Merge fix for AEAD Random IVs

commit: 8e004104020dd4328434e8a207245b0327bbb9b1 [log] [tgz]
author: Simon Butcher <simon.butcher@arm.com> Fri Oct 14 00:48:33 2016 +0100
committer: Simon Butcher <simon.butcher@arm.com> Fri Oct 14 00:48:33 2016 +0100
tree: 2179f1faeca421722af14280fe05695e0d416bd7
parent: 9800a058ae3693c2cfae3e9b803910605c7ad6ba [diff] [blame]
diff --git a/ChangeLog b/ChangeLog
index 86f36bb..5f4774a 100644
--- a/ChangeLog
+++ b/ChangeLog

@@ -3,6 +3,10 @@
 = mbed TLS 2.3.x branch released 2016-xx-xx
 
 Security
+   * Remove MBEDTLS_SSL_AEAD_RANDOM_IV option, because it was not compliant
+     with RFC5116 and could lead to session key recovery in very long TLS
+     sessions. (H. Bock, A. Zauner, S. Devlin, J. Somorovsky, P. Jovanovic -
+     "Nonce-Disrespecting Adversaries Practical Forgery Attacks on GCM in TLS")
    * Fix potential stack corruption in mbedtls_x509write_crt_der() and
      mbedtls_x509write_csr_der() when the signature is copied to the buffer
      without checking whether there is enough space in the destination. The
commit	8e004104020dd4328434e8a207245b0327bbb9b1	[log] [tgz]
author	Simon Butcher <simon.butcher@arm.com>	Fri Oct 14 00:48:33 2016 +0100
committer	Simon Butcher <simon.butcher@arm.com>	Fri Oct 14 00:48:33 2016 +0100
tree	2179f1faeca421722af14280fe05695e0d416bd7
parent	9800a058ae3693c2cfae3e9b803910605c7ad6ba [diff] [blame]