Commit cf46671

Merge pull request #869 from ARMmbed/mbedtls-2.16.12rc0-pr
Mbedtls 2.16.12rc0 pr
2 parents 7b9cd91 + b9f4568 commit cf46671

19 files changed: +73 -68 lines changed

ChangeLog

Lines changed: 55 additions & 0 deletions
@@ -1,5 +1,60 @@
11
mbed TLS ChangeLog (Sorted per branch, date)
22

3+
= mbed TLS 2.16.12 branch released 2021-12-17
4+
5+
Security
6+
* Zeroize several intermediate variables used to calculate the expected
7+
value when verifying a MAC or AEAD tag. This hardens the library in
8+
case the value leaks through a memory disclosure vulnerability. For
9+
example, a memory disclosure vulnerability could have allowed a
10+
man-in-the-middle to inject fake ciphertext into a DTLS connection.
11+
* Fix a double-free that happened after mbedtls_ssl_set_session() or
12+
mbedtls_ssl_get_session() failed with MBEDTLS_ERR_SSL_ALLOC_FAILED
13+
(out of memory). After that, calling mbedtls_ssl_session_free()
14+
and mbedtls_ssl_free() would cause an internal session buffer to
15+
be free()'d twice.
16+
17+
Bugfix
18+
* Stop using reserved identifiers as local variables. Fixes #4630.
19+
* The GNU makefiles invoke python3 in preference to python except on Windows.
20+
The check was accidentally not performed when cross-compiling for Windows
21+
on Linux. Fix this. Fixes #4774.
22+
* Mark basic constraints critical as appropriate. Note that the previous
23+
entry for this fix in the 2.16.10 changelog was in error, and it was not
24+
included in the 2.16.10 release as was stated.
25+
Make 'mbedtls_x509write_crt_set_basic_constraints' consistent with RFC
26+
5280 4.2.1.9 which says: "Conforming CAs MUST include this extension in
27+
all CA certificates that contain public keys used to validate digital
28+
signatures on certificates and MUST mark the extension as critical in
29+
such certificates." Previous to this change, the extension was always
30+
marked as non-critical. This was fixed by #4044.
31+
* Fix missing constraints on x86_64 assembly code for bignum multiplication
32+
that broke some bignum operations with (at least) Clang 12.
33+
Fixes #4116, #4786, #4917.
34+
* Failures of alternative implementations of AES or DES single-block
35+
functions enabled with MBEDTLS_AES_ENCRYPT_ALT, MBEDTLS_AES_DECRYPT_ALT,
36+
MBEDTLS_DES_CRYPT_ECB_ALT or MBEDTLS_DES3_CRYPT_ECB_ALT were ignored.
37+
This does not concern the implementation provided with Mbed TLS,
38+
where this function cannot fail, or full-module replacements with
39+
MBEDTLS_AES_ALT or MBEDTLS_DES_ALT. Reported by Armelle Duboc in #1092.
40+
* Some failures of HMAC operations were ignored. These failures could only
41+
happen with an alternative implementation of the underlying hash module.
42+
* Fix the build of sample programs when neither MBEDTLS_ERROR_C nor
43+
MBEDTLS_ERROR_STRERROR_DUMMY is enabled.
44+
* Fix a bug in mbedtls_gcm_starts() when the bit length of the iv
45+
exceeds 2^32. Fixes #4884.
46+
* Fix the build when no SHA2 module is included. Fixes #4930.
47+
* Fix the build when only the bignum module is included. Fixes #4929.
48+
* Fix a potential invalid pointer dereference and infinite loop bugs in
49+
pkcs12 functions when the password is empty. Fix the documentation to
50+
better describe the inputs to these functions and their possible values.
51+
Fixes #5136.
52+
53+
Changes
54+
* Improve the performance of base64 constant-flow code. The result is still
55+
slower than the original non-constant-flow implementation, but much faster
56+
than the previous constant-flow implementation. Fixes #4814.
57+
358
= mbed TLS 2.16.11 branch released 2021-07-07
459

560
Security
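
Review bot: The pkcs12 entry is filed under Bugfix, but it describes "a potential invalid pointer dereference and infinite loop bugs" triggered by an empty password, which reads as a memory-safety and availability issue. Either move it under Security or say in the entry why the empty-password case cannot be reached with untrusted input. The wording also mixes singular and plural ("a potential ... dereference and ... bugs"). Separately, the mbedtls_gcm_starts() entry says only "Fix a bug" for an IV whose bit length exceeds 2^32; naming the observable effect would let users judge whether data they already processed is affected.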

ChangeLog.d/base64-ranges.txt

Lines changed: 0 additions & 4 deletions
This file was deleted.

ChangeLog.d/bugfix-for-gcm-long-iv-size.txt

Lines changed: 0 additions & 3 deletions
This file was deleted.

ChangeLog.d/build-without-sha.txt

Lines changed: 0 additions & 3 deletions
This file was deleted.

ChangeLog.d/check-return.txt

Lines changed: 0 additions & 10 deletions
This file was deleted.

ChangeLog.d/fix-pkcs12-null-password.txt

Lines changed: 0 additions & 5 deletions
This file was deleted.

ChangeLog.d/issue4630.txt

Lines changed: 0 additions & 2 deletions
This file was deleted.

ChangeLog.d/issue4870.txt

Lines changed: 0 additions & 10 deletions
This file was deleted.

ChangeLog.d/mac-zeroize.txt

Lines changed: 0 additions & 6 deletions
This file was deleted.

ChangeLog.d/makefile-python-windows.txt

Lines changed: 0 additions & 4 deletions
This file was deleted.
