index 320bb0e86..000000000 --- a/ChangeLog.d/zeroizations_of_sensitive_data_in_PKCS5_and_SHA.txt +++ /dev/null 
@@ -1,6 +0,0 @@ -Security - * Zeroising of local buffers and variables which are used for calculations - in mbedtls_pkcs5_pbkdf2_hmac(), mbedtls_internal_sha*_process(), - mbedtls_internal_md*_process() and mbedtls_internal_ripemd160_process() - functions to erase sensitive data from memory. Reported by - Johan Malmgren and Johan Uppman Bruce from Sectra.
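Review bot: the assembled text in the ChangeLog hunk (`@@ -1,5 +1,71 @@`) carries two wording defects that the assembly script copied verbatim from the fragments, and this commit is the last point before they land in the released ChangeLog. In the mpi_fill_random Security entry, `needs reseeding and cannot not obtain entropy` is a double negative; suggest `needs reseeding and cannot obtain entropy`. The zeroization Security entry is a sentence fragment with no main verb (`Zeroising of local buffers and variables which are used for calculations in ... functions to erase sensitive data from memory`); suggest `Zeroize local buffers and variables used for calculations in mbedtls_pkcs5_pbkdf2_hmac(), ... to erase sensitive data from memory`. Separately, the new section header `= mbed TLS x.x.x branch released xxxx-xx-xx` at the top of the same hunk still holds the version and date placeholders, so please confirm they are meant to be filled in by the release commit rather than here, and that `Mbed TLS`, `mbed TLS` and `mbedtls` (all three spellings appear in the added entries) are the intended forms.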
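Review bot: in the deleted ChangeLog.d/fix-rsa-blinding.txt hunk (`@@ -1,6 +0,0 @@`), and therefore in the copy assembled into ChangeLog, the rate `approx. 1 in 2/sqrt(N)` does not read as a probability. A random blinding value is non-invertible mod N = pq exactly when it is a multiple of p or of q, which happens with probability about 1/p + 1/q, i.e. roughly 2/sqrt(N) for balanced primes, so the entry should say `with probability approx. 2/sqrt(N)` (or `approx. 1 in sqrt(N)/2`) rather than `1 in 2/sqrt(N)`. Since the fragment is being removed anyway, the fix belongs in the assembled ChangeLog entry in this commit.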