Assemble ChangeLog

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2026-03-20 19:21:09 +01:00 · 2021-12-14 11:08:55 +01:00
parent b0c54a7d46
commit 652e035ea1
13 changed files with 55 additions and 60 deletions
--- a/55
+++ b/55
@@ -1,5 +1,60 @@
 mbed TLS ChangeLog (Sorted per branch, date)

+= mbed TLS x.x.x branch released xxxx-xx-xx
+
+Security
+   * Zeroize several intermediate variables used to calculate the expected
+     value when verifying a MAC or AEAD tag. This hardens the library in
+     case the value leaks through a memory disclosure vulnerability. For
+     example, a memory disclosure vulnerability could have allowed a
+     man-in-the-middle to inject fake ciphertext into a DTLS connection.
+   * Fix a double-free that happened after mbedtls_ssl_set_session() or
+     mbedtls_ssl_get_session() failed with MBEDTLS_ERR_SSL_ALLOC_FAILED
+     (out of memory). After that, calling mbedtls_ssl_session_free()
+     and mbedtls_ssl_free() would cause an internal session buffer to
+     be free()'d twice.
+
+Bugfix
+   * Stop using reserved identifiers as local variables. Fixes #4630.
+   * The GNU makefiles invoke python3 in preference to python except on Windows.
+     The check was accidentally not performed when cross-compiling for Windows
+     on Linux. Fix this. Fixes #4774.
+   * Mark basic constraints critical as appropriate. Note that the previous
+     entry for this fix in the 2.16.10 changelog was in error, and it was not
+     included in the 2.16.10 release as was stated.
+     Make 'mbedtls_x509write_crt_set_basic_constraints' consistent with RFC
+     5280 4.2.1.9 which says: "Conforming CAs MUST include this extension in
+     all CA certificates that contain public keys used to validate digital
+     signatures on certificates and MUST mark the extension as critical in
+     such certificates." Previous to this change, the extension was always
+     marked as non-critical. This was fixed by #4044.
+   * Fix missing constraints on x86_64 assembly code for bignum multiplication
+     that broke some bignum operations with (at least) Clang 12.
+     Fixes #4116, #4786, #4917.
+   * Failures of alternative implementations of AES or DES single-block
+     functions enabled with MBEDTLS_AES_ENCRYPT_ALT, MBEDTLS_AES_DECRYPT_ALT,
+     MBEDTLS_DES_CRYPT_ECB_ALT or MBEDTLS_DES3_CRYPT_ECB_ALT were ignored.
+     This does not concern the implementation provided with Mbed TLS,
+     where this function cannot fail, or full-module replacements with
+     MBEDTLS_AES_ALT or MBEDTLS_DES_ALT. Reported by Armelle Duboc in #1092.
+   * Some failures of HMAC operations were ignored. These failures could only
+     happen with an alternative implementation of the underlying hash module.
+   * Fix the build of sample programs when neither MBEDTLS_ERROR_C nor
+     MBEDTLS_ERROR_STRERROR_DUMMY is enabled.
+   * Fix a bug in mbedtls_gcm_starts() when bits of iv are longer than 2^32.
+     Fixes #4884.
+   * Fix the build when no SHA2 module is included. Fixes #4930.
+   * Fix the build when only the bignum module is included. Fixes #4929.
+   * Fix a potential invalid pointer dereference and infinite loop bugs in
+     pkcs12 functions when the password is empty. Fix the documentation to
+     better describe the inputs to these functions and their possible values.
+     Fixes #5136.
+
+Changes
+   * Improve the performance of base64 constant-flow code. The result is still
+     slower than the original non-constant-flow implementation, but much faster
+     than the previous constant-flow implementation. Fixes #4814.
+
 = mbed TLS 2.16.11 branch released 2021-07-07

 Security
--- a/ChangeLog.d/base64-ranges.txt
+++ b/ChangeLog.d/base64-ranges.txt
@@ -1,4 +0,0 @@
-Changes
-   * Improve the performance of base64 constant-flow code. The result is still
-     slower than the original non-constant-flow implementation, but much faster
-     than the previous constant-flow implementation. Fixes #4814.
--- a/ChangeLog.d/bugfix-for-gcm-long-iv-size.txt
+++ b/ChangeLog.d/bugfix-for-gcm-long-iv-size.txt
@@ -1,3 +0,0 @@
-Bugfix
-   * Fix a bug in mbedtls_gcm_starts() when bits of iv are longer than 2^32.
-     Fixes #4884.
--- a/ChangeLog.d/build-without-sha.txt
+++ b/ChangeLog.d/build-without-sha.txt
@@ -1,3 +0,0 @@
-Bugfix
-   * Fix the build when no SHA2 module is included. Fixes #4930.
-   * Fix the build when only the bignum module is included. Fixes #4929.
--- a/ChangeLog.d/check-return.txt
+++ b/ChangeLog.d/check-return.txt
@@ -1,10 +0,0 @@
-Bugfix
-   * Failures of alternative implementations of AES or DES single-block
-     functions enabled with MBEDTLS_AES_ENCRYPT_ALT, MBEDTLS_AES_DECRYPT_ALT,
-     MBEDTLS_DES_CRYPT_ECB_ALT or MBEDTLS_DES3_CRYPT_ECB_ALT were ignored.
-     This does not concern the implementation provided with Mbed TLS,
-     where this function cannot fail, or full-module replacements with
-     MBEDTLS_AES_ALT or MBEDTLS_DES_ALT. Reported by Armelle Duboc in #1092.
-   * Some failures of HMAC operations were ignored. These failures could only
-     happen with an alternative implementation of the underlying hash module.
-
--- a/ChangeLog.d/fix-pkcs12-null-password.txt
+++ b/ChangeLog.d/fix-pkcs12-null-password.txt
@@ -1,5 +0,0 @@
-Bugfix
-   * Fix a potential invalid pointer dereference and infinite loop bugs in
-     pkcs12 functions when the password is empty. Fix the documentation to
-     better describe the inputs to these functions and their possible values.
-     Fixes #5136.
--- a/ChangeLog.d/fix-session-copy-bug.txt
+++ b/ChangeLog.d/fix-session-copy-bug.txt
@@ -1,6 +0,0 @@
-Security
-   * Fix a double-free that happened after mbedtls_ssl_set_session() or
-     mbedtls_ssl_get_session() failed with MBEDTLS_ERR_SSL_ALLOC_FAILED
-     (out of memory). After that, calling mbedtls_ssl_session_free()
-     and mbedtls_ssl_free() would cause an internal session buffer to
-     be free()'d twice.
--- a/ChangeLog.d/issue4630.txt
+++ b/ChangeLog.d/issue4630.txt
@@ -1,2 +0,0 @@
-Bugfix
-   * Stop using reserved identifiers as local variables. Fixes #4630.
--- a/ChangeLog.d/issue4870.txt
+++ b/ChangeLog.d/issue4870.txt
@@ -1,10 +0,0 @@
-Bugfix
-   * Mark basic constraints critical as appropriate. Note that the previous
-     entry for this fix in the 2.16.10 changelog was in error, and it was not
-     included in the 2.16.10 release as was stated.
-     Make 'mbedtls_x509write_crt_set_basic_constraints' consistent with RFC
-     5280 4.2.1.9 which says: "Conforming CAs MUST include this extension in
-     all CA certificates that contain public keys used to validate digital
-     signatures on certificates and MUST mark the extension as critical in
-     such certificates." Previous to this change, the extension was always
-     marked as non-critical. This was fixed by #4044.
--- a/ChangeLog.d/mac-zeroize.txt
+++ b/ChangeLog.d/mac-zeroize.txt
@@ -1,6 +0,0 @@
-Security
-   * Zeroize several intermediate variables used to calculate the expected
-     value when verifying a MAC or AEAD tag. This hardens the library in
-     case the value leaks through a memory disclosure vulnerability. For
-     example, a memory disclosure vulnerability could have allowed a
-     man-in-the-middle to inject fake ciphertext into a DTLS connection.
--- a/ChangeLog.d/makefile-python-windows.txt
+++ b/ChangeLog.d/makefile-python-windows.txt
@@ -1,4 +0,0 @@
-Bugfix
-   * The GNU makefiles invoke python3 in preference to python except on Windows.
-     The check was accidentally not performed when cross-compiling for Windows
-     on Linux. Fix this. Fixes #4774.
--- a/ChangeLog.d/muladdc-amd64-memory.txt
+++ b/ChangeLog.d/muladdc-amd64-memory.txt
@@ -1,4 +0,0 @@
-Bugfix
-   * Fix missing constraints on x86_64 assembly code for bignum multiplication
-     that broke some bignum operations with (at least) Clang 12.
-     Fixes #4116, #4786, #4917.
--- a/ChangeLog.d/no-strerror.txt
+++ b/ChangeLog.d/no-strerror.txt
@@ -1,3 +0,0 @@
-Bugfix
-   * Fix the build of sample programs when neither MBEDTLS_ERROR_C nor
-     MBEDTLS_ERROR_STRERROR_DUMMY is enabled.