Assemble Changelog

Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>

ChangeLog

@@ -1,5 +1,87 @@
 Mbed TLS ChangeLog (Sorted per branch, date)
 
+= Mbed TLS x.x.x branch released xxxx-xx-xx
+
+Default behavior changes
+   * In TLS clients, if mbedtls_ssl_set_hostname() has not been called,
+     mbedtls_ssl_handshake() now fails with
+     MBEDTLS_ERR_SSL_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME
+     if certificate-based authentication of the server is attempted.
+     This is because authenticating a server without knowing what name
+     to expect is usually insecure. To restore the old behavior, either
+     call mbedtls_ssl_set_hostname() with NULL as the hostname, or
+     enable the new compile-time option
+     MBEDTLS_SSL_CLI_ALLOW_WEAK_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME.
+
+Features
+   * Added new configuration option MBEDTLS_PSA_STATIC_KEY_SLOTS, which
+     uses static storage for keys, enabling malloc-less use of key slots.
+     The size of each buffer is given by the option
+     MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE. By default it accommodates the
+     largest PSA key enabled in the build.
+   * MD module can now perform PSA dispatching also when
+     `MBEDTLS_PSA_CRYPTO_CLIENT && !MBEDTLS_PSA_CRYPTO_C`, even though this
+     configuration is not officially supported. This requires that a
+     PSA Crypto provider library which:
+     * supports the required `PSA_WANT_ALG_xxx` and
+     * implements `psa_can_do_hash()` on the client interface
+     is linked against Mbed TLS and that `psa_crypto_init()` is called before
+     performing any PSA call.
+
+Security
+   * Note that TLS clients should generally call mbedtls_ssl_set_hostname()
+     if they use certificate authentication (i.e. not pre-shared keys).
+     Otherwise, in many scenarios, the server could be impersonated.
+     The library will now prevent the handshake and return
+     MBEDTLS_ERR_SSL_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME
+     if mbedtls_ssl_set_hostname() has not been called.
+     CVE-2025-27809
+   * Zeroize a temporary heap buffer used in psa_key_derivation_output_key()
+     when deriving an ECC key pair.
+   * Zeroize temporary heap buffers used in PSA operations.
+   * Fix a vulnerability in the TLS 1.2 handshake. If memory allocation failed
+     or there was a cryptographic hardware failure when calculating the
+     Finished message, it could be calculated incorrectly. This would break
+     the security guarantees of the TLS handshake.
+     CVE-2025-27810
+
+Bugfix
+   * When MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE is disabled, work with
+     peers that have middlebox compatibility enabled, as long as no
+     problematic middlebox is in the way. Fixes #9551.
+   * Fix invalid JSON schemas for driver descriptions used by
+     generate_driver_wrappers.py.
+   * Use 'mbedtls_net_close' instead of 'close' in 'mbedtls_net_bind'
+     and 'mbedtls_net_connect' to prevent possible double close fd
+     problems. Fixes #9711.
+   * Fix undefined behavior in some cases when mbedtls_psa_raw_to_der() or
+     mbedtls_psa_der_to_raw() is called with bits=0.
+   * Fix compilation on MS-DOS DJGPP. Fixes #9813.
+   * Fix missing constraints on the AES-NI inline assembly which is used on
+     GCC-like compilers when building AES for generic x86_64 targets. This
+     may have resulted in incorrect code with some compilers, depending on
+     optimizations. Fixes #9819.
+   * Support re-assembly of fragmented handshake messages in TLS (both
+     1.2 and 1.3). The lack of support was causing handshake failures with
+     some servers, especially with TLS 1.3 in practice. There are a few
+     limitations, notably a fragmented ClientHello is only supported when
+     TLS 1.3 support is enabled. See the documentation of
+     mbedtls_ssl_handshake() for details.
+   * Fix definition of MBEDTLS_PRINTF_SIZET to prevent runtime crashes that
+     occurred whenever SSL debugging was enabled on a copy of Mbed TLS built
+     with Visual Studio 2013 or MinGW.
+     Fixes #10017.
+   * Remove Everest Visual Studio 2010 compatibility headers, which could
+     shadow standard CRT headers inttypes.h and stdbool.h with incomplete
+     implementatios if placed on the include path, eg. when building Mbed TLS
+     with the .sln file shipped with the project.
+   * Fix issue where psa_key_derivation_input_integer() is not detecting
+     bad state after an operation has been aborted.
+
+Changes
+   * Improve performance of PSA key generation with ECC keys: it no longer
+     computes the public key (which was immediately discarded). Fixes #9732.
+
 = Mbed TLS 3.6.2 branch released 2024-10-14
 
 Security

ChangeLog.d/9302.txt

@@ -1,6 +0,0 @@
-Features
-   * Added new configuration option MBEDTLS_PSA_STATIC_KEY_SLOTS, which
-     uses static storage for keys, enabling malloc-less use of key slots.
-     The size of each buffer is given by the option
-     MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE. By default it accommodates the
-     largest PSA key enabled in the build.

ChangeLog.d/9652.txt

@@ -1,9 +0,0 @@
-Features
-   * MD module can now perform PSA dispatching also when
-     `MBEDTLS_PSA_CRYPTO_CLIENT && !MBEDTLS_PSA_CRYPTO_C`, even though this
-     configuration is not officially supported. This requires that a
-     PSA Crypto provider library which:
-     * supports the required `PSA_WANT_ALG_xxx` and
-     * implements `psa_can_do_hash()` on the client interface
-     is linked against Mbed TLS and that `psa_crypto_init()` is called before
-     performing any PSA call.

ChangeLog.d/fix-aesni-asm-clobbers.txt

@@ -1,5 +0,0 @@
-Bugfix
-   * Fix missing constraints on the AES-NI inline assembly which is used on
-     GCC-like compilers when building AES for generic x86_64 targets. This
-     may have resulted in incorrect code with some compilers, depending on
-     optimizations. Fixes #9819.

ChangeLog.d/fix-compilation-with-djgpp.txt

@@ -1,2 +0,0 @@
-Bugfix
-   * Fix compilation on MS-DOS DJGPP. Fixes #9813.

ChangeLog.d/fix-driver-schema-check.txt

@@ -1,3 +0,0 @@
-Bugfix
-   * Fix invalid JSON schemas for driver descriptions used by
-     generate_driver_wrappers.py.

ChangeLog.d/fix-key-derive-bad-state-error.txt

@@ -1,3 +0,0 @@
-Bugfix
-   * Fix issue where psa_key_derivation_input_integer() is not detecting
-     bad state after an operation has been aborted.

ChangeLog.d/fix-msvc-version-guard-format-zu.txt

@@ -1,9 +0,0 @@
-Bugfix
-   * Fix definition of MBEDTLS_PRINTF_SIZET to prevent runtime crashes that
-     occurred whenever SSL debugging was enabled on a copy of Mbed TLS built
-     with Visual Studio 2013 or MinGW.
-     Fixes #10017.
-   * Remove Everest Visual Studio 2010 compatibility headers, which could
-     shadow standard CRT headers inttypes.h and stdbool.h with incomplete
-     implementatios if placed on the include path, eg. when building Mbed TLS
-     with the .sln file shipped with the project.

ChangeLog.d/mbedtls_psa_ecp_generate_key-no_public_key.txt

@@ -1,3 +0,0 @@
-Changes
-   * Improve performance of PSA key generation with ECC keys: it no longer
-     computes the public key (which was immediately discarded). Fixes #9732.

ChangeLog.d/mbedtls_ssl_set_hostname.txt

@@ -1,19 +0,0 @@
-Default behavior changes
-   * In TLS clients, if mbedtls_ssl_set_hostname() has not been called,
-     mbedtls_ssl_handshake() now fails with
-     MBEDTLS_ERR_SSL_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME
-     if certificate-based authentication of the server is attempted.
-     This is because authenticating a server without knowing what name
-     to expect is usually insecure. To restore the old behavior, either
-     call mbedtls_ssl_set_hostname() with NULL as the hostname, or
-     enable the new compile-time option
-     MBEDTLS_SSL_CLI_ALLOW_WEAK_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME.
-
-Security
-   * Note that TLS clients should generally call mbedtls_ssl_set_hostname()
-     if they use certificate authentication (i.e. not pre-shared keys).
-     Otherwise, in many scenarios, the server could be impersonated.
-     The library will now prevent the handshake and return
-     MBEDTLS_ERR_SSL_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME
-     if mbedtls_ssl_set_hostname() has not been called.
-     CVE-2025-27809

ChangeLog.d/psa-zeroize.txt

@@ -1,4 +0,0 @@
-Security
-   * Zeroize a temporary heap buffer used in psa_key_derivation_output_key()
-     when deriving an ECC key pair.
-   * Zeroize temporary heap buffers used in PSA operations.

ChangeLog.d/psa_util-bits-0.txt

@@ -1,3 +0,0 @@
-Bugfix
-   * Fix undefined behavior in some cases when mbedtls_psa_raw_to_der() or
-     mbedtls_psa_der_to_raw() is called with bits=0.

ChangeLog.d/replace-close-with-mbedtls_net_close.txt

@@ -1,4 +0,0 @@
-Bugfix
-   * Use 'mbedtls_net_close' instead of 'close' in 'mbedtls_net_bind'
-     and 'mbedtls_net_connect' to prevent possible double close fd
-     problems. Fixes #9711.

ChangeLog.d/tls-hs-defrag-in.txt

@@ -1,7 +0,0 @@
-Bugfix
-   * Support re-assembly of fragmented handshake messages in TLS (both
-     1.2 and 1.3). The lack of support was causing handshake failures with
-     some servers, especially with TLS 1.3 in practice. There are a few
-     limitations, notably a fragmented ClientHello is only supported when
-     TLS 1.3 support is enabled. See the documentation of
-     mbedtls_ssl_handshake() for details.

ChangeLog.d/tls12-check-finished-calc.txt

@@ -1,6 +0,0 @@
-Security
-   * Fix a vulnerability in the TLS 1.2 handshake. If memory allocation failed
-     or there was a cryptographic hardware failure when calculating the
-     Finished message, it could be calculated incorrectly. This would break
-     the security guarantees of the TLS handshake.
-     CVE-2025-27810

ChangeLog.d/tls13-middlebox-compat-disabled.txt

@@ -1,4 +0,0 @@
-Bugfix
-   * When MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE is disabled, work with
-     peers that have middlebox compatibility enabled, as long as no
-     problematic middlebox is in the way. Fixes #9551.