Assemble changelog
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
diff --git a/ChangeLog b/ChangeLog
index 89572ca..43d42a7 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,126 @@
mbed TLS ChangeLog (Sorted per branch, date)
+= mbed TLS x.x.x branch released xxxx-xx-xx
+
+API changes
+ * Some fields of mbedtls_ssl_session and mbedtls_ssl_config are in a
+ different order. This only affects applications that define such
+ structures directly or serialize them.
+
+Requirement changes
+ * Sign-magnitude and one's complement representations for signed integers are
+ not supported. Two's complement is the only supported representation.
+
+Removals
+ * Remove config option MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES,
+ which allowed SHA-1 in the default TLS configuration for certificate
+ signing. It was intended to facilitate the transition in environments
+ with SHA-1 certificates. SHA-1 is considered a weak message digest and
+ its use constitutes a security risk.
+ * Remove the partial support for running unit tests via Greentea on Mbed OS,
+ which had been unmaintained since 2018.
+
+Features
+ * The identifier of the CID TLS extension can be configured by defining
+ MBEDTLS_TLS_EXT_CID at compile time.
+ * Warn if errors from certain functions are ignored. This is currently
+ supported on GCC-like compilers and on MSVC and can be configured through
+ the macro MBEDTLS_CHECK_RETURN. The warnings are always enabled
+ (where supported) for critical functions where ignoring the return
+ value is almost always a bug. Enable the new configuration option
+ MBEDTLS_CHECK_RETURN_WARNING to get warnings for other functions. This
+ is currently implemented in the AES, DES and md modules, and will be
+ extended to other modules in the future.
+ * Add missing PSA macros declared by PSA Crypto API 1.0.0:
+ PSA_ALG_IS_SIGN_HASH, PSA_ALG_NONE, PSA_HASH_BLOCK_LENGTH, PSA_KEY_ID_NULL.
+ * Add new API mbedtls_ct_memcmp for constant time buffer comparison.
+ * Add PSA API definition for ARIA.
+
+Security
+ * Zeroize several intermediate variables used to calculate the expected
+ value when verifying a MAC or AEAD tag. This hardens the library in
+ case the value leaks through a memory disclosure vulnerability. For
+ example, a memory disclosure vulnerability could have allowed a
+ man-in-the-middle to inject fake ciphertext into a DTLS connection.
+ * In psa_cipher_generate_iv() and psa_cipher_encrypt(), do not read back
+ from the output buffer. This fixes a potential policy bypass or decryption
+ oracle vulnerability if the output buffer is in memory that is shared with
+ an untrusted application.
+
+Bugfix
+ * Stop using reserved identifiers as local variables. Fixes #4630.
+ * The GNU makefiles invoke python3 in preference to python except on Windows.
+ The check was accidentally not performed when cross-compiling for Windows
+ on Linux. Fix this. Fixes #4774.
+ * Prevent divide by zero if either of PSA_CIPHER_ENCRYPT_OUTPUT_SIZE() or
+ PSA_CIPHER_UPDATE_OUTPUT_SIZE() were called using an asymmetric key type.
+ * Fix a parameter set but unused in psa_crypto_cipher.c. Fixes #4935.
+ * Don't use the obsolete header path sys/fcntl.h in unit tests.
+ These header files cause compilation errors in musl.
+ Fixes #4969.
+ * Fix missing constraints on x86_64 and aarch64 assembly code
+ for bignum multiplication that broke some bignum operations with
+ (at least) Clang 12.
+ Fixes #4116, #4786, #4917, #4962.
+ * Fix mbedtls_cipher_crypt: AES-ECB when MBEDTLS_USE_PSA_CRYPTO is enabled.
+ * Failures of alternative implementations of AES or DES single-block
+ functions enabled with MBEDTLS_AES_ENCRYPT_ALT, MBEDTLS_AES_DECRYPT_ALT,
+ MBEDTLS_DES_CRYPT_ECB_ALT or MBEDTLS_DES3_CRYPT_ECB_ALT were ignored.
+ This does not concern the implementation provided with Mbed TLS,
+ where this function cannot fail, or full-module replacements with
+ MBEDTLS_AES_ALT or MBEDTLS_DES_ALT. Reported by Armelle Duboc in #1092.
+ * Some failures of HMAC operations were ignored. These failures could only
+ happen with an alternative implementation of the underlying hash module.
+ * Fix the error returned by psa_generate_key() for a public key. Fixes #4551.
+ * Fix the build of sample programs when neither MBEDTLS_ERROR_C nor
+ MBEDTLS_ERROR_STRERROR_DUMMY is enabled.
+ * Fix PSA_ALG_RSA_PSS verification accepting an arbitrary salt length.
+ This algorithm now accepts only the same salt length for verification
+ that it produces when signing, as documented. Use the new algorithm
+ PSA_ALG_RSA_PSS_ANY_SALT to accept any salt length. Fixes #4946.
+ * The existing predicate macro name PSA_ALG_IS_HASH_AND_SIGN is now reserved
+ for algorithm values that fully encode the hashing step, as per the PSA
+ Crypto API specification. This excludes PSA_ALG_RSA_PKCS1V15_SIGN_RAW and
+ PSA_ALG_ECDSA_ANY. The new predicate macro PSA_ALG_IS_SIGN_HASH covers
+ all algorithms that can be used with psa_{sign,verify}_hash(), including
+ these two.
+ * Fix issue in Makefile on Linux with SHARED=1, that caused shared libraries
+ not to list other shared libraries they need.
+ * Fix a bug in mbedtls_gcm_starts() when bits of iv are longer than 2^32.
+ * Fix #4884.
+ * Fix an uninitialized variable warning in test_suite_ssl.function with GCC
+ version 11.
+ * Fix the build when no SHA2 module is included. Fixes #4930.
+ * Fix the build when only the bignum module is included. Fixes #4929.
+ * Fix a potential invalid pointer dereference and infinite loop bugs in
+ pkcs12 functions when the password is empty. Fix the documentation to
+ better describe the inputs to these functions and their possible values.
+ Fixes #5136.
+ * Fix a double-free that happened after mbedtls_ssl_set_session() or
+ mbedtls_ssl_get_session() failed with MBEDTLS_ERR_SSL_ALLOC_FAILED
+ (out of memory). After that, calling mbedtls_ssl_session_free()
+ and mbedtls_ssl_free() would cause an internal session buffer to
+ be free()'d twice.
+ * The key usage flags PSA_KEY_USAGE_SIGN_MESSAGE now allows the MAC
+ operations psa_mac_compute() and psa_mac_sign_setup().
+ * The key usage flags PSA_KEY_USAGE_VERIFY_MESSAGE now allows the MAC
+ operations psa_mac_verify() and psa_mac_verify_setup().
+
+Changes
+ * Set config option MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE to be
+ disabled by default.
+ * Improve the performance of base64 constant-flow code. The result is still
+ slower than the original non-constant-flow implementation, but much faster
+ than the previous constant-flow implementation. Fixes #4814.
+ * Indicate in the error returned if the nonce length used with
+ ChaCha20-Poly1305 is invalid, and not just unsupported.
+ * The mbedcrypto library includes a new source code module constant_time.c,
+ containing various functions meant to resist timing side channel attacks.
+ This module does not have a separate configuration option, and functions
+ from this module will be included in the build as required. Currently
+ most of the interface of this module is private and may change at any
+ time.
+
= mbed TLS 2.27.0 branch released 2021-07-07
API changes
diff --git a/ChangeLog.d/aria.txt b/ChangeLog.d/aria.txt
deleted file mode 100644
index 280a7c9..0000000
--- a/ChangeLog.d/aria.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Features
- * Add PSA API definition for ARIA.
-
diff --git a/ChangeLog.d/base64-ranges.txt b/ChangeLog.d/base64-ranges.txt
deleted file mode 100644
index e3f3862..0000000
--- a/ChangeLog.d/base64-ranges.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Changes
- * Improve the performance of base64 constant-flow code. The result is still
- slower than the original non-constant-flow implementation, but much faster
- than the previous constant-flow implementation. Fixes #4814.
diff --git a/ChangeLog.d/bugfix-for-gcm-long-iv-size.txt b/ChangeLog.d/bugfix-for-gcm-long-iv-size.txt
deleted file mode 100644
index c04c4aa..0000000
--- a/ChangeLog.d/bugfix-for-gcm-long-iv-size.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Bugfix
- * Fix a bug in mbedtls_gcm_starts() when bits of iv are longer than 2^32.
- * Fix #4884.
-
diff --git a/ChangeLog.d/build-without-sha.txt b/ChangeLog.d/build-without-sha.txt
deleted file mode 100644
index 78ba276..0000000
--- a/ChangeLog.d/build-without-sha.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Bugfix
- * Fix the build when no SHA2 module is included. Fixes #4930.
- * Fix the build when only the bignum module is included. Fixes #4929.
diff --git a/ChangeLog.d/chacha20-poly1305-invalid-nonce.txt b/ChangeLog.d/chacha20-poly1305-invalid-nonce.txt
deleted file mode 100644
index ca3f9ac..0000000
--- a/ChangeLog.d/chacha20-poly1305-invalid-nonce.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Changes
- * Indicate in the error returned if the nonce length used with
- ChaCha20-Poly1305 is invalid, and not just unsupported.
diff --git a/ChangeLog.d/check-return.txt b/ChangeLog.d/check-return.txt
deleted file mode 100644
index 7d905da..0000000
--- a/ChangeLog.d/check-return.txt
+++ /dev/null
@@ -1,19 +0,0 @@
-Bugfix
- * Failures of alternative implementations of AES or DES single-block
- functions enabled with MBEDTLS_AES_ENCRYPT_ALT, MBEDTLS_AES_DECRYPT_ALT,
- MBEDTLS_DES_CRYPT_ECB_ALT or MBEDTLS_DES3_CRYPT_ECB_ALT were ignored.
- This does not concern the implementation provided with Mbed TLS,
- where this function cannot fail, or full-module replacements with
- MBEDTLS_AES_ALT or MBEDTLS_DES_ALT. Reported by Armelle Duboc in #1092.
- * Some failures of HMAC operations were ignored. These failures could only
- happen with an alternative implementation of the underlying hash module.
-
-Features
- * Warn if errors from certain functions are ignored. This is currently
- supported on GCC-like compilers and on MSVC and can be configured through
- the macro MBEDTLS_CHECK_RETURN. The warnings are always enabled
- (where supported) for critical functions where ignoring the return
- value is almost always a bug. Enable the new configuration option
- MBEDTLS_CHECK_RETURN_WARNING to get warnings for other functions. This
- is currently implemented in the AES, DES and md modules, and will be
- extended to other modules in the future.
diff --git a/ChangeLog.d/constant_time_module.txt b/ChangeLog.d/constant_time_module.txt
deleted file mode 100644
index ebb0b7f..0000000
--- a/ChangeLog.d/constant_time_module.txt
+++ /dev/null
@@ -1,10 +0,0 @@
-Changes
- * The mbedcrypto library includes a new source code module constant_time.c,
- containing various functions meant to resist timing side channel attacks.
- This module does not have a separate configuration option, and functions
- from this module will be included in the build as required. Currently
- most of the interface of this module is private and may change at any
- time.
-
-Features
- * Add new API mbedtls_ct_memcmp for constant time buffer comparison.
diff --git a/ChangeLog.d/do-not-use-obsolete-header.txt b/ChangeLog.d/do-not-use-obsolete-header.txt
deleted file mode 100644
index 9a57ef1..0000000
--- a/ChangeLog.d/do-not-use-obsolete-header.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Bugfix
- * Don't use the obsolete header path sys/fcntl.h in unit tests.
- These header files cause compilation errors in musl.
- Fixes #4969.
-
diff --git a/ChangeLog.d/fix-cipher-iv.txt b/ChangeLog.d/fix-cipher-iv.txt
deleted file mode 100644
index e7af641..0000000
--- a/ChangeLog.d/fix-cipher-iv.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Security
- * In psa_cipher_generate_iv() and psa_cipher_encrypt(), do not read back
- from the output buffer. This fixes a potential policy bypass or decryption
- oracle vulnerability if the output buffer is in memory that is shared with
- an untrusted application.
diff --git a/ChangeLog.d/fix-cipher-output-size-macros.txt b/ChangeLog.d/fix-cipher-output-size-macros.txt
deleted file mode 100644
index 4a4b971..0000000
--- a/ChangeLog.d/fix-cipher-output-size-macros.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Bugfix
- * Prevent divide by zero if either of PSA_CIPHER_ENCRYPT_OUTPUT_SIZE() or
- PSA_CIPHER_UPDATE_OUTPUT_SIZE() were called using an asymmetric key type.
-
diff --git a/ChangeLog.d/fix-mbedtls_cipher_crypt-aes-ecb.txt b/ChangeLog.d/fix-mbedtls_cipher_crypt-aes-ecb.txt
deleted file mode 100644
index 6dc4724..0000000
--- a/ChangeLog.d/fix-mbedtls_cipher_crypt-aes-ecb.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-Bugfix
- * Fix mbedtls_cipher_crypt: AES-ECB when MBEDTLS_USE_PSA_CRYPTO is enabled.
diff --git a/ChangeLog.d/fix-needed-shared-libraries-linux.txt b/ChangeLog.d/fix-needed-shared-libraries-linux.txt
deleted file mode 100644
index 74ad3bc..0000000
--- a/ChangeLog.d/fix-needed-shared-libraries-linux.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Bugfix
- * Fix issue in Makefile on Linux with SHARED=1, that caused shared libraries
- not to list other shared libraries they need.
diff --git a/ChangeLog.d/fix-pkcs12-null-password.txt b/ChangeLog.d/fix-pkcs12-null-password.txt
deleted file mode 100644
index fae8195..0000000
--- a/ChangeLog.d/fix-pkcs12-null-password.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Bugfix
- * Fix a potential invalid pointer dereference and infinite loop bugs in
- pkcs12 functions when the password is empty. Fix the documentation to
- better describe the inputs to these functions and their possible values.
- Fixes #5136.
diff --git a/ChangeLog.d/fix-psa_gen_key-status.txt b/ChangeLog.d/fix-psa_gen_key-status.txt
deleted file mode 100644
index 7860988..0000000
--- a/ChangeLog.d/fix-psa_gen_key-status.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-Bugfix
- * Fix the error returned by psa_generate_key() for a public key. Fixes #4551.
diff --git a/ChangeLog.d/fix-session-copy-bug.txt b/ChangeLog.d/fix-session-copy-bug.txt
deleted file mode 100644
index 46e3d8e..0000000
--- a/ChangeLog.d/fix-session-copy-bug.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-Bugfix
- * Fix a double-free that happened after mbedtls_ssl_set_session() or
- mbedtls_ssl_get_session() failed with MBEDTLS_ERR_SSL_ALLOC_FAILED
- (out of memory). After that, calling mbedtls_ssl_session_free()
- and mbedtls_ssl_free() would cause an internal session buffer to
- be free()'d twice.
diff --git a/ChangeLog.d/fix-sign_verify-message-usage.txt b/ChangeLog.d/fix-sign_verify-message-usage.txt
deleted file mode 100644
index dd326ee..0000000
--- a/ChangeLog.d/fix-sign_verify-message-usage.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Bugfix
- * The key usage flags PSA_KEY_USAGE_SIGN_MESSAGE now allows the MAC
- operations psa_mac_compute() and psa_mac_sign_setup().
- * The key usage flags PSA_KEY_USAGE_VERIFY_MESSAGE now allows the MAC
- operations psa_mac_verify() and psa_mac_verify_setup().
diff --git a/ChangeLog.d/fix_compilation_ssl_tests.txt b/ChangeLog.d/fix_compilation_ssl_tests.txt
deleted file mode 100644
index 202e5c4..0000000
--- a/ChangeLog.d/fix_compilation_ssl_tests.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Bugfix
- * Fix an uninitialized variable warning in test_suite_ssl.function with GCC
- version 11.
diff --git a/ChangeLog.d/issue4630.txt b/ChangeLog.d/issue4630.txt
deleted file mode 100644
index 0bc4b99..0000000
--- a/ChangeLog.d/issue4630.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-Bugfix
- * Stop using reserved identifiers as local variables. Fixes #4630.
diff --git a/ChangeLog.d/mac-zeroize.txt b/ChangeLog.d/mac-zeroize.txt
deleted file mode 100644
index a43e34f..0000000
--- a/ChangeLog.d/mac-zeroize.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-Security
- * Zeroize several intermediate variables used to calculate the expected
- value when verifying a MAC or AEAD tag. This hardens the library in
- case the value leaks through a memory disclosure vulnerability. For
- example, a memory disclosure vulnerability could have allowed a
- man-in-the-middle to inject fake ciphertext into a DTLS connection.
diff --git a/ChangeLog.d/makefile-python-windows.txt b/ChangeLog.d/makefile-python-windows.txt
deleted file mode 100644
index 57ccc1a..0000000
--- a/ChangeLog.d/makefile-python-windows.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Bugfix
- * The GNU makefiles invoke python3 in preference to python except on Windows.
- The check was accidentally not performed when cross-compiling for Windows
- on Linux. Fix this. Fixes #4774.
diff --git a/ChangeLog.d/muladdc-memory.txt b/ChangeLog.d/muladdc-memory.txt
deleted file mode 100644
index 218be5a..0000000
--- a/ChangeLog.d/muladdc-memory.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Bugfix
- * Fix missing constraints on x86_64 and aarch64 assembly code
- for bignum multiplication that broke some bignum operations with
- (at least) Clang 12.
- Fixes #4116, #4786, #4917, #4962.
diff --git a/ChangeLog.d/no-strerror.txt b/ChangeLog.d/no-strerror.txt
deleted file mode 100644
index 69743a8..0000000
--- a/ChangeLog.d/no-strerror.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Bugfix
- * Fix the build of sample programs when neither MBEDTLS_ERROR_C nor
- MBEDTLS_ERROR_STRERROR_DUMMY is enabled.
diff --git a/ChangeLog.d/psa_alg_rsa_pss.txt b/ChangeLog.d/psa_alg_rsa_pss.txt
deleted file mode 100644
index 5c6048f..0000000
--- a/ChangeLog.d/psa_alg_rsa_pss.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Bugfix
- * Fix PSA_ALG_RSA_PSS verification accepting an arbitrary salt length.
- This algorithm now accepts only the same salt length for verification
- that it produces when signing, as documented. Use the new algorithm
- PSA_ALG_RSA_PSS_ANY_SALT to accept any salt length. Fixes #4946.
diff --git a/ChangeLog.d/psa_cipher_update_ecp.txt b/ChangeLog.d/psa_cipher_update_ecp.txt
deleted file mode 100644
index 1c3fbc6..0000000
--- a/ChangeLog.d/psa_cipher_update_ecp.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-Bugfix
- * Fix a parameter set but unused in psa_crypto_cipher.c. Fixes #4935.
diff --git a/ChangeLog.d/psa_crypto_api_macros.txt b/ChangeLog.d/psa_crypto_api_macros.txt
deleted file mode 100644
index ff53e33..0000000
--- a/ChangeLog.d/psa_crypto_api_macros.txt
+++ /dev/null
@@ -1,11 +0,0 @@
-Features
- * Add missing PSA macros declared by PSA Crypto API 1.0.0:
- PSA_ALG_IS_SIGN_HASH, PSA_ALG_NONE, PSA_HASH_BLOCK_LENGTH, PSA_KEY_ID_NULL.
-
-Bugfix
- * The existing predicate macro name PSA_ALG_IS_HASH_AND_SIGN is now reserved
- for algorithm values that fully encode the hashing step, as per the PSA
- Crypto API specification. This excludes PSA_ALG_RSA_PKCS1V15_SIGN_RAW and
- PSA_ALG_ECDSA_ANY. The new predicate macro PSA_ALG_IS_SIGN_HASH covers
- all algorithms that can be used with psa_{sign,verify}_hash(), including
- these two.
diff --git a/ChangeLog.d/remove-greentea-support.txt b/ChangeLog.d/remove-greentea-support.txt
deleted file mode 100644
index af4df4b..0000000
--- a/ChangeLog.d/remove-greentea-support.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Removals
- * Remove the partial support for running unit tests via Greentea on Mbed OS,
- which had been unmaintained since 2018.
diff --git a/ChangeLog.d/remove_default_alllow_sha1.txt b/ChangeLog.d/remove_default_alllow_sha1.txt
deleted file mode 100644
index 9ec10cf..0000000
--- a/ChangeLog.d/remove_default_alllow_sha1.txt
+++ /dev/null
@@ -1,10 +0,0 @@
-Removals
- * Remove config option MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES,
- which allowed SHA-1 in the default TLS configuration for certificate
- signing. It was intended to facilitate the transition in environments
- with SHA-1 certificates. SHA-1 is considered a weak message digest and
- its use constitutes a security risk.
-
-Changes
- * Set config option MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE to be
- disabled by default.
diff --git a/ChangeLog.d/semi-public-structure-fields.txt b/ChangeLog.d/semi-public-structure-fields.txt
deleted file mode 100644
index 802f8de..0000000
--- a/ChangeLog.d/semi-public-structure-fields.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-API changes
- * Some fields of mbedtls_ssl_session and mbedtls_ssl_config are in a
- different order. This only affects applications that define such
- structures directly or serialize them.
-
diff --git a/ChangeLog.d/tls_ext_cid-config.txt b/ChangeLog.d/tls_ext_cid-config.txt
deleted file mode 100644
index b7b1e72..0000000
--- a/ChangeLog.d/tls_ext_cid-config.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Features
- * The identifier of the CID TLS extension can be configured by defining
- MBEDTLS_TLS_EXT_CID at compile time.
diff --git a/ChangeLog.d/twos_complement_representation.txt b/ChangeLog.d/twos_complement_representation.txt
deleted file mode 100644
index fa49859..0000000
--- a/ChangeLog.d/twos_complement_representation.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Requirement changes
- * Sign-magnitude and one's complement representations for signed integers are
- not supported. Two's complement is the only supported representation.