Reorder and group sections in the ChangeLog
This commit is contained in:
parent
06b786372c
commit
b060cc21b1
1 changed files with 14 additions and 16 deletions
30
ChangeLog
30
ChangeLog
|
@ -2,6 +2,14 @@ mbed TLS ChangeLog (Sorted per branch, date)
|
||||||
|
|
||||||
= mbed TLS x.x.x branch released xxxx-xx-xx
|
= mbed TLS x.x.x branch released xxxx-xx-xx
|
||||||
|
|
||||||
|
Security
|
||||||
|
* Fix authentication bypass in SSL/TLS: when auth_mode is set to optional,
|
||||||
|
mbedtls_ssl_get_verify_result() would incorrectly return 0 when the peer's
|
||||||
|
X.509 certificate chain had more than MBEDTLS_X509_MAX_INTERMEDIATE_CA
|
||||||
|
(default: 8) intermediates, even when it was not trusted. Could be
|
||||||
|
triggered remotely on both sides. (With auth_mode set to required
|
||||||
|
(default), the handshake was correctly aborted.)
|
||||||
|
|
||||||
Features
|
Features
|
||||||
* Add the functions mbedtls_platform_setup() and mbedtls_platform_teardown()
|
* Add the functions mbedtls_platform_setup() and mbedtls_platform_teardown()
|
||||||
and the context struct mbedtls_platform_context to perform
|
and the context struct mbedtls_platform_context to perform
|
||||||
|
@ -16,6 +24,12 @@ API Changes
|
||||||
qualifier from the functions mbedtls_aes_decrypt, mbedtls_aes_encrypt,
|
qualifier from the functions mbedtls_aes_decrypt, mbedtls_aes_encrypt,
|
||||||
mbedtls_ssl_ciphersuite_uses_ec and mbedtls_ssl_ciphersuite_uses_psk. #978
|
mbedtls_ssl_ciphersuite_uses_ec and mbedtls_ssl_ciphersuite_uses_psk. #978
|
||||||
Found by James Cowgill.
|
Found by James Cowgill.
|
||||||
|
* Certificate verification functions now set flags to -1 in case the full
|
||||||
|
chain was not verified due to an internal error (including in the verify
|
||||||
|
callback) or chain length limitations.
|
||||||
|
* With authmode set to optional, handshake is now aborted if the
|
||||||
|
verification of the peer's certificate failed due to an overlong chain or
|
||||||
|
a fatal error in the vrfy callback.
|
||||||
|
|
||||||
Bugfix
|
Bugfix
|
||||||
* Add a check if iv_len is zero, and return an error if it is zero. reported
|
* Add a check if iv_len is zero, and return an error if it is zero. reported
|
||||||
|
@ -42,22 +56,6 @@ Bugfix
|
||||||
encoded X509 certificates. The overflow would enable maliciously
|
encoded X509 certificates. The overflow would enable maliciously
|
||||||
constructed certificates to bypass the certificate verification check.
|
constructed certificates to bypass the certificate verification check.
|
||||||
|
|
||||||
Security
|
|
||||||
* Fix authentication bypass in SSL/TLS: when auth_mode is set to optional,
|
|
||||||
mbedtls_ssl_get_verify_result() would incorrectly return 0 when the peer's
|
|
||||||
X.509 certificate chain had more than MBEDTLS_X509_MAX_INTERMEDIATE_CA
|
|
||||||
(default: 8) intermediates, even when it was not trusted. Could be
|
|
||||||
triggered remotely on both sides. (With auth_mode set to required
|
|
||||||
(default), the handshake was correctly aborted.)
|
|
||||||
|
|
||||||
API changes
|
|
||||||
* Certificate verification functions now set flags to -1 in case the full
|
|
||||||
chain was not verified due to an internal error (including in the verify
|
|
||||||
callback) or chain length limitations.
|
|
||||||
* With authmode set to optional, handshake is now aborted if the
|
|
||||||
verification of the peer's certificate failed due to an overlong chain or
|
|
||||||
a fatal error in the vrfy callback.
|
|
||||||
|
|
||||||
Changes
|
Changes
|
||||||
* Added config.h option MBEDTLS_NO_UDBL_DIVISION, to prevent the use of
|
* Added config.h option MBEDTLS_NO_UDBL_DIVISION, to prevent the use of
|
||||||
64-bit division. #708
|
64-bit division. #708
|
||||||
|
|
Loading…
Reference in a new issue