From dbe435cda022affa0e927975264a019a134fcaf4 Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Thu, 23 Mar 2023 10:43:15 +0000 Subject: [PATCH] Assemble Changelog for 3.4.0 release 
Signed-off-by: Paul Elliott --- ChangeLog | 211 ++++++++++++++++++ ChangeLog.d/add-cache-remove-api.txt | 5 - ChangeLog.d/add-uri-san.txt | 3 - ChangeLog.d/add_interruptible_sign_hash.txt | 5 - ChangeLog.d/aes-ce-security-notice.txt | 5 - ChangeLog.d/aes-ni-security-notice.txt | 6 - ChangeLog.d/aesni.txt | 7 - ChangeLog.d/alignment-perf.txt | 8 - ChangeLog.d/armv8-aes.txt | 5 - ChangeLog.d/c-build-helper-hostcc.txt | 4 - ...a_key_derivation_abort-no-other_secret.txt | 3 - ChangeLog.d/cmake-install.txt | 3 - ChangeLog.d/coding-style.txt | 5 - ...ditionalize-mbedtls_mpi_sub_abs-memcpy.txt | 4 - ChangeLog.d/crypto_config_ccm_star.txt | 3 - ChangeLog.d/csr_v3_extensions.txt | 3 - ChangeLog.d/driver-only-ecdsa.txt | 7 - ChangeLog.d/driver-only-ecjpake.txt | 5 - ChangeLog.d/ec_jpake_driver_dispatch.txt | 3 - ChangeLog.d/empty-retval-description.txt | 3 - .../enable_opaque_ECJPAKE_key_exchange.txt | 4 - ChangeLog.d/fix-example-programs-no-args.txt | 4 - ChangeLog.d/fix-gettimeofday-overflow.txt | 3 - ChangeLog.d/fix-iar-warnings.txt | 2 - ChangeLog.d/fix-jpake-user-peer.txt | 4 - ChangeLog.d/fix-oid-to-string-bugs.txt | 10 - ChangeLog.d/fix-overread-in-tls13-debug.txt | 3 - ChangeLog.d/fix-rsaalt-test-guards.txt | 3 - ..._for_directory_names_containing_spaces.txt | 4 - ..._cert_writing_serial_number_management.txt | 19 -- ..._sha384_independent_from_sha256_sha512.txt | 4 - ...s_ecp_point_read_binary-compressed-fmt.txt | 6 - .../mbedtls_ssl_read_undefined_behavior.txt | 3 - ChangeLog.d/mpi-window-perf.txt | 7 - ChangeLog.d/pk-sign-restartable.txt | 5 - ChangeLog.d/pk_ext-pss_options-public.txt | 4 - ChangeLog.d/pkcs7-parser.txt | 15 -- ChangeLog.d/platform-zeroization.txt | 3 - ChangeLog.d/psa-alt-headers.txt | 4 - .../psa-mbedtls-error-translations.txt | 6 - ...psa_alg_tls12_ecjpake_to_pms-reject_ka.txt | 4 - .../reduce-cpu-modifiers-to-file-scope.txt | 12 - ChangeLog.d/rsa-padding-accessor.txt | 4 - ChangeLog.d/san_csr.txt | 2 - ChangeLog.d/san_rfc822Name.txt | 3 - 
ChangeLog.d/tls13-only-renegotiation.txt | 5 - ...13-reorder-ciphersuite-preference-list.txt | 12 - ChangeLog.d/vs2013.txt | 4 - .../workaround_gnutls_anti_replay_fail.txt | 7 - ChangeLog.d/x509-subaltname-ext.txt | 5 - 50 files changed, 211 insertions(+), 258 deletions(-) delete mode 100644 ChangeLog.d/add-cache-remove-api.txt delete mode 100644 ChangeLog.d/add-uri-san.txt delete mode 100644 ChangeLog.d/add_interruptible_sign_hash.txt delete mode 100644 ChangeLog.d/aes-ce-security-notice.txt delete mode 100644 ChangeLog.d/aes-ni-security-notice.txt delete mode 100644 ChangeLog.d/aesni.txt delete mode 100644 ChangeLog.d/alignment-perf.txt delete mode 100644 ChangeLog.d/armv8-aes.txt delete mode 100644 ChangeLog.d/c-build-helper-hostcc.txt delete mode 100644 ChangeLog.d/changelog-6567-psa_key_derivation_abort-no-other_secret.txt delete mode 100644 ChangeLog.d/cmake-install.txt delete mode 100644 ChangeLog.d/coding-style.txt delete mode 100644 ChangeLog.d/conditionalize-mbedtls_mpi_sub_abs-memcpy.txt delete mode 100644 ChangeLog.d/crypto_config_ccm_star.txt delete mode 100644 ChangeLog.d/csr_v3_extensions.txt delete mode 100644 ChangeLog.d/driver-only-ecdsa.txt delete mode 100644 ChangeLog.d/driver-only-ecjpake.txt delete mode 100644 ChangeLog.d/ec_jpake_driver_dispatch.txt delete mode 100644 ChangeLog.d/empty-retval-description.txt delete mode 100644 ChangeLog.d/enable_opaque_ECJPAKE_key_exchange.txt delete mode 100644 ChangeLog.d/fix-example-programs-no-args.txt delete mode 100644 ChangeLog.d/fix-gettimeofday-overflow.txt delete mode 100644 ChangeLog.d/fix-iar-warnings.txt delete mode 100644 ChangeLog.d/fix-jpake-user-peer.txt delete mode 100644 ChangeLog.d/fix-oid-to-string-bugs.txt delete mode 100644 ChangeLog.d/fix-overread-in-tls13-debug.txt delete mode 100644 ChangeLog.d/fix-rsaalt-test-guards.txt delete mode 100644 ChangeLog.d/fix_build_for_directory_names_containing_spaces.txt delete mode 100644 
ChangeLog.d/improve_x509_cert_writing_serial_number_management.txt delete mode 100644 ChangeLog.d/make_sha224_sha384_independent_from_sha256_sha512.txt delete mode 100644 ChangeLog.d/mbedtls_ecp_point_read_binary-compressed-fmt.txt delete mode 100644 ChangeLog.d/mbedtls_ssl_read_undefined_behavior.txt delete mode 100644 ChangeLog.d/mpi-window-perf.txt delete mode 100644 ChangeLog.d/pk-sign-restartable.txt delete mode 100644 ChangeLog.d/pk_ext-pss_options-public.txt delete mode 100644 ChangeLog.d/pkcs7-parser.txt delete mode 100644 ChangeLog.d/platform-zeroization.txt delete mode 100644 ChangeLog.d/psa-alt-headers.txt delete mode 100644 ChangeLog.d/psa-mbedtls-error-translations.txt delete mode 100644 ChangeLog.d/psa_alg_tls12_ecjpake_to_pms-reject_ka.txt delete mode 100644 ChangeLog.d/reduce-cpu-modifiers-to-file-scope.txt delete mode 100644 ChangeLog.d/rsa-padding-accessor.txt delete mode 100644 ChangeLog.d/san_csr.txt delete mode 100644 ChangeLog.d/san_rfc822Name.txt delete mode 100644 ChangeLog.d/tls13-only-renegotiation.txt delete mode 100644 ChangeLog.d/tls13-reorder-ciphersuite-preference-list.txt delete mode 100644 ChangeLog.d/vs2013.txt delete mode 100644 ChangeLog.d/workaround_gnutls_anti_replay_fail.txt delete mode 100644 ChangeLog.d/x509-subaltname-ext.txt
diff --git a/ChangeLog b/ChangeLog
index 639c8e97b..9b30aff00 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,216 @@ Mbed TLS ChangeLog (Sorted per branch, date) += Mbed TLS 3.4.0 branch released 2023-03-28 + +Default behavior changes + * The default priority order of TLS 1.3 cipher suites has been modified to + follow the same rules as the TLS 1.2 cipher suites (see + ssl_ciphersuites.c). The preferred cipher suite is now + TLS_CHACHA20_POLY1305_SHA256. + +New deprecations + * mbedtls_x509write_crt_set_serial() is now being deprecated in favor of + mbedtls_x509write_crt_set_serial_raw(). The goal here is to remove any + direct dependency of X509 on BIGNUM_C. + * PSA to mbedtls error translation is now unified in psa_util.h, + deprecating mbedtls_md_error_from_psa. Each file that performs error + translation should define its own version of PSA_TO_MBEDTLS_ERR, + optionally providing file-specific error pairs. Please see psa_util.h for + more details. + +Features + * Added partial support for parsing the PKCS #7 Cryptographic Message + Syntax, as defined in RFC 2315. Currently, support is limited to the + following: + - Only the signed-data content type, version 1 is supported. + - Only DER encoding is supported. + - Only a single digest algorithm per message is supported. + - Certificates must be in X.509 format. A message must have either 0 + or 1 certificates. + - There is no support for certificate revocation lists. + - The authenticated and unauthenticated attribute fields of SignerInfo + must be empty. + Many thanks to Daniel Axtens, Nayna Jain, and Nick Child from IBM for + contributing this feature, and to Demi-Marie Obenour for contributing + various improvements, tests and bug fixes. + * General performance improvements by accessing multiple bytes at a time. + Fixes #1666. + * Improvements to use of unaligned and byte-swapped memory, reducing code + size and improving performance (depending on compiler and target + architecture). 
+ * Add support for reading points in compressed format + (MBEDTLS_ECP_PF_COMPRESSED) with mbedtls_ecp_point_read_binary() + (and callers) for Short Weierstrass curves with prime p where p = 3 mod 4 + (all mbedtls MBEDTLS_ECP_DP_SECP* and MBEDTLS_ECP_DP_BP* curves + except MBEDTLS_ECP_DP_SECP224R1 and MBEDTLS_ECP_DP_SECP224K1) + * SHA224_C/SHA384_C are now independent from SHA384_C/SHA512_C respectively. + This helps in saving code size when some of the above hashes are not + required. + * Add parsing of V3 extensions (key usage, Netscape cert-type, + Subject Alternative Names) in x509 Certificate Sign Requests. + * Use HOSTCC (if it is set) when compiling C code during generation of the + configuration-independent files. This allows them to be generated when + CC is set for cross compilation. + * Add parsing of uniformResourceIdentifier subtype for subjectAltName + extension in x509 certificates. + * Add an interruptible version of sign and verify hash to the PSA interface, + backed by internal library support for ECDSA signing and verification. + * Add parsing of rfc822Name subtype for subjectAltName + extension in x509 certificates. + * The configuration macros MBEDTLS_PSA_CRYPTO_PLATFORM_FILE and + MBEDTLS_PSA_CRYPTO_STRUCT_FILE specify alternative locations for + the headers "psa/crypto_platform.h" and "psa/crypto_struct.h". + * When a PSA driver for ECDSA is present, it is now possible to disable + MBEDTLS_ECDSA_C in the build in order to save code size. For PK, X.509 + and TLS to fully work, this requires MBEDTLS_USE_PSA_CRYPTO to be enabled. + Restartable/interruptible ECDSA operations in PK, X.509 and TLS are not + supported in those builds yet, as driver support for interruptible ECDSA + operations is not present yet. + * Add a driver dispatch layer for EC J-PAKE, enabling alternative + implementations of EC J-PAKE through the driver entry points. + * Add new API mbedtls_ssl_cache_remove for cache entry removal by + its session id. 
+ * Add support to include the SubjectAltName extension to a CSR. + * Add support for AES with the Armv8-A Cryptographic Extension on + 64-bit Arm. A new configuration option, MBEDTLS_AESCE_C, can + be used to enable this feature. Run-time detection is supported + under Linux only. + * When a PSA driver for EC J-PAKE is present, it is now possible to disable + MBEDTLS_ECJPAKE_C in the build in order to save code size. For the + corresponding TLS 1.2 key exchange to work, MBEDTLS_USE_PSA_CRYPTO needs + to be enabled. + * Add functions mbedtls_rsa_get_padding_mode() and mbedtls_rsa_get_md_alg() + to read non-public fields for padding mode and hash id from + an mbedtls_rsa_context, as requested in #6917. + * AES-NI is now supported with Visual Studio. + * AES-NI is now supported in 32-bit builds, or when MBEDTLS_HAVE_ASM + is disabled, when compiling with GCC or Clang or a compatible compiler + for a target CPU that supports the requisite instructions (for example + gcc -m32 -msse2 -maes -mpclmul). (Generic x86 builds with GCC-like + compilers still require MBEDTLS_HAVE_ASM and a 64-bit target.) + * It is now possible to use a PSA-held (opaque) password with the TLS 1.2 + ECJPAKE key exchange, using the new API function + mbedtls_ssl_set_hs_ecjpake_password_opaque(). + +Security + * Use platform-provided secure zeroization function where possible, such as + explicit_bzero(). + * Zeroize SSL cache entries when they are freed. + * Fix a potential heap buffer overread in TLS 1.3 client-side when + MBEDTLS_DEBUG_C is enabled. This may result in an application crash. + * Add support for AES with the Armv8-A Cryptographic Extension on 64-bit + Arm, so that these systems are no longer vulnerable to timing side-channel + attacks. This is configured by MBEDTLS_AESCE_C, which is on by default. + Reported by Demi Marie Obenour. 
+ * MBEDTLS_AESNI_C, which is enabled by default, was silently ignored on + builds that couldn't compile the GCC-style assembly implementation + (most notably builds with Visual Studio), leaving them vulnerable to + timing side-channel attacks. There is now an intrinsics-based AES-NI + implementation as a fallback for when the assembly one cannot be used. + +Bugfix + * Fix possible integer overflow in mbedtls_timing_hardclock(), which + could cause a crash in programs/test/benchmark. + * Fix IAR compiler warnings. Fixes #6924. + * Fix a bug in the build where directory names containing spaces were + causing generate_errors.pl to error out resulting in a build failure. + Fixes issue #6879. + * In TLS 1.3, when using a ticket for session resumption, tweak its age + calculation on the client side. It prevents a server with more accurate + ticket timestamps (typically timestamps in milliseconds) compared to the + Mbed TLS ticket timestamps (in seconds) to compute a ticket age smaller + than the age computed and transmitted by the client and thus potentially + reject the ticket. Fix #6623. + * Fix compile error where MBEDTLS_RSA_C and MBEDTLS_X509_CRT_WRITE_C are + defined, but MBEDTLS_PK_RSA_ALT_SUPPORT is not defined. Fixes #3174. + * List PSA_WANT_ALG_CCM_STAR_NO_TAG in psa/crypto_config.h so that it can + be toggled with config.py. + * The key derivation algorithm PSA_ALG_TLS12_ECJPAKE_TO_PMS cannot be + used on a shared secret from a key agreement since its input must be + an ECC public key. Reject this properly. + * mbedtls_x509write_crt_set_serial() now explicitly rejects serial numbers + whose binary representation is longer than 20 bytes. This was already + forbidden by the standard (RFC5280 - section 4.1.2.2) and now it's being + enforced also at code level. + * Fix potential undefined behavior in mbedtls_mpi_sub_abs(). Reported by + Pascal Cuoq using TrustInSoft Analyzer in #6701; observed independently by + Aaron Ucko under Valgrind. 
+ * Fix behavior of certain sample programs which could, when run with no + arguments, access uninitialized memory in some cases. Fixes #6700 (which + was found by TrustInSoft Analyzer during REDOCS'22) and #1120. + * Fix parsing of X.509 SubjectAlternativeName extension. Previously, + malformed alternative name components were not caught during initial + certificate parsing, but only on subsequent calls to + mbedtls_x509_parse_subject_alt_name(). Fixes #2838. + * Make the fields of mbedtls_pk_rsassa_pss_options public. This makes it + possible to verify RSA PSS signatures with the pk module, which was + inadvertently broken since Mbed TLS 3.0. + * Fix bug in conversion from OID to string in + mbedtls_oid_get_numeric_string(). OIDs such as 2.40.0.25 are now printed + correctly. + * Reject OIDs with overlong-encoded subidentifiers when converting + them to a string. + * Reject OIDs with subidentifier values exceeding UINT_MAX. Such + subidentifiers can be valid, but Mbed TLS cannot currently handle them. + * Reject OIDs that have unterminated subidentifiers, or (equivalently) + have the most-significant bit set in their last byte. + * Silence warnings from clang -Wdocumentation about empty \retval + descriptions, which started appearing with Clang 15. Fixes #6960. + * Fix the handling of renegotiation attempts in TLS 1.3. They are now + systematically rejected. + * Fix an unused-variable warning in TLS 1.3-only builds if + MBEDTLS_SSL_RENEGOTIATION was enabled. Fixes #6200. + * Fix undefined behavior in mbedtls_ssl_read() and mbedtls_ssl_write() if + len argument is 0 and buffer is NULL. + * Allow setting user and peer identifiers for EC J-PAKE operation + instead of role in PAKE PSA Crypto API as described in the specification. + This is a partial fix that allows only "client" and "server" identifiers. + * Fix a compilation error when PSA Crypto is built with support for + TLS12_PRF but not TLS12_PSK_TO_MS. Reported by joerchan in #7125. 
+ * In the TLS 1.3 server, select the preferred client cipher suite, not the + least preferred. The selection error was introduced in Mbed TLS 3.3.0. + * Fix TLS 1.3 session resumption when the established pre-shared key is + 384 bits long. That is the length of pre-shared keys created under a + session where the cipher suite is TLS_AES_256_GCM_SHA384. + * Fix an issue when compiling with MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT + enabled, which required specifying compiler flags enabling SHA3 Crypto + Extensions, where some compilers would emit EOR3 instructions in other + modules, which would then fail if run on a CPU without the SHA3 + extensions. Fixes #5758. + +Changes + * Install the .cmake files into CMAKE_INSTALL_LIBDIR/cmake/MbedTLS, + typically /usr/lib/cmake/MbedTLS. + * Mixed-endian systems are explicitly not supported any more. + * When MBEDTLS_USE_PSA_CRYPTO and MBEDTLS_ECDSA_DETERMINISTIC are both + defined, mbedtls_pk_sign() now use deterministic ECDSA for ECDSA + signatures. This aligns the behaviour with MBEDTLS_USE_PSA_CRYPTO to + the behaviour without it, where deterministic ECDSA was already used. + * Visual Studio: Rename the directory containing Visual Studio files from + visualc/VS2010 to visualc/VS2013 as we do not support building with versions + older than 2013. Update the solution file to specify VS2013 as a minimum. + * programs/x509/cert_write: + - now it accepts the serial number in 2 different formats: decimal and + hex. They cannot be used simultaneously + - "serial" is used for the decimal format and it's limted in size to + unsigned long long int + - "serial_hex" is used for the hex format; max length here is + MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN*2 + * The C code follows a new coding style. This is transparent for users but + affects contributors and maintainers of local patches. 
For more + information, see + https://mbed-tls.readthedocs.io/en/latest/kb/how-to/rewrite-branch-for-coding-style/ + * Changed the default MBEDTLS_ECP_WINDOW_SIZE from 6 to 2. + As tested in issue 6790, the correlation between this define and + RSA decryption performance has changed lately due to security fixes. + To fix the performance degradation when using default values the + window was reduced from 6 to 2, a value that gives the best or close + to best results when tested on Cortex-M4 and Intel i7. + * When enabling MBEDTLS_SHA256_USE_A64_CRYPTO_* or + MBEDTLS_SHA512_USE_A64_CRYPTO_*, it is no longer necessary to specify + compiler target flags on the command line; the library now sets target + options within the appropriate modules. + = Mbed TLS 3.3.0 branch released 2022-12-14 Default behavior changes diff --git a/ChangeLog.d/add-cache-remove-api.txt b/ChangeLog.d/add-cache-remove-api.txt deleted file mode 100644 index 950ff9730..000000000 --- a/ChangeLog.d/add-cache-remove-api.txt +++ /dev/null @@ -1,5 +0,0 @@ -Features - * Add new API mbedtls_ssl_cache_remove for cache entry removal by - its session id. -Security - * Zeroize SSL cache entries when they are freed. diff --git a/ChangeLog.d/add-uri-san.txt b/ChangeLog.d/add-uri-san.txt deleted file mode 100644 index 5184e8f5d..000000000 --- a/ChangeLog.d/add-uri-san.txt +++ /dev/null @@ -1,3 +0,0 @@ -Features - * Add parsing of uniformResourceIdentifier subtype for subjectAltName - extension in x509 certificates. diff --git a/ChangeLog.d/add_interruptible_sign_hash.txt b/ChangeLog.d/add_interruptible_sign_hash.txt deleted file mode 100644 index 3d933038e..000000000 --- a/ChangeLog.d/add_interruptible_sign_hash.txt +++ /dev/null @@ -1,5 +0,0 @@ -Features - * Add an interruptible version of sign and verify hash to the PSA interface, - backed by internal library support for ECDSA signing and verification. - - 
diff --git a/ChangeLog.d/aes-ce-security-notice.txt b/ChangeLog.d/aes-ce-security-notice.txt deleted file mode 100644 index 27f8f80d8..000000000 --- a/ChangeLog.d/aes-ce-security-notice.txt +++ /dev/null @@ -1,5 +0,0 @@ -Security - * Add support for AES with the Armv8-A Cryptographic Extension on 64-bit - Arm, so that these systems are no longer vulnerable to timing side-channel - attacks. This is configured by MBEDTLS_AESCE_C, which is on by default. - Reported by Demi Marie Obenour. diff --git a/ChangeLog.d/aes-ni-security-notice.txt b/ChangeLog.d/aes-ni-security-notice.txt deleted file mode 100644 index ccf8c9a67..000000000 --- a/ChangeLog.d/aes-ni-security-notice.txt +++ /dev/null @@ -1,6 +0,0 @@ -Security - * MBEDTLS_AESNI_C, which is enabled by default, was silently ignored on - builds that couldn't compile the GCC-style assembly implementation - (most notably builds with Visual Studio), leaving them vulnerable to - timing side-channel attacks. There is now an intrinsics-based AES-NI - implementation as a fallback for when the assembly one cannot be used. diff --git a/ChangeLog.d/aesni.txt b/ChangeLog.d/aesni.txt deleted file mode 100644 index 2d90a6e1c..000000000 --- a/ChangeLog.d/aesni.txt +++ /dev/null @@ -1,7 +0,0 @@ -Features - * AES-NI is now supported with Visual Studio. - * AES-NI is now supported in 32-bit builds, or when MBEDTLS_HAVE_ASM - is disabled, when compiling with GCC or Clang or a compatible compiler - for a target CPU that supports the requisite instructions (for example - gcc -m32 -msse2 -maes -mpclmul). (Generic x86 builds with GCC-like - compilers still require MBEDTLS_HAVE_ASM and a 64-bit target.) diff --git a/ChangeLog.d/alignment-perf.txt b/ChangeLog.d/alignment-perf.txt deleted file mode 100644 index 7a8e6fb4a..000000000 --- a/ChangeLog.d/alignment-perf.txt +++ /dev/null 
@@ -1,8 +0,0 @@ -Features - * General performance improvements by accessing multiple bytes at a time. - Fixes #1666. - * Improvements to use of unaligned and byte-swapped memory, reducing code - size and improving performance (depending on compiler and target - architecture). -Changes - * Mixed-endian systems are explicitly not supported any more. diff --git a/ChangeLog.d/armv8-aes.txt b/ChangeLog.d/armv8-aes.txt deleted file mode 100644 index 37d3479ba..000000000 --- a/ChangeLog.d/armv8-aes.txt +++ /dev/null @@ -1,5 +0,0 @@ -Features - * Add support for AES with the Armv8-A Cryptographic Extension on - 64-bit Arm. A new configuration option, MBEDTLS_AESCE_C, can - be used to enable this feature. Run-time detection is supported - under Linux only. diff --git a/ChangeLog.d/c-build-helper-hostcc.txt b/ChangeLog.d/c-build-helper-hostcc.txt deleted file mode 100644 index 86182c3be..000000000 --- a/ChangeLog.d/c-build-helper-hostcc.txt +++ /dev/null @@ -1,4 +0,0 @@ -Features - * Use HOSTCC (if it is set) when compiling C code during generation of the - configuration-independent files. This allows them to be generated when - CC is set for cross compilation. diff --git a/ChangeLog.d/changelog-6567-psa_key_derivation_abort-no-other_secret.txt b/ChangeLog.d/changelog-6567-psa_key_derivation_abort-no-other_secret.txt deleted file mode 100644 index 8fcc18b20..000000000 --- a/ChangeLog.d/changelog-6567-psa_key_derivation_abort-no-other_secret.txt +++ /dev/null @@ -1,3 +0,0 @@ -Bugfix - * Fix a compilation error when PSA Crypto is built with support for - TLS12_PRF but not TLS12_PSK_TO_MS. Reported by joerchan in #7125. diff --git a/ChangeLog.d/cmake-install.txt b/ChangeLog.d/cmake-install.txt deleted file mode 100644 index d8eb72e1e..000000000 --- a/ChangeLog.d/cmake-install.txt +++ /dev/null @@ -1,3 +0,0 @@ -Changes - * Install the .cmake files into CMAKE_INSTALL_LIBDIR/cmake/MbedTLS, - typically /usr/lib/cmake/MbedTLS. 
diff --git a/ChangeLog.d/coding-style.txt b/ChangeLog.d/coding-style.txt deleted file mode 100644 index b2cff5cc0..000000000 --- a/ChangeLog.d/coding-style.txt +++ /dev/null @@ -1,5 +0,0 @@ -Changes - * The C code follows a new coding style. This is transparent for users but - affects contributors and maintainers of local patches. For more - information, see - https://mbed-tls.readthedocs.io/en/latest/kb/how-to/rewrite-branch-for-coding-style/ diff --git a/ChangeLog.d/conditionalize-mbedtls_mpi_sub_abs-memcpy.txt b/ChangeLog.d/conditionalize-mbedtls_mpi_sub_abs-memcpy.txt deleted file mode 100644 index 0a90721ea..000000000 --- a/ChangeLog.d/conditionalize-mbedtls_mpi_sub_abs-memcpy.txt +++ /dev/null @@ -1,4 +0,0 @@ -Bugfix - * Fix potential undefined behavior in mbedtls_mpi_sub_abs(). Reported by - Pascal Cuoq using TrustInSoft Analyzer in #6701; observed independently by - Aaron Ucko under Valgrind. diff --git a/ChangeLog.d/crypto_config_ccm_star.txt b/ChangeLog.d/crypto_config_ccm_star.txt deleted file mode 100644 index 947014ae3..000000000 --- a/ChangeLog.d/crypto_config_ccm_star.txt +++ /dev/null @@ -1,3 +0,0 @@ -Bugfix - * List PSA_WANT_ALG_CCM_STAR_NO_TAG in psa/crypto_config.h so that it can - be toggled with config.py. diff --git a/ChangeLog.d/csr_v3_extensions.txt b/ChangeLog.d/csr_v3_extensions.txt deleted file mode 100644 index 92740174f..000000000 --- a/ChangeLog.d/csr_v3_extensions.txt +++ /dev/null @@ -1,3 +0,0 @@ -Features - * Add parsing of V3 extensions (key usage, Netscape cert-type, - Subject Alternative Names) in x509 Certificate Sign Requests. diff --git a/ChangeLog.d/driver-only-ecdsa.txt b/ChangeLog.d/driver-only-ecdsa.txt deleted file mode 100644 index 645a72374..000000000 --- a/ChangeLog.d/driver-only-ecdsa.txt +++ /dev/null 
@@ -1,7 +0,0 @@ -Features - * When a PSA driver for ECDSA is present, it is now possible to disable - MBEDTLS_ECDSA_C in the build in order to save code size. For PK, X.509 - and TLS to fully work, this requires MBEDTLS_USE_PSA_CRYPTO to be enabled. - Restartable/interruptible ECDSA operations in PK, X.509 and TLS are not - supported in those builds yet, as driver support for interruptible ECDSA - operations is not present yet. diff --git a/ChangeLog.d/driver-only-ecjpake.txt b/ChangeLog.d/driver-only-ecjpake.txt deleted file mode 100644 index 706f304c3..000000000 --- a/ChangeLog.d/driver-only-ecjpake.txt +++ /dev/null @@ -1,5 +0,0 @@ -Features - * When a PSA driver for EC J-PAKE is present, it is now possible to disable - MBEDTLS_ECJPAKE_C in the build in order to save code size. For the - corresponding TLS 1.2 key exchange to work, MBEDTLS_USE_PSA_CRYPTO needs - to be enabled. diff --git a/ChangeLog.d/ec_jpake_driver_dispatch.txt b/ChangeLog.d/ec_jpake_driver_dispatch.txt deleted file mode 100644 index 343929629..000000000 --- a/ChangeLog.d/ec_jpake_driver_dispatch.txt +++ /dev/null @@ -1,3 +0,0 @@ -Features - * Add a driver dispatch layer for EC J-PAKE, enabling alternative - implementations of EC J-PAKE through the driver entry points. diff --git a/ChangeLog.d/empty-retval-description.txt b/ChangeLog.d/empty-retval-description.txt deleted file mode 100644 index 491adf55d..000000000 --- a/ChangeLog.d/empty-retval-description.txt +++ /dev/null @@ -1,3 +0,0 @@ -Bugfix - * Silence warnings from clang -Wdocumentation about empty \retval - descriptions, which started appearing with Clang 15. Fixes #6960. diff --git a/ChangeLog.d/enable_opaque_ECJPAKE_key_exchange.txt b/ChangeLog.d/enable_opaque_ECJPAKE_key_exchange.txt deleted file mode 100644 index aa1332f5b..000000000 --- a/ChangeLog.d/enable_opaque_ECJPAKE_key_exchange.txt +++ /dev/null 
@@ -1,4 +0,0 @@ -Features - * It is now possible to use a PSA-held (opaque) password with the TLS 1.2 - ECJPAKE key exchange, using the new API function - mbedtls_ssl_set_hs_ecjpake_password_opaque(). diff --git a/ChangeLog.d/fix-example-programs-no-args.txt b/ChangeLog.d/fix-example-programs-no-args.txt deleted file mode 100644 index 57fe37a8e..000000000 --- a/ChangeLog.d/fix-example-programs-no-args.txt +++ /dev/null @@ -1,4 +0,0 @@ -Bugfix - * Fix behavior of certain sample programs which could, when run with no - arguments, access uninitialized memory in some cases. Fixes #6700 (which - was found by TrustInSoft Analyzer during REDOCS'22) and #1120. diff --git a/ChangeLog.d/fix-gettimeofday-overflow.txt b/ChangeLog.d/fix-gettimeofday-overflow.txt deleted file mode 100644 index b7e10d2b0..000000000 --- a/ChangeLog.d/fix-gettimeofday-overflow.txt +++ /dev/null @@ -1,3 +0,0 @@ -Bugfix - * Fix possible integer overflow in mbedtls_timing_hardclock(), which - could cause a crash in programs/test/benchmark. diff --git a/ChangeLog.d/fix-iar-warnings.txt b/ChangeLog.d/fix-iar-warnings.txt deleted file mode 100644 index 8a3013232..000000000 --- a/ChangeLog.d/fix-iar-warnings.txt +++ /dev/null @@ -1,2 +0,0 @@ -Bugfix - * Fix IAR compiler warnings. Fixes #6924. diff --git a/ChangeLog.d/fix-jpake-user-peer.txt b/ChangeLog.d/fix-jpake-user-peer.txt deleted file mode 100644 index e027fc37b..000000000 --- a/ChangeLog.d/fix-jpake-user-peer.txt +++ /dev/null @@ -1,4 +0,0 @@ -Bugfix - * Allow setting user and peer identifiers for EC J-PAKE operation - instead of role in PAKE PSA Crypto API as described in the specification. - This is a partial fix that allows only "client" and "server" identifiers. diff --git a/ChangeLog.d/fix-oid-to-string-bugs.txt b/ChangeLog.d/fix-oid-to-string-bugs.txt deleted file mode 100644 index 3cf02c39c..000000000 --- a/ChangeLog.d/fix-oid-to-string-bugs.txt +++ /dev/null 
@@ -1,10 +0,0 @@ -Bugfix - * Fix bug in conversion from OID to string in - mbedtls_oid_get_numeric_string(). OIDs such as 2.40.0.25 are now printed - correctly. - * Reject OIDs with overlong-encoded subidentifiers when converting - them to a string. - * Reject OIDs with subidentifier values exceeding UINT_MAX. Such - subidentifiers can be valid, but Mbed TLS cannot currently handle them. - * Reject OIDs that have unterminated subidentifiers, or (equivalently) - have the most-significant bit set in their last byte. diff --git a/ChangeLog.d/fix-overread-in-tls13-debug.txt b/ChangeLog.d/fix-overread-in-tls13-debug.txt deleted file mode 100644 index e089ce161..000000000 --- a/ChangeLog.d/fix-overread-in-tls13-debug.txt +++ /dev/null @@ -1,3 +0,0 @@ -Security - * Fix a potential heap buffer overread in TLS 1.3 client-side when - MBEDTLS_DEBUG_C is enabled. This may result in an application crash. diff --git a/ChangeLog.d/fix-rsaalt-test-guards.txt b/ChangeLog.d/fix-rsaalt-test-guards.txt deleted file mode 100644 index f4f39c9e5..000000000 --- a/ChangeLog.d/fix-rsaalt-test-guards.txt +++ /dev/null @@ -1,3 +0,0 @@ -Bugfix - * Fix compile error where MBEDTLS_RSA_C and MBEDTLS_X509_CRT_WRITE_C are - defined, but MBEDTLS_PK_RSA_ALT_SUPPORT is not defined. Fixes #3174. diff --git a/ChangeLog.d/fix_build_for_directory_names_containing_spaces.txt b/ChangeLog.d/fix_build_for_directory_names_containing_spaces.txt deleted file mode 100644 index e7643b703..000000000 --- a/ChangeLog.d/fix_build_for_directory_names_containing_spaces.txt +++ /dev/null @@ -1,4 +0,0 @@ -Bugfix - * Fix a bug in the build where directory names containing spaces were - causing generate_errors.pl to error out resulting in a build failure. - Fixes issue #6879. diff --git a/ChangeLog.d/improve_x509_cert_writing_serial_number_management.txt b/ChangeLog.d/improve_x509_cert_writing_serial_number_management.txt deleted file mode 100644 index 1764c2f64..000000000 
--- a/ChangeLog.d/improve_x509_cert_writing_serial_number_management.txt +++ /dev/null @@ -1,19 +0,0 @@ -Bugfix - * mbedtls_x509write_crt_set_serial() now explicitly rejects serial numbers - whose binary representation is longer than 20 bytes. This was already - forbidden by the standard (RFC5280 - section 4.1.2.2) and now it's being - enforced also at code level. - -New deprecations - * mbedtls_x509write_crt_set_serial() is now being deprecated in favor of - mbedtls_x509write_crt_set_serial_raw(). The goal here is to remove any - direct dependency of X509 on BIGNUM_C. - -Changes - * programs/x509/cert_write: - - now it accepts the serial number in 2 different formats: decimal and - hex. They cannot be used simultaneously - - "serial" is used for the decimal format and it's limted in size to - unsigned long long int - - "serial_hex" is used for the hex format; max length here is - MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN*2 diff --git a/ChangeLog.d/make_sha224_sha384_independent_from_sha256_sha512.txt b/ChangeLog.d/make_sha224_sha384_independent_from_sha256_sha512.txt deleted file mode 100644 index d2c9b35dd..000000000 --- a/ChangeLog.d/make_sha224_sha384_independent_from_sha256_sha512.txt +++ /dev/null @@ -1,4 +0,0 @@ -Features - * SHA224_C/SHA384_C are now independent from SHA384_C/SHA512_C respectively. - This helps in saving code size when some of the above hashes are not - required. diff --git a/ChangeLog.d/mbedtls_ecp_point_read_binary-compressed-fmt.txt b/ChangeLog.d/mbedtls_ecp_point_read_binary-compressed-fmt.txt deleted file mode 100644 index 44253dd3b..000000000 --- a/ChangeLog.d/mbedtls_ecp_point_read_binary-compressed-fmt.txt +++ /dev/null 
@@ -1,6 +0,0 @@
-Features
- * Add support for reading points in compressed format
- (MBEDTLS_ECP_PF_COMPRESSED) with mbedtls_ecp_point_read_binary()
- (and callers) for Short Weierstrass curves with prime p where p = 3 mod 4
- (all mbedtls MBEDTLS_ECP_DP_SECP* and MBEDTLS_ECP_DP_BP* curves
- except MBEDTLS_ECP_DP_SECP224R1 and MBEDTLS_ECP_DP_SECP224K1)
diff --git a/ChangeLog.d/mbedtls_ssl_read_undefined_behavior.txt b/ChangeLog.d/mbedtls_ssl_read_undefined_behavior.txt
deleted file mode 100644
index 1f2c563be..000000000
--- a/ChangeLog.d/mbedtls_ssl_read_undefined_behavior.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Bugfix
- * Fix undefined behavior in mbedtls_ssl_read() and mbedtls_ssl_write() if
- len argument is 0 and buffer is NULL.
diff --git a/ChangeLog.d/mpi-window-perf.txt b/ChangeLog.d/mpi-window-perf.txt
deleted file mode 100644
index 0f75d6af1..000000000
--- a/ChangeLog.d/mpi-window-perf.txt
+++ /dev/null
@@ -1,7 +0,0 @@
-Changes
- * Changed the default MBEDTLS_ECP_WINDOW_SIZE from 6 to 2.
- As tested in issue 6790, the correlation between this define and
- RSA decryption performance has changed lately due to security fixes.
- To fix the performance degradation when using default values the
- window was reduced from 6 to 2, a value that gives the best or close
- to best results when tested on Cortex-M4 and Intel i7.
diff --git a/ChangeLog.d/pk-sign-restartable.txt b/ChangeLog.d/pk-sign-restartable.txt
deleted file mode 100644
index 35da2be13..000000000
--- a/ChangeLog.d/pk-sign-restartable.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Changes
- * When MBEDTLS_USE_PSA_CRYPTO and MBEDTLS_ECDSA_DETERMINISTIC are both
- defined, mbedtls_pk_sign() now use deterministic ECDSA for ECDSA
- signatures. This aligns the behaviour with MBEDTLS_USE_PSA_CRYPTO to
- the behaviour without it, where deterministic ECDSA was already used.
diff --git a/ChangeLog.d/pk_ext-pss_options-public.txt b/ChangeLog.d/pk_ext-pss_options-public.txt
deleted file mode 100644
index b11fa3063..000000000
--- a/ChangeLog.d/pk_ext-pss_options-public.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Bugfix
- * Make the fields of mbedtls_pk_rsassa_pss_options public. This makes it
- possible to verify RSA PSS signatures with the pk module, which was
- inadvertently broken since Mbed TLS 3.0.
diff --git a/ChangeLog.d/pkcs7-parser.txt b/ChangeLog.d/pkcs7-parser.txt
deleted file mode 100644
index b60d187e8..000000000
--- a/ChangeLog.d/pkcs7-parser.txt
+++ /dev/null
@@ -1,15 +0,0 @@
-Features
- * Added partial support for parsing the PKCS #7 Cryptographic Message
- Syntax, as defined in RFC 2315. Currently, support is limited to the
- following:
- - Only the signed-data content type, version 1 is supported.
- - Only DER encoding is supported.
- - Only a single digest algorithm per message is supported.
- - Certificates must be in X.509 format. A message must have either 0
- or 1 certificates.
- - There is no support for certificate revocation lists.
- - The authenticated and unauthenticated attribute fields of SignerInfo
- must be empty.
- Many thanks to Daniel Axtens, Nayna Jain, and Nick Child from IBM for
- contributing this feature, and to Demi-Marie Obenour for contributing
- various improvements, tests and bug fixes.
diff --git a/ChangeLog.d/platform-zeroization.txt b/ChangeLog.d/platform-zeroization.txt
deleted file mode 100644
index f17fbbb96..000000000
--- a/ChangeLog.d/platform-zeroization.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Security
- * Use platform-provided secure zeroization function where possible, such as
- explicit_bzero().
diff --git a/ChangeLog.d/psa-alt-headers.txt b/ChangeLog.d/psa-alt-headers.txt
deleted file mode 100644
index 95556290a..000000000
--- a/ChangeLog.d/psa-alt-headers.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Features
- * The configuration macros MBEDTLS_PSA_CRYPTO_PLATFORM_FILE and
- MBEDTLS_PSA_CRYPTO_STRUCT_FILE specify alternative locations for
- the headers "psa/crypto_platform.h" and "psa/crypto_struct.h".
diff --git a/ChangeLog.d/psa-mbedtls-error-translations.txt b/ChangeLog.d/psa-mbedtls-error-translations.txt
deleted file mode 100644
index 366f03b63..000000000
--- a/ChangeLog.d/psa-mbedtls-error-translations.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-New deprecations
- * PSA to mbedtls error translation is now unified in psa_util.h,
- deprecating mbedtls_md_error_from_psa. Each file that performs error
- translation should define its own version of PSA_TO_MBEDTLS_ERR,
- optionally providing file-specific error pairs. Please see psa_util.h for
- more details.
diff --git a/ChangeLog.d/psa_alg_tls12_ecjpake_to_pms-reject_ka.txt b/ChangeLog.d/psa_alg_tls12_ecjpake_to_pms-reject_ka.txt
deleted file mode 100644
index cfea66136..000000000
--- a/ChangeLog.d/psa_alg_tls12_ecjpake_to_pms-reject_ka.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Bugfix
- * The key derivation algorithm PSA_ALG_TLS12_ECJPAKE_TO_PMS cannot be
- used on a shared secret from a key agreement since its input must be
- an ECC public key. Reject this properly.
diff --git a/ChangeLog.d/reduce-cpu-modifiers-to-file-scope.txt b/ChangeLog.d/reduce-cpu-modifiers-to-file-scope.txt
deleted file mode 100644
index 9bfc80c99..000000000
--- a/ChangeLog.d/reduce-cpu-modifiers-to-file-scope.txt
+++ /dev/null
@@ -1,12 +0,0 @@
-Bugfix
- * Fix an issue when compiling with MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT
- enabled, which required specifying compiler flags enabling SHA3 Crypto
- Extensions, where some compilers would emit EOR3 instructions in other
- modules, which would then fail if run on a CPU without the SHA3
- extensions. Fixes #5758.
-
-Changes
- * When enabling MBEDTLS_SHA256_USE_A64_CRYPTO_* or
- MBEDTLS_SHA512_USE_A64_CRYPTO_*, it is no longer necessary to specify
- compiler target flags on the command line; the library now sets target
- options within the appropriate modules.
diff --git a/ChangeLog.d/rsa-padding-accessor.txt b/ChangeLog.d/rsa-padding-accessor.txt
deleted file mode 100644
index ad1468674..000000000
--- a/ChangeLog.d/rsa-padding-accessor.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Features
- * Add functions mbedtls_rsa_get_padding_mode() and mbedtls_rsa_get_md_alg()
- to read non-public fields for padding mode and hash id from
- an mbedtls_rsa_context, as requested in #6917.
diff --git a/ChangeLog.d/san_csr.txt b/ChangeLog.d/san_csr.txt
deleted file mode 100644
index b5c6cf3cb..000000000
--- a/ChangeLog.d/san_csr.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-Features
- * Add support to include the SubjectAltName extension to a CSR.
diff --git a/ChangeLog.d/san_rfc822Name.txt b/ChangeLog.d/san_rfc822Name.txt
deleted file mode 100644
index 9720e5275..000000000
--- a/ChangeLog.d/san_rfc822Name.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Features
- * Add parsing of rfc822Name subtype for subjectAltName
- extension in x509 certificates.
diff --git a/ChangeLog.d/tls13-only-renegotiation.txt b/ChangeLog.d/tls13-only-renegotiation.txt
deleted file mode 100644
index f463de1af..000000000
--- a/ChangeLog.d/tls13-only-renegotiation.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Bugfix
- * Fix the handling of renegotiation attempts in TLS 1.3. They are now
- systematically rejected.
- * Fix an unused-variable warning in TLS 1.3-only builds if
- MBEDTLS_SSL_RENEGOTIATION was enabled. Fixes #6200.
diff --git a/ChangeLog.d/tls13-reorder-ciphersuite-preference-list.txt b/ChangeLog.d/tls13-reorder-ciphersuite-preference-list.txt
deleted file mode 100644
index 1d3406854..000000000
--- a/ChangeLog.d/tls13-reorder-ciphersuite-preference-list.txt
+++ /dev/null
@@ -1,12 +0,0 @@
-Default behavior changes
- * The default priority order of TLS 1.3 cipher suites has been modified to
- follow the same rules as the TLS 1.2 cipher suites (see
- ssl_ciphersuites.c). The preferred cipher suite is now
- TLS_CHACHA20_POLY1305_SHA256.
-
-Bugfix
- * In the TLS 1.3 server, select the preferred client cipher suite, not the
- least preferred. The selection error was introduced in Mbed TLS 3.3.0.
- * Fix TLS 1.3 session resumption when the established pre-shared key is
- 384 bits long. That is the length of pre-shared keys created under a
- session where the cipher suite is TLS_AES_256_GCM_SHA384.
diff --git a/ChangeLog.d/vs2013.txt b/ChangeLog.d/vs2013.txt
deleted file mode 100644
index 6fe7a5e7f..000000000
--- a/ChangeLog.d/vs2013.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Changes
- * Visual Studio: Rename the directory containing Visual Studio files from
- visualc/VS2010 to visualc/VS2013 as we do not support building with versions
- older than 2013. Update the solution file to specify VS2013 as a minimum.
diff --git a/ChangeLog.d/workaround_gnutls_anti_replay_fail.txt b/ChangeLog.d/workaround_gnutls_anti_replay_fail.txt
deleted file mode 100644
index cebc2b7ef..000000000
--- a/ChangeLog.d/workaround_gnutls_anti_replay_fail.txt
+++ /dev/null
@@ -1,7 +0,0 @@
-Bugfix
- * In TLS 1.3, when using a ticket for session resumption, tweak its age
- calculation on the client side. It prevents a server with more accurate
- ticket timestamps (typically timestamps in milliseconds) compared to the
- Mbed TLS ticket timestamps (in seconds) to compute a ticket age smaller
- than the age computed and transmitted by the client and thus potentially
- reject the ticket. Fix #6623.
diff --git a/ChangeLog.d/x509-subaltname-ext.txt b/ChangeLog.d/x509-subaltname-ext.txt
deleted file mode 100644
index 7845f181a..000000000
--- a/ChangeLog.d/x509-subaltname-ext.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Bugfix
- * Fix parsing of X.509 SubjectAlternativeName extension. Previously,
- malformed alternative name components were not caught during initial
- certificate parsing, but only on subsequent calls to
- mbedtls_x509_parse_subject_alt_name(). Fixes #2838.