Assemble ChangeLog

Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>

ChangeLog

@@ -1,5 +1,115 @@
 Mbed TLS ChangeLog (Sorted per branch, date)
 
+= Mbed TLS 3.6.4 branch released 2025-06-30
+
+Features
+   * Add the function mbedtls_ssl_export_keying_material() which allows the
+     client and server to extract additional shared symmetric keys from an SSL
+     session, according to the TLS-Exporter specification in RFC 8446 and 5705.
+     This requires MBEDTLS_SSL_KEYING_MATERIAL_EXPORT to be defined in
+     mbedtls_config.h.
+
+Security
+   * Fix a buffer overread in mbedtls_lms_import_public_key() when the input is
+     less than 3 bytes. Reported by Linh Le and Ngan Nguyen from Calif.
+     CVE-2025-49601
+   * Fix a vulnerability in LMS verification through which an adversary could
+     get an invalid signature accepted if they could cause a hash accelerator
+     to fail. Found and reported by Linh Le and Ngan Nguyen from Calif.
+     CVE-2025-49600
+   * On x86/amd64 platforms, with some compilers, when the library is
+     compiled with support for both AESNI and software AES and AESNI is
+     available in hardware, an adversary with fine control over which
+     threads make progress in a multithreaded program could force software
+     AES to be used for some time when the program starts. This could allow
+     the adversary to conduct timing attacks and potentially recover the
+     key. In particular, this attacker model may be possible against an SGX
+     enclave.
+     The same vulnerability affects GCM acceleration, which could allow
+     a similarly powerful adversary to craft GCM forgeries.
+     CVE-2025-52496
+   * Fix possible use-after-free or double-free in code calling
+     mbedtls_x509_string_to_names(). This was caused by the function calling
+     mbedtls_asn1_free_named_data_list() on its head argument, while the
+     documentation did no suggest it did, making it likely for callers relying
+     on the documented behaviour to still hold pointers to memory blocks after
+     they were free()d, resulting in high risk of use-after-free or double-free,
+     with consequences ranging up to arbitrary code execution.
+     In particular, the two sample programs x509/cert_write and x509/cert_req
+     were affected (use-after-free if the san string contains more than one DN).
+     Code that does not call mbedtls_string_to_names() directly is not affected.
+     Found by Linh Le and Ngan Nguyen from Calif.
+     CVE-2025-47917
+   * Fix a bug in mbedtls_asn1_store_named_data() where it would sometimes leave
+     an item in the output list in an inconsistent state with val.p == NULL but
+     val.len > 0. This impacts applications that call this function directly,
+     or indirectly via mbedtls_x509_string_to_names() or one of the
+     mbedtls_x509write_{crt,csr}_set_{subject,issuer}_name() functions. The
+     inconsistent state of the output could then cause a NULL dereference either
+     inside the same call to mbedtls_x509_string_to_names(), or in subsequent
+     users of the output structure, such as mbedtls_x509_write_names(). This
+     only affects applications that create (as opposed to consume) X.509
+     certificates, CSRs or CRLs, or that call mbedtls_asn1_store_named_data()
+     directly. Found by Linh Le and Ngan Nguyen from Calif.
+     CVE-2025-48965
+   * Fix an integer underflow that could occur when parsing malformed PEM
+     keys, which could be used by an attacker capable of feeding encrypted
+     PEM keys to a user. This could cause a crash or information disclosure.
+     Found and reported by Linh Le and Ngan Nguyen from Calif.
+     CVE-2025-52497
+   * Fix a timing side channel in the implementation of PKCS#7 padding
+     which would allow an attacker who can request decryption of arbitrary
+     ciphertexts to recover the plaintext through a timing oracle attack.
+     Reported by Ka Lok Wu from Stony Brook University and Doria Tang from
+     The Chinese University of Hong Kong.
+     CVE-2025-49087
+
+Bugfix
+   * Fix failures of PSA multipart or interruptible operations when the
+     library or the application is built with a compiler where
+     "union foo x = {0}" does not initialize non-default members of the
+     union, such as GCC 15 and some versions of Clang 18. This affected MAC
+     multipart operations, MAC-based key derivation operations, interruptible
+     signature, interruptible verification, and potentially other operations
+     when using third-party drivers. This also affected one-shot MAC
+     operations using the built-in implementation. Fixes #9814.
+   * On entry to PSA driver entry points that set up a multipart operation
+     ("xxx_setup"), the operation object is supposed to be all-bits-zero.
+     This was sometimes not the case when an operation object is reused,
+     or with compilers where "union foo x = {0}" does not initialize
+     non-default members of the union. The PSA core now ensures that this
+     guarantee is met in all cases. Fixes #9975.
+   * Resolved build issue with C++ projects using Mbed TLS 3.6 when compiling
+     with the MSVC toolset v142 and earlier. Fixes mbedtls issue #7087.
+   * Silence spurious -Wunterminated-string-initialization warnings introduced
+     by GCC 15. Fixes #9944.
+   * Fix a sloppy check in LMS public key import, which could lead to accepting
+     keys with a different LMS or LM-OTS types on some platforms. Specifically,
+     this could happen on platforms where enum types are smaller than 32 bits
+     and compiler optimization is enabled. Found and reported by Linh Le and
+     Ngan Nguyen from Calif.
+   * Fix a race condition on x86/amd64 platforms in AESNI support detection
+     that could lead to using software AES in some threads at the very
+     beginning of a multithreaded program. Reported by Solar Designer.
+     Fixes #9840.
+   * Fix mbedtls_base64_decode() on inputs that did not have the correct
+     number of trailing equal signs, or had 4*k+1 digits. They were accepted
+     as long as they had at most two trailing equal signs. They are now
+     rejected. Furthermore, before, on inputs with too few equal signs, the
+     function reported the correct size in *olen when it returned
+     MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL, but truncated the output to the
+     last multiple of 3 bytes.
+   * When calling mbedtls_asn1_write_raw_buffer() with NULL, 0 as the last two
+     arguments, undefined behaviour would be triggered, in the form of a call to
+     memcpy(..., NULL, 0). This was harmless in practice, but could trigger
+     complains from sanitizers or static analyzers.
+
+Changes
+   * The function mbedtls_x509_string_to_names() now requires its head argument
+     to point to NULL on entry. This makes it likely that existing risky uses of
+     this function (see the entry in the Security section) will be detected and
+     fixed.
+
 = Mbed TLS 3.6.3 branch released 2025-03-24
 
 Default behavior changes

ChangeLog.d/1351_lms_overread.txt

@@ -1,4 +0,0 @@
-Security
-   * Fix a buffer overread in mbedtls_lms_import_public_key() when the input is
-     less than 3 bytes. Reported by Linh Le and Ngan Nguyen from Calif.
-     CVE-2025-49601

ChangeLog.d/1352_lms_enum_casting.txt

@@ -1,6 +0,0 @@
-Bugfix
-   * Fix a sloppy check in LMS public key import, which could lead to accepting
-     keys with a different LMS or LM-OTS types on some platforms. Specifically,
-     this could happen on platforms where enum types are smaller than 32 bits
-     and compiler optimization is enabled. Found and reported by Linh Le and
-     Ngan Nguyen from Calif.

ChangeLog.d/1353_lms_check_return_of_merkle_leaf.txt

@@ -1,5 +0,0 @@
-Security
-   * Fix a vulnerability in LMS verification through which an adversary could
-     get an invalid signature accepted if they could cause a hash accelerator
-     to fail. Found and reported by Linh Le and Ngan Nguyen from Calif.
-     CVE-2025-49600

ChangeLog.d/add-tls-exporter.txt

@@ -1,6 +0,0 @@
-Features
-   * Add the function mbedtls_ssl_export_keying_material() which allows the
-     client and server to extract additional shared symmetric keys from an SSL
-     session, according to the TLS-Exporter specification in RFC 8446 and 5705.
-     This requires MBEDTLS_SSL_KEYING_MATERIAL_EXPORT to be defined in
-     mbedtls_config.h.

ChangeLog.d/aesni_has_support.txt

@@ -1,17 +0,0 @@
-Bugfix
-   * Fix a race condition on x86/amd64 platforms in AESNI support detection
-     that could lead to using software AES in some threads at the very
-     beginning of a multithreaded program. Reported by Solar Designer.
-     Fixes #9840.
-
-Security
-   * On x86/amd64 platforms, with some compilers, when the library is
-     compiled with support for both AESNI and software AES and AESNI is
-     available in hardware, an adversary with fine control over which
-     threads make progress in a multithreaded program could force software
-     AES to be used for some time when the program starts. This could allow
-     the adversary to conduct timing attacks and potentially recover the
-     key. In particular, this attacker model may be possible against an SGX
-     enclave.
-     The same vulnerability affects GCM acceleration, which could allow
-     a similarly powerful adversary to craft GCM forgeries.

ChangeLog.d/base64_decode.txt

@@ -1,8 +0,0 @@
-Bugfix
-   * Fix mbedtls_base64_decode() on inputs that did not have the correct
-     number of trailing equal signs, or had 4*k+1 digits. They were accepted
-     as long as they had at most two trailing equal signs. They are now
-     rejected. Furthermore, before, on inputs with too few equal signs, the
-     function reported the correct size in *olen when it returned
-     MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL, but truncated the output to the
-     last multiple of 3 bytes.

ChangeLog.d/fix-asn1write-raw-buffer.txt

@@ -1,5 +0,0 @@
-Bugfix
-   * When calling mbedtls_asn1_write_raw_buffer() with NULL, 0 as the last two
-     arguments, undefined behaviour would be triggered, in the form of a call to
-     memcpy(..., NULL, 0). This was harmless in practice, but could trigger
-     complains from sanitizers or static analyzers.

ChangeLog.d/fix-string-to-names-memory-management.txt

@@ -1,18 +0,0 @@
-Security
-   * Fix possible use-after-free or double-free in code calling
-     mbedtls_x509_string_to_names(). This was caused by the function calling
-     mbedtls_asn1_free_named_data_list() on its head argument, while the
-     documentation did no suggest it did, making it likely for callers relying
-     on the documented behaviour to still hold pointers to memory blocks after
-     they were free()d, resulting in high risk of use-after-free or double-free,
-     with consequences ranging up to arbitrary code execution.
-     In particular, the two sample programs x509/cert_write and x509/cert_req
-     were affected (use-after-free if the san string contains more than one DN).
-     Code that does not call mbedtls_string_to_names() directly is not affected.
-     Found by Linh Le and Ngan Nguyen from Calif.
-
-Changes
-   * The function mbedtls_x509_string_to_names() now requires its head argument
-     to point to NULL on entry. This makes it likely that existing risky uses of
-     this function (see the entry in the Security section) will be detected and
-     fixed.

ChangeLog.d/fix-string-to-names-store-named-data.txt

@@ -1,12 +0,0 @@
-Security
-   * Fix a bug in mbedtls_asn1_store_named_data() where it would sometimes leave
-     an item in the output list in an inconsistent state with val.p == NULL but
-     val.len > 0. This impacts applications that call this function directly,
-     or indirectly via mbedtls_x509_string_to_names() or one of the
-     mbedtls_x509write_{crt,csr}_set_{subject,issuer}_name() functions. The
-     inconsistent state of the output could then cause a NULL dereference either
-     inside the same call to mbedtls_x509_string_to_names(), or in subsequent
-     users of the output structure, such as mbedtls_x509_write_names(). This
-     only affects applications that create (as opposed to consume) X.509
-     certificates, CSRs or CRLS, or that call mbedtls_asn1_store_named_data()
-     directly. Found by Linh Le and Ngan Nguyen from Calif.

ChangeLog.d/move-crypto-struct-inclusion.txt

@@ -1,3 +0,0 @@
-Bugfix
-   * Resolved build issue with C++ projects using Mbed TLS 3.6 when compiling
-     with the MSVC toolset v142 and earlier. Fixes mbedtls issue #7087.

ChangeLog.d/pem-integer-underflow.txt

@@ -1,5 +0,0 @@
-Security
-   * Fix an integer underflow that could occur when parsing malformed PEM
-     keys, which could be used by an attacker capable of feeding encrypted
-     PEM keys to a user. This could cause a crash or information disclosure.
-     Found and reported by Linh Le and Ngan Nguyen from Calif.

ChangeLog.d/pkcs7-padding-side-channel-fix.txt

@@ -1,6 +0,0 @@
-Security
-   * Fix a timing side channel in the implementation of PKCS#7 padding
-     which would allow an attacker who can request decryption of arbitrary
-     ciphertexts to recover the plaintext through a timing oracle attack.
-     Reported by Ka Lok Wu from Stony Brook University and Doria Tang from
-     The Chinese University of Hong Kong.

ChangeLog.d/union-initialization.txt

@@ -1,15 +0,0 @@
-Bugfix
-   * Fix failures of PSA multipart or interruptible operations when the
-     library or the application is built with a compiler where
-     "union foo x = {0}" does not initialize non-default members of the
-     union, such as GCC 15 and some versions of Clang 18. This affected MAC
-     multipart operations, MAC-based key derivation operations, interruptible
-     signature, interruptible verification, and potentially other operations
-     when using third-party drivers. This also affected one-shot MAC
-     operations using the built-in implementation. Fixes #9814.
-   * On entry to PSA driver entry points that set up a multipart operation
-     ("xxx_setup"), the operation object is supposed to be all-bits-zero.
-     This was sometimes not the case when an operation object is reused,
-     or with compilers where "union foo x = {0}" does not initialize
-     non-default members of the union. The PSA core now ensures that this
-     guarantee is met in all cases. Fixes #9975.

ChangeLog.d/unterminated-string-initialization.txt

@@ -1,3 +0,0 @@
-Bugfix
-   * Silence spurious -Wunterminated-string-initialization warnings introduced
-     by GCC 15. Fixes #9944.