Update Changelog for 2.26.0
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
diff --git a/ChangeLog b/ChangeLog
index 184bd09..a6d4adf 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,116 @@
mbed TLS ChangeLog (Sorted per branch, date)
+= mbed TLS 2.26.0 branch released 2021-03-08
+
+API changes
+ * Renamed the PSA Crypto API output buffer size macros to bring them in line
+ with version 1.0.0 of the specification.
+ * The API glue function mbedtls_ecc_group_of_psa() now takes the curve size
+ in bits rather than bytes, with an additional flag to indicate if the
+ size may have been rounded up to a whole number of bytes.
+ * Renamed the PSA Crypto API AEAD tag length macros to bring them in line
+ with version 1.0.0 of the specification.
+
+Default behavior changes
+ * In mbedtls_rsa_context objects, the ver field was formerly documented
+ as always 0. It is now reserved for internal purposes and may take
+ different values.
+
+New deprecations
+ * PSA_KEY_EXPORT_MAX_SIZE, PSA_HASH_SIZE, PSA_MAC_FINAL_SIZE,
+ PSA_BLOCK_CIPHER_BLOCK_SIZE, PSA_MAX_BLOCK_CIPHER_BLOCK_SIZE and
+ PSA_ALG_TLS12_PSK_TO_MS_MAX_PSK_LEN have been renamed, and the old names
+ deprecated.
+ * PSA_ALG_AEAD_WITH_DEFAULT_TAG_LENGTH and PSA_ALG_AEAD_WITH_TAG_LENGTH
+ have been renamed, and the old names deprecated.
+
+Features
+ * The PSA crypto subsystem can now use HMAC_DRBG instead of CTR_DRBG.
+ CTR_DRBG is used by default if it is available, but you can override
+ this choice by setting MBEDTLS_PSA_HMAC_DRBG_MD_TYPE at compile time.
+ Fix #3354.
+ * Automatic fallback to a software implementation of ECP when
+ MBEDTLS_ECP_xxx_ALT accelerator hooks are in use can now be turned off
+ through setting the new configuration flag MBEDTLS_ECP_NO_FALLBACK.
+ * The PSA crypto subsystem can now be configured to use less static RAM by
+ tweaking the setting for the maximum amount of keys simultaneously in RAM.
+ MBEDTLS_PSA_KEY_SLOT_COUNT sets the maximum number of volatile keys that
+ can exist simultaneously. It has a sensible default if not overridden.
+ * Partial implementation of the PSA crypto driver interface: Mbed TLS can
+ now use an external random generator instead of the library's own
+ entropy collection and DRBG code. Enable MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG
+ and see the documentation of mbedtls_psa_external_get_random() for details.
+ * Applications using both mbedtls_xxx and psa_xxx functions (for example,
+ applications using TLS and MBEDTLS_USE_PSA_CRYPTO) can now use the PSA
+ random generator with mbedtls_xxx functions. See the documentation of
+ mbedtls_psa_get_random() for details.
+ * In the PSA API, the policy for a MAC or AEAD algorithm can specify a
+ minimum MAC or tag length thanks to the new wildcards
+ PSA_ALG_AT_LEAST_THIS_LENGTH_MAC and
+ PSA_ALG_AEAD_WITH_AT_LEAST_THIS_LENGTH_TAG.
+
+Security
+ * Fix a security reduction in CTR_DRBG when the initial seeding obtained a
+ nonce from entropy. Applications were affected if they called
+ mbedtls_ctr_drbg_set_nonce_len(), if they called
+ mbedtls_ctr_drbg_set_entropy_len() with a size that was 3/2 times the key
+ length, or when the entropy module uses SHA-256 and CTR_DRBG uses AES-256.
+ In such cases, a random nonce was necessary to achieve the advertised
+ security strength, but the code incorrectly used a constant instead of
+ entropy from the nonce.
+ Found by John Stroebel in #3819 and fixed in #3973.
+ * Fix a buffer overflow in mbedtls_mpi_sub_abs() when calculating
+ |A| - |B| where |B| is larger than |A| and has more limbs (so the
+ function should return MBEDTLS_ERR_MPI_NEGATIVE_VALUE). Only
+ applications calling mbedtls_mpi_sub_abs() directly are affected:
+ all calls inside the library were safe since this function is
+ only called with |A| >= |B|. Reported by Guido Vranken in #4042.
+ * Fix an errorneous estimation for an internal buffer in
+ mbedtls_pk_write_key_pem(). If MBEDTLS_MPI_MAX_SIZE is set to an odd
+ value the function might fail to write a private RSA keys of the largest
+ supported size.
+ Found by Daniel Otte, reported in #4093 and fixed in #4094.
+ * Fix a stack buffer overflow with mbedtls_net_poll() and
+ mbedtls_net_recv_timeout() when given a file descriptor that is
+ beyond FD_SETSIZE. Reported by FigBug in #4169.
+ * Guard against strong local side channel attack against base64 tables by
+ making access aceess to them use constant flow code.
+
+Bugfix
+ * Fix use-after-scope error in programs/ssl/ssl_client2.c and ssl_server2.c
+ * Fix memory leak that occured when calling psa_close_key() on a
+ wrapped key with MBEDTLS_PSA_CRYPTO_SE_C defined.
+ * Fix an incorrect error code if an RSA private operation glitched.
+ * Fix a memory leak in an error case in psa_generate_derived_key_internal().
+ * Fix a resource leak in CTR_DRBG and HMAC_DRBG when MBEDTLS_THREADING_C
+ is enabled, on platforms where initializing a mutex allocates resources.
+ This was a regression introduced in the previous release. Reported in
+ #4017, #4045 and #4071.
+ * Ensure that calling mbedtls_rsa_free() or mbedtls_entropy_free()
+ twice is safe. This happens for RSA when some Mbed TLS library functions
+ fail. Such a double-free was not safe when MBEDTLS_THREADING_C was
+ enabled on platforms where freeing a mutex twice is not safe.
+ * Fix a resource leak in a bad-arguments case of mbedtls_rsa_gen_key()
+ when MBEDTLS_THREADING_C is enabled on platforms where initializing
+ a mutex allocates resources.
+ * Fixes a bug where, if the library was configured to include support for
+ both the old SE interface and the new PSA driver interface, external keys were
+ not loaded from storage. This was fixed by #3996.
+ * This change makes 'mbedtls_x509write_crt_set_basic_constraints'
+ consistent with RFC 5280 4.2.1.9 which says: "Conforming CAs MUST
+ include this extension in all CA certificates that contain public keys
+ used to validate digital signatures on certificates and MUST mark the
+ extension as critical in such certificates." Previous to this change,
+ the extension was always marked as non-critical. This was fixed by
+ #3698.
+
+Changes
+ * A new library C file psa_crypto_client.c has been created to contain
+ the PSA code needed by a PSA crypto client when the PSA crypto
+ implementation is not included into the library.
+ * On recent enough versions of FreeBSD and DragonFlyBSD, the entropy module
+ now uses the getrandom syscall instead of reading from /dev/urandom.
+
= mbed TLS 2.25.0 branch released 2020-12-11
API changes
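Review bot: The added 2.26.0 text carries spelling errors over from the ChangeLog.d fragments, and they should be fixed here before the release: "errorneous" and "a private RSA keys" in the mbedtls_pk_write_key_pem() entry, the doubled "access aceess" in the base64 entry, and "occured" in the psa_close_key() entry. In the HMAC_DRBG feature entry, "Fix #3354." reads like a commit trailer; "Fixes #3354." would match the "fixed in" / "fixed by" phrasing of the other entries. The use-after-scope Bugfix entry is also the only one without a closing period.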
diff --git a/ChangeLog.d/basic-constraints-critical.txt b/ChangeLog.d/basic-constraints-critical.txt
deleted file mode 100644
index 72e706e..0000000
--- a/ChangeLog.d/basic-constraints-critical.txt
+++ /dev/null
@@ -1,8 +0,0 @@
-Bugfix
- * This change makes 'mbedtls_x509write_crt_set_basic_constraints'
- consistent with RFC 5280 4.2.1.9 which says: "Conforming CAs MUST
- include this extension in all CA certificates that contain public keys
- used to validate digital signatures on certificates and MUST mark the
- extension as critical in such certificates." Previous to this change,
- the extension was always marked as non-critical. This was fixed by
- #3698.
diff --git a/ChangeLog.d/drbg-mutex.txt b/ChangeLog.d/drbg-mutex.txt
deleted file mode 100644
index 3ac5abf..0000000
--- a/ChangeLog.d/drbg-mutex.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Bugfix
- * Fix a resource leak in CTR_DRBG and HMAC_DRBG when MBEDTLS_THREADING_C
- is enabled, on platforms where initializing a mutex allocates resources.
- This was a regression introduced in the previous release. Reported in
- #4017, #4045 and #4071.
diff --git a/ChangeLog.d/external-wrapped-keys.txt b/ChangeLog.d/external-wrapped-keys.txt
deleted file mode 100644
index ca29e0d..0000000
--- a/ChangeLog.d/external-wrapped-keys.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Bugfix
- * Fixes a bug where, if the library was configured to include support for
- both the old SE interface and the new PSA driver interface, external keys were
- not loaded from storage. This was fixed by #3996.
diff --git a/ChangeLog.d/fix_psa_crypto_leak.txt b/ChangeLog.d/fix_psa_crypto_leak.txt
deleted file mode 100644
index 6f9e5fe..0000000
--- a/ChangeLog.d/fix_psa_crypto_leak.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-Bugfix
- * Fix a memory leak in an error case in psa_generate_derived_key_internal().
diff --git a/ChangeLog.d/getentropy.txt b/ChangeLog.d/getentropy.txt
deleted file mode 100644
index 460798f..0000000
--- a/ChangeLog.d/getentropy.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Changes
- * On recent enough versions of FreeBSD and DragonFlyBSD, the entropy module
- now uses the getrandom syscall instead of reading from /dev/urandom.
diff --git a/ChangeLog.d/issue3819.txt b/ChangeLog.d/issue3819.txt
deleted file mode 100644
index e41520f..0000000
--- a/ChangeLog.d/issue3819.txt
+++ /dev/null
@@ -1,10 +0,0 @@
-Security
- * Fix a security reduction in CTR_DRBG when the initial seeding obtained a
- nonce from entropy. Applications were affected if they called
- mbedtls_ctr_drbg_set_nonce_len(), if they called
- mbedtls_ctr_drbg_set_entropy_len() with a size that was 3/2 times the key
- length, or when the entropy module uses SHA-256 and CTR_DRBG uses AES-256.
- In such cases, a random nonce was necessary to achieve the advertised
- security strength, but the code incorrectly used a constant instead of
- entropy from the nonce.
- Found by John Stroebel in #3819 and fixed in #3973.
diff --git a/ChangeLog.d/issue4093.txt b/ChangeLog.d/issue4093.txt
deleted file mode 100644
index f6985cf..0000000
--- a/ChangeLog.d/issue4093.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-Security
- * Fix an errorneous estimation for an internal buffer in
- mbedtls_pk_write_key_pem(). If MBEDTLS_MPI_MAX_SIZE is set to an odd
- value the function might fail to write a private RSA keys of the largest
- supported size.
- Found by Daniel Otte, reported in #4093 and fixed in #4094.
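Review bot: This fragment is filed under Security, and the merged ChangeLog keeps it there, but the text only says that mbedtls_pk_write_key_pem() "might fail to write" a key when MBEDTLS_MPI_MAX_SIZE is odd. Either state the security consequence of the wrong buffer estimate, or move the entry to Bugfix, so that users triaging the Security section can tell whether they need to act.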
diff --git a/ChangeLog.d/make_base64_table_access_constant_flow.txt b/ChangeLog.d/make_base64_table_access_constant_flow.txt
deleted file mode 100644
index 733c972..0000000
--- a/ChangeLog.d/make_base64_table_access_constant_flow.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Security
- * Guard against strong local side channel attack against base64 tables by
- making access aceess to them use constant flow code.
-
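Review bot: Unlike the other Security entries, the base64 entry names no reporter, issue or pull request, and does not say which functions are affected. Since the text is carried verbatim into ChangeLog, add the reference and name the affected functions so users can judge their exposure, and drop the trailing blank line that this fragment ends with.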
diff --git a/ChangeLog.d/mbedtls_ecc_group_of_psa.txt b/ChangeLog.d/mbedtls_ecc_group_of_psa.txt
deleted file mode 100644
index bce4c66..0000000
--- a/ChangeLog.d/mbedtls_ecc_group_of_psa.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-API changes
- * The API glue function mbedtls_ecc_group_of_psa() now takes the curve size
- in bits rather than bytes, with an additional flag to indicate if the
- size may have been rounded up to a whole number of bytes.
diff --git a/ChangeLog.d/mbedtls_psa_get_random.txt b/ChangeLog.d/mbedtls_psa_get_random.txt
deleted file mode 100644
index f6e6b09..0000000
--- a/ChangeLog.d/mbedtls_psa_get_random.txt
+++ /dev/null
@@ -1,9 +0,0 @@
-Features
- * Partial implementation of the PSA crypto driver interface: Mbed TLS can
- now use an external random generator instead of the library's own
- entropy collection and DRBG code. Enable MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG
- and see the documentation of mbedtls_psa_external_get_random() for details.
- * Applications using both mbedtls_xxx and psa_xxx functions (for example,
- applications using TLS and MBEDTLS_USE_PSA_CRYPTO) can now use the PSA
- random generator with mbedtls_xxx functions. See the documentation of
- mbedtls_psa_get_random() for details.
diff --git a/ChangeLog.d/mpi_sub_abs.txt b/ChangeLog.d/mpi_sub_abs.txt
deleted file mode 100644
index 9f34ee7..0000000
--- a/ChangeLog.d/mpi_sub_abs.txt
+++ /dev/null
@@ -1,7 +0,0 @@
-Security
- * Fix a buffer overflow in mbedtls_mpi_sub_abs() when calculating
- |A| - |B| where |B| is larger than |A| and has more limbs (so the
- function should return MBEDTLS_ERR_MPI_NEGATIVE_VALUE). Only
- applications calling mbedtls_mpi_sub_abs() directly are affected:
- all calls inside the library were safe since this function is
- only called with |A| >= |B|. Reported by Guido Vranken in #4042.
diff --git a/ChangeLog.d/net_poll-fd_setsize.txt b/ChangeLog.d/net_poll-fd_setsize.txt
deleted file mode 100644
index e4db8c7..0000000
--- a/ChangeLog.d/net_poll-fd_setsize.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Security
- * Fix a stack buffer overflow with mbedtls_net_poll() and
- mbedtls_net_recv_timeout() when given a file descriptor that is
- beyond FD_SETSIZE. Reported by FigBug in #4169.
diff --git a/ChangeLog.d/no_ecp_fallback.txt b/ChangeLog.d/no_ecp_fallback.txt
deleted file mode 100644
index f61d311..0000000
--- a/ChangeLog.d/no_ecp_fallback.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Features
- * Automatic fallback to a software implementation of ECP when
- MBEDTLS_ECP_xxx_ALT accelerator hooks are in use can now be turned off
- through setting the new configuration flag MBEDTLS_ECP_NO_FALLBACK.
diff --git a/ChangeLog.d/programs-ssl-use-after-scope.txt b/ChangeLog.d/programs-ssl-use-after-scope.txt
deleted file mode 100644
index 64bea61..0000000
--- a/ChangeLog.d/programs-ssl-use-after-scope.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-Bugfix
- * Fix use-after-scope error in programs/ssl/ssl_client2.c and ssl_server2.c
diff --git a/ChangeLog.d/psa-crypto-api-rename-aead-tag-length-macros.txt b/ChangeLog.d/psa-crypto-api-rename-aead-tag-length-macros.txt
deleted file mode 100644
index 58c5e4f..0000000
--- a/ChangeLog.d/psa-crypto-api-rename-aead-tag-length-macros.txt
+++ /dev/null
@@ -1,7 +0,0 @@
-API changes
- * Renamed the PSA Crypto API AEAD tag length macros to bring them in line
- with version 1.0.0 of the specification.
-
-New deprecations
- * PSA_ALG_AEAD_WITH_DEFAULT_TAG_LENGTH and PSA_ALG_AEAD_WITH_TAG_LENGTH
- have been renamed, and the old names deprecated.
diff --git a/ChangeLog.d/psa-crypto-client.txt b/ChangeLog.d/psa-crypto-client.txt
deleted file mode 100644
index 3070ee9..0000000
--- a/ChangeLog.d/psa-crypto-client.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Changes
- * A new library C file psa_crypto_client.c has been created to contain
- the PSA code needed by a PSA crypto client when the PSA crypto
- implementation is not included into the library.
diff --git a/ChangeLog.d/psa-crypto-hmac-drbg.txt b/ChangeLog.d/psa-crypto-hmac-drbg.txt
deleted file mode 100644
index 18a0d1b..0000000
--- a/ChangeLog.d/psa-crypto-hmac-drbg.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Features
- * The PSA crypto subsystem can now use HMAC_DRBG instead of CTR_DRBG.
- CTR_DRBG is used by default if it is available, but you can override
- this choice by setting MBEDTLS_PSA_HMAC_DRBG_MD_TYPE at compile time.
- Fix #3354.
diff --git a/ChangeLog.d/psa-crypto-new-wildcard-policies.txt b/ChangeLog.d/psa-crypto-new-wildcard-policies.txt
deleted file mode 100644
index 56fbbc9..0000000
--- a/ChangeLog.d/psa-crypto-new-wildcard-policies.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Features
- * In the PSA API, the policy for a MAC or AEAD algorithm can specify a
- minimum MAC or tag length thanks to the new wildcards
- PSA_ALG_AT_LEAST_THIS_LENGTH_MAC and
- PSA_ALG_AEAD_WITH_AT_LEAST_THIS_LENGTH_TAG.
diff --git a/ChangeLog.d/psa-crypto-rename-output-buffer-size-macros.txt b/ChangeLog.d/psa-crypto-rename-output-buffer-size-macros.txt
deleted file mode 100644
index 1e8fb5f..0000000
--- a/ChangeLog.d/psa-crypto-rename-output-buffer-size-macros.txt
+++ /dev/null
@@ -1,9 +0,0 @@
-API changes
- * Renamed the PSA Crypto API output buffer size macros to bring them in line
- with version 1.0.0 of the specification.
-
-New deprecations
- * PSA_KEY_EXPORT_MAX_SIZE, PSA_HASH_SIZE, PSA_MAC_FINAL_SIZE,
- PSA_BLOCK_CIPHER_BLOCK_SIZE, PSA_MAX_BLOCK_CIPHER_BLOCK_SIZE and
- PSA_ALG_TLS12_PSK_TO_MS_MAX_PSK_LEN have been renamed, and the old names
- deprecated.
diff --git a/ChangeLog.d/psa_allow_tweaking_library_configuration.txt b/ChangeLog.d/psa_allow_tweaking_library_configuration.txt
deleted file mode 100644
index 78b082c..0000000
--- a/ChangeLog.d/psa_allow_tweaking_library_configuration.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Features
- * The PSA crypto subsystem can now be configured to use less static RAM by
- tweaking the setting for the maximum amount of keys simultaneously in RAM.
- MBEDTLS_PSA_KEY_SLOT_COUNT sets the maximum number of volatile keys that
- can exist simultaneously. It has a sensible default if not overridden.
diff --git a/ChangeLog.d/psa_close_key_memory_leak_fix.txt b/ChangeLog.d/psa_close_key_memory_leak_fix.txt
deleted file mode 100644
index 91ce174..0000000
--- a/ChangeLog.d/psa_close_key_memory_leak_fix.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Bugfix
- * Fix memory leak that occured when calling psa_close_key() on a
- wrapped key with MBEDTLS_PSA_CRYPTO_SE_C defined.
diff --git a/ChangeLog.d/rsa-mutex.txt b/ChangeLog.d/rsa-mutex.txt
deleted file mode 100644
index 2a477a9..0000000
--- a/ChangeLog.d/rsa-mutex.txt
+++ /dev/null
@@ -1,13 +0,0 @@
-Bugfix
- * Ensure that calling mbedtls_rsa_free() or mbedtls_entropy_free()
- twice is safe. This happens for RSA when some Mbed TLS library functions
- fail. Such a double-free was not safe when MBEDTLS_THREADING_C was
- enabled on platforms where freeing a mutex twice is not safe.
- * Fix a resource leak in a bad-arguments case of mbedtls_rsa_gen_key()
- when MBEDTLS_THREADING_C is enabled on platforms where initializing
- a mutex allocates resources.
-
-Default behavior changes
- * In mbedtls_rsa_context objects, the ver field was formerly documented
- as always 0. It is now reserved for internal purposes and may take
- different values.
diff --git a/ChangeLog.d/rsa_private-ret.txt b/ChangeLog.d/rsa_private-ret.txt
deleted file mode 100644
index b965cea..0000000
--- a/ChangeLog.d/rsa_private-ret.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-Bugfix
- * Fix an incorrect error code if an RSA private operation glitched.