Reorder and group sections in the ChangeLog

This commit is contained in:
Simon Butcher 2017-07-28 01:04:34 +01:00
parent 06b786372c
commit b060cc21b1

View file

@ -2,6 +2,14 @@ mbed TLS ChangeLog (Sorted per branch, date)
= mbed TLS x.x.x branch released xxxx-xx-xx = mbed TLS x.x.x branch released xxxx-xx-xx
Security
* Fix authentication bypass in SSL/TLS: when auth_mode is set to optional,
mbedtls_ssl_get_verify_result() would incorrectly return 0 when the peer's
X.509 certificate chain had more than MBEDTLS_X509_MAX_INTERMEDIATE_CA
(default: 8) intermediates, even when it was not trusted. Could be
triggered remotely on both sides. (With auth_mode set to required
(default), the handshake was correctly aborted.)
Features Features
* Add the functions mbedtls_platform_setup() and mbedtls_platform_teardown() * Add the functions mbedtls_platform_setup() and mbedtls_platform_teardown()
and the context struct mbedtls_platform_context to perform and the context struct mbedtls_platform_context to perform
@ -16,6 +24,12 @@ API Changes
qualifier from the functions mbedtls_aes_decrypt, mbedtls_aes_encrypt, qualifier from the functions mbedtls_aes_decrypt, mbedtls_aes_encrypt,
mbedtls_ssl_ciphersuite_uses_ec and mbedtls_ssl_ciphersuite_uses_psk. #978 mbedtls_ssl_ciphersuite_uses_ec and mbedtls_ssl_ciphersuite_uses_psk. #978
Found by James Cowgill. Found by James Cowgill.
* Certificate verification functions now set flags to -1 in case the full
chain was not verified due to an internal error (including in the verify
callback) or chain length limitations.
* With authmode set to optional, handshake is now aborted if the
verification of the peer's certificate failed due to an overlong chain or
a fatal error in the vrfy callback.
Bugfix Bugfix
* Add a check if iv_len is zero, and return an error if it is zero. reported * Add a check if iv_len is zero, and return an error if it is zero. reported
@ -42,22 +56,6 @@ Bugfix
encoded X509 certificates. The overflow would enable maliciously encoded X509 certificates. The overflow would enable maliciously
constructed certificates to bypass the certificate verification check. constructed certificates to bypass the certificate verification check.
Security
* Fix authentication bypass in SSL/TLS: when auth_mode is set to optional,
mbedtls_ssl_get_verify_result() would incorrectly return 0 when the peer's
X.509 certificate chain had more than MBEDTLS_X509_MAX_INTERMEDIATE_CA
(default: 8) intermediates, even when it was not trusted. Could be
triggered remotely on both sides. (With auth_mode set to required
(default), the handshake was correctly aborted.)
API changes
* Certificate verification functions now set flags to -1 in case the full
chain was not verified due to an internal error (including in the verify
callback) or chain length limitations.
* With authmode set to optional, handshake is now aborted if the
verification of the peer's certificate failed due to an overlong chain or
a fatal error in the vrfy callback.
Changes Changes
* Added config.h option MBEDTLS_NO_UDBL_DIVISION, to prevent the use of * Added config.h option MBEDTLS_NO_UDBL_DIVISION, to prevent the use of
64-bit division. #708 64-bit division. #708