From bb2eece7cf509ab1adbd3d22ff71cac005d9e298 Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Wed, 30 Jun 2021 18:07:19 +0100 Subject: [PATCH] Create aggregated ChangeLog 
Signed-off-by: Dave Rodgman --- ChangeLog | 371 +++++++++++++++++- ChangeLog.d/add-cmake-package-config.txt | 2 - ChangeLog.d/add-missing-parenthesis.txt | 3 - ChangeLog.d/aescrypt2.txt | 3 - ChangeLog.d/allow_alt_cmac_without_des.txt | 3 - ChangeLog.d/alt-context-relaxation.txt | 6 - ChangeLog.d/aria-alt.txt | 5 - ChangeLog.d/cipher-delayed-output.txt | 6 - ChangeLog.d/ciphersuite-sha1-sha384-guard.txt | 4 - ChangeLog.d/ciphersuite-sha384-guard.txt | 2 - ChangeLog.d/default-curves.txt | 9 - ChangeLog.d/dhm-fields.txt | 9 - ChangeLog.d/dhm_min_bitlen.txt | 4 - ChangeLog.d/ecdsa-random-leading-zeros.txt | 7 - ChangeLog.d/ecjpake-point_format.txt | 4 - ChangeLog.d/ecp-window-size.txt | 3 - ChangeLog.d/ecp_max_bits.txt | 3 - ChangeLog.d/fix-mingw-build.txt | 5 - ChangeLog.d/fix-pk-parse-key-error-code.txt | 2 - ChangeLog.d/fix-rsa-leak.txt | 6 - ChangeLog.d/fix-ssl-cf-hmac-alt.txt | 5 - ChangeLog.d/fix_tls_alert_codes.txt | 5 - ChangeLog.d/gcm-update.txt | 19 - ChangeLog.d/host_test-int32.txt | 3 - ChangeLog.d/implicit_key_usage_policy.txt | 5 - ChangeLog.d/issue4036.txt | 5 - ChangeLog.d/issue4055.txt | 3 - ChangeLog.d/issue4083.txt | 4 - ChangeLog.d/issue4084.txt | 4 - ChangeLog.d/issue4128.txt | 4 - ChangeLog.d/issue4176.txt | 3 - ChangeLog.d/issue4212.txt | 6 - ChangeLog.d/issue4282.txt | 13 - ChangeLog.d/issue4286.txt | 10 - ChangeLog.d/issue4313.txt | 4 - ChangeLog.d/issue4335.txt | 4 - ChangeLog.d/issue4361.txt | 3 - ChangeLog.d/issue4367.txt | 13 - ChangeLog.d/issue4378.txt | 4 - ChangeLog.d/issue4386.txt | 3 - ChangeLog.d/issue4398.txt | 3 - ChangeLog.d/issue4403.txt | 2 - ChangeLog.d/issue4405.txt | 4 - ChangeLog.d/key-export.txt | 10 - ChangeLog.d/make-generate-tests-python.txt | 3 - ChangeLog.d/mandatory-rng-param.txt | 14 - ChangeLog.d/max-record-payload-api.txt | 9 - ChangeLog.d/mbed-can-do-timing.txt | 3 - ChangeLog.d/mbedtls_debug_print_mpi.txt | 5 - ChangeLog.d/mpi_exp_mod-zero.txt | 7 - ChangeLog.d/mpi_gcd-0.txt | 4 - ChangeLog.d/mpi_random.txt | 3 - 
ChangeLog.d/mpi_read_zero.txt | 9 - ChangeLog.d/no-generated-files.txt | 7 - ChangeLog.d/one-shot-mac.txt | 3 - ChangeLog.d/one-shot_cipher_functions.txt | 4 - ChangeLog.d/out_size.txt | 5 - ChangeLog.d/posix-define.txt | 6 - ChangeLog.d/private-fields.txt | 5 - .../psa-aead-output-size-macros-1.0.txt | 5 - .../psa-builtin-keys-implementation.txt | 4 - ChangeLog.d/psa-read-only-keys.txt | 5 - ChangeLog.d/psa-rsa-verify-alt-fix.txt | 7 - ChangeLog.d/psa-without-genprime-fix.txt | 5 - .../psa_key_derivation-bad_workflow.txt | 3 - ChangeLog.d/psa_sign_message.txt | 2 - ChangeLog.d/random-range.txt | 4 - ChangeLog.d/reject-low-order-points-early.txt | 6 - ChangeLog.d/relaxed-psk-semantics.txt | 7 - ChangeLog.d/remove-config-psa-crypto.txt | 3 - .../remove-enable-weak-ciphersuites.txt | 2 - ChangeLog.d/remove-max-content-len.txt | 4 - ChangeLog.d/remove-rsa-mode-parameter.txt | 8 - ChangeLog.d/remove_null_entropy.txt | 2 - ChangeLog.d/require-matching-hashlen-rsa.txt | 5 - ChangeLog.d/rm-ecdh-legacy-context-option.txt | 3 - ChangeLog.d/rm-ticket-lifetime-option.txt | 5 - ChangeLog.d/rm-truncated-hmac-ext.txt | 5 - ChangeLog.d/rsa-padding.txt | 5 - ChangeLog.d/session-cache-api.txt | 5 - ChangeLog.d/sha224_sha384.txt | 7 - ChangeLog.d/sha512-output-type.txt | 6 - ChangeLog.d/split-config.txt | 13 - ChangeLog.d/spm_build.txt | 4 - ChangeLog.d/ssl-error-code-cleanup.txt | 6 - ChangeLog.d/tool-versions.txt | 4 - .../undefined_reference_without_psa.txt | 4 - ChangeLog.d/update_ssl_error_codes.txt | 3 - ChangeLog.d/winsock.txt | 4 - ChangeLog.d/x509_remove_info.txt | 6 - 90 files changed, 369 insertions(+), 466 deletions(-) delete mode 100644 ChangeLog.d/add-cmake-package-config.txt delete mode 100644 ChangeLog.d/add-missing-parenthesis.txt delete mode 100644 ChangeLog.d/aescrypt2.txt delete mode 100644 ChangeLog.d/allow_alt_cmac_without_des.txt delete mode 100644 ChangeLog.d/alt-context-relaxation.txt delete mode 100644 ChangeLog.d/aria-alt.txt delete mode 100644 
ChangeLog.d/cipher-delayed-output.txt delete mode 100644 ChangeLog.d/ciphersuite-sha1-sha384-guard.txt delete mode 100644 ChangeLog.d/ciphersuite-sha384-guard.txt delete mode 100644 ChangeLog.d/default-curves.txt delete mode 100644 ChangeLog.d/dhm-fields.txt delete mode 100644 ChangeLog.d/dhm_min_bitlen.txt delete mode 100644 ChangeLog.d/ecdsa-random-leading-zeros.txt delete mode 100644 ChangeLog.d/ecjpake-point_format.txt delete mode 100644 ChangeLog.d/ecp-window-size.txt delete mode 100644 ChangeLog.d/ecp_max_bits.txt delete mode 100644 ChangeLog.d/fix-mingw-build.txt delete mode 100644 ChangeLog.d/fix-pk-parse-key-error-code.txt delete mode 100644 ChangeLog.d/fix-rsa-leak.txt delete mode 100644 ChangeLog.d/fix-ssl-cf-hmac-alt.txt delete mode 100644 ChangeLog.d/fix_tls_alert_codes.txt delete mode 100644 ChangeLog.d/gcm-update.txt delete mode 100644 ChangeLog.d/host_test-int32.txt delete mode 100644 ChangeLog.d/implicit_key_usage_policy.txt delete mode 100644 ChangeLog.d/issue4036.txt delete mode 100644 ChangeLog.d/issue4055.txt delete mode 100644 ChangeLog.d/issue4083.txt delete mode 100644 ChangeLog.d/issue4084.txt delete mode 100644 ChangeLog.d/issue4128.txt delete mode 100644 ChangeLog.d/issue4176.txt delete mode 100644 ChangeLog.d/issue4212.txt delete mode 100644 ChangeLog.d/issue4282.txt delete mode 100644 ChangeLog.d/issue4286.txt delete mode 100644 ChangeLog.d/issue4313.txt delete mode 100644 ChangeLog.d/issue4335.txt delete mode 100644 ChangeLog.d/issue4361.txt delete mode 100644 ChangeLog.d/issue4367.txt delete mode 100644 ChangeLog.d/issue4378.txt delete mode 100644 ChangeLog.d/issue4386.txt delete mode 100644 ChangeLog.d/issue4398.txt delete mode 100644 ChangeLog.d/issue4403.txt delete mode 100644 ChangeLog.d/issue4405.txt delete mode 100644 ChangeLog.d/key-export.txt delete mode 100644 ChangeLog.d/make-generate-tests-python.txt delete mode 100644 ChangeLog.d/mandatory-rng-param.txt delete mode 100644 ChangeLog.d/max-record-payload-api.txt delete mode 
100644 ChangeLog.d/mbed-can-do-timing.txt delete mode 100644 ChangeLog.d/mbedtls_debug_print_mpi.txt delete mode 100644 ChangeLog.d/mpi_exp_mod-zero.txt delete mode 100644 ChangeLog.d/mpi_gcd-0.txt delete mode 100644 ChangeLog.d/mpi_random.txt delete mode 100644 ChangeLog.d/mpi_read_zero.txt delete mode 100644 ChangeLog.d/no-generated-files.txt delete mode 100644 ChangeLog.d/one-shot-mac.txt delete mode 100644 ChangeLog.d/one-shot_cipher_functions.txt delete mode 100644 ChangeLog.d/out_size.txt delete mode 100644 ChangeLog.d/posix-define.txt delete mode 100644 ChangeLog.d/private-fields.txt delete mode 100644 ChangeLog.d/psa-aead-output-size-macros-1.0.txt delete mode 100644 ChangeLog.d/psa-builtin-keys-implementation.txt delete mode 100644 ChangeLog.d/psa-read-only-keys.txt delete mode 100644 ChangeLog.d/psa-rsa-verify-alt-fix.txt delete mode 100644 ChangeLog.d/psa-without-genprime-fix.txt delete mode 100644 ChangeLog.d/psa_key_derivation-bad_workflow.txt delete mode 100644 ChangeLog.d/psa_sign_message.txt delete mode 100644 ChangeLog.d/random-range.txt delete mode 100644 ChangeLog.d/reject-low-order-points-early.txt delete mode 100644 ChangeLog.d/relaxed-psk-semantics.txt delete mode 100644 ChangeLog.d/remove-config-psa-crypto.txt delete mode 100644 ChangeLog.d/remove-enable-weak-ciphersuites.txt delete mode 100644 ChangeLog.d/remove-max-content-len.txt delete mode 100644 ChangeLog.d/remove-rsa-mode-parameter.txt delete mode 100644 ChangeLog.d/remove_null_entropy.txt delete mode 100644 ChangeLog.d/require-matching-hashlen-rsa.txt delete mode 100644 ChangeLog.d/rm-ecdh-legacy-context-option.txt delete mode 100644 ChangeLog.d/rm-ticket-lifetime-option.txt delete mode 100644 ChangeLog.d/rm-truncated-hmac-ext.txt delete mode 100644 ChangeLog.d/rsa-padding.txt delete mode 100644 ChangeLog.d/session-cache-api.txt delete mode 100644 ChangeLog.d/sha224_sha384.txt delete mode 100644 ChangeLog.d/sha512-output-type.txt delete mode 100644 ChangeLog.d/split-config.txt delete 
mode 100644 ChangeLog.d/spm_build.txt delete mode 100644 ChangeLog.d/ssl-error-code-cleanup.txt delete mode 100644 ChangeLog.d/tool-versions.txt delete mode 100644 ChangeLog.d/undefined_reference_without_psa.txt delete mode 100644 ChangeLog.d/update_ssl_error_codes.txt delete mode 100644 ChangeLog.d/winsock.txt delete mode 100644 ChangeLog.d/x509_remove_info.txt
diff --git a/ChangeLog b/ChangeLog
index fcd842708f..5074249437 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,6 +1,6 @@
 mbed TLS ChangeLog (Sorted per branch, date)
-= Mbed TLS 3.0.0 branch released 2021-xx-xx
+= Mbed TLS 3.0.0 branch released 2021-07-07
 API changes
 * Remove HAVEGE module.
@@ -36,12 +36,146 @@ API changes
 * Drop support for RC4 TLS ciphersuites.
 * Drop support for single-DES ciphersuites.
 * Drop support for MBEDTLS_SSL_HW_RECORD_ACCEL.
+ * Update AEAD output size macros to bring them in line with the PSA Crypto
+ API version 1.0 spec. This version of the spec parameterizes them on the
+ key type used, as well as the key bit-size in the case of
+ PSA_AEAD_TAG_LENGTH.
+ * Add configuration option MBEDTLS_X509_REMOVE_INFO which
+ removes the mbedtls_x509_*_info(), mbedtls_debug_print_crt()
+ as well as other functions and constants only used by
+ those functions. This reduces the code footprint by
+ several kB.
+ * Remove SSL error codes `MBEDTLS_ERR_SSL_CERTIFICATE_REQUIRED`
+ and `MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH` which are never
+ returned from the public SSL API.
+ * Remove `MBEDTLS_ERR_SSL_CERTIFICATE_TOO_LARGE` and return
+ `MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL` instead.
+ * The output parameter of mbedtls_sha512_finish_ret, mbedtls_sha512_ret,
+ mbedtls_sha256_finish_ret and mbedtls_sha256_ret now has a pointer type
+ rather than array type. This removes spurious warnings in some compilers
+ when outputting a SHA-384 or SHA-224 hash into a buffer of exactly
+ the hash size.
+ * Remove the MBEDTLS_TEST_NULL_ENTROPY config option. Fixes #4388.
+ * The interface of the GCM module has changed to remove restrictions on
+ how the input to multipart operations is broken down. mbedtls_gcm_finish()
+ now takes an extra output parameter for the last partial output block.
+ mbedtls_gcm_update() now takes extra parameters for the output length.
+ The software implementation always produces the full output at each
+ call to mbedtls_gcm_update(), but alternative implementations activated
+ by MBEDTLS_GCM_ALT may delay partial blocks to the next call to
+ mbedtls_gcm_update() or mbedtls_gcm_finish(). Furthermore, applications
+ no longer pass the associated data to mbedtls_gcm_starts(), but to the
+ new function mbedtls_gcm_update_ad().
+ These changes are backward compatible for users of the cipher API.
+ * Replace MBEDTLS_SHA512_NO_SHA384 config option with MBEDTLS_SHA384_C.
+ This separates config option enabling the SHA384 algorithm from option
+ enabling the SHA512 algorithm. Fixes #4034.
+ * Introduce MBEDTLS_SHA224_C.
+ This separates config option enabling the SHA224 algorithm from option
+ enabling SHA256.
+ * The getter and setter API of the SSL session cache (used for
+ session-ID based session resumption) has changed to that of
+ a key-value store with keys being session IDs and values
+ being opaque instances of `mbedtls_ssl_session`.
+ * Remove the mode parameter from RSA operation functions. Signature and
+ decryption functions now always use the private key and verification and
+ encryption use the public key. Verification functions also no longer have
+ RNG parameters.
+ * Modify semantics of `mbedtls_ssl_conf_[opaque_]psk()`:
+ In Mbed TLS 2.X, the API prescribes that later calls overwrite
+ the effect of earlier calls. In Mbed TLS 3.0, calling
+ `mbedtls_ssl_conf_[opaque_]psk()` more than once will fail,
+ leaving the PSK that was configured first intact.
+ Support for more than one PSK may be added in 3.X.
+ * The function mbedtls_x509write_csr_set_extension() has an extra parameter
+ which allows to mark an extension as critical. Fixes #4055.
+ * For multi-part AEAD operations with the cipher module, calling
+ mbedtls_cipher_finish() is now mandatory. Previously the documentation
+ was unclear on this point, and this function happened to never do
+ anything with the currently implemented AEADs, so in practice it was
+ possible to skip calling it, which is no longer supported.
+ * The option MBEDTLS_ECP_FIXED_POINT_OPTIM use pre-computed comb tables
+ instead of computing tables in runtime. Thus, this option now increase
+ code size, and it does not increase RAM usage in runtime anymore.
+ * Remove the SSL APIs mbedtls_ssl_get_input_max_frag_len() and
+ mbedtls_ssl_get_output_max_frag_len(), and add a new API
+ mbedtls_ssl_get_max_in_record_payload(), complementing the existing
+ mbedtls_ssl_get_max_out_record_payload().
+ Uses of mbedtls_ssl_get_input_max_frag_len() and
+ mbedtls_ssl_get_input_max_frag_len() should be replaced by
+ mbedtls_ssl_get_max_in_record_payload() and
+ mbedtls_ssl_get_max_out_record_payload(), respectively.
+ * mbedtls_rsa_init() now always selects the PKCS#1v1.5 encoding for an RSA
+ key. To use an RSA key with PSS or OAEP, call mbedtls_rsa_set_padding()
+ after initializing the context. mbedtls_rsa_set_padding() now returns an
+ error if its parameters are invalid.
+ * Replace MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE by a runtime
+ configuration function mbedtls_ssl_conf_preference_order(). Fixes #4398.
+ * Instead of accessing the len field of a DHM context, which is no longer
+ supported, use the new function mbedtls_dhm_get_len() .
+ * In modules that implement cryptographic hash functions, many functions
+ mbedtls_xxx() now return int instead of void, and the corresponding
+ function mbedtls_xxx_ret() which was identical except for returning int
+ has been removed. This also concerns mbedtls_xxx_drbg_update(). See the
+ migration guide for more information. Fixes #4212.
+ * For all functions that take a random number generator (RNG) as a
+ parameter, this parameter is now mandatory (that is, NULL is not an
+ acceptable value). Functions which previously accepted NULL and now
+ reject it are: the X.509 CRT and CSR writing functions; the PK and RSA
+ sign and decrypt function; mbedtls_rsa_private(); the functions
+ in DHM and ECDH that compute the shared secret; the scalar multiplication
+ functions in ECP.
+ * The following functions now require an RNG parameter:
+ mbedtls_ecp_check_pub_priv(), mbedtls_pk_check_pair(),
+ mbedtls_pk_parse_key(), mbedtls_pk_parse_keyfile().
+ * mbedtls_ssl_conf_export_keys_ext_cb() and
+ mbedtls_ssl_conf_export_keys_cb() have been removed and
+ replaced by a new API mbedtls_ssl_set_export_keys_cb().
+ Raw keys and IVs are no longer passed to the callback.
+ Further, callbacks now receive an additional parameter
+ indicating the type of secret that's being exported,
+ paving the way for the larger number of secrets
+ in TLS 1.3. Finally, the key export callback and
+ context are now connection-specific.
+ * Signature functions in the RSA and PK modules now require the hash
+ length parameter to be the size of the hash input. For RSA signatures
+ other than raw PKCS#1 v1.5, this must match the output size of the
+ specified hash algorithm.
+ * The functions mbedtls_pk_sign(), mbedtls_pk_sign_restartable(),
+ mbedtls_ecdsa_write_signature() and
+ mbedtls_ecdsa_write_signature_restartable() now take an extra parameter
+ indicating the size of the output buffer for the signature.
+ * Implement one-shot cipher functions, psa_cipher_encrypt and
+ psa_cipher_decrypt, according to the PSA Crypto API 1.0.0
+ specification.
+ * Direct access to fields of structures declared in public headers is no
+ longer supported except for fields that are documented public. Use accessor
+ functions instead. For more information, see the migration guide entry
+ "Most structure fields are now private".
+
+Default behavior changes
+ * Enable by default the functionalities which have no reason to be disabled.
+ They are: ARIA block cipher, CMAC mode, elliptic curve J-PAKE library and
+ Key Wrapping mode as defined in NIST SP 800-38F. Fixes #4036.
+ * Some default policies for X.509 certificate verification and TLS have
+ changed: curves and hashes weaker than 255 bits are no longer accepted
+ by default. The default order in TLS now favors faster curves over larger
+ curves.
 Requirement changes
 * The library now uses the %zu format specifier with the printf() family of functions, so requires a toolchain that supports it.
This change does not affect the maintained LTS branches, so when contributing changes please bear this in mind and do not add them to backported code.
+ * If you build the development version of Mbed TLS, rather than an official
+ release, some configuration-independent files are now generated at build
+ time rather than checked into source control. This includes some library
+ source files as well as the Visual Studio solution. Perl, Python 3 and a
+ C compiler for the host platform are required. See “Generated source files
+ in the development branch” in README.md for more information.
+ * Refresh the minimum supported versions of tools to build the
+ library. CMake versions older than 3.10.2 and Python older
+ than 3.6 are no longer supported.
 Removals
 * Remove the MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
@@ -49,7 +183,6 @@ Removals
 certificates signed with SHA-1 due to the known attacks against SHA-1. If needed, SHA-1 certificates can still be verified by using a custom verification profile.
- * Removed deprecated things in psa/crypto_compat.h. Fixes #4284
 * Removed deprecated functions from hashing modules. Fixes #4280.
 * Remove PKCS#11 library wrapper. PKCS#11 has limited functionality,
@@ -58,12 +191,133 @@ Removals
 More details on PCKS#11 wrapper removal can be found in the mailing list https://lists.trustedfirmware.org/pipermail/mbed-tls/2020-April/000024.html
 * Remove deprecated error codes. Fix #4283
+ * Remove MBEDTLS_ENABLE_WEAK_CIPHERSUITES configuration option. Fixes #4416.
+ * Remove the MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
+ compile-time option. This option has been inactive for a long time.
+ Please use the `lifetime` parameter of `mbedtls_ssl_ticket_setup()`
+ instead.
+ * Remove the following deprecated functions and constants of hex-encoded
+ primes based on RFC 5114 and RFC 3526 from library code and tests:
+ mbedtls_aes_encrypt(), mbedtls_aes_decrypt(), mbedtls_mpi_is_prime(),
+ mbedtls_cipher_auth_encrypt(), mbedtls_cipher_auth_decrypt(),
+ mbedtls_ctr_drbg_update(), mbedtls_hmac_drbg_update(),
+ mbedtls_ecdsa_write_signature_det(), mbedtls_ecdsa_sign_det(),
+ mbedtls_ssl_conf_dh_param(), mbedtls_ssl_get_max_frag_len(),
+ MBEDTLS_DHM_RFC5114_MODP_2048_P, MBEDTLS_DHM_RFC5114_MODP_2048_G,
+ MBEDTLS_DHM_RFC3526_MODP_2048_P, MBEDTLS_DHM_RFC3526_MODP_2048_G,
+ MBEDTLS_DHM_RFC3526_MODP_3072_P, MBEDTLS_DHM_RFC3526_MODP_3072_G,
+ MBEDTLS_DHM_RFC3526_MODP_4096_P, MBEDTLS_DHM_RFC3526_MODP_4096_G.
+ Remove the deprecated file: include/mbedtls/net.h. Fixes #4282.
+ * Remove MBEDTLS_SSL_MAX_CONTENT_LEN configuration option, since
+ MBEDTLS_SSL_IN_CONTENT_LEN and MBEDTLS_SSL_OUT_CONTENT_LEN replace
+ it. Fixes #4362.
+ * Remove the MBEDTLS_SSL_RECORD_CHECKING option and enable by default its
+ previous action. Fixes #4361.
+ * Remove support for TLS 1.0, TLS 1.1 and DTLS 1.0, as well as support for
+ CBC record splitting, fallback SCSV, and the ability to configure
+ ciphersuites per version, which are no longer relevant. This removes the
+ configuration options MBEDTLS_SSL_PROTO_TLS1,
+ MBEDTLS_SSL_PROTO_TLS1_1, MBEDTLS_SSL_CBC_RECORD_SPLITTING and
+ MBEDTLS_SSL_FALLBACK_SCSV as well as the functions
+ mbedtls_ssl_conf_cbc_record_splitting(),
+ mbedtls_ssl_get_key_exchange_md_ssl_tls(), mbedtls_ssl_conf_fallback(),
+ and mbedtls_ssl_conf_ciphersuites_for_version(). Fixes #4286.
+ * The RSA module no longer supports private-key operations with the public
+ key and vice versa.
+ * Remove the MBEDTLS_SSL_DTLS_BADMAC_LIMIT config.h option. Fixes #4403.
+ * Remove all the 3DES ciphersuites:
+ MBEDTLS_TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA,
+ MBEDTLS_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
+ MBEDTLS_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
+ MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA,
+ MBEDTLS_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
+ MBEDTLS_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
+ MBEDTLS_TLS_PSK_WITH_3DES_EDE_CBC_SHA,
+ MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA,
+ MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA. Remove the
+ MBEDTLS_REMOVE_3DES_CIPHERSUITES option which is no longer relevant.
+ Fixes #4367.
+ * Remove the MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3 option and let the code
+ behave as if it was always disabled. Fixes #4386.
+ * Remove MBEDTLS_ECDH_LEGACY_CONTEXT config option since this was purely for
+ backward compatibility which is no longer supported. Addresses #4404.
+ * Remove the following macros: MBEDTLS_CHECK_PARAMS,
+ MBEDTLS_CHECK_PARAMS_ASSERT, MBEDTLS_PARAM_FAILED,
+ MBEDTLS_PARAM_FAILED_ALT. Fixes #4313.
+ * Remove the MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION config.h
+ option. The mbedtls_x509_crt_parse_der_with_ext_cb() is the way to go for
+ migration path. Fixes #4378.
+ * Remove the MBEDTLS_X509_CHECK_KEY_USAGE and
+ MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE config.h options and let the code
+ behave as if they were always enabled. Fixes #4405.
+ * MBEDTLS_ECP_MAX_BITS is no longer a configuration option because it is
+ now determined automatically based on supported curves.
+ * Remove the following functions: mbedtls_timing_self_test(),
+ mbedtls_hardclock_poll(), mbedtls_timing_hardclock() and
+ mbedtls_set_alarm(). Fixes #4083.
+ * The configuration option MBEDTLS_ECP_NO_INTERNAL_RNG has been removed as
+ it no longer had any effect.
+ * Remove all support for MD2, MD4, RC4, Blowfish and XTEA. This removes the
+ corresponding modules and all their APIs and related configuration
+ options. Fixes #4084.
+ * Remove MBEDTLS_SSL_TRUNCATED_HMAC and also remove
+ MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT config option. Users are better served by
+ using a CCM-8 ciphersuite than a CBC ciphersuite with truncated HMAC.
+ See issue #4341 for more details.
+ * Remove the compile-time option
+ MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE.
 Features
 * Add mbedtls_rsa_rsassa_pss_sign_ext() function allowing to generate a signature with a specific salt length. This function allows to validate test cases provided in the NIST's CAVP test suite. Contributed by Cédric Meuter in PR #3183.
+ * Added support for built-in driver keys through the PSA opaque crypto
+ driver interface. Refer to the documentation of
+ MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS for more information.
+ * Implement psa_sign_message() and psa_verify_message().
+ * The multi-part GCM interface (mbedtls_gcm_update() or
+ mbedtls_cipher_update()) no longer requires the size of partial inputs to
+ be a multiple of 16.
+ * The multi-part GCM interface now supports chunked associated data through
+ multiple calls to mbedtls_gcm_update_ad().
+ * The new function mbedtls_mpi_random() generates a random value in a
+ given range uniformly.
+ * Alternative implementations of the AES, DHM, ECJPAKE, ECP, RSA and timing
+ modules had undocumented constraints on their context types. These
+ constraints have been relaxed.
+ See docs/architecture/alternative-implementations.md for the remaining
+ constraints.
+ * The new functions mbedtls_dhm_get_len() and mbedtls_dhm_get_bitlen()
+ query the size of the modulus in a Diffie-Hellman context.
+ * The new function mbedtls_dhm_get_value() copy a field out of a
+ Diffie-Hellman context.
+ * Use the new function mbedtls_ecjpake_set_point_format() to select the
+ point format for ECJPAKE instead of accessing the point_format field
+ directly, which is no longer supported.
+ * Implement psa_mac_compute() and psa_mac_verify() as defined in the
+ PSA Cryptograpy API 1.0.0 specification.
+
+Security
+* Fix a bias in the generation of finite-field Diffie-Hellman-Merkle (DHM)
+ private keys and of blinding values for DHM and elliptic curves (ECP)
+ computations. Reported by FlorianF89 in #4245.
+* Fix a potential side channel vulnerability in ECDSA ephemeral key generation.
+ An adversary who is capable of very precise timing measurements could
+ learn partial information about the leading bits of the nonce used for the
+ signature, allowing the recovery of the private key after observing a
+ large number of signature operations. This completes a partial fix in
+ Mbed TLS 2.20.0.
+ * An adversary with access to precise enough information about memory
+ accesses (typically, an untrusted operating system attacking a secure
+ enclave) could recover an RSA private key after observing the victim
+ performing a single private-key operation. Found and reported by
+ Zili KOU, Wenjian HE, Sharad Sinha, and Wei ZHANG.
+ * An adversary with access to precise enough timing information (typically, a
+ co-located process) could recover a Curve25519 or Curve448 static ECDH key
+ after inputting a chosen public key and observing the victim performing the
+ corresponding private-key operation. Found and reported by Leila Batina,
+ Lukas Chmielewski, Björn Haase, Niels Samwel and Peter Schwabe.
 Bugfix
 * Fix premature fopen() call in mbedtls_entropy_write_seed_file which may
@@ -87,6 +341,76 @@ Bugfix
 mbedtls_mpi_read_string() was called on "-0", or when mbedtls_mpi_mul_mpi() and mbedtls_mpi_mul_int() was called with one of the arguments being negative and the other being 0. Fixes #4643.
+ * Fix a compilation error when MBEDTLS_ECP_RANDOMIZE_MXZ_ALT is
+ defined. Fixes #4217.
+ * Fix an incorrect error code when parsing a PKCS#8 private key.
+ * In a TLS client, enforce the Diffie-Hellman minimum parameter size
+ set with mbedtls_ssl_conf_dhm_min_bitlen() precisely. Before, the
+ minimum size was rounded down to the nearest multiple of 8.
+ * In library/net_sockets.c, _POSIX_C_SOURCE and _XOPEN_SOURCE are
+ defined to specific values. If the code is used in a context
+ where these are already defined, this can result in a compilation
+ error. Instead, assume that if they are defined, the values will
+ be adequate to build Mbed TLS.
+ * With MBEDTLS_PSA_CRYPTO_C disabled, some functions were getting built
+ nonetheless, resulting in undefined reference errors when building a
+ shared library. Reported by Guillermo Garcia M. in #4411.
+ * The cipher suite TLS-RSA-WITH-CAMELLIA-256-GCM-SHA384 was not available
+ when SHA-1 was disabled and was offered when SHA-1 was enabled but SHA-384
+ was disabled. Fix the dependency. Fixes #4472.
+ * Do not offer SHA384 cipher suites when SHA-384 is disabled. Fixes #4499.
+ * Fix test suite code on platforms where int32_t is not int, such as
+ Arm Cortex-M. Fixes #4530.
+ * Fix some issues affecting MBEDTLS_ARIA_ALT implementations: a misplaced
+ directive in a header and a missing initialization in the self-test.
+ * Fix a missing initialization in the Camellia self-test, affecting
+ MBEDTLS_CAMELLIA_ALT implementations.
+ * Restore the ability to configure PSA via Mbed TLS options to support RSA
+ key pair operations but exclude RSA key generation. When MBEDTLS_GENPRIME
+ is not defined PSA will no longer attempt to use mbedtls_rsa_gen_key().
+ Fixes #4512.
+ * Fix a regression introduced in 2.24.0 which broke (D)TLS CBC ciphersuites
+ (when the encrypt-then-MAC extension is not in use) with some ALT
+ implementations of the underlying hash (SHA-1, SHA-256, SHA-384), causing
+ the affected side to wrongly reject valid messages. Fixes #4118.
+ * Remove outdated check-config.h check that prevented implementing the
+ timing module on Mbed OS. Fixes #4633.
+ * Fix PSA_ALG_TLS12_PRF and PSA_ALG_TLS12_PSK_TO_MS being too permissive
+ about missing inputs.
+ * Fix mbedtls_net_poll() and mbedtls_net_recv_timeout() often failing with
+ MBEDTLS_ERR_NET_POLL_FAILED on Windows. Fixes #4465.
+ * Fix a resource leak in a test suite with an alternative AES
+ implementation. Fixes #4176.
+ * Fix a crash in mbedtls_mpi_debug_mpi on a bignum having 0 limbs. This
+ could notably be triggered by setting the TLS debug level to 3 or above
+ and using a Montgomery curve for the key exchange. Reported by lhuang04
+ in #4578. Fixes #4608.
+ * psa_verify_hash() was relying on implementation-specific behavior of
+ mbedtls_rsa_rsassa_pss_verify() and was causing failures in some _ALT
+ implementations. This reliance is now removed. Fixes #3990.
+ * Disallow inputs of length different from the corresponding hash when
+ signing or verifying with PSA_ALG_RSA_PSS (The PSA Crypto API mandates
+ that PSA_ALG_RSA_PSS uses the same hash throughout the algorithm.)
+ * Fix a null pointer dereference when mbedtls_mpi_exp_mod() was called with
+ A=0 represented with 0 limbs. Up to and including Mbed TLS 2.26, this bug
+ could not be triggered by code that constructed A with one of the
+ mbedtls_mpi_read_xxx functions (including in particular TLS code) since
+ those always built an mpi object with at least one limb.
+ Credit to OSS-Fuzz. Fixes #4641.
+ * Fix mbedtls_mpi_gcd(G,A,B) when the value of B is zero. This had no
+ effect on Mbed TLS's internal use of mbedtls_mpi_gcd(), but may affect
+ applications that call mbedtls_mpi_gcd() directly. Fixes #4642.
+ * The PSA API no longer allows the creation or destruction of keys with a
+ read-only lifetime. The persistence level PSA_KEY_PERSISTENCE_READ_ONLY
+ can now only be used as intended, for keys that cannot be modified through
+ normal use of the API.
+ * When MBEDTLS_PSA_CRYPTO_SPM is enabled, crypto_spe.h was not included
+ in all the right places. Include it from crypto_platform.h, which is
+ the natural place. Fixes #4649.
+ * Fix which alert is sent in some cases to conform to the
+ applicable RFC: on an invalid Finished message value, an
+ invalid max_fragment_length extension, or an
+ unsupported extension used by the server.
 Changes
 * Fix the setting of the read timeout in the DTLS sample programs.
@@ -94,6 +418,49 @@ Changes
 * Fix memsan build false positive in x509_crt.c with clang 11
 * There is ongoing work for the next release (= Mbed TLS 3.0.0 branch to be released 2021-xx-xx), including various API-breaking changes.
+ * Alternative implementations of CMAC may now opt to not support 3DES as a
+ CMAC block cipher, and still pass the CMAC self test.
+ * Remove the AES sample application programs/aes/aescrypt2 which shows
+ bad cryptographic practice. Fix #1906.
+ * Remove configs/config-psa-crypto.h, which no longer had any intended
+ differences from the default configuration, but had accidentally diverged.
+ * When building the test suites with GNU make, invoke python3 or python, not
+ python2, which is no longer supported upstream.
+ * fix build failure on MinGW toolchain when __USE_MING_ANSI_STDIO is on.
+ When that flag is on, standard GNU C printf format specifiers
+ should be used.
+ * Replace MBEDTLS_SSL_CID_PADDING_GRANULARITY and
+ MBEDTLS_SSL_TLS1_3_PADDING_GRANULARITY with a new single unified option
+ MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY. Fixes #4335.
+ * Reduce the default value of MBEDTLS_ECP_WINDOW_SIZE. This reduces RAM usage
+ during ECC operations at a negligible performance cost.
+ * mbedtls_mpi_read_binary(), mbedtls_mpi_read_binary_le() and
+ mbedtls_mpi_read_string() now construct an mbedtls_mpi object with 0 limbs
+ when their input has length 0. Note that this is an implementation detail
+ and can change at any time, so this change should be transparent, but it
+ may result in mbedtls_mpi_write_binary() or mbedtls_mpi_write_string()
+ now writing an empty string where it previously wrote one or more
+ zero digits when operating from values constructed with an mpi_read
+ function and some mpi operations.
+ * Add CMake package config generation for CMake projects consuming Mbed TLS.
+ * config.h has been split into build_info.h and mbedtls_config.h
+ build_info.h is intended to be included from C code directly, while
+ mbedtls_config.h is intended to be edited by end users wishing to
+ change the build configuration, and should generally only be included from
+ build_info.h.
+ * The handling of MBEDTLS_CONFIG_FILE has been moved into build_info.h.
+ * A config file version symbol, MBEDTLS_CONFIG_VERSION was introduced.
+ Defining it to a particular value will ensure that Mbed TLS interprets
+ the config file in a way that's compatible with the config file format
+ used by the Mbed TLS release whose MBEDTLS_VERSION_NUMBER has the same
+ value.
+ The only value supported by Mbed TLS 3.0.0 is 0x03000000.
+ * Various changes to which alert and/or error code may be returned
+ * during the TLS handshake.
+ * Implicitly add PSA_KEY_USAGE_SIGN_MESSAGE key usage policy flag when
+ PSA_KEY_USAGE_SIGN_HASH flag is set and PSA_KEY_USAGE_VERIFY_MESSAGE flag
+ when PSA_KEY_USAGE_VERIFY_HASH flag is set. This usage flag extension
+ is also applied when loading a key from storage.
 = mbed TLS 2.26.0 branch released 2021-03-08
diff --git a/ChangeLog.d/add-cmake-package-config.txt b/ChangeLog.d/add-cmake-package-config.txt
deleted file mode 100644
index 3b738169b5..0000000000
--- a/ChangeLog.d/add-cmake-package-config.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-Changes
- * Add CMake package config generation for CMake projects consuming Mbed TLS.
diff --git a/ChangeLog.d/add-missing-parenthesis.txt b/ChangeLog.d/add-missing-parenthesis.txt
deleted file mode 100644
index 9576ff3793..0000000000
--- a/ChangeLog.d/add-missing-parenthesis.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Bugfix
- * Fix a compilation error when MBEDTLS_ECP_RANDOMIZE_MXZ_ALT is
- defined. Fixes #4217.
diff --git a/ChangeLog.d/aescrypt2.txt b/ChangeLog.d/aescrypt2.txt
deleted file mode 100644
index 7ffa49eaa3..0000000000
--- a/ChangeLog.d/aescrypt2.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Changes
- * Remove the AES sample application programs/aes/aescrypt2 which shows
- bad cryptographic practice. Fix #1906.
diff --git a/ChangeLog.d/allow_alt_cmac_without_des.txt b/ChangeLog.d/allow_alt_cmac_without_des.txt
deleted file mode 100644
index 5193a9e61e..0000000000
--- a/ChangeLog.d/allow_alt_cmac_without_des.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Changes
- * Alternative implementations of CMAC may now opt to not support 3DES as a
- CMAC block cipher, and still pass the CMAC self test.
diff --git a/ChangeLog.d/alt-context-relaxation.txt b/ChangeLog.d/alt-context-relaxation.txt
deleted file mode 100644
index 10fd476192..0000000000
--- a/ChangeLog.d/alt-context-relaxation.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-Features
- * Alternative implementations of the AES, DHM, ECJPAKE, ECP, RSA and timing
- modules had undocumented constraints on their context types. These
- constraints have been relaxed.
- See docs/architecture/alternative-implementations.md for the remaining
- constraints.
diff --git a/ChangeLog.d/aria-alt.txt b/ChangeLog.d/aria-alt.txt
deleted file mode 100644
index 20aaa2b71d..0000000000
--- a/ChangeLog.d/aria-alt.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Bugfix
- * Fix some issues affecting MBEDTLS_ARIA_ALT implementations: a misplaced
- directive in a header and a missing initialization in the self-test.
- * Fix a missing initialization in the Camellia self-test, affecting
- MBEDTLS_CAMELLIA_ALT implementations.
diff --git a/ChangeLog.d/cipher-delayed-output.txt b/ChangeLog.d/cipher-delayed-output.txt
deleted file mode 100644
index 4ca3a0cc0a..0000000000
--- a/ChangeLog.d/cipher-delayed-output.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-API changes
- * For multi-part AEAD operations with the cipher module, calling
- mbedtls_cipher_finish() is now mandatory. Previously the documentation
- was unclear on this point, and this function happened to never do
- anything with the currently implemented AEADs, so in practice it was
- possible to skip calling it, which is no longer supported.
diff --git a/ChangeLog.d/ciphersuite-sha1-sha384-guard.txt b/ChangeLog.d/ciphersuite-sha1-sha384-guard.txt
deleted file mode 100644
index d253f349a5..0000000000
--- a/ChangeLog.d/ciphersuite-sha1-sha384-guard.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Bugfix
- * The cipher suite TLS-RSA-WITH-CAMELLIA-256-GCM-SHA384 was not available
- when SHA-1 was disabled and was offered when SHA-1 was enabled but SHA-384
- was disabled. Fix the dependency. Fixes #4472.
diff --git a/ChangeLog.d/ciphersuite-sha384-guard.txt b/ChangeLog.d/ciphersuite-sha384-guard.txt
deleted file mode 100644
index 0ddf463ebc..0000000000
--- a/ChangeLog.d/ciphersuite-sha384-guard.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-Bugfix
- * Do not offer SHA384 cipher suites when SHA-384 is disabled. Fixes #4499.
diff --git a/ChangeLog.d/default-curves.txt b/ChangeLog.d/default-curves.txt
deleted file mode 100644
index bfb0fd0e03..0000000000
--- a/ChangeLog.d/default-curves.txt
+++ /dev/null
@@ -1,9 +0,0 @@
-Default behavior changes
- * Some default policies for X.509 certificate verification and TLS have
- changed: curves and hashes weaker than 255 bits are no longer accepted
- by default. The default order in TLS now favors faster curves over larger
- curves.
-
-Removals
- * Remove the compile-time option
- MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE.
diff --git a/ChangeLog.d/dhm-fields.txt b/ChangeLog.d/dhm-fields.txt
deleted file mode 100644
index 4d5c751fba..0000000000
--- a/ChangeLog.d/dhm-fields.txt
+++ /dev/null
@@ -1,9 +0,0 @@
-Features
- * The new functions mbedtls_dhm_get_len() and mbedtls_dhm_get_bitlen()
- query the size of the modulus in a Diffie-Hellman context.
- * The new function mbedtls_dhm_get_value() copy a field out of a
- Diffie-Hellman context.
-
-API changes
- * Instead of accessing the len field of a DHM context, which is no longer
- supported, use the new function mbedtls_dhm_get_len() .
diff --git a/ChangeLog.d/dhm_min_bitlen.txt b/ChangeLog.d/dhm_min_bitlen.txt
deleted file mode 100644
index e7ea827302..0000000000
--- a/ChangeLog.d/dhm_min_bitlen.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Bugfix
- * In a TLS client, enforce the Diffie-Hellman minimum parameter size
- set with mbedtls_ssl_conf_dhm_min_bitlen() precisely. Before, the
- minimum size was rounded down to the nearest multiple of 8.
diff --git a/ChangeLog.d/ecdsa-random-leading-zeros.txt b/ChangeLog.d/ecdsa-random-leading-zeros.txt
deleted file mode 100644
index cbc674bd48..0000000000
--- a/ChangeLog.d/ecdsa-random-leading-zeros.txt
+++ /dev/null
@@ -1,7 +0,0 @@
-Security
-* Fix a potential side channel vulnerability in ECDSA ephemeral key generation.
- An adversary who is capable of very precise timing measurements could
- learn partial information about the leading bits of the nonce used for the
- signature, allowing the recovery of the private key after observing a
- large number of signature operations. This completes a partial fix in
- Mbed TLS 2.20.0.
diff --git a/ChangeLog.d/ecjpake-point_format.txt b/ChangeLog.d/ecjpake-point_format.txt
deleted file mode 100644
index 6e05b23393..0000000000
--- a/ChangeLog.d/ecjpake-point_format.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Features
- * Use the new function mbedtls_ecjpake_set_point_format() to select the
- point format for ECJPAKE instead of accessing the point_format field
- directly, which is no longer supported.
diff --git a/ChangeLog.d/ecp-window-size.txt b/ChangeLog.d/ecp-window-size.txt
deleted file mode 100644
index 909d4e8a42..0000000000
--- a/ChangeLog.d/ecp-window-size.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Changes
- * Reduce the default value of MBEDTLS_ECP_WINDOW_SIZE. This reduces RAM usage
- during ECC operations at a negligible performance cost.
diff --git a/ChangeLog.d/ecp_max_bits.txt b/ChangeLog.d/ecp_max_bits.txt
deleted file mode 100644
index b952469196..0000000000
--- a/ChangeLog.d/ecp_max_bits.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Removals
- * MBEDTLS_ECP_MAX_BITS is no longer a configuration option because it is
- now determined automatically based on supported curves.
diff --git a/ChangeLog.d/fix-mingw-build.txt b/ChangeLog.d/fix-mingw-build.txt
deleted file mode 100644
index 383b1c7fd4..0000000000
--- a/ChangeLog.d/fix-mingw-build.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Changes
- * fix build failure on MinGW toolchain when __USE_MING_ANSI_STDIO is on.
- When that flag is on, standard GNU C printf format specifiers
- should be used.
-
diff --git a/ChangeLog.d/fix-pk-parse-key-error-code.txt b/ChangeLog.d/fix-pk-parse-key-error-code.txt
deleted file mode 100644
index 3aa330b1a5..0000000000
--- a/ChangeLog.d/fix-pk-parse-key-error-code.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-Bugfix
- * Fix an incorrect error code when parsing a PKCS#8 private key.
diff --git a/ChangeLog.d/fix-rsa-leak.txt b/ChangeLog.d/fix-rsa-leak.txt
deleted file mode 100644
index b7d3e3e758..0000000000
--- a/ChangeLog.d/fix-rsa-leak.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-Security
- * An adversary with access to precise enough information about memory
- accesses (typically, an untrusted operating system attacking a secure
- enclave) could recover an RSA private key after observing the victim
- performing a single private-key operation. Found and reported by
- Zili KOU, Wenjian HE, Sharad Sinha, and Wei ZHANG.
diff --git a/ChangeLog.d/fix-ssl-cf-hmac-alt.txt b/ChangeLog.d/fix-ssl-cf-hmac-alt.txt
deleted file mode 100644
index 57ffa02e2a..0000000000
--- a/ChangeLog.d/fix-ssl-cf-hmac-alt.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Bugfix
- * Fix a regression introduced in 2.24.0 which broke (D)TLS CBC ciphersuites
- (when the encrypt-then-MAC extension is not in use) with some ALT
- implementations of the underlying hash (SHA-1, SHA-256, SHA-384), causing
- the affected side to wrongly reject valid messages. Fixes #4118.
diff --git a/ChangeLog.d/fix_tls_alert_codes.txt b/ChangeLog.d/fix_tls_alert_codes.txt
deleted file mode 100644
index 10235d7bc3..0000000000
--- a/ChangeLog.d/fix_tls_alert_codes.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Bugfix
- * Fix which alert is sent in some cases to conform to the
- applicable RFC: on an invalid Finished message value, an
- invalid max_fragment_length extension, or an
- unsupported extension used by the server.
diff --git a/ChangeLog.d/gcm-update.txt b/ChangeLog.d/gcm-update.txt
deleted file mode 100644
index 858bd0a734..0000000000
--- a/ChangeLog.d/gcm-update.txt
+++ /dev/null
@@ -1,19 +0,0 @@
-API changes
- * The interface of the GCM module has changed to remove restrictions on
- how the input to multipart operations is broken down. mbedtls_gcm_finish()
- now takes an extra output parameter for the last partial output block.
- mbedtls_gcm_update() now takes extra parameters for the output length.
- The software implementation always produces the full output at each
- call to mbedtls_gcm_update(), but alternative implementations activated
- by MBEDTLS_GCM_ALT may delay partial blocks to the next call to
- mbedtls_gcm_update() or mbedtls_gcm_finish(). Furthermore, applications
- no longer pass the associated data to mbedtls_gcm_starts(), but to the
- new function mbedtls_gcm_update_ad().
- These changes are backward compatible for users of the cipher API.
-
-Features
- * The multi-part GCM interface (mbedtls_gcm_update() or
- mbedtls_cipher_update()) no longer requires the size of partial inputs to
- be a multiple of 16.
- * The multi-part GCM interface now supports chunked associated data through
- multiple calls to mbedtls_gcm_update_ad().
diff --git a/ChangeLog.d/host_test-int32.txt b/ChangeLog.d/host_test-int32.txt
deleted file mode 100644
index 60ef8e9702..0000000000
--- a/ChangeLog.d/host_test-int32.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Bugfix
- * Fix test suite code on platforms where int32_t is not int, such as
- Arm Cortex-M. Fixes #4530.
diff --git a/ChangeLog.d/implicit_key_usage_policy.txt b/ChangeLog.d/implicit_key_usage_policy.txt
deleted file mode 100644
index ee33ecb7b6..0000000000
--- a/ChangeLog.d/implicit_key_usage_policy.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Changes
- * Implicitly add PSA_KEY_USAGE_SIGN_MESSAGE key usage policy flag when
- PSA_KEY_USAGE_SIGN_HASH flag is set and PSA_KEY_USAGE_VERIFY_MESSAGE flag
- when PSA_KEY_USAGE_VERIFY_HASH flag is set. This usage flag extension
- is also applied when loading a key from storage.
diff --git a/ChangeLog.d/issue4036.txt b/ChangeLog.d/issue4036.txt
deleted file mode 100644
index 7009496235..0000000000
--- a/ChangeLog.d/issue4036.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Default behavior changes
- * Enable by default the functionalities which have no reason to be disabled.
- They are: ARIA block cipher, CMAC mode, elliptic curve J-PAKE library and
- Key Wrapping mode as defined in NIST SP 800-38F. Fixes #4036.
-
diff --git a/ChangeLog.d/issue4055.txt b/ChangeLog.d/issue4055.txt
deleted file mode 100644
index e9bd1d14e1..0000000000
--- a/ChangeLog.d/issue4055.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-API changes
- * The function mbedtls_x509write_csr_set_extension() has an extra parameter
- which allows to mark an extension as critical. Fixes #4055.
diff --git a/ChangeLog.d/issue4083.txt b/ChangeLog.d/issue4083.txt
deleted file mode 100644
index 845733702f..0000000000
--- a/ChangeLog.d/issue4083.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Removals
- * Remove the following functions: mbedtls_timing_self_test(),
- mbedtls_hardclock_poll(), mbedtls_timing_hardclock() and
- mbedtls_set_alarm(). Fixes #4083.
diff --git a/ChangeLog.d/issue4084.txt b/ChangeLog.d/issue4084.txt
deleted file mode 100644
index 75273c1bdc..0000000000
--- a/ChangeLog.d/issue4084.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Removals
- * Remove all support for MD2, MD4, RC4, Blowfish and XTEA. This removes the
- corresponding modules and all their APIs and related configuration
- options. Fixes #4084.
diff --git a/ChangeLog.d/issue4128.txt b/ChangeLog.d/issue4128.txt
deleted file mode 100644
index bc41874fd4..0000000000
--- a/ChangeLog.d/issue4128.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-API changes
- * The option MBEDTLS_ECP_FIXED_POINT_OPTIM use pre-computed comb tables
- instead of computing tables in runtime. Thus, this option now increase
- code size, and it does not increase RAM usage in runtime anymore.
diff --git a/ChangeLog.d/issue4176.txt b/ChangeLog.d/issue4176.txt
deleted file mode 100644
index ddca37f9be..0000000000
--- a/ChangeLog.d/issue4176.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Bugfix
- * Fix a resource leak in a test suite with an alternative AES
- implementation. Fixes #4176.
diff --git a/ChangeLog.d/issue4212.txt b/ChangeLog.d/issue4212.txt
deleted file mode 100644
index 9e72ca9d77..0000000000
--- a/ChangeLog.d/issue4212.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-API changes
- * In modules that implement cryptographic hash functions, many functions
- mbedtls_xxx() now return int instead of void, and the corresponding
- function mbedtls_xxx_ret() which was identical except for returning int
- has been removed. This also concerns mbedtls_xxx_drbg_update(). See the
- migration guide for more information. Fixes #4212.
diff --git a/ChangeLog.d/issue4282.txt b/ChangeLog.d/issue4282.txt
deleted file mode 100644
index 685f64df40..0000000000
--- a/ChangeLog.d/issue4282.txt
+++ /dev/null
@@ -1,13 +0,0 @@
-Removals
- * Remove the following deprecated functions and constants of hex-encoded
- primes based on RFC 5114 and RFC 3526 from library code and tests:
- mbedtls_aes_encrypt(), mbedtls_aes_decrypt(), mbedtls_mpi_is_prime(),
- mbedtls_cipher_auth_encrypt(), mbedtls_cipher_auth_decrypt(),
- mbedtls_ctr_drbg_update(), mbedtls_hmac_drbg_update(),
- mbedtls_ecdsa_write_signature_det(), mbedtls_ecdsa_sign_det(),
- mbedtls_ssl_conf_dh_param(), mbedtls_ssl_get_max_frag_len(),
- MBEDTLS_DHM_RFC5114_MODP_2048_P, MBEDTLS_DHM_RFC5114_MODP_2048_G,
- MBEDTLS_DHM_RFC3526_MODP_2048_P, MBEDTLS_DHM_RFC3526_MODP_2048_G,
- MBEDTLS_DHM_RFC3526_MODP_3072_P, MBEDTLS_DHM_RFC3526_MODP_3072_G,
- MBEDTLS_DHM_RFC3526_MODP_4096_P, MBEDTLS_DHM_RFC3526_MODP_4096_G.
- Remove the deprecated file: include/mbedtls/net.h. Fixes #4282.
diff --git a/ChangeLog.d/issue4286.txt b/ChangeLog.d/issue4286.txt
deleted file mode 100644
index 75d2f0928f..0000000000
--- a/ChangeLog.d/issue4286.txt
+++ /dev/null
@@ -1,10 +0,0 @@
-Removals
- * Remove support for TLS 1.0, TLS 1.1 and DTLS 1.0, as well as support for
- CBC record splitting, fallback SCSV, and the ability to configure
- ciphersuites per version, which are no longer relevant. This removes the
- configuration options MBEDTLS_SSL_PROTO_TLS1,
- MBEDTLS_SSL_PROTO_TLS1_1, MBEDTLS_SSL_CBC_RECORD_SPLITTING and
- MBEDTLS_SSL_FALLBACK_SCSV as well as the functions
- mbedtls_ssl_conf_cbc_record_splitting(),
- mbedtls_ssl_get_key_exchange_md_ssl_tls(), mbedtls_ssl_conf_fallback(),
- and mbedtls_ssl_conf_ciphersuites_for_version(). Fixes #4286.
diff --git a/ChangeLog.d/issue4313.txt b/ChangeLog.d/issue4313.txt
deleted file mode 100644
index 1fb61234be..0000000000
--- a/ChangeLog.d/issue4313.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Removals
- * Remove the following macros: MBEDTLS_CHECK_PARAMS,
- MBEDTLS_CHECK_PARAMS_ASSERT, MBEDTLS_PARAM_FAILED,
- MBEDTLS_PARAM_FAILED_ALT. Fixes #4313.
diff --git a/ChangeLog.d/issue4335.txt b/ChangeLog.d/issue4335.txt
deleted file mode 100644
index fe9b7affa6..0000000000
--- a/ChangeLog.d/issue4335.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Changes
- * Replace MBEDTLS_SSL_CID_PADDING_GRANULARITY and
- MBEDTLS_SSL_TLS1_3_PADDING_GRANULARITY with a new single unified option
- MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY. Fixes #4335.
diff --git a/ChangeLog.d/issue4361.txt b/ChangeLog.d/issue4361.txt
deleted file mode 100644
index f1dbb3f195..0000000000
--- a/ChangeLog.d/issue4361.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Removals
- * Remove the MBEDTLS_SSL_RECORD_CHECKING option and enable by default its
- previous action. Fixes #4361.
diff --git a/ChangeLog.d/issue4367.txt b/ChangeLog.d/issue4367.txt
deleted file mode 100644
index 9012fc062c..0000000000
--- a/ChangeLog.d/issue4367.txt
+++ /dev/null
@@ -1,13 +0,0 @@
-Removals
- * Remove all the 3DES ciphersuites:
- MBEDTLS_TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA,
- MBEDTLS_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
- MBEDTLS_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
- MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA,
- MBEDTLS_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
- MBEDTLS_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
- MBEDTLS_TLS_PSK_WITH_3DES_EDE_CBC_SHA,
- MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA,
- MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA. Remove the
- MBEDTLS_REMOVE_3DES_CIPHERSUITES option which is no longer relevant.
- Fixes #4367.
diff --git a/ChangeLog.d/issue4378.txt b/ChangeLog.d/issue4378.txt
deleted file mode 100644
index 9a7522b3ab..0000000000
--- a/ChangeLog.d/issue4378.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Removals
- * Remove the MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION config.h
- option. The mbedtls_x509_crt_parse_der_with_ext_cb() is the way to go for
- migration path. Fixes #4378.
diff --git a/ChangeLog.d/issue4386.txt b/ChangeLog.d/issue4386.txt
deleted file mode 100644
index 9e61fdba23..0000000000
--- a/ChangeLog.d/issue4386.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Removals
- * Remove the MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3 option and let the code
- behave as if it was always disabled. Fixes #4386.
diff --git a/ChangeLog.d/issue4398.txt b/ChangeLog.d/issue4398.txt
deleted file mode 100644
index b7f241391e..0000000000
--- a/ChangeLog.d/issue4398.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-API changes
- * Replace MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE by a runtime
- configuration function mbedtls_ssl_conf_preference_order(). Fixes #4398.
diff --git a/ChangeLog.d/issue4403.txt b/ChangeLog.d/issue4403.txt
deleted file mode 100644
index 08ac60e699..0000000000
--- a/ChangeLog.d/issue4403.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-Removals
- * Remove the MBEDTLS_SSL_DTLS_BADMAC_LIMIT config.h option. Fixes #4403.
diff --git a/ChangeLog.d/issue4405.txt b/ChangeLog.d/issue4405.txt
deleted file mode 100644
index c36aefa154..0000000000
--- a/ChangeLog.d/issue4405.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Removals
- * Remove the MBEDTLS_X509_CHECK_KEY_USAGE and
- MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE config.h options and let the code
- behave as if they were always enabled. Fixes #4405.
diff --git a/ChangeLog.d/key-export.txt b/ChangeLog.d/key-export.txt
deleted file mode 100644
index 2fc01a4c52..0000000000
--- a/ChangeLog.d/key-export.txt
+++ /dev/null
@@ -1,10 +0,0 @@
-API changes
- * mbedtls_ssl_conf_export_keys_ext_cb() and
- mbedtls_ssl_conf_export_keys_cb() have been removed and
- replaced by a new API mbedtls_ssl_set_export_keys_cb().
- Raw keys and IVs are no longer passed to the callback.
- Further, callbacks now receive an additional parameter
- indicating the type of secret that's being exported,
- paving the way for the larger number of secrets
- in TLS 1.3. Finally, the key export callback and
- context are now connection-specific.
diff --git a/ChangeLog.d/make-generate-tests-python.txt b/ChangeLog.d/make-generate-tests-python.txt
deleted file mode 100644
index 4b9009d6f8..0000000000
--- a/ChangeLog.d/make-generate-tests-python.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Changes
- * When building the test suites with GNU make, invoke python3 or python, not
- python2, which is no longer supported upstream.
diff --git a/ChangeLog.d/mandatory-rng-param.txt b/ChangeLog.d/mandatory-rng-param.txt
deleted file mode 100644
index 39ee335339..0000000000
--- a/ChangeLog.d/mandatory-rng-param.txt
+++ /dev/null
@@ -1,14 +0,0 @@
-API changes
- * For all functions that take a random number generator (RNG) as a
- parameter, this parameter is now mandatory (that is, NULL is not an
- acceptable value). Functions which previously accepted NULL and now
- reject it are: the X.509 CRT and CSR writing functions; the PK and RSA
- sign and decrypt function; mbedtls_rsa_private(); the functions
- in DHM and ECDH that compute the shared secret; the scalar multiplication
- functions in ECP.
- * The following functions now require an RNG parameter:
- mbedtls_ecp_check_pub_priv(), mbedtls_pk_check_pair(),
- mbedtls_pk_parse_key(), mbedtls_pk_parse_keyfile().
-Removals
- * The configuration option MBEDTLS_ECP_NO_INTERNAL_RNG has been removed as
- it no longer had any effect.
diff --git a/ChangeLog.d/max-record-payload-api.txt b/ChangeLog.d/max-record-payload-api.txt
deleted file mode 100644
index 02b47e4e1b..0000000000
--- a/ChangeLog.d/max-record-payload-api.txt
+++ /dev/null
@@ -1,9 +0,0 @@
-API changes
- * Remove the SSL APIs mbedtls_ssl_get_input_max_frag_len() and
- mbedtls_ssl_get_output_max_frag_len(), and add a new API
- mbedtls_ssl_get_max_in_record_payload(), complementing the existing
- mbedtls_ssl_get_max_out_record_payload().
- Uses of mbedtls_ssl_get_input_max_frag_len() and
- mbedtls_ssl_get_input_max_frag_len() should be replaced by
- mbedtls_ssl_get_max_in_record_payload() and
- mbedtls_ssl_get_max_out_record_payload(), respectively.
diff --git a/ChangeLog.d/mbed-can-do-timing.txt b/ChangeLog.d/mbed-can-do-timing.txt
deleted file mode 100644
index d83da02432..0000000000
--- a/ChangeLog.d/mbed-can-do-timing.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Bugfix
- * Remove outdated check-config.h check that prevented implementing the
- timing module on Mbed OS. Fixes #4633.
diff --git a/ChangeLog.d/mbedtls_debug_print_mpi.txt b/ChangeLog.d/mbedtls_debug_print_mpi.txt
deleted file mode 100644
index d1b4f5b415..0000000000
--- a/ChangeLog.d/mbedtls_debug_print_mpi.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Bugfix
- * Fix a crash in mbedtls_mpi_debug_mpi on a bignum having 0 limbs. This
- could notably be triggered by setting the TLS debug level to 3 or above
- and using a Montgomery curve for the key exchange. Reported by lhuang04
- in #4578. Fixes #4608.
diff --git a/ChangeLog.d/mpi_exp_mod-zero.txt b/ChangeLog.d/mpi_exp_mod-zero.txt
deleted file mode 100644
index 9df9031a91..0000000000
--- a/ChangeLog.d/mpi_exp_mod-zero.txt
+++ /dev/null
@@ -1,7 +0,0 @@
-Bugfix
- * Fix a null pointer dereference when mbedtls_mpi_exp_mod() was called with
- A=0 represented with 0 limbs. Up to and including Mbed TLS 2.26, this bug
- could not be triggered by code that constructed A with one of the
- mbedtls_mpi_read_xxx functions (including in particular TLS code) since
- those always built an mpi object with at least one limb.
- Credit to OSS-Fuzz. Fixes #4641.
diff --git a/ChangeLog.d/mpi_gcd-0.txt b/ChangeLog.d/mpi_gcd-0.txt
deleted file mode 100644
index 41e11e1f6b..0000000000
--- a/ChangeLog.d/mpi_gcd-0.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Bugfix
- * Fix mbedtls_mpi_gcd(G,A,B) when the value of B is zero. This had no
- effect on Mbed TLS's internal use of mbedtls_mpi_gcd(), but may affect
- applications that call mbedtls_mpi_gcd() directly. Fixes #4642.
diff --git a/ChangeLog.d/mpi_random.txt b/ChangeLog.d/mpi_random.txt
deleted file mode 100644
index 9e6a416239..0000000000
--- a/ChangeLog.d/mpi_random.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Features
- * The new function mbedtls_mpi_random() generates a random value in a
- given range uniformly.
diff --git a/ChangeLog.d/mpi_read_zero.txt b/ChangeLog.d/mpi_read_zero.txt
deleted file mode 100644
index 0c25159d94..0000000000
--- a/ChangeLog.d/mpi_read_zero.txt
+++ /dev/null
@@ -1,9 +0,0 @@
-Changes
- * mbedtls_mpi_read_binary(), mbedtls_mpi_read_binary_le() and
- mbedtls_mpi_read_string() now construct an mbedtls_mpi object with 0 limbs
- when their input has length 0. Note that this is an implementation detail
- and can change at any time, so this change should be transparent, but it
- may result in mbedtls_mpi_write_binary() or mbedtls_mpi_write_string()
- now writing an empty string where it previously wrote one or more
- zero digits when operating from values constructed with an mpi_read
- function and some mpi operations.
diff --git a/ChangeLog.d/no-generated-files.txt b/ChangeLog.d/no-generated-files.txt
deleted file mode 100644
index 0f9648a99e..0000000000
--- a/ChangeLog.d/no-generated-files.txt
+++ /dev/null
@@ -1,7 +0,0 @@
-Requirement changes
- * If you build the development version of Mbed TLS, rather than an official
- release, some configuration-independent files are now generated at build
- time rather than checked into source control. This includes some library
- source files as well as the Visual Studio solution. Perl, Python 3 and a
- C compiler for the host platform are required. See “Generated source files
- in the development branch” in README.md for more information.
diff --git a/ChangeLog.d/one-shot-mac.txt b/ChangeLog.d/one-shot-mac.txt
deleted file mode 100644
index 112891decc..0000000000
--- a/ChangeLog.d/one-shot-mac.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Features
- * Implement psa_mac_compute() and psa_mac_verify() as defined in the
- PSA Cryptograpy API 1.0.0 specification.
diff --git a/ChangeLog.d/one-shot_cipher_functions.txt b/ChangeLog.d/one-shot_cipher_functions.txt
deleted file mode 100644
index 3bb85e10dc..0000000000
--- a/ChangeLog.d/one-shot_cipher_functions.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-API changes
- * Implement one-shot cipher functions, psa_cipher_encrypt and
- psa_cipher_decrypt, according to the PSA Crypto API 1.0.0
- specification.
diff --git a/ChangeLog.d/out_size.txt b/ChangeLog.d/out_size.txt
deleted file mode 100644
index 721bf6aad6..0000000000
--- a/ChangeLog.d/out_size.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-API changes
- * The functions mbedtls_pk_sign(), mbedtls_pk_sign_restartable(),
- mbedtls_ecdsa_write_signature() and
- mbedtls_ecdsa_write_signature_restartable() now take an extra parameter
- indicating the size of the output buffer for the signature.
diff --git a/ChangeLog.d/posix-define.txt b/ChangeLog.d/posix-define.txt
deleted file mode 100644
index 98cf2d0122..0000000000
--- a/ChangeLog.d/posix-define.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-Bugfix
- * In library/net_sockets.c, _POSIX_C_SOURCE and _XOPEN_SOURCE are
- defined to specific values. If the code is used in a context
- where these are already defined, this can result in a compilation
- error. Instead, assume that if they are defined, the values will
- be adequate to build Mbed TLS.
diff --git a/ChangeLog.d/private-fields.txt b/ChangeLog.d/private-fields.txt
deleted file mode 100644
index 10b9a594af..0000000000
--- a/ChangeLog.d/private-fields.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-API changes
- * Direct access to fields of structures declared in public headers is no
- longer supported except for fields that are documented public. Use accessor
- functions instead. For more information, see the migration guide entry
- "Most structure fields are now private".
diff --git a/ChangeLog.d/psa-aead-output-size-macros-1.0.txt b/ChangeLog.d/psa-aead-output-size-macros-1.0.txt
deleted file mode 100644
index 22756f1a5b..0000000000
--- a/ChangeLog.d/psa-aead-output-size-macros-1.0.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-API changes
- * Update AEAD output size macros to bring them in line with the PSA Crypto
- API version 1.0 spec. This version of the spec parameterizes them on the
- key type used, as well as the key bit-size in the case of
- PSA_AEAD_TAG_LENGTH.
diff --git a/ChangeLog.d/psa-builtin-keys-implementation.txt b/ChangeLog.d/psa-builtin-keys-implementation.txt
deleted file mode 100644
index 66ba77d07e..0000000000
--- a/ChangeLog.d/psa-builtin-keys-implementation.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Features
- * Added support for built-in driver keys through the PSA opaque crypto
- driver interface. Refer to the documentation of
- MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS for more information.
diff --git a/ChangeLog.d/psa-read-only-keys.txt b/ChangeLog.d/psa-read-only-keys.txt
deleted file mode 100644
index a4a282373f..0000000000
--- a/ChangeLog.d/psa-read-only-keys.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Bugfix
- * The PSA API no longer allows the creation or destruction of keys with a
- read-only lifetime. The persistence level PSA_KEY_PERSISTENCE_READ_ONLY
- can now only be used as intended, for keys that cannot be modified through
- normal use of the API.
diff --git a/ChangeLog.d/psa-rsa-verify-alt-fix.txt b/ChangeLog.d/psa-rsa-verify-alt-fix.txt
deleted file mode 100644
index 74804caf7a..0000000000
--- a/ChangeLog.d/psa-rsa-verify-alt-fix.txt
+++ /dev/null
@@ -1,7 +0,0 @@
-Bugfix
- * psa_verify_hash() was relying on implementation-specific behavior of
- mbedtls_rsa_rsassa_pss_verify() and was causing failures in some _ALT
- implementations. This reliance is now removed. Fixes #3990.
- * Disallow inputs of length different from the corresponding hash when
- signing or verifying with PSA_ALG_RSA_PSS (The PSA Crypto API mandates
- that PSA_ALG_RSA_PSS uses the same hash throughout the algorithm.)
diff --git a/ChangeLog.d/psa-without-genprime-fix.txt b/ChangeLog.d/psa-without-genprime-fix.txt
deleted file mode 100644
index 8a7153a9cd..0000000000
--- a/ChangeLog.d/psa-without-genprime-fix.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Bugfix
- * Restore the ability to configure PSA via Mbed TLS options to support RSA
- key pair operations but exclude RSA key generation. When MBEDTLS_GENPRIME
- is not defined PSA will no longer attempt to use mbedtls_rsa_gen_key().
- Fixes #4512.
diff --git a/ChangeLog.d/psa_key_derivation-bad_workflow.txt b/ChangeLog.d/psa_key_derivation-bad_workflow.txt
deleted file mode 100644
index 7fd03e6c9e..0000000000
--- a/ChangeLog.d/psa_key_derivation-bad_workflow.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Bugfix
- * Fix PSA_ALG_TLS12_PRF and PSA_ALG_TLS12_PSK_TO_MS being too permissive
- about missing inputs.
diff --git a/ChangeLog.d/psa_sign_message.txt b/ChangeLog.d/psa_sign_message.txt
deleted file mode 100644
index 2d77ec054e..0000000000
--- a/ChangeLog.d/psa_sign_message.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-Features
- * Implement psa_sign_message() and psa_verify_message().
diff --git a/ChangeLog.d/random-range.txt b/ChangeLog.d/random-range.txt
deleted file mode 100644
index dc35ec6c66..0000000000
--- a/ChangeLog.d/random-range.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Security
-* Fix a bias in the generation of finite-field Diffie-Hellman-Merkle (DHM)
- private keys and of blinding values for DHM and elliptic curves (ECP)
- computations. Reported by FlorianF89 in #4245.
diff --git a/ChangeLog.d/reject-low-order-points-early.txt b/ChangeLog.d/reject-low-order-points-early.txt
deleted file mode 100644
index eb735697a9..0000000000
--- a/ChangeLog.d/reject-low-order-points-early.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-Security
- * An adversary with access to precise enough timing information (typically, a
- co-located process) could recover a Curve25519 or Curve448 static ECDH key
- after inputting a chosen public key and observing the victim performing the
- corresponding private-key operation. Found and reported by Leila Batina,
- Lukas Chmielewski, Björn Haase, Niels Samwel and Peter Schwabe.
diff --git a/ChangeLog.d/relaxed-psk-semantics.txt b/ChangeLog.d/relaxed-psk-semantics.txt
deleted file mode 100644
index 418ff6fcb7..0000000000
--- a/ChangeLog.d/relaxed-psk-semantics.txt
+++ /dev/null
@@ -1,7 +0,0 @@
-API changes
- * Modify semantics of `mbedtls_ssl_conf_[opaque_]psk()`:
- In Mbed TLS 2.X, the API prescribes that later calls overwrite
- the effect of earlier calls. In Mbed TLS 3.0, calling
- `mbedtls_ssl_conf_[opaque_]psk()` more than once will fail,
- leaving the PSK that was configured first intact.
- Support for more than one PSK may be added in 3.X.
diff --git a/ChangeLog.d/remove-config-psa-crypto.txt b/ChangeLog.d/remove-config-psa-crypto.txt
deleted file mode 100644
index eb7cc504c2..0000000000
--- a/ChangeLog.d/remove-config-psa-crypto.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Changes
- * Remove configs/config-psa-crypto.h, which no longer had any intended
- differences from the default configuration, but had accidentally diverged.
diff --git a/ChangeLog.d/remove-enable-weak-ciphersuites.txt b/ChangeLog.d/remove-enable-weak-ciphersuites.txt
deleted file mode 100644
index 97f63ebb8a..0000000000
--- a/ChangeLog.d/remove-enable-weak-ciphersuites.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-Removals
- * Remove MBEDTLS_ENABLE_WEAK_CIPHERSUITES configuration option. Fixes #4416.
diff --git a/ChangeLog.d/remove-max-content-len.txt b/ChangeLog.d/remove-max-content-len.txt
deleted file mode 100644
index b7607e6c6b..0000000000
--- a/ChangeLog.d/remove-max-content-len.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Removals
- * Remove MBEDTLS_SSL_MAX_CONTENT_LEN configuration option, since
- MBEDTLS_SSL_IN_CONTENT_LEN and MBEDTLS_SSL_OUT_CONTENT_LEN replace
- it. Fixes #4362.
diff --git a/ChangeLog.d/remove-rsa-mode-parameter.txt b/ChangeLog.d/remove-rsa-mode-parameter.txt
deleted file mode 100644
index 2590d3a949..0000000000
--- a/ChangeLog.d/remove-rsa-mode-parameter.txt
+++ /dev/null
@@ -1,8 +0,0 @@
-Removals
- * The RSA module no longer supports private-key operations with the public
- key and vice versa.
-API changes
- * Remove the mode parameter from RSA operation functions. Signature and
- decryption functions now always use the private key and verification and
- encryption use the public key. Verification functions also no longer have
- RNG parameters.
diff --git a/ChangeLog.d/remove_null_entropy.txt b/ChangeLog.d/remove_null_entropy.txt
deleted file mode 100644
index 3d9674b45f..0000000000
--- a/ChangeLog.d/remove_null_entropy.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-API changes
- * Remove the MBEDTLS_TEST_NULL_ENTROPY config option. Fixes #4388.
diff --git a/ChangeLog.d/require-matching-hashlen-rsa.txt b/ChangeLog.d/require-matching-hashlen-rsa.txt
deleted file mode 100644
index 096b577b59..0000000000
--- a/ChangeLog.d/require-matching-hashlen-rsa.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-API changes
- * Signature functions in the RSA and PK modules now require the hash
- length parameter to be the size of the hash input. For RSA signatures
- other than raw PKCS#1 v1.5, this must match the output size of the
- specified hash algorithm.
diff --git a/ChangeLog.d/rm-ecdh-legacy-context-option.txt b/ChangeLog.d/rm-ecdh-legacy-context-option.txt
deleted file mode 100644
index d5a527b94a..0000000000
--- a/ChangeLog.d/rm-ecdh-legacy-context-option.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Removals
- * Remove MBEDTLS_ECDH_LEGACY_CONTEXT config option since this was purely for
- backward compatibility which is no longer supported. Addresses #4404.
diff --git a/ChangeLog.d/rm-ticket-lifetime-option.txt b/ChangeLog.d/rm-ticket-lifetime-option.txt
deleted file mode 100644
index 4851512f87..0000000000
--- a/ChangeLog.d/rm-ticket-lifetime-option.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Removals
- * Remove the MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
- compile-time option. This option has been inactive for a long time.
- Please use the `lifetime` parameter of `mbedtls_ssl_ticket_setup()`
- instead.
diff --git a/ChangeLog.d/rm-truncated-hmac-ext.txt b/ChangeLog.d/rm-truncated-hmac-ext.txt
deleted file mode 100644
index 3739256957..0000000000
--- a/ChangeLog.d/rm-truncated-hmac-ext.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Removals
- * Remove MBEDTLS_SSL_TRUNCATED_HMAC and also remove
- MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT config option. Users are better served by
- using a CCM-8 ciphersuite than a CBC ciphersuite with truncated HMAC.
- See issue #4341 for more details.
diff --git a/ChangeLog.d/rsa-padding.txt b/ChangeLog.d/rsa-padding.txt
deleted file mode 100644
index 5f9c11f717..0000000000
--- a/ChangeLog.d/rsa-padding.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-API changes
- * mbedtls_rsa_init() now always selects the PKCS#1v1.5 encoding for an RSA
- key. To use an RSA key with PSS or OAEP, call mbedtls_rsa_set_padding()
- after initializing the context. mbedtls_rsa_set_padding() now returns an
- error if its parameters are invalid.
diff --git a/ChangeLog.d/session-cache-api.txt b/ChangeLog.d/session-cache-api.txt
deleted file mode 100644
index 75cc9438f8..0000000000
--- a/ChangeLog.d/session-cache-api.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-API changes
- * The getter and setter API of the SSL session cache (used for
- session-ID based session resumption) has changed to that of
- a key-value store with keys being session IDs and values
- being opaque instances of `mbedtls_ssl_session`.
diff --git a/ChangeLog.d/sha224_sha384.txt b/ChangeLog.d/sha224_sha384.txt
deleted file mode 100644
index f60ea563e7..0000000000
--- a/ChangeLog.d/sha224_sha384.txt
+++ /dev/null
@@ -1,7 +0,0 @@
-API changes
- * Replace MBEDTLS_SHA512_NO_SHA384 config option with MBEDTLS_SHA384_C.
- This separates config option enabling the SHA384 algorithm from option
- enabling the SHA512 algorithm. Fixes #4034.
- * Introduce MBEDTLS_SHA224_C.
- This separates config option enabling the SHA224 algorithm from option
- enabling SHA256.
diff --git a/ChangeLog.d/sha512-output-type.txt b/ChangeLog.d/sha512-output-type.txt
deleted file mode 100644
index eabc67df70..0000000000
--- a/ChangeLog.d/sha512-output-type.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-API changes
- * The output parameter of mbedtls_sha512_finish_ret, mbedtls_sha512_ret,
- mbedtls_sha256_finish_ret and mbedtls_sha256_ret now has a pointer type
- rather than array type. This removes spurious warnings in some compilers
- when outputting a SHA-384 or SHA-224 hash into a buffer of exactly
- the hash size.
diff --git a/ChangeLog.d/split-config.txt b/ChangeLog.d/split-config.txt
deleted file mode 100644
index f66dc93a8e..0000000000
--- a/ChangeLog.d/split-config.txt
+++ /dev/null
@@ -1,13 +0,0 @@
-Changes
- * config.h has been split into build_info.h and mbedtls_config.h
- build_info.h is intended to be included from C code directly, while
- mbedtls_config.h is intended to be edited by end users wishing to
- change the build configuration, and should generally only be included from
- build_info.h.
- * The handling of MBEDTLS_CONFIG_FILE has been moved into build_info.h.
- * A config file version symbol, MBEDTLS_CONFIG_VERSION was introduced.
- Defining it to a particular value will ensure that Mbed TLS interprets
- the config file in a way that's compatible with the config file format
- used by the Mbed TLS release whose MBEDTLS_VERSION_NUMBER has the same
- value.
- The only value supported by Mbed TLS 3.0.0 is 0x03000000.
diff --git a/ChangeLog.d/spm_build.txt b/ChangeLog.d/spm_build.txt
deleted file mode 100644
index 6016d84e08..0000000000
--- a/ChangeLog.d/spm_build.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Bugfix
- * When MBEDTLS_PSA_CRYPTO_SPM is enabled, crypto_spe.h was not included
- in all the right places. Include it from crypto_platform.h, which is
- the natural place. Fixes #4649.
diff --git a/ChangeLog.d/ssl-error-code-cleanup.txt b/ChangeLog.d/ssl-error-code-cleanup.txt
deleted file mode 100644
index 768d1905ad..0000000000
--- a/ChangeLog.d/ssl-error-code-cleanup.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-API changes
- * Remove SSL error codes `MBEDTLS_ERR_SSL_CERTIFICATE_REQUIRED`
- and `MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH` which are never
- returned from the public SSL API.
- * Remove `MBEDTLS_ERR_SSL_CERTIFICATE_TOO_LARGE` and return
- `MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL` instead.
diff --git a/ChangeLog.d/tool-versions.txt b/ChangeLog.d/tool-versions.txt
deleted file mode 100644
index b89b384aa3..0000000000
--- a/ChangeLog.d/tool-versions.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Requirement changes
- * Refresh the minimum supported versions of tools to build the
- library. CMake versions older than 3.10.2 and Python older
- than 3.6 are no longer supported.
diff --git a/ChangeLog.d/undefined_reference_without_psa.txt b/ChangeLog.d/undefined_reference_without_psa.txt
deleted file mode 100644
index 4dae53419f..0000000000
--- a/ChangeLog.d/undefined_reference_without_psa.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Bugfix
- * With MBEDTLS_PSA_CRYPTO_C disabled, some functions were getting built
- nonetheless, resulting in undefined reference errors when building a
- shared library. Reported by Guillermo Garcia M. in #4411.
diff --git a/ChangeLog.d/update_ssl_error_codes.txt b/ChangeLog.d/update_ssl_error_codes.txt
deleted file mode 100644
index 0630b54759..0000000000
--- a/ChangeLog.d/update_ssl_error_codes.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Changes
- * Various changes to which alert and/or error code may be returned
- * during the TLS handshake.
diff --git a/ChangeLog.d/winsock.txt b/ChangeLog.d/winsock.txt
deleted file mode 100644
index 0b42e691c2..0000000000
--- a/ChangeLog.d/winsock.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Bugfix
- * Fix mbedtls_net_poll() and mbedtls_net_recv_timeout() often failing with
- MBEDTLS_ERR_NET_POLL_FAILED on Windows. Fixes #4465.
-
diff --git a/ChangeLog.d/x509_remove_info.txt b/ChangeLog.d/x509_remove_info.txt
deleted file mode 100644
index c103b1bd89..0000000000
--- a/ChangeLog.d/x509_remove_info.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-API changes
- * Add configuration option MBEDTLS_X509_REMOVE_INFO which
- removes the mbedtls_x509_*_info(), mbedtls_debug_print_crt()
- as well as other functions and constants only used by
- those functions. This reduces the code footprint by
- several kB.