From 80a81563141959a3b50b7654f270c5a02ce2b694 Mon Sep 17 00:00:00 2001 From: Minos Galanakis Date: Tue, 3 Oct 2023 22:03:50 +0100 Subject: [PATCH] Prepare ChangeLog for 3.5.0 release ``` ./scripts/assemble_changelog.py ``` 
Signed-off-by: Minos Galanakis --- ChangeLog | 286 ++++++++++++++++++ ...ine-PSA_WANT_KEY_TYPE_xxx_KEY_PAIR_yyy.txt | 18 -- ChangeLog.d/MBEDTLS_CIPHER_BLKSIZE_MAX.txt | 13 - .../MBEDTLS_ERR_SSL_CACHE_ENTRY_NOT_FOUND.txt | 4 - .../Switch-pkparse-to-new-pbe-funsctions.txt | 9 - ...509Parse_SignatureKeyId_AuthorityKeyId.txt | 3 - ChangeLog.d/add-aes-128bit-only.txt | 4 - ChangeLog.d/add-aes-hardware-only-option.txt | 6 - ChangeLog.d/add-directoryname-san.txt | 3 - ChangeLog.d/add-getters-for-some-fields.txt | 7 - ChangeLog.d/add-milliseconds-time-api.txt | 5 - ChangeLog.d/add-missing-md-includes.txt | 5 - ChangeLog.d/add-new-pkcs5-pbe2-ext-fun.txt | 7 - ChangeLog.d/add-pbkdf2-cmac.txt | 2 - ChangeLog.d/add-pbkdf2-hmac.txt | 2 - ChangeLog.d/add-psa_want_alg_some_pake.txt | 3 - .../add-rfc822-directoryname-csr-gen.txt | 3 - ChangeLog.d/add-subjectAltName-certs.txt | 6 - ChangeLog.d/aes-perf.txt | 7 - ChangeLog.d/armclang-compile-fix.txt | 7 - ChangeLog.d/basic-uri-verification.txt | 4 - ChangeLog.d/bugfix_iar_typo.txt | 3 - ChangeLog.d/check-set_padding-is-called.txt | 5 - .../cmake-pass-through-config-defines.txt | 3 - ChangeLog.d/config_psa-include-order.txt | 4 - ChangeLog.d/driver-ffdh.txt | 5 - ChangeLog.d/driver-only-ecc.txt | 23 -- ChangeLog.d/driver-only-hashes.txt | 11 - ChangeLog.d/ec_jpake_user_peer_2.txt | 3 - ChangeLog.d/enforce-min-RSA-key-size.txt | 3 - ChangeLog.d/extend-distinguished-names.txt | 3 - ChangeLog.d/extend-pk-opaque-ecc.txt | 6 - ChangeLog.d/ffdh-tls-1-3.txt | 6 - ChangeLog.d/fix-a-few-unchecked-return.txt | 3 - ChangeLog.d/fix-aes-cbc-iv-corruption.txt | 3 - .../fix-crypt_and_hash-decrypt-issue.txt | 4 - ...ls_ecdsa_sign_det_restartable-function.txt | 5 - ChangeLog.d/fix-empty-enum.txt | 3 - ChangeLog.d/fix-hrr-in-psk-kem.txt | 5 - ChangeLog.d/fix-iar-compiler-warnings.txt | 2 - ChangeLog.d/fix-ilp32.txt | 4 - ChangeLog.d/fix-log-level-msg.txt | 2 - ChangeLog.d/fix-string-to-names-retcode.txt | 3 - ChangeLog.d/fix-tfm-build.txt | 5 - 
ChangeLog.d/fix-tls-padbuf-zeroization.txt | 4 - ...terminated-pragma-clang-attribute-push.txt | 4 - ...-on-ecp-curve-optimized-representation.txt | 3 - .../initialize-struct-get-other-name.txt | 8 - ChangeLog.d/inject-entropy.txt | 2 - ...dtls_ecdsa_can_do-unconditional-define.txt | 3 - ChangeLog.d/mbedtls_x509_time.txt | 3 - ChangeLog.d/misc-from-psa-crypto.txt | 3 - ChangeLog.d/oid-parse-from-numeric-string.txt | 3 - ChangeLog.d/p256-m.txt | 5 - ChangeLog.d/padding-ct-changelog.txt | 6 - ChangeLog.d/programs_psa_fix.txt | 3 - ChangeLog.d/psa_crypto_user_config_file.txt | 3 - ChangeLog.d/python3.8.txt | 2 - .../rename_psa_crypto_driver_wrappers.txt | 5 - ChangeLog.d/rfc8410.txt | 3 - ChangeLog.d/safer-ct.txt | 6 - ChangeLog.d/sha3.txt | 3 - ChangeLog.d/sha384-blocksize.txt | 6 - ...-too-small-when-psa-ecc-is-accelerated.txt | 5 - ChangeLog.d/ssl_debug_helpers-stack_usage.txt | 3 - ChangeLog.d/ssl_decrypt_buf-short_record.txt | 3 - ChangeLog.d/ssl_premaster_secret-empty.txt | 3 - ChangeLog.d/tls13-custom-config.txt | 3 - .../tls13-server-version-negotiation.txt | 5 - ChangeLog.d/updated_windows_apis.txt | 9 - ChangeLog.d/use_heap_rsa_signature.txt | 4 - ChangeLog.d/verify-ip-sans-properly.txt | 2 - .../x509-ec-algorithm-identifier-fix.txt | 4 - ChangeLog.d/xxx_psa_peerkey.txt | 8 - 74 files changed, 286 insertions(+), 356 deletions(-) delete mode 100644 ChangeLog.d/Define-PSA_WANT_KEY_TYPE_xxx_KEY_PAIR_yyy.txt delete mode 100644 ChangeLog.d/MBEDTLS_CIPHER_BLKSIZE_MAX.txt delete mode 100644 ChangeLog.d/MBEDTLS_ERR_SSL_CACHE_ENTRY_NOT_FOUND.txt delete mode 100644 ChangeLog.d/Switch-pkparse-to-new-pbe-funsctions.txt delete mode 100644 ChangeLog.d/X509Parse_SignatureKeyId_AuthorityKeyId.txt delete mode 100644 ChangeLog.d/add-aes-128bit-only.txt delete mode 100644 ChangeLog.d/add-aes-hardware-only-option.txt delete mode 100644 ChangeLog.d/add-directoryname-san.txt delete mode 100644 ChangeLog.d/add-getters-for-some-fields.txt delete mode 100644 
ChangeLog.d/add-milliseconds-time-api.txt delete mode 100644 ChangeLog.d/add-missing-md-includes.txt delete mode 100644 ChangeLog.d/add-new-pkcs5-pbe2-ext-fun.txt delete mode 100644 ChangeLog.d/add-pbkdf2-cmac.txt delete mode 100644 ChangeLog.d/add-pbkdf2-hmac.txt delete mode 100644 ChangeLog.d/add-psa_want_alg_some_pake.txt delete mode 100644 ChangeLog.d/add-rfc822-directoryname-csr-gen.txt delete mode 100644 ChangeLog.d/add-subjectAltName-certs.txt delete mode 100644 ChangeLog.d/aes-perf.txt delete mode 100644 ChangeLog.d/armclang-compile-fix.txt delete mode 100644 ChangeLog.d/basic-uri-verification.txt delete mode 100644 ChangeLog.d/bugfix_iar_typo.txt delete mode 100644 ChangeLog.d/check-set_padding-is-called.txt delete mode 100644 ChangeLog.d/cmake-pass-through-config-defines.txt delete mode 100644 ChangeLog.d/config_psa-include-order.txt delete mode 100644 ChangeLog.d/driver-ffdh.txt delete mode 100644 ChangeLog.d/driver-only-ecc.txt delete mode 100644 ChangeLog.d/driver-only-hashes.txt delete mode 100644 ChangeLog.d/ec_jpake_user_peer_2.txt delete mode 100644 ChangeLog.d/enforce-min-RSA-key-size.txt delete mode 100644 ChangeLog.d/extend-distinguished-names.txt delete mode 100644 ChangeLog.d/extend-pk-opaque-ecc.txt delete mode 100644 ChangeLog.d/ffdh-tls-1-3.txt delete mode 100644 ChangeLog.d/fix-a-few-unchecked-return.txt delete mode 100644 ChangeLog.d/fix-aes-cbc-iv-corruption.txt delete mode 100644 ChangeLog.d/fix-crypt_and_hash-decrypt-issue.txt delete mode 100644 ChangeLog.d/fix-declaration-of-mbedtls_ecdsa_sign_det_restartable-function.txt delete mode 100644 ChangeLog.d/fix-empty-enum.txt delete mode 100644 ChangeLog.d/fix-hrr-in-psk-kem.txt delete mode 100644 ChangeLog.d/fix-iar-compiler-warnings.txt delete mode 100644 ChangeLog.d/fix-ilp32.txt delete mode 100644 ChangeLog.d/fix-log-level-msg.txt delete mode 100644 ChangeLog.d/fix-string-to-names-retcode.txt delete mode 100644 ChangeLog.d/fix-tfm-build.txt delete mode 100644 
ChangeLog.d/fix-tls-padbuf-zeroization.txt delete mode 100644 ChangeLog.d/fix-unterminated-pragma-clang-attribute-push.txt delete mode 100644 ChangeLog.d/improve-doc-on-ecp-curve-optimized-representation.txt delete mode 100644 ChangeLog.d/initialize-struct-get-other-name.txt delete mode 100644 ChangeLog.d/inject-entropy.txt delete mode 100644 ChangeLog.d/mbedtls_ecdsa_can_do-unconditional-define.txt delete mode 100644 ChangeLog.d/mbedtls_x509_time.txt delete mode 100644 ChangeLog.d/misc-from-psa-crypto.txt delete mode 100644 ChangeLog.d/oid-parse-from-numeric-string.txt delete mode 100644 ChangeLog.d/p256-m.txt delete mode 100644 ChangeLog.d/padding-ct-changelog.txt delete mode 100644 ChangeLog.d/programs_psa_fix.txt delete mode 100644 ChangeLog.d/psa_crypto_user_config_file.txt delete mode 100644 ChangeLog.d/python3.8.txt delete mode 100644 ChangeLog.d/rename_psa_crypto_driver_wrappers.txt delete mode 100644 ChangeLog.d/rfc8410.txt delete mode 100644 ChangeLog.d/safer-ct.txt delete mode 100644 ChangeLog.d/sha3.txt delete mode 100644 ChangeLog.d/sha384-blocksize.txt delete mode 100644 ChangeLog.d/some-max-size-macro-are-too-small-when-psa-ecc-is-accelerated.txt delete mode 100644 ChangeLog.d/ssl_debug_helpers-stack_usage.txt delete mode 100644 ChangeLog.d/ssl_decrypt_buf-short_record.txt delete mode 100644 ChangeLog.d/ssl_premaster_secret-empty.txt delete mode 100644 ChangeLog.d/tls13-custom-config.txt delete mode 100644 ChangeLog.d/tls13-server-version-negotiation.txt delete mode 100644 ChangeLog.d/updated_windows_apis.txt delete mode 100644 ChangeLog.d/use_heap_rsa_signature.txt delete mode 100644 ChangeLog.d/verify-ip-sans-properly.txt delete mode 100644 ChangeLog.d/x509-ec-algorithm-identifier-fix.txt delete mode 100644 ChangeLog.d/xxx_psa_peerkey.txt diff --git a/ChangeLog b/ChangeLog index bc1d32e4d..1758e7d37 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -1,5 +1,291 @@
 Mbed TLS ChangeLog (Sorted per branch, date)
 
+= Mbed TLS x.x.x branch released xxxx-xx-xx
+
+API changes
+ * Mbed TLS 3.4 introduced support for omitting the built-in implementation
+ of ECDSA and/or EC J-PAKE when those are provided by a driver. However,
+ their was a flaw in the logic checking if the built-in implementation, in
+ that if failed to check if all the relevant curves were supported by the
+ accelerator. As a result, it was possible to declare no curves as
+ accelerated and still have the built-in implementation compiled out.
+ Starting with this release, it is necessary to declare which curves are
+ accelerated (using MBEDTLS_PSA_ACCEL_ECC_xxx macros), or they will be
+ considered not accelerated, and the built-in implementation of the curves
+ and any algorithm possible using them will be included in the build.
+ * Add new millisecond time type `mbedtls_ms_time_t` and `mbedtls_ms_time()`
+ function, needed for TLS 1.3 ticket lifetimes. Alternative implementations
+ can be created using an ALT interface.
+
+Requirement changes
+ * Officially require Python 3.8 now that earlier versions are out of support.
+ * Minimum required Windows version is now Windows Vista, or
+ Windows Server 2008.
+
+New deprecations
+ * PSA_WANT_KEY_TYPE_xxx_KEY_PAIR and
+ MBEDTLS_PSA_ACCEL_KEY_TYPE_xxx_KEY_PAIR, where xxx is either ECC or RSA,
+ are now being deprecated in favor of PSA_WANT_KEY_TYPE_xxx_KEY_PAIR_yyy and
+ MBEDTLS_PSA_ACCEL_KEY_TYPE_xxx_KEY_PAIR_yyy. Here yyy can be: BASIC,
+ IMPORT, EXPORT, GENERATE, DERIVE. The goal is to have a finer detail about
+ the capabilities of the PSA side for either key.
+ * MBEDTLS_CIPHER_BLKSIZE_MAX is deprecated in favor of
+ MBEDTLS_MAX_BLOCK_LENGTH (if you intended what the name suggests:
+ maximum size of any supported block cipher) or the new name
+ MBEDTLS_CMAC_MAX_BLOCK_SIZE (if you intended the actual semantics:
+ maximum size of a block cipher supported by the CMAC module).
+ * mbedtls_pkcs5_pbes2() and mbedtls_pkcs12_pbe() functions are now
+ deprecated in favor of mbedtls_pkcs5_pbes2_ext() and
+ mbedtls_pkcs12_pbe_ext() as they offer more security by checking
+ for overflow of the output buffer and reporting the actual length
+ of the output.
+
+Features
+ * All modules that use hashes or HMAC can now take advantage of PSA Crypto
+ drivers when MBEDTLS_PSA_CRYPTO_C is enabled and psa_crypto_init() has
+ been called. Previously (in 3.3), this was restricted to a few modules,
+ and only in builds where MBEDTLS_MD_C was disabled; in particular the
+ entropy module was not covered which meant an external RNG had to be
+ provided - these limitations are lifted in this version. A new set of
+ feature macros, MBEDTLS_MD_CAN_xxx, has been introduced that can be used
+ to check for availability of hash algorithms, regardless of whether
+ they're provided by a built-in implementation, a driver or both. See
+ docs/driver-only-builds.md.
+ * When a PSA driver for ECDH is present, it is now possible to disable
+ MBEDTLS_ECDH_C in the build in order to save code size. For TLS 1.2
+ key exchanges based on ECDH(E) to work, this requires
+ MBEDTLS_USE_PSA_CRYPTO. Restartable/interruptible ECDHE operations in
+ TLS 1.2 (ECDHE-ECDSA key exchange) are not supported in those builds yet,
+ as PSA does not have an API for restartable ECDH yet.
+ * When all of ECDH, ECDSA and EC J-PAKE are either disabled or provided by
+ a driver, it is possible to disable MBEDTLS_ECP_C (and MBEDTLS_BIGNUM_C
+ if not required by another module) and still get support for ECC keys and
+ algorithms in PSA, with some limitations. See docs/driver-only-builds.txt
+ for details.
+ * Add parsing of directoryName subtype for subjectAltName extension in
+ x509 certificates.
+ * Add support for server-side TLS version negotiation. If both TLS 1.2 and
+ TLS 1.3 protocols are enabled, the TLS server now selects TLS 1.2 or
+ TLS 1.3 depending on the capabilities and preferences of TLS clients.
+ Fixes #6867.
+ * X.509 hostname verification now supports IPAddress Subject Alternate Names.
+ * Add support for reading and writing X25519 and X448
+ public and private keys in RFC 8410 format using the existing PK APIs.
+ * When parsing X.509 certificates, support the extensions
+ SignatureKeyIdentifier and AuthorityKeyIdentifier.
+ * Don't include the PSA dispatch functions for PAKEs (psa_pake_setup() etc)
+ if no PAKE algorithms are requested
+ * Add support for the FFDH algorithm and DH key types in PSA, with
+ parameters from RFC 7919. This includes a built-in implementation based
+ on MBEDTLS_BIGNUM_C, and a driver dispatch layer enabling alternative
+ implementations of FFDH through the driver entry points.
+ * It is now possible to generate certificates with SubjectAltNames.
+ Currently supported subtypes: DnsName, UniformResourceIdentifier,
+ IP address, OtherName, and DirectoryName, as defined in RFC 5280.
+ See mbedtls_x509write_crt_set_subject_alternative_name for
+ more information.
+ * X.509 hostname verification now partially supports URI Subject Alternate
+ Names. Only exact matching, without any normalization procedures
+ described in 7.4 of RFC5280, will result in a positive URI verification.
+ * Add function mbedtls_oid_from_numeric_string() to parse an OID from a
+ string to a DER-encoded mbedtls_asn1_buf.
+ * Add SHA-3 family hash functions.
+ * Add support to restrict AES to 128-bit keys in order to save code size.
+ A new configuration option, MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH, can be
+ used to enable this feature.
+ * AES performance improvements. Uplift varies by platform,
+ toolchain, optimisation flags and mode.
+ Aarch64, gcc -Os and CCM, GCM and XTS benefit the most.
+ On Aarch64, uplift is typically around 20 - 110%.
+ When compiling with gcc -Os on Aarch64, AES-XTS improves
+ by 4.5x.
+ * Add support for PBKDF2-HMAC through the PSA API.
+ * New symbols PSA_WANT_KEY_TYPE_xxx_KEY_PAIR_yyy and
+ MBEDTLS_PSA_ACCEL_KEY_TYPE_xxx_KEY_PAIR_yyy (where xxx is either ECC, RSA
+ or DH) were introduced in order to have finer accuracy in defining the
+ PSA capabilities for each key. These capabilities, named yyy above, can be
+ any of: BASIC, IMPORT, EXPORT, GENERATE, DERIVE.
+ - DERIVE is only available for ECC keys, not for RSA or DH ones.
+ - implementations are free to enable more than what it was strictly
+ requested. For example BASIC internally enables IMPORT and EXPORT
+ (useful for testing purposes), but this might change in the future.
+ * Add support for FFDH key exchange in TLS 1.3.
+ This is automatically enabled as soon as PSA_WANT_ALG_FFDH
+ and the ephemeral or psk-ephemeral key exchange mode are enabled.
+ By default, all groups are offered; the list of groups can be
+ configured using the existing API function mbedtls_ssl_conf_groups().
+ * Improve mbedtls_x509_time performance and reduce memory use.
+ * Reduce syscalls to time() during certificate verification.
+ * Allow MBEDTLS_CONFIG_FILE and MBEDTLS_USER_CONFIG_FILE to be set by
+ setting the CMake variable of the same name at configuration time.
+ * Add getter (mbedtls_ssl_cache_get_timeout()) to access
+ `mbedtls_ssl_cache_context.timeout`.
+ * Add getter (mbedtls_ssl_get_hostname()) to access
+ `mbedtls_ssl_context.hostname`.
+ * Add getter (mbedtls_ssl_conf_get_endpoint()) to access
+ `mbedtls_ssl_config.endpoint`.
+ * Support for "opaque" (PSA-held) ECC keys in the PK module has been
+ extended: it is now possible to use mbedtls_pk_write_key_der(),
+ mbedtls_pk_write_key_pem(), mbedtls_pk_check_pair(), and
+ mbedtls_pk_verify() with opaque ECC keys (provided the PSA attributes
+ allow it).
+ * The documentation of mbedtls_ecp_group now describes the optimized
+ representation of A for some curves. Fixes #8045.
+ * Add a possibility to generate CSR's with RCF822 and directoryName subtype
+ of subjectAltName extension in x509 certificates.
+ * Add support for PBKDF2-CMAC through the PSA API.
+ * New configuration option MBEDTLS_AES_USE_HARDWARE_ONLY introduced. When
+ using CPU-accelerated AES (e.g., Arm Crypto Extensions), this option
+ disables the plain C implementation and the run-time detection for the
+ CPU feature, which reduces code size and avoids the vulnerability of the
+ plain C implementation.
+ * Accept arbitrary AttributeType and AttributeValue in certificate
+ Distinguished Names using RFC 4514 syntax.
+ * Applications using ECC over secp256r1 through the PSA API can use a
+ new implementation with a much smaller footprint, but some minor
+ usage restrictions. See the documentation of the new configuration
+ option MBEDTLS_PSA_P256M_DRIVER_ENABLED for details.
+
+Security
+ * Fix a case where potentially sensitive information held in memory would not
+ be completely zeroized during TLS 1.2 handshake, in both server and client
+ configurations.
+ * In configurations with ARIA or Camellia but not AES, the value of
+ MBEDTLS_CIPHER_BLKSIZE_MAX was 8, rather than 16 as the name might
+ suggest. This did not affect any library code, because this macro was
+ only used in relation with CMAC which does not support these ciphers.
+ This may affect application code that uses this macro.
+ * Developers using mbedtls_pkcs5_pbes2() or mbedtls_pkcs12_pbe() should
+ review the size of the output buffer passed to this function, and note
+ that the output after decryption may include CBC padding. Consider moving
+ to the new functions mbedtls_pkcs5_pbes2_ext() or mbedtls_pkcs12_pbe_ext()
+ which checks for overflow of the output buffer and reports the actual
+ length of the output.
+ * Improve padding calculations in CBC decryption, NIST key unwrapping and
+ RSA OAEP decryption. With the previous implementation, some compilers
+ (notably recent versions of Clang and IAR) could produce non-constant
+ time code, which could allow a padding oracle attack if the attacker
+ has access to precise timing measurements.
+ * Updates to constant-time C code so that compilers are less likely to use
+ conditional instructions, which can have an observable difference in
+ timing. (Clang has been seen to do this.) Also introduce assembly
+ implementations for 32- and 64-bit Arm and for x86 and x86-64, which are
+ guaranteed not to use conditional instructions.
+ * Fix definition of MBEDTLS_MD_MAX_BLOCK_SIZE, which was too
+ small when MBEDTLS_SHA384_C was defined and MBEDTLS_SHA512_C was
+ undefined. Mbed TLS itself was unaffected by this, but user code
+ which used MBEDTLS_MD_MAX_BLOCK_SIZE could be affected. The only
+ release containing this bug was Mbed TLS 3.4.0.
+ * Fix a buffer overread when parsing short TLS application data records in
+ null-cipher cipher suites. Credit to OSS-Fuzz.
+ * Fix a remotely exploitable heap buffer overflow in TLS handshake parsing.
+ In TLS 1.3, all configurations are affected except PSK-only ones, and
+ both clients and servers are affected.
+ In TLS 1.2, the affected configurations are those with
+ MBEDTLS_USE_PSA_CRYPTO and ECDH enabled but DHM and RSA disabled,
+ and only servers are affected, not clients.
+ Credit to OSS-Fuzz.
+
+Bugfix
+ * Fix proper sizing for PSA_EXPORT_[KEY_PAIR/PUBLIC_KEY]_MAX_SIZE and
+ PSA_SIGNATURE_MAX_SIZE buffers when at least one accelerated EC is bigger
+ than all built-in ones and RSA is disabled.
+ Resolves #6622.
+ * Add missing md.h includes to some of the external programs from
+ the programs directory. Without this, even though the configuration
+ was sufficient for a particular program to work, it would only print
+ a message that one of the required defines is missing.
+ * Fix declaration of mbedtls_ecdsa_sign_det_restartable() function
+ in the ecdsa.h header file. There was a build warning when the
+ configuration macro MBEDTLS_ECDSA_SIGN_ALT was defined.
+ Resolves #7407.
+ * Fix an error when MBEDTLS_ECDSA_SIGN_ALT is defined but not
+ MBEDTLS_ECDSA_VERIFY_ALT, causing ecdsa verify to fail. Fixes #7498.
+ * Fix missing PSA initialization in sample programs when
+ MBEDTLS_USE_PSA_CRYPTO is enabled.
+ * Fix the J-PAKE driver interface for user and peer to accept any values
+ (previously accepted values were limited to "client" or "server").
+ * Fix clang and armclang compilation error when targeting certain Arm
+ M-class CPUs (Cortex-M0, Cortex-M0+, Cortex-M1, Cortex-M23,
+ SecurCore SC000). Fixes #1077.
+ * Fix "unterminated '#pragma clang attribute push'" in sha256/sha512.c when
+ built with MBEDTLS_SHAxxx_USE_A64_CRYPTO_IF_PRESENT but don't have a
+ way to detect the crypto extensions required. A warning is still issued.
+ * Fixed an issue that caused compile errors when using CMake and the IAR
+ toolchain.
+ * Fix very high stack usage in SSL debug code. Reported by Maximilian
+ Gerhardt in #7804.
+ * Fix a compilation failure in the constant_time module when
+ building for arm64_32 (e.g., for watchos). Reported by Paulo
+ Coutinho in #7787.
+ * Fix crypt_and_hash decryption fail when used with a stream cipher
+ mode of operation due to the input not being multiple of block size.
+ Resolves #7417.
+ * Fix a bug in which mbedtls_x509_string_to_names() would return success
+ when given a invalid name string if it did not contain '=' or ','.
+ * Fix compilation warnings in aes.c, which prevented the
+ example TF-M configuration in configs/ from building cleanly:
+ tfm_mbedcrypto_config_profile_medium.h with
+ crypto_config_profile_medium.h.
+ * In TLS 1.3, fix handshake failure when a client in its ClientHello
+ proposes an handshake based on PSK only key exchange mode or at least
+ one of the key exchange modes using ephemeral keys to a server that
+ supports only the PSK key exchange mode.
+ * Fix CCM* with no tag being not supported in a build with CCM as the only
+ symmetric encryption algorithm and the PSA configuration enabled.
+ * Fix the build with MBEDTLS_PSA_INJECT_ENTROPY. Fixes #7516.
+ * Fix a compilation error on some platforms when including mbedtls/ssl.h
+ with all TLS support disabled. Fixes #6628.
+ * Fix x509 certificate generation to conform to RFC 5480 / RFC 5758 when
+ using ECC key. The certificate was rejected by some crypto frameworks.
+ Fixes #2924.
+ * Fix a potential corruption of the passed-in IV when mbedtls_aes_crypt_cbc()
+ is called with zero length and padlock is not enabled.
+ * Fix compile failure due to empty enum in cipher_wrap.c, when building
+ with a very minimal configuration. Fixes #7625.
+ * Fix some cases where mbedtls_mpi_mod_exp, RSA key construction or ECDSA
+ signature can silently return an incorrect result in low memory conditions.
+ * Don't try to include MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE when
+ MBEDTLS_PSA_CRYPTO_CONFIG is disabled.
+ * Fix IAR compiler warnings.
+ * Fix an issue when parsing an otherName subject alternative name into a
+ mbedtls_x509_san_other_name struct. The type-id of the otherName was not
+ copied to the struct. This meant that the struct had incomplete
+ information about the otherName SAN and contained uninitialized memory.
+ * Fix the detection of HardwareModuleName otherName SANs. These were being
+ detected by comparing the wrong field and the check was erroneously
+ inverted.
+ * Fix a build error in some configurations with MBEDTLS_PSA_CRYPTO_CONFIG
+ enabled, where some low-level modules required by requested PSA crypto
+ features were not getting automatically enabled. Fixes #7420.
+ * Fix undefined symbols in some builds using TLS 1.3 with a custom
+ configuration file.
+ * Fix log level for the got supported group message. Fixes #6765
+ * Functions in the ssl_cache module now return a negative MBEDTLS_ERR_xxx
+ error code on failure. Before, they returned 1 to indicate failure in
+ some cases involving a missing entry or a full cache.
+ * mbedtls_pk_parse_key() now rejects trailing garbage in encrypted keys.
+
+Changes
+ * Enable Arm / Thumb bignum assembly for most Arm platforms when
+ compiling with gcc, clang or armclang and -O0.
+ * Enforce minimum RSA key size when generating a key
+ to avoid accidental misuse.
+ * Use heap memory to allocate DER encoded RSA private key.
+ This reduces stack usage significantly for RSA signature
+ operations when MBEDTLS_PSA_CRYPTO_C is defined.
+ * Update Windows code to use BCryptGenRandom and wcslen, and
+ ensure that conversions between size_t, ULONG, and int are
+ always done safely. Original contribution by Kevin Kane #635, #730
+ followed by Simon Butcher #1453.
+ * Users intergrating their own PSA drivers should be aware that
+ the file library/psa_crypto_driver_wrappers.c has been renamed
+ to psa_crypto_driver_wrappers_no_static.c.
+ * When using CBC with the cipher module, the requirement to call
+ mbedtls_cipher_set_padding_mode() is now enforced. Previously, omitting
+ this call accidentally applied a default padding mode chosen at compile
+ time.
+
 = Mbed TLS 3.4.1 branch released 2023-08-04
 
 Bugfix
diff --git a/ChangeLog.d/Define-PSA_WANT_KEY_TYPE_xxx_KEY_PAIR_yyy.txt b/ChangeLog.d/Define-PSA_WANT_KEY_TYPE_xxx_KEY_PAIR_yyy.txt
deleted file mode 100644
index 014eec657..000000000
--- a/ChangeLog.d/Define-PSA_WANT_KEY_TYPE_xxx_KEY_PAIR_yyy.txt
+++ /dev/null
@@ -1,18 +0,0 @@
-New deprecations
- * PSA_WANT_KEY_TYPE_xxx_KEY_PAIR and
- MBEDTLS_PSA_ACCEL_KEY_TYPE_xxx_KEY_PAIR, where xxx is either ECC or RSA,
- are now being deprecated in favor of PSA_WANT_KEY_TYPE_xxx_KEY_PAIR_yyy and
- MBEDTLS_PSA_ACCEL_KEY_TYPE_xxx_KEY_PAIR_yyy. Here yyy can be: BASIC,
- IMPORT, EXPORT, GENERATE, DERIVE. The goal is to have a finer detail about
- the capabilities of the PSA side for either key.
-
-Features
- * New symbols PSA_WANT_KEY_TYPE_xxx_KEY_PAIR_yyy and
- MBEDTLS_PSA_ACCEL_KEY_TYPE_xxx_KEY_PAIR_yyy (where xxx is either ECC, RSA
- or DH) were introduced in order to have finer accuracy in defining the
- PSA capabilities for each key. These capabilities, named yyy above, can be
- any of: BASIC, IMPORT, EXPORT, GENERATE, DERIVE.
- - DERIVE is only available for ECC keys, not for RSA or DH ones.
- - implementations are free to enable more than what it was strictly
- requested. For example BASIC internally enables IMPORT and EXPORT
- (useful for testing purposes), but this might change in the future.
diff --git a/ChangeLog.d/MBEDTLS_CIPHER_BLKSIZE_MAX.txt b/ChangeLog.d/MBEDTLS_CIPHER_BLKSIZE_MAX.txt
deleted file mode 100644
index e4e564cdb..000000000
--- a/ChangeLog.d/MBEDTLS_CIPHER_BLKSIZE_MAX.txt
+++ /dev/null
@@ -1,13 +0,0 @@
-New deprecations
- * MBEDTLS_CIPHER_BLKSIZE_MAX is deprecated in favor of
- MBEDTLS_MAX_BLOCK_LENGTH (if you intended what the name suggests:
- maximum size of any supported block cipher) or the new name
- MBEDTLS_CMAC_MAX_BLOCK_SIZE (if you intended the actual semantics:
- maximum size of a block cipher supported by the CMAC module).
-
-Security
- * In configurations with ARIA or Camellia but not AES, the value of
- MBEDTLS_CIPHER_BLKSIZE_MAX was 8, rather than 16 as the name might
- suggest. This did not affect any library code, because this macro was
- only used in relation with CMAC which does not support these ciphers.
- This may affect application code that uses this macro.
diff --git a/ChangeLog.d/MBEDTLS_ERR_SSL_CACHE_ENTRY_NOT_FOUND.txt b/ChangeLog.d/MBEDTLS_ERR_SSL_CACHE_ENTRY_NOT_FOUND.txt
deleted file mode 100644
index 6f091bb9f..000000000
--- a/ChangeLog.d/MBEDTLS_ERR_SSL_CACHE_ENTRY_NOT_FOUND.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Bugfix
- * Functions in the ssl_cache module now return a negative MBEDTLS_ERR_xxx
- error code on failure. Before, they returned 1 to indicate failure in
- some cases involving a missing entry or a full cache.
diff --git a/ChangeLog.d/Switch-pkparse-to-new-pbe-funsctions.txt b/ChangeLog.d/Switch-pkparse-to-new-pbe-funsctions.txt
deleted file mode 100644
index d819e8293..000000000
--- a/ChangeLog.d/Switch-pkparse-to-new-pbe-funsctions.txt
+++ /dev/null
@@ -1,9 +0,0 @@
-New deprecations
- * mbedtls_pkcs5_pbes2() and mbedtls_pkcs12_pbe() functions are now
- deprecated in favor of mbedtls_pkcs5_pbes2_ext() and
- mbedtls_pkcs12_pbe_ext() as they offer more security by checking
- for overflow of the output buffer and reporting the actual length
- of the output.
-
-Bugfix
- * mbedtls_pk_parse_key() now rejects trailing garbage in encrypted keys.
diff --git a/ChangeLog.d/X509Parse_SignatureKeyId_AuthorityKeyId.txt b/ChangeLog.d/X509Parse_SignatureKeyId_AuthorityKeyId.txt
deleted file mode 100644
index 9aa3ff91d..000000000
--- a/ChangeLog.d/X509Parse_SignatureKeyId_AuthorityKeyId.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Features
- * When parsing X.509 certificates, support the extensions
- SignatureKeyIdentifier and AuthorityKeyIdentifier.
diff --git a/ChangeLog.d/add-aes-128bit-only.txt b/ChangeLog.d/add-aes-128bit-only.txt
deleted file mode 100644
index b080cac5e..000000000
--- a/ChangeLog.d/add-aes-128bit-only.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Features
- * Add support to restrict AES to 128-bit keys in order to save code size.
- A new configuration option, MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH, can be
- used to enable this feature.
diff --git a/ChangeLog.d/add-aes-hardware-only-option.txt b/ChangeLog.d/add-aes-hardware-only-option.txt
deleted file mode 100644
index a185aff2a..000000000
--- a/ChangeLog.d/add-aes-hardware-only-option.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-Features
- * New configuration option MBEDTLS_AES_USE_HARDWARE_ONLY introduced. When
- using CPU-accelerated AES (e.g., Arm Crypto Extensions), this option
- disables the plain C implementation and the run-time detection for the
- CPU feature, which reduces code size and avoids the vulnerability of the
- plain C implementation.
diff --git a/ChangeLog.d/add-directoryname-san.txt b/ChangeLog.d/add-directoryname-san.txt
deleted file mode 100644
index e11629878..000000000
--- a/ChangeLog.d/add-directoryname-san.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Features
- * Add parsing of directoryName subtype for subjectAltName extension in
- x509 certificates.
diff --git a/ChangeLog.d/add-getters-for-some-fields.txt b/ChangeLog.d/add-getters-for-some-fields.txt
deleted file mode 100644
index 6a6fbad67..000000000
--- a/ChangeLog.d/add-getters-for-some-fields.txt
+++ /dev/null
@@ -1,7 +0,0 @@
-Features
- * Add getter (mbedtls_ssl_cache_get_timeout()) to access
- `mbedtls_ssl_cache_context.timeout`.
- * Add getter (mbedtls_ssl_get_hostname()) to access
- `mbedtls_ssl_context.hostname`.
- * Add getter (mbedtls_ssl_conf_get_endpoint()) to access
- `mbedtls_ssl_config.endpoint`.
diff --git a/ChangeLog.d/add-milliseconds-time-api.txt b/ChangeLog.d/add-milliseconds-time-api.txt
deleted file mode 100644
index d9e939fad..000000000
--- a/ChangeLog.d/add-milliseconds-time-api.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-API changes
- * Add new millisecond time type `mbedtls_ms_time_t` and `mbedtls_ms_time()`
- function, needed for TLS 1.3 ticket lifetimes. Alternative implementations
- can be created using an ALT interface.
-
diff --git a/ChangeLog.d/add-missing-md-includes.txt b/ChangeLog.d/add-missing-md-includes.txt
deleted file mode 100644
index 408c3615e..000000000
--- a/ChangeLog.d/add-missing-md-includes.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Bugfix
- * Add missing md.h includes to some of the external programs from
- the programs directory. Without this, even though the configuration
- was sufficient for a particular program to work, it would only print
- a message that one of the required defines is missing.
diff --git a/ChangeLog.d/add-new-pkcs5-pbe2-ext-fun.txt b/ChangeLog.d/add-new-pkcs5-pbe2-ext-fun.txt
deleted file mode 100644
index f2e7a4a2c..000000000
--- a/ChangeLog.d/add-new-pkcs5-pbe2-ext-fun.txt
+++ /dev/null
@@ -1,7 +0,0 @@
-Security
- * Developers using mbedtls_pkcs5_pbes2() or mbedtls_pkcs12_pbe() should
- review the size of the output buffer passed to this function, and note
- that the output after decryption may include CBC padding. Consider moving
- to the new functions mbedtls_pkcs5_pbes2_ext() or mbedtls_pkcs12_pbe_ext()
- which checks for overflow of the output buffer and reports the actual
- length of the output.
diff --git a/ChangeLog.d/add-pbkdf2-cmac.txt b/ChangeLog.d/add-pbkdf2-cmac.txt
deleted file mode 100644
index 0ed84ea51..000000000
--- a/ChangeLog.d/add-pbkdf2-cmac.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-Features
- * Add support for PBKDF2-CMAC through the PSA API.
diff --git a/ChangeLog.d/add-pbkdf2-hmac.txt b/ChangeLog.d/add-pbkdf2-hmac.txt
deleted file mode 100644
index 2708098a3..000000000
--- a/ChangeLog.d/add-pbkdf2-hmac.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-Features
- * Add support for PBKDF2-HMAC through the PSA API.
diff --git a/ChangeLog.d/add-psa_want_alg_some_pake.txt b/ChangeLog.d/add-psa_want_alg_some_pake.txt
deleted file mode 100644
index 00b3002b6..000000000
--- a/ChangeLog.d/add-psa_want_alg_some_pake.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Features
- * Don't include the PSA dispatch functions for PAKEs (psa_pake_setup() etc)
- if no PAKE algorithms are requested
diff --git a/ChangeLog.d/add-rfc822-directoryname-csr-gen.txt b/ChangeLog.d/add-rfc822-directoryname-csr-gen.txt
deleted file mode 100644
index ff8693c40..000000000
--- a/ChangeLog.d/add-rfc822-directoryname-csr-gen.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Features
- * Add a possibility to generate CSR's with RCF822 and directoryName subtype
- of subjectAltName extension in x509 certificates.
diff --git a/ChangeLog.d/add-subjectAltName-certs.txt b/ChangeLog.d/add-subjectAltName-certs.txt
deleted file mode 100644
index 487e5c656..000000000
--- a/ChangeLog.d/add-subjectAltName-certs.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-Features
- * It is now possible to generate certificates with SubjectAltNames.
- Currently supported subtypes: DnsName, UniformResourceIdentifier,
- IP address, OtherName, and DirectoryName, as defined in RFC 5280.
- See mbedtls_x509write_crt_set_subject_alternative_name for
- more information.
diff --git a/ChangeLog.d/aes-perf.txt b/ChangeLog.d/aes-perf.txt
deleted file mode 100644
index ab716bce8..000000000
--- a/ChangeLog.d/aes-perf.txt
+++ /dev/null
@@ -1,7 +0,0 @@
-Features
- * AES performance improvements. Uplift varies by platform,
- toolchain, optimisation flags and mode.
- Aarch64, gcc -Os and CCM, GCM and XTS benefit the most.
- On Aarch64, uplift is typically around 20 - 110%.
- When compiling with gcc -Os on Aarch64, AES-XTS improves
- by 4.5x.
diff --git a/ChangeLog.d/armclang-compile-fix.txt b/ChangeLog.d/armclang-compile-fix.txt
deleted file mode 100644
index 59ae1cd9d..000000000
--- a/ChangeLog.d/armclang-compile-fix.txt
+++ /dev/null
@@ -1,7 +0,0 @@
-Bugfix
- * Fix clang and armclang compilation error when targeting certain Arm
- M-class CPUs (Cortex-M0, Cortex-M0+, Cortex-M1, Cortex-M23,
- SecurCore SC000). Fixes #1077.
-Changes
- * Enable Arm / Thumb bignum assembly for most Arm platforms when
- compiling with gcc, clang or armclang and -O0.
diff --git a/ChangeLog.d/basic-uri-verification.txt b/ChangeLog.d/basic-uri-verification.txt
deleted file mode 100644
index aa039ea29..000000000
--- a/ChangeLog.d/basic-uri-verification.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Features
- * X.509 hostname verification now partially supports URI Subject Alternate
- Names. Only exact matching, without any normalization procedures
- described in 7.4 of RFC5280, will result in a positive URI verification.
diff --git a/ChangeLog.d/bugfix_iar_typo.txt b/ChangeLog.d/bugfix_iar_typo.txt
deleted file mode 100644
index 95f97b1cb..000000000
--- a/ChangeLog.d/bugfix_iar_typo.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Bugfix
- * Fixed an issue that caused compile errors when using CMake and the IAR
- toolchain.
diff --git a/ChangeLog.d/check-set_padding-is-called.txt b/ChangeLog.d/check-set_padding-is-called.txt
deleted file mode 100644
index 2c26de89f..000000000
--- a/ChangeLog.d/check-set_padding-is-called.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Changes
- * When using CBC with the cipher module, the requirement to call
- mbedtls_cipher_set_padding_mode() is now enforced. Previously, omitting
- this call accidentally applied a default padding mode chosen at compile
- time.
diff --git a/ChangeLog.d/cmake-pass-through-config-defines.txt b/ChangeLog.d/cmake-pass-through-config-defines.txt
deleted file mode 100644
index 6122f37d2..000000000
--- a/ChangeLog.d/cmake-pass-through-config-defines.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Features
- * Allow MBEDTLS_CONFIG_FILE and MBEDTLS_USER_CONFIG_FILE to be set by
- setting the CMake variable of the same name at configuration time.
diff --git a/ChangeLog.d/config_psa-include-order.txt b/ChangeLog.d/config_psa-include-order.txt
deleted file mode 100644
index 674c28653..000000000
--- a/ChangeLog.d/config_psa-include-order.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Bugfix
- * Fix a build error in some configurations with MBEDTLS_PSA_CRYPTO_CONFIG
- enabled, where some low-level modules required by requested PSA crypto
- features were not getting automatically enabled. Fixes #7420.
diff --git a/ChangeLog.d/driver-ffdh.txt b/ChangeLog.d/driver-ffdh.txt
deleted file mode 100644
index a9fa6414e..000000000
--- a/ChangeLog.d/driver-ffdh.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Features
- * Add support for the FFDH algorithm and DH key types in PSA, with
- parameters from RFC 7919. This includes a built-in implementation based
- on MBEDTLS_BIGNUM_C, and a driver dispatch layer enabling alternative
- implementations of FFDH through the driver entry points.
diff --git a/ChangeLog.d/driver-only-ecc.txt b/ChangeLog.d/driver-only-ecc.txt
deleted file mode 100644
index 887808511..000000000
--- a/ChangeLog.d/driver-only-ecc.txt
+++ /dev/null
@@ -1,23 +0,0 @@
-Features
- * When a PSA driver for ECDH is present, it is now possible to disable
- MBEDTLS_ECDH_C in the build in order to save code size. For TLS 1.2
- key exchanges based on ECDH(E) to work, this requires
- MBEDTLS_USE_PSA_CRYPTO. Restartable/interruptible ECDHE operations in
- TLS 1.2 (ECDHE-ECDSA key exchange) are not supported in those builds yet,
- as PSA does not have an API for restartable ECDH yet.
- * When all of ECDH, ECDSA and EC J-PAKE are either disabled or provided by
- a driver, it is possible to disable MBEDTLS_ECP_C (and MBEDTLS_BIGNUM_C
- if not required by another module) and still get support for ECC keys and
- algorithms in PSA, with some limitations. See docs/driver-only-builds.txt
- for details.
-API changes
- * Mbed TLS 3.4 introduced support for omitting the built-in implementation
- of ECDSA and/or EC J-PAKE when those are provided by a driver. However,
- their was a flaw in the logic checking if the built-in implementation, in
- that if failed to check if all the relevant curves were supported by the
- accelerator. As a result, it was possible to declare no curves as
- accelerated and still have the built-in implementation compiled out.
- Starting with this release, it is necessary to declare which curves are
- accelerated (using MBEDTLS_PSA_ACCEL_ECC_xxx macros), or they will be
- considered not accelerated, and the built-in implementation of the curves
- and any algorithm possible using them will be included in the build.
diff --git a/ChangeLog.d/driver-only-hashes.txt b/ChangeLog.d/driver-only-hashes.txt
deleted file mode 100644
index cd1e030d1..000000000
--- a/ChangeLog.d/driver-only-hashes.txt
+++ /dev/null
@@ -1,11 +0,0 @@
-Features
- * All modules that use hashes or HMAC can now take advantage of PSA Crypto
- drivers when MBEDTLS_PSA_CRYPTO_C is enabled and psa_crypto_init() has
- been called. Previously (in 3.3), this was restricted to a few modules,
- and only in builds where MBEDTLS_MD_C was disabled; in particular the
- entropy module was not covered which meant an external RNG had to be
- provided - these limitations are lifted in this version. A new set of
- feature macros, MBEDTLS_MD_CAN_xxx, has been introduced that can be used
- to check for availability of hash algorithms, regardless of whether
- they're provided by a built-in implementation, a driver or both. See
- docs/driver-only-builds.md.
diff --git a/ChangeLog.d/ec_jpake_user_peer_2.txt b/ChangeLog.d/ec_jpake_user_peer_2.txt
deleted file mode 100644
index 9572ac7c1..000000000
--- a/ChangeLog.d/ec_jpake_user_peer_2.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Bugfix
- * Fix the J-PAKE driver interface for user and peer to accept any values
- (previously accepted values were limited to "client" or "server").
diff --git a/ChangeLog.d/enforce-min-RSA-key-size.txt b/ChangeLog.d/enforce-min-RSA-key-size.txt
deleted file mode 100644
index 06cd2a276..000000000
--- a/ChangeLog.d/enforce-min-RSA-key-size.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Changes
- * Enforce minimum RSA key size when generating a key
- to avoid accidental misuse.
diff --git a/ChangeLog.d/extend-distinguished-names.txt b/ChangeLog.d/extend-distinguished-names.txt
deleted file mode 100644
index b148424cf..000000000
--- a/ChangeLog.d/extend-distinguished-names.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Features
- * Accept arbitrary AttributeType and AttributeValue in certificate
- Distinguished Names using RFC 4514 syntax.
diff --git a/ChangeLog.d/extend-pk-opaque-ecc.txt b/ChangeLog.d/extend-pk-opaque-ecc.txt
deleted file mode 100644
index ad5bdc096..000000000
--- a/ChangeLog.d/extend-pk-opaque-ecc.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-Features
- * Support for "opaque" (PSA-held) ECC keys in the PK module has been
- extended: it is now possible to use mbedtls_pk_write_key_der(),
- mbedtls_pk_write_key_pem(), mbedtls_pk_check_pair(), and
- mbedtls_pk_verify() with opaque ECC keys (provided the PSA attributes
- allow it).
diff --git a/ChangeLog.d/ffdh-tls-1-3.txt b/ChangeLog.d/ffdh-tls-1-3.txt
deleted file mode 100644
index c5d07d69f..000000000
--- a/ChangeLog.d/ffdh-tls-1-3.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-Features
- * Add support for FFDH key exchange in TLS 1.3.
- This is automatically enabled as soon as PSA_WANT_ALG_FFDH
- and the ephemeral or psk-ephemeral key exchange mode are enabled.
- By default, all groups are offered; the list of groups can be
- configured using the existing API function mbedtls_ssl_conf_groups().
diff --git a/ChangeLog.d/fix-a-few-unchecked-return.txt b/ChangeLog.d/fix-a-few-unchecked-return.txt
deleted file mode 100644
index aadde3631..000000000
--- a/ChangeLog.d/fix-a-few-unchecked-return.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Bugfix
- * Fix some cases where mbedtls_mpi_mod_exp, RSA key construction or ECDSA
- signature can silently return an incorrect result in low memory conditions.
diff --git a/ChangeLog.d/fix-aes-cbc-iv-corruption.txt b/ChangeLog.d/fix-aes-cbc-iv-corruption.txt
deleted file mode 100644
index 11eb9463e..000000000
--- a/ChangeLog.d/fix-aes-cbc-iv-corruption.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Bugfix
- * Fix a potential corruption of the passed-in IV when mbedtls_aes_crypt_cbc()
- is called with zero length and padlock is not enabled.
diff --git a/ChangeLog.d/fix-crypt_and_hash-decrypt-issue.txt b/ChangeLog.d/fix-crypt_and_hash-decrypt-issue.txt
deleted file mode 100644
index ded9b2d47..000000000
--- a/ChangeLog.d/fix-crypt_and_hash-decrypt-issue.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Bugfix
- * Fix crypt_and_hash decryption fail when used with a stream cipher
- mode of operation due to the input not being multiple of block size.
- Resolves #7417.
diff --git a/ChangeLog.d/fix-declaration-of-mbedtls_ecdsa_sign_det_restartable-function.txt b/ChangeLog.d/fix-declaration-of-mbedtls_ecdsa_sign_det_restartable-function.txt
deleted file mode 100644
index c30e07451..000000000
--- a/ChangeLog.d/fix-declaration-of-mbedtls_ecdsa_sign_det_restartable-function.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Bugfix
- * Fix declaration of mbedtls_ecdsa_sign_det_restartable() function
- in the ecdsa.h header file. There was a build warning when the
- configuration macro MBEDTLS_ECDSA_SIGN_ALT was defined.
- Resolves #7407.
diff --git a/ChangeLog.d/fix-empty-enum.txt b/ChangeLog.d/fix-empty-enum.txt
deleted file mode 100644
index 458d58f3b..000000000
--- a/ChangeLog.d/fix-empty-enum.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Bugfix
- * Fix compile failure due to empty enum in cipher_wrap.c, when building
- with a very minimal configuration. Fixes #7625.
diff --git a/ChangeLog.d/fix-hrr-in-psk-kem.txt b/ChangeLog.d/fix-hrr-in-psk-kem.txt
deleted file mode 100644
index 037771184..000000000
--- a/ChangeLog.d/fix-hrr-in-psk-kem.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Bugfix
- * In TLS 1.3, fix handshake failure when a client in its ClientHello
- proposes an handshake based on PSK only key exchange mode or at least
- one of the key exchange modes using ephemeral keys to a server that
- supports only the PSK key exchange mode.
diff --git a/ChangeLog.d/fix-iar-compiler-warnings.txt b/ChangeLog.d/fix-iar-compiler-warnings.txt
deleted file mode 100644
index 0dc2623f8..000000000
--- a/ChangeLog.d/fix-iar-compiler-warnings.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-Bugfix
- * Fix IAR compiler warnings.
diff --git a/ChangeLog.d/fix-ilp32.txt b/ChangeLog.d/fix-ilp32.txt
deleted file mode 100644
index 3f18ac5c5..000000000
--- a/ChangeLog.d/fix-ilp32.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Bugfix
- * Fix a compilation failure in the constant_time module when
- building for arm64_32 (e.g., for watchos). Reported by Paulo
- Coutinho in #7787.
diff --git a/ChangeLog.d/fix-log-level-msg.txt b/ChangeLog.d/fix-log-level-msg.txt
deleted file mode 100644
index 4e82ad150..000000000
--- a/ChangeLog.d/fix-log-level-msg.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-Bugfix
- * Fix log level for the got supported group message. Fixes #6765
diff --git a/ChangeLog.d/fix-string-to-names-retcode.txt b/ChangeLog.d/fix-string-to-names-retcode.txt
deleted file mode 100644
index ac4b3d176..000000000
--- a/ChangeLog.d/fix-string-to-names-retcode.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Bugfix
- * Fix a bug in which mbedtls_x509_string_to_names() would return success
- when given a invalid name string if it did not contain '=' or ','.
diff --git a/ChangeLog.d/fix-tfm-build.txt b/ChangeLog.d/fix-tfm-build.txt
deleted file mode 100644
index 64cb837ae..000000000
--- a/ChangeLog.d/fix-tfm-build.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Bugfix
- * Fix compilation warnings in aes.c, which prevented the
- example TF-M configuration in configs/ from building cleanly:
- tfm_mbedcrypto_config_profile_medium.h with
- crypto_config_profile_medium.h.
diff --git a/ChangeLog.d/fix-tls-padbuf-zeroization.txt b/ChangeLog.d/fix-tls-padbuf-zeroization.txt
deleted file mode 100644
index 36451cb4b..000000000
--- a/ChangeLog.d/fix-tls-padbuf-zeroization.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Security
- * Fix a case where potentially sensitive information held in memory would not
- be completely zeroized during TLS 1.2 handshake, in both server and client
- configurations.
diff --git a/ChangeLog.d/fix-unterminated-pragma-clang-attribute-push.txt b/ChangeLog.d/fix-unterminated-pragma-clang-attribute-push.txt
deleted file mode 100644
index 7fcb5ec29..000000000
--- a/ChangeLog.d/fix-unterminated-pragma-clang-attribute-push.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Bugfix
- * Fix "unterminated '#pragma clang attribute push'" in sha256/sha512.c when
- built with MBEDTLS_SHAxxx_USE_A64_CRYPTO_IF_PRESENT but don't have a
- way to detect the crypto extensions required. A warning is still issued.
diff --git a/ChangeLog.d/improve-doc-on-ecp-curve-optimized-representation.txt b/ChangeLog.d/improve-doc-on-ecp-curve-optimized-representation.txt
deleted file mode 100644
index 8fdc588b1..000000000
--- a/ChangeLog.d/improve-doc-on-ecp-curve-optimized-representation.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Features
- * The documentation of mbedtls_ecp_group now describes the optimized
- representation of A for some curves. Fixes #8045.
diff --git a/ChangeLog.d/initialize-struct-get-other-name.txt b/ChangeLog.d/initialize-struct-get-other-name.txt
deleted file mode 100644
index dc8395d40..000000000
--- a/ChangeLog.d/initialize-struct-get-other-name.txt
+++ /dev/null
@@ -1,8 +0,0 @@
-Bugfix
- * Fix an issue when parsing an otherName subject alternative name into a
- mbedtls_x509_san_other_name struct. The type-id of the otherName was not
- copied to the struct. This meant that the struct had incomplete
- information about the otherName SAN and contained uninitialized memory.
- * Fix the detection of HardwareModuleName otherName SANs. These were being
- detected by comparing the wrong field and the check was erroneously
- inverted.
diff --git a/ChangeLog.d/inject-entropy.txt b/ChangeLog.d/inject-entropy.txt
deleted file mode 100644
index 762662969..000000000
--- a/ChangeLog.d/inject-entropy.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-Bugfix
- * Fix the build with MBEDTLS_PSA_INJECT_ENTROPY. Fixes #7516.
diff --git a/ChangeLog.d/mbedtls_ecdsa_can_do-unconditional-define.txt b/ChangeLog.d/mbedtls_ecdsa_can_do-unconditional-define.txt
deleted file mode 100644
index 22e8adbc5..000000000
--- a/ChangeLog.d/mbedtls_ecdsa_can_do-unconditional-define.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Bugfix
- * Fix an error when MBEDTLS_ECDSA_SIGN_ALT is defined but not
- MBEDTLS_ECDSA_VERIFY_ALT, causing ecdsa verify to fail. Fixes #7498.
diff --git a/ChangeLog.d/mbedtls_x509_time.txt b/ChangeLog.d/mbedtls_x509_time.txt
deleted file mode 100644
index 557f1910d..000000000
--- a/ChangeLog.d/mbedtls_x509_time.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Features
- * Improve mbedtls_x509_time performance and reduce memory use.
- * Reduce syscalls to time() during certificate verification.
diff --git a/ChangeLog.d/misc-from-psa-crypto.txt b/ChangeLog.d/misc-from-psa-crypto.txt
deleted file mode 100644
index 40a043a4f..000000000
--- a/ChangeLog.d/misc-from-psa-crypto.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Bugfix
- * Fix CCM* with no tag being not supported in a build with CCM as the only
- symmetric encryption algorithm and the PSA configuration enabled.
diff --git a/ChangeLog.d/oid-parse-from-numeric-string.txt b/ChangeLog.d/oid-parse-from-numeric-string.txt
deleted file mode 100644
index 82ed2fd71..000000000
--- a/ChangeLog.d/oid-parse-from-numeric-string.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Features
- * Add function mbedtls_oid_from_numeric_string() to parse an OID from a
- string to a DER-encoded mbedtls_asn1_buf.
diff --git a/ChangeLog.d/p256-m.txt b/ChangeLog.d/p256-m.txt
deleted file mode 100644
index e47358052..000000000
--- a/ChangeLog.d/p256-m.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Features
- * Applications using ECC over secp256r1 through the PSA API can use a
- new implementation with a much smaller footprint, but some minor
- usage restrictions. See the documentation of the new configuration
- option MBEDTLS_PSA_P256M_DRIVER_ENABLED for details.
diff --git a/ChangeLog.d/padding-ct-changelog.txt b/ChangeLog.d/padding-ct-changelog.txt
deleted file mode 100644
index 3e2c7e2e8..000000000
--- a/ChangeLog.d/padding-ct-changelog.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-Security
- * Improve padding calculations in CBC decryption, NIST key unwrapping and
- RSA OAEP decryption. With the previous implementation, some compilers
- (notably recent versions of Clang and IAR) could produce non-constant
- time code, which could allow a padding oracle attack if the attacker
- has access to precise timing measurements.
diff --git a/ChangeLog.d/programs_psa_fix.txt b/ChangeLog.d/programs_psa_fix.txt
deleted file mode 100644
index fe2099ecc..000000000
--- a/ChangeLog.d/programs_psa_fix.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Bugfix
- * Fix missing PSA initialization in sample programs when
- MBEDTLS_USE_PSA_CRYPTO is enabled.
diff --git a/ChangeLog.d/psa_crypto_user_config_file.txt b/ChangeLog.d/psa_crypto_user_config_file.txt
deleted file mode 100644
index f538f4707..000000000
--- a/ChangeLog.d/psa_crypto_user_config_file.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Bugfix
- * Don't try to include MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE when
- MBEDTLS_PSA_CRYPTO_CONFIG is disabled.
diff --git a/ChangeLog.d/python3.8.txt b/ChangeLog.d/python3.8.txt
deleted file mode 100644
index 32a7c09a8..000000000
--- a/ChangeLog.d/python3.8.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-Requirement changes
- * Officially require Python 3.8 now that earlier versions are out of support.
diff --git a/ChangeLog.d/rename_psa_crypto_driver_wrappers.txt b/ChangeLog.d/rename_psa_crypto_driver_wrappers.txt
deleted file mode 100644
index a0710963b..000000000
--- a/ChangeLog.d/rename_psa_crypto_driver_wrappers.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Changes
- * Users intergrating their own PSA drivers should be aware that
- the file library/psa_crypto_driver_wrappers.c has been renamed
- to psa_crypto_driver_wrappers_no_static.c.
-
diff --git a/ChangeLog.d/rfc8410.txt b/ChangeLog.d/rfc8410.txt
deleted file mode 100644
index e2984ee4b..000000000
--- a/ChangeLog.d/rfc8410.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Features
- * Add support for reading and writing X25519 and X448
- public and private keys in RFC 8410 format using the existing PK APIs.
diff --git a/ChangeLog.d/safer-ct.txt b/ChangeLog.d/safer-ct.txt
deleted file mode 100644
index 0a5b632ab..000000000
--- a/ChangeLog.d/safer-ct.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-Security
- * Updates to constant-time C code so that compilers are less likely to use
- conditional instructions, which can have an observable difference in
- timing. (Clang has been seen to do this.) Also introduce assembly
- implementations for 32- and 64-bit Arm and for x86 and x86-64, which are
- guaranteed not to use conditional instructions.
diff --git a/ChangeLog.d/sha3.txt b/ChangeLog.d/sha3.txt
deleted file mode 100644
index 9426f879f..000000000
--- a/ChangeLog.d/sha3.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Features
- * Add SHA-3 family hash functions.
-
diff --git a/ChangeLog.d/sha384-blocksize.txt b/ChangeLog.d/sha384-blocksize.txt
deleted file mode 100644
index 4917eb2c2..000000000
--- a/ChangeLog.d/sha384-blocksize.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-Security
- * Fix definition of MBEDTLS_MD_MAX_BLOCK_SIZE, which was too
- small when MBEDTLS_SHA384_C was defined and MBEDTLS_SHA512_C was
- undefined. Mbed TLS itself was unaffected by this, but user code
- which used MBEDTLS_MD_MAX_BLOCK_SIZE could be affected. The only
- release containing this bug was Mbed TLS 3.4.0.
diff --git a/ChangeLog.d/some-max-size-macro-are-too-small-when-psa-ecc-is-accelerated.txt b/ChangeLog.d/some-max-size-macro-are-too-small-when-psa-ecc-is-accelerated.txt
deleted file mode 100644
index 8cc6e5eab..000000000
--- a/ChangeLog.d/some-max-size-macro-are-too-small-when-psa-ecc-is-accelerated.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Bugfix
- * Fix proper sizing for PSA_EXPORT_[KEY_PAIR/PUBLIC_KEY]_MAX_SIZE and
- PSA_SIGNATURE_MAX_SIZE buffers when at least one accelerated EC is bigger
- than all built-in ones and RSA is disabled.
- Resolves #6622.
diff --git a/ChangeLog.d/ssl_debug_helpers-stack_usage.txt b/ChangeLog.d/ssl_debug_helpers-stack_usage.txt
deleted file mode 100644
index e2c24759f..000000000
--- a/ChangeLog.d/ssl_debug_helpers-stack_usage.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Bugfix
- * Fix very high stack usage in SSL debug code. Reported by Maximilian
- Gerhardt in #7804.
diff --git a/ChangeLog.d/ssl_decrypt_buf-short_record.txt b/ChangeLog.d/ssl_decrypt_buf-short_record.txt
deleted file mode 100644
index c2af1ec2a..000000000
--- a/ChangeLog.d/ssl_decrypt_buf-short_record.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Security
- * Fix a buffer overread when parsing short TLS application data records in
- null-cipher cipher suites. Credit to OSS-Fuzz.
diff --git a/ChangeLog.d/ssl_premaster_secret-empty.txt b/ChangeLog.d/ssl_premaster_secret-empty.txt
deleted file mode 100644
index 0ce5f36ea..000000000
--- a/ChangeLog.d/ssl_premaster_secret-empty.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Bugfix
- * Fix a compilation error on some platforms when including mbedtls/ssl.h
- with all TLS support disabled. Fixes #6628.
diff --git a/ChangeLog.d/tls13-custom-config.txt b/ChangeLog.d/tls13-custom-config.txt
deleted file mode 100644
index da2e25d95..000000000
--- a/ChangeLog.d/tls13-custom-config.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Bugfix
- * Fix undefined symbols in some builds using TLS 1.3 with a custom
- configuration file.
diff --git a/ChangeLog.d/tls13-server-version-negotiation.txt b/ChangeLog.d/tls13-server-version-negotiation.txt
deleted file mode 100644
index 989018b40..000000000
--- a/ChangeLog.d/tls13-server-version-negotiation.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Features
- * Add support for server-side TLS version negotiation. If both TLS 1.2 and
- TLS 1.3 protocols are enabled, the TLS server now selects TLS 1.2 or
- TLS 1.3 depending on the capabilities and preferences of TLS clients.
- Fixes #6867.
diff --git a/ChangeLog.d/updated_windows_apis.txt b/ChangeLog.d/updated_windows_apis.txt
deleted file mode 100644
index 73b17df9d..000000000
--- a/ChangeLog.d/updated_windows_apis.txt
+++ /dev/null
@@ -1,9 +0,0 @@
-Requirement changes
- * Minimum required Windows version is now Windows Vista, or
- Windows Server 2008.
-
-Changes
- * Update Windows code to use BCryptGenRandom and wcslen, and
- ensure that conversions between size_t, ULONG, and int are
- always done safely. Original contribution by Kevin Kane #635, #730
- followed by Simon Butcher #1453.
diff --git a/ChangeLog.d/use_heap_rsa_signature.txt b/ChangeLog.d/use_heap_rsa_signature.txt
deleted file mode 100644
index e6d7b1255..000000000
--- a/ChangeLog.d/use_heap_rsa_signature.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Changes
- * Use heap memory to allocate DER encoded RSA private key.
- This reduces stack usage significantly for RSA signature
- operations when MBEDTLS_PSA_CRYPTO_C is defined.
diff --git a/ChangeLog.d/verify-ip-sans-properly.txt b/ChangeLog.d/verify-ip-sans-properly.txt
deleted file mode 100644
index 00203a8ca..000000000
--- a/ChangeLog.d/verify-ip-sans-properly.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-Features
- * X.509 hostname verification now supports IPAddress Subject Alternate Names.
diff --git a/ChangeLog.d/x509-ec-algorithm-identifier-fix.txt b/ChangeLog.d/x509-ec-algorithm-identifier-fix.txt
deleted file mode 100644
index c1de491e6..000000000
--- a/ChangeLog.d/x509-ec-algorithm-identifier-fix.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Bugfix
- * Fix x509 certificate generation to conform to RFC 5480 / RFC 5758 when
- using ECC key. The certificate was rejected by some crypto frameworks.
- Fixes #2924.
diff --git a/ChangeLog.d/xxx_psa_peerkey.txt b/ChangeLog.d/xxx_psa_peerkey.txt
deleted file mode 100644
index d25e4ecbf..000000000
--- a/ChangeLog.d/xxx_psa_peerkey.txt
+++ /dev/null
@@ -1,8 +0,0 @@
-Security
- * Fix a remotely exploitable heap buffer overflow in TLS handshake parsing.
- In TLS 1.3, all configurations are affected except PSK-only ones, and
- both clients and servers are affected.
- In TLS 1.2, the affected configurations are those with
- MBEDTLS_USE_PSA_CRYPTO and ECDH enabled but DHM and RSA disabled,
- and only servers are affected, not clients.
- Credit to OSS-Fuzz.