Assemble Changelog for 3.4.0 release

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
diff --git a/ChangeLog b/ChangeLog
index 639c8e9..9b30aff 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,216 @@
 Mbed TLS ChangeLog (Sorted per branch, date)
 
+= Mbed TLS 3.4.0 branch released 2023-03-28
+
+Default behavior changes
+   * The default priority order of TLS 1.3 cipher suites has been modified to
+     follow the same rules as the TLS 1.2 cipher suites (see
+     ssl_ciphersuites.c). The preferred cipher suite is now
+     TLS_CHACHA20_POLY1305_SHA256.
+
+New deprecations
+   * mbedtls_x509write_crt_set_serial() is now being deprecated in favor of
+     mbedtls_x509write_crt_set_serial_raw(). The goal here is to remove any
+     direct dependency of X509 on BIGNUM_C.
+   * PSA to mbedtls error translation is now unified in psa_util.h,
+     deprecating mbedtls_md_error_from_psa. Each file that performs error
+     translation should define its own version of PSA_TO_MBEDTLS_ERR,
+     optionally providing file-specific error pairs. Please see psa_util.h for
+     more details.
+
+Features
+   * Added partial support for parsing the PKCS #7 Cryptographic Message
+     Syntax, as defined in RFC 2315. Currently, support is limited to the
+     following:
+     - Only the signed-data content type, version 1 is supported.
+     - Only DER encoding is supported.
+     - Only a single digest algorithm per message is supported.
+     - Certificates must be in X.509 format. A message must have either 0
+       or 1 certificates.
+     - There is no support for certificate revocation lists.
+     - The authenticated and unauthenticated attribute fields of SignerInfo
+       must be empty.
+     Many thanks to Daniel Axtens, Nayna Jain, and Nick Child from IBM for
+     contributing this feature, and to Demi-Marie Obenour for contributing
+     various improvements, tests and bug fixes.
+   * General performance improvements by accessing multiple bytes at a time.
+     Fixes #1666.
+   * Improvements to use of unaligned and byte-swapped memory, reducing code
+     size and improving performance (depending on compiler and target
+     architecture).
+   * Add support for reading points in compressed format
+     (MBEDTLS_ECP_PF_COMPRESSED) with mbedtls_ecp_point_read_binary()
+     (and callers) for Short Weierstrass curves with prime p where p = 3 mod 4
+     (all mbedtls MBEDTLS_ECP_DP_SECP* and MBEDTLS_ECP_DP_BP* curves
+      except MBEDTLS_ECP_DP_SECP224R1 and MBEDTLS_ECP_DP_SECP224K1)
+   * SHA224_C/SHA384_C are now independent from SHA384_C/SHA512_C respectively.
+     This helps in saving code size when some of the above hashes are not
+     required.
+   * Add parsing of V3 extensions (key usage, Netscape cert-type,
+     Subject Alternative Names) in x509 Certificate Sign Requests.
+   * Use HOSTCC (if it is set) when compiling C code during generation of the
+     configuration-independent files. This allows them to be generated when
+     CC is set for cross compilation.
+   * Add parsing of uniformResourceIdentifier subtype for subjectAltName
+     extension in x509 certificates.
+   * Add an interruptible version of sign and verify hash to the PSA interface,
+     backed by internal library support for ECDSA signing and verification.
+   * Add parsing of rfc822Name subtype for subjectAltName
+     extension in x509 certificates.
+   * The configuration macros MBEDTLS_PSA_CRYPTO_PLATFORM_FILE and
+     MBEDTLS_PSA_CRYPTO_STRUCT_FILE specify alternative locations for
+     the headers "psa/crypto_platform.h" and "psa/crypto_struct.h".
+   * When a PSA driver for ECDSA is present, it is now possible to disable
+     MBEDTLS_ECDSA_C in the build in order to save code size. For PK, X.509
+     and TLS to fully work, this requires MBEDTLS_USE_PSA_CRYPTO to be enabled.
+     Restartable/interruptible ECDSA operations in PK, X.509 and TLS are not
+     supported in those builds yet, as driver support for interruptible ECDSA
+     operations is not present yet.
+   * Add a driver dispatch layer for EC J-PAKE, enabling alternative
+     implementations of EC J-PAKE through the driver entry points.
+   * Add new API mbedtls_ssl_cache_remove for cache entry removal by
+     its session id.
+   * Add support to include the SubjectAltName extension to a CSR.
+   * Add support for AES with the Armv8-A Cryptographic Extension on
+     64-bit Arm. A new configuration option, MBEDTLS_AESCE_C, can
+     be used to enable this feature. Run-time detection is supported
+     under Linux only.
+   * When a PSA driver for EC J-PAKE is present, it is now possible to disable
+     MBEDTLS_ECJPAKE_C in the build in order to save code size. For the
+     corresponding TLS 1.2 key exchange to work, MBEDTLS_USE_PSA_CRYPTO needs
+     to be enabled.
+   * Add functions mbedtls_rsa_get_padding_mode() and mbedtls_rsa_get_md_alg()
+     to read non-public fields for padding mode and hash id from
+     an mbedtls_rsa_context, as requested in #6917.
+   * AES-NI is now supported with Visual Studio.
+   * AES-NI is now supported in 32-bit builds, or when MBEDTLS_HAVE_ASM
+     is disabled, when compiling with GCC or Clang or a compatible compiler
+     for a target CPU that supports the requisite instructions (for example
+     gcc -m32 -msse2 -maes -mpclmul). (Generic x86 builds with GCC-like
+     compilers still require MBEDTLS_HAVE_ASM and a 64-bit target.)
+   * It is now possible to use a PSA-held (opaque) password with the TLS 1.2
+     ECJPAKE key exchange, using the new API function
+     mbedtls_ssl_set_hs_ecjpake_password_opaque().
+
+Security
+   * Use platform-provided secure zeroization function where possible, such as
+     explicit_bzero().
+   * Zeroize SSL cache entries when they are freed.
+   * Fix a potential heap buffer overread in TLS 1.3 client-side when
+     MBEDTLS_DEBUG_C is enabled. This may result in an application crash.
+   * Add support for AES with the Armv8-A Cryptographic Extension on 64-bit
+     Arm, so that these systems are no longer vulnerable to timing side-channel
+     attacks. This is configured by MBEDTLS_AESCE_C, which is on by default.
+     Reported by Demi Marie Obenour.
+   * MBEDTLS_AESNI_C, which is enabled by default, was silently ignored on
+     builds that couldn't compile the GCC-style assembly implementation
+     (most notably builds with Visual Studio), leaving them vulnerable to
+     timing side-channel attacks. There is now an intrinsics-based AES-NI
+     implementation as a fallback for when the assembly one cannot be used.
+
+Bugfix
+   * Fix possible integer overflow in mbedtls_timing_hardclock(), which
+     could cause a crash in programs/test/benchmark.
+   * Fix IAR compiler warnings. Fixes #6924.
+   * Fix a bug in the build where directory names containing spaces were
+     causing generate_errors.pl to error out resulting in a build failure.
+     Fixes issue #6879.
+   * In TLS 1.3, when using a ticket for session resumption, tweak its age
+     calculation on the client side. It prevents a server with more accurate
+     ticket timestamps (typically timestamps in milliseconds) compared to the
+     Mbed TLS ticket timestamps (in seconds) to compute a ticket age smaller
+     than the age computed and transmitted by the client and thus potentially
+     reject the ticket. Fix #6623.
+   * Fix compile error where MBEDTLS_RSA_C and MBEDTLS_X509_CRT_WRITE_C are
+     defined, but MBEDTLS_PK_RSA_ALT_SUPPORT is not defined. Fixes #3174.
+   * List PSA_WANT_ALG_CCM_STAR_NO_TAG in psa/crypto_config.h so that it can
+     be toggled with config.py.
+   * The key derivation algorithm PSA_ALG_TLS12_ECJPAKE_TO_PMS cannot be
+     used on a shared secret from a key agreement since its input must be
+     an ECC public key. Reject this properly.
+   * mbedtls_x509write_crt_set_serial() now explicitly rejects serial numbers
+     whose binary representation is longer than 20 bytes. This was already
+     forbidden by the standard (RFC5280 - section 4.1.2.2) and now it's being
+     enforced also at code level.
+   * Fix potential undefined behavior in mbedtls_mpi_sub_abs().  Reported by
+     Pascal Cuoq using TrustInSoft Analyzer in #6701; observed independently by
+     Aaron Ucko under Valgrind.
+   * Fix behavior of certain sample programs which could, when run with no
+     arguments, access uninitialized memory in some cases. Fixes #6700 (which
+     was found by TrustInSoft Analyzer during REDOCS'22) and #1120.
+   * Fix parsing of X.509 SubjectAlternativeName extension. Previously,
+     malformed alternative name components were not caught during initial
+     certificate parsing, but only on subsequent calls to
+     mbedtls_x509_parse_subject_alt_name(). Fixes #2838.
+   * Make the fields of mbedtls_pk_rsassa_pss_options public. This makes it
+     possible to verify RSA PSS signatures with the pk module, which was
+     inadvertently broken since Mbed TLS 3.0.
+   * Fix bug in conversion from OID to string in
+     mbedtls_oid_get_numeric_string(). OIDs such as 2.40.0.25 are now printed
+     correctly.
+   * Reject OIDs with overlong-encoded subidentifiers when converting
+     them to a string.
+   * Reject OIDs with subidentifier values exceeding UINT_MAX.  Such
+     subidentifiers can be valid, but Mbed TLS cannot currently handle them.
+   * Reject OIDs that have unterminated subidentifiers, or (equivalently)
+     have the most-significant bit set in their last byte.
+   * Silence warnings from clang -Wdocumentation about empty \retval
+     descriptions, which started appearing with Clang 15. Fixes #6960.
+   * Fix the handling of renegotiation attempts in TLS 1.3. They are now
+     systematically rejected.
+   * Fix an unused-variable warning in TLS 1.3-only builds if
+     MBEDTLS_SSL_RENEGOTIATION was enabled. Fixes #6200.
+   * Fix undefined behavior in mbedtls_ssl_read() and mbedtls_ssl_write() if
+     len argument is 0 and buffer is NULL.
+   * Allow setting user and peer identifiers for EC J-PAKE operation
+     instead of role in PAKE PSA Crypto API as described in the specification.
+     This is a partial fix that allows only "client" and "server" identifiers.
+   * Fix a compilation error when PSA Crypto is built with support for
+     TLS12_PRF but not TLS12_PSK_TO_MS. Reported by joerchan in #7125.
+   * In the TLS 1.3 server, select the preferred client cipher suite, not the
+     least preferred. The selection error was introduced in Mbed TLS 3.3.0.
+   * Fix TLS 1.3 session resumption when the established pre-shared key is
+     384 bits long. That is the length of pre-shared keys created under a
+     session where the cipher suite is TLS_AES_256_GCM_SHA384.
+   * Fix an issue when compiling with MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT
+     enabled, which required specifying compiler flags enabling SHA3 Crypto
+     Extensions, where some compilers would emit EOR3 instructions in other
+     modules, which would then fail if run on a CPU without the SHA3
+     extensions. Fixes #5758.
+
+Changes
+   * Install the .cmake files into CMAKE_INSTALL_LIBDIR/cmake/MbedTLS,
+     typically /usr/lib/cmake/MbedTLS.
+   * Mixed-endian systems are explicitly not supported any more.
+   * When MBEDTLS_USE_PSA_CRYPTO and MBEDTLS_ECDSA_DETERMINISTIC are both
+     defined, mbedtls_pk_sign() now use deterministic ECDSA for ECDSA
+     signatures. This aligns the behaviour with MBEDTLS_USE_PSA_CRYPTO to
+     the behaviour without it, where deterministic ECDSA was already used.
+   * Visual Studio: Rename the directory containing Visual Studio files from
+     visualc/VS2010 to visualc/VS2013 as we do not support building with versions
+     older than 2013. Update the solution file to specify VS2013 as a minimum.
+   * programs/x509/cert_write:
+     - now it accepts the serial number in 2 different formats: decimal and
+       hex. They cannot be used simultaneously
+     - "serial" is used for the decimal format and it's limted in size to
+       unsigned long long int
+     - "serial_hex" is used for the hex format; max length here is
+       MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN*2
+   * The C code follows a new coding style. This is transparent for users but
+     affects contributors and maintainers of local patches. For more
+     information, see
+     https://mbed-tls.readthedocs.io/en/latest/kb/how-to/rewrite-branch-for-coding-style/
+   * Changed the default MBEDTLS_ECP_WINDOW_SIZE from 6 to 2.
+     As tested in issue 6790, the correlation between this define and
+     RSA decryption performance has changed lately due to security fixes.
+     To fix the performance degradation when using default values the
+     window was reduced from 6 to 2, a value that gives the best or close
+     to best results when tested on Cortex-M4 and Intel i7.
+   * When enabling MBEDTLS_SHA256_USE_A64_CRYPTO_* or
+     MBEDTLS_SHA512_USE_A64_CRYPTO_*, it is no longer necessary to specify
+     compiler target flags on the command line; the library now sets target
+     options within the appropriate modules.
+
 = Mbed TLS 3.3.0 branch released 2022-12-14
 
 Default behavior changes
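Review bot: the Features entry "SHA224_C/SHA384_C are now independent from SHA384_C/SHA512_C respectively." reads wrong on its face (SHA224 made independent of SHA384?) and disagrees with the name of the fragment it was assembled from, ChangeLog.d/make_sha224_sha384_independent_from_sha256_sha512.txt, deleted later in this patch; please check whether "SHA256_C/SHA512_C" was intended before this text is frozen into the release. Two smaller items are carried over verbatim from the fragments and could be fixed here: "limted in size to unsigned long long int" under programs/x509/cert_write should be "limited", and "mbedtls_pk_sign() now use deterministic ECDSA" should be "now uses". The two Armv8-A AES entries also describe MBEDTLS_AESCE_C differently: the Features entry says the option "can be used to enable this feature" while the Security entry says it "is on by default"; aligning the wording (for example "is enabled by default") would avoid readers concluding they need to turn it on by hand.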
diff --git a/ChangeLog.d/add-cache-remove-api.txt b/ChangeLog.d/add-cache-remove-api.txt
deleted file mode 100644
index 950ff97..0000000
--- a/ChangeLog.d/add-cache-remove-api.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Features
-   * Add new API mbedtls_ssl_cache_remove for cache entry removal by
-     its session id.
-Security
-   * Zeroize SSL cache entries when they are freed.
diff --git a/ChangeLog.d/add-uri-san.txt b/ChangeLog.d/add-uri-san.txt
deleted file mode 100644
index 5184e8f..0000000
--- a/ChangeLog.d/add-uri-san.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Features
-   * Add parsing of uniformResourceIdentifier subtype for subjectAltName
-     extension in x509 certificates.
diff --git a/ChangeLog.d/add_interruptible_sign_hash.txt b/ChangeLog.d/add_interruptible_sign_hash.txt
deleted file mode 100644
index 3d93303..0000000
--- a/ChangeLog.d/add_interruptible_sign_hash.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Features
-   * Add an interruptible version of sign and verify hash to the PSA interface,
-     backed by internal library support for ECDSA signing and verification.
-
-
diff --git a/ChangeLog.d/aes-ce-security-notice.txt b/ChangeLog.d/aes-ce-security-notice.txt
deleted file mode 100644
index 27f8f80..0000000
--- a/ChangeLog.d/aes-ce-security-notice.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Security
-   * Add support for AES with the Armv8-A Cryptographic Extension on 64-bit
-     Arm, so that these systems are no longer vulnerable to timing side-channel
-     attacks. This is configured by MBEDTLS_AESCE_C, which is on by default.
-     Reported by Demi Marie Obenour.
diff --git a/ChangeLog.d/aes-ni-security-notice.txt b/ChangeLog.d/aes-ni-security-notice.txt
deleted file mode 100644
index ccf8c9a..0000000
--- a/ChangeLog.d/aes-ni-security-notice.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-Security
-   * MBEDTLS_AESNI_C, which is enabled by default, was silently ignored on
-     builds that couldn't compile the GCC-style assembly implementation
-     (most notably builds with Visual Studio), leaving them vulnerable to
-     timing side-channel attacks. There is now an intrinsics-based AES-NI
-     implementation as a fallback for when the assembly one cannot be used.
diff --git a/ChangeLog.d/aesni.txt b/ChangeLog.d/aesni.txt
deleted file mode 100644
index 2d90a6e..0000000
--- a/ChangeLog.d/aesni.txt
+++ /dev/null
@@ -1,7 +0,0 @@
-Features
-   * AES-NI is now supported with Visual Studio.
-   * AES-NI is now supported in 32-bit builds, or when MBEDTLS_HAVE_ASM
-     is disabled, when compiling with GCC or Clang or a compatible compiler
-     for a target CPU that supports the requisite instructions (for example
-     gcc -m32 -msse2 -maes -mpclmul). (Generic x86 builds with GCC-like
-     compilers still require MBEDTLS_HAVE_ASM and a 64-bit target.)
diff --git a/ChangeLog.d/alignment-perf.txt b/ChangeLog.d/alignment-perf.txt
deleted file mode 100644
index 7a8e6fb..0000000
--- a/ChangeLog.d/alignment-perf.txt
+++ /dev/null
@@ -1,8 +0,0 @@
-Features
-   * General performance improvements by accessing multiple bytes at a time.
-     Fixes #1666.
-   * Improvements to use of unaligned and byte-swapped memory, reducing code
-     size and improving performance (depending on compiler and target
-     architecture).
-Changes
-   * Mixed-endian systems are explicitly not supported any more.
diff --git a/ChangeLog.d/armv8-aes.txt b/ChangeLog.d/armv8-aes.txt
deleted file mode 100644
index 37d3479..0000000
--- a/ChangeLog.d/armv8-aes.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Features
-   * Add support for AES with the Armv8-A Cryptographic Extension on
-     64-bit Arm. A new configuration option, MBEDTLS_AESCE_C, can
-     be used to enable this feature. Run-time detection is supported
-     under Linux only.
diff --git a/ChangeLog.d/c-build-helper-hostcc.txt b/ChangeLog.d/c-build-helper-hostcc.txt
deleted file mode 100644
index 86182c3..0000000
--- a/ChangeLog.d/c-build-helper-hostcc.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Features
-   * Use HOSTCC (if it is set) when compiling C code during generation of the
-     configuration-independent files. This allows them to be generated when
-     CC is set for cross compilation.
diff --git a/ChangeLog.d/changelog-6567-psa_key_derivation_abort-no-other_secret.txt b/ChangeLog.d/changelog-6567-psa_key_derivation_abort-no-other_secret.txt
deleted file mode 100644
index 8fcc18b..0000000
--- a/ChangeLog.d/changelog-6567-psa_key_derivation_abort-no-other_secret.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Bugfix
-   * Fix a compilation error when PSA Crypto is built with support for
-     TLS12_PRF but not TLS12_PSK_TO_MS. Reported by joerchan in #7125.
diff --git a/ChangeLog.d/cmake-install.txt b/ChangeLog.d/cmake-install.txt
deleted file mode 100644
index d8eb72e..0000000
--- a/ChangeLog.d/cmake-install.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Changes
-  * Install the .cmake files into CMAKE_INSTALL_LIBDIR/cmake/MbedTLS,
-    typically /usr/lib/cmake/MbedTLS.
diff --git a/ChangeLog.d/coding-style.txt b/ChangeLog.d/coding-style.txt
deleted file mode 100644
index b2cff5c..0000000
--- a/ChangeLog.d/coding-style.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Changes
-   * The C code follows a new coding style. This is transparent for users but
-     affects contributors and maintainers of local patches. For more
-     information, see
-     https://mbed-tls.readthedocs.io/en/latest/kb/how-to/rewrite-branch-for-coding-style/
diff --git a/ChangeLog.d/conditionalize-mbedtls_mpi_sub_abs-memcpy.txt b/ChangeLog.d/conditionalize-mbedtls_mpi_sub_abs-memcpy.txt
deleted file mode 100644
index 0a90721..0000000
--- a/ChangeLog.d/conditionalize-mbedtls_mpi_sub_abs-memcpy.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Bugfix
-   * Fix potential undefined behavior in mbedtls_mpi_sub_abs().  Reported by
-     Pascal Cuoq using TrustInSoft Analyzer in #6701; observed independently by
-     Aaron Ucko under Valgrind.
diff --git a/ChangeLog.d/crypto_config_ccm_star.txt b/ChangeLog.d/crypto_config_ccm_star.txt
deleted file mode 100644
index 947014a..0000000
--- a/ChangeLog.d/crypto_config_ccm_star.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Bugfix
-   * List PSA_WANT_ALG_CCM_STAR_NO_TAG in psa/crypto_config.h so that it can
-     be toggled with config.py.
diff --git a/ChangeLog.d/csr_v3_extensions.txt b/ChangeLog.d/csr_v3_extensions.txt
deleted file mode 100644
index 9274017..0000000
--- a/ChangeLog.d/csr_v3_extensions.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Features
-   * Add parsing of V3 extensions (key usage, Netscape cert-type,
-     Subject Alternative Names) in x509 Certificate Sign Requests.
diff --git a/ChangeLog.d/driver-only-ecdsa.txt b/ChangeLog.d/driver-only-ecdsa.txt
deleted file mode 100644
index 645a723..0000000
--- a/ChangeLog.d/driver-only-ecdsa.txt
+++ /dev/null
@@ -1,7 +0,0 @@
-Features
-   * When a PSA driver for ECDSA is present, it is now possible to disable
-     MBEDTLS_ECDSA_C in the build in order to save code size. For PK, X.509
-     and TLS to fully work, this requires MBEDTLS_USE_PSA_CRYPTO to be enabled.
-     Restartable/interruptible ECDSA operations in PK, X.509 and TLS are not
-     supported in those builds yet, as driver support for interruptible ECDSA
-     operations is not present yet.
diff --git a/ChangeLog.d/driver-only-ecjpake.txt b/ChangeLog.d/driver-only-ecjpake.txt
deleted file mode 100644
index 706f304..0000000
--- a/ChangeLog.d/driver-only-ecjpake.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Features
-   * When a PSA driver for EC J-PAKE is present, it is now possible to disable
-     MBEDTLS_ECJPAKE_C in the build in order to save code size. For the
-     corresponding TLS 1.2 key exchange to work, MBEDTLS_USE_PSA_CRYPTO needs
-     to be enabled.
diff --git a/ChangeLog.d/ec_jpake_driver_dispatch.txt b/ChangeLog.d/ec_jpake_driver_dispatch.txt
deleted file mode 100644
index 3439296..0000000
--- a/ChangeLog.d/ec_jpake_driver_dispatch.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Features
-   * Add a driver dispatch layer for EC J-PAKE, enabling alternative
-     implementations of EC J-PAKE through the driver entry points.
diff --git a/ChangeLog.d/empty-retval-description.txt b/ChangeLog.d/empty-retval-description.txt
deleted file mode 100644
index 491adf5..0000000
--- a/ChangeLog.d/empty-retval-description.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Bugfix
-   * Silence warnings from clang -Wdocumentation about empty \retval
-     descriptions, which started appearing with Clang 15. Fixes #6960.
diff --git a/ChangeLog.d/enable_opaque_ECJPAKE_key_exchange.txt b/ChangeLog.d/enable_opaque_ECJPAKE_key_exchange.txt
deleted file mode 100644
index aa1332f..0000000
--- a/ChangeLog.d/enable_opaque_ECJPAKE_key_exchange.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Features
-   * It is now possible to use a PSA-held (opaque) password with the TLS 1.2
-     ECJPAKE key exchange, using the new API function
-     mbedtls_ssl_set_hs_ecjpake_password_opaque().
diff --git a/ChangeLog.d/fix-example-programs-no-args.txt b/ChangeLog.d/fix-example-programs-no-args.txt
deleted file mode 100644
index 57fe37a..0000000
--- a/ChangeLog.d/fix-example-programs-no-args.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Bugfix
-   * Fix behavior of certain sample programs which could, when run with no
-     arguments, access uninitialized memory in some cases. Fixes #6700 (which
-     was found by TrustInSoft Analyzer during REDOCS'22) and #1120.
diff --git a/ChangeLog.d/fix-gettimeofday-overflow.txt b/ChangeLog.d/fix-gettimeofday-overflow.txt
deleted file mode 100644
index b7e10d2..0000000
--- a/ChangeLog.d/fix-gettimeofday-overflow.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Bugfix
-   * Fix possible integer overflow in mbedtls_timing_hardclock(), which
-     could cause a crash in programs/test/benchmark.
diff --git a/ChangeLog.d/fix-iar-warnings.txt b/ChangeLog.d/fix-iar-warnings.txt
deleted file mode 100644
index 8a30132..0000000
--- a/ChangeLog.d/fix-iar-warnings.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-Bugfix
-   * Fix IAR compiler warnings. Fixes #6924.
diff --git a/ChangeLog.d/fix-jpake-user-peer.txt b/ChangeLog.d/fix-jpake-user-peer.txt
deleted file mode 100644
index e027fc3..0000000
--- a/ChangeLog.d/fix-jpake-user-peer.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Bugfix
-   * Allow setting user and peer identifiers for EC J-PAKE operation
-     instead of role in PAKE PSA Crypto API as described in the specification.
-     This is a partial fix that allows only "client" and "server" identifiers.
diff --git a/ChangeLog.d/fix-oid-to-string-bugs.txt b/ChangeLog.d/fix-oid-to-string-bugs.txt
deleted file mode 100644
index 3cf02c3..0000000
--- a/ChangeLog.d/fix-oid-to-string-bugs.txt
+++ /dev/null
@@ -1,10 +0,0 @@
-Bugfix
-   * Fix bug in conversion from OID to string in
-     mbedtls_oid_get_numeric_string(). OIDs such as 2.40.0.25 are now printed
-     correctly.
-   * Reject OIDs with overlong-encoded subidentifiers when converting
-     them to a string.
-   * Reject OIDs with subidentifier values exceeding UINT_MAX.  Such
-     subidentifiers can be valid, but Mbed TLS cannot currently handle them.
-   * Reject OIDs that have unterminated subidentifiers, or (equivalently)
-     have the most-significant bit set in their last byte.
diff --git a/ChangeLog.d/fix-overread-in-tls13-debug.txt b/ChangeLog.d/fix-overread-in-tls13-debug.txt
deleted file mode 100644
index e089ce1..0000000
--- a/ChangeLog.d/fix-overread-in-tls13-debug.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Security
-   * Fix a potential heap buffer overread in TLS 1.3 client-side when
-     MBEDTLS_DEBUG_C is enabled. This may result in an application crash.
diff --git a/ChangeLog.d/fix-rsaalt-test-guards.txt b/ChangeLog.d/fix-rsaalt-test-guards.txt
deleted file mode 100644
index f4f39c9..0000000
--- a/ChangeLog.d/fix-rsaalt-test-guards.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Bugfix
-   * Fix compile error where MBEDTLS_RSA_C and MBEDTLS_X509_CRT_WRITE_C are
-     defined, but MBEDTLS_PK_RSA_ALT_SUPPORT is not defined. Fixes #3174.
diff --git a/ChangeLog.d/fix_build_for_directory_names_containing_spaces.txt b/ChangeLog.d/fix_build_for_directory_names_containing_spaces.txt
deleted file mode 100644
index e7643b7..0000000
--- a/ChangeLog.d/fix_build_for_directory_names_containing_spaces.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Bugfix
-   * Fix a bug in the build where directory names containing spaces were
-     causing generate_errors.pl to error out resulting in a build failure.
-     Fixes issue #6879.
diff --git a/ChangeLog.d/improve_x509_cert_writing_serial_number_management.txt b/ChangeLog.d/improve_x509_cert_writing_serial_number_management.txt
deleted file mode 100644
index 1764c2f..0000000
--- a/ChangeLog.d/improve_x509_cert_writing_serial_number_management.txt
+++ /dev/null
@@ -1,19 +0,0 @@
-Bugfix
-   * mbedtls_x509write_crt_set_serial() now explicitly rejects serial numbers
-     whose binary representation is longer than 20 bytes. This was already
-     forbidden by the standard (RFC5280 - section 4.1.2.2) and now it's being
-     enforced also at code level.
-
-New deprecations
-   * mbedtls_x509write_crt_set_serial() is now being deprecated in favor of
-     mbedtls_x509write_crt_set_serial_raw(). The goal here is to remove any
-     direct dependency of X509 on BIGNUM_C.
-
-Changes
-   * programs/x509/cert_write:
-     - now it accepts the serial number in 2 different formats: decimal and
-       hex. They cannot be used simultaneously
-     - "serial" is used for the decimal format and it's limted in size to
-       unsigned long long int
-     - "serial_hex" is used for the hex format; max length here is
-       MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN*2
diff --git a/ChangeLog.d/make_sha224_sha384_independent_from_sha256_sha512.txt b/ChangeLog.d/make_sha224_sha384_independent_from_sha256_sha512.txt
deleted file mode 100644
index d2c9b35..0000000
--- a/ChangeLog.d/make_sha224_sha384_independent_from_sha256_sha512.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Features
-   * SHA224_C/SHA384_C are now independent from SHA384_C/SHA512_C respectively.
-     This helps in saving code size when some of the above hashes are not
-     required.
diff --git a/ChangeLog.d/mbedtls_ecp_point_read_binary-compressed-fmt.txt b/ChangeLog.d/mbedtls_ecp_point_read_binary-compressed-fmt.txt
deleted file mode 100644
index 44253dd..0000000
--- a/ChangeLog.d/mbedtls_ecp_point_read_binary-compressed-fmt.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-Features
-   * Add support for reading points in compressed format
-     (MBEDTLS_ECP_PF_COMPRESSED) with mbedtls_ecp_point_read_binary()
-     (and callers) for Short Weierstrass curves with prime p where p = 3 mod 4
-     (all mbedtls MBEDTLS_ECP_DP_SECP* and MBEDTLS_ECP_DP_BP* curves
-      except MBEDTLS_ECP_DP_SECP224R1 and MBEDTLS_ECP_DP_SECP224K1)
diff --git a/ChangeLog.d/mbedtls_ssl_read_undefined_behavior.txt b/ChangeLog.d/mbedtls_ssl_read_undefined_behavior.txt
deleted file mode 100644
index 1f2c563..0000000
--- a/ChangeLog.d/mbedtls_ssl_read_undefined_behavior.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Bugfix
-   * Fix undefined behavior in mbedtls_ssl_read() and mbedtls_ssl_write() if
-     len argument is 0 and buffer is NULL.
diff --git a/ChangeLog.d/mpi-window-perf.txt b/ChangeLog.d/mpi-window-perf.txt
deleted file mode 100644
index 0f75d6a..0000000
--- a/ChangeLog.d/mpi-window-perf.txt
+++ /dev/null
@@ -1,7 +0,0 @@
-Changes
-   * Changed the default MBEDTLS_ECP_WINDOW_SIZE from 6 to 2.
-     As tested in issue 6790, the correlation between this define and
-     RSA decryption performance has changed lately due to security fixes.
-     To fix the performance degradation when using default values the
-     window was reduced from 6 to 2, a value that gives the best or close
-     to best results when tested on Cortex-M4 and Intel i7.
diff --git a/ChangeLog.d/pk-sign-restartable.txt b/ChangeLog.d/pk-sign-restartable.txt
deleted file mode 100644
index 35da2be..0000000
--- a/ChangeLog.d/pk-sign-restartable.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Changes
-   * When MBEDTLS_USE_PSA_CRYPTO and MBEDTLS_ECDSA_DETERMINISTIC are both
-     defined, mbedtls_pk_sign() now use deterministic ECDSA for ECDSA
-     signatures. This aligns the behaviour with MBEDTLS_USE_PSA_CRYPTO to
-     the behaviour without it, where deterministic ECDSA was already used.
diff --git a/ChangeLog.d/pk_ext-pss_options-public.txt b/ChangeLog.d/pk_ext-pss_options-public.txt
deleted file mode 100644
index b11fa30..0000000
--- a/ChangeLog.d/pk_ext-pss_options-public.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Bugfix
-   * Make the fields of mbedtls_pk_rsassa_pss_options public. This makes it
-     possible to verify RSA PSS signatures with the pk module, which was
-     inadvertently broken since Mbed TLS 3.0.
diff --git a/ChangeLog.d/pkcs7-parser.txt b/ChangeLog.d/pkcs7-parser.txt
deleted file mode 100644
index b60d187..0000000
--- a/ChangeLog.d/pkcs7-parser.txt
+++ /dev/null
@@ -1,15 +0,0 @@
-Features
-   * Added partial support for parsing the PKCS #7 Cryptographic Message
-     Syntax, as defined in RFC 2315. Currently, support is limited to the
-     following:
-     - Only the signed-data content type, version 1 is supported.
-     - Only DER encoding is supported.
-     - Only a single digest algorithm per message is supported.
-     - Certificates must be in X.509 format. A message must have either 0
-       or 1 certificates.
-     - There is no support for certificate revocation lists.
-     - The authenticated and unauthenticated attribute fields of SignerInfo
-       must be empty.
-     Many thanks to Daniel Axtens, Nayna Jain, and Nick Child from IBM for
-     contributing this feature, and to Demi-Marie Obenour for contributing
-     various improvements, tests and bug fixes.
diff --git a/ChangeLog.d/platform-zeroization.txt b/ChangeLog.d/platform-zeroization.txt
deleted file mode 100644
index f17fbbb..0000000
--- a/ChangeLog.d/platform-zeroization.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Security
-  * Use platform-provided secure zeroization function where possible, such as
-    explicit_bzero().
diff --git a/ChangeLog.d/psa-alt-headers.txt b/ChangeLog.d/psa-alt-headers.txt
deleted file mode 100644
index 9555629..0000000
--- a/ChangeLog.d/psa-alt-headers.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Features
-   * The configuration macros MBEDTLS_PSA_CRYPTO_PLATFORM_FILE and
-     MBEDTLS_PSA_CRYPTO_STRUCT_FILE specify alternative locations for
-     the headers "psa/crypto_platform.h" and "psa/crypto_struct.h".
diff --git a/ChangeLog.d/psa-mbedtls-error-translations.txt b/ChangeLog.d/psa-mbedtls-error-translations.txt
deleted file mode 100644
index 366f03b..0000000
--- a/ChangeLog.d/psa-mbedtls-error-translations.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-New deprecations
-   * PSA to mbedtls error translation is now unified in psa_util.h,
-     deprecating mbedtls_md_error_from_psa. Each file that performs error
-     translation should define its own version of PSA_TO_MBEDTLS_ERR,
-     optionally providing file-specific error pairs. Please see psa_util.h for
-     more details.
diff --git a/ChangeLog.d/psa_alg_tls12_ecjpake_to_pms-reject_ka.txt b/ChangeLog.d/psa_alg_tls12_ecjpake_to_pms-reject_ka.txt
deleted file mode 100644
index cfea661..0000000
--- a/ChangeLog.d/psa_alg_tls12_ecjpake_to_pms-reject_ka.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Bugfix
-   * The key derivation algorithm PSA_ALG_TLS12_ECJPAKE_TO_PMS cannot be
-     used on a shared secret from a key agreement since its input must be
-     an ECC public key. Reject this properly.
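Review bot: "Reject this properly." does not tell the caller what they now observe when PSA_ALG_TLS12_ECJPAKE_TO_PMS is fed a key agreement output; the assembled entry would be more useful if it named the error status now returned (take it from the code rather than guessing), so that applications checking return values know what to expect.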
diff --git a/ChangeLog.d/reduce-cpu-modifiers-to-file-scope.txt b/ChangeLog.d/reduce-cpu-modifiers-to-file-scope.txt
deleted file mode 100644
index 9bfc80c..0000000
--- a/ChangeLog.d/reduce-cpu-modifiers-to-file-scope.txt
+++ /dev/null
@@ -1,12 +0,0 @@
-Bugfix
-   * Fix an issue when compiling with MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT
-     enabled, which required specifying compiler flags enabling SHA3 Crypto
-     Extensions, where some compilers would emit EOR3 instructions in other
-     modules, which would then fail if run on a CPU without the SHA3
-     extensions. Fixes #5758.
-
-Changes
-   * When enabling MBEDTLS_SHA256_USE_A64_CRYPTO_* or
-     MBEDTLS_SHA512_USE_A64_CRYPTO_*, it is no longer necessary to specify
-     compiler target flags on the command line; the library now sets target
-     options within the appropriate modules.
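Review bot: This fragment carries two sections, Bugfix and Changes, so it must be split across two headings in the assembled ChangeLog; verify that the #5758 fix (EOR3 instructions emitted into other modules and faulting on CPUs without SHA3 extensions) and the note that MBEDTLS_SHA256_USE_A64_CRYPTO_* / MBEDTLS_SHA512_USE_A64_CRYPTO_* no longer need command-line target flags landed under the right headings and were not merged into one entry.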
diff --git a/ChangeLog.d/rsa-padding-accessor.txt b/ChangeLog.d/rsa-padding-accessor.txt
deleted file mode 100644
index ad14686..0000000
--- a/ChangeLog.d/rsa-padding-accessor.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Features
-   * Add functions mbedtls_rsa_get_padding_mode() and mbedtls_rsa_get_md_alg()
-     to read non-public fields for padding mode and hash id from
-     an mbedtls_rsa_context, as requested in #6917.
diff --git a/ChangeLog.d/san_csr.txt b/ChangeLog.d/san_csr.txt
deleted file mode 100644
index b5c6cf3..0000000
--- a/ChangeLog.d/san_csr.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-Features
-   * Add support to include the SubjectAltName extension to a CSR.
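Review bot: "Add support to include the SubjectAltName extension to a CSR" reads awkwardly; in the assembled ChangeLog suggest "Add support for including the SubjectAltName extension in a CSR", and consider naming the API entry point that sets it so readers can find it without searching the headers.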
diff --git a/ChangeLog.d/san_rfc822Name.txt b/ChangeLog.d/san_rfc822Name.txt
deleted file mode 100644
index 9720e52..0000000
--- a/ChangeLog.d/san_rfc822Name.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Features
-   * Add parsing of rfc822Name subtype for subjectAltName
-     extension in x509 certificates.
diff --git a/ChangeLog.d/tls13-only-renegotiation.txt b/ChangeLog.d/tls13-only-renegotiation.txt
deleted file mode 100644
index f463de1..0000000
--- a/ChangeLog.d/tls13-only-renegotiation.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Bugfix
-   * Fix the handling of renegotiation attempts in TLS 1.3. They are now
-     systematically rejected.
-   * Fix an unused-variable warning in TLS 1.3-only builds if
-     MBEDTLS_SSL_RENEGOTIATION was enabled. Fixes #6200.
diff --git a/ChangeLog.d/tls13-reorder-ciphersuite-preference-list.txt b/ChangeLog.d/tls13-reorder-ciphersuite-preference-list.txt
deleted file mode 100644
index 1d34068..0000000
--- a/ChangeLog.d/tls13-reorder-ciphersuite-preference-list.txt
+++ /dev/null
@@ -1,12 +0,0 @@
-Default behavior changes
-   * The default priority order of TLS 1.3 cipher suites has been modified to
-     follow the same rules as the TLS 1.2 cipher suites (see
-     ssl_ciphersuites.c). The preferred cipher suite is now
-     TLS_CHACHA20_POLY1305_SHA256.
-
-Bugfix
-   * In the TLS 1.3 server, select the preferred client cipher suite, not the
-     least preferred. The selection error was introduced in Mbed TLS 3.3.0.
-   * Fix TLS 1.3 session resumption when the established pre-shared key is
-     384 bits long. That is the length of pre-shared keys created under a
-     session where the cipher suite is TLS_AES_256_GCM_SHA384.
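Review bot: Like the A64 crypto fragment, this one spans two sections (Default behavior changes and Bugfix) and must be split when merged; the Bugfix about the TLS 1.3 server selecting the least preferred client cipher suite is the one entry here that names the version that introduced the defect (3.3.0), which is the right practice, and the 384-bit PSK resumption fix should likewise say whether it affects earlier 3.x releases so operators know which builds to upgrade.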
diff --git a/ChangeLog.d/vs2013.txt b/ChangeLog.d/vs2013.txt
deleted file mode 100644
index 6fe7a5e..0000000
--- a/ChangeLog.d/vs2013.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Changes
-  * Visual Studio: Rename the directory containing Visual Studio files from
-    visualc/VS2010 to visualc/VS2013 as we do not support building with versions
-    older than 2013. Update the solution file to specify VS2013 as a minimum.
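Review bot: The rename from visualc/VS2010 to visualc/VS2013 will break any downstream build script or CI job that references the old path; the entry should say so explicitly rather than only stating the support policy. Indentation here is 2 spaces against the 3-space style of most fragments and needs normalizing on merge.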
diff --git a/ChangeLog.d/workaround_gnutls_anti_replay_fail.txt b/ChangeLog.d/workaround_gnutls_anti_replay_fail.txt
deleted file mode 100644
index cebc2b7..0000000
--- a/ChangeLog.d/workaround_gnutls_anti_replay_fail.txt
+++ /dev/null
@@ -1,7 +0,0 @@
-Bugfix
-    * In TLS 1.3, when using a ticket for session resumption, tweak its age
-      calculation on the client side. It prevents a server with more accurate
-      ticket timestamps (typically timestamps in milliseconds) compared to the
-      Mbed TLS ticket timestamps (in seconds) to compute a ticket age smaller
-      than the age computed and transmitted by the client and thus potentially
-      reject the ticket. Fix #6623.
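Review bot: "Fix #6623." is inconsistent with the "Fixes #NNNN." form used in the other fragments, and the 4-space indentation is off from the 3-space style; the single long sentence is also hard to parse. Suggest splitting it into the change (the client-side ticket age calculation is tweaked) and the reason (a server with millisecond ticket timestamps could compute an age smaller than the client's seconds-based value and reject the ticket).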
diff --git a/ChangeLog.d/x509-subaltname-ext.txt b/ChangeLog.d/x509-subaltname-ext.txt
deleted file mode 100644
index 7845f18..0000000
--- a/ChangeLog.d/x509-subaltname-ext.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Bugfix
-   * Fix parsing of X.509 SubjectAlternativeName extension. Previously,
-     malformed alternative name components were not caught during initial
-     certificate parsing, but only on subsequent calls to
-     mbedtls_x509_parse_subject_alt_name(). Fixes #2838.
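Review bot: Malformed SubjectAlternativeName components that were not caught during initial certificate parsing and only surfaced in later calls to mbedtls_x509_parse_subject_alt_name() is exactly the kind of entry readers scan the Security section for; state explicitly whether this has security impact (and if so move it there with affected versions), or that it is a correctness-only fix, so the Bugfix placement reads as deliberate.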