From 869821100813190d8bdb0722020a6b44e285a655 Mon Sep 17 00:00:00 2001 From: Minos Galanakis Date: Thu, 21 Mar 2024 15:47:24 +0000 Subject: [PATCH] Assemble Changelog Signed-off-by: Minos Galanakis --- ChangeLog | 52 +++++++++++++++++++ ChangeLog.d/8372.txt | 3 -- ChangeLog.d/cmake_use_GnuInstallDirs.txt | 5 -- ChangeLog.d/fix-alpn-negotiating-bug.txt | 3 -- .../fix-cmake-3rdparty-custom-config.txt | 3 -- ChangeLog.d/fix-mingw32-build.txt | 4 -- .../fix-ssl-session-serialization-config.txt | 4 -- .../fix_kdf_incorrect_initial_capacity.txt | 3 -- ChangeLog.d/gen-key-segfault.txt | 3 -- ChangeLog.d/pkg-config-files-addition.txt | 3 -- ChangeLog.d/pkwrite-pem-use-heap.txt | 4 -- ChangeLog.d/psa-shared-memory-protection.txt | 17 ------ ChangeLog.d/rsa-bitlen.txt | 3 -- 13 files changed, 52 insertions(+), 55 deletions(-) delete mode 100644 ChangeLog.d/8372.txt delete mode 100644 ChangeLog.d/cmake_use_GnuInstallDirs.txt delete mode 100644 ChangeLog.d/fix-alpn-negotiating-bug.txt delete mode 100644 ChangeLog.d/fix-cmake-3rdparty-custom-config.txt delete mode 100644 ChangeLog.d/fix-mingw32-build.txt delete mode 100644 ChangeLog.d/fix-ssl-session-serialization-config.txt delete mode 100644 ChangeLog.d/fix_kdf_incorrect_initial_capacity.txt delete mode 100644 ChangeLog.d/gen-key-segfault.txt delete mode 100644 ChangeLog.d/pkg-config-files-addition.txt delete mode 100644 ChangeLog.d/pkwrite-pem-use-heap.txt delete mode 100644 ChangeLog.d/psa-shared-memory-protection.txt delete mode 100644 ChangeLog.d/rsa-bitlen.txt diff --git a/ChangeLog b/ChangeLog index 5434e5509..497d71952 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -1,5 +1,57 @@ Mbed TLS ChangeLog (Sorted per branch, date) += Mbed TLS x.x.x branch released xxxx-xx-xx + +Features + * AES-NI is now supported in Windows builds with clang and clang-cl. + Resolves #8372. + * Add pc files for pkg-config. eg.: + pkg-config --cflags --libs (mbedtls|mbedcrypto|mbedx509) + +Security + * Passing buffers that are stored in untrusted memory as arguments + to PSA functions is now secure by default. + The PSA core now protects against modification of inputs or exposure + of intermediate outputs during operations. This is currently implemented + by copying buffers. + This feature increases code size and memory usage. If buffers passed to + PSA functions are owned exclusively by the PSA core for the duration of + the function call (i.e. no buffer parameters are in shared memory), + copying may be disabled by setting MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS. + Note that setting this option will cause input-output buffer overlap to + be only partially supported (#3266). + Fixes CVE-2024-28960 + +Bugfix + * Fix the build with CMake when Everest is enabled through + a user configuration file or the compiler command line. Fixes #8165. + * Fix an inconsistency between implementations and usages of `__cpuid`, + which mainly causes failures when building Windows target using + mingw or clang. Fixes #8334 & #8332. + * Correct initial capacities for key derivation algorithms:TLS12_PRF, + TLS12_PSK_TO_MS + * Fix mbedtls_pk_get_bitlen() for RSA keys whose size is not a + multiple of 8. Fixes #868. + * Avoid segmentation fault caused by releasing not initialized + entropy resource in gen_key example. Fixes #8809. + * Fix missing bitflags in SSL session serialization headers. Their absence + allowed SSL sessions saved in one configuration to be loaded in a + different, incompatible configuration. + * Fix the restoration of the ALPN when loading serialized connection with + * the mbedtls_ssl_context_load() API. 
+ * Fully support arbitrary overlap between inputs and outputs of PSA + functions. Note that overlap is still only partially supported when + MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS is set (#3266). + +Changes + * Use heap memory to allocate DER encoded public/private key. + This reduces stack usage significantly for writing a public/private + key to a PEM string. + * cmake: Use GnuInstallDirs to customize install directories + Replace custom LIB_INSTALL_DIR variable with standard CMAKE_INSTALL_LIBDIR + variable. For backward compatibility, set CMAKE_INSTALL_LIBDIR if + LIB_INSTALL_DIR is set. + = Mbed TLS 2.28.7 branch released 2024-01-26 Security diff --git a/ChangeLog.d/8372.txt b/ChangeLog.d/8372.txt deleted file mode 100644 index 4a72edfb1..000000000 --- a/ChangeLog.d/8372.txt +++ /dev/null @@ -1,3 +0,0 @@ -Features - * AES-NI is now supported in Windows builds with clang and clang-cl. - Resolves #8372. diff --git a/ChangeLog.d/cmake_use_GnuInstallDirs.txt b/ChangeLog.d/cmake_use_GnuInstallDirs.txt deleted file mode 100644 index d8487555d..000000000 --- a/ChangeLog.d/cmake_use_GnuInstallDirs.txt +++ /dev/null @@ -1,5 +0,0 @@ -Changes - * cmake: Use GnuInstallDirs to customize install directories - Replace custom LIB_INSTALL_DIR variable with standard CMAKE_INSTALL_LIBDIR - variable. For backward compatibility, set CMAKE_INSTALL_LIBDIR if - LIB_INSTALL_DIR is set. diff --git a/ChangeLog.d/fix-alpn-negotiating-bug.txt b/ChangeLog.d/fix-alpn-negotiating-bug.txt deleted file mode 100644 index 3bceb37f3..000000000 --- a/ChangeLog.d/fix-alpn-negotiating-bug.txt +++ /dev/null @@ -1,3 +0,0 @@ -Bugfix - * Fix the restoration of the ALPN when loading serialized connection with - * the mbedtls_ssl_context_load() API. diff --git a/ChangeLog.d/fix-cmake-3rdparty-custom-config.txt b/ChangeLog.d/fix-cmake-3rdparty-custom-config.txt deleted file mode 100644 index c52aa3dee..000000000 --- a/ChangeLog.d/fix-cmake-3rdparty-custom-config.txt +++ /dev/null 
@@ -1,3 +0,0 @@ -Bugfix - * Fix the build with CMake when Everest is enabled through - a user configuration file or the compiler command line. Fixes #8165. diff --git a/ChangeLog.d/fix-mingw32-build.txt b/ChangeLog.d/fix-mingw32-build.txt deleted file mode 100644 index feef0a2c5..000000000 --- a/ChangeLog.d/fix-mingw32-build.txt +++ /dev/null @@ -1,4 +0,0 @@ -Bugfix - * Fix an inconsistency between implementations and usages of `__cpuid`, - which mainly causes failures when building Windows target using - mingw or clang. Fixes #8334 & #8332. diff --git a/ChangeLog.d/fix-ssl-session-serialization-config.txt b/ChangeLog.d/fix-ssl-session-serialization-config.txt deleted file mode 100644 index ca1cc81f5..000000000 --- a/ChangeLog.d/fix-ssl-session-serialization-config.txt +++ /dev/null @@ -1,4 +0,0 @@ -Bugfix - * Fix missing bitflags in SSL session serialization headers. Their absence - allowed SSL sessions saved in one configuration to be loaded in a - different, incompatible configuration. diff --git a/ChangeLog.d/fix_kdf_incorrect_initial_capacity.txt b/ChangeLog.d/fix_kdf_incorrect_initial_capacity.txt deleted file mode 100644 index 11b82782f..000000000 --- a/ChangeLog.d/fix_kdf_incorrect_initial_capacity.txt +++ /dev/null @@ -1,3 +0,0 @@ -Bugfix - * Correct initial capacities for key derivation algorithms:TLS12_PRF, - TLS12_PSK_TO_MS diff --git a/ChangeLog.d/gen-key-segfault.txt b/ChangeLog.d/gen-key-segfault.txt deleted file mode 100644 index fefc70272..000000000 --- a/ChangeLog.d/gen-key-segfault.txt +++ /dev/null @@ -1,3 +0,0 @@ -Bugfix - * Avoid segmentation fault caused by releasing not initialized - entropy resource in gen_key example. Fixes #8809. diff --git a/ChangeLog.d/pkg-config-files-addition.txt b/ChangeLog.d/pkg-config-files-addition.txt deleted file mode 100644 index 5df6ffb3b..000000000 --- a/ChangeLog.d/pkg-config-files-addition.txt +++ /dev/null 
@@ -1,3 +0,0 @@ -Features - * Add pc files for pkg-config. eg.: - pkg-config --cflags --libs (mbedtls|mbedcrypto|mbedx509) diff --git a/ChangeLog.d/pkwrite-pem-use-heap.txt b/ChangeLog.d/pkwrite-pem-use-heap.txt deleted file mode 100644 index 11db7b6b0..000000000 --- a/ChangeLog.d/pkwrite-pem-use-heap.txt +++ /dev/null @@ -1,4 +0,0 @@ -Changes - * Use heap memory to allocate DER encoded public/private key. - This reduces stack usage significantly for writing a public/private - key to a PEM string. diff --git a/ChangeLog.d/psa-shared-memory-protection.txt b/ChangeLog.d/psa-shared-memory-protection.txt deleted file mode 100644 index 09779b7d2..000000000 --- a/ChangeLog.d/psa-shared-memory-protection.txt +++ /dev/null @@ -1,17 +0,0 @@ -Security - * Passing buffers that are stored in untrusted memory as arguments - to PSA functions is now secure by default. - The PSA core now protects against modification of inputs or exposure - of intermediate outputs during operations. This is currently implemented - by copying buffers. - This feature increases code size and memory usage. If buffers passed to - PSA functions are owned exclusively by the PSA core for the duration of - the function call (i.e. no buffer parameters are in shared memory), - copying may be disabled by setting MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS. - Note that setting this option will cause input-output buffer overlap to - be only partially supported (#3266). - Fixes CVE-2024-28960 -Bugfix - * Fully support arbitrary overlap between inputs and outputs of PSA - functions. Note that overlap is still only partially supported when - MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS is set (#3266). diff --git a/ChangeLog.d/rsa-bitlen.txt b/ChangeLog.d/rsa-bitlen.txt deleted file mode 100644 index 9cb868947..000000000 --- a/ChangeLog.d/rsa-bitlen.txt +++ /dev/null @@ -1,3 +0,0 @@ -Bugfix - * Fix mbedtls_pk_get_bitlen() for RSA keys whose size is not a - multiple of 8. Fixes #868.
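Review bot: In the Bugfix section of the assembled ChangeLog hunk, the continuation line of the ALPN entry starts with its own bullet marker ("* the mbedtls_ssl_context_load() API."), so it reads as a separate entry rather than the second line of "Fix the restoration of the ALPN when loading serialized connection with". The same stray asterisk is present in the deleted ChangeLog.d/fix-alpn-negotiating-bug.txt, so assembly carried it over unchanged; suggest dropping the asterisk and indenting the line like the other continuation lines. Smaller points in the same hunk: the key derivation entry reads "algorithms:TLS12_PRF," with no space after the colon and no closing period, "Fixes CVE-2024-28960" at the end of the Security entry also lacks a period, and the new heading is still the "x.x.x branch released xxxx-xx-xx" placeholder, which needs the real version and date before the release is tagged.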