Assemble ChangeLog
Executed scripts/assemble_changelog.py.
Signed-off-by: Janos Follath <janos.follath@arm.com>
diff --git a/ChangeLog b/ChangeLog
index 594c3cf..f8cd778 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,176 @@
mbed TLS ChangeLog (Sorted per branch, date)
+= mbed TLS x.x.x branch released xxxx-xx-xx
+
+API changes
+ * The numerical values of the PSA Crypto API macros have been updated to
+ conform to version 1.0.0 of the specification.
+ * PSA_ALG_STREAM_CIPHER replaces PSA_ALG_CHACHA20 and PSA_ALG_ARC4.
+ The underlying stream cipher is determined by the key type
+ (PSA_KEY_TYPE_CHACHA20 or PSA_KEY_TYPE_ARC4).
+ * The functions mbedtls_cipher_auth_encrypt() and
+ mbedtls_cipher_auth_decrypt() no longer accept NIST_KW contexts,
+ as they have no way to check if the output buffer is large enough.
+ Please use mbedtls_cipher_auth_encrypt_ext() and
+ mbedtls_cipher_auth_decrypt_ext() instead. Credit to OSS-Fuzz and
+ Cryptofuzz. Fixes #3665.
+
+Requirement changes
+ * Update the minimum required CMake version to 2.8.12.
+ * This silences a warning on CMake 3.19.0. #3801
+
+New deprecations
+ * PSA_KEY_TYPE_CHACHA20 and PSA_KEY_TYPE_ARC4 have been deprecated.
+ Use PSA_ALG_STREAM_CIPHER instead.
+ * The functions mbedtls_cipher_auth_encrypt() and
+ mbedtls_cipher_auth_decrypt() are deprecated in favour of the new
+ functions mbedtls_cipher_auth_encrypt_ext() and
+ mbedtls_cipher_auth_decrypt_ext(). Please note that with AEAD ciphers,
+ these new functions always append the tag to the ciphertext, and include
+ the tag in the ciphertext length.
+
+Features
+ * Partial implementation of the new PSA Crypto accelerator APIs for
+ enabling key generation and asymmetric signing/verification through crypto
+ accelerators. Contributed by Steven Cooreman in #3501.
+ * Add support for ECB to the PSA cipher API.
+ * Partial implementation of the new PSA Crypto accelerator APIs for
+ enabling symmetric cipher acceleration through crypto accelerators.
+ Contributed by Steven Cooreman in #3644.
+ * In PSA, allow using a key declared with a base key agreement algorithm
+ in combined key agreement and derivation operations, as long as the key
+ agreement algorithm in use matches the algorithm the key was declared with.
+ This is currently non-standard behaviour, but expected to make it into a
+ future revision of the PSA Crypto standard.
+ * Add MBEDTLS_TARGET_PREFIX CMake variable, which is prefixed to the mbedtls,
+ mbedcrypto, mbedx509 and apidoc CMake target names. This can be used by
+ external CMake projects that include this one to avoid CMake target name
+ clashes. The default value of this variable is "", so default target names
+ are unchanged.
+ * Add support for DTLS-SRTP as defined in RFC 5764. Contributed by Johan
+ Pascal, improved by Ron Eldor.
+ * In the PSA API, it is no longer necessary to open persistent keys:
+ operations now accept the key identifier. The type psa_key_handle_t is now
+ identical to psa_key_id_t instead of being platform-defined. This bridges
+ the last major gap to compliance with the PSA Cryptography specification
+ version 1.0.0. Opening persistent keys is still supported for backward
+ compatibility, but will be deprecated and later removed in future
+ releases.
+ * Implementation of the export_public_key interface for PSA Crypto
+ accelerator drivers, as defined in #3493. Contributed in #3786.
+ * Implementation of the validate_key entry point for PSA Crypto accelerator
+ drivers as defined in #3695.
+ * PSA_AEAD_NONCE_LENGTH, PSA_AEAD_NONCE_MAX_SIZE, PSA_CIPHER_IV_LENGTH and
+ PSA_CIPHER_IV_MAX_SIZE macros have been added as defined in version
+ 1.0.0 of the PSA Crypto API specification.
+
+Security
+ * The functions mbedtls_cipher_auth_encrypt() and
+ mbedtls_cipher_auth_decrypt() would write past the minimum documented
+ size of the output buffer when used with NIST_KW. As a result, code using
+ those functions as documented with NIST_KW could have a buffer overwrite
+ of up to 15 bytes, with consequences ranging up to arbitrary code
+ execution depending on the location of the output buffer.
+ * Limit the size of calculations performed by mbedtls_mpi_exp_mod to
+ MBEDTLS_MPI_MAX_SIZE to prevent a potential denial of service when
+ generating Diffie-Hellman key pairs. Credit to OSS-Fuzz.
+ * A failure of the random generator was ignored in mbedtls_mpi_fill_random(),
+ which is how most uses of randomization in asymmetric cryptography
+ (including key generation, intermediate value randomization and blinding)
+ are implemented. This could cause failures or the silent use of non-random
+ values. A random generator can fail if it needs reseeding and cannot not
+ obtain entropy, or due to an internal failure (which, for Mbed TLS's own
+ CTR_DRBG or HMAC_DRBG, can only happen due to a misconfiguration).
+ * Fix a compliance issue whereby we were not checking the tag on the
+ algorithm parameters (only the size) when comparing the signature in the
+ description part of the cert to the real signature. This meant that a
+ NULL algorithm parameters entry would look identical to an array of REAL
+ (size zero) to the library and thus the certificate would be considered
+ valid. However, if the parameters do not match in *any* way then the
+ certificate should be considered invalid, and indeed OpenSSL marks these
+ certs as invalid when mbedtls did not.
+ Many thanks to guidovranken who found this issue via differential fuzzing
+ and reported it in #3629.
+ * Zeroising of local buffers and variables which are used for calculations
+ in mbedtls_pkcs5_pbkdf2_hmac(), mbedtls_internal_sha*_process(),
+ mbedtls_internal_md*_process() and mbedtls_internal_ripemd160_process()
+ functions to erase sensitive data from memory. Reported by
+ Johan Malmgren and Johan Uppman Bruce from Sectra.
+
+Bugfix
+ * Fix build failure in configurations where MBEDTLS_USE_PSA_CRYPTO is
+ enabled but ECDSA is disabled. Contributed by jdurkop. Fixes #3294.
+ * Include the psa_constant_names generated source code in the source tree
+ instead of generating it at build time. Fixes #3524.
+ * Fix rsa_prepare_blinding() to retry when the blinding value is not
+ invertible (mod N), instead of returning MBEDTLS_ERR_RSA_RNG_FAILED. This
+ addresses a regression but is rare in practice (approx. 1 in 2/sqrt(N)).
+ Found by Synopsys Coverity, fix contributed by Peter Kolbus (Garmin).
+ Fixes #3647.
+ * Use socklen_t on Android and other POSIX-compliant system
+ * Fix the build when the macro _GNU_SOURCE is defined to a non-empty value.
+ Fix #3432.
+ * Consistently return PSA_ERROR_INVALID_ARGUMENT on invalid cipher input
+ sizes (instead of PSA_ERROR_BAD_STATE in some cases) to make the
+ psa_cipher_* functions compliant with the PSA Crypto API specification.
+ * mbedtls_ecp_curve_list() now lists Curve25519 and Curve448 under the names
+ "x25519" and "x448". These curves support ECDH but not ECDSA. If you need
+ only the curves that support ECDSA, filter the list with
+ mbedtls_ecdsa_can_do().
+ * Fix psa_generate_key() returning an error when asked to generate
+ an ECC key pair on Curve25519 or secp244k1.
+ * Fix psa_key_derivation_output_key() to allow the output of a combined key
+ agreement and subsequent key derivation operation to be used as a key
+ inside of the PSA Crypto core.
+ * Fix handling of EOF against 0xff bytes and on platforms with unsigned
+ chars. Fixes a build failure on platforms where char is unsigned. Fixes
+ #3794.
+ * Fix an off-by-one error in the additional data length check for
+ CCM, which allowed encryption with a non-standard length field.
+ Fixes #3719.
+ * Correct the default IV size for mbedtls_cipher_info_t structures using
+ MBEDTLS_MODE_ECB to 0, since ECB mode ciphers don't use IVs.
+ * Make arc4random_buf available on NetBSD and OpenBSD when _POSIX_C_SOURCE is
+ defined. Fix contributed in #3571.
+ * Fix conditions for including string.h in error.c. Fixes #3866.
+ * psa_set_key_id() now also sets the lifetime to persistent for keys located
+ in a secure element.
+ * Attempting to create a volatile key with a non-zero key identifier now
+ fails. Previously the key identifier was just ignored when creating a
+ volatile key.
+ * Attempting to create or register a key with a key identifier in the vendor
+ range now fails.
+ * Fix build failures on GCC 11. Fixes #3782.
+ * Add missing arguments of debug message in mbedtls_ssl_decrypt_buf.
+ * Fix a memory leak in mbedtls_mpi_sub_abs() when the result was negative
+ (an error condition) and the second operand was aliased to the result.
+ * Fix a case in elliptic curve arithmetic where an out-of-memory condition
+ could go undetected, resulting in an incorrect result.
+ * In CTR_DRBG and HMAC_DRBG, don't reset the reseed interval in seed().
+ Fixes #2927.
+ * In PEM writing functions, fill the trailing part of the buffer with null
+ bytes. This guarantees that the corresponding parsing function can read
+ the buffer back, which was the case for mbedtls_x509write_{crt,csr}_pem
+ until this property was inadvertently broken in Mbed TLS 2.19.0.
+ Fixes #3682.
+ * Fix a build failure that occurred with the MBEDTLS_AES_SETKEY_DEC_ALT
+ option on. In this configuration key management methods that are required
+ for MBEDTLS_CIPHER_MODE_XTS were excluded from the build and made it fail.
+ Fixes #3818. Reported by John Stroebel.
+
+Changes
+ * Reduce stack usage significantly during sliding window exponentiation.
+ Reported in #3591 and fix contributed in #3592 by Daniel Otte.
+ * The PSA persistent storage format is updated to always store the key bits
+ attribute. No automatic upgrade path is provided. Previously stored keys
+ must be erased, or manually upgraded based on the key storage format
+ specification (docs/architecture/mbed-crypto-storage-specification.md).
+ Fixes #3740.
+ * Remove the zeroization of a pointer variable in AES rounds. It was valid
+ but spurious and misleading since it looked like a mistaken attempt to
+ zeroize the pointed-to buffer. Reported by Antonio de la Piedra, CEA
+ Leti, France.
+
= mbed TLS 2.24.0 branch released 2020-09-01
API changes
diff --git a/ChangeLog.d/AES_SETKEY_ALT-fix.txt b/ChangeLog.d/AES_SETKEY_ALT-fix.txt
deleted file mode 100644
index a0d1679..0000000
--- a/ChangeLog.d/AES_SETKEY_ALT-fix.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Bugfix
- * Fix a build failure that occurred with the MBEDTLS_AES_SETKEY_DEC_ALT
- option on. In this configuration key management methods that are required
- for MBEDTLS_CIPHER_MODE_XTS were excluded from the build and made it fail.
- Fixes #3818. Reported by John Stroebel.
diff --git a/ChangeLog.d/_GNU_SOURCE-redefined.txt b/ChangeLog.d/_GNU_SOURCE-redefined.txt
deleted file mode 100644
index 59c8a15..0000000
--- a/ChangeLog.d/_GNU_SOURCE-redefined.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Bugfix
- * Fix the build when the macro _GNU_SOURCE is defined to a non-empty value.
- Fix #3432.
diff --git a/ChangeLog.d/add-aes-ecb-to-psa.txt b/ChangeLog.d/add-aes-ecb-to-psa.txt
deleted file mode 100644
index b0de67c..0000000
--- a/ChangeLog.d/add-aes-ecb-to-psa.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-Features
- * Add support for ECB to the PSA cipher API.
diff --git a/ChangeLog.d/add_MBEDTLS_TARGET_PREFIX_to_cmake.txt b/ChangeLog.d/add_MBEDTLS_TARGET_PREFIX_to_cmake.txt
deleted file mode 100644
index 533f309..0000000
--- a/ChangeLog.d/add_MBEDTLS_TARGET_PREFIX_to_cmake.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-Features
- * Add MBEDTLS_TARGET_PREFIX CMake variable, which is prefixed to the mbedtls,
- mbedcrypto, mbedx509 and apidoc CMake target names. This can be used by
- external CMake projects that include this one to avoid CMake target name
- clashes. The default value of this variable is "", so default target names
- are unchanged.
diff --git a/ChangeLog.d/add_cipher_transparent_driver.txt b/ChangeLog.d/add_cipher_transparent_driver.txt
deleted file mode 100644
index ce6f33d..0000000
--- a/ChangeLog.d/add_cipher_transparent_driver.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Features
- * Partial implementation of the new PSA Crypto accelerator APIs for
- enabling symmetric cipher acceleration through crypto accelerators.
- Contributed by Steven Cooreman in #3644.
diff --git a/ChangeLog.d/add_export_public_key_driver.txt b/ChangeLog.d/add_export_public_key_driver.txt
deleted file mode 100644
index dc13131..0000000
--- a/ChangeLog.d/add_export_public_key_driver.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Features
- * Implementation of the export_public_key interface for PSA Crypto
- accelerator drivers, as defined in #3493. Contributed in #3786.
diff --git a/ChangeLog.d/add_sign_verify_keygen_transparent_driver.txt b/ChangeLog.d/add_sign_verify_keygen_transparent_driver.txt
deleted file mode 100644
index fe43899..0000000
--- a/ChangeLog.d/add_sign_verify_keygen_transparent_driver.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Features
- * Partial implementation of the new PSA Crypto accelerator APIs for
- enabling key generation and asymmetric signing/verification through crypto
- accelerators. Contributed by Steven Cooreman in #3501.
diff --git a/ChangeLog.d/add_validate_key_driver.txt b/ChangeLog.d/add_validate_key_driver.txt
deleted file mode 100644
index 0d56969..0000000
--- a/ChangeLog.d/add_validate_key_driver.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Features
- * Implementation of the validate_key entry point for PSA Crypto accelerator
- drivers as defined in #3695.
diff --git a/ChangeLog.d/adjusting sliding_window_size_PR3592.txt b/ChangeLog.d/adjusting sliding_window_size_PR3592.txt
deleted file mode 100644
index 6089565..0000000
--- a/ChangeLog.d/adjusting sliding_window_size_PR3592.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Changes
- * Reduce stack usage significantly during sliding window exponentiation.
- Reported in #3591 and fix contributed in #3592 by Daniel Otte.
diff --git a/ChangeLog.d/aes-zeroize-pointer.txt b/ChangeLog.d/aes-zeroize-pointer.txt
deleted file mode 100644
index ccc6dc1..0000000
--- a/ChangeLog.d/aes-zeroize-pointer.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Changes
- * Remove the zeroization of a pointer variable in AES rounds. It was valid
- but spurious and misleading since it looked like a mistaken attempt to
- zeroize the pointed-to buffer. Reported by Antonio de la Piedra, CEA
- Leti, France.
diff --git a/ChangeLog.d/android-socklen_t.txt b/ChangeLog.d/android-socklen_t.txt
deleted file mode 100644
index d795a52..0000000
--- a/ChangeLog.d/android-socklen_t.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Bugfix
- * Use socklen_t on Android and other POSIX-compliant system
-
diff --git a/ChangeLog.d/arc4random_buf-implicit.txt b/ChangeLog.d/arc4random_buf-implicit.txt
deleted file mode 100644
index 81c245e..0000000
--- a/ChangeLog.d/arc4random_buf-implicit.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Bugfix
- * Make arc4random_buf available on NetBSD and OpenBSD when _POSIX_C_SOURCE is
- defined. Fix contributed in #3571.
diff --git a/ChangeLog.d/bugfix-2927.txt b/ChangeLog.d/bugfix-2927.txt
deleted file mode 100644
index 2213c6e..0000000
--- a/ChangeLog.d/bugfix-2927.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Bugfix
- * In CTR_DRBG and HMAC_DRBG, don't reset the reseed interval in seed().
- Fixes #2927.
diff --git a/ChangeLog.d/bugfix_3524.txt b/ChangeLog.d/bugfix_3524.txt
deleted file mode 100644
index e3ee01e..0000000
--- a/ChangeLog.d/bugfix_3524.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Bugfix
- * Include the psa_constant_names generated source code in the source tree
- instead of generating it at build time. Fixes #3524.
diff --git a/ChangeLog.d/bugfix_3782.txt b/ChangeLog.d/bugfix_3782.txt
deleted file mode 100644
index a92dffa..0000000
--- a/ChangeLog.d/bugfix_3782.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-Bugfix
- * Fix build failures on GCC 11. Fixes #3782.
diff --git a/ChangeLog.d/bugfix_3794.txt b/ChangeLog.d/bugfix_3794.txt
deleted file mode 100644
index bcb7fbf..0000000
--- a/ChangeLog.d/bugfix_3794.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Bugfix
- * Fix handling of EOF against 0xff bytes and on platforms with unsigned
- chars. Fixes a build failure on platforms where char is unsigned. Fixes
- #3794.
diff --git a/ChangeLog.d/bugfix_PR3294.txt b/ChangeLog.d/bugfix_PR3294.txt
deleted file mode 100644
index a6ea75e..0000000
--- a/ChangeLog.d/bugfix_PR3294.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Bugfix
- * Fix build failure in configurations where MBEDTLS_USE_PSA_CRYPTO is
- enabled but ECDSA is disabled. Contributed by jdurkop. Fixes #3294.
-
diff --git a/ChangeLog.d/cipher-auth-crypt-nist-kw.txt b/ChangeLog.d/cipher-auth-crypt-nist-kw.txt
deleted file mode 100644
index fd18e85..0000000
--- a/ChangeLog.d/cipher-auth-crypt-nist-kw.txt
+++ /dev/null
@@ -1,23 +0,0 @@
-API changes
- * The functions mbedtls_cipher_auth_encrypt() and
- mbedtls_cipher_auth_decrypt() no longer accept NIST_KW contexts,
- as they have no way to check if the output buffer is large enough.
- Please use mbedtls_cipher_auth_encrypt_ext() and
- mbedtls_cipher_auth_decrypt_ext() instead. Credit to OSS-Fuzz and
- Cryptofuzz. Fixes #3665.
-
-Security
- * The functions mbedtls_cipher_auth_encrypt() and
- mbedtls_cipher_auth_decrypt() would write past the minimum documented
- size of the output buffer when used with NIST_KW. As a result, code using
- those functions as documented with NIST_KW could have a buffer overwrite
- of up to 15 bytes, with consequences ranging up to arbitrary code
- execution depending on the location of the output buffer.
-
-New deprecations
- * The functions mbedtls_cipher_auth_encrypt() and
- mbedtls_cipher_auth_decrypt() are deprecated in favour of the new
- functions mbedtls_cipher_auth_encrypt_ext() and
- mbedtls_cipher_auth_decrypt_ext(). Please note that with AEAD ciphers,
- these new functions always append the tag to the ciphertext, and include
- the tag in the ciphertext length.
diff --git a/ChangeLog.d/clean_pem_buffers.txt b/ChangeLog.d/clean_pem_buffers.txt
deleted file mode 100644
index 5f79649..0000000
--- a/ChangeLog.d/clean_pem_buffers.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-Bugfix
- * In PEM writing functions, fill the trailing part of the buffer with null
- bytes. This guarantees that the corresponding parsing function can read
- the buffer back, which was the case for mbedtls_x509write_{crt,csr}_pem
- until this property was inadvertently broken in Mbed TLS 2.19.0.
- Fixes #3682.
diff --git a/ChangeLog.d/ecb_iv_fix.txt b/ChangeLog.d/ecb_iv_fix.txt
deleted file mode 100644
index ae2ae25..0000000
--- a/ChangeLog.d/ecb_iv_fix.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Bugfix
- * Correct the default IV size for mbedtls_cipher_info_t structures using
- MBEDTLS_MODE_ECB to 0, since ECB mode ciphers don't use IVs.
diff --git a/ChangeLog.d/ecp-bignum-error-checks.txt b/ChangeLog.d/ecp-bignum-error-checks.txt
deleted file mode 100644
index 8cad08e..0000000
--- a/ChangeLog.d/ecp-bignum-error-checks.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Bugfix
- * Fix a memory leak in mbedtls_mpi_sub_abs() when the result was negative
- (an error condition) and the second operand was aliased to the result.
- * Fix a case in elliptic curve arithmetic where an out-of-memory condition
- could go undetected, resulting in an incorrect result.
diff --git a/ChangeLog.d/ecp_curve_list.txt b/ChangeLog.d/ecp_curve_list.txt
deleted file mode 100644
index 55745d3..0000000
--- a/ChangeLog.d/ecp_curve_list.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Bugfix
- * mbedtls_ecp_curve_list() now lists Curve25519 and Curve448 under the names
- "x25519" and "x448". These curves support ECDH but not ECDSA. If you need
- only the curves that support ECDSA, filter the list with
- mbedtls_ecdsa_can_do().
diff --git a/ChangeLog.d/error-include-string.txt b/ChangeLog.d/error-include-string.txt
deleted file mode 100644
index 0a12c7b..0000000
--- a/ChangeLog.d/error-include-string.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-Bugfix
- * Fix conditions for including string.h in error.c. Fixes #3866.
diff --git a/ChangeLog.d/feature-dtls-srtp.txt b/ChangeLog.d/feature-dtls-srtp.txt
deleted file mode 100644
index af8bfe8..0000000
--- a/ChangeLog.d/feature-dtls-srtp.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Features
- * Add support for DTLS-SRTP as defined in RFC 5764. Contributed by Johan
- Pascal, improved by Ron Eldor.
diff --git a/ChangeLog.d/fix-rsa-blinding.txt b/ChangeLog.d/fix-rsa-blinding.txt
deleted file mode 100644
index a13572c..0000000
--- a/ChangeLog.d/fix-rsa-blinding.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-Bugfix
- * Fix rsa_prepare_blinding() to retry when the blinding value is not
- invertible (mod N), instead of returning MBEDTLS_ERR_RSA_RNG_FAILED. This
- addresses a regression but is rare in practice (approx. 1 in 2/sqrt(N)).
- Found by Synopsys Coverity, fix contributed by Peter Kolbus (Garmin).
- Fixes #3647.
diff --git a/ChangeLog.d/fix_ccm_add_length_check.txt b/ChangeLog.d/fix_ccm_add_length_check.txt
deleted file mode 100644
index 259399f..0000000
--- a/ChangeLog.d/fix_ccm_add_length_check.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Bugfix
- * Fix an off-by-one error in the additional data length check for
- CCM, which allowed encryption with a non-standard length field.
- Fixes #3719.
-
diff --git a/ChangeLog.d/limit_size_of_diffie_hellman_calculations.txt b/ChangeLog.d/limit_size_of_diffie_hellman_calculations.txt
deleted file mode 100644
index 2ba98d5..0000000
--- a/ChangeLog.d/limit_size_of_diffie_hellman_calculations.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Security
- * Limit the size of calculations performed by mbedtls_mpi_exp_mod to
- MBEDTLS_MPI_MAX_SIZE to prevent a potential denial of service when
- generating Diffie-Hellman key pairs. Credit to OSS-Fuzz.
diff --git a/ChangeLog.d/minimum_cmake_version_PR3802.txt b/ChangeLog.d/minimum_cmake_version_PR3802.txt
deleted file mode 100644
index a24b854..0000000
--- a/ChangeLog.d/minimum_cmake_version_PR3802.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Requirement changes
- * Update the minimum required CMake version to 2.8.12.
- * This silences a warning on CMake 3.19.0. #3801
diff --git a/ChangeLog.d/missing-debug-message-arguments_mbedtls_ssl_decrypt_buf.txt b/ChangeLog.d/missing-debug-message-arguments_mbedtls_ssl_decrypt_buf.txt
deleted file mode 100644
index 2f11264..0000000
--- a/ChangeLog.d/missing-debug-message-arguments_mbedtls_ssl_decrypt_buf.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-Bugfix
- * Add missing arguments of debug message in mbedtls_ssl_decrypt_buf.
diff --git a/ChangeLog.d/mpi_fill_random-rng_failure.txt b/ChangeLog.d/mpi_fill_random-rng_failure.txt
deleted file mode 100644
index 8addf18..0000000
--- a/ChangeLog.d/mpi_fill_random-rng_failure.txt
+++ /dev/null
@@ -1,8 +0,0 @@
-Security
- * A failure of the random generator was ignored in mbedtls_mpi_fill_random(),
- which is how most uses of randomization in asymmetric cryptography
- (including key generation, intermediate value randomization and blinding)
- are implemented. This could cause failures or the silent use of non-random
- values. A random generator can fail if it needs reseeding and cannot not
- obtain entropy, or due to an internal failure (which, for Mbed TLS's own
- CTR_DRBG or HMAC_DRBG, can only happen due to a misconfiguration).
diff --git a/ChangeLog.d/psa-crypto-api-iv-nonce-macros-1.0.0.txt b/ChangeLog.d/psa-crypto-api-iv-nonce-macros-1.0.0.txt
deleted file mode 100644
index 07e00e6..0000000
--- a/ChangeLog.d/psa-crypto-api-iv-nonce-macros-1.0.0.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Features
- * PSA_AEAD_NONCE_LENGTH, PSA_AEAD_NONCE_MAX_SIZE, PSA_CIPHER_IV_LENGTH and
- PSA_CIPHER_IV_MAX_SIZE macros have been added as defined in version
- 1.0.0 of the PSA Crypto API specification.
diff --git a/ChangeLog.d/psa-crypto-api-values-1.0.0.txt b/ChangeLog.d/psa-crypto-api-values-1.0.0.txt
deleted file mode 100644
index 0bd3764..0000000
--- a/ChangeLog.d/psa-crypto-api-values-1.0.0.txt
+++ /dev/null
@@ -1,9 +0,0 @@
-API changes
- * The numerical values of the PSA Crypto API macros have been updated to
- conform to version 1.0.0 of the specification.
- * PSA_ALG_STREAM_CIPHER replaces PSA_ALG_CHACHA20 and PSA_ALG_ARC4.
- The underlying stream cipher is determined by the key type
- (PSA_KEY_TYPE_CHACHA20 or PSA_KEY_TYPE_ARC4).
-New deprecations
- * PSA_KEY_TYPE_CHACHA20 and PSA_KEY_TYPE_ARC4 have been deprecated.
- Use PSA_ALG_STREAM_CIPHER instead.
diff --git a/ChangeLog.d/psa-openless.txt b/ChangeLog.d/psa-openless.txt
deleted file mode 100644
index 2e40cdf..0000000
--- a/ChangeLog.d/psa-openless.txt
+++ /dev/null
@@ -1,17 +0,0 @@
-Features
- * In the PSA API, it is no longer necessary to open persistent keys:
- operations now accept the key identifier. The type psa_key_handle_t is now
- identical to psa_key_id_t instead of being platform-defined. This bridges
- the last major gap to compliance with the PSA Cryptography specification
- version 1.0.0. Opening persistent keys is still supported for backward
- compatibility, but will be deprecated and later removed in future
- releases.
-
-Bugfix
- * psa_set_key_id() now also sets the lifetime to persistent for keys located
- in a secure element.
- * Attempting to create a volatile key with a non-zero key identifier now
- fails. Previously the key identifier was just ignored when creating a
- volatile key.
- * Attempting to create or register a key with a key identifier in the vendor
- range now fails.
diff --git a/ChangeLog.d/psa_error_invalid_argument_for_invalid_cipher_input_sizes.txt b/ChangeLog.d/psa_error_invalid_argument_for_invalid_cipher_input_sizes.txt
deleted file mode 100644
index 85c363b..0000000
--- a/ChangeLog.d/psa_error_invalid_argument_for_invalid_cipher_input_sizes.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Bugfix
- * Consistently return PSA_ERROR_INVALID_ARGUMENT on invalid cipher input
- sizes (instead of PSA_ERROR_BAD_STATE in some cases) to make the
- psa_cipher_* functions compliant with the PSA Crypto API specification.
diff --git a/ChangeLog.d/psa_generate_key-curve25519.txt b/ChangeLog.d/psa_generate_key-curve25519.txt
deleted file mode 100644
index 24b6fcf..0000000
--- a/ChangeLog.d/psa_generate_key-curve25519.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Bugfix
- * Fix psa_generate_key() returning an error when asked to generate
- an ECC key pair on Curve25519 or secp244k1.
diff --git a/ChangeLog.d/support-ecdh-kdf-with-ecdh-key.txt b/ChangeLog.d/support-ecdh-kdf-with-ecdh-key.txt
deleted file mode 100644
index 6660dc3..0000000
--- a/ChangeLog.d/support-ecdh-kdf-with-ecdh-key.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-Features
- * In PSA, allow using a key declared with a base key agreement algorithm
- in combined key agreement and derivation operations, as long as the key
- agreement algorithm in use matches the algorithm the key was declared with.
- This is currently non-standard behaviour, but expected to make it into a
- future revision of the PSA Crypto standard.
diff --git a/ChangeLog.d/support-key-agreement-and-derivation-output-as-key.txt b/ChangeLog.d/support-key-agreement-and-derivation-output-as-key.txt
deleted file mode 100644
index 3f61481..0000000
--- a/ChangeLog.d/support-key-agreement-and-derivation-output-as-key.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Bugfix
- * Fix psa_key_derivation_output_key() to allow the output of a combined key
- agreement and subsequent key derivation operation to be used as a key
- inside of the PSA Crypto core.
diff --git a/ChangeLog.d/systematically_store_bit_size_3740.txt b/ChangeLog.d/systematically_store_bit_size_3740.txt
deleted file mode 100644
index 4a039e0..0000000
--- a/ChangeLog.d/systematically_store_bit_size_3740.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-Changes
- * The PSA persistent storage format is updated to always store the key bits
- attribute. No automatic upgrade path is provided. Previously stored keys
- must be erased, or manually upgraded based on the key storage format
- specification (docs/architecture/mbed-crypto-storage-specification.md).
- Fixes #3740.
diff --git a/ChangeLog.d/x509-add-tag-check-to-algorithm-params.txt b/ChangeLog.d/x509-add-tag-check-to-algorithm-params.txt
deleted file mode 100644
index f2c72b0..0000000
--- a/ChangeLog.d/x509-add-tag-check-to-algorithm-params.txt
+++ /dev/null
@@ -1,11 +0,0 @@
-Security
- * Fix a compliance issue whereby we were not checking the tag on the
- algorithm parameters (only the size) when comparing the signature in the
- description part of the cert to the real signature. This meant that a
- NULL algorithm parameters entry would look identical to an array of REAL
- (size zero) to the library and thus the certificate would be considered
- valid. However, if the parameters do not match in *any* way then the
- certificate should be considered invalid, and indeed OpenSSL marks these
- certs as invalid when mbedtls did not.
- Many thanks to guidovranken who found this issue via differential fuzzing
- and reported it in #3629.
diff --git a/ChangeLog.d/zeroizations_of_sensitive_data_in_PKCS5_and_SHA.txt b/ChangeLog.d/zeroizations_of_sensitive_data_in_PKCS5_and_SHA.txt
deleted file mode 100644
index 320bb0e..0000000
--- a/ChangeLog.d/zeroizations_of_sensitive_data_in_PKCS5_and_SHA.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-Security
- * Zeroising of local buffers and variables which are used for calculations
- in mbedtls_pkcs5_pbkdf2_hmac(), mbedtls_internal_sha*_process(),
- mbedtls_internal_md*_process() and mbedtls_internal_ripemd160_process()
- functions to erase sensitive data from memory. Reported by
- Johan Malmgren and Johan Uppman Bruce from Sectra.
