diff --git a/ChangeLog b/ChangeLog index fd625a48b..edd57110c 100644 --- a/ChangeLog +++ b/ChangeLog @@ -2,6 +2,24 @@ mbed TLS ChangeLog (Sorted per branch, date) = mbed TLS x.x.x branch released xxxx-xx-xx +Security + * Fix mbedtls_mpi_is_prime() to use more rounds of probabilistic testing. The + previous settings for the number of rounds made it practical for an + adversary to construct non-primes that would be erroneously accepted as + primes with high probability. This does not have an impact on the + security of TLS, but can matter in other contexts with potentially + adversarially-chosen numbers that should be prime and can be validated. + For example, the number of rounds was enough to securely generate RSA key + pairs or Diffie-Hellman parameters, but was insufficient to validate + Diffie-Hellman parameters properly. + See "Prime and Prejudice" by by Martin R. Albrecht and Jake Massimo and + Kenneth G. Paterson and Juraj Somorovsky. + +New deprecations + * Deprecate the function mbedtls_mpi_is_prime() in favor of + mbedtls_mpi_is_prime_ext() which allows specifying the number of + Miller-Rabin rounds. + Changes * Add MBEDTLS_MPI_GEN_PRIME_FLAG_LOW_ERR flag to mbedtls_mpi_gen_prime() and use it to reduce error probability in RSA key generation to levels mandated