Assemble Changelog for 3.4.0 release

Signed-off-by: Paul Elliott <paul.elliott@arm.com>

ChangeLog

@@ -1,5 +1,216 @@
 Mbed TLS ChangeLog (Sorted per branch, date)
 
+= Mbed TLS 3.4.0 branch released 2023-03-28
+
+Default behavior changes
+   * The default priority order of TLS 1.3 cipher suites has been modified to
+     follow the same rules as the TLS 1.2 cipher suites (see
+     ssl_ciphersuites.c). The preferred cipher suite is now
+     TLS_CHACHA20_POLY1305_SHA256.
+
+New deprecations
+   * mbedtls_x509write_crt_set_serial() is now being deprecated in favor of
+     mbedtls_x509write_crt_set_serial_raw(). The goal here is to remove any
+     direct dependency of X509 on BIGNUM_C.
+   * PSA to mbedtls error translation is now unified in psa_util.h,
+     deprecating mbedtls_md_error_from_psa. Each file that performs error
+     translation should define its own version of PSA_TO_MBEDTLS_ERR,
+     optionally providing file-specific error pairs. Please see psa_util.h for
+     more details.
+
+Features
+   * Added partial support for parsing the PKCS #7 Cryptographic Message
+     Syntax, as defined in RFC 2315. Currently, support is limited to the
+     following:
+     - Only the signed-data content type, version 1 is supported.
+     - Only DER encoding is supported.
+     - Only a single digest algorithm per message is supported.
+     - Certificates must be in X.509 format. A message must have either 0
+       or 1 certificates.
+     - There is no support for certificate revocation lists.
+     - The authenticated and unauthenticated attribute fields of SignerInfo
+       must be empty.
+     Many thanks to Daniel Axtens, Nayna Jain, and Nick Child from IBM for
+     contributing this feature, and to Demi-Marie Obenour for contributing
+     various improvements, tests and bug fixes.
+   * General performance improvements by accessing multiple bytes at a time.
+     Fixes #1666.
+   * Improvements to use of unaligned and byte-swapped memory, reducing code
+     size and improving performance (depending on compiler and target
+     architecture).
+   * Add support for reading points in compressed format
+     (MBEDTLS_ECP_PF_COMPRESSED) with mbedtls_ecp_point_read_binary()
+     (and callers) for Short Weierstrass curves with prime p where p = 3 mod 4
+     (all mbedtls MBEDTLS_ECP_DP_SECP* and MBEDTLS_ECP_DP_BP* curves
+      except MBEDTLS_ECP_DP_SECP224R1 and MBEDTLS_ECP_DP_SECP224K1)
+   * SHA224_C/SHA384_C are now independent from SHA384_C/SHA512_C respectively.
+     This helps in saving code size when some of the above hashes are not
+     required.
+   * Add parsing of V3 extensions (key usage, Netscape cert-type,
+     Subject Alternative Names) in x509 Certificate Sign Requests.
+   * Use HOSTCC (if it is set) when compiling C code during generation of the
+     configuration-independent files. This allows them to be generated when
+     CC is set for cross compilation.
+   * Add parsing of uniformResourceIdentifier subtype for subjectAltName
+     extension in x509 certificates.
+   * Add an interruptible version of sign and verify hash to the PSA interface,
+     backed by internal library support for ECDSA signing and verification.
+   * Add parsing of rfc822Name subtype for subjectAltName
+     extension in x509 certificates.
+   * The configuration macros MBEDTLS_PSA_CRYPTO_PLATFORM_FILE and
+     MBEDTLS_PSA_CRYPTO_STRUCT_FILE specify alternative locations for
+     the headers "psa/crypto_platform.h" and "psa/crypto_struct.h".
+   * When a PSA driver for ECDSA is present, it is now possible to disable
+     MBEDTLS_ECDSA_C in the build in order to save code size. For PK, X.509
+     and TLS to fully work, this requires MBEDTLS_USE_PSA_CRYPTO to be enabled.
+     Restartable/interruptible ECDSA operations in PK, X.509 and TLS are not
+     supported in those builds yet, as driver support for interruptible ECDSA
+     operations is not present yet.
+   * Add a driver dispatch layer for EC J-PAKE, enabling alternative
+     implementations of EC J-PAKE through the driver entry points.
+   * Add new API mbedtls_ssl_cache_remove for cache entry removal by
+     its session id.
+   * Add support to include the SubjectAltName extension to a CSR.
+   * Add support for AES with the Armv8-A Cryptographic Extension on
+     64-bit Arm. A new configuration option, MBEDTLS_AESCE_C, can
+     be used to enable this feature. Run-time detection is supported
+     under Linux only.
+   * When a PSA driver for EC J-PAKE is present, it is now possible to disable
+     MBEDTLS_ECJPAKE_C in the build in order to save code size. For the
+     corresponding TLS 1.2 key exchange to work, MBEDTLS_USE_PSA_CRYPTO needs
+     to be enabled.
+   * Add functions mbedtls_rsa_get_padding_mode() and mbedtls_rsa_get_md_alg()
+     to read non-public fields for padding mode and hash id from
+     an mbedtls_rsa_context, as requested in #6917.
+   * AES-NI is now supported with Visual Studio.
+   * AES-NI is now supported in 32-bit builds, or when MBEDTLS_HAVE_ASM
+     is disabled, when compiling with GCC or Clang or a compatible compiler
+     for a target CPU that supports the requisite instructions (for example
+     gcc -m32 -msse2 -maes -mpclmul). (Generic x86 builds with GCC-like
+     compilers still require MBEDTLS_HAVE_ASM and a 64-bit target.)
+   * It is now possible to use a PSA-held (opaque) password with the TLS 1.2
+     ECJPAKE key exchange, using the new API function
+     mbedtls_ssl_set_hs_ecjpake_password_opaque().
+
+Security
+   * Use platform-provided secure zeroization function where possible, such as
+     explicit_bzero().
+   * Zeroize SSL cache entries when they are freed.
+   * Fix a potential heap buffer overread in TLS 1.3 client-side when
+     MBEDTLS_DEBUG_C is enabled. This may result in an application crash.
+   * Add support for AES with the Armv8-A Cryptographic Extension on 64-bit
+     Arm, so that these systems are no longer vulnerable to timing side-channel
+     attacks. This is configured by MBEDTLS_AESCE_C, which is on by default.
+     Reported by Demi Marie Obenour.
+   * MBEDTLS_AESNI_C, which is enabled by default, was silently ignored on
+     builds that couldn't compile the GCC-style assembly implementation
+     (most notably builds with Visual Studio), leaving them vulnerable to
+     timing side-channel attacks. There is now an intrinsics-based AES-NI
+     implementation as a fallback for when the assembly one cannot be used.
+
+Bugfix
+   * Fix possible integer overflow in mbedtls_timing_hardclock(), which
+     could cause a crash in programs/test/benchmark.
+   * Fix IAR compiler warnings. Fixes #6924.
+   * Fix a bug in the build where directory names containing spaces were
+     causing generate_errors.pl to error out resulting in a build failure.
+     Fixes issue #6879.
+   * In TLS 1.3, when using a ticket for session resumption, tweak its age
+     calculation on the client side. It prevents a server with more accurate
+     ticket timestamps (typically timestamps in milliseconds) compared to the
+     Mbed TLS ticket timestamps (in seconds) to compute a ticket age smaller
+     than the age computed and transmitted by the client and thus potentially
+     reject the ticket. Fix #6623.
+   * Fix compile error where MBEDTLS_RSA_C and MBEDTLS_X509_CRT_WRITE_C are
+     defined, but MBEDTLS_PK_RSA_ALT_SUPPORT is not defined. Fixes #3174.
+   * List PSA_WANT_ALG_CCM_STAR_NO_TAG in psa/crypto_config.h so that it can
+     be toggled with config.py.
+   * The key derivation algorithm PSA_ALG_TLS12_ECJPAKE_TO_PMS cannot be
+     used on a shared secret from a key agreement since its input must be
+     an ECC public key. Reject this properly.
+   * mbedtls_x509write_crt_set_serial() now explicitly rejects serial numbers
+     whose binary representation is longer than 20 bytes. This was already
+     forbidden by the standard (RFC5280 - section 4.1.2.2) and now it's being
+     enforced also at code level.
+   * Fix potential undefined behavior in mbedtls_mpi_sub_abs().  Reported by
+     Pascal Cuoq using TrustInSoft Analyzer in #6701; observed independently by
+     Aaron Ucko under Valgrind.
+   * Fix behavior of certain sample programs which could, when run with no
+     arguments, access uninitialized memory in some cases. Fixes #6700 (which
+     was found by TrustInSoft Analyzer during REDOCS'22) and #1120.
+   * Fix parsing of X.509 SubjectAlternativeName extension. Previously,
+     malformed alternative name components were not caught during initial
+     certificate parsing, but only on subsequent calls to
+     mbedtls_x509_parse_subject_alt_name(). Fixes #2838.
+   * Make the fields of mbedtls_pk_rsassa_pss_options public. This makes it
+     possible to verify RSA PSS signatures with the pk module, which was
+     inadvertently broken since Mbed TLS 3.0.
+   * Fix bug in conversion from OID to string in
+     mbedtls_oid_get_numeric_string(). OIDs such as 2.40.0.25 are now printed
+     correctly.
+   * Reject OIDs with overlong-encoded subidentifiers when converting
+     them to a string.
+   * Reject OIDs with subidentifier values exceeding UINT_MAX.  Such
+     subidentifiers can be valid, but Mbed TLS cannot currently handle them.
+   * Reject OIDs that have unterminated subidentifiers, or (equivalently)
+     have the most-significant bit set in their last byte.
+   * Silence warnings from clang -Wdocumentation about empty \retval
+     descriptions, which started appearing with Clang 15. Fixes #6960.
+   * Fix the handling of renegotiation attempts in TLS 1.3. They are now
+     systematically rejected.
+   * Fix an unused-variable warning in TLS 1.3-only builds if
+     MBEDTLS_SSL_RENEGOTIATION was enabled. Fixes #6200.
+   * Fix undefined behavior in mbedtls_ssl_read() and mbedtls_ssl_write() if
+     len argument is 0 and buffer is NULL.
+   * Allow setting user and peer identifiers for EC J-PAKE operation
+     instead of role in PAKE PSA Crypto API as described in the specification.
+     This is a partial fix that allows only "client" and "server" identifiers.
+   * Fix a compilation error when PSA Crypto is built with support for
+     TLS12_PRF but not TLS12_PSK_TO_MS. Reported by joerchan in #7125.
+   * In the TLS 1.3 server, select the preferred client cipher suite, not the
+     least preferred. The selection error was introduced in Mbed TLS 3.3.0.
+   * Fix TLS 1.3 session resumption when the established pre-shared key is
+     384 bits long. That is the length of pre-shared keys created under a
+     session where the cipher suite is TLS_AES_256_GCM_SHA384.
+   * Fix an issue when compiling with MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT
+     enabled, which required specifying compiler flags enabling SHA3 Crypto
+     Extensions, where some compilers would emit EOR3 instructions in other
+     modules, which would then fail if run on a CPU without the SHA3
+     extensions. Fixes #5758.
+
+Changes
+   * Install the .cmake files into CMAKE_INSTALL_LIBDIR/cmake/MbedTLS,
+     typically /usr/lib/cmake/MbedTLS.
+   * Mixed-endian systems are explicitly not supported any more.
+   * When MBEDTLS_USE_PSA_CRYPTO and MBEDTLS_ECDSA_DETERMINISTIC are both
+     defined, mbedtls_pk_sign() now use deterministic ECDSA for ECDSA
+     signatures. This aligns the behaviour with MBEDTLS_USE_PSA_CRYPTO to
+     the behaviour without it, where deterministic ECDSA was already used.
+   * Visual Studio: Rename the directory containing Visual Studio files from
+     visualc/VS2010 to visualc/VS2013 as we do not support building with versions
+     older than 2013. Update the solution file to specify VS2013 as a minimum.
+   * programs/x509/cert_write:
+     - now it accepts the serial number in 2 different formats: decimal and
+       hex. They cannot be used simultaneously
+     - "serial" is used for the decimal format and it's limted in size to
+       unsigned long long int
+     - "serial_hex" is used for the hex format; max length here is
+       MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN*2
+   * The C code follows a new coding style. This is transparent for users but
+     affects contributors and maintainers of local patches. For more
+     information, see
+     https://mbed-tls.readthedocs.io/en/latest/kb/how-to/rewrite-branch-for-coding-style/
+   * Changed the default MBEDTLS_ECP_WINDOW_SIZE from 6 to 2.
+     As tested in issue 6790, the correlation between this define and
+     RSA decryption performance has changed lately due to security fixes.
+     To fix the performance degradation when using default values the
+     window was reduced from 6 to 2, a value that gives the best or close
+     to best results when tested on Cortex-M4 and Intel i7.
+   * When enabling MBEDTLS_SHA256_USE_A64_CRYPTO_* or
+     MBEDTLS_SHA512_USE_A64_CRYPTO_*, it is no longer necessary to specify
+     compiler target flags on the command line; the library now sets target
+     options within the appropriate modules.
+
 = Mbed TLS 3.3.0 branch released 2022-12-14
 
 Default behavior changes

ChangeLog.d/add-cache-remove-api.txt

@@ -1,5 +0,0 @@
-Features
-   * Add new API mbedtls_ssl_cache_remove for cache entry removal by
-     its session id.
-Security
-   * Zeroize SSL cache entries when they are freed.

ChangeLog.d/add-uri-san.txt

@@ -1,3 +0,0 @@
-Features
-   * Add parsing of uniformResourceIdentifier subtype for subjectAltName
-     extension in x509 certificates.

ChangeLog.d/add_interruptible_sign_hash.txt

@@ -1,5 +0,0 @@
-Features
-   * Add an interruptible version of sign and verify hash to the PSA interface,
-     backed by internal library support for ECDSA signing and verification.
-
-

ChangeLog.d/aes-ce-security-notice.txt

@@ -1,5 +0,0 @@
-Security
-   * Add support for AES with the Armv8-A Cryptographic Extension on 64-bit
-     Arm, so that these systems are no longer vulnerable to timing side-channel
-     attacks. This is configured by MBEDTLS_AESCE_C, which is on by default.
-     Reported by Demi Marie Obenour.

ChangeLog.d/aes-ni-security-notice.txt

@@ -1,6 +0,0 @@
-Security
-   * MBEDTLS_AESNI_C, which is enabled by default, was silently ignored on
-     builds that couldn't compile the GCC-style assembly implementation
-     (most notably builds with Visual Studio), leaving them vulnerable to
-     timing side-channel attacks. There is now an intrinsics-based AES-NI
-     implementation as a fallback for when the assembly one cannot be used.

ChangeLog.d/aesni.txt

@@ -1,7 +0,0 @@
-Features
-   * AES-NI is now supported with Visual Studio.
-   * AES-NI is now supported in 32-bit builds, or when MBEDTLS_HAVE_ASM
-     is disabled, when compiling with GCC or Clang or a compatible compiler
-     for a target CPU that supports the requisite instructions (for example
-     gcc -m32 -msse2 -maes -mpclmul). (Generic x86 builds with GCC-like
-     compilers still require MBEDTLS_HAVE_ASM and a 64-bit target.)

ChangeLog.d/alignment-perf.txt

@@ -1,8 +0,0 @@
-Features
-   * General performance improvements by accessing multiple bytes at a time.
-     Fixes #1666.
-   * Improvements to use of unaligned and byte-swapped memory, reducing code
-     size and improving performance (depending on compiler and target
-     architecture).
-Changes
-   * Mixed-endian systems are explicitly not supported any more.

ChangeLog.d/armv8-aes.txt

@@ -1,5 +0,0 @@
-Features
-   * Add support for AES with the Armv8-A Cryptographic Extension on
-     64-bit Arm. A new configuration option, MBEDTLS_AESCE_C, can
-     be used to enable this feature. Run-time detection is supported
-     under Linux only.

ChangeLog.d/c-build-helper-hostcc.txt

@@ -1,4 +0,0 @@
-Features
-   * Use HOSTCC (if it is set) when compiling C code during generation of the
-     configuration-independent files. This allows them to be generated when
-     CC is set for cross compilation.

ChangeLog.d/changelog-6567-psa_key_derivation_abort-no-other_secret.txt

@@ -1,3 +0,0 @@
-Bugfix
-   * Fix a compilation error when PSA Crypto is built with support for
-     TLS12_PRF but not TLS12_PSK_TO_MS. Reported by joerchan in #7125.

ChangeLog.d/cmake-install.txt

@@ -1,3 +0,0 @@
-Changes
-  * Install the .cmake files into CMAKE_INSTALL_LIBDIR/cmake/MbedTLS,
-    typically /usr/lib/cmake/MbedTLS.

ChangeLog.d/coding-style.txt

@@ -1,5 +0,0 @@
-Changes
-   * The C code follows a new coding style. This is transparent for users but
-     affects contributors and maintainers of local patches. For more
-     information, see
-     https://mbed-tls.readthedocs.io/en/latest/kb/how-to/rewrite-branch-for-coding-style/

ChangeLog.d/conditionalize-mbedtls_mpi_sub_abs-memcpy.txt

@@ -1,4 +0,0 @@
-Bugfix
-   * Fix potential undefined behavior in mbedtls_mpi_sub_abs().  Reported by
-     Pascal Cuoq using TrustInSoft Analyzer in #6701; observed independently by
-     Aaron Ucko under Valgrind.

ChangeLog.d/crypto_config_ccm_star.txt

@@ -1,3 +0,0 @@
-Bugfix
-   * List PSA_WANT_ALG_CCM_STAR_NO_TAG in psa/crypto_config.h so that it can
-     be toggled with config.py.

ChangeLog.d/csr_v3_extensions.txt

@@ -1,3 +0,0 @@
-Features
-   * Add parsing of V3 extensions (key usage, Netscape cert-type,
-     Subject Alternative Names) in x509 Certificate Sign Requests.

ChangeLog.d/driver-only-ecdsa.txt

@@ -1,7 +0,0 @@
-Features
-   * When a PSA driver for ECDSA is present, it is now possible to disable
-     MBEDTLS_ECDSA_C in the build in order to save code size. For PK, X.509
-     and TLS to fully work, this requires MBEDTLS_USE_PSA_CRYPTO to be enabled.
-     Restartable/interruptible ECDSA operations in PK, X.509 and TLS are not
-     supported in those builds yet, as driver support for interruptible ECDSA
-     operations is not present yet.

ChangeLog.d/driver-only-ecjpake.txt

@@ -1,5 +0,0 @@
-Features
-   * When a PSA driver for EC J-PAKE is present, it is now possible to disable
-     MBEDTLS_ECJPAKE_C in the build in order to save code size. For the
-     corresponding TLS 1.2 key exchange to work, MBEDTLS_USE_PSA_CRYPTO needs
-     to be enabled.

ChangeLog.d/ec_jpake_driver_dispatch.txt

@@ -1,3 +0,0 @@
-Features
-   * Add a driver dispatch layer for EC J-PAKE, enabling alternative
-     implementations of EC J-PAKE through the driver entry points.

ChangeLog.d/empty-retval-description.txt

@@ -1,3 +0,0 @@
-Bugfix
-   * Silence warnings from clang -Wdocumentation about empty \retval
-     descriptions, which started appearing with Clang 15. Fixes #6960.

ChangeLog.d/enable_opaque_ECJPAKE_key_exchange.txt

@@ -1,4 +0,0 @@
-Features
-   * It is now possible to use a PSA-held (opaque) password with the TLS 1.2
-     ECJPAKE key exchange, using the new API function
-     mbedtls_ssl_set_hs_ecjpake_password_opaque().

ChangeLog.d/fix-example-programs-no-args.txt

@@ -1,4 +0,0 @@
-Bugfix
-   * Fix behavior of certain sample programs which could, when run with no
-     arguments, access uninitialized memory in some cases. Fixes #6700 (which
-     was found by TrustInSoft Analyzer during REDOCS'22) and #1120.

ChangeLog.d/fix-gettimeofday-overflow.txt

@@ -1,3 +0,0 @@
-Bugfix
-   * Fix possible integer overflow in mbedtls_timing_hardclock(), which
-     could cause a crash in programs/test/benchmark.

ChangeLog.d/fix-iar-warnings.txt

@@ -1,2 +0,0 @@
-Bugfix
-   * Fix IAR compiler warnings. Fixes #6924.

ChangeLog.d/fix-jpake-user-peer.txt

@@ -1,4 +0,0 @@
-Bugfix
-   * Allow setting user and peer identifiers for EC J-PAKE operation
-     instead of role in PAKE PSA Crypto API as described in the specification.
-     This is a partial fix that allows only "client" and "server" identifiers.

ChangeLog.d/fix-oid-to-string-bugs.txt

@@ -1,10 +0,0 @@
-Bugfix
-   * Fix bug in conversion from OID to string in
-     mbedtls_oid_get_numeric_string(). OIDs such as 2.40.0.25 are now printed
-     correctly.
-   * Reject OIDs with overlong-encoded subidentifiers when converting
-     them to a string.
-   * Reject OIDs with subidentifier values exceeding UINT_MAX.  Such
-     subidentifiers can be valid, but Mbed TLS cannot currently handle them.
-   * Reject OIDs that have unterminated subidentifiers, or (equivalently)
-     have the most-significant bit set in their last byte.

ChangeLog.d/fix-overread-in-tls13-debug.txt

@@ -1,3 +0,0 @@
-Security
-   * Fix a potential heap buffer overread in TLS 1.3 client-side when
-     MBEDTLS_DEBUG_C is enabled. This may result in an application crash.

ChangeLog.d/fix-rsaalt-test-guards.txt

@@ -1,3 +0,0 @@
-Bugfix
-   * Fix compile error where MBEDTLS_RSA_C and MBEDTLS_X509_CRT_WRITE_C are
-     defined, but MBEDTLS_PK_RSA_ALT_SUPPORT is not defined. Fixes #3174.

ChangeLog.d/fix_build_for_directory_names_containing_spaces.txt

@@ -1,4 +0,0 @@
-Bugfix
-   * Fix a bug in the build where directory names containing spaces were
-     causing generate_errors.pl to error out resulting in a build failure.
-     Fixes issue #6879.

ChangeLog.d/improve_x509_cert_writing_serial_number_management.txt

@@ -1,19 +0,0 @@
-Bugfix
-   * mbedtls_x509write_crt_set_serial() now explicitly rejects serial numbers
-     whose binary representation is longer than 20 bytes. This was already
-     forbidden by the standard (RFC5280 - section 4.1.2.2) and now it's being
-     enforced also at code level.
-
-New deprecations
-   * mbedtls_x509write_crt_set_serial() is now being deprecated in favor of
-     mbedtls_x509write_crt_set_serial_raw(). The goal here is to remove any
-     direct dependency of X509 on BIGNUM_C.
-
-Changes
-   * programs/x509/cert_write:
-     - now it accepts the serial number in 2 different formats: decimal and
-       hex. They cannot be used simultaneously
-     - "serial" is used for the decimal format and it's limted in size to
-       unsigned long long int
-     - "serial_hex" is used for the hex format; max length here is
-       MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN*2

ChangeLog.d/make_sha224_sha384_independent_from_sha256_sha512.txt

@@ -1,4 +0,0 @@
-Features
-   * SHA224_C/SHA384_C are now independent from SHA384_C/SHA512_C respectively.
-     This helps in saving code size when some of the above hashes are not
-     required.

ChangeLog.d/mbedtls_ecp_point_read_binary-compressed-fmt.txt

@@ -1,6 +0,0 @@
-Features
-   * Add support for reading points in compressed format
-     (MBEDTLS_ECP_PF_COMPRESSED) with mbedtls_ecp_point_read_binary()
-     (and callers) for Short Weierstrass curves with prime p where p = 3 mod 4
-     (all mbedtls MBEDTLS_ECP_DP_SECP* and MBEDTLS_ECP_DP_BP* curves
-      except MBEDTLS_ECP_DP_SECP224R1 and MBEDTLS_ECP_DP_SECP224K1)

ChangeLog.d/mbedtls_ssl_read_undefined_behavior.txt

@@ -1,3 +0,0 @@
-Bugfix
-   * Fix undefined behavior in mbedtls_ssl_read() and mbedtls_ssl_write() if
-     len argument is 0 and buffer is NULL.

ChangeLog.d/mpi-window-perf.txt

@@ -1,7 +0,0 @@
-Changes
-   * Changed the default MBEDTLS_ECP_WINDOW_SIZE from 6 to 2.
-     As tested in issue 6790, the correlation between this define and
-     RSA decryption performance has changed lately due to security fixes.
-     To fix the performance degradation when using default values the
-     window was reduced from 6 to 2, a value that gives the best or close
-     to best results when tested on Cortex-M4 and Intel i7.

ChangeLog.d/pk-sign-restartable.txt

@@ -1,5 +0,0 @@
-Changes
-   * When MBEDTLS_USE_PSA_CRYPTO and MBEDTLS_ECDSA_DETERMINISTIC are both
-     defined, mbedtls_pk_sign() now use deterministic ECDSA for ECDSA
-     signatures. This aligns the behaviour with MBEDTLS_USE_PSA_CRYPTO to
-     the behaviour without it, where deterministic ECDSA was already used.

ChangeLog.d/pk_ext-pss_options-public.txt

@@ -1,4 +0,0 @@
-Bugfix
-   * Make the fields of mbedtls_pk_rsassa_pss_options public. This makes it
-     possible to verify RSA PSS signatures with the pk module, which was
-     inadvertently broken since Mbed TLS 3.0.

ChangeLog.d/pkcs7-parser.txt

@@ -1,15 +0,0 @@
-Features
-   * Added partial support for parsing the PKCS #7 Cryptographic Message
-     Syntax, as defined in RFC 2315. Currently, support is limited to the
-     following:
-     - Only the signed-data content type, version 1 is supported.
-     - Only DER encoding is supported.
-     - Only a single digest algorithm per message is supported.
-     - Certificates must be in X.509 format. A message must have either 0
-       or 1 certificates.
-     - There is no support for certificate revocation lists.
-     - The authenticated and unauthenticated attribute fields of SignerInfo
-       must be empty.
-     Many thanks to Daniel Axtens, Nayna Jain, and Nick Child from IBM for
-     contributing this feature, and to Demi-Marie Obenour for contributing
-     various improvements, tests and bug fixes.

ChangeLog.d/platform-zeroization.txt

@@ -1,3 +0,0 @@
-Security
-  * Use platform-provided secure zeroization function where possible, such as
-    explicit_bzero().

ChangeLog.d/psa-alt-headers.txt

@@ -1,4 +0,0 @@
-Features
-   * The configuration macros MBEDTLS_PSA_CRYPTO_PLATFORM_FILE and
-     MBEDTLS_PSA_CRYPTO_STRUCT_FILE specify alternative locations for
-     the headers "psa/crypto_platform.h" and "psa/crypto_struct.h".

ChangeLog.d/psa-mbedtls-error-translations.txt

@@ -1,6 +0,0 @@
-New deprecations
-   * PSA to mbedtls error translation is now unified in psa_util.h,
-     deprecating mbedtls_md_error_from_psa. Each file that performs error
-     translation should define its own version of PSA_TO_MBEDTLS_ERR,
-     optionally providing file-specific error pairs. Please see psa_util.h for
-     more details.

ChangeLog.d/psa_alg_tls12_ecjpake_to_pms-reject_ka.txt

@@ -1,4 +0,0 @@
-Bugfix
-   * The key derivation algorithm PSA_ALG_TLS12_ECJPAKE_TO_PMS cannot be
-     used on a shared secret from a key agreement since its input must be
-     an ECC public key. Reject this properly.

ChangeLog.d/reduce-cpu-modifiers-to-file-scope.txt

@@ -1,12 +0,0 @@
-Bugfix
-   * Fix an issue when compiling with MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT
-     enabled, which required specifying compiler flags enabling SHA3 Crypto
-     Extensions, where some compilers would emit EOR3 instructions in other
-     modules, which would then fail if run on a CPU without the SHA3
-     extensions. Fixes #5758.
-
-Changes
-   * When enabling MBEDTLS_SHA256_USE_A64_CRYPTO_* or
-     MBEDTLS_SHA512_USE_A64_CRYPTO_*, it is no longer necessary to specify
-     compiler target flags on the command line; the library now sets target
-     options within the appropriate modules.

ChangeLog.d/rsa-padding-accessor.txt

@@ -1,4 +0,0 @@
-Features
-   * Add functions mbedtls_rsa_get_padding_mode() and mbedtls_rsa_get_md_alg()
-     to read non-public fields for padding mode and hash id from
-     an mbedtls_rsa_context, as requested in #6917.

ChangeLog.d/san_csr.txt

@@ -1,2 +0,0 @@
-Features
-   * Add support to include the SubjectAltName extension to a CSR.

ChangeLog.d/san_rfc822Name.txt

@@ -1,3 +0,0 @@
-Features
-   * Add parsing of rfc822Name subtype for subjectAltName
-     extension in x509 certificates.

ChangeLog.d/tls13-only-renegotiation.txt

@@ -1,5 +0,0 @@
-Bugfix
-   * Fix the handling of renegotiation attempts in TLS 1.3. They are now
-     systematically rejected.
-   * Fix an unused-variable warning in TLS 1.3-only builds if
-     MBEDTLS_SSL_RENEGOTIATION was enabled. Fixes #6200.

ChangeLog.d/tls13-reorder-ciphersuite-preference-list.txt

@@ -1,12 +0,0 @@
-Default behavior changes
-   * The default priority order of TLS 1.3 cipher suites has been modified to
-     follow the same rules as the TLS 1.2 cipher suites (see
-     ssl_ciphersuites.c). The preferred cipher suite is now
-     TLS_CHACHA20_POLY1305_SHA256.
-
-Bugfix
-   * In the TLS 1.3 server, select the preferred client cipher suite, not the
-     least preferred. The selection error was introduced in Mbed TLS 3.3.0.
-   * Fix TLS 1.3 session resumption when the established pre-shared key is
-     384 bits long. That is the length of pre-shared keys created under a
-     session where the cipher suite is TLS_AES_256_GCM_SHA384.

ChangeLog.d/vs2013.txt

@@ -1,4 +0,0 @@
-Changes
-  * Visual Studio: Rename the directory containing Visual Studio files from
-    visualc/VS2010 to visualc/VS2013 as we do not support building with versions
-    older than 2013. Update the solution file to specify VS2013 as a minimum.

ChangeLog.d/workaround_gnutls_anti_replay_fail.txt

@@ -1,7 +0,0 @@
-Bugfix
-    * In TLS 1.3, when using a ticket for session resumption, tweak its age
-      calculation on the client side. It prevents a server with more accurate
-      ticket timestamps (typically timestamps in milliseconds) compared to the
-      Mbed TLS ticket timestamps (in seconds) to compute a ticket age smaller
-      than the age computed and transmitted by the client and thus potentially
-      reject the ticket. Fix #6623.

ChangeLog.d/x509-subaltname-ext.txt

@@ -1,5 +0,0 @@
-Bugfix
-   * Fix parsing of X.509 SubjectAlternativeName extension. Previously,
-     malformed alternative name components were not caught during initial
-     certificate parsing, but only on subsequent calls to
-     mbedtls_x509_parse_subject_alt_name(). Fixes #2838.