Changelog: Add entry for prime validation fix
diff --git a/ChangeLog b/ChangeLog
index 0a9dc4f..7ab6f67 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -14,6 +14,19 @@
test the handling of large packets and small packets on the client side
in the same way as on the server side.
+Security
+ * Fix mbedtls_mpi_is_prime() to use more rounds of probabilistic testing. The
+ previous settings for the number of rounds made it practical for an
+ adversary to construct non-primes that would be erroneously accepted as
+ primes with high probability. This does not have an impact on the
+ security of TLS, but can matter in other contexts with potentially
+ adversarially-chosen numbers that should be prime and can be validated.
+ For example, the number of rounds was enough to securely generate RSA key
+ pairs or Diffie-Hellman parameters, but was insufficient to validate
+ Diffie-Hellman parameters properly.
+ See "Prime and Prejudice" by by Martin R. Albrecht and Jake Massimo and
+ Kenneth G. Paterson and Juraj Somorovsky.
+
= mbed TLS 2.7.6 branch released 2018-08-31
Security
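Review bot: the citation line in the added Security entry (`+ See "Prime and Prejudice" by by Martin R. Albrecht and Jake Massimo and`) has a doubled "by by" and repeats "and" between every author; suggest `See "Prime and Prejudice" by Martin R. Albrecht, Jake Massimo, Kenneth G. Paterson and Juraj Somorovsky.` The entry also never says what the round count was changed from or to, nor which public API paths are affected beyond the bare mention of validating Diffie-Hellman parameters; a reader deciding whether to upgrade needs at least which functions now behave differently and whether callers of mbedtls_mpi_is_prime() must pass anything new, so consider adding one sentence on that, and a pointer to the advisory or issue number if one exists for this fix.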