These entries were for different aspects of a new, partially implemented
feature. Therefore we are consolidating them into a single entry for
clarity.
Signed-off-by: Janos Follath <janos.follath@arm.com>
Executed scripts/assemble_changelog.py and manually fixed style where it
diverged from the instructions in ChangeLog.d/00README.md.
Manually added ChangeLog.d/bugfix_PR3405 which didn't have the .txt
extension as prescribed in ChangeLog.d/00README.md and deleted it
afterwards.
Signed-off-by: Janos Follath <janos.follath@arm.com>
Since the server might want to have a different maximum fragment length
for the outgoing messages than the negotiated one - introduce a new way of
computing it. This commit also adds additional ssl-opt.sh tests ensuring
that the maximum fragment lengths are set as expected.
mbedtls_ssl_get_max_frag_len() is now a deprecated function,
being an alias to mbedtls_ssl_get_output_max_frag_len(). The behaviour
of this function is the same as before.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
The MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH build option has been added since
the last release, but there was no entry for it in the ChangeLog.
Signed-off-by: Janos Follath <janos.follath@arm.com>
Section 4.2.8 of RFC 6347 describes how to handle the case of a DTLS client
establishing a new connection using the same UDP quartet as an already active
connection, which we implement under the compile option
MBEDTLS_SSL_DLTS_CLIENT_PORT_REUSE. Relevant excerpts:
[the server] MUST NOT destroy the existing
association until the client has demonstrated reachability either by
completing a cookie exchange or by completing a complete handshake
including delivering a verifiable Finished message.
[...]
The reachability requirement prevents
off-path/blind attackers from destroying associations merely by
sending forged ClientHellos.
Our code chooses to use a cookie exchange for establishing reachability, but
unfortunately that check was effectively removed in a recent refactoring,
which changed what value ssl_handle_possible_reconnect() needs to return in
order for ssl_get_next_record() (introduced in that refactoring) to take the
proper action. Unfortunately, in addition to changing the value, the
refactoring also changed a return statement to an assignment to the ret
variable, causing the function to reach the code for a valid cookie, which
immediately destroys the existing association, effectively bypassing the
cookie verification.
This commit fixes that by immediately returning after sending a
HelloVerifyRequest when a ClientHello without a valid cookie is found. It also
updates the description of the function to reflect the new return value
convention (the refactoring updated the code but not the documentation).
The commit that changed the return value convention (and introduced the bug)
is 2fddd3765e, whose commit message explains the
change.
Note: this bug also indirectly caused the ssl-opt.sh test case "DTLS client
reconnect from same port: reconnect" to occasionally fail due to a race
condition between the reception of the ClientHello carrying a valid cookie and
the closure of the connection by the server after noticing the ClientHello
didn't carry a valid cookie after it incorrectly destroyed the previous
connection, that could cause that ClientHello to be invisible to the server
(if that message reaches the server just before it does `net_close()`). A
welcome side effect of this commit is to remove that race condition, as the
new connection will immediately start with a ClientHello carrying a valid
cookie in the SSL input buffer, so the server will not call `net_close()` and
not risk discarding a better ClientHello that arrived in the meantime.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
See the comments in the code for how an attack would go, and the ChangeLog
entry for an impact assessment. (For ECDSA, leaking a few bits of the scalar
over several signatures translates to full private key recovery using a
lattice attack.)
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
Merge the latest state of the target branch (mbedtls/development) into the
pull request to merge mbed-crypto into mbedtls.
Conflicts:
* ChangeLog: add/add conflict. Resolve by using the usual section order.
Add a changelog entry for an already-released version to indicate when
the crypto submodule became mandatory.
Add a changelog entry for the removal of the crypto submodule.
The contribution from #2663 was split in two: the crypto part was
mereged in 2.19.1 and the x509 part was merged after 2.20.0. Tweak the
wording of the changelog entries to specify which is which.
This reverts commit c0c92fea3d, reversing
changes made to bfc73bcfd2.
stat() will never return S_IFLNK as the file type, as stat() explicitly
follows symlinks.
Fixes#3005.
* iotssl-2652-deprecate-pkcs11:
Group PKCS11_C entries in check_config.h
Clarify that what we're dropping is pkcs11-helper support
Fix typo in doxy docs for ssl_pkcs11_sign()
Add missing docs to PKCS#11 public funcs
Wrap PKCS1 module with DEPRECATED_REMOVED
Fix deprecated docs for PKCS1
Deprecate MBEDTLS_PKCS11_C functions
Add ChangeLog entry for MBEDTLS_PKCS11_C deprecation
Deprecate MBEDTLS_PKCS11_C feature
