Assemble ChangeLog
Executed scripts/assemble_changelog.py.
Signed-off-by: Janos Follath <janos.follath@arm.com>
diff --git a/ChangeLog b/ChangeLog
index 96fa9f3..cf210ad 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,57 @@
mbed TLS ChangeLog (Sorted per branch, date)
+= mbed TLS x.x.x branch released xxxx-xx-xx
+
+Security
+ * Fix a side channel vulnerability in modular exponentiation that could
+ reveal an RSA private key used in a secure enclave. Noticed by Sangho Lee,
+ Ming-Wei Shih, Prasun Gera, Taesoo Kim and Hyesoon Kim (Georgia Institute
+ of Technology); and Marcus Peinado (Microsoft Research). Reported by Raoul
+ Strackx (Fortanix) in #3394.
+ * Fix side channel in mbedtls_ecp_check_pub_priv() and
+ mbedtls_pk_parse_key() / mbedtls_pk_parse_keyfile() (when loading a
+ private key that didn't include the uncompressed public key), as well as
+ mbedtls_ecp_mul() / mbedtls_ecp_mul_restartable() when called with a NULL
+ f_rng argument. An attacker with access to precise enough timing and
+ memory access information (typically an untrusted operating system
+ attacking a secure enclave) could fully recover the ECC private key.
+ Found and reported by Alejandro Cabrera Aldaya and Billy Brumley.
+ * Fix issue in Lucky 13 counter-measure that could make it ineffective when
+ hardware accelerators were used (using one of the MBEDTLS_SHAxxx_ALT
+ macros). This would cause the original Lucky 13 attack to be possible in
+ those configurations, allowing an active network attacker to recover
+ plaintext after repeated timing measurements under some conditions.
+ Reported and fix suggested by Luc Perneel in #3246.
+
+Bugfix
+ * Fix the Visual Studio Release x64 build configuration for mbedtls itself.
+ Completes a previous fix in Mbed TLS 2.16.3 that only fixed the build for
+ the example programs. Reported in #1430 and fix contributed by irwir.
+ * Fix undefined behavior in X.509 certificate parsing if the
+ pathLenConstraint basic constraint value is equal to INT_MAX.
+ The actual effect with almost every compiler is the intended
+ behavior, so this is unlikely to be exploitable anywhere. #3197
+ * Include asn1.h in error.c. Fixes #3328 reported by David Hu.
+ * Fix potential memory leaks in ecp_randomize_jac() and ecp_randomize_mxz()
+ when PRNG function fails. Contributed by Jonas Lejeune in #3318.
+ * Add additional bounds checks in ssl_write_client_hello() preventing
+ output buffer overflow if the configuration declared a buffer that was
+ too small.
+
+Changes
+ * Unify the example programs termination to call mbedtls_exit() instead of
+ using a return command. This has been done to enable customization of the
+ behavior in bare metal environments.
+ * Abort the ClientHello writing function as soon as some extension doesn't
+ fit into the record buffer. Previously, such extensions were silently
+ dropped. As a consequence, the TLS handshake now fails when the output
+ buffer is not large enough to hold the ClientHello.
+ * The ECP module, enabled by `MBEDTLS_ECP_C`, now depends on
+ `MBEDTLS_CTR_DRBG_C`, `MBEDTLS_HMAC_DRBG_C`, `MBEDTLS_SHA512_C` or
+ `MBEDTLS_SHA256_C` for some side-channel coutermeasures. If side channels
+ are not a concern, this dependency can be avoided by enabling the new
+ option `MBEDTLS_ECP_NO_INTERNAL_RNG`.
+
= mbed TLS 2.16.6 branch released 2020-04-14
Security
diff --git a/ChangeLog.d/bugfix.txt b/ChangeLog.d/bugfix.txt
deleted file mode 100644
index d7ace30..0000000
--- a/ChangeLog.d/bugfix.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Bugfix
- * Fix the Visual Studio Release x64 build configuration for mbedtls itself.
- Completes a previous fix in Mbed TLS 2.16.3 that only fixed the build for
- the example programs. Reported in #1430 and fix contributed by irwir.
diff --git a/ChangeLog.d/ecp-internal-rng.txt b/ChangeLog.d/ecp-internal-rng.txt
deleted file mode 100644
index 8b5c514..0000000
--- a/ChangeLog.d/ecp-internal-rng.txt
+++ /dev/null
@@ -1,16 +0,0 @@
-Changes
- * The ECP module, enabled by `MBEDTLS_ECP_C`, now depends on
- `MBEDTLS_CTR_DRBG_C`, `MBEDTLS_HMAC_DRBG_C`, `MBEDTLS_SHA512_C` or
- `MBEDTLS_SHA256_C` for some side-channel coutermeasures. If side channels
- are not a concern, this dependency can be avoided by enabling the new
- option `MBEDTLS_ECP_NO_INTERNAL_RNG`.
-
-Security
- * Fix side channel in mbedtls_ecp_check_pub_priv() and
- mbedtls_pk_parse_key() / mbedtls_pk_parse_keyfile() (when loading a
- private key that didn't include the uncompressed public key), as well as
- mbedtls_ecp_mul() / mbedtls_ecp_mul_restartable() when called with a NULL
- f_rng argument. An attacker with access to precise enough timing and
- memory access information (typically an untrusted operating system
- attacking a secure enclave) could fully recover the ECC private key.
- Found and reported by Alejandro Cabrera Aldaya and Billy Brumley.
diff --git a/ChangeLog.d/error-asn1.txt b/ChangeLog.d/error-asn1.txt
deleted file mode 100644
index c165696..0000000
--- a/ChangeLog.d/error-asn1.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-Bugfix
- * Include asn1.h in error.c. Fixes #3328 reported by David Hu.
diff --git a/ChangeLog.d/fix-ecp-mul-memory-leak.txt b/ChangeLog.d/fix-ecp-mul-memory-leak.txt
deleted file mode 100644
index e82cadc..0000000
--- a/ChangeLog.d/fix-ecp-mul-memory-leak.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Bugfix
- * Fix potential memory leaks in ecp_randomize_jac() and ecp_randomize_mxz()
- when PRNG function fails. Contributed by Jonas Lejeune in #3318.
diff --git a/ChangeLog.d/l13-hw-accel.txt b/ChangeLog.d/l13-hw-accel.txt
deleted file mode 100644
index 53c7924..0000000
--- a/ChangeLog.d/l13-hw-accel.txt
+++ /dev/null
@@ -1,7 +0,0 @@
-Security
- * Fix issue in Lucky 13 counter-measure that could make it ineffective when
- hardware accelerators were used (using one of the MBEDTLS_SHAxxx_ALT
- macros). This would cause the original Lucky 13 attack to be possible in
- those configurations, allowing an active network attacker to recover
- plaintext after repeated timing measurements under some conditions.
- Reported and fix suggested by Luc Perneel in #3246.
diff --git a/ChangeLog.d/max_pathlen.txt b/ChangeLog.d/max_pathlen.txt
deleted file mode 100644
index 4ebf0ad..0000000
--- a/ChangeLog.d/max_pathlen.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Bugfix
- * Fix undefined behavior in X.509 certificate parsing if the
- pathLenConstraint basic constraint value is equal to INT_MAX.
- The actual effect with almost every compiler is the intended
- behavior, so this is unlikely to be exploitable anywhere. #3197
diff --git a/ChangeLog.d/montmul-cmp-branch.txt b/ChangeLog.d/montmul-cmp-branch.txt
deleted file mode 100644
index 5994518..0000000
--- a/ChangeLog.d/montmul-cmp-branch.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-Security
- * Fix a side channel vulnerability in modular exponentiation that could
- reveal an RSA private key used in a secure enclave. Noticed by Sangho Lee,
- Ming-Wei Shih, Prasun Gera, Taesoo Kim and Hyesoon Kim (Georgia Institute
- of Technology); and Marcus Peinado (Microsoft Research). Reported by Raoul
- Strackx (Fortanix) in #3394.
diff --git a/ChangeLog.d/unified-exit-in-examples.txt b/ChangeLog.d/unified-exit-in-examples.txt
deleted file mode 100644
index 3ef9798..0000000
--- a/ChangeLog.d/unified-exit-in-examples.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Changes
- * Unify the example programs termination to call mbedtls_exit() instead of
- using a return command. This has been done to enable customization of the
- behavior in bare metal environments.
diff --git a/ChangeLog.d/uniformize_bounds_checks.txt b/ChangeLog.d/uniformize_bounds_checks.txt
deleted file mode 100644
index 210ab10..0000000
--- a/ChangeLog.d/uniformize_bounds_checks.txt
+++ /dev/null
@@ -1,9 +0,0 @@
-Bugfix
- * Add additional bounds checks in ssl_write_client_hello() preventing
- output buffer overflow if the configuration declared a buffer that was
- too small.
-Changes
- * Abort the ClientHello writing function as soon as some extension doesn't
- fit into the record buffer. Previously, such extensions were silently
- dropped. As a consequence, the TLS handshake now fails when the output
- buffer is not large enough to hold the ClientHello.