From dffb1e3d66e958bbf52a34d3c2035123826a2cf2 Mon Sep 17 00:00:00 2001 From: Waleed Elmelegy Date: Tue, 29 Aug 2023 14:56:15 +0100 Subject: [PATCH] Improve mbedtls_pkcs5_pbes2_ext changelog description Signed-off-by: Waleed Elmelegy --- ChangeLog.d/add-new-pkcs5-pbe2-ext-fun.txt | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/ChangeLog.d/add-new-pkcs5-pbe2-ext-fun.txt b/ChangeLog.d/add-new-pkcs5-pbe2-ext-fun.txt index 1ab864092..a1fded3aa 100644 --- a/ChangeLog.d/add-new-pkcs5-pbe2-ext-fun.txt +++ b/ChangeLog.d/add-new-pkcs5-pbe2-ext-fun.txt @@ -1,6 +1,6 @@ -Features - * Add new mbedtls_pkcs5_pbes2_ext function a more secure replacement to - mbedtls_pkcs5_pbes2 function because it reports the length of the output - bytes written to the output buffer and it requires a parameter containing - the output buffer size and validate if the output buffer is big enough - for output including padding. +Security + * Developers using mbedtls_pkcs5_pbes2() should review the size of the output + buffer passed to this function, and note that the output after decryption + may include CBC padding. Consider moving to the new function + mbedtls_pkcs5_pbes2_ext() which checks for overflow of the output buffer + and reports the actual length of the output.
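Review bot: The new Security entry tells developers to "review the size of the output buffer" but never says what size is sufficient, so a reader of the changelog cannot tell whether an existing mbedtls_pkcs5_pbes2() call is affected. The removed text at least said the buffer has to be big enough "for output including padding"; suggest stating the required size relative to the input length in the new wording, and saying whether the padding remark applies only to decryption or to encryption output as well. The hunk also deletes the Features heading outright, so the changelog no longer announces mbedtls_pkcs5_pbes2_ext() as a new API and only mentions it as a recommendation; consider keeping a one-line Features entry next to the Security one. Minor style point: "the new function mbedtls_pkcs5_pbes2_ext() which checks" reads better with a comma before "which".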