From 06900034cb832ef7b2fcdcc772a83d08308043c7 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 9 Jun 2022 18:38:35 +0200 Subject: [PATCH 1/4] Changelog: remove bugfix entry that's actually a robustness improvement If the key agreement or the public key export in ssl_write_client_key_exchange() fails, the handshake enters a failed state. The only valid thing you can do in a failed handshake is to abort it, which calls mbedtls_ssl_handshake_free(), which destroys ecdh_psa_privey. While it's good hygiene to destroy the key in the function that creates it, it would have been cleaned up a little later in the normal course of things anyway, so there wasn't an actual bug. Signed-off-by: Gilles Peskine --- ChangeLog.d/raw-agreement-destroy-missing.txt | 3 --- 1 file changed, 3 deletions(-) delete mode 100644 ChangeLog.d/raw-agreement-destroy-missing.txt diff --git a/ChangeLog.d/raw-agreement-destroy-missing.txt b/ChangeLog.d/raw-agreement-destroy-missing.txt deleted file mode 100644 index 7342b8cfa..000000000 --- a/ChangeLog.d/raw-agreement-destroy-missing.txt +++ /dev/null @@ -1,3 +0,0 @@ -Bugfix - * Add missing key slot destruction calls when a raw key agreement or - a public key export fails in ssl_write_client_key_exchange. From 8960d0585b5ef467e976a71e81ca852cbc0384ed Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 9 Jun 2022 18:44:51 +0200 Subject: [PATCH 2/4] Changelog: mention bug id in bugfix entry Signed-off-by: Gilles Peskine --- ChangeLog.d/use-psa-ecdhe-curve.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ChangeLog.d/use-psa-ecdhe-curve.txt b/ChangeLog.d/use-psa-ecdhe-curve.txt index cc432bdae..658f88f84 100644 --- a/ChangeLog.d/use-psa-ecdhe-curve.txt +++ b/ChangeLog.d/use-psa-ecdhe-curve.txt 
@@ -4,4 +4,4 @@ Bugfix client would fail to check that the curve selected by the server for ECDHE was indeed one that was offered. As a result, the client would accept any curve that it supported, even if that curve was not allowed - according to its configuration. + according to its configuration. Fixes #5291. From cd1608914fda40ec07ab2f04d040f966a9ae6a9e Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 9 Jun 2022 18:48:21 +0200 Subject: [PATCH 3/4] Changelog: clarify a cmake-related entry as being about cmake Signed-off-by: Gilles Peskine --- ChangeLog.d/fix-windows-cmake-build-with-shared-libraries.txt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ChangeLog.d/fix-windows-cmake-build-with-shared-libraries.txt b/ChangeLog.d/fix-windows-cmake-build-with-shared-libraries.txt index 687864523..a6540a1aa 100644 --- a/ChangeLog.d/fix-windows-cmake-build-with-shared-libraries.txt +++ b/ChangeLog.d/fix-windows-cmake-build-with-shared-libraries.txt @@ -1,3 +1,3 @@ Bugfix - * Fix compilation on Windows when building shared library, by setting - library search path to CMAKE_CURRENT_BINARY_DIR. + * Fix the library search path when building a shared library with CMake + on Windows. From 83f54aad6a1046743189058e9a960b41257fce40 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 9 Jun 2022 18:51:18 +0200 Subject: [PATCH 4/4] Changelog: minor copyediting Signed-off-by: Gilles Peskine --- ChangeLog.d/fix-x25519-program.txt | 2 +- ChangeLog.d/mbedtls_ssl_config_defaults-memleak.txt | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ChangeLog.d/fix-x25519-program.txt b/ChangeLog.d/fix-x25519-program.txt index af60465b5..bf5d6ac39 100644 --- a/ChangeLog.d/fix-x25519-program.txt +++ b/ChangeLog.d/fix-x25519-program.txt 
@@ -1,4 +1,4 @@ Bugfix - * Fix a bug in x25519 example program where the removal of + * Fix a bug in the x25519 example program where the removal of MBEDTLS_ECDH_LEGACY_CONTEXT caused the program not to run. Fixes #4901 and #3191. diff --git a/ChangeLog.d/mbedtls_ssl_config_defaults-memleak.txt b/ChangeLog.d/mbedtls_ssl_config_defaults-memleak.txt index d55c01631..043b273c7 100644 --- a/ChangeLog.d/mbedtls_ssl_config_defaults-memleak.txt +++ b/ChangeLog.d/mbedtls_ssl_config_defaults-memleak.txt @@ -1,2 +1,2 @@ Bugfix - * Fix memory leak if mbedtls_ssl_config_defaults() call is repeated + * Fix a memory leak if mbedtls_ssl_config_defaults() is called twice.
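Review bot: In PATCH 1/4, deleting ChangeLog.d/raw-agreement-destroy-missing.txt outright leaves the added key slot destruction calls in ssl_write_client_key_exchange with no changelog record at all. The commit message's argument rests on the failed handshake being aborted so that mbedtls_ssl_handshake_free() runs. If the project records robustness changes anywhere, rewording the entry would preserve that history better than removing it. The commit message also spells the field as "ecdh_psa_privey", which is worth checking against the actual member name before merge.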
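Review bot: In PATCH 2/4, the ChangeLog.d/use-psa-ecdhe-curve.txt entry stays under "Bugfix" even though its text describes the client accepting an ECDHE curve "not allowed according to its configuration", which is a policy bypass rather than a functional defect. Either move the entry to a security heading or say in the commit message why it is classed as an ordinary bug. The added "Fixes #5291." reference is fine as written.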
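Review bot: In PATCH 3/4, the reworded entry in ChangeLog.d/fix-windows-cmake-build-with-shared-libraries.txt no longer states the symptom. The old text said the fix was for "compilation on Windows", while the new text only says "Fix the library search path", so a reader cannot tell what failed before the fix. Dropping the CMAKE_CURRENT_BINARY_DIR detail is reasonable for a changelog, but keep the user-visible effect, for example by saying that the build failed when building a shared library with CMake on Windows.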
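Review bot: In PATCH 4/4, the new line in ChangeLog.d/mbedtls_ssl_config_defaults-memleak.txt narrows the meaning. "is called twice" reads as exactly two calls, whereas the original "call is repeated" covered any number of repeat calls. "is called more than once" would keep the original scope, and naming the object the calls are repeated on would make the condition unambiguous. The x25519 hunk in the same commit is a pure article fix and needs no change.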