From cf4d9f98c79b45d7b5f38880d0bb7535d5b408b0 Mon Sep 17 00:00:00 2001
From: Gilles Peskine <Gilles.Peskine@arm.com>
Date: Thu, 30 Jun 2022 17:07:47 +0200
Subject: [PATCH] Changelog entry for mbedtls_setbuf()

* Security: we're improving a countermeasure.
* Requirement change: the library will no longer compile on a platform
  without setbuf().

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
---
 ChangeLog.d/add_mbedtls_setbuf.txt | 10 ++++++++++
 1 file changed, 10 insertions(+)
 create mode 100644 ChangeLog.d/add_mbedtls_setbuf.txt

diff --git a/ChangeLog.d/add_mbedtls_setbuf.txt b/ChangeLog.d/add_mbedtls_setbuf.txt
new file mode 100644
index 000000000..6152d60df
--- /dev/null
+++ b/ChangeLog.d/add_mbedtls_setbuf.txt
@@ -0,0 +1,10 @@
+Security
+   * Add the platform function mbedtls_setbuf() to allow buffering to be
+     disabled on stdio files, to stop secrets loaded from said files being
+     potentially left in memory after file operations. Reported by
+     Glenn Strauss.
+Requirement changes
+   * The library will no longer compile out of the box on a platform without
+     setbuf() if MBEDTLS_FS_IO is enabled. If your platform does not have
+     setbuf(), you can configure an alternative function by enabling
+     MBEDTLS_PLATFORM_SETBUF_ALT or MBEDTLS_PLATFORM_SETBUF_MACRO.