Merge remote-tracking branch 'upstream-restricted/pr/453' into mbedtls-2.1-restricted

ChangeLog

@@ -1,44 +1,46 @@
 mbed TLS ChangeLog (Sorted per branch, date)
 
-= mbed TLS 2.1.10 branch released 2017-xx-xx
+= mbed TLS 2.1.10 branch released 2018-02-03
 
 Security
-   * Fix buffer overflow in RSA-PSS verification when the hash is too
+   * Fix a heap corruption issue in the implementation of the truncated HMAC
-     large for the key size. Found by Seth Terashima, Qualcomm Product
+     extension. When the truncated HMAC extension is enabled and CBC is used,
-     Security Initiative, Qualcomm Technologies Inc.
+     sending a malicious application packet could be used to selectively corrupt
-   * Fix buffer overflow in RSA-PSS verification when the unmasked
+     6 bytes on the peer's heap, which could potentially lead to crash or remote
-     data is all zeros.
+     code execution. The issue could be triggered remotely from either side in
-   * Fix unsafe bounds check in ssl_parse_client_psk_identity() when adding
+     both TLS and DTLS. CVE-2018-0488
-     64kB to the address of the SSL buffer wraps around.
+   * Fix a buffer overflow in RSA-PSS verification when the hash was too large
-   * Fix a potential heap buffer overflow in mbedtls_ssl_write. When the (by
+     for the key size, which could potentially lead to crash or remote code
+     execution. Found by Seth Terashima, Qualcomm Product Security Initiative,
+     Qualcomm Technologies Inc. CVE-2018-0487
+   * Fix buffer overflow in RSA-PSS verification when the unmasked data is all
+     zeros.
+   * Fix an unsafe bounds check in ssl_parse_client_psk_identity() when adding
+     64 KiB to the address of the SSL buffer and causing a wrap around.
+   * Fix a potential heap buffer overflow in mbedtls_ssl_write(). When the (by
      default enabled) maximum fragment length extension is disabled in the
      config and the application data buffer passed to mbedtls_ssl_write
      is larger than the internal message buffer (16384 bytes by default), the
      latter overflows. The exploitability of this issue depends on whether the
      application layer can be forced into sending such large packets. The issue
      was independently reported by Tim Nordell via e-mail and by Florin Petriuc
-     and sjorsdewit on GitHub. Fix proposed by Florin Petriuc in #1022. Fixes #707.
+     and sjorsdewit on GitHub. Fix proposed by Florin Petriuc in #1022.
-   * Tighten should-be-constant-time memcmp against compiler optimizations.
+     Fixes #707.
+   * Add a provision to prevent compiler optimizations breaking the time
+     constancy of mbedtls_ssl_safer_memcmp().
    * Ensure that buffers are cleared after use if they contain sensitive data.
      Changes were introduced in multiple places in the library.
    * Set PEM buffer to zero before freeing it, to avoid decoded private keys
      being leaked to memory after release.
    * Fix dhm_check_range() failing to detect trivial subgroups and potentially
      leaking 1 bit of the private key. Reported by prashantkspatil.
-   * Make mbedtls_mpi_read_binary constant-time with respect to
+   * Make mbedtls_mpi_read_binary() constant-time with respect to the input
-     the input data. Previously, trailing zero bytes were detected
+     data. Previously, trailing zero bytes were detected and omitted for the
-     and omitted for the sake of saving memory, but potentially
+     sake of saving memory, but potentially leading to slight timing
-     leading to slight timing differences.
+     differences. Reported by Marco Macchetti, Kudelski Group.
-     Reported by Marco Macchetti, Kudelski Group.
    * Wipe stack buffer temporarily holding EC private exponent
      after keypair generation.
-   * Fix heap corruption in implementation of truncated HMAC extension.
+   * Fix a potential heap buffer over-read in ALPN extension parsing
-     When the truncated HMAC extension is enabled and CBC is used,
-     sending a malicious application packet can be used to selectively
-     corrupt 6 bytes on the peer's heap, potentially leading to crash or
-     remote code execution. This can be triggered remotely from either
-     side in both TLS and DTLS.
-   * Fix a potential heap buffer overread in ALPN extension parsing
      (server-side). Could result in application crash, but only if an ALPN
      name larger than 16 bytes had been configured on the server.
    * Change default choice of DHE parameters from untrustworthy RFC 5114
@@ -83,11 +85,11 @@ Bugfix
    * Don't print X.509 version tag for v1 CRT's, and omit extensions for
      non-v3 CRT's.
    * Fix bugs in RSA test suite under MBEDTLS_NO_PLATFORM_ENTROPY. #1023 #1024
-   * Fix net_would_block to avoid modification by errno through fcntl call.
+   * Fix net_would_block() to avoid modification by errno through fcntl() call.
      Found by nkolban. Fixes #845.
-   * Fix handling of handshake messages in mbedtls_ssl_read in case
+   * Fix handling of handshake messages in mbedtls_ssl_read() in case
      MBEDTLS_SSL_RENEGOTIATION is disabled. Found by erja-gp.
-   * Add a check for invalid private parameters in ecdsa_sign.
+   * Add a check for invalid private parameters in ecdsa_sign().
      Reported by Yolan Romailler.
    * Fix word size check in in pk.c to not depend on MBEDTLS_HAVE_INT64.
    * Add size-checks for record and handshake message content, securing
@@ -95,13 +97,14 @@ Bugfix
    * Fix crash when calling mbedtls_ssl_cache_free() twice. Found by
      MilenkoMitrovic, #1104
    * Fix mbedtls_timing_alarm(0) on Unix and MinGw.
-   * Fix use of uninitialized memory in mbedtls_timing_get_timer when reset=1.
+   * Fix use of uninitialized memory in mbedtls_timing_get_timer() when reset=1.
    * Fix issue in RSA key generation program programs/x509/rsa_genkey
      where the failure of CTR DRBG initialization lead to freeing an
      RSA context without proper initialization beforehand.
-   * Fix bug in cipher decryption with MBEDTLS_PADDING_ONE_AND_ZEROS that
+   * Fix an issue in the cipher decryption with the mode
-     sometimes accepted invalid padding. (Not used in TLS.) Found and fixed
+     MBEDTLS_PADDING_ONE_AND_ZEROS that sometimes accepted invalid padding.
-     by Micha Kraus.
+     Note, this padding mode is not used by the TLS protocol. Found and fixed by
+     Micha Kraus.
 
 Changes
    * Extend cert_write example program by options to set the CRT version