Assemble ChangeLog

Executed scripts/assemble_changelog.py.

Signed-off-by: Janos Follath <janos.follath@arm.com>
diff --git a/ChangeLog b/ChangeLog
index c68bd1b..ccbec19 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,71 @@
 mbed TLS ChangeLog (Sorted per branch, date)
 
+= mbed TLS x.x.x branch released xxxx-xx-xx
+
+Security
+   * Limit the size of calculations performed by mbedtls_mpi_exp_mod to
+     MBEDTLS_MPI_MAX_SIZE to prevent a potential denial of service when
+     generating Diffie-Hellman key pairs. Credit to OSS-Fuzz.
+   * A failure of the random generator was ignored in mbedtls_mpi_fill_random(),
+     which is how most uses of randomization in asymmetric cryptography
+     (including key generation, intermediate value randomization and blinding)
+     are implemented. This could cause failures or the silent use of non-random
+     values. A random generator can fail if it needs reseeding and cannot not
+     obtain entropy, or due to an internal failure (which, for Mbed TLS's own
+     CTR_DRBG or HMAC_DRBG, can only happen due to a misconfiguration).
+   * Fix a compliance issue whereby we were not checking the tag on the
+     algorithm parameters (only the size) when comparing the signature in the
+     description part of the cert to the real signature. This meant that a
+     NULL algorithm parameters entry would look identical to an array of REAL
+     (size zero) to the library and thus the certificate would be considered
+     valid. However, if the parameters do not match in *any* way then the
+     certificate should be considered invalid, and indeed OpenSSL marks these
+     certs as invalid when mbedtls did not.
+     Many thanks to guidovranken who found this issue via differential fuzzing
+     and reported it in #3629.
+   * Zeroising of local buffers and variables which are used for calculations
+     in mbedtls_pkcs5_pbkdf2_hmac(), mbedtls_internal_sha*_process(),
+     mbedtls_internal_md*_process() and mbedtls_internal_ripemd160_process()
+     functions to erase sensitive data from memory. Reported by
+     Johan Malmgren and Johan Uppman Bruce from Sectra.
+
+Bugfix
+   * Fix rsa_prepare_blinding() to retry when the blinding value is not
+     invertible (mod N), instead of returning MBEDTLS_ERR_RSA_RNG_FAILED. This
+     addresses a regression but is rare in practice (approx. 1 in 2/sqrt(N)).
+     Found by Synopsys Coverity, fix contributed by Peter Kolbus (Garmin).
+     Fixes #3647.
+   * Fix the build when the macro _GNU_SOURCE is defined to a non-empty value.
+     Fix #3432.
+   * Correct the default IV size for mbedtls_cipher_info_t structures using
+     MBEDTLS_MODE_ECB to 0, since ECB mode ciphers don't use IVs.
+   * Make arc4random_buf available on NetBSD and OpenBSD when _POSIX_C_SOURCE is
+     defined. Fix contributed in #3571. Adopted for LTS branch 2.16 in #3602.
+   * Fix build failures on GCC 11. Fixes #3782.
+   * Fix a memory leak in mbedtls_mpi_sub_abs() when the result was negative
+     (an error condition) and the second operand was aliased to the result.
+   * Fix a case in elliptic curve arithmetic where an out-of-memory condition
+     could go undetected, resulting in an incorrect result.
+   * In CTR_DRBG and HMAC_DRBG, don't reset the reseed interval in seed().
+     Fixes #2927.
+   * In PEM writing functions, fill the trailing part of the buffer with null
+     bytes. This guarantees that the corresponding parsing function can read
+     the buffer back, which was the case for mbedtls_x509write_{crt,csr}_pem
+     until this property was inadvertently broken in Mbed TLS 2.19.0.
+     Fixes #3682.
+   * Fix an issue that occurred when building with MBEDTLS_AES_SETKEY_DEC_ALT.
+     Key management methods that are required for MBEDTLS_CIPHER_MODE_XTS were
+     excluded from the build and led to failure. Fixes #3818. Reported by
+     John Stroebel.
+
+Changes
+   * Reduce stack usage significantly during sliding window exponentiation.
+     Reported in #3591 and fix contributed in #3592 by Daniel Otte.
+   * Remove the zeroization of a pointer variable in AES rounds. It was valid
+     but spurious and misleading since it looked like a mistaken attempt to
+     zeroize the pointed-to buffer. Reported by Antonio de la Piedra, CEA
+     Leti, France.
+
 = mbed TLS 2.16.8 branch released 2020-09-01
 
 Features
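Review bot: the placeholder header `= mbed TLS x.x.x branch released xxxx-xx-xx` is what assemble_changelog.py emits for an unreleased branch, so the version and date still have to be filled in before this branch is tagged. Since the assembled text is now the permanent record, the wording inherited from the fragments should also be checked here rather than in the deleted files: "cannot not obtain entropy" in the mbedtls_mpi_fill_random() entry should read "cannot obtain entropy"; "approx. 1 in 2/sqrt(N)" in the rsa_prepare_blinding() entry reads as a probability greater than one and is presumably meant as "approx. 2/sqrt(N)" (the chance that a random value shares a factor with N = pq is about 1/p + 1/q); and "Fix #3432" is inconsistent with the "Fixes #NNNN" form used by the other entries.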
diff --git a/ChangeLog.d/AES_SETKEY_ALT-fix.txt b/ChangeLog.d/AES_SETKEY_ALT-fix.txt
deleted file mode 100644
index 2a23fbc..0000000
--- a/ChangeLog.d/AES_SETKEY_ALT-fix.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Bugfix
-   * Fix an issue that occurred when building with MBEDTLS_AES_SETKEY_DEC_ALT.
-     Key management methods that are required for MBEDTLS_CIPHER_MODE_XTS were
-     excluded from the build and led to failure. Fixes #3818. Reported by
-     John Stroebel.
diff --git a/ChangeLog.d/_GNU_SOURCE-redefined.txt b/ChangeLog.d/_GNU_SOURCE-redefined.txt
deleted file mode 100644
index 59c8a15..0000000
--- a/ChangeLog.d/_GNU_SOURCE-redefined.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Bugfix
-   * Fix the build when the macro _GNU_SOURCE is defined to a non-empty value.
-     Fix #3432.
diff --git a/ChangeLog.d/adjusting sliding_window_size_PR3592.txt b/ChangeLog.d/adjusting sliding_window_size_PR3592.txt
deleted file mode 100644
index 6089565..0000000
--- a/ChangeLog.d/adjusting sliding_window_size_PR3592.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Changes
-   * Reduce stack usage significantly during sliding window exponentiation.
-     Reported in #3591 and fix contributed in #3592 by Daniel Otte.
diff --git a/ChangeLog.d/aes-zeroize-pointer.txt b/ChangeLog.d/aes-zeroize-pointer.txt
deleted file mode 100644
index ccc6dc1..0000000
--- a/ChangeLog.d/aes-zeroize-pointer.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Changes
-   * Remove the zeroization of a pointer variable in AES rounds. It was valid
-     but spurious and misleading since it looked like a mistaken attempt to
-     zeroize the pointed-to buffer. Reported by Antonio de la Piedra, CEA
-     Leti, France.
diff --git a/ChangeLog.d/arc4random_buf-implicit.txt b/ChangeLog.d/arc4random_buf-implicit.txt
deleted file mode 100644
index d20e4c8..0000000
--- a/ChangeLog.d/arc4random_buf-implicit.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Bugfix
-   * Make arc4random_buf available on NetBSD and OpenBSD when _POSIX_C_SOURCE is
-     defined. Fix contributed in #3571. Adopted for LTS branch 2.16 in #3602.
diff --git a/ChangeLog.d/bugfix-2927.txt b/ChangeLog.d/bugfix-2927.txt
deleted file mode 100644
index 2213c6e..0000000
--- a/ChangeLog.d/bugfix-2927.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Bugfix
-   * In CTR_DRBG and HMAC_DRBG, don't reset the reseed interval in seed().
-     Fixes #2927.
diff --git a/ChangeLog.d/bugfix_3782.txt b/ChangeLog.d/bugfix_3782.txt
deleted file mode 100644
index a92dffa..0000000
--- a/ChangeLog.d/bugfix_3782.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-Bugfix
-   * Fix build failures on GCC 11. Fixes #3782.
diff --git a/ChangeLog.d/clean_pem_buffers.txt b/ChangeLog.d/clean_pem_buffers.txt
deleted file mode 100644
index 5f79649..0000000
--- a/ChangeLog.d/clean_pem_buffers.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-Bugfix
-   * In PEM writing functions, fill the trailing part of the buffer with null
-     bytes. This guarantees that the corresponding parsing function can read
-     the buffer back, which was the case for mbedtls_x509write_{crt,csr}_pem
-     until this property was inadvertently broken in Mbed TLS 2.19.0.
-     Fixes #3682.
diff --git a/ChangeLog.d/ecb_iv_fix.txt b/ChangeLog.d/ecb_iv_fix.txt
deleted file mode 100644
index ae2ae25..0000000
--- a/ChangeLog.d/ecb_iv_fix.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Bugfix
-   * Correct the default IV size for mbedtls_cipher_info_t structures using
-     MBEDTLS_MODE_ECB to 0, since ECB mode ciphers don't use IVs.
diff --git a/ChangeLog.d/ecp-bignum-error-checks.txt b/ChangeLog.d/ecp-bignum-error-checks.txt
deleted file mode 100644
index 8cad08e..0000000
--- a/ChangeLog.d/ecp-bignum-error-checks.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Bugfix
-   * Fix a memory leak in mbedtls_mpi_sub_abs() when the result was negative
-     (an error condition) and the second operand was aliased to the result.
-   * Fix a case in elliptic curve arithmetic where an out-of-memory condition
-     could go undetected, resulting in an incorrect result.
diff --git a/ChangeLog.d/fix-rsa-blinding.txt b/ChangeLog.d/fix-rsa-blinding.txt
deleted file mode 100644
index a13572c..0000000
--- a/ChangeLog.d/fix-rsa-blinding.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-Bugfix
-   * Fix rsa_prepare_blinding() to retry when the blinding value is not
-     invertible (mod N), instead of returning MBEDTLS_ERR_RSA_RNG_FAILED. This
-     addresses a regression but is rare in practice (approx. 1 in 2/sqrt(N)).
-     Found by Synopsys Coverity, fix contributed by Peter Kolbus (Garmin).
-     Fixes #3647.
diff --git a/ChangeLog.d/limit_size_of_diffie_hellman_calculations.txt b/ChangeLog.d/limit_size_of_diffie_hellman_calculations.txt
deleted file mode 100644
index 2ba98d5..0000000
--- a/ChangeLog.d/limit_size_of_diffie_hellman_calculations.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Security
-   * Limit the size of calculations performed by mbedtls_mpi_exp_mod to
-     MBEDTLS_MPI_MAX_SIZE to prevent a potential denial of service when
-     generating Diffie-Hellman key pairs. Credit to OSS-Fuzz.
diff --git a/ChangeLog.d/mpi_fill_random-rng_failure.txt b/ChangeLog.d/mpi_fill_random-rng_failure.txt
deleted file mode 100644
index 8addf18..0000000
--- a/ChangeLog.d/mpi_fill_random-rng_failure.txt
+++ /dev/null
@@ -1,8 +0,0 @@
-Security
-   * A failure of the random generator was ignored in mbedtls_mpi_fill_random(),
-     which is how most uses of randomization in asymmetric cryptography
-     (including key generation, intermediate value randomization and blinding)
-     are implemented. This could cause failures or the silent use of non-random
-     values. A random generator can fail if it needs reseeding and cannot not
-     obtain entropy, or due to an internal failure (which, for Mbed TLS's own
-     CTR_DRBG or HMAC_DRBG, can only happen due to a misconfiguration).
diff --git a/ChangeLog.d/x509-add-tag-check-to-algorithm-params.txt b/ChangeLog.d/x509-add-tag-check-to-algorithm-params.txt
deleted file mode 100644
index f2c72b0..0000000
--- a/ChangeLog.d/x509-add-tag-check-to-algorithm-params.txt
+++ /dev/null
@@ -1,11 +0,0 @@
-Security
-   * Fix a compliance issue whereby we were not checking the tag on the
-     algorithm parameters (only the size) when comparing the signature in the
-     description part of the cert to the real signature. This meant that a
-     NULL algorithm parameters entry would look identical to an array of REAL
-     (size zero) to the library and thus the certificate would be considered
-     valid. However, if the parameters do not match in *any* way then the
-     certificate should be considered invalid, and indeed OpenSSL marks these
-     certs as invalid when mbedtls did not.
-     Many thanks to guidovranken who found this issue via differential fuzzing
-     and reported it in #3629.
diff --git a/ChangeLog.d/zeroizations_of_sensitive_data_in_PKCS5_and_SHA.txt b/ChangeLog.d/zeroizations_of_sensitive_data_in_PKCS5_and_SHA.txt
deleted file mode 100644
index 320bb0e..0000000
--- a/ChangeLog.d/zeroizations_of_sensitive_data_in_PKCS5_and_SHA.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-Security
-   * Zeroising of local buffers and variables which are used for calculations
-     in mbedtls_pkcs5_pbkdf2_hmac(), mbedtls_internal_sha*_process(),
-     mbedtls_internal_md*_process() and mbedtls_internal_ripemd160_process()
-     functions to erase sensitive data from memory. Reported by
-     Johan Malmgren and Johan Uppman Bruce from Sectra.