From d622c7de56b31238a66a1cbe8cda9e56669b673d Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 29 Nov 2022 22:18:05 +0100 Subject: [PATCH 01/12] Changelog entry files must have a .txt extension Signed-off-by: Gilles Peskine --- ChangeLog.d/{fix_cmake_gen_files => fix_cmake_gen_files.txt} | 0 ...ix_hard_link_across_drives => fix_hard_link_across_drives.txt} | 0 2 files changed, 0 insertions(+), 0 deletions(-) rename ChangeLog.d/{fix_cmake_gen_files => fix_cmake_gen_files.txt} (100%) rename ChangeLog.d/{fix_hard_link_across_drives => fix_hard_link_across_drives.txt} (100%) diff --git a/ChangeLog.d/fix_cmake_gen_files b/ChangeLog.d/fix_cmake_gen_files.txt similarity index 100% rename from ChangeLog.d/fix_cmake_gen_files rename to ChangeLog.d/fix_cmake_gen_files.txt diff --git a/ChangeLog.d/fix_hard_link_across_drives b/ChangeLog.d/fix_hard_link_across_drives.txt similarity index 100% rename from ChangeLog.d/fix_hard_link_across_drives rename to ChangeLog.d/fix_hard_link_across_drives.txt From 787c79dc1a39eddf32243d55547cbc5b0e3f8b6a Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 29 Nov 2022 22:27:03 +0100 Subject: [PATCH 02/12] Remove changelog entry for an internal change We removed internal code left over after removing a feature in Mbed TLS 3.0. The removal of the internal code is not user-visible. Signed-off-by: Gilles Peskine --- ChangeLog.d/remove_ssl_session_compression.txt | 5 ----- 1 file changed, 5 deletions(-) delete mode 100644 ChangeLog.d/remove_ssl_session_compression.txt diff --git a/ChangeLog.d/remove_ssl_session_compression.txt b/ChangeLog.d/remove_ssl_session_compression.txt deleted file mode 100644 index dc59f1c9d..000000000 --- a/ChangeLog.d/remove_ssl_session_compression.txt +++ /dev/null @@ -1,5 +0,0 @@ -Removals - * Remove compression property from SSL session struct. - MBEDTLS_SSL_COMPRESS_NULL is now the only supported - compression option and can be used for compatibility - reasons. Changes requested in #4223. From 20c1f03dd51ea619ee43420b913c21071e91b08b Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 29 Nov 2022 22:39:44 +0100 Subject: [PATCH 03/12] Improve wording, punctuation, etc. Signed-off-by: Gilles Peskine --- ChangeLog.d/dtls-connection-id.txt | 15 ++++++++------- ...tend-query_compile_time_config-to-psa_want.txt | 2 +- ...build_error_for_mbedtls_deprecated_removed.txt | 4 ++-- ...x_build_tls1_2_with_single_encryption_type.txt | 5 ++--- ChangeLog.d/fix_cmake_using_iar_toolchain.txt | 2 +- ...mption_fail_when_hostname_is_not_localhost.txt | 6 +++--- ChangeLog.d/fix_zeroization.txt | 4 ++-- ChangeLog.d/mbedtls_asn1_type_free.txt | 4 ++-- ChangeLog.d/tls13-misc.txt | 11 +++++------ 9 files changed, 26 insertions(+), 27 deletions(-) diff --git a/ChangeLog.d/dtls-connection-id.txt b/ChangeLog.d/dtls-connection-id.txt index eb9e216c4..0d0a71f29 100644 --- a/ChangeLog.d/dtls-connection-id.txt +++ b/ChangeLog.d/dtls-connection-id.txt @@ -5,12 +5,13 @@ Features Changes * Previously the macro MBEDTLS_SSL_DTLS_CONNECTION_ID implemented version 05 - of the draft, and was marked experimental and disabled by default. It is - now no longer experimental, and implements the final version from RFC 9146, - which is not interoperable with the draft-05 version. If you need to - communicate with peers that use earlier versions of Mbed TLS, you - need to define MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT to 1, but then you - won't be able to communicate with peers that use the standard (non-draft) - version. If you need to interoperate with both classes of peers with the + of the IETF draft, and was marked experimental and disabled by default. + It is now no longer experimental, and implements the final version from + RFC 9146, which is not interoperable with the draft-05 version. + If you need to communicate with peers that use earlier versions of + Mbed TLS, you need to define MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT to 1, + but then you won't be able to communicate with peers that use the standard + (non-draft) version. + If you need to interoperate with both classes of peers with the same build of Mbed TLS, please let us know about your situation on the mailing list or GitHub. diff --git a/ChangeLog.d/extend-query_compile_time_config-to-psa_want.txt b/ChangeLog.d/extend-query_compile_time_config-to-psa_want.txt index b268fd4f0..99b2ec4ee 100644 --- a/ChangeLog.d/extend-query_compile_time_config-to-psa_want.txt +++ b/ChangeLog.d/extend-query_compile_time_config-to-psa_want.txt @@ -1,2 +1,2 @@ Changes - * Add the ability to query PSA_WANT_xxx macros to query_compile_time_config + * Add the ability to query PSA_WANT_xxx macros to query_compile_time_config. diff --git a/ChangeLog.d/fix_build_error_for_mbedtls_deprecated_removed.txt b/ChangeLog.d/fix_build_error_for_mbedtls_deprecated_removed.txt index a70521a00..f0fa00046 100644 --- a/ChangeLog.d/fix_build_error_for_mbedtls_deprecated_removed.txt +++ b/ChangeLog.d/fix_build_error_for_mbedtls_deprecated_removed.txt @@ -1,3 +1,3 @@ Bugfix - * Fix build error due to missing prototype - warning when MBEDTLS_DEPRECATED_REMOVED is enabled + * Fix a build error due to a missing prototype warning when + MBEDTLS_DEPRECATED_REMOVED is enabled. diff --git a/ChangeLog.d/fix_build_tls1_2_with_single_encryption_type.txt b/ChangeLog.d/fix_build_tls1_2_with_single_encryption_type.txt index bac491026..c7d269142 100644 --- a/ChangeLog.d/fix_build_tls1_2_with_single_encryption_type.txt +++ b/ChangeLog.d/fix_build_tls1_2_with_single_encryption_type.txt @@ -1,4 +1,3 @@ Bugfix - * Fix bugs and missing dependencies when - building and testing configurations with - only one encryption type enabled in TLS 1.2. + * Fix bugs and missing dependencies when building and testing + configurations with only one encryption type enabled in TLS 1.2. diff --git a/ChangeLog.d/fix_cmake_using_iar_toolchain.txt b/ChangeLog.d/fix_cmake_using_iar_toolchain.txt index ecc09c241..9ec6e0d6b 100644 --- a/ChangeLog.d/fix_cmake_using_iar_toolchain.txt +++ b/ChangeLog.d/fix_cmake_using_iar_toolchain.txt @@ -1,3 +1,3 @@ Bugfix - * Fixed an issue that cause compile error using CMake IAR toolchain. + * Fix a compilation error when using CMake with an IAR toolchain. Fixes #5964. diff --git a/ChangeLog.d/fix_tls13_session_resumption_fail_when_hostname_is_not_localhost.txt b/ChangeLog.d/fix_tls13_session_resumption_fail_when_hostname_is_not_localhost.txt index 5797f48e8..9f5c6499d 100644 --- a/ChangeLog.d/fix_tls13_session_resumption_fail_when_hostname_is_not_localhost.txt +++ b/ChangeLog.d/fix_tls13_session_resumption_fail_when_hostname_is_not_localhost.txt @@ -1,4 +1,4 @@ Bugfix - * Fix TLS 1.3 session resumption fail. Fixes #6488. - * Add configuration check to exclude TLS 1.3 optional authentication of - client. + * Fix TLS 1.3 session resumption. Fixes #6488. + * Add a configuration check to exclude optional client authentication + in TLS 1.3 (where it is forbidden). diff --git a/ChangeLog.d/fix_zeroization.txt b/ChangeLog.d/fix_zeroization.txt index ad74d9c59..8b00dcc98 100644 --- a/ChangeLog.d/fix_zeroization.txt +++ b/ChangeLog.d/fix_zeroization.txt @@ -1,3 +1,3 @@ Bugfix - * Fix possible crash in TLS PRF code, if a failure to allocate memory occurs. - Reported by Michael Madsen in #6516. + * Fix a possible null pointer dereference if a memory allocation fails + in TLS PRF code. Reported by Michael Madsen in #6516. diff --git a/ChangeLog.d/mbedtls_asn1_type_free.txt b/ChangeLog.d/mbedtls_asn1_type_free.txt index 81f3a2007..a6792afa1 100644 --- a/ChangeLog.d/mbedtls_asn1_type_free.txt +++ b/ChangeLog.d/mbedtls_asn1_type_free.txt @@ -1,6 +1,6 @@ Features - * Shared code to free x509 structs like mbedtls_x509_named_data + * Shared code to free x509 structs like mbedtls_x509_named_data. New deprecations * Deprecate mbedtls_asn1_free_named_data(). Use mbedtls_asn1_free_named_data_list() - or mbedtls_asn1_free_named_data_list_shallow() + or mbedtls_asn1_free_named_data_list_shallow(). diff --git a/ChangeLog.d/tls13-misc.txt b/ChangeLog.d/tls13-misc.txt index 497ed38d2..b76bb9171 100644 --- a/ChangeLog.d/tls13-misc.txt +++ b/ChangeLog.d/tls13-misc.txt @@ -1,9 +1,8 @@ Features - * Mbed TLS supports TLS 1.3 key establishment via pre-shared keys, + * Mbed TLS now supports TLS 1.3 key establishment via pre-shared keys, pre-shared keys provisioned externally or via the ticket mechanism (session resumption). - The MBEDTLS_SSL_SESSION_TICKETS configuration option controls the support - for the ticket mechanism. - MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_xxx_ENABLED configuration options - have been introduced to control the support for the three possible - TLS 1.3 key exchange modes. + The ticket mechanism is supported when the configuration option + MBEDTLS_SSL_SESSION_TICKETS is enabled. + New options MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_xxx_ENABLED + control the support for the three possible TLS 1.3 key exchange modes. From 6d069afe6b8c251ac2aceae5d204c58daf786ae2 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 29 Nov 2022 22:40:21 +0100 Subject: [PATCH 04/12] Clarify that these two entries are about CMake Signed-off-by: Gilles Peskine --- ChangeLog.d/fix_cmake_gen_files.txt | 4 ++-- ChangeLog.d/fix_hard_link_across_drives.txt | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/ChangeLog.d/fix_cmake_gen_files.txt b/ChangeLog.d/fix_cmake_gen_files.txt index 3b2c09992..e4c0c9f7f 100644 --- a/ChangeLog.d/fix_cmake_gen_files.txt +++ b/ChangeLog.d/fix_cmake_gen_files.txt @@ -1,3 +1,3 @@ Bugfix - * Fix an issue in releases with GEN_FILES turned off whereby missing - generated files could be turned into symlinks to themselves. + * Fix an issue with CMake builds in releases with GEN_FILES turned off, + whereby missing generated files could be turned into symlinks to themselves. diff --git a/ChangeLog.d/fix_hard_link_across_drives.txt b/ChangeLog.d/fix_hard_link_across_drives.txt index 0c55c3038..84d4a522c 100644 --- a/ChangeLog.d/fix_hard_link_across_drives.txt +++ b/ChangeLog.d/fix_hard_link_across_drives.txt @@ -1,3 +1,3 @@ Bugfix - * Fix a build issue on Windows where the source and build directory could not be on - different drives (#5751). + * Fix a build issue on Windows using CMake where the source and build + directory could not be on different drives. Fixes #5751. From 29a56a12510519c1411e312df5761eefc881774f Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 29 Nov 2022 22:47:10 +0100 Subject: [PATCH 05/12] Clarify ASN.1 entry named data free functions Mention the name of the new functions in the "Features" entry. Clarify what they're for (there's no structure called mbedtls_x509_named_data, it's mbedtls_asn1_named_data, but that name isn't so important here since we've mentioned the names of the functions). Signed-off-by: Gilles Peskine --- ChangeLog.d/mbedtls_asn1_type_free.txt | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/ChangeLog.d/mbedtls_asn1_type_free.txt b/ChangeLog.d/mbedtls_asn1_type_free.txt index a6792afa1..3459bbe2d 100644 --- a/ChangeLog.d/mbedtls_asn1_type_free.txt +++ b/ChangeLog.d/mbedtls_asn1_type_free.txt @@ -1,5 +1,7 @@ Features - * Shared code to free x509 structs like mbedtls_x509_named_data. + * The new functions mbedtls_asn1_free_named_data_list() and + mbedtls_asn1_free_named_data_list_shallow() simplify the management + of memory in named data lists in X.509 structures. New deprecations * Deprecate mbedtls_asn1_free_named_data(). Use mbedtls_asn1_free_named_data_list() From 6593c7e1cba6a846906fb01785739d875a3d4e74 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 29 Nov 2022 22:56:35 +0100 Subject: [PATCH 06/12] Clarify PSS sigalg entry If my understanding is correct (to be confirmed in review), this is a new feature which was not particularly desired on its own but was the simplest way to fix an interoperability issue in TLS 1.2 caused accidentally by the work on TLS 1.3. Signed-off-by: Gilles Peskine --- ChangeLog.d/add-rsa-pss-rsae-support-for-tls12.txt | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/ChangeLog.d/add-rsa-pss-rsae-support-for-tls12.txt b/ChangeLog.d/add-rsa-pss-rsae-support-for-tls12.txt index f88eb9ed4..c87c3fbbf 100644 --- a/ChangeLog.d/add-rsa-pss-rsae-support-for-tls12.txt +++ b/ChangeLog.d/add-rsa-pss-rsae-support-for-tls12.txt @@ -1,8 +1,8 @@ Features - * When GnuTLS/Openssl server is configured in TLS 1.2 mode with a certificate - declaring an RSA public key and Mbed TLS is configured in hybrid mode, if - `rsa_pss_rsae_*` algorithms are before `rsa_pkcs1_*` ones in this list then - the GnuTLS/Openssl server chooses an `rsa_pss_rsae_*` signature algorithm - for its signature in the key exchange message. As Mbed TLS 1.2 does not - support them, the handshake fails. Add `rsa_pss_rsae_*` support for TLS 1.2 - to resolve the compitablity issue. + * Support rsa_pss_rsae_* signature algorithms in TLS 1.2. +Bugfix + * Fix an interoperability failure between an Mbed TLS client with both + TLS 1.2 and TLS 1.3 support, and a TLS 1.2 server such as GnuTLS or + OpenSSL that supports rsa_pss_rsae_* signature algorithms. This failed + because Mbed TLS supported PSS only in TLS 1.3, but advertised support + in TLS 1.2 as well. From 5ba1697e8a2fee2be65e631212f8f697386636bc Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 29 Nov 2022 23:00:08 +0100 Subject: [PATCH 07/12] Put behavior change in the correct category "Changes" is for miscellaneous stuff that doesn't affect backward compatibility. Signed-off-by: Gilles Peskine --- ChangeLog.d/dtls-connection-id.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ChangeLog.d/dtls-connection-id.txt b/ChangeLog.d/dtls-connection-id.txt index 0d0a71f29..ccb364ea5 100644 --- a/ChangeLog.d/dtls-connection-id.txt +++ b/ChangeLog.d/dtls-connection-id.txt @@ -3,7 +3,7 @@ Features MBEDTLS_SSL_DTLS_CONNECTION_ID (enabled by default) and configured with mbedtls_ssl_set_cid(). -Changes +Default behavior changes * Previously the macro MBEDTLS_SSL_DTLS_CONNECTION_ID implemented version 05 of the IETF draft, and was marked experimental and disabled by default. It is now no longer experimental, and implements the final version from From 723bee67b21ea2e633b6a21ca60607a34e7fe67c Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 29 Nov 2022 23:06:21 +0100 Subject: [PATCH 08/12] Wrap lines to 79 columns max Signed-off-by: Gilles Peskine --- ChangeLog.d/LMS.txt | 10 +++++----- ChangeLog.d/fix-tls12server-sent-sigalgs.txt | 8 ++++---- ChangeLog.d/fix_cmake_gen_files.txt | 3 ++- 3 files changed, 11 insertions(+), 10 deletions(-) diff --git a/ChangeLog.d/LMS.txt b/ChangeLog.d/LMS.txt index 6de374f86..785bfcf84 100644 --- a/ChangeLog.d/LMS.txt +++ b/ChangeLog.d/LMS.txt @@ -3,9 +3,9 @@ Features Signature verification is production-ready, but generation is for testing purposes only. This currently only supports one parameter set (LMS_SHA256_M32_H10), meaning that each private key can be used to sign - 1024 messages. As such, it is not intended for use in TLS, but instead for - verification of assets transmitted over an insecure channel, particularly - firmware images. + 1024 messages. As such, it is not intended for use in TLS, but instead + for verification of assets transmitted over an insecure channel, + particularly firmware images. * Add the LM-OTS post-quantum-safe one-time signature scheme, which is - required for LMS. This can be used independently, but each key can only be - used to sign one message so is impractical for most circumstances. + required for LMS. This can be used independently, but each key can only + be used to sign one message so is impractical for most circumstances. diff --git a/ChangeLog.d/fix-tls12server-sent-sigalgs.txt b/ChangeLog.d/fix-tls12server-sent-sigalgs.txt index 9abde2b52..d3c9aa1b5 100644 --- a/ChangeLog.d/fix-tls12server-sent-sigalgs.txt +++ b/ChangeLog.d/fix-tls12server-sent-sigalgs.txt @@ -1,5 +1,5 @@ Bugfix - * Fix a bug whereby the the list of signature algorithms sent as part of the - TLS 1.2 server certificate request would get corrupted, meaning the first - algorithm would not get sent and an entry consisting of two random bytes - would be sent instead. Found by Serban Bejan and Dudek Sebastian. + * Fix a bug whereby the the list of signature algorithms sent as part of + the TLS 1.2 server certificate request would get corrupted, meaning the + first algorithm would not get sent and an entry consisting of two random + bytes would be sent instead. Found by Serban Bejan and Dudek Sebastian. diff --git a/ChangeLog.d/fix_cmake_gen_files.txt b/ChangeLog.d/fix_cmake_gen_files.txt index e4c0c9f7f..6e5956af5 100644 --- a/ChangeLog.d/fix_cmake_gen_files.txt +++ b/ChangeLog.d/fix_cmake_gen_files.txt @@ -1,3 +1,4 @@ Bugfix * Fix an issue with CMake builds in releases with GEN_FILES turned off, - whereby missing generated files could be turned into symlinks to themselves. + whereby missing generated files could be turned into symlinks to + themselves. From f3cc9d925f3ee4716409367ef509d1591bc57c73 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 29 Nov 2022 23:18:23 +0100 Subject: [PATCH 09/12] Improve "codegen 1.1" entry "version 1.1 of #5137" is not meaningful to users, only as an internal project milestone. Explain what this means from a user's point of view. Announce the requirement for jsonschema in the proper section, which is "Requirement changes". Mention jinja2 and basic.requirements.txt which had not previously been explicitly mentioned in the changelog. Signed-off-by: Gilles Peskine --- ChangeLog.d/psa_crypto_code_gen_1_1.txt | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) diff --git a/ChangeLog.d/psa_crypto_code_gen_1_1.txt b/ChangeLog.d/psa_crypto_code_gen_1_1.txt index 2c18e6f31..e10a81c9a 100644 --- a/ChangeLog.d/psa_crypto_code_gen_1_1.txt +++ b/ChangeLog.d/psa_crypto_code_gen_1_1.txt @@ -1,6 +1,13 @@ Features - * Brought in PSA code geneneration JSON driver list. - Added auto generated templating support for key management. - Added Support for transparent and opaque keys (import/export/copy). - Included some general JSON validation for the given entry points. - Addresses version 1.1 of #5137. + * The PSA driver wrapper generator generate_driver_wrappers.py now + supports a subset of the driver description language, including + the following entry points: import_key, export_key, export_public_key, + get_builtin_key, copy_key. + +Requirement changes + * When building with PSA drivers using generate_driver_wrappers.py, or + when building the library from the development branch rather than + from a release, the Python module jsonschema is now necessary, in + addition to jinja2. The official list of required Python modules is + maintained in scripts/basic.requirements.txt and may change again + in the future. From afb15206b5cb91a84aa733e8c0a87dd206c83ddd Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 30 Nov 2022 10:37:19 +0100 Subject: [PATCH 10/12] Wording clarification Signed-off-by: Gilles Peskine --- ChangeLog.d/tls13-misc.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/ChangeLog.d/tls13-misc.txt b/ChangeLog.d/tls13-misc.txt index b76bb9171..49ab58994 100644 --- a/ChangeLog.d/tls13-misc.txt +++ b/ChangeLog.d/tls13-misc.txt @@ -1,7 +1,7 @@ Features - * Mbed TLS now supports TLS 1.3 key establishment via pre-shared keys, - pre-shared keys provisioned externally or via the ticket mechanism - (session resumption). + * Mbed TLS now supports TLS 1.3 key establishment via pre-shared keys. + The pre-shared keys can provisioned externally or via the ticket + mechanism (session resumption). The ticket mechanism is supported when the configuration option MBEDTLS_SSL_SESSION_TICKETS is enabled. New options MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_xxx_ENABLED From cf0074b2c8175660f21985cbd0513d2a022e94a3 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 30 Nov 2022 12:07:16 +0100 Subject: [PATCH 11/12] More wording improvements Signed-off-by: Gilles Peskine --- ChangeLog.d/add-rsa-pss-rsae-support-for-tls12.txt | 8 ++++---- ChangeLog.d/dtls-connection-id.txt | 6 +++--- ChangeLog.d/fix-tls12server-sent-sigalgs.txt | 2 +- ChangeLog.d/fix_cmake_gen_files.txt | 6 +++--- 4 files changed, 11 insertions(+), 11 deletions(-) diff --git a/ChangeLog.d/add-rsa-pss-rsae-support-for-tls12.txt b/ChangeLog.d/add-rsa-pss-rsae-support-for-tls12.txt index c87c3fbbf..0d409688e 100644 --- a/ChangeLog.d/add-rsa-pss-rsae-support-for-tls12.txt +++ b/ChangeLog.d/add-rsa-pss-rsae-support-for-tls12.txt @@ -2,7 +2,7 @@ Features * Support rsa_pss_rsae_* signature algorithms in TLS 1.2. Bugfix * Fix an interoperability failure between an Mbed TLS client with both - TLS 1.2 and TLS 1.3 support, and a TLS 1.2 server such as GnuTLS or - OpenSSL that supports rsa_pss_rsae_* signature algorithms. This failed - because Mbed TLS supported PSS only in TLS 1.3, but advertised support - in TLS 1.2 as well. + TLS 1.2 and TLS 1.3 support, and a TLS 1.2 server that supports + rsa_pss_rsae_* signature algorithms. This failed because Mbed TLS + advertised support for PSS in both TLS 1.2 and 1.3, but only + actually supported PSS in TLS 1.3. diff --git a/ChangeLog.d/dtls-connection-id.txt b/ChangeLog.d/dtls-connection-id.txt index ccb364ea5..840f837d8 100644 --- a/ChangeLog.d/dtls-connection-id.txt +++ b/ChangeLog.d/dtls-connection-id.txt @@ -9,9 +9,9 @@ Default behavior changes It is now no longer experimental, and implements the final version from RFC 9146, which is not interoperable with the draft-05 version. If you need to communicate with peers that use earlier versions of - Mbed TLS, you need to define MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT to 1, - but then you won't be able to communicate with peers that use the standard - (non-draft) version. + Mbed TLS, then you need to define MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT + to 1, but then you won't be able to communicate with peers that use the + standard (non-draft) version. If you need to interoperate with both classes of peers with the same build of Mbed TLS, please let us know about your situation on the mailing list or GitHub. diff --git a/ChangeLog.d/fix-tls12server-sent-sigalgs.txt b/ChangeLog.d/fix-tls12server-sent-sigalgs.txt index d3c9aa1b5..b74c6ec20 100644 --- a/ChangeLog.d/fix-tls12server-sent-sigalgs.txt +++ b/ChangeLog.d/fix-tls12server-sent-sigalgs.txt @@ -1,5 +1,5 @@ Bugfix - * Fix a bug whereby the the list of signature algorithms sent as part of + * Fix a bug whereby the list of signature algorithms sent as part of the TLS 1.2 server certificate request would get corrupted, meaning the first algorithm would not get sent and an entry consisting of two random bytes would be sent instead. Found by Serban Bejan and Dudek Sebastian. diff --git a/ChangeLog.d/fix_cmake_gen_files.txt b/ChangeLog.d/fix_cmake_gen_files.txt index 6e5956af5..cdec6e8a6 100644 --- a/ChangeLog.d/fix_cmake_gen_files.txt +++ b/ChangeLog.d/fix_cmake_gen_files.txt @@ -1,4 +1,4 @@ Bugfix - * Fix an issue with CMake builds in releases with GEN_FILES turned off, - whereby missing generated files could be turned into symlinks to - themselves. + * Fix an issue with in-tree CMake builds in releases with GEN_FILES + turned off: if a shipped file was missing from the working directory, + it could be turned into a symbolic link to itself. From 77d3057c6df1b3787c9512b346737ab626955044 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 6 Dec 2022 11:25:09 +0100 Subject: [PATCH 12/12] More grammar fixes Signed-off-by: Gilles Peskine --- ChangeLog.d/fix_hard_link_across_drives.txt | 2 +- ChangeLog.d/tls13-misc.txt | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ChangeLog.d/fix_hard_link_across_drives.txt b/ChangeLog.d/fix_hard_link_across_drives.txt index 84d4a522c..46d05c0cf 100644 --- a/ChangeLog.d/fix_hard_link_across_drives.txt +++ b/ChangeLog.d/fix_hard_link_across_drives.txt @@ -1,3 +1,3 @@ Bugfix * Fix a build issue on Windows using CMake where the source and build - directory could not be on different drives. Fixes #5751. + directories could not be on different drives. Fixes #5751. diff --git a/ChangeLog.d/tls13-misc.txt b/ChangeLog.d/tls13-misc.txt index 49ab58994..673317328 100644 --- a/ChangeLog.d/tls13-misc.txt +++ b/ChangeLog.d/tls13-misc.txt @@ -1,6 +1,6 @@ Features * Mbed TLS now supports TLS 1.3 key establishment via pre-shared keys. - The pre-shared keys can provisioned externally or via the ticket + The pre-shared keys can be provisioned externally or via the ticket mechanism (session resumption). The ticket mechanism is supported when the configuration option MBEDTLS_SSL_SESSION_TICKETS is enabled.