From 53b960d9e09bb1bfbeafe95baa0e479217444e32 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bence=20Sz=C3=A9pk=C3=BAti?=
Date: Mon, 5 Jul 2021 16:17:07 +0100
Subject: [PATCH] Create aggregated ChangeLog
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Bence Szépkúti
---
 ChangeLog                                     | 92 +++++++++++++++++++
 ChangeLog.d/add-missing-parenthesis.txt       |  3 -
 ChangeLog.d/aescrypt2.txt                     |  3 -
 ChangeLog.d/aria-alt.txt                      |  5 -
 ChangeLog.d/bugfix_PR3616.txt                 |  5 -
 ChangeLog.d/ciphersuite-sha1-sha384-guard.txt |  4 -
 ChangeLog.d/dhm_min_bitlen.txt                |  4 -
 ChangeLog.d/dtls_sample_use_read_timeout.txt  |  2 -
 ChangeLog.d/ecdsa-random-leading-zeros.txt    |  7 --
 ChangeLog.d/ecp_max_bits.txt                  |  4 -
 ChangeLog.d/ensure_hash_len_is_valid.txt      |  5 -
 ChangeLog.d/fix-pk-parse-key-error-code.txt   |  2 -
 ChangeLog.d/fix-rsa-leak.txt                  |  6 --
 ChangeLog.d/fix-ssl-cf-hmac-alt.txt           |  5 -
 ChangeLog.d/fix_tls_alert_codes.txt           |  5 -
 ChangeLog.d/host_test-int32.txt               |  3 -
 ChangeLog.d/issue4176.txt                     |  3 -
 ChangeLog.d/make-generate-tests-python.txt    |  4 -
 ChangeLog.d/mbedtls_debug_print_mpi.txt       |  3 -
 ChangeLog.d/mpi_exp_mod-zero.txt              |  6 --
 ChangeLog.d/mpi_gcd-0.txt                     |  4 -
 ChangeLog.d/mpi_read_negative_zero.txt        |  7 --
 ChangeLog.d/posix-define.txt                  |  6 --
 ChangeLog.d/random-range.txt                  |  4 -
 ChangeLog.d/reject-low-order-points-early.txt |  6 --
 ChangeLog.d/winsock.txt                       |  4 -
 26 files changed, 92 insertions(+), 110 deletions(-)
 delete mode 100644 ChangeLog.d/add-missing-parenthesis.txt
 delete mode 100644 ChangeLog.d/aescrypt2.txt
 delete mode 100644 ChangeLog.d/aria-alt.txt
 delete mode 100644 ChangeLog.d/bugfix_PR3616.txt
 delete mode 100644 ChangeLog.d/ciphersuite-sha1-sha384-guard.txt
 delete mode 100644 ChangeLog.d/dhm_min_bitlen.txt
 delete mode 100644 ChangeLog.d/dtls_sample_use_read_timeout.txt
 delete mode 100644 ChangeLog.d/ecdsa-random-leading-zeros.txt
 delete mode 100644 ChangeLog.d/ecp_max_bits.txt
 delete mode 100644 ChangeLog.d/ensure_hash_len_is_valid.txt
 delete mode 100644 ChangeLog.d/fix-pk-parse-key-error-code.txt
 delete mode 100644 ChangeLog.d/fix-rsa-leak.txt
 delete mode 100644 ChangeLog.d/fix-ssl-cf-hmac-alt.txt
 delete mode 100644 ChangeLog.d/fix_tls_alert_codes.txt
 delete mode 100644 ChangeLog.d/host_test-int32.txt
 delete mode 100644 ChangeLog.d/issue4176.txt
 delete mode 100644 ChangeLog.d/make-generate-tests-python.txt
 delete mode 100644 ChangeLog.d/mbedtls_debug_print_mpi.txt
 delete mode 100644 ChangeLog.d/mpi_exp_mod-zero.txt
 delete mode 100644 ChangeLog.d/mpi_gcd-0.txt
 delete mode 100644 ChangeLog.d/mpi_read_negative_zero.txt
 delete mode 100644 ChangeLog.d/posix-define.txt
 delete mode 100644 ChangeLog.d/random-range.txt
 delete mode 100644 ChangeLog.d/reject-low-order-points-early.txt
 delete mode 100644 ChangeLog.d/winsock.txt

diff --git a/ChangeLog b/ChangeLog
index fe7aecd27b..13f9f17ba1 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,97 @@ mbed TLS ChangeLog (Sorted per branch, date) += mbed TLS x.x.x branch released xxxx-xx-xx + +Security +* Fix a bias in the generation of finite-field Diffie-Hellman-Merkle (DHM) + private keys and of blinding values for DHM and elliptic curves (ECP) + computations. Reported by FlorianF89 in #4245. +* Fix a potential side channel vulnerability in ECDSA ephemeral key generation. + An adversary who is capable of very precise timing measurements could + learn partial information about the leading bits of the nonce used for the + signature, allowing the recovery of the private key after observing a + large number of signature operations. This completes a partial fix in + Mbed TLS 2.16.4. + * It was possible to configure MBEDTLS_ECP_MAX_BITS to a value that is + too small, leading to buffer overflows in ECC operations. Fail the build + in such a case. + * An adversary with access to precise enough information about memory + accesses (typically, an untrusted operating system attacking a secure + enclave) could recover an RSA private key after observing the victim + performing a single private-key operation. Found and reported by + Zili KOU, Wenjian HE, Sharad Sinha, and Wei ZHANG. + * An adversary with access to precise enough timing information (typically, a + co-located process) could recover a Curve25519 or Curve448 static ECDH key + after inputting a chosen public key and observing the victim performing the + corresponding private-key operation. Found and reported by Leila Batina, + Lukas Chmielewski, Björn Haase, Niels Samwel and Peter Schwabe. + +Bugfix + * Fix premature fopen() call in mbedtls_entropy_write_seed_file which may + lead to the seed file corruption in case if the path to the seed file is + equal to MBEDTLS_PLATFORM_STD_NV_SEED_FILE. Contributed by Victor + Krasnoshchok in #3616. 
+ * Fix some cases in the bignum module where the library constructed an + unintended representation of the value 0 which was not processed + correctly by some bignum operations. This could happen when + mbedtls_mpi_read_string() was called on "-0", or when + mbedtls_mpi_mul_mpi() and mbedtls_mpi_mul_int() was called with one of + the arguments being negative and the other being 0. Fixes #4643. + * Fix a compilation error when MBEDTLS_ECP_RANDOMIZE_MXZ_ALT is + defined. Fixes #4217. + * Fix an incorrect error code when parsing a PKCS#8 private key. + * In a TLS client, enforce the Diffie-Hellman minimum parameter size + set with mbedtls_ssl_conf_dhm_min_bitlen() precisely. Before, the + minimum size was rounded down to the nearest multiple of 8. + * In library/net_sockets.c, _POSIX_C_SOURCE and _XOPEN_SOURCE are + defined to specific values. If the code is used in a context + where these are already defined, this can result in a compilation + error. Instead, assume that if they are defined, the values will + be adequate to build Mbed TLS. + * The cipher suite TLS-RSA-WITH-CAMELLIA-256-GCM-SHA384 was not available + when SHA-1 was disabled and was offered when SHA-1 was enabled but SHA-384 + was disabled. Fix the dependency. Fixes #4472. + * Fix test suite code on platforms where int32_t is not int, such as + Arm Cortex-M. Fixes #4530. + * Fix some issues affecting MBEDTLS_ARIA_ALT implementations: a misplaced + directive in a header and a missing initialization in the self-test. + * Fix a missing initialization in the Camellia self-test, affecting + MBEDTLS_CAMELLIA_ALT implementations. + * Fix a regression introduced in 2.16.8 which broke (D)TLS CBC ciphersuites + (when the encrypt-then-MAC extension is not in use) with some ALT + implementations of the underlying hash (SHA-1, SHA-256, SHA-384), causing + the affected side to wrongly reject valid messages. Fixes #4118. 
+ * Fix mbedtls_net_poll() and mbedtls_net_recv_timeout() often failing with + MBEDTLS_ERR_NET_POLL_FAILED on Windows. Fixes #4465. + * Fix a resource leak in a test suite with an alternative AES + implementation. Fixes #4176. + * Fix a crash in mbedtls_mpi_debug_mpi on a bignum having 0 limbs. + Reported by lhuang04 in #4578. Fixes #4608. + * Fix a null pointer dereference when mbedtls_mpi_exp_mod() was called with + A=0 represented with 0 limbs. This bug could not be triggered by code + that constructed A with one of the mbedtls_mpi_read_xxx functions + (including in particular TLS code) since those always built an mpi object + with at least one limb. Credit to OSS-Fuzz. Fixes #4641. + * Fix mbedtls_mpi_gcd(G,A,B) when the value of B is zero. This had no + effect on Mbed TLS's internal use of mbedtls_mpi_gcd(), but may affect + applications that call mbedtls_mpi_gcd() directly. Fixes #4642. + * mbedtls_pk_sign() and mbedtls_pk_verify() and their extended and + restartable variants now require at least the specified hash length if + nonzero. Before, for RSA, hash_len was ignored in favor of the length of + the specified hash algorithm. + * Fix which alert is sent in some cases to conform to the + applicable RFC: on an invalid Finished message value, an + invalid max_fragment_length extension, or an + unsupported extension used by the server. + +Changes + * Fix the setting of the read timeout in the DTLS sample programs. + * Remove the AES sample application programs/aes/aescrypt2 which shows + bad cryptographic practice. Fix #1906. + * When building the test suites with GNU make, invoke python3 or python, not + python2. The build still works with either Python 2.7 or 3.5+, but we + recommend using a version of Python that is supported upstream. + = mbed TLS 2.16.10 branch released 2021-03-12 Default behavior changes diff --git a/ChangeLog.d/add-missing-parenthesis.txt b/ChangeLog.d/add-missing-parenthesis.txt deleted file mode 100644 index 9576ff3793..0000000000 
--- a/ChangeLog.d/add-missing-parenthesis.txt +++ /dev/null @@ -1,3 +0,0 @@ -Bugfix - * Fix a compilation error when MBEDTLS_ECP_RANDOMIZE_MXZ_ALT is - defined. Fixes #4217. diff --git a/ChangeLog.d/aescrypt2.txt b/ChangeLog.d/aescrypt2.txt deleted file mode 100644 index 7ffa49eaa3..0000000000 --- a/ChangeLog.d/aescrypt2.txt +++ /dev/null @@ -1,3 +0,0 @@ -Changes - * Remove the AES sample application programs/aes/aescrypt2 which shows - bad cryptographic practice. Fix #1906. diff --git a/ChangeLog.d/aria-alt.txt b/ChangeLog.d/aria-alt.txt deleted file mode 100644 index 20aaa2b71d..0000000000 --- a/ChangeLog.d/aria-alt.txt +++ /dev/null @@ -1,5 +0,0 @@ -Bugfix - * Fix some issues affecting MBEDTLS_ARIA_ALT implementations: a misplaced - directive in a header and a missing initialization in the self-test. - * Fix a missing initialization in the Camellia self-test, affecting - MBEDTLS_CAMELLIA_ALT implementations. diff --git a/ChangeLog.d/bugfix_PR3616.txt b/ChangeLog.d/bugfix_PR3616.txt deleted file mode 100644 index 47d1044922..0000000000 --- a/ChangeLog.d/bugfix_PR3616.txt +++ /dev/null @@ -1,5 +0,0 @@ -Bugfix - * Fix premature fopen() call in mbedtls_entropy_write_seed_file which may - lead to the seed file corruption in case if the path to the seed file is - equal to MBEDTLS_PLATFORM_STD_NV_SEED_FILE. Contributed by Victor - Krasnoshchok in #3616. diff --git a/ChangeLog.d/ciphersuite-sha1-sha384-guard.txt b/ChangeLog.d/ciphersuite-sha1-sha384-guard.txt deleted file mode 100644 index d253f349a5..0000000000 --- a/ChangeLog.d/ciphersuite-sha1-sha384-guard.txt +++ /dev/null @@ -1,4 +0,0 @@ -Bugfix - * The cipher suite TLS-RSA-WITH-CAMELLIA-256-GCM-SHA384 was not available - when SHA-1 was disabled and was offered when SHA-1 was enabled but SHA-384 - was disabled. Fix the dependency. Fixes #4472. diff --git a/ChangeLog.d/dhm_min_bitlen.txt b/ChangeLog.d/dhm_min_bitlen.txt deleted file mode 100644 index e7ea827302..0000000000 
--- a/ChangeLog.d/dhm_min_bitlen.txt +++ /dev/null @@ -1,4 +0,0 @@ -Bugfix - * In a TLS client, enforce the Diffie-Hellman minimum parameter size - set with mbedtls_ssl_conf_dhm_min_bitlen() precisely. Before, the - minimum size was rounded down to the nearest multiple of 8. diff --git a/ChangeLog.d/dtls_sample_use_read_timeout.txt b/ChangeLog.d/dtls_sample_use_read_timeout.txt deleted file mode 100644 index e3150d6efb..0000000000 --- a/ChangeLog.d/dtls_sample_use_read_timeout.txt +++ /dev/null @@ -1,2 +0,0 @@ -Changes - * Fix the setting of the read timeout in the DTLS sample programs. diff --git a/ChangeLog.d/ecdsa-random-leading-zeros.txt b/ChangeLog.d/ecdsa-random-leading-zeros.txt deleted file mode 100644 index 793b37156e..0000000000 --- a/ChangeLog.d/ecdsa-random-leading-zeros.txt +++ /dev/null @@ -1,7 +0,0 @@ -Security -* Fix a potential side channel vulnerability in ECDSA ephemeral key generation. - An adversary who is capable of very precise timing measurements could - learn partial information about the leading bits of the nonce used for the - signature, allowing the recovery of the private key after observing a - large number of signature operations. This completes a partial fix in - Mbed TLS 2.16.4. diff --git a/ChangeLog.d/ecp_max_bits.txt b/ChangeLog.d/ecp_max_bits.txt deleted file mode 100644 index bfbe11f13c..0000000000 --- a/ChangeLog.d/ecp_max_bits.txt +++ /dev/null @@ -1,4 +0,0 @@ -Security - * It was possible to configure MBEDTLS_ECP_MAX_BITS to a value that is - too small, leading to buffer overflows in ECC operations. Fail the build - in such a case. diff --git a/ChangeLog.d/ensure_hash_len_is_valid.txt b/ChangeLog.d/ensure_hash_len_is_valid.txt deleted file mode 100644 index 2059249e19..0000000000 --- a/ChangeLog.d/ensure_hash_len_is_valid.txt +++ /dev/null 
@@ -1,5 +0,0 @@ -Bugfix - * mbedtls_pk_sign() and mbedtls_pk_verify() and their extended and - restartable variants now require at least the specified hash length if - nonzero. Before, for RSA, hash_len was ignored in favor of the length of - the specified hash algorithm. diff --git a/ChangeLog.d/fix-pk-parse-key-error-code.txt b/ChangeLog.d/fix-pk-parse-key-error-code.txt deleted file mode 100644 index 3aa330b1a5..0000000000 --- a/ChangeLog.d/fix-pk-parse-key-error-code.txt +++ /dev/null @@ -1,2 +0,0 @@ -Bugfix - * Fix an incorrect error code when parsing a PKCS#8 private key. diff --git a/ChangeLog.d/fix-rsa-leak.txt b/ChangeLog.d/fix-rsa-leak.txt deleted file mode 100644 index b7d3e3e758..0000000000 --- a/ChangeLog.d/fix-rsa-leak.txt +++ /dev/null @@ -1,6 +0,0 @@ -Security - * An adversary with access to precise enough information about memory - accesses (typically, an untrusted operating system attacking a secure - enclave) could recover an RSA private key after observing the victim - performing a single private-key operation. Found and reported by - Zili KOU, Wenjian HE, Sharad Sinha, and Wei ZHANG. diff --git a/ChangeLog.d/fix-ssl-cf-hmac-alt.txt b/ChangeLog.d/fix-ssl-cf-hmac-alt.txt deleted file mode 100644 index e77613f03d..0000000000 --- a/ChangeLog.d/fix-ssl-cf-hmac-alt.txt +++ /dev/null @@ -1,5 +0,0 @@ -Bugfix - * Fix a regression introduced in 2.16.8 which broke (D)TLS CBC ciphersuites - (when the encrypt-then-MAC extension is not in use) with some ALT - implementations of the underlying hash (SHA-1, SHA-256, SHA-384), causing - the affected side to wrongly reject valid messages. Fixes #4118. diff --git a/ChangeLog.d/fix_tls_alert_codes.txt b/ChangeLog.d/fix_tls_alert_codes.txt deleted file mode 100644 index 10235d7bc3..0000000000 --- a/ChangeLog.d/fix_tls_alert_codes.txt +++ /dev/null 
@@ -1,5 +0,0 @@ -Bugfix - * Fix which alert is sent in some cases to conform to the - applicable RFC: on an invalid Finished message value, an - invalid max_fragment_length extension, or an - unsupported extension used by the server. diff --git a/ChangeLog.d/host_test-int32.txt b/ChangeLog.d/host_test-int32.txt deleted file mode 100644 index 60ef8e9702..0000000000 --- a/ChangeLog.d/host_test-int32.txt +++ /dev/null @@ -1,3 +0,0 @@ -Bugfix - * Fix test suite code on platforms where int32_t is not int, such as - Arm Cortex-M. Fixes #4530. diff --git a/ChangeLog.d/issue4176.txt b/ChangeLog.d/issue4176.txt deleted file mode 100644 index ddca37f9be..0000000000 --- a/ChangeLog.d/issue4176.txt +++ /dev/null @@ -1,3 +0,0 @@ -Bugfix - * Fix a resource leak in a test suite with an alternative AES - implementation. Fixes #4176. diff --git a/ChangeLog.d/make-generate-tests-python.txt b/ChangeLog.d/make-generate-tests-python.txt deleted file mode 100644 index 0feeff8857..0000000000 --- a/ChangeLog.d/make-generate-tests-python.txt +++ /dev/null @@ -1,4 +0,0 @@ -Changes - * When building the test suites with GNU make, invoke python3 or python, not - python2. The build still works with either Python 2.7 or 3.5+, but we - recommend using a version of Python that is supported upstream. diff --git a/ChangeLog.d/mbedtls_debug_print_mpi.txt b/ChangeLog.d/mbedtls_debug_print_mpi.txt deleted file mode 100644 index 895ab18d30..0000000000 --- a/ChangeLog.d/mbedtls_debug_print_mpi.txt +++ /dev/null @@ -1,3 +0,0 @@ -Bugfix - * Fix a crash in mbedtls_mpi_debug_mpi on a bignum having 0 limbs. - Reported by lhuang04 in #4578. Fixes #4608. diff --git a/ChangeLog.d/mpi_exp_mod-zero.txt b/ChangeLog.d/mpi_exp_mod-zero.txt deleted file mode 100644 index 50a0c1c0e4..0000000000 --- a/ChangeLog.d/mpi_exp_mod-zero.txt +++ /dev/null 
@@ -1,6 +0,0 @@ -Bugfix - * Fix a null pointer dereference when mbedtls_mpi_exp_mod() was called with - A=0 represented with 0 limbs. This bug could not be triggered by code - that constructed A with one of the mbedtls_mpi_read_xxx functions - (including in particular TLS code) since those always built an mpi object - with at least one limb. Credit to OSS-Fuzz. Fixes #4641. diff --git a/ChangeLog.d/mpi_gcd-0.txt b/ChangeLog.d/mpi_gcd-0.txt deleted file mode 100644 index 41e11e1f6b..0000000000 --- a/ChangeLog.d/mpi_gcd-0.txt +++ /dev/null @@ -1,4 +0,0 @@ -Bugfix - * Fix mbedtls_mpi_gcd(G,A,B) when the value of B is zero. This had no - effect on Mbed TLS's internal use of mbedtls_mpi_gcd(), but may affect - applications that call mbedtls_mpi_gcd() directly. Fixes #4642. diff --git a/ChangeLog.d/mpi_read_negative_zero.txt b/ChangeLog.d/mpi_read_negative_zero.txt deleted file mode 100644 index 32857694a0..0000000000 --- a/ChangeLog.d/mpi_read_negative_zero.txt +++ /dev/null @@ -1,7 +0,0 @@ -Bugfix - * Fix some cases in the bignum module where the library constructed an - unintended representation of the value 0 which was not processed - correctly by some bignum operations. This could happen when - mbedtls_mpi_read_string() was called on "-0", or when - mbedtls_mpi_mul_mpi() and mbedtls_mpi_mul_int() was called with one of - the arguments being negative and the other being 0. Fixes #4643. diff --git a/ChangeLog.d/posix-define.txt b/ChangeLog.d/posix-define.txt deleted file mode 100644 index 98cf2d0122..0000000000 --- a/ChangeLog.d/posix-define.txt +++ /dev/null @@ -1,6 +0,0 @@ -Bugfix - * In library/net_sockets.c, _POSIX_C_SOURCE and _XOPEN_SOURCE are - defined to specific values. If the code is used in a context - where these are already defined, this can result in a compilation - error. Instead, assume that if they are defined, the values will - be adequate to build Mbed TLS. 
diff --git a/ChangeLog.d/random-range.txt b/ChangeLog.d/random-range.txt deleted file mode 100644 index dc35ec6c66..0000000000 --- a/ChangeLog.d/random-range.txt +++ /dev/null @@ -1,4 +0,0 @@ -Security -* Fix a bias in the generation of finite-field Diffie-Hellman-Merkle (DHM) - private keys and of blinding values for DHM and elliptic curves (ECP) - computations. Reported by FlorianF89 in #4245. diff --git a/ChangeLog.d/reject-low-order-points-early.txt b/ChangeLog.d/reject-low-order-points-early.txt deleted file mode 100644 index eb735697a9..0000000000 --- a/ChangeLog.d/reject-low-order-points-early.txt +++ /dev/null @@ -1,6 +0,0 @@ -Security - * An adversary with access to precise enough timing information (typically, a - co-located process) could recover a Curve25519 or Curve448 static ECDH key - after inputting a chosen public key and observing the victim performing the - corresponding private-key operation. Found and reported by Leila Batina, - Lukas Chmielewski, Björn Haase, Niels Samwel and Peter Schwabe. diff --git a/ChangeLog.d/winsock.txt b/ChangeLog.d/winsock.txt deleted file mode 100644 index 0b42e691c2..0000000000 --- a/ChangeLog.d/winsock.txt +++ /dev/null @@ -1,4 +0,0 @@ -Bugfix - * Fix mbedtls_net_poll() and mbedtls_net_recv_timeout() often failing with - MBEDTLS_ERR_NET_POLL_FAILED on Windows. Fixes #4465. -
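Review bot: in the ChangeLog hunk (@@ -1,5 +1,97 @@) the first two Security entries, "* Fix a bias in the generation of finite-field Diffie-Hellman-Merkle (DHM)" and "* Fix a potential side channel vulnerability in ECDSA ephemeral key generation.", start at column 0 while every other entry in the file is indented as " * ...". The misindentation is copied verbatim from random-range.txt and ecdsa-random-leading-zeros.txt, so correct it in the aggregated text (or in the two source files before re-running the aggregation) so the released ChangeLog is consistent. In the same hunk, "in case if the path to the seed file is equal to" should read "if the path to the seed file is equal to", "mbedtls_mpi_mul_mpi() and mbedtls_mpi_mul_int() was called" needs "were called", and "Fix #1906." should be "Fixes #1906." to match the other entries. The header "= mbed TLS x.x.x branch released xxxx-xx-xx" is a placeholder and must be filled in before the release is tagged.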
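Review bot: the deleted mbedtls_debug_print_mpi.txt hunk carries the entry "Fix a crash in mbedtls_mpi_debug_mpi on a bignum having 0 limbs", and that identifier is copied unchanged into the aggregated ChangeLog. The file is named after mbedtls_debug_print_mpi, which is the debug-module function that prints an MPI; there is no library function called mbedtls_mpi_debug_mpi. Correct the name in the aggregated entry as part of this commit, since the source file disappears with it; otherwise anyone searching the ChangeLog for the affected function will not find the fix.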
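Review bot: the dtls_sample_use_read_timeout.txt hunk files "Fix the setting of the read timeout in the DTLS sample programs" under Changes, and the aggregation preserves that section. An entry that describes itself as a fix to shipped sample code normally belongs under Bugfix, alongside the other sample and test fixes in this release; confirm the intended category before the aggregated ChangeLog is frozen, because the section heading is the only signal a downstream reader gets about whether code they may have copied from the samples was behaving incorrectly.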